Commit fef88019 authored by Michal 'vorner' Vaner's avatar Michal 'vorner' Vaner

Merge branch 'work/dnsacl'

Conflicts:
	src/lib/acl/tests/Makefile.am
parents 3f151512 e6b3d504
......@@ -5,6 +5,7 @@ AM_CPPFLAGS += $(BOOST_INCLUDES)
AM_CXXFLAGS = $(B10_CXXFLAGS)
# The core library
lib_LTLIBRARIES = libacl.la
libacl_la_SOURCES = check.h acl.h
libacl_la_SOURCES += loader.h loader.cc
......@@ -12,4 +13,12 @@ libacl_la_SOURCES += loader.h loader.cc
libacl_la_LIBADD = $(top_builddir)/src/lib/exceptions/libexceptions.la
libacl_la_LIBADD += $(top_builddir)/src/lib/cc/libcc.la
# DNS specialized one
lib_LTLIBRARIES += libdnsacl.la
libdnsacl_la_SOURCES = dns.h dns.cc
libdnsacl_la_LIBADD = libacl.la
libdnsacl_la_LIBADD += $(top_builddir)/src/lib/dns/libdns++.la
CLEANFILES = *.gcno *.gcda
// Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
//
// Permission to use, copy, modify, and/or distribute this software for any
// purpose with or without fee is hereby granted, provided that the above
// copyright notice and this permission notice appear in all copies.
//
// THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
// REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
// AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
// INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
// LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
// OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
// PERFORMANCE OF THIS SOFTWARE.
#include "dns.h"
namespace isc {
namespace acl {
namespace dns {
Loader&
getLoader() {
static Loader* loader(NULL);
if (loader == NULL) {
loader = new Loader(REJECT);
// TODO: This is the place where we register default check creators
// like IP check, etc, once we have them.
}
return (*loader);
}
}
}
}
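Review bot: getLoader() in dns.cc has a check-then-act race on the function-local `loader` pointer: two threads calling it before first use can each execute `new Loader(REJECT)`, and a plugin that registers checks on one instance would be invisible to a caller holding the other. If every consumer is single-threaded this is harmless, but a function-local static object avoids both the race (guaranteed by C++11, and by GCC's default -fthreadsafe-statics before that) and the raw `new`: `static Loader loader(REJECT); return (loader);`. Either way the function should carry a comment stating that the singleton lives for the process lifetime and is deliberately never freed. The REJECT default policy is the right fail-closed choice for an ACL loader and deserves to be called out in the comment rather than left implicit in the constructor argument.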
// Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
//
// Permission to use, copy, modify, and/or distribute this software for any
// purpose with or without fee is hereby granted, provided that the above
// copyright notice and this permission notice appear in all copies.
//
// THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
// REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
// AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
// INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
// LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
// OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
// PERFORMANCE OF THIS SOFTWARE.
#ifndef ACL_DNS_H
#define ACL_DNS_H
#include "loader.h"
#include <asiolink/io_address.h>
#include <dns/message.h>
namespace isc {
namespace acl {
namespace dns {
/**
* \brief DNS request to be checked.
*
* This plays the role of Context of the generic template ACLs (in namespace
* isc::acl).
*
* It is simple structure holding just the bunch of information. Therefore
* the names don't end up with a slash, there are no methods so they can't be
* confused with local variables.
*
* \todo Do we want a constructor to set this in a shorter manner? So we can
* call the ACLs directly?
*/
struct RequestContext {
/// \brief The DNS message (payload).
isc::dns::ConstMessagePtr message;
/// \brief The remote IP address (eg. the client).
asiolink::IOAddress remote_address;
/// \brief The local IP address (ours, of the interface where we received).
asiolink::IOAddress local_address;
/// \brief The remote port.
uint16_t remote_port;
/// \brief The local port.
uint16_t local_port;
/**
* \brief Name of the TSIG key the message is signed with.
*
* This will be either the name of the TSIG key the message is signed with,
* or empty string, if the message is not signed. It is true we could get
* the information from the message itself, but because at the time when
* the ACL is checked, the signature has been verified already, so passing
* it around is probably cheaper.
*
* It is expected that messages with invalid signatures are handled before
* ACL.
*/
std::string tsig_key_name;
};
/// \brief DNS based check.
typedef acl::Check<RequestContext> Check;
/// \brief DNS based compound check.
typedef acl::CompoundCheck<RequestContext> CompoundCheck;
/// \brief DNS based ACL.
typedef acl::ACL<RequestContext> ACL;
/// \brief DNS based ACL loader.
typedef acl::Loader<RequestContext> Loader;
/**
* \brief Loader singleton access function.
*
* This function returns a loader of ACLs. It is expected applications
* will use this function instead of creating their own loaders, because
* one is enough, this one will have registered default checks and it
* is known one, so any plugins can registrer additional checks as well.
*/
Loader& getLoader();
}
}
}
#endif
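Review bot: The tsig_key_name contract in RequestContext is security-critical but only stated as an expectation: a caller that copies the key name straight from the incoming TSIG RR before verification would let any client assert any key name and satisfy a key-based ACL. I would make the precondition explicit on the field: `/// Must be set only from a TSIG signature that has already been verified; never copy it from an unverified TSIG RR, whose key name is attacker-controlled.` The same comment should state that the empty string means "unsigned", so a future key-name check must never treat an empty value as a matching key. Separately, `remote_port` and `local_port` are uninitialized POD members, and `uint16_t` is used without an explicit `<stdint.h>` include, so the header appears to rely on a transitive include from asiolink or dns/message.h.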
......@@ -7,6 +7,7 @@ TESTS += run_unittests
run_unittests_SOURCES = run_unittests.cc
run_unittests_SOURCES += check_test.cc acl_test.cc loader_test.cc
run_unittests_SOURCES += logcheck.h
run_unittests_SOURCES += dns_test.cc
run_unittests_CPPFLAGS = $(AM_CPPFLAGS) $(GTEST_INCLUDES)
run_unittests_LDFLAGS = $(AM_LDFLAGS) $(GTEST_LDFLAGS)
......@@ -15,6 +16,7 @@ run_unittests_LDADD += $(top_builddir)/src/lib/util/unittests/libutil_unittests.
run_unittests_LDADD += $(top_builddir)/src/lib/acl/libacl.la
run_unittests_LDADD += $(top_builddir)/src/lib/cc/libcc.la
run_unittests_LDADD += $(top_builddir)/src/lib/exceptions/libexceptions.la
run_unittests_LDADD += $(top_builddir)/src/lib/acl/libdnsacl.la
endif
noinst_PROGRAMS = $(TESTS)
// Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
//
// Permission to use, copy, modify, and/or distribute this software for any
// purpose with or without fee is hereby granted, provided that the above
// copyright notice and this permission notice appear in all copies.
//
// THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
// REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
// AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
// INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
// LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
// OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
// PERFORMANCE OF THIS SOFTWARE.
#include <acl/dns.h>
#include <gtest/gtest.h>
using namespace isc::acl::dns;
namespace {
// Tests that the getLoader actually returns something, returns the same every
// time and the returned value can be used to anything. It is not much of a
// test, but the getLoader is not much of a function.
TEST(DNSACL, getLoader) {
Loader* l(&getLoader());
ASSERT_TRUE(l != NULL);
EXPECT_EQ(l, &getLoader());
EXPECT_NO_THROW(l->load(isc::data::Element::fromJSON(
"[{\"action\": \"DROP\"}]")));
// TODO Test that the things we should register by default, like IP based
// check, are loaded.
}
}
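Review bot: The test in dns_test.cc never checks the one security-relevant property of getLoader(), that its default policy is REJECT; a regression to an accept-by-default loader would pass this test unchanged. I would add a case that loads an empty ACL, `l->load(isc::data::Element::fromJSON("[]"))`, and asserts that evaluating it against a RequestContext yields REJECT, using whatever evaluation entry point the generic ACL exposes (it is not visible in this commit). The test also uses isc::data::Element without including the header that declares it, relying on a transitive include through acl/dns.h; an explicit include would keep the test robust to later header cleanups.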