Merge branch 'master' of ssh://git.bind10.isc.org/var/bind10/git/bind10

42c59bc2 · Shane Kerr · b5ee1d01 · a9bbc6ee · 42c59bc2 · 42c59bc2
Commit 42c59bc2 authored Nov 13, 2012 by Shane Kerr
--- a/ChangeLog
+++ b/ChangeLog
+505.	[bug]		jelte
+	Fixed a bug in b10-xfrin where a wrong call was made during the
+	final check of a TSIG-signed transfer, incorrectly rejecting the
+	transfer.
+	(Trac #2464, git eac81c0cbebee72f6478bdb5cda915f5470d08e1)
+
 504.	[bug]*		naokikambe
 	Fixed an XML format viewed from b10-stats-httpd. Regarding
 	per-zone counters as zones of Xfrout, a part of the item values wasn't

--- a/src/bin/xfrin/tests/xfrin_test.py
+++ b/src/bin/xfrin/tests/xfrin_test.py
@@ -570,7 +570,7 @@ class TestXfrinIXFRAdd(TestXfrinState):
        # difference, starting with removing that SOA.
        self.conn._diff.add_data(self.ns_rrset) # put some dummy change
        self.conn._tsig_ctx = MockTSIGContext(TSIG_KEY)
-        self.conn._tsig_ctx.last_has_signature = lambda: False
+        self.conn._tsig_ctx.last_had_signature = lambda: False
        # First, push a starting SOA inside. This should be OK, nothing checked
        # yet.
        self.state.handle_rr(self.conn, self.begin_soa)
@@ -821,7 +821,7 @@ class TestAXFR(TestXfrinConnection):
        mock_ctx = MockTSIGContext(key)
        mock_ctx.error = error
        if not has_last_signature:
-            mock_ctx.last_has_signature = lambda: False
+            mock_ctx.last_had_signature = lambda: False
        return mock_ctx

    def __match_exception(self, expected_exception, expected_msg, expression):

--- a/src/bin/xfrin/xfrin.py.in
+++ b/src/bin/xfrin/xfrin.py.in
@@ -797,7 +797,7 @@ class XfrinConnection(asyncore.dispatcher):
        Check there's a signature at the last message.
        """
        if self._tsig_ctx is not None:
-            if not self._tsig_ctx.last_has_signature():
+            if not self._tsig_ctx.last_had_signature():
                raise XfrinProtocolError('TSIG verify fail: no TSIG on last '+
                                         'message')


--- a/src/lib/python/isc/testutils/tsigctx_mock.py
+++ b/src/lib/python/isc/testutils/tsigctx_mock.py
@@ -52,5 +52,5 @@ class MockTSIGContext(TSIGContext):
            return self.error(self)
        return self.error

-    def last_has_signature(self):
+    def last_had_signature(self):
        return True
--- a/tests/lettuce/configurations/xfrin/retransfer_slave.conf
+++ b/tests/lettuce/configurations/xfrin/retransfer_slave.conf
--- a/tests/lettuce/features/terrain/terrain.py
+++ b/tests/lettuce/features/terrain/terrain.py
@@ -61,6 +61,8 @@ copylist = [
     "configurations/ddns/noddns.config"],
    ["configurations/xfrin/retransfer_master.conf.orig",
     "configurations/xfrin/retransfer_master.conf"],
+    ["configurations/xfrin/retransfer_slave.conf.orig",
+     "configurations/xfrin/retransfer_slave.conf"],
    ["data/inmem-xfrin.sqlite3.orig",
     "data/inmem-xfrin.sqlite3"],
    ["data/xfrin-notify.sqlite3.orig",

--- a/tests/lettuce/features/xfrin_bind10.feature
+++ b/tests/lettuce/features/xfrin_bind10.feature
-Feature: Xfrin 
+Feature: Xfrin
    Tests for Xfrin, specific for BIND 10 behaviour.
-    
+
    Scenario: Retransfer command
    # Standard check to test (non-)existence of a file.
    # This file is actually automatically created.
@@ -37,3 +37,52 @@ Feature: Xfrin
    # We don't have to specify the address/port here; the defaults will work.
    When I do an AXFR transfer of example.org
    Then transfer result should have 13 rrs
+
+
+
+    Scenario: Transfer with TSIG
+    # Similar setup to the test above, but this time, we add TSIG configuration
+
+    # In order to check that the tests don't give false positives because config
+    # happens to be right (like no TSIG on either side), we take an existing
+    # non-TSIG config, add TSIG on the master side, see it fail, add TSIG
+    # on the slave side, then check again.
+
+    Given I have bind10 running with configuration xfrin/retransfer_master.conf with cmdctl port 47804 as master
+    And wait for master stderr message AUTH_SERVER_STARTED
+    And wait for master stderr message XFROUT_STARTED
+
+    And I have bind10 running with configuration xfrin/retransfer_slave.conf
+    And wait for bind10 stderr message CMDCTL_STARTED
+    And wait for bind10 stderr message XFRIN_STARTED
+
+    # Set slave config for 'automatic' xfrin
+    When I set bind10 configuration Xfrin/zones to [{"master_port": 47806, "name": "example.org", "master_addr": "::1"}]
+
+    # Make sure it is fully open
+    When I send bind10 the command Xfrin retransfer example.org
+    Then wait for new bind10 stderr message XFRIN_TRANSFER_SUCCESS not XFRIN_XFR_PROCESS_FAILURE
+    And wait for new bind10 stderr message ZONEMGR_RECEIVE_XFRIN_SUCCESS
+
+    # First to master, a transfer should then fail
+    When I send bind10 the following commands with cmdctl port 47804:
+    """
+    config add tsig_keys/keys "example.key.:c2VjcmV0"
+    config set Xfrout/zone_config[0]/transfer_acl [{"action": "ACCEPT", "from": "::1", "key": "example.key."}]
+    config commit
+    """
+
+    # Transfer should fail
+    When I send bind10 the command Xfrin retransfer example.org
+    Then wait for new bind10 stderr message XFRIN_XFR_TRANSFER_PROTOCOL_ERROR not XFRIN_TRANSFER_SUCCESS
+    # Set client to use TSIG as well
+    When I send bind10 the following commands:
+    """
+    config add tsig_keys/keys "example.key.:c2VjcmV0"
+    config set Xfrin/zones[0]/tsig_key  "example.key.:c2VjcmV0"
+    config commit
+    """
+
+    # Transwer should succeed now
+    When I send bind10 the command Xfrin retransfer example.org
+    Then wait for new bind10 stderr message XFRIN_TRANSFER_SUCCESS not XFRIN_XFR_PROCESS_FAILURE