From: Kees Monshouwer
Date: Thu, 8 Sep 2022 15:01:33 +0000 (+0200)
Subject: auth: api, nsec3param improvements
X-Git-Tag: rec-4.8.0-alpha1~25^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F11918%2Fhead;p=thirdparty%2Fpdns.git

auth: api, nsec3param improvements
---

diff --git a/pdns/ws-auth.cc b/pdns/ws-auth.cc
index 2e29adb8fc..733a127f89 100644
--- a/pdns/ws-auth.cc
+++ b/pdns/ws-auth.cc
@@ -363,16 +363,21 @@ static void fillZone(UeberBackend& B, const DNSName& zonename, HttpResponse* res
   string soa_edit;
   di.backend->getDomainMetadataOne(zonename, "SOA-EDIT", soa_edit);
   doc["soa_edit"] = soa_edit;
+
   string nsec3param;
-  di.backend->getDomainMetadataOne(zonename, "NSEC3PARAM", nsec3param);
-  doc["nsec3param"] = nsec3param;
-  string nsec3narrow;
   bool nsec3narrowbool = false;
-  di.backend->getDomainMetadataOne(zonename, "NSEC3NARROW", nsec3narrow);
-  if (nsec3narrow == "1")
-    nsec3narrowbool = true;
+  bool is_secured = dk.isSecuredZone(zonename);
+  if (is_secured) { // ignore NSEC3PARAM and NSEC3NARROW metadata present in the db for unsigned zones
+    di.backend->getDomainMetadataOne(zonename, "NSEC3PARAM", nsec3param);
+    string nsec3narrow;
+    di.backend->getDomainMetadataOne(zonename, "NSEC3NARROW", nsec3narrow);
+    if (nsec3narrow == "1") {
+      nsec3narrowbool = true;
+    }
+  }
+  doc["nsec3param"] = nsec3param;
   doc["nsec3narrow"] = nsec3narrowbool;
-  doc["dnssec"] = dk.isSecuredZone(zonename);
+  doc["dnssec"] = is_secured;
 
   string api_rectify;
   di.backend->getDomainMetadataOne(zonename, "API-RECTIFY", api_rectify);
@@ -690,6 +695,7 @@ static void updateDomainSettingsFromDocument(UeberBackend& B, const DomainInfo&
   bool dnssecInJSON = false;
   bool dnssecDocVal = false;
   bool nsec3paramInJSON = false;
+  bool updateNsec3Param = false;
   string nsec3paramDocVal;
 
   try {
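Review bot: The `nsec3param` and `nsec3narrow` fields now report the effective value rather than the stored metadata, and nothing in the response tells an API client that a stale NSEC3PARAM still sits in the database for an unsigned zone; a comment on `doc["nsec3param"] = nsec3param;` such as `// "" for unsigned zones even when NSEC3PARAM metadata is still stored; it only takes effect once the zone is secured` plus the matching sentence in the API reference would make that contract explicit. The narrow flag is derived only from the literal `"1"`, so any other spelling a backend might hold is reported as false; presumably DNSSECKeeper only ever writes `"1"`/`"0"`, but a short comment at `if (nsec3narrow == "1") {` stating that assumption would help the next reader. fillZone continues outside this hunk.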
@@ -739,6 +745,7 @@ static void updateDomainSettingsFromDocument(UeberBackend& B, const DomainInfo&
           throwUnableToSecure(zonename);
         }
         shouldRectify = true;
+        updateNsec3Param = true;
       }
     }
     else { // "dnssec": false in json
@@ -752,24 +759,24 @@ static void updateDomainSettingsFromDocument(UeberBackend& B, const DomainInfo&
           throw ApiException("Unable to un-secure zone '"+ zonename.toString()+"'");
         }
         shouldRectify = true;
+        updateNsec3Param = true;
       }
     }
   }
 
-  if (nsec3paramInJSON) {
+  if (nsec3paramInJSON || updateNsec3Param) {
     shouldRectify = true;
-    if (!isDNSSECZone) {
-      throw ApiException("NSEC3PARAMs provided for zone '"+zonename.toString()+"', but zone is not DNSSEC secured.");
+    if (!isDNSSECZone && !nsec3paramDocVal.empty()) {
+      throw ApiException("NSEC3PARAM value provided for zone '" + zonename.toString() + "', but zone is not DNSSEC secured.");
     }
 
-    if (nsec3paramDocVal.length() == 0) {
+    if (nsec3paramDocVal.empty()) {
       // Switch to NSEC
       if (!dk.unsetNSEC3PARAM(zonename)) {
         throw ApiException("Unable to remove NSEC3PARAMs from zone '" + zonename.toString());
       }
     }
-
-    if (nsec3paramDocVal.length() > 0) {
+    else {
       // Set the NSEC3PARAMs
       NSEC3PARAMRecordContent ns3pr(nsec3paramDocVal);
       string error_msg = "";
diff --git a/regression-tests.api/test_Zones.py b/regression-tests.api/test_Zones.py
index 4a5173700a..15384539b9 100644
--- a/regression-tests.api/test_Zones.py
+++ b/regression-tests.api/test_Zones.py
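Review bot: A zone that was un-secured while still carrying NSEC3PARAM metadata is now silently brought back as plain NSEC when it is re-secured with `"dnssec": true` and no `nsec3param` key, because `updateNsec3Param` routes that request into the `nsec3paramDocVal.empty()` branch and `dk.unsetNSEC3PARAM`; this is consistent with the fillZone change and arguably the safer default, but it is a behavioural change that gives up NSEC3's zone-enumeration resistance for such zones, so it deserves a comment at `if (nsec3paramInJSON || updateNsec3Param) {` such as `// a secure/unsecure toggle re-applies the NSEC3PARAM from this request (absent => plain NSEC) so stale db metadata never silently re-activates` and a changelog/API-doc mention. The new `!isDNSSECZone && !nsec3paramDocVal.empty()` test runs after the secure/unsecure branches; if `isDNSSECZone` is not refreshed inside those branches (they begin outside this hunk), a request carrying both `"dnssec": true` and a non-empty `nsec3param` would be rejected with the new error, so it is worth confirming against the existing create-with-nsec3param test. The context line `throw ApiException("Unable to remove NSEC3PARAMs from zone '" + zonename.toString());` is missing its closing `+ "'"`, and that branch is now also reached on the un-secure path. updateDomainSettingsFromDocument continues outside the hunk.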
@@ -569,6 +569,26 @@ class AuthZones(ApiTestCase, AuthZonesHelperMixin):
         self.assertEqual(r.status_code, 200)
         self.assertEqual(data['nsec3param'], '')
 
+    def test_create_zone_without_dnssec_unset_nsec3parm(self):
+        """
+        Create a non dnssec zone and set an empty "nsec3param"
+        """
+        name, payload, data = self.create_zone(dnssec=False)
+        r = self.session.put(self.url("/api/v1/servers/localhost/zones/" + name),
+                             data=json.dumps({'nsec3param': ''}))
+
+        self.assertEqual(r.status_code, 204)
+
+    def test_create_zone_without_dnssec_set_nsec3parm(self):
+        """
+        Create a non dnssec zone and set "nsec3param"
+        """
+        name, payload, data = self.create_zone(dnssec=False)
+        r = self.session.put(self.url("/api/v1/servers/localhost/zones/" + name),
+                             data=json.dumps({'nsec3param': '1 0 1 ab'}))
+
+        self.assertEqual(r.status_code, 422)
+
     def test_create_zone_dnssec_serial(self):
         """
         Create a zone set/unset "dnssec" and see if the serial was increased
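Review bot: Both new tests stop at the status code, so neither checks that the zone is still unsigned and that no NSEC3PARAM was persisted; after the 204 and after the 422, a follow-up `r = self.session.get(self.url("/api/v1/servers/localhost/zones/" + name))` with `self.assertEqual(r.json()['nsec3param'], '')` and `self.assertEqual(r.json()['dnssec'], False)` would pin the behaviour the ws-auth.cc change is meant to guarantee. The fillZone change (hiding stale NSEC3PARAM/NSEC3NARROW metadata for unsigned zones) has no test in this hunk; a case that creates a signed zone with `nsec3param`, then sets `dnssec` to false and asserts the GET reports `nsec3param == ''`, would cover it. The method names spell `nsec3parm`; `nsec3param` would match the field they exercise, and the docstrings read better as `Create a non-DNSSEC zone and ...`.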