// Secret of the TSIG key (required) in base-64.
"secret": "LSWXnfkKZjdPJI5QxlpnfQ=="
+ },
+ {
+ "name": "d2.sha1.key",
+ "algorithm": "HMAC-SHA1",
+
+ // An alternative to secret: specify a file where the secret
+ // can be found. i.e. the secret is the content of the file.
+ "secret-file": "/tmp/d2-sha1-secret"
}
],
"algorithm": "HMAC-SHA1",
"secret": "hRrp29wzUv3uzSNRLlY68w=="
},
+ {
+ "name": "d2.sha256.key",
+ "algorithm": "HMAC-SHA256",
+ "secret-file": "/tmp/d2-sha256-secret"
+ },
{
"name": "d2.sha512.key",
"algorithm": "HMAC-SHA512",
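Review bot: The added `"secret-file": "/tmp/d2-sha256-secret"` places a TSIG secret in a world-writable directory, and the same pattern appears in the earlier `"secret-file": "/tmp/d2-sha1-secret"` entry and in the later `d2.sha256.key` entry that carries `"digest-bits": 0`. In /tmp any local account can create that file name first, so D2 could end up loading a key it did not provision, and a file created under a default umask may be readable by other users. The documentation hunk describes `secret-file` as the more secure alternative, which holds only when the file lives in a directory owned by the account running D2 and has owner-only permissions. Because example configurations tend to be copied into deployments, I would point the examples at a path under the Kea configuration directory, e.g. `"secret-file": "<kea-config-dir>/d2-sha256-secret"` (placeholder path), and, where the file accepts comments, add `// The file must be readable only by the user running D2.` The enclosing key list starts and ends outside this hunk.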
key. This value is case-sensitive and must exactly match the value
specified on the DNS server(s). It is a base64-encoded text value.
+- ``secret-file`` - since Kea 2.5.8 a more secure alternative is supported:
+ specify a file name where the secret can be found, i.e. the base64-encoded
+ secret is the content of the file.
+
As an example, suppose that a domain D2 will be updating is maintained
by a BIND 9 DNS server, which requires dynamic updates to be secured
with TSIG. Suppose further that the entry for the TSIG key in BIND 9's
(key->getName() == name) &&
(key->getAlgorithm() == algorithm) &&
(key->getDigestbits() == digestbits) &&
- (key->getSecret() == secret) &&
+ (key->getSecret() == secret) &&
(key->getTSIGKey())));
}
void addKey(const std::string& name, const std::string& algorithm,
const std::string& secret) {
TSIGKeyInfoPtr key_info(new TSIGKeyInfo(name, algorithm, secret));
- (*keys_)[name]=key_info;
+ (*keys_)[name] = key_info;
}
/// @brief Adds DDNS Domain values to the given DDNS Domain element
configs.push_back("sample1.json");
configs.push_back("template.json");
- for (int i = 0; i<configs.size(); i++) {
+ for (size_t i = 0; i < configs.size(); ++i) {
testFile(string(CFG_EXAMPLES) + "/" + configs[i]);
}
}
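Review bot: The counter in the loop over `configs` is used only to read `configs[i]`, so a range-based loop would drop the index and with it the signed/unsigned comparison this change fixes by hand: `for (const auto& config : configs) {` followed by `testFile(string(CFG_EXAMPLES) + "/" + config);`. The enclosing test body starts outside this hunk, so the container type is inferred from the `push_back` calls rather than seen.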
"name": "d2.sha1.key",
"secret": "hRrp29wzUv3uzSNRLlY68w=="
},
+ {
+ "algorithm": "HMAC-SHA256",
+ "digest-bits": 0,
+ "name": "d2.sha256.key",
+ "secret-file": "/tmp/d2-sha256-secret"
+ },
{
"algorithm": "HMAC-SHA512",
"digest-bits": 256,