From: Matthijs Mekking Date: Thu, 28 May 2026 13:06:50 +0000 (+0200) Subject: Test ACL from template X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=d47aeb96d49fb3ff43913eab98e07eb7c5c3afd2;p=thirdparty%2Fbind9.git Test ACL from template Add an acl system test case where the ACL comes from a template. It should override the ACL from the options.
---
diff --git a/bin/tests/system/acl/ns3/named.conf.j2 b/bin/tests/system/acl/ns3/named.conf.j2
index 763949c84f8..c05a0d7953a 100644
--- a/bin/tests/system/acl/ns3/named.conf.j2
+++ b/bin/tests/system/acl/ns3/named.conf.j2
@@ -21,3 +21,8 @@ key rndc_key {
 secret "1234abcd8765";
 algorithm @DEFAULT_HMAC@;
 };
+
+template "allow-xfr" {
+ type primary;
+ allow-transfer { any; };
+};
diff --git a/bin/tests/system/acl/ns3/example.db b/bin/tests/system/acl/ns3/template.db
similarity index 100%
rename from bin/tests/system/acl/ns3/example.db
rename to bin/tests/system/acl/ns3/template.db
diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
index 50ff78a0aa7..e8adeccf2cd 100644
--- a/bin/tests/system/acl/tests.sh
+++ b/bin/tests/system/acl/tests.sh
@@ -226,7 +226,8 @@ status=$((status + ret))
 echo_i "testing allow-transfer ACLs against ns3 (no existing zones)"
 echo_i "calling addzone example.com on ns3"
-$RNDCCMD 10.53.0.3 addzone 'example.com {type primary; file "example.db"; }; '
+cp ns3/template.db ns3/example.com.db
+$RNDCCMD 10.53.0.3 addzone 'example.com {type primary; file "example.com.db"; }; '
 sleep 1
 t=$((t + 1))
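Review bot: The `template "allow-xfr"` block added to ns3/named.conf.j2 has no comment saying why it opens zone transfers to `any`, so a later reader cannot tell a deliberate test fixture from an overly broad ACL. Per the commit description the template is meant to override the ACL from the options; that options-level setting is not visible in this hunk. I would put a one-line comment above the block, for example `/* Deliberately permissive: tests.sh checks that a zone using this template is transferable, i.e. that the template ACL overrides the one from options. */`.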
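Review bot: In the tests.sh hunk at old line 226, neither the new `cp ns3/template.db ns3/example.com.db` nor the `addzone` call has its exit status checked, while the check that follows expects the transfer to be refused (it is visible only as the next hunk's header, `grep "Transfer failed." ... || ret=1`). If the copy or the addzone fails, the zone presumably never loads and the AXFR is refused for that reason, so the denial check would pass without the ACL being exercised. Recording the failure closes that gap, for example `cp ns3/template.db ns3/example.com.db || status=$((status + 1))` and the same suffix on the `$RNDCCMD ... addzone` line. The test block continues outside the hunk, so the placement relative to its `ret=0` needs confirming.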
@@ -237,6 +238,32 @@ grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))
+echo_i "calling addzone allow.example on ns3"
+cp ns3/template.db ns3/allow.example.db
+$RNDCCMD 10.53.0.3 addzone 'allow.example {type primary; file "allow.example.db"; allow-transfer { any; }; }; '
+sleep 1
+
+t=$((t + 1))
+ret=0
+echo_i "checking AXFR of allow.example from ns3 with ACL allow-transfer { any; }; (${t})"
+$DIG -p ${PORT} @10.53.0.3 allow.example axfr >dig.out.${t} 2>&1
+grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
+echo_i "calling addzone template.example on ns3"
+cp ns3/template.db ns3/template.example.db
+$RNDCCMD 10.53.0.3 addzone 'template.example {file "template.example.db"; template "allow-xfr"; }; '
+sleep 1
+
+t=$((t + 1))
+ret=0
+echo_i "checking AXFR of template.example from ns3 with ACL allow-transfer from template (${t})"
+$DIG -p ${PORT} @10.53.0.3 template.example axfr >dig.out.${t} 2>&1
+grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
 echo_i "calling rndc reconfig"
 rndc_reconfig ns3 10.53.0.3
diff --git a/bin/tests/system/acl/tests_sh_acl.py b/bin/tests/system/acl/tests_sh_acl.py
index 9a6bc91e392..fc8ff379e97 100644
--- a/bin/tests/system/acl/tests_sh_acl.py
+++ b/bin/tests/system/acl/tests_sh_acl.py
@@ -18,6 +18,9 @@ pytestmark = pytest.mark.extra_artifacts(
 "ns*/_default.nzf*",
 "ns2/example.db",
 "ns2/tsigzone.db",
+ "ns3/example.com.db",
+ "ns3/allow.example.db",
+ "ns3/template.example.db",
 ]
 )
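Review bot: Both new AXFR checks in the tests.sh hunk at old line 237 assert only that "Transfer failed." is absent (`grep "Transfer failed." dig.out.${t} ... && ret=1`), so they also pass when dig never reaches ns3 or stops with some other error, because that string is missing then too. A test meant to prove that the ACL permits the transfer should assert on evidence of a completed transfer, for example by adding `grep "XFR size" dig.out.${t} >/dev/null 2>&1 || ret=1` after the existing grep; dig prints an `;; XFR size:` line at the end of a successful transfer. This matters most for the template.example case, which is the only check that the `allow-xfr` template ACL actually takes effect. The exit status of `cp` and of `$RNDCCMD ... addzone` is also ignored in both new blocks.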