From: Petr Špaček
Date: Fri, 15 Mar 2019 15:32:29 +0000 (+0100)
Subject: trust_anchors: add distrust function to remove TA
X-Git-Tag: v4.0.0~15^2~23
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0ca663dc65debb99bfbdf2ad73bf5dedb7a29ec3;p=thirdparty%2Fknot-resolver.git
trust_anchors: add distrust function to remove TA
---
diff --git a/daemon/lua/trust_anchors.lua.in b/daemon/lua/trust_anchors.lua.in
index 0643763db..599098653 100644
--- a/daemon/lua/trust_anchors.lua.in
+++ b/daemon/lua/trust_anchors.lua.in
@@ -370,6 +370,20 @@ local function add_file(path, unmanaged)
 if managed then refresh_plan(keyset, 0 * sec, false) end
 end
+local function distrust(owner)
+ if not trust_anchors.keysets[owner] then
+ return false
+ end
+
+ if ta_update then
+ ta_update.stop(owner)
+ end
+ trust_anchors.keysets[owner] = nil
+ local store = kres.context().trust_anchors
+ C.kr_ta_del(store, owner)
+ return true
+end
+
 local function ta_str(owner)
 local owner_str = kres.dname2str(owner) .. ' '
 local msg = ''
@@ -415,6 +429,7 @@ trust_anchors = {
 -- If managed and the file doesn't exist, try bootstrapping the root into it.
 add_file = add_file,
 config = add_file,
+ distrust = distrust,
 keyset_write = keyset_write,
 keyset_publish = keyset_publish,
diff --git a/daemon/lua/trust_anchors.test/ta.test.lua b/daemon/lua/trust_anchors.test/ta.test.lua
index 97da60da5..e8654b763 100644
--- a/daemon/lua/trust_anchors.test/ta.test.lua
+++ b/daemon/lua/trust_anchors.test/ta.test.lua
@@ -1,3 +1,4 @@
+trust_anchors.keyfile_default = nil
 local ffi = require('ffi')
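Review bot: In `distrust` (daemon/lua/trust_anchors.lua.in, first hunk) the result of `C.kr_ta_del(store, owner)` is discarded and `trust_anchors.keysets[owner]` is cleared before the call, so the function reports `true` even if the C-side store still holds the anchor, leaving the Lua view and the validator's store out of sync. Assuming `kr_ta_del` returns a status code like other `kr_*` calls, check it before dropping the Lua entry, e.g. `assert(C.kr_ta_del(store, owner) == 0)`. Removing a trust anchor changes what the resolver validates below that name, so a log line naming the owner via `kres.dname2str(owner)` would make the change auditable. A short doc comment saying that `owner` is a wire-format name (the test passes `'\0'` for the root) and that the return value is a boolean would also help callers.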
@@ -21,8 +22,23 @@ local function test_revoked_key()
 same(root_ta.rrs.count, 1, 'the root TA set contains one RR')
 end
+local function test_distrust()
+ -- uses root key from the previous test
+ assert(trust_anchors.keysets['\0'], 'root key must be there from previous test')
+ local ta_c = kres.context().trust_anchors
+ local root_ta = ffi.C.kr_ta_get(ta_c, '\0')
+ assert(root_ta ~= nil, 'we got non-NULL TA RRset')
+ assert(root_ta.rrs.count, 1, 'we have a root TA set to be deleted')
+
+ trust_anchors.distrust('\0')
+
+ same(trust_anchors.keysets['\0'], nil, 'Lua interface does not have the removed key')
+ local root_ta = ffi.C.kr_ta_get(ta_c, '\0')
+ same(root_ta == nil, true, 'C interface does not have the removed key')
+end
 return {
- test_revoked_key()
+ test_revoked_key,
+ test_distrust
 }
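Review bot: `assert(root_ta.rrs.count, 1, 'we have a root TA set to be deleted')` in `test_distrust` compares nothing: Lua's `assert` only checks that its first argument is truthy and takes the second as the message, and a count of 0 is truthy as well, so this precondition passes even for an empty set. Use the comparison helper as the preceding test does, `same(root_ta.rrs.count, 1, 'we have a root TA set to be deleted')`. The return value of `trust_anchors.distrust('\0')` is not checked either, and the `false` branch for an owner with no keyset is not exercised; `same(trust_anchors.distrust('\0'), true, ...)` followed by a second call expecting `false` would pin both. The second `local root_ta` shadows the first and can be a plain assignment.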