Re: [Freeipa-devel] [PATCH] 47 Validate that the reverse DNS record is correct
Adam Tkac wrote:
> On Wed, Feb 16, 2011 at 05:26:55PM +0100, Jan Zeleny wrote:
> > Adam Tkac wrote:
> > > On Wed, Feb 16, 2011 at 10:53:14AM +0100, Jan Zelený wrote:
> > > > This patch ensures that PTR records added by FreeIPA are compliant with
> > > > RFC.
> > >
> > > Nack.
> > >
> > > In my opinion the _ptrrecord_pre_callback should also handle PTR records
> > > for IPv6 addresses.
> > >
> > > You can check validity of IPv6 PTR record this way (pseudocode):
> > >
> > > zone.replace(.ip6.arpa., '')
> > > if (len(addr.split('.')) + len(zone.split('.')) != 32)
> > >     raise_error
> > >
> > > Regards, Adam
> >
> > Thanks for the review, I made the changes you suggested. Second patch is in
> > attachment.
>
> Thanks for improvement, now it looks fine for me. Ack.
>
> Regards, Adam

From a01180772ab9ce9409532892e81f03ea7fc2582a Mon Sep 17 00:00:00 2001 From: Jan Zeleny Date: Wed, 16 Feb 2011 04:47:36 -0500 Subject: [PATCH] Validate that the reverse DNS record is correct This patch ensures that PTR records added by FreeIPA are compliant with RFC. https://fedorahosted.org/freeipa/ticket/839 --- ipalib/plugins/dns.py | 16 1 files changed, 16 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index 592945f78c59877fada5fa6c40eee3b1acb564b2..f50dd51f28f0ff59c8d1fe84730de302d9855467 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py
@@ -619,6 +619,22 @@ class dnsrecord_add(LDAPCreate, dnsrecord_cmd_w_record_options): is_ns_rec_resolvable(ns) return dn +def _ptrrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options): +components = dn.split(',',2) +addr = components[0].split('=')[1] +zone = components[1].split('=')[1] +if zone.find('ip6') != -1: +zone = zone.replace('.ip6.arpa.','') +zone_len = 32 +else: +zone = zone.replace('.in-addr.arpa.','') +zone_len = 4 + +if len(addr.split('.'))+len(zone.split('.')) != zone_len: +raise errors.ValidationError(name='cn', error=unicode('IP address must have exactly '+str(zone_len)+' components')) + +return dn + def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): for rtype in options: rtype_cb = '_%s_pre_callback' % rtype -- 1.7.4 ack as well pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
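Review bot: the final test in _ptrrecord_pre_callback only counts labels (len(addr.split('.'))+len(zone.split('.')) != zone_len), so a name such as www.3 in zone 2.1.in-addr.arpa. passes although it encodes no address, and empty labels are counted as components too. Suggest also checking each label: a decimal octet 0-255 under in-addr.arpa, a single hex digit under ip6.arpa. Separately, addr and zone are recovered with dn.split(',',2) and split('=')[1], which goes wrong if an RDN value contains an escaped comma or an equals sign; an LDAP DN parser would be safer than str.split here.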
Re: [Freeipa-devel] [PATCH] 47 Validate that the reverse DNS record is correct
On Wed, Feb 16, 2011 at 05:26:55PM +0100, Jan Zeleny wrote:
> Adam Tkac wrote:
> > On Wed, Feb 16, 2011 at 10:53:14AM +0100, Jan Zelený wrote:
> > > This patch ensures that PTR records added by FreeIPA are compliant with
> > > RFC.
> >
> > Nack.
> >
> > In my opinion the _ptrrecord_pre_callback should also handle PTR records
> > for IPv6 addresses.
> >
> > You can check validity of IPv6 PTR record this way (pseudocode):
> >
> > zone.replace(.ip6.arpa., '')
> > if (len(addr.split('.')) + len(zone.split('.')) != 32)
> >     raise_error
> >
> > Regards, Adam
>
> Thanks for the review, I made the changes you suggested. Second patch is in
> attachment.

Thanks for improvement, now it looks fine for me. Ack.

Regards, Adam

> From a01180772ab9ce9409532892e81f03ea7fc2582a Mon Sep 17 00:00:00 2001 > From: Jan Zeleny > Date: Wed, 16 Feb 2011 04:47:36 -0500 > Subject: [PATCH] Validate that the reverse DNS record is correct > > This patch ensures that PTR records added by FreeIPA are compliant with > RFC. > > https://fedorahosted.org/freeipa/ticket/839 > --- > ipalib/plugins/dns.py | 16 > 1 files changed, 16 insertions(+), 0 deletions(-) > > diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py > index > 592945f78c59877fada5fa6c40eee3b1acb564b2..f50dd51f28f0ff59c8d1fe84730de302d9855467 > 100644 > --- a/ipalib/plugins/dns.py > +++ b/ipalib/plugins/dns.py
> @@ -619,6 +619,22 @@ class dnsrecord_add(LDAPCreate, > dnsrecord_cmd_w_record_options): > is_ns_rec_resolvable(ns) > return dn > > +def _ptrrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, > **options): > +components = dn.split(',',2) > +addr = components[0].split('=')[1] > +zone = components[1].split('=')[1] > +if zone.find('ip6') != -1: > +zone = zone.replace('.ip6.arpa.','') > +zone_len = 32 > +else: > +zone = zone.replace('.in-addr.arpa.','') > +zone_len = 4 > + > +if len(addr.split('.'))+len(zone.split('.')) != zone_len: > +raise errors.ValidationError(name='cn', error=unicode('IP > address must have exactly '+str(zone_len)+' components')) > + > +return dn > + > def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): > for rtype in options: > rtype_cb = '_%s_pre_callback' % rtype > -- > 1.7.4 > -- Adam Tkac, Red Hat, Inc. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 47 Validate that the reverse DNS record is correct
Adam Tkac wrote:
> On Wed, Feb 16, 2011 at 10:53:14AM +0100, Jan Zelený wrote:
> > This patch ensures that PTR records added by FreeIPA are compliant with
> > RFC.
>
> Nack.
>
> In my opinion the _ptrrecord_pre_callback should also handle PTR records
> for IPv6 addresses.
>
> You can check validity of IPv6 PTR record this way (pseudocode):
>
> zone.replace(.ip6.arpa., '')
> if (len(addr.split('.')) + len(zone.split('.')) != 32)
>     raise_error
>
> Regards, Adam

Thanks for the review, I made the changes you suggested. Second patch is in
attachment.

Jan

From a01180772ab9ce9409532892e81f03ea7fc2582a Mon Sep 17 00:00:00 2001 From: Jan Zeleny Date: Wed, 16 Feb 2011 04:47:36 -0500 Subject: [PATCH] Validate that the reverse DNS record is correct This patch ensures that PTR records added by FreeIPA are compliant with RFC. https://fedorahosted.org/freeipa/ticket/839 --- ipalib/plugins/dns.py | 16 1 files changed, 16 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index 592945f78c59877fada5fa6c40eee3b1acb564b2..f50dd51f28f0ff59c8d1fe84730de302d9855467 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py
@@ -619,6 +619,22 @@ class dnsrecord_add(LDAPCreate, dnsrecord_cmd_w_record_options): is_ns_rec_resolvable(ns) return dn +def _ptrrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options): +components = dn.split(',',2) +addr = components[0].split('=')[1] +zone = components[1].split('=')[1] +if zone.find('ip6') != -1: +zone = zone.replace('.ip6.arpa.','') +zone_len = 32 +else: +zone = zone.replace('.in-addr.arpa.','') +zone_len = 4 + +if len(addr.split('.'))+len(zone.split('.')) != zone_len: +raise errors.ValidationError(name='cn', error=unicode('IP address must have exactly '+str(zone_len)+' components')) + +return dn + def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): for rtype in options: rtype_cb = '_%s_pre_callback' % rtype -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
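Review bot: the address family is picked by substring, not by suffix: zone.find('ip6') != -1 is true for any zone whose name merely contains "ip6", and the else branch then treats every remaining zone as in-addr.arpa, so a PTR record added to a forward zone is held to the 4- or 32-label count. The two replace() calls are also unanchored and match only the exact lower-case string with its trailing dot, so a zone written as 2.1.in-addr.arpa or in upper case keeps its suffix labels in the count and a correct record is rejected. Suggest lower-casing the zone and stripping the trailing dot, testing it with endswith() against 'in-addr.arpa' and 'ip6.arpa', and returning dn unchanged when neither matches.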
Re: [Freeipa-devel] [PATCH] 47 Validate that the reverse DNS record is correct
On Wed, Feb 16, 2011 at 10:53:14AM +0100, Jan Zelený wrote:
> This patch ensures that PTR records added by FreeIPA are compliant with
> RFC.

Nack.

In my opinion the _ptrrecord_pre_callback should also handle PTR records
for IPv6 addresses.

You can check validity of IPv6 PTR record this way (pseudocode):

zone.replace(.ip6.arpa., '')
if (len(addr.split('.')) + len(zone.split('.')) != 32)
    raise_error

Regards, Adam

> From 4d2b3200920c90884ddf5a2d5ae784bbe35b41d1 Mon Sep 17 00:00:00 2001 > From: Jan Zeleny > Date: Wed, 16 Feb 2011 04:47:36 -0500 > Subject: [PATCH] Validate that the reverse DNS record is correct > > This patch ensures that PTR records added by FreeIPA are compliant with > RFC. > > https://fedorahosted.org/freeipa/ticket/839 > --- > ipalib/plugins/dns.py | 10 ++ > 1 files changed, 10 insertions(+), 0 deletions(-) > > diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py > index > 592945f78c59877fada5fa6c40eee3b1acb564b2..e764d6f558a6ecb0d7b732a1e51b1755beb4f7f4 > 100644 > --- a/ipalib/plugins/dns.py > +++ b/ipalib/plugins/dns.py
> @@ -619,6 +619,16 @@ class dnsrecord_add(LDAPCreate, > dnsrecord_cmd_w_record_options): > is_ns_rec_resolvable(ns) > return dn > > +def _ptrrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, > **options): > +components = dn.split(',',2) > +addr = components[0].split('=')[1] > +zone = components[1].split('=')[1].replace('.in-addr.arpa.','') > + > +if len(addr.split('.'))+len(zone.split('.')) != 4: > +raise errors.ValidationError(name='idnsname', error=u'reversed > IP address must have exactly four components') > + > +return dn > + > def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): > for rtype in options: > rtype_cb = '_%s_pre_callback' % rtype > -- > 1.7.4 > > ___ > Freeipa-devel mailing list > Freeipa-devel@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel -- Adam Tkac, Red Hat, Inc. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
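The label-count check from the review above, carried further as an added example (it is not part of the thread or of FreeIPA's code): it matches the reverse-zone suffix on whole labels, validates each label, and rebuilds the address the name encodes. The function name ptr_address and the sample names are assumptions made for illustration.

```python
import ipaddress
import re

_OCTET = re.compile(r"0|[1-9][0-9]{0,2}")   # decimal label, no leading zeros
_NIBBLE = re.compile(r"[0-9a-f]")            # one hex digit per ip6.arpa label
# (reverse-zone suffix labels, labels in a complete name, per-label check)
_FAMILIES = (
    (["in-addr", "arpa"], 4, lambda l: bool(_OCTET.fullmatch(l)) and int(l) < 256),
    (["ip6", "arpa"], 32, lambda l: bool(_NIBBLE.fullmatch(l))),
)


def _labels(name):
    """Lower-case a DNS name and split it into labels, ignoring one trailing dot."""
    name = name.lower()
    name = name[:-1] if name.endswith(".") else name
    return name.split(".") if name else []


def ptr_address(record, zone):
    """Return the address encoded by PTR name `record` in `zone`; None for a
    non-reverse zone, ValueError for an incomplete or malformed name."""
    zone_labels = _labels(zone)
    for suffix, total, valid in _FAMILIES:
        if zone_labels[-2:] != suffix:        # whole-label suffix, not a substring
            continue
        labels = _labels(record) + zone_labels[:-2]
        if len(labels) != total:
            raise ValueError("expected %d address labels, got %d" % (total, len(labels)))
        bad = [l for l in labels if not valid(l)]
        if bad:
            raise ValueError("not address labels: %r" % bad)
        labels.reverse()                      # reverse names store the address backwards
        if total == 4:
            return ipaddress.ip_address(".".join(labels))
        groups = ["".join(labels[i:i + 4]) for i in range(0, 32, 4)]
        return ipaddress.ip_address(":".join(groups))
    return None


if __name__ == "__main__":
    # Constructed sample names, not taken from the thread.
    print(ptr_address("4.3", "2.1.in-addr.arpa."))       # 1.2.3.4
    print(ptr_address("_http._tcp", "ip6lab.example."))  # None
```

Returning the parsed address rather than a boolean lets the caller compare it with the host's forward record before the PTR entry is stored.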
[Freeipa-devel] [PATCH] 47 Validate that the reverse DNS record is correct
This patch ensures that PTR records added by FreeIPA are compliant with RFC. https://fedorahosted.org/freeipa/ticket/839 Jan From 4d2b3200920c90884ddf5a2d5ae784bbe35b41d1 Mon Sep 17 00:00:00 2001 From: Jan Zeleny Date: Wed, 16 Feb 2011 04:47:36 -0500 Subject: [PATCH] Validate that the reverse DNS record is correct This patch ensures that PTR records added by FreeIPA are compliant with RFC. https://fedorahosted.org/freeipa/ticket/839 --- ipalib/plugins/dns.py | 10 ++ 1 files changed, 10 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index 592945f78c59877fada5fa6c40eee3b1acb564b2..e764d6f558a6ecb0d7b732a1e51b1755beb4f7f4 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -619,6 +619,16 @@ class dnsrecord_add(LDAPCreate, dnsrecord_cmd_w_record_options): is_ns_rec_resolvable(ns) return dn +def _ptrrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options): +components = dn.split(',',2) +addr = components[0].split('=')[1] +zone = components[1].split('=')[1].replace('.in-addr.arpa.','') + +if len(addr.split('.'))+len(zone.split('.')) != 4: +raise errors.ValidationError(name='idnsname', error=u'reversed IP address must have exactly four components') + +return dn + def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): for rtype in options: rtype_cb = '_%s_pre_callback' % rtype -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
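Review bot: _ptrrecord_pre_callback applies the four-component check to every PTR record, whatever zone it is added to. The only zone handling is .replace('.in-addr.arpa.','') on components[1], so for an ip6.arpa reverse zone or a forward zone nothing is stripped and the zone's own labels are counted against the limit of 4, which either rejects a valid record or accepts a name by coincidence. Suggest checking first that the zone ends in in-addr.arpa and running the count only in that case, with IPv6 reverse zones given their own length and other zones passed through.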