Commit f39c8aea authored by Michal 'vorner' Vaner's avatar Michal 'vorner' Vaner
Browse files

[trac931] Decouple the server from keyring

It now uses a pointer that is set to the global variable instead of the
global variable directly. This makes tests easier as they don't need to
set it back and is more flexible.
parent 5dcd9589
......@@ -60,8 +60,6 @@
#include <auth/query.h>
#include <auth/statistics.h>
#include <server_common/keyring.h>
using namespace std;
using namespace isc;
......@@ -77,6 +75,7 @@ using namespace isc::xfr;
using namespace isc::asiolink;
using namespace isc::asiodns;
using namespace isc::server_common::portconfig;
using boost::shared_ptr;
class AuthSrvImpl {
private:
......@@ -123,6 +122,9 @@ public:
/// Addresses we listen on
AddressList listen_addresses_;
/// The TSIG keyring
const shared_ptr<TSIGKeyRing>* keyring_;
private:
std::string db_file_;
......@@ -146,6 +148,7 @@ AuthSrvImpl::AuthSrvImpl(const bool use_cache,
memory_datasrc_class_(RRClass::IN()),
statistics_timer_(io_service_),
counters_(verbose_mode_),
keyring_(NULL),
xfrout_connected_(false),
xfrout_client_(xfrout_client)
{
......@@ -467,11 +470,11 @@ AuthSrv::processMessage(const IOMessage& io_message, MessagePtr message,
// Do we do TSIG?
// The keyring can be null if we're in test
if (server_common::keyring != NULL && tsig_record != NULL) {
if (impl_->keyring_ != NULL && tsig_record != NULL) {
tsig_context.reset(new TSIGContext(tsig_record->getName(),
tsig_record->getRdata().
getAlgorithm(),
*server_common::keyring));
**impl_->keyring_));
tsig_error = tsig_context->verify(tsig_record, io_message.getData(),
io_message.getDataSize());
}
......@@ -822,3 +825,8 @@ void
AuthSrv::setDNSService(isc::asiodns::DNSService& dnss) {
dnss_ = &dnss;
}
void
AuthSrv::setTSIGKeyRing(const shared_ptr<TSIGKeyRing>* keyring) {
impl_->keyring_ = keyring;
}
......@@ -44,6 +44,9 @@ class MemoryDataSrc;
namespace xfr {
class AbstractXfroutClient;
}
namespace dns {
class TSIGKeyRing;
}
}
......@@ -374,6 +377,14 @@ public:
/// \brief Assign an ASIO DNS Service queue to this Auth object
void setDNSService(isc::asiodns::DNSService& dnss);
/// \brief Sets the keyring used for verifying and signing
///
/// The parameter is pointer to shared pointer, because the automatic
/// reloading routines of tsig keys replace the actual keyring object.
/// It is expected the pointer will point to some statically-allocated
/// object, it doesn't take ownership of it.
void setTSIGKeyRing(const boost::shared_ptr<isc::dns::TSIGKeyRing>*
keyring);
private:
AuthSrvImpl* impl_;
......
......@@ -198,6 +198,7 @@ main(int argc, char* argv[]) {
cout << "[b10-auth] Loading TSIG keys" << endl;
isc::server_common::initKeyring(*config_session);
auth_server->setTSIGKeyRing(&isc::server_common::keyring);
// Now start asynchronous read.
config_session->start();
......
......@@ -16,6 +16,8 @@
#include <vector>
#include <boost/shared_ptr.hpp>
#include <gtest/gtest.h>
#include <dns/message.h>
......@@ -52,6 +54,7 @@ using namespace isc::asiolink;
using namespace isc::testutils;
using namespace isc::server_common::portconfig;
using isc::UnitTestUtil;
using boost::shared_ptr;
namespace {
const char* const CONFIG_TESTDB =
......@@ -255,11 +258,11 @@ TEST_F(AuthSrvTest, TSIGSigned) {
createRequestPacket(request_message, IPPROTO_UDP, &context);
// Run the message through the server
isc::server_common::keyring.reset(new TSIGKeyRing);
isc::server_common::keyring->add(key);
shared_ptr<TSIGKeyRing> keyring(new TSIGKeyRing);
keyring->add(key);
server.setTSIGKeyRing(&keyring);
server.processMessage(*io_message, parse_message, response_obuffer,
&dnsserv);
isc::server_common::keyring.reset();
// What did we get?
EXPECT_TRUE(dnsserv.hasAnswer());
......@@ -288,10 +291,10 @@ TEST_F(AuthSrvTest, TSIGSignedBadKey) {
createRequestPacket(request_message, IPPROTO_UDP, &context);
// Process the message, but use a different key there
isc::server_common::keyring.reset(new TSIGKeyRing);
shared_ptr<TSIGKeyRing> keyring(new TSIGKeyRing);
server.setTSIGKeyRing(&keyring);
server.processMessage(*io_message, parse_message, response_obuffer,
&dnsserv);
isc::server_common::keyring.reset();
EXPECT_TRUE(dnsserv.hasAnswer());
headerCheck(*parse_message, default_qid, TSIGError::BAD_KEY().toRcode(),
......@@ -318,11 +321,12 @@ TEST_F(AuthSrvTest, TSIGBadSig) {
Name("version.bind"), RRClass::CH(), RRType::TXT());
createRequestPacket(request_message, IPPROTO_UDP, &context);
isc::server_common::keyring.reset(new TSIGKeyRing);
isc::server_common::keyring->add(TSIGKey("key:QkFECg==:hmac-sha1"));
// Process the message, but use a different key there
shared_ptr<TSIGKeyRing> keyring(new TSIGKeyRing);
keyring->add(TSIGKey("key:QkFECg==:hmac-sha1"));
server.setTSIGKeyRing(&keyring);
server.processMessage(*io_message, parse_message, response_obuffer,
&dnsserv);
isc::server_common::keyring.reset();
EXPECT_TRUE(dnsserv.hasAnswer());
headerCheck(*parse_message, default_qid, TSIGError::BAD_SIG().toRcode(),
......@@ -353,11 +357,12 @@ TEST_F(AuthSrvTest, TSIGCheckFirst) {
RRClass::CH(), RRType::TXT());
createRequestPacket(request_message, IPPROTO_UDP, &context);
isc::server_common::keyring.reset(new TSIGKeyRing);
isc::server_common::keyring->add(TSIGKey("key:QkFECg==:hmac-sha1"));
// Process the message, but use a different key there
shared_ptr<TSIGKeyRing> keyring(new TSIGKeyRing);
keyring->add(TSIGKey("key:QkFECg==:hmac-sha1"));
server.setTSIGKeyRing(&keyring);
server.processMessage(*io_message, parse_message, response_obuffer,
&dnsserv);
isc::server_common::keyring.reset();
EXPECT_TRUE(dnsserv.hasAnswer());
headerCheck(*parse_message, default_qid, TSIGError::BAD_SIG().toRcode(),
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment