2641. [bug] Fixed an error in parsing update-policy syntax,

			added a regression test to check it. [RT #20007]

CHANGES

 	--- 9.7.0a2 released ---
 
+2641.	[bug]		Fixed an error in parsing update-policy syntax,
+			added a regression test to check it. [RT #20007]
+
 2640.	[security]	A specially crafted update packet will cause named
 			to exit. [RT #20000]
 

bin/confgen/ddns-confgen.c

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ddns-confgen.c,v 1.7 2009/07/02 22:50:24 jinmei Exp $ */
+/* $Id: ddns-confgen.c,v 1.8 2009/07/29 17:52:00 each Exp $ */
 
 /*! \file */
 
@@ -234,13 +234,14 @@ update-policy {\n\
 };\n",
 			       keyname);
 		}
-	}
 
-	printf("\n\
+		printf("\n\
 # After the keyfile has been placed, the following command will\n\
 # execute nsupdate using this key:\n\
 nsupdate -k <keyfile>\n");
 
+	}
+
 	if (keybuf != NULL)
 		isc_mem_put(mctx, keybuf, len);
 

bin/tests/system/conf.sh.in

@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: conf.sh.in,v 1.39 2008/01/10 23:47:01 tbox Exp $
+# $Id: conf.sh.in,v 1.40 2009/07/29 17:52:00 each Exp $
 
 #
 # Common configuration data for system tests, to be sourced into
@@ -35,6 +35,7 @@ LWRESD="$TOP/bin/named/named -l"
 DIG=$TOP/bin/dig/dig
 RNDC=$TOP/bin/rndc/rndc
 NSUPDATE=$TOP/bin/nsupdate/nsupdate
+DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen
 KEYGEN=$TOP/bin/dnssec/dnssec-keygen
 SIGNER=$TOP/bin/dnssec/dnssec-signzone
 CHECKZONE=$TOP/bin/check/named-checkzone

bin/tests/system/nsupdate/clean.sh

@@ -15,14 +15,14 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: clean.sh,v 1.12 2007/09/26 03:22:44 marka Exp $
+# $Id: clean.sh,v 1.13 2009/07/29 17:52:00 each Exp $
 
 #
 # Clean up after zone transfer tests.
 #
 
 rm -f dig.out.ns1 dig.out.ns2 dig.out.ns1.after ns1/*.jnl ns2/*.jnl \
-    ns1/example.db ns1/update.db
+    ns1/example.db ns1/update.db ns1/other.db
 rm -f ns2/example.bk
 rm -f ns2/update.bk
 rm -f */named.memstats

bin/tests/system/nsupdate/ns1/named.conf

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.17 2007/06/19 23:47:04 tbox Exp $ */
+/* $Id: named.conf,v 1.18 2009/07/29 17:52:00 each Exp $ */
 
 controls { /* empty */ };
 
@@ -25,7 +25,8 @@ options {
 	transfer-source 10.53.0.1;
 	port 5300;
 	pid-file "named.pid";
-	listen-on { 10.53.0.1; };
+	session-keyfile "session.key";
+	listen-on { 10.53.0.1; 127.0.0.1; };
 	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
@@ -40,11 +41,24 @@ controls {
 	inet 10.53.0.1 port 9953 allow { any; } keys { rndc_key; };
 };
 
+include "ddns.key";
+
 zone "example.nil" {
 	type master;
 	file "example.db";
 	check-integrity no;
-	allow-update { any; };
+	update-policy {
+		grant ddns-key.example.nil subdomain example.nil ANY;
+	};
+	allow-transfer { any; };
+};
+
+zone "other.nil" {
+	type master;
+	file "other.db";
+	check-integrity no;
+	update-policy local;
+	allow-query-on { 127.0.0.1; };
 	allow-transfer { any; };
 };
 

bin/tests/system/nsupdate/setup.sh

@@ -15,7 +15,10 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: setup.sh,v 1.10 2007/06/19 23:47:04 tbox Exp $
+# $Id: setup.sh,v 1.11 2009/07/29 17:52:00 each Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
 
 #
 # jnl and database files MUST be removed before we start
@@ -24,6 +27,7 @@
 rm -f ns1/*.jnl ns1/example.db ns2/*.jnl ns2/example.bk
 
 cp -f ns1/example1.db ns1/example.db
+sed 's/example.nil/other.nil/g' ns1/example1.db > ns1/other.db
 
