From dc30b8fd2bdaf5d5141fc1f089f7531f25b27197 Mon Sep 17 00:00:00 2001 From: Pieter Lexis Date: Tue, 5 Dec 2017 11:16:25 +0100 Subject: [PATCH] API: check if TSIG key exists when adding to a zone --- pdns/ws-auth.cc | 22 ++++++++++++++++------ regression-tests.api/test_Zones.py | 26 ++++++++++++++++++++++++++ 2 files changed, 42 insertions(+), 6 deletions(-) diff --git a/pdns/ws-auth.cc b/pdns/ws-auth.cc index 6215e0302f..3598914087 100644 --- a/pdns/ws-auth.cc +++ b/pdns/ws-auth.cc @@ -720,10 +720,15 @@ static void updateDomainSettingsFromDocument(UeberBackend& B, const DomainInfo& if (!document["master_tsig_key_ids"].is_null()) { vector metadata; + DNSName keyAlgo; + string keyContent; for(auto value : document["master_tsig_key_ids"].array_items()) { - auto keyname(value.string_value()); - // XXX test if the key actually exists? - metadata.push_back(apiZoneIdToName(keyname).toString()); + auto keyname(apiZoneIdToName(value.string_value())); + B.getTSIGKey(keyname, &keyAlgo, &keyContent); + if (keyAlgo.empty() || keyContent.empty()) { + throw ApiException("A TSIG key with the name '"+keyname.toLogString()+"' does not exist"); + } + metadata.push_back(keyname.toString()); } if (!di.backend->setDomainMetadata(zonename, "TSIG-ALLOW-AXFR", metadata)) { throw ApiException("Unable to set new TSIG master keys for zone '" + zonename.toLogString() + "'"); 
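Review bot: `keyAlgo` and `keyContent` are declared outside the `for` loop and the result of `B.getTSIGKey()` is not checked, so the existence test for the second and later ids relies on getTSIGKey clearing both out-parameters on a miss, which is not visible in this hunk. If it leaves them untouched, a list holding an existing key followed by a missing one would pass the `empty()` check and the missing name would be written to `TSIG-ALLOW-AXFR`. Moving `DNSName keyAlgo; string keyContent;` inside the loop body makes every lookup start from empty values; the `slave_tsig_key_ids` hunk has the same pattern. The enclosing function starts and ends outside the hunk.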
@@ -731,10 +736,15 @@ static void updateDomainSettingsFromDocument(UeberBackend& B, const DomainInfo& } if (!document["slave_tsig_key_ids"].is_null()) { vector metadata; + DNSName keyAlgo; + string keyContent; for(auto value : document["slave_tsig_key_ids"].array_items()) { - auto keyname(value.string_value()); - // XXX test if the key actually exists? - metadata.push_back(apiZoneIdToName(keyname).toString()); + auto keyname(apiZoneIdToName(value.string_value())); + B.getTSIGKey(keyname, &keyAlgo, &keyContent); + if (keyAlgo.empty() || keyContent.empty()) { + throw ApiException("A TSIG key with the name '"+keyname.toLogString()+"' does not exist"); + } + metadata.push_back(keyname.toString()); } if (!di.backend->setDomainMetadata(zonename, "AXFR-MASTER-TSIG", metadata)) { throw ApiException("Unable to set new TSIG slave keys for zone '" + zonename.toLogString() + "'"); diff --git a/regression-tests.api/test_Zones.py b/regression-tests.api/test_Zones.py index 12c64c8fea..5b68a26996 100644 --- a/regression-tests.api/test_Zones.py +++ b/regression-tests.api/test_Zones.py 
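Review bot: The `slave_tsig_key_ids` check runs only after the `master_tsig_key_ids` block has already called `setDomainMetadata`, so a request with a valid master list and an unknown slave key is answered with an error while the `TSIG-ALLOW-AXFR` change stays applied. Settings handled earlier in the function, outside this hunk, may be affected in the same way. Resolving and checking both lists before the first write keeps a rejected request from changing which keys are allowed to transfer the zone; a shared helper along the lines below would also remove the duplicated loop.

```cpp
// Resolve and verify every key id in a list before any metadata is written.
static vector<string> checkedTSIGKeyNames(UeberBackend& B, const Json& ids) {
  vector<string> names;
  for (const auto& value : ids.array_items()) {
    DNSName keyAlgo;      // fresh per id, so an earlier hit cannot mask a miss
    string keyContent;
    auto keyname(apiZoneIdToName(value.string_value()));
    B.getTSIGKey(keyname, &keyAlgo, &keyContent);
    if (keyAlgo.empty() || keyContent.empty()) {
      throw ApiException("A TSIG key with the name '"+keyname.toLogString()+"' does not exist");
    }
    names.push_back(keyname.toString());
  }
  return names;
}
// … unchanged: the two is_null() blocks; each passes a list built by
//   checkedTSIGKeyNames() to setDomainMetadata once both lists have been checked …
```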
@@ -1634,6 +1634,32 @@ fred IN A 192.168.0.4 self.assertEquals(r.status_code, 422) self.assertIn("'rrsets' request parameter value 'foobar' is not supported", r.json()['error']) + def test_put_master_tsig_key_ids_non_existent(self): + name = unique_zone_name() + keyname = unique_zone_name().split('.')[0] + self.create_zone(name=name, kind='Native') + payload = { + 'master_tsig_key_ids': [keyname] + } + r = self.session.put(self.url('/api/v1/servers/localhost/zones/' + name), + data=json.dumps(payload), + headers={'content-type': 'application/json'}) + self.assertEquals(r.status_code, 422) + self.assertIn('A TSIG key with the name', r.json()['error']) + + def test_put_slave_tsig_key_ids_non_existent(self): + name = unique_zone_name() + keyname = unique_zone_name().split('.')[0] + self.create_zone(name=name, kind='Native') + payload = { + 'slave_tsig_key_ids': [keyname] + } + r = self.session.put(self.url('/api/v1/servers/localhost/zones/' + name), + data=json.dumps(payload), + headers={'content-type': 'application/json'}) + self.assertEquals(r.status_code, 422) + self.assertIn('A TSIG key with the name', r.json()['error']) + @unittest.skipIf(not is_auth(), "Not applicable") class AuthRootZone(ApiTestCase, AuthZonesHelperMixin): -- 2.39.5
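Review bot: Both new tests send a single unknown key, so they cannot catch a check that passes because of values left over from an earlier list entry, nor a request that is rejected after part of it was applied. A further case with an existing key followed by an unknown one in the same list, asserting 422, would cover the loop; it needs whatever fixture the suite uses to create a TSIG key, which is not visible in this hunk. It would also be worth asserting after the 422 that the zone's TSIG key ids are unchanged.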