From: Aleš Mrázek Date: Fri, 2 Jun 2023 13:30:35 +0000 (+0200) Subject: manager: datamodel: forward: allow list for pin_sha256 X-Git-Tag: v6.0.1~11^2^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=77d66cdc528f4529c6a6686b158884476b3c8b9a;p=thirdparty%2Fknot-resolver.git manager: datamodel: forward: allow list for pin_sha256
---
diff --git a/manager/knot_resolver_manager/datamodel/forward_schema.py b/manager/knot_resolver_manager/datamodel/forward_schema.py
index 2f7e07ead..df30229d7 100644
--- a/manager/knot_resolver_manager/datamodel/forward_schema.py
+++ b/manager/knot_resolver_manager/datamodel/forward_schema.py
@@ -21,10 +21,14 @@ class ForwardServerSchema(ConfigSchema):
 address: ListOrItem[IPAddressOptionalPort]
 transport: Optional[Literal["tls"]] = None
- pin_sha256: Optional[str] = None
+ pin_sha256: Optional[ListOrItem[str]] = None
 hostname: Optional[DomainName] = None
 ca_file: Optional[FilePath] = None
+ def _validate(self) -> None:
+ if self.pin_sha256 and (self.hostname or self.ca_file):
+ ValueError("'pin-sha256' cannot be configurad together with 'hostname' or 'ca-file'")
+
 class ForwardOptionsSchema(ConfigSchema):
 """
diff --git a/manager/knot_resolver_manager/datamodel/templates/macros/forward_macros.lua.j2 b/manager/knot_resolver_manager/datamodel/templates/macros/forward_macros.lua.j2
index 4736b01d9..f67773242 100644
--- a/manager/knot_resolver_manager/datamodel/templates/macros/forward_macros.lua.j2
+++ b/manager/knot_resolver_manager/datamodel/templates/macros/forward_macros.lua.j2
@@ -1,4 +1,4 @@
-{% from 'macros/common_macros.lua.j2' import boolean %}
+{% from 'macros/common_macros.lua.j2' import boolean, string_table %}
 {% macro forward_options(options) -%}
 {dnssec={{ boolean(options.dnssec) }},auth={{ boolean(options.authoritative) }}}
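Review bot: The new `_validate` in forward_schema.py constructs the `ValueError` but never raises it, so a config that sets `pin-sha256` together with `hostname` or `ca-file` is still accepted and the check has no effect. The line should read `raise ValueError("'pin-sha256' cannot be configured together with 'hostname' or 'ca-file'")`, which also fixes the "configurad" typo in the message. Because this check decides how the upstream's TLS certificate is authenticated, a unit test asserting that the combination is rejected would be worth adding; none is visible in this commit. The widened `Optional[ListOrItem[str]]` also still accepts any string as a pin, so a format check for a base64-encoded SHA-256 digest would catch malformed pins when the config is loaded.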
@@ -16,6 +16,9 @@ tls=false,
 {%- if server.hostname -%}
 hostname='{{ server.hostname }}',
 {%- endif -%}
+{%- if server.pin_sha256 -%}
+pin_sha256={{ string_table(server.pin_sha256) }},
+{%- endif -%}
 {%- if server.ca_file -%}
 ca_file='{{ server.ca_file }}',
 {%- endif -%}
diff --git a/manager/tests/unit/datamodel/templates/test_common_macros.py b/manager/tests/unit/datamodel/templates/test_common_macros.py
index 611cb14db..d730fb9da 100644
--- a/manager/tests/unit/datamodel/templates/test_common_macros.py
+++ b/manager/tests/unit/datamodel/templates/test_common_macros.py
@@ -78,5 +78,5 @@ def test_tls_servers_table():
 assert tmpl.render(x=[d.address, t[1].address]) == f"{{'{d.address}','{t[1].address}',}}"
 assert (
 tmpl.render(x=t)
- == f"{{{{'{d.address}',hostname='{d.hostname}',ca_file='{d.ca_file}',}},{{'{t[1].address}',pin_sha256='{t[1].pin_sha256}',}},}}"
+ == f"{{{{'{d.address}',hostname='{d.hostname}',ca_file='{d.ca_file}',}},{{'{t[1].address}',pin_sha256={{'{t[1].pin_sha256}',}}}},}}"
 )
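Review bot: The added `pin_sha256={{ string_table(server.pin_sha256) }},` line in forward_macros.lua.j2 writes schema values typed as plain `str` into the generated Lua, and the quoting done by `string_table` is not visible in this diff. Confirm that the macro escapes quotes and backslashes, or constrain the pin type in the schema, so a malformed pin cannot break or change the generated configuration. The enclosing macro starts and ends outside the hunk. The updated expectation in test_common_macros.py renders only a single pin, so a case with a list of two pins would exercise the new list form.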