Commit dbc27ca2 authored by Jelte Jansen's avatar Jelte Jansen

[master] Merge branch 'trac2027' with minor conflict

Conflicts:
	src/lib/python/isc/ddns/tests/session_tests.py
parents ef5d56d8 dcafee23
......@@ -242,12 +242,17 @@ class UpdateSession:
'''
try:
self._get_update_zone()
# Contrary to what RFC2136 specifies, we do ACL checks before
# prerequisites. It's now generally considered to be a bad
# idea, and actually does harm such as information
# leak. It should make more sense to prevent any security issues
# by performing ACL check as early as possible.
self.__check_update_acl(self.__zname, self.__zclass)
self._create_diff()
prereq_result = self.__check_prerequisites()
if prereq_result != Rcode.NOERROR():
self.__make_response(prereq_result)
return UPDATE_ERROR, self.__zname, self.__zclass
self.__check_update_acl(self.__zname, self.__zclass)
update_result = self.__do_update()
if update_result != Rcode.NOERROR():
self.__make_response(update_result)
......
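Review bot: The new comment above the moved `__check_update_acl` call is ambiguous, because "It's now generally considered to be a bad idea" can be read as describing this code's ordering rather than the RFC 2136 ordering. I would reword it to `# RFC 2136 evaluates prerequisites before permissions, but that lets a client the ACL refuses probe zone contents through prerequisite rcodes, so the ACL is checked first.` The check still runs after `self._get_update_zone()`, whose body is not in this hunk. If that call answers differently for served and unserved zones, the difference presumably stays visible to refused clients and deserves a sentence in the comment. The enclosing method starts and ends outside the hunk.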
......@@ -657,12 +657,12 @@ class SessionTest(SessionTestBase):
self.assertEqual(str(expected_soa),
str(session._UpdateSession__added_soa))
def check_full_handle_result(self, expected, updates):
def check_full_handle_result(self, expected, updates, prerequisites=[]):
'''Helper method for checking the result of a full handle;
creates an update session, and fills it with the list of rrsets
from 'updates'. Then checks if __handle()
results in a response with rcode 'expected'.'''
msg = create_update_msg([TEST_ZONE_RECORD], [], updates)
msg = create_update_msg([TEST_ZONE_RECORD], prerequisites, updates)
zconfig = ZoneConfig(set(), TEST_RRCLASS, self._datasrc_client,
self._acl_map)
session = UpdateSession(msg, TEST_CLIENT4, zconfig)
......@@ -902,6 +902,21 @@ class SessionTest(SessionTestBase):
[ b'\x00\x0a\x04mail\x07example\x03org\x00' ])
self.rrset_update_del_rrset_mx = rrset_update_del_rrset_mx
def test_acl_before_prereq(self):
name_in_use_no = create_rrset("foo.example.org", RRClass.ANY(),
RRType.ANY(), 0)
# Test a prerequisite that would fail
self.check_full_handle_result(Rcode.NXDOMAIN(), [], [ name_in_use_no ])
# Change ACL so that it would be denied
self._acl_map = {(TEST_ZONE_NAME, TEST_RRCLASS):
REQUEST_LOADER.load([{"action": "REJECT"}])}
# The prerequisite should now not be reached; it should fail on the
# ACL
self.check_full_handle_result(Rcode.REFUSED(), [], [ name_in_use_no ])
def test_prescan(self):
'''Test whether the prescan succeeds on data that is ok, and whether
if notices the SOA if present'''
......
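Review bot: `check_full_handle_result` gains a mutable default argument, `prerequisites=[]`. The visible lines only pass it through to `create_update_msg`, so nothing breaks today, but `prerequisites=None` with `prerequisites or []` at the call avoids the shared-list trap if the helper ever appends to it. Its docstring still describes only 'updates' and should mention the new argument. `test_acl_before_prereq` has no docstring; something like `'''Check that a client denied by the ACL gets REFUSED before any prerequisite is evaluated.'''` would record the property being protected. The first assertion relies on the default `_acl_map` permitting the request, and that map is set up outside these hunks.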