test the use of the view ACL in DLZ

e2062879 · Evan Hunt · Mark Andrews · a520662e · e2062879 · e2062879
Commit e2062879 authored Mar 07, 2019 by Evan Hunt Committed by Mark Andrews Mar 11, 2019
--- a/bin/tests/system/dlzexternal/driver.c
+++ b/bin/tests/system/dlzexternal/driver.c
@@ -534,21 +534,56 @@ dlz_lookup(const char *zone, const char *name, void *dbdata,
 */
 isc_result_t
 dlz_allowzonexfr(void *dbdata, const char *name, const char *client) {
+	struct dlz_example_data *state = (struct dlz_example_data *)dbdata;
 	isc_result_t result;

+	if (state->log != NULL) {
+		state->log(ISC_LOG_INFO,
+			   "dlz_example: dlz_allowzonexfr called for %s",
+			   name);
+	}
+
 	result = dlz_findzonedb(dbdata, name, NULL, NULL);
 	if (result != ISC_R_SUCCESS) {
+		if (state->log != NULL) {
+			state->log(ISC_LOG_INFO,
+				   "dlz_example: findzonedb returned %s",
+				   isc_result_totext(result));
+		}
 		return (result);
 	}

+	/*
+	 * Exception for "example.org" so we can test the use of
+	 * the view ACL.
+	 */
+	if (strcmp(name, "example.org") == 0) {
+		if (state->log != NULL) {
+			state->log(ISC_LOG_INFO,
+				   "dlz_example: use view ACL "
+				   "for example.org");
+		}
+		return (ISC_R_DEFAULT);
+	}
+
 	/*
 	 * Exception for 10.53.0.5 so we can test that allow-transfer
 	 * is effective.
 	 */
 	if (strcmp(client, "10.53.0.5") == 0) {
+		if (state->log != NULL) {
+			state->log(ISC_LOG_INFO,
+				   "dlz_example: disallow transfer "
+				   "to 10.53.0.5");
+		}
 		return (ISC_R_NOPERM);
 	}

+	if (state->log != NULL) {
+		state->log(ISC_LOG_INFO,
+			   "dlz_example: transfer allowed for %s", name);
+	}
+
 	return (ISC_R_SUCCESS);
 }


--- a/bin/tests/system/dlzexternal/ns1/dlzs.conf.in
+++ b/bin/tests/system/dlzexternal/ns1/dlzs.conf.in
@@ -17,6 +17,10 @@ dlz "example two" {
 	database "dlopen ../driver.@SO@ alternate.nil";
 };

+dlz "example three" {
+	database "dlopen ../driver.@SO@ example.org";
+};
+
 dlz "unsearched1" {
 	database "dlopen ../driver.@SO@ other.nil";
 	search no;

--- a/bin/tests/system/dlzexternal/ns1/named.conf.in
+++ b/bin/tests/system/dlzexternal/ns1/named.conf.in
@@ -18,6 +18,7 @@ options {
 	session-keyfile "session.key";
 	listen-on { 10.53.0.1; 127.0.0.1; };
 	listen-on-v6 { none; };
+	allow-transfer { !10.53.0.1; any; };
 	recursion no;
 	notify yes;
 };

--- a/bin/tests/system/dlzexternal/tests.sh
+++ b/bin/tests/system/dlzexternal/tests.sh
@@ -125,6 +125,16 @@ grep "; Transfer failed" dig.out.alternate.ns1.test$n > /dev/null || ret=1
 [ "$ret" -eq 0 ] || echo_i "failed"
 status=`expr $status + $ret`

+newtest "testing AXFR denied based on view ACL"
+# 10.53.0.1 should be disallowed
+$DIG $DIGOPTS -b 10.53.0.1 +noall +answer axfr example.org > dig.out.example.ns1.test$n.1
+grep "; Transfer failed" dig.out.example.ns1.test$n.1 > /dev/null || ret=1
+# 10.53.0.2 should be allowed
+$DIG $DIGOPTS -b 10.53.0.2 +noall +answer axfr example.org > dig.out.example.ns1.test$n.2
+grep "; Transfer failed" dig.out.example.ns1.test$n.2 > /dev/null && ret=1
+[ "$ret" -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
 newtest "testing unsearched/unregistered DLZ zone is not found"
 $DIG $DIGOPTS +noall +answer ns other.nil > dig.out.ns1.test$n
 grep "3600.IN.NS.other.nil." dig.out.ns1.test$n > /dev/null && ret=1