Hello,

Disallow all zone transfers/queries if transfer/query policy configuration 
failed.

Without this patch the old policy stays in effect
if re-configuration with the new policy failed.

https://fedorahosted.org/bind-dyndb-ldap/ticket/116

--
Petr^2 Spacek
From f2f1207d16e2ae91f824c7543722bf262884fecc Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Fri, 19 Apr 2013 12:41:04 +0200
Subject: [PATCH] Disallow all zone transfers/queries if transfer/query policy
 configuration failed.

Without this patch the old policy stays in effect
if re-configuration with the new policy failed.

https://fedorahosted.org/bind-dyndb-ldap/ticket/116

Signed-off-by: Petr Spacek <pspa...@redhat.com>
---
 src/acl.c         |  7 +++++++
 src/acl.h         |  3 +++
 src/ldap_helper.c | 52 ++++++++++++++++++++++++++++++++++++++++++----------
 3 files changed, 52 insertions(+), 10 deletions(-)

diff --git a/src/acl.c b/src/acl.c
index 0adc82cebc5bc514647084f42bd8a115a88c6bb2..754cd53dc3d31b99d0954836feafbd46747c48c2 100644
--- a/src/acl.c
+++ b/src/acl.c
@@ -64,6 +64,7 @@
 #include "str.h"
 #include "util.h"
 #include "log.h"
+#include "types.h"
 
 static isc_once_t once = ISC_ONCE_INIT;
 static cfg_type_t *update_policy;
@@ -84,6 +85,12 @@ static cfg_type_t cfg_type_empty_map = {
 
 static cfg_type_t *empty_map_p = &cfg_type_empty_map;
 
+const enum_txt_assoc_t acl_type_txts[] = {
+	{ acl_type_query,	"query"		},
+	{ acl_type_transfer,	"transfer"	},
+	{ -1,			NULL		} /* end marker */
+};
+
 static cfg_type_t *
 get_type_from_tuplefield(const cfg_type_t *cfg_type, const char *name)
 {
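Review bot: The new `acl_type_txts` table has no comment tying it to `acl_type_t`, and the only thing that stops it being silently incomplete is the `{ -1, NULL }` row, whose meaning is not stated either. A header comment such as `/* Text names for acl_type_t values; every enumerator needs a row here, the { -1, NULL } row terminates the table. */` would make the maintenance rule explicit, since a value missing from this table reaches the `log_bug` / "<unknown>" path in `configure_zone_acl` in ldap_helper.c rather than a compile error. The field type of `enum_txt_assoc_t` is not visible in this patch, so whether `-1` is a clean sentinel for it cannot be confirmed from here. The hunk ends in the signature of `get_type_from_tuplefield`, whose body is outside the hunk.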
diff --git a/src/acl.h b/src/acl.h
index 7e4471bcc3624719f384d3ced54914631d1136c1..3e99490cfe614867117beb96a07e6bf9fdc72fbe 100644
--- a/src/acl.h
+++ b/src/acl.h
@@ -22,14 +22,17 @@
 #define _LD_ACL_H_
 
 #include "ldap_entry.h"
+#include "types.h"
 
 #include <dns/acl.h>
 
 typedef enum acl_type {
 	acl_type_query,
 	acl_type_transfer
 } acl_type_t;
 
+extern const enum_txt_assoc_t acl_type_txts[];
+
 isc_result_t
 acl_configure_zone_ssutable(const char *policy_str, dns_zone_t *zone);
 
diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 4d8fb084e6564597dd694a905d749870c8626c94..4bcdf5e3e400eeac3214e8e7fdc9e11a5b471ab6 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -762,6 +762,44 @@ cleanup:
 	return result;
 }
 
+static isc_result_t
+configure_zone_acl(isc_mem_t *mctx, dns_zone_t *zone,
+		void (acl_setter)(dns_zone_t *zone, dns_acl_t *acl),
+		const char *aclstr, acl_type_t type) {
+	isc_result_t result;
+	isc_result_t result2;
+	dns_acl_t *acl = NULL;
+	const char *type_txt = NULL;
+
+	result = acl_from_ldap(mctx, aclstr, type, &acl);
+	if (result != ISC_R_SUCCESS) {
+		result2 = get_enum_description(acl_type_txts, type, &type_txt);
+		if (result2 != ISC_R_SUCCESS) {
+			log_bug("invalid acl type %u", type);
+			type_txt = "<unknown>";
+		}
+
+		dns_zone_logc(zone, DNS_LOGCATEGORY_SECURITY, ISC_LOG_ERROR,
+			      "%s policy is invalid: %s; configuring most "
+			      "restrictive %s policy as possible",
+			      type_txt, isc_result_totext(result), type_txt);
+		result2 = acl_from_ldap(mctx, "", type, &acl);
+		if (result2 != ISC_R_SUCCESS) {
+			dns_zone_logc(zone, DNS_LOGCATEGORY_SECURITY, ISC_LOG_CRITICAL,
+				      "cannot configure restrictive %s policy: %s",
+				      type_txt, isc_result_totext(result2));
+			FATAL_ERROR(__FILE__, __LINE__,
+				    "insecure state detected");
+		}
+	}
+	acl_setter(zone, acl);
+
+	if (acl != NULL)
+		dns_acl_detach(&acl);
+
+	return result;
+}
+
 /* In BIND9 terminology "ssu" means "Simple Secure Update" */
 static isc_result_t
 configure_zone_ssutable(dns_zone_t *zone, const char *update_str)
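Review bot: `configure_zone_acl` has a non-obvious contract that is undocumented: on a parse failure it applies a fallback ACL built from the empty string, and then still returns the original error, so callers wrapping it in `CHECK` abort even though the zone has been left in a usable (restrictive) state. A header comment along the lines of `/* Parse aclstr and install it on zone via acl_setter. If aclstr is invalid, install the ACL parsed from "" instead (presumably deny-all) and return the original parse error; abort via FATAL_ERROR if even that cannot be built. */` would spare the next reader from re-deriving this; the claim that "" yields the most restrictive policy rests on `acl_from_ldap`, which is not in this patch. Separately, `log_bug("invalid acl type %u", type)` passes an enum to `%u`; `(unsigned)type` would keep the format and argument types matched. The trailing lines of the hunk belong to `configure_zone_ssutable`, whose body is outside the hunk.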
@@ -1346,24 +1384,18 @@ ldap_parse_master_zoneentry(ldap_entry_t *entry, ldap_instance_t *inst)
 	log_debug(2, "Setting allow-query for %p: %s", zone, dn);
 	result = ldap_entry_getvalues(entry, "idnsAllowQuery", &values);
 	if (result == ISC_R_SUCCESS) {
-		dns_acl_t *queryacl = NULL;
-		CHECK(acl_from_ldap(inst->mctx, HEAD(values)->value,
-		      acl_type_query, &queryacl));
-		dns_zone_setqueryacl(zone, queryacl);
-		dns_acl_detach(&queryacl);
+		CHECK(configure_zone_acl(inst->mctx, zone, &dns_zone_setqueryacl,
+					 HEAD(values)->value, acl_type_query));
 	} else {
 		log_debug(2, "allow-query not set");
 		dns_zone_clearqueryacl(zone);
 	}
 
 	log_debug(2, "Setting allow-transfer for %p: %s", zone, dn);
 	result = ldap_entry_getvalues(entry, "idnsAllowTransfer", &values);
 	if (result == ISC_R_SUCCESS) {
-		dns_acl_t *transferacl = NULL;
-		CHECK(acl_from_ldap(inst->mctx, HEAD(values)->value,
-		      acl_type_transfer, &transferacl));
-		dns_zone_setxfracl(zone, transferacl);
-		dns_acl_detach(&transferacl);
+		CHECK(configure_zone_acl(inst->mctx, zone, &dns_zone_setxfracl,
+					 HEAD(values)->value, acl_type_transfer));
 	} else {
 		log_debug(2, "allow-transfer not set");
 		dns_zone_clearxfracl(zone);
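Review bot: `CHECK(configure_zone_acl(...))` on the allow-query branch jumps to `cleanup` as soon as the query policy is invalid, because `configure_zone_acl` returns the original error even after installing the restrictive fallback; the allow-transfer block below it is then never reached, so an invalid query policy leaves the zone's previous transfer ACL in effect — the stale-policy situation the commit sets out to remove. The same applies in reverse only partially, since the transfer block comes last. Consider keeping the query result in a separate variable, e.g. `acl_result = configure_zone_acl(...)`, letting the transfer block run, and only `goto cleanup` with the saved error once both ACLs have been (re)applied. `ldap_parse_master_zoneentry` starts before the hunk and `cleanup` lies after it, so whether anything later compensates for this is not visible here.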
-- 
1.7.11.7