 # update_test.pl has its own zone file because it
 # requires a specific NS record set.
@@ -40,3 +44,5 @@ update.nil              IN SOA  ns1.example.nil. hostmaster.example.nil. (
 update.nil.             NS      ns1.update.nil.
 ns1.update.nil.         A       10.53.0.2
 EOF
+
+$DDNSCONFGEN -q -z example.nil > ns1/ddns.key

bin/tests/system/nsupdate/tests.sh

@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.25 2007/06/19 23:47:04 tbox Exp $
+# $Id: tests.sh,v 1.26 2009/07/29 17:52:00 each Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -28,7 +28,7 @@ $DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\
 
 echo "I:fetching second copy of zone before update"
 $DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\
-	@10.53.0.1 axfr -p 5300 > dig.out.ns2 || status=1
+	@10.53.0.2 axfr -p 5300 > dig.out.ns2 || status=1
 
 echo "I:comparing pre-update copies to known good data"
 $PERL ../digcomp.pl knowngood.ns1.before dig.out.ns1 || status=1
@@ -36,7 +36,7 @@ $PERL ../digcomp.pl knowngood.ns1.before dig.out.ns2 || status=1
 
 echo "I:updating zone"
 # nsupdate will print a ">" prompt to stdout as it gets each input line.
-$NSUPDATE <<END > /dev/null || status=1
+$NSUPDATE -k ns1/ddns.key <<END > /dev/null || status=1
 server 10.53.0.1 5300
 update add updated.example.nil. 600 A 10.10.10.1
 update add updated.example.nil. 600 TXT Foo
@@ -58,6 +58,28 @@ echo "I:comparing post-update copies to known good data"
 $PERL ../digcomp.pl knowngood.ns1.after dig.out.ns1 || status=1
 $PERL ../digcomp.pl knowngood.ns1.after dig.out.ns2 || status=1
 
+echo "I:testing local update policy"
+pre=`$DIG +short new.other.nil. @10.53.0.1 a -p 5300` || status=1
+[ -z "$pre" ] || status=1
+
+echo "I:updating zone"
+# nsupdate will print a ">" prompt to stdout as it gets each input line.
+$NSUPDATE -l -p 5300 -k ns1/session.key > /dev/null <<END || status=1
+zone other.nil.
+update add new.other.nil. 600 IN A 10.10.10.1
+send
+END
+
+echo "I:sleeping 5 seconds for server to incorporate changes"
+sleep 5
+
+echo "I:checking result of update"
+post=`$DIG +short new.other.nil. @10.53.0.1 a -p 5300` || status=1
+[ "$post" = "10.10.10.1" ] || status=1
+
+echo "I:comparing post-update copy to known good data"
+$PERL ../digcomp.pl knowngood.ns1.after dig.out.ns1 || status=1
+
 if $PERL -e 'use Net::DNS;' 2>/dev/null
 then
     echo "I:running update.pl test"
@@ -103,7 +125,7 @@ $PERL ../digcomp.pl dig.out.ns1 dig.out.ns1.after || status=1
 echo "I:begin RT #482 regression test"
 
 echo "I:update master"
-$NSUPDATE <<END > /dev/null || status=1
+$NSUPDATE -k ns1/ddns.key <<END > /dev/null || status=1
 server 10.53.0.1 5300
 update add updated2.example.nil. 600 A 10.10.10.2
 update add updated2.example.nil. 600 TXT Bar
@@ -119,7 +141,7 @@ kill -HUP `cat ns2/named.pid`
 sleep 5
 
 echo "I:update master again"
-$NSUPDATE <<END > /dev/null || status=1
+$NSUPDATE -k ns1/ddns.key <<END > /dev/null || status=1
 server 10.53.0.1 5300
 update add updated3.example.nil. 600 A 10.10.10.3
 update add updated3.example.nil. 600 TXT Zap
@@ -142,7 +164,7 @@ fi
 echo "I:end RT #482 regression test"
 
 echo "I:testing that rndc stop updates the master file"
-$NSUPDATE <<END > /dev/null || status=1
+$NSUPDATE -k ns1/ddns.key <<END > /dev/null || status=1
 server 10.53.0.1 5300
 update add updated4.example.nil. 600 A 10.10.10.3
 send

lib/isccfg/namedconf.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namedconf.c,v 1.102 2009/07/14 22:54:57 each Exp $ */
+/* $Id: namedconf.c,v 1.103 2009/07/29 17:52:00 each Exp $ */
 
 /*! \file */
 
@@ -350,6 +350,7 @@ parse_updatepolicy(cfg_parser_t *pctx, const cfg_type_t *type,
 	CHECK(cfg_gettoken(pctx, 0));
 	if (pctx->token.type == isc_tokentype_special &&
 	    pctx->token.value.as_char == '{') {
+		cfg_ungettoken(pctx);
 		return (cfg_parse_bracketed_list(pctx, type, ret));
 	}