From: Otto Moerbeek
Date: Thu, 18 Jul 2024 07:48:12 +0000 (+0200)
Subject: rec: allow_notify should be processed for forward_zones and forward_zones_recurse
X-Git-Tag: rec-5.2.0-alpha1~42^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F14506%2Fhead;p=thirdparty%2Fpdns.git

rec: allow_notify should be processed for forward_zones and forward_zones_recurse

For ForwardZones it was only processed if reading from a forward_zones_file.
---
diff --git a/pdns/recursordist/settings/cxxsupport.cc b/pdns/recursordist/settings/cxxsupport.cc
index 1a4d59d9f5..f8345b4918 100644
--- a/pdns/recursordist/settings/cxxsupport.cc
+++ b/pdns/recursordist/settings/cxxsupport.cc
@@ -310,6 +310,15 @@ void pdns::settings::rec::processAPIDir(const string& includeDirOnCommandLine, p
   possiblyConvertForwardsandAuths(includeDir, apiDir, log);
 }
 
+static void addToAllowNotifyFor(Recursorsettings& settings, const rust::Vec<::pdns::rust::settings::rec::ForwardZone>& vec)
+{
+  for (const auto& item : vec) {
+    if (item.notify_allowed) {
+      settings.incoming.allow_notify_for.emplace_back(item.zone);
+    }
+  }
+}
+
 pdns::settings::rec::YamlSettingsStatus pdns::settings::rec::readYamlSettings(const std::string& configname, const std::string& includeDirOnCommandLine, Recursorsettings& settings, std::string& msg, Logr::log_t log)
 {
   auto file = ifstream(configname);
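Review bot: `addToAllowNotifyFor` has no header comment, and the field it reads, `notify_allowed`, is spelled differently from the `allow_notify` key that docs-new-preamble-in.rst documents for a forward zone in this same commit, while the table.py `versionchanged` text uses `notify_allowed`; one of the two spellings is presumably wrong, and an operator who follows the wrong one would presumably not get the zone accepted for NOTIFY, so the docs should be reconciled against the Rust struct field. A comment above the function such as `// Append every forward zone flagged notify_allowed to incoming.allow_notify_for; zones read from a forward_zones_file are handled elsewhere.` would also record why a forward-zone flag ends up in an incoming-section setting. The loop itself is straightforward; how the resulting list is consumed is outside this hunk.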
@@ -328,6 +337,11 @@ pdns::settings::rec::YamlSettingsStatus pdns::settings::rec::readYamlSettings(co
   for (const auto& yamlfile : yamlFiles) {
     mergeYamlSubFile(yamlfile, yamlstruct, false, log);
   }
+  // Add the zones with notify_allowed to allow_notify_for. For a forward_zones_file that will be
+  // taken care of elsewhere. One drawback: the zones will be shown in allow_notify_for if you
+  // run --config, while they aren't actually there in any config file.
+  addToAllowNotifyFor(yamlstruct, yamlstruct.recursor.forward_zones);
+  addToAllowNotifyFor(yamlstruct, yamlstruct.recursor.forward_zones_recurse);
   yamlstruct.validate();
   settings = std::move(yamlstruct);
   return YamlSettingsStatus::OK;
diff --git a/pdns/recursordist/settings/docs-new-preamble-in.rst b/pdns/recursordist/settings/docs-new-preamble-in.rst
index df5a08ae5b..94aa4a222a 100644
--- a/pdns/recursordist/settings/docs-new-preamble-in.rst
+++ b/pdns/recursordist/settings/docs-new-preamble-in.rst
@@ -160,7 +160,7 @@ A forward zone is defined as: - Socket Address - ... recurse: Boolean, default false - allow_notify: Boolean, default false + allow_notify: Boolean, default false An example of a ``forward_zones`` entry, which consists of a sequence of `Forward Zone`_ entries:
diff --git a/pdns/recursordist/settings/table.py b/pdns/recursordist/settings/table.py
index 1262b51132..f3060219c5 100644
--- a/pdns/recursordist/settings/table.py
+++ b/pdns/recursordist/settings/table.py
@@ -1084,6 +1084,7 @@ To prevent this, add a Negative Trust Anchor (NTA) for this zone in the :ref:`se If this forwarded zone is signed, instead of adding NTA, add the DS record to the :ref:`setting-lua-config-file`. See the :doc:`dnssec` information. ''', + 'versionchanged' : ('5.2.0', 'Zones having ``notify_allowed`` set will be added to :ref:`setting-yaml-incoming.allow_notify_for`.') }, { 'name' : 'forward_zones_file',
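Review bot: The two `addToAllowNotifyFor` calls append unconditionally, so a zone named in both `forward_zones` and `forward_zones_recurse`, or already listed under `incoming.allow_notify_for`, is pushed onto the vector a second time before `yamlstruct.validate()` runs. Whether duplicates are harmless depends on how `allow_notify_for` is consumed and on what `validate()` checks, neither of which is visible here; if they are tolerated, extending the new comment with `// Duplicates with an explicit allow_notify_for entry are expected and harmless.` saves the next reader that check, otherwise a membership test before the `emplace_back` is needed. Showing the merged list under `--config`, as the comment notes, is at least useful for an operator auditing which zones are accepted for NOTIFY. The enclosing `readYamlSettings` starts and ends outside this hunk.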
diff --git a/regression-tests.recursor-dnssec/test_Notify.py b/regression-tests.recursor-dnssec/test_Notify.py
index 7b65e1dda4..2caf99c501 100644
--- a/regression-tests.recursor-dnssec/test_Notify.py
+++ b/regression-tests.recursor-dnssec/test_Notify.py
@@ -20,18 +20,25 @@ class NotifyTest(RecursorTest):
     _wsPassword = 'secretpassword'
     _apiKey = 'secretapikey'
     _config_template = """
-        disable-packetcache=yes
-        auth-zones=example=configs/%s/example.zone
-        allow-notify-from=127.0.0.1
-        allow-notify-for=example
-        quiet=no
-        loglevel=9
-        webserver=yes
-        webserver-port=%d
-        webserver-address=127.0.0.1
-        webserver-password=%s
-        api-key=%s
-        """ % (_confdir, _wsPort, _wsPassword, _apiKey)
+packetcache:
+  disable: true
+recursor:
+  auth_zones:
+    - zone: example
+      file: configs/%s/example.zone
+incoming:
+  allow_notify_from: [127.0.0.1]
+  allow_notify_for: ['example']
+logging:
+  quiet: false
+  loglevel: 9
+webservice:
+  webserver: true
+  port: %d
+  address: 127.0.0.1
+  password: %s
+  api_key: %s
+""" % (_confdir, _wsPort, _wsPassword, _apiKey)
 
     @classmethod
     def generateRecursorConfig(cls, confdir):
@@ -46,7 +53,7 @@ d 3600 IN A 192.0.2.42
 e 3600 IN A 192.0.2.42
 f 3600 IN CNAME f ; CNAME loop: dirty trick to get a ServFail in an authzone
 """.format(soa=cls._SOA))
-        super(NotifyTest, cls).generateRecursorConfig(confdir)
+        super(NotifyTest, cls).generateRecursorYamlConfig(confdir)
 
     def checkRecordCacheMetrics(self, expectedHits, expectedMisses):
         headers = {'x-api-key': self._apiKey}
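Review bot: The converted template keeps `auth_zones` together with an explicit `allow_notify_for: ['example']`, so nothing in this diff exercises the behaviour the commit message describes: a `forward_zones` or `forward_zones_recurse` entry with the notify flag set and no explicit `allow_notify_for`. A second config variant with such a forward zone, asserting that a NOTIFY for it is now accepted, would pin the fix in cxxsupport.cc; as it stands a regression there stays invisible to this suite. The enclosing `NotifyTest` class continues outside the hunk.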