From: Remi Gacogne Date: Sun, 19 Nov 2017 20:31:04 +0000 (+0100) Subject: dnsdist: Remove functions that relied on only one active certificate X-Git-Tag: dnsdist-1.3.0~37^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c2baf92853efa2db4536904187b9515f454bb6cf;p=thirdparty%2Fpdns.git dnsdist: Remove functions that relied on only one active certificate
---
diff --git a/pdns/dnsdist-lua-bindings.cc b/pdns/dnsdist-lua-bindings.cc
index 7889973462..a317e79d16 100644
--- a/pdns/dnsdist-lua-bindings.cc
+++ b/pdns/dnsdist-lua-bindings.cc
@@ -319,6 +319,7 @@ void setupLuaBindings(bool client)
 return result;
 });
+ g_lua.registerFunction(std::shared_ptr::*)(size_t idx)>("getCertificatePair", [](std::shared_ptr ctx, size_t idx) {
 if (ctx == nullptr) { 
@@ -334,52 +335,18 @@ void setupLuaBindings(bool client)
 return result;
 });
- g_lua.registerFunction::*)()>("getCurrentCertificate", [](std::shared_ptr ctx) {
-
- if (ctx == nullptr) {
- throw std::runtime_error("DNSCryptContext::getCurrentCertificate() called on a nil value");
- }
-
- auto pairs = ctx->getCertificates();
- for (const auto& pair : pairs) {
- if (pair->active) {
- return pair->cert;
- }
- }
-
- throw std::runtime_error("This context has no active certificate");
- });
-
- g_lua.registerFunction::*)()>("getOldCertificate", [](std::shared_ptr ctx) {
+ g_lua.registerFunction::*)(size_t idx)>("getCertificate", [](std::shared_ptr ctx, size_t idx) {
 if (ctx == nullptr) {
- throw std::runtime_error("DNSCryptContext::getOldCertificate() called on a nil value");
+ throw std::runtime_error("DNSCryptContext::getCertificate() called on a nil value");
 }
 auto pairs = ctx->getCertificates();
- for (const auto& pair : pairs) {
- if (!pair->active) {
- return pair->cert;
- }
- }
-
- throw std::runtime_error("This context has no inactive certificate");
- });
-
- g_lua.registerFunction::*)()>("hasOldCertificate", [](std::shared_ptr ctx) {
-
- if (ctx == nullptr) {
- throw std::runtime_error("DNSCryptContext::hasOldCertificate() called on a nil value");
- }
-
- auto pairs = ctx->getCertificates();
- for (const auto& pair : pairs) {
- if (!pair->active) {
- return true;
- }
+ if (idx < pairs.size()) {
+ return pairs.at(idx)->cert;
 }
- return false;
+ throw std::runtime_error("This DNSCrypt context has no certificate at index " + std::to_string(idx));
 });
 g_lua.registerFunction::*)()>("printCertificates", [](const std::shared_ptr ctx) {
diff --git a/pdns/dnsdistdist/docs/reference/dnscrypt.rst b/pdns/dnsdistdist/docs/reference/dnscrypt.rst
index a119ae7a36..9e67e999a2 100644
--- a/pdns/dnsdistdist/docs/reference/dnscrypt.rst
+++ b/pdns/dnsdistdist/docs/reference/dnscrypt.rst 
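Review bot: In the new getCertificate lambda the explicit `if (idx < pairs.size())` guard and the checked `pairs.at(idx)` duplicate each other; with the guard already turning an out-of-range index into the descriptive runtime_error below it, the access can be `return pairs[idx]->cert;`, or the guard can go and `at()`'s std::out_of_range surface instead — the explicit message naming the index is the more useful of the two for console users, so keeping the guard and dropping `at()` seems preferable. Because the index is now the only handle Lua code has on a certificate, the binding (or the docs) should say whether that index is stable across loadNewCertificate and certificate removal; nothing in the hunk shows how getCertificates() orders its result, so that is a question rather than a claim. The lambda also takes the context shared_ptr by value, an atomic refcount bump per call where a const reference would do; the printCertificates binding below at least marks its parameter const (the template arguments are stripped in this rendering, so the exact types are not visible). The enclosing setupLuaBindings body starts and ends outside the hunk.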
@@ -144,47 +144,32 @@ Context
 :param int end: Unix timestamp from until the certificate is valid
 :param DNSCryptExchangeVersion version: The exchange version to use. Possible values are ``DNSCryptExchangeVersion::VERSION1`` (default, X25519-XSalsa20Poly1305) and ``DNSCryptExchangeVersion::VERSION2`` (X25519-XChacha20Poly1305)
- .. method:: DNSCryptContext:getCertificatePair(index) -> DNSCryptCertificatePair
+ .. method:: DNSCryptContext:getCertificate(index) -> DNSCryptCert
 .. versionadded:: 1.3.0
- Return the certificate pair with index `index`.
+ Return the certificate with index `index`.
 :param int index: The index of the certificate, starting at 0
- .. method:: DNSCryptContext:getCertificatePair(index) -> table of DNSCryptCertificatePair
+ .. method:: DNSCryptContext:getCertificatePair(index) -> DNSCryptCertificatePair
 .. versionadded:: 1.3.0
- Return a table of certificate pairs.
-
- .. method:: DNSCryptContext:getCurrentCertificate() -> DNSCryptCert
-
- .. deprecated:: 1.3.0
+ Return the certificate pair with index `index`.
- Return the current certificate. Deprecated as of 1.3.0 since more than one active certificate
- is now supported. For compatibility, it will return the first active certificate.
+ :param int index: The index of the certificate, starting at 0
- .. method:: DNSCryptContext:getOldCertificate() -> DNSCryptCert
+ .. method:: DNSCryptContext:getCertificatePair(index) -> table of DNSCryptCertificatePair
- .. deprecated:: 1.3.0
+ .. versionadded:: 1.3.0
- Return the previous certificate. Deprecated as of 1.3.0 since more than one inactive certificate
- is now supported. For compatibility, it will return the first inactive certificate.
+ Return a table of certificate pairs.
 .. method:: DNSCryptContext:getProviderName() -> string
 Return the provider name
- .. method:: DNSCryptContext:hasOldCertificate() -> bool
-
- .. deprecated:: 1.3.0
-
- Whether or not the context has a previous certificate, from a certificate rotation. 
Since
- 1.3.0 several certificates active and inactive certificates can be used at the same time,
- so this function is deprecated. In order to keep compatibility this function will simply
- return `true` if at least one inactive certificate is configured.
-
 .. method:: DNSCryptContext:loadNewCertificate(certificate, keyfile[, active])
 .. versionchanged:: 1.3.0
diff --git a/regression-tests.dnsdist/test_DNSCrypt.py b/regression-tests.dnsdist/test_DNSCrypt.py
index 376140d804..08a021029f 100644
--- a/regression-tests.dnsdist/test_DNSCrypt.py
+++ b/regression-tests.dnsdist/test_DNSCrypt.py
@@ -140,13 +140,13 @@ class TestDNSCrypt(DNSCryptTest):
 # add that new certificate
 self.sendConsoleCommand("getDNSCryptBind(0):loadNewCertificate('DNSCryptResolver.cert.2', 'DNSCryptResolver.key.2')")
- oldSerial = self.sendConsoleCommand("getDNSCryptBind(0):getCertificatePair(0):getCertificate():getSerial()")
+ oldSerial = self.sendConsoleCommand("getDNSCryptBind(0):getCertificate(0):getSerial()")
 self.assertEquals(int(oldSerial), self._resolverCertificateSerial)
- effectiveSerial = self.sendConsoleCommand("getDNSCryptBind(0):getCertificatePair(1):getCertificate():getSerial()")
+ effectiveSerial = self.sendConsoleCommand("getDNSCryptBind(0):getCertificate(1):getSerial()")
 self.assertEquals(int(effectiveSerial), self._resolverCertificateSerial + 1)
- tsStart = self.sendConsoleCommand("getDNSCryptBind(0):getCertificatePair(1):getCertificate():getTSStart()")
+ tsStart = self.sendConsoleCommand("getDNSCryptBind(0):getCertificate(1):getTSStart()")
 self.assertEquals(int(tsStart), self._resolverCertificateValidFrom)
- tsEnd = self.sendConsoleCommand("getDNSCryptBind(0):getCertificatePair(1):getCertificate():getTSEnd()")
+ tsEnd = self.sendConsoleCommand("getDNSCryptBind(0):getCertificate(1):getTSEnd()")
 self.assertEquals(int(tsEnd), self._resolverCertificateValidUntil)
 # we should still be able to send queries with the previous certificate
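Review bot: After this change the test tells the two certificates apart purely by index (0 carries the old serial, 1 the new one) but never asserts which of them is active, and the same commit removes getCurrentCertificate and hasOldCertificate, the only console functions that exercised that distinction. If the DNSCryptCertificatePair binding exposes its `active` field (the C++ hunk reads `pair->active`, but the Lua-side accessor is not visible here), an assertion after loadNewCertificate that the pair at index 1 is active and the pair at index 0 still serves queries would catch a rotation that loads a certificate without activating it. As written, the name `effectiveSerial` promises more than the serial comparison on the following line checks. The enclosing test method begins before the hunk.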