From: Pieter Lexis
Date: Wed, 15 Jul 2020 15:50:45 +0000 (+0200)
Subject: Auth API: Allow removal of NSEC3PARAM metadata
X-Git-Tag: rec-4.4.0-beta1~40^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=df434f42c4a59b5f7d070baa65515ef0e0441897;p=thirdparty%2Fpdns.git

Auth API: Allow removal of NSEC3PARAM metadata

Before, it was possible to set nsec3params, but an API user was never able to switch back to NSEC.
---

diff --git a/pdns/ws-auth.cc b/pdns/ws-auth.cc
index 93a4c26251..4feb89b81f 100644
--- a/pdns/ws-auth.cc
+++ b/pdns/ws-auth.cc
@@ -680,6 +680,8 @@ static void updateDomainSettingsFromDocument(UeberBackend& B, const DomainInfo&
   bool shouldRectify = false;
   bool dnssecInJSON = false;
   bool dnssecDocVal = false;
+  bool nsec3paramInJSON = false;
+  string nsec3paramDocVal;
 
   try {
     dnssecDocVal = boolFromJson(document, "dnssec");
@@ -687,6 +689,13 @@ static void updateDomainSettingsFromDocument(UeberBackend& B, const DomainInfo&
   }
   catch (const JsonException&) {}
 
+  try {
+    nsec3paramDocVal = stringFromJson(document, "nsec3param");
+    nsec3paramInJSON = true;
+  }
+  catch (const JsonException&) {}
+
+
   bool isDNSSECZone = dk.isSecuredZone(zonename);
 
   if (dnssecInJSON) {
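Review bot: The `catch (const JsonException&) {}` after the new `stringFromJson(document, "nsec3param")` call treats a present-but-non-string value the same as an absent key if stringFromJson raises JsonException in both cases (this hunk does not show which it does), so a client sending `"nsec3param": null` or a number would have that field silently ignored instead of rejected. If the helper already distinguishes the two, a comment such as `// only an absent key lands here; a non-string value is rejected by stringFromJson` would make that explicit; otherwise consider testing `document["nsec3param"].is_string()` before the call so malformed input produces an error. The two added empty lines after the catch leave a double blank line before `isDNSSECZone`. updateDomainSettingsFromDocument starts before and ends after this hunk.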
@@ -737,19 +746,30 @@ static void updateDomainSettingsFromDocument(UeberBackend& B, const DomainInfo&
     }
   }
 
-  if(document["nsec3param"].string_value().length() > 0) {
+  if (nsec3paramInJSON) {
     shouldRectify = true;
-    NSEC3PARAMRecordContent ns3pr(document["nsec3param"].string_value());
-    string error_msg = "";
     if (!isDNSSECZone) {
       throw ApiException("NSEC3PARAMs provided for zone '"+zonename.toString()+"', but zone is not DNSSEC secured.");
     }
-    if (!dk.checkNSEC3PARAM(ns3pr, error_msg)) {
-      throw ApiException("NSEC3PARAMs provided for zone '"+zonename.toString()+"' are invalid. " + error_msg);
+
+    if (nsec3paramDocVal.length() == 0) {
+      // Switch to NSEC
+      if (!dk.unsetNSEC3PARAM(zonename)) {
+        throw ApiException("Unable to remove NSEC3PARAMs from zone '" + zonename.toString());
+      }
     }
-    if (!dk.setNSEC3PARAM(zonename, ns3pr, boolFromJson(document, "nsec3narrow", false))) {
-      throw ApiException("NSEC3PARAMs provided for zone '" + zonename.toString() +
-        "' passed our basic sanity checks, but cannot be used with the current backend.");
+
+    if (nsec3paramDocVal.length() > 0) {
+      // Set the NSEC3PARAMs
+      NSEC3PARAMRecordContent ns3pr(nsec3paramDocVal);
+      string error_msg = "";
+      if (!dk.checkNSEC3PARAM(ns3pr, error_msg)) {
+        throw ApiException("NSEC3PARAMs provided for zone '"+zonename.toString()+"' are invalid. " + error_msg);
+      }
+      if (!dk.setNSEC3PARAM(zonename, ns3pr, boolFromJson(document, "nsec3narrow", false))) {
+        throw ApiException("NSEC3PARAMs provided for zone '" + zonename.toString() +
+          "' passed our basic sanity checks, but cannot be used with the current backend.");
+      }
     }
   }
 
diff --git a/regression-tests.api/test_Zones.py b/regression-tests.api/test_Zones.py
index 09c1844dc4..2fbc4cdaf5 100644
--- a/regression-tests.api/test_Zones.py
+++ b/regression-tests.api/test_Zones.py
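Review bot: The message in the new unset branch is missing its closing quote: `"Unable to remove NSEC3PARAMs from zone '" + zonename.toString()` produces `...from zone 'example.org` while every sibling message in this function closes the name with `'`; change it to `throw ApiException("Unable to remove NSEC3PARAMs from zone '" + zonename.toString() + "'");`. Less clear-cut: the `if (!isDNSSECZone)` guard now also fires for `"nsec3param": ""`, so a client clearing params on an unsigned zone is told that NSEC3PARAMs were "provided" although none were; either treat the empty value on an unsigned zone as a no-op or reword the message for that case. `isDNSSECZone` is computed above this hunk, before the `dnssecInJSON` block, so if that block can secure the zone in the same request and does not update the flag, the value used here would be stale (that code is outside the hunk). The `length() == 0` and `length() > 0` tests are mutually exclusive and read more clearly as a single `if/else`. updateDomainSettingsFromDocument begins before this hunk.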
@@ -539,6 +539,21 @@ class AuthZones(ApiTestCase, AuthZonesHelperMixin):
         self.assertEquals(data['kind'], 'NSEC3NARROW')
         self.assertEquals(data['metadata'][0], '1')
 
+    def test_create_zone_with_nsec3param_switch_to_nsec(self):
+        """
+        Create a zone with "nsec3param", then remove the params
+        """
+        name, payload, data = self.create_zone(dnssec=True,
+                                               nsec3param='1 0 1 ab')
+        self.session.put(self.url("/api/v1/servers/localhost/zones/" + name),
+                         data=json.dumps({'nsec3param': ''}))
+        r = self.session.get(
+            self.url("/api/v1/servers/localhost/zones/" + name))
+        data = r.json()
+
+        self.assertEquals(r.status_code, 200)
+        self.assertEquals(data['nsec3param'], '')
+
     def test_create_zone_dnssec_serial(self):
         """
         Create a zone set/unset "dnssec" and see if the serial was increased
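Review bot: The PUT that clears the params in the new test (`self.session.put(self.url(... + name), data=json.dumps({'nsec3param': ''}))`) is issued without checking its response, so a rejected update only surfaces indirectly at the final `data['nsec3param']` assertion and the server's actual status and error body are lost. Capture it as `r = self.session.put(...)` and assert on `r.status_code` (the success code this endpoint returns) before issuing the GET, so a failure points at the removal rather than at the read-back. The docstring could also state the expected outcome, e.g. `Create a zone with "nsec3param", PUT an empty value and verify the zone reports no nsec3param`.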