776. [func] Improved error reporting in denied messages. [RT #252]

55b62439 · Mark Andrews · 06150c83 · 55b62439 · 55b62439 · 55b62439
Commit 55b62439 authored Mar 11, 2001 by Mark Andrews
--- a/CHANGES
+++ b/CHANGES
+ 776.	[func]		Improved error reporting in denied messages. [RT #252]
+
 775.	[placeholder]

 774.	[func]		max-cache-size is implemented.

--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: client.c,v 1.157 2001/03/06 04:18:42 marka Exp $ */
+/* $Id: client.c,v 1.158 2001/03/11 06:19:34 marka Exp $ */

 #include <config.h>

@@ -2144,3 +2144,14 @@ ns_client_log(ns_client_t *client, isc_logcategory_t *category,
 	va_end(ap);
 }

+void
+ns_client_aclmsg(const char *msg, dns_name_t *name, dns_rdataclass_t rdclass,
+		 char *buf, size_t len) 
+{
+        char namebuf[DNS_NAME_FORMATSIZE];
+        char classbuf[DNS_RDATACLASS_FORMATSIZE];
+
+        dns_name_format(name, namebuf, sizeof(namebuf));
+        dns_rdataclass_format(rdclass, classbuf, sizeof(classbuf));
+        (void)snprintf(buf, len, "%s '%s/%s'", msg, namebuf, classbuf);
+}
--- a/bin/named/include/named/client.h
+++ b/bin/named/include/named/client.h
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: client.h,v 1.55 2001/03/06 01:24:40 bwelling Exp $ */
+/* $Id: client.h,v 1.56 2001/03/11 06:19:39 marka Exp $ */

 #ifndef NAMED_CLIENT_H
 #define NAMED_CLIENT_H 1
@@ -292,4 +292,8 @@ ns_client_log(ns_client_t *client, isc_logcategory_t *category,
 	      isc_logmodule_t *module, int level,
 	      const char *fmt, ...);

+void
+ns_client_aclmsg(const char *msg, dns_name_t *name, dns_rdataclass_t rdclass,
+                 char *buf, size_t len);
+
 #endif /* NAMED_CLIENT_H */
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: query.c,v 1.185 2001/03/06 06:57:47 halley Exp $ */
+/* $Id: query.c,v 1.186 2001/03/11 06:19:35 marka Exp $ */

 #include <config.h>

@@ -621,7 +621,12 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, unsigned int options,

 	if (check_acl) {
 		isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
-		result = ns_client_checkacl(client, "query", queryacl,
+		char msg[DNS_NAME_FORMATSIZE + DNS_RDATACLASS_FORMATSIZE
+			 + sizeof "query '/'"];
+		
+		ns_client_aclmsg("query", name, client->view->rdclass,
+				 msg, sizeof(msg));
+		result = ns_client_checkacl(client, msg, queryacl,
 					    ISC_TRUE,
 					    log ? ISC_LOG_INFO : ISC_LOG_DEBUG(3));

@@ -712,10 +717,12 @@ query_getcachedb(ns_client_t *client, dns_db_t **dbp, unsigned int options)

 	if (check_acl) {
 		isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
-		result = ns_client_checkacl(client, "query",
+		
+		result = ns_client_checkacl(client, "query (cache)",
 					    client->view->queryacl,
 					    ISC_TRUE,
-					    log ? ISC_LOG_INFO : ISC_LOG_DEBUG(3));
+					    log ? ISC_LOG_INFO :
+						  ISC_LOG_DEBUG(3));
 		if (result == ISC_R_SUCCESS) {
 			/*
 			 * We were allowed by the default

--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: update.c,v 1.84 2001/02/22 19:15:01 bwelling Exp $ */
+/* $Id: update.c,v 1.85 2001/03/11 06:19:37 marka Exp $ */

 #include <config.h>

@@ -175,7 +175,7 @@ update_log(ns_client_t *client, dns_zone_t *zone,
 	va_end(ap);

 	ns_client_log(client, NS_LOGCATEGORY_UPDATE, NS_LOGMODULE_UPDATE,
-		      level, "updating zone %s/%s: %s",
+		      level, "updating zone '%s/%s': %s",
 		      namebuf, classbuf, message);
 }

@@ -2118,13 +2118,21 @@ update_action(isc_task_t *task, isc_event_t *event) {
 	 * Check Requestor's Permissions.  It seems a bit silly to do this
 	 * only after prerequisite testing, but that is what RFC2136 says.
 	 */
-	if (ssutable == NULL)
-		CHECK(ns_client_checkacl(client, "update",
+	if (ssutable == NULL) {
+		char msg[DNS_RDATACLASS_FORMATSIZE + DNS_NAME_FORMATSIZE
+			 + sizeof("update '/'")];
+		ns_client_aclmsg("update", zonename, client->view->rdclass,
+                                 msg, sizeof(msg));
+		CHECK(ns_client_checkacl(client, msg,
 					 dns_zone_getupdateacl(zone),
 					 ISC_FALSE, ISC_LOG_ERROR));
-	else if (client->signer == NULL) {
+	} else if (client->signer == NULL) {
 		/* This gets us a free log message. */
-		CHECK(ns_client_checkacl(client, "update", NULL, ISC_FALSE,
+		char msg[DNS_RDATACLASS_FORMATSIZE + DNS_NAME_FORMATSIZE
+			 + sizeof("update '/'")];
+		ns_client_aclmsg("update", zonename, client->view->rdclass,
+                                 msg, sizeof(msg));
+		CHECK(ns_client_checkacl(client, msg, NULL, ISC_FALSE,
 					 ISC_LOG_ERROR));
 	}

@@ -2592,5 +2600,3 @@ send_forward_event(ns_client_t *client, dns_zone_t *zone) {
 		isc_event_free((isc_event_t **)&event);
 	return (result);
 }
-
-