// Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
//
// Permission to use, copy, modify, and/or distribute this software for any
// purpose with or without fee is hereby granted, provided that the above
// copyright notice and this permission notice appear in all copies.
//
// THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
// REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
// AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
// INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
// LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
// OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
// PERFORMANCE OF THIS SOFTWARE.

#include <memory>
#include <string>
#include <vector>

#include <boost/shared_ptr.hpp>

#include <exceptions/exceptions.h>

#include <dns/name.h>
#include <dns/tsigrecord.h>

#include <cc/data.h>

#include <acl/dns.h>
#include <acl/ip_check.h>
#include <acl/dnsname_check.h>
#include <acl/loader.h>
#include <acl/logic_check.h>

using namespace std;
using namespace isc::dns;
using namespace isc::data;

namespace isc {
namespace acl {

/// \brief \c IPCheck specialization for DNS request access control.
///
/// Only the request's remote (source) address is consulted: its raw
/// address bytes and address family are handed to \c compare(), which
/// holds the configured address/prefix expression.  Nothing else in the
/// request takes part in the decision.
///
/// NOTE(review): for UDP the source address is whatever the sender put
/// in the packet, so a "from" rule on its own is a weak authorization
/// for anything state-changing (e.g. updates); combine it with a "key"
/// (TSIG) rule where that matters.
///
/// \param request The request being evaluated.
/// \return \c true if the source address matches the configured
/// expression, \c false otherwise.
template <>
bool
IPCheck<dns::RequestContext>::matches(
    const dns::RequestContext& request) const
{
    // The comparison needs both the bytes and the family to know
    // whether to treat them as IPv4 or IPv6.
    const bool matched = compare(request.remote_address.getData(),
                                 request.remote_address.getFamily());
    return (matched);
}

namespace dns {

/// \brief \c NameCheck specialization for DNS request access control.
///
/// Matches when the request carries a TSIG record whose key (owner)
/// name is equal to the name held by this check.  A request without a
/// TSIG record never matches.
///
/// NOTE(review): only the key name carried in the TSIG record is
/// compared here; this check cannot tell whether the signature was
/// verified.  \c request.tsig should therefore only be populated with a
/// record that has already passed TSIG verification, otherwise a "key"
/// ACL rule is satisfied by an unverified claim of the key name —
/// confirm against the code that builds \c RequestContext.
///
/// \param request The request being evaluated.
/// \return \c true on a TSIG key-name match, \c false otherwise.
template<>
bool
NameCheck<RequestContext>::matches(const RequestContext& request) const {
    // No TSIG at all: nothing to compare against.
    if (request.tsig == NULL) {
        return (false);
    }
    return (request.tsig->getName() == name_);
}

/// \brief Names of the checks this creator can build.
///
/// "from" produces an IP-based check and "key" a TSIG key-name check.
/// The list is hardcoded for now; extend it together with \c create()
/// so the two never disagree about what is supported.
///
/// \return The supported check names: "from" then "key".
vector<string>
internal::RequestCheckCreator::names() const {
    static const char* const kSupported[] = { "from", "key" };
    const size_t count = sizeof(kSupported) / sizeof(kSupported[0]);
    return (vector<string>(kSupported, kSupported + count));
}

/// \brief Build a single request check from its ACL definition.
///
/// \param name The check name as written in the ACL: "from" or "key".
/// Any other name is treated as a programming error (the loader is
/// expected to have rejected it already).
/// \param definition The check's value element.  Both supported checks
/// read it as a string: an address/prefix expression for "from", a
/// TSIG key name for "key".
/// \param (unused) The loader invoking this creator.
/// \return A check object for \c name.
/// \throw LoaderError if \c definition is null or \c name is unknown.
///
/// NOTE(review): \c definition->stringValue() and the \c Name
/// constructor presumably raise their own exception types when the
/// element is not a string or the key name is malformed; those are not
/// translated into \c LoaderError here, so ACL loading code has to
/// expect them as well.
boost::shared_ptr<RequestCheck>
internal::RequestCheckCreator::create(const string& name,
                                      ConstElementPtr definition,
                                      // unused:
                                      const acl::Loader<RequestContext>&)
{
    if (!definition) {
        isc_throw(LoaderError,
                  "NULL pointer is passed to RequestCheckCreator");
    }

    if (name == "from") {
        const string prefix = definition->stringValue();
        return (boost::shared_ptr<internal::RequestIPCheck>(
                    new internal::RequestIPCheck(prefix)));
    }
    if (name == "key") {
        const Name key_name(definition->stringValue());
        return (boost::shared_ptr<internal::RequestKeyCheck>(
                    new internal::RequestKeyCheck(key_name)));
    }

    // Unknown names should already have been rejected by the loader;
    // fail explicitly anyway rather than handing back an empty pointer.
    isc_throw(LoaderError, "Invalid check name for RequestCheck: " << name);
}

/// \brief Return the process-wide loader for DNS request ACLs.
///
/// The loader is created on first use with \c REJECT as its default
/// action (presumably what applies when no rule matches, i.e. the
/// fail-closed choice — confirm against \c Loader) and the built-in
/// creators registered: the "from"/"key" request checks plus the
/// "NOT", "ANY" and "ALL" combinators.  It is never destroyed; the
/// pointer is deliberately kept alive for the life of the process.
///
/// NOTE(review): the lazy initialization is not synchronized.  Two
/// threads racing on the first call could each build a loader, with one
/// of them leaked.  That is harmless if the first call happens during
/// single-threaded startup — verify with callers before relying on it.
///
/// \return A reference to the singleton loader.
RequestLoader&
getRequestLoader() {
    static RequestLoader* instance(NULL);
    if (instance != NULL) {
        return (*instance);
    }

    // Build into an auto_ptr first: registerCreator() may throw, and a
    // half-built loader must then be freed rather than published.
    auto_ptr<RequestLoader> pending(new RequestLoader(REJECT));

    pending->registerCreator(
        boost::shared_ptr<internal::RequestCheckCreator>(
            new internal::RequestCheckCreator()));
    pending->registerCreator(
        boost::shared_ptr<NotCreator<RequestContext> >(
            new NotCreator<RequestContext>("NOT")));
    pending->registerCreator(
        boost::shared_ptr<LogicCreator<AnyOfSpec, RequestContext> >(
            new LogicCreator<AnyOfSpec, RequestContext>("ANY")));
    pending->registerCreator(
        boost::shared_ptr<LogicCreator<AllOfSpec, RequestContext> >(
            new LogicCreator<AllOfSpec, RequestContext>("ALL")));

    // Publish only once every registration has succeeded; nothing
    // below this point throws.
    instance = pending.release();
    return (*instance);
}

}
}
}