BIND 10 master, updated. fef88019d325474471a353304499e7919023912e Merge branch 'work/dnsacl'
BIND 10 source code commits
bind10-changes at lists.isc.org
Thu Jun 23 13:40:42 UTC 2011
The branch, master has been updated
via fef88019d325474471a353304499e7919023912e (commit)
via e6b3d50483fb739da2ca83e493a1c30043ba0464 (commit)
via a2158e5b2c17043f0f3aa194009408aa73bd62ce (commit)
via 4f87326ae6c17e26769b4ae276001b49d5bb3561 (commit)
via 06c9c2a763326d4b30ff9448f726928538fba94c (commit)
from 3f15151252dd734210582a2ae8923dada661231f (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit fef88019d325474471a353304499e7919023912e
Merge: 3f15151252dd734210582a2ae8923dada661231f e6b3d50483fb739da2ca83e493a1c30043ba0464
Author: Michal 'vorner' Vaner <michal.vaner at nic.cz>
Date: Thu Jun 23 15:30:49 2011 +0200
Merge branch 'work/dnsacl'
Conflicts:
src/lib/acl/tests/Makefile.am
commit e6b3d50483fb739da2ca83e493a1c30043ba0464
Author: Michal 'vorner' Vaner <michal.vaner at nic.cz>
Date: Thu Jun 23 15:05:15 2011 +0200
[trac769] Little bit of renaming
commit a2158e5b2c17043f0f3aa194009408aa73bd62ce
Author: Michal 'vorner' Vaner <michal.vaner at nic.cz>
Date: Sun Jun 19 19:26:04 2011 +0200
[trac769] Makefile fix
Automake tracks the dependency only when the library is given as a
simple filename. The build failed because it tried to create libdnsacl before
libacl; written this way, it knows it has to wait.
commit 4f87326ae6c17e26769b4ae276001b49d5bb3561
Author: Michal 'vorner' Vaner <michal.vaner at nic.cz>
Date: Sun Jun 19 16:13:19 2011 +0200
[trac769] Documentation
commit 06c9c2a763326d4b30ff9448f726928538fba94c
Author: Michal 'vorner' Vaner <michal.vaner at nic.cz>
Date: Sun Jun 19 15:45:24 2011 +0200
[trac769] Typedefs, Context, loader singleton
-----------------------------------------------------------------------
Summary of changes:
src/lib/acl/Makefile.am | 9 ++
src/lib/{datasrc/logger.cc => acl/dns.cc} | 17 +++-
src/lib/acl/dns.h | 89 ++++++++++++++++++++
src/lib/acl/tests/Makefile.am | 2 +
.../tests/dns_test.cc} | 27 ++++---
5 files changed, 129 insertions(+), 15 deletions(-)
copy src/lib/{datasrc/logger.cc => acl/dns.cc} (71%)
create mode 100644 src/lib/acl/dns.h
copy src/lib/{asiolink/tests/io_socket_unittest.cc => acl/tests/dns_test.cc} (57%)
-----------------------------------------------------------------------
diff --git a/src/lib/acl/Makefile.am b/src/lib/acl/Makefile.am
index d3222ae..890851e 100644
--- a/src/lib/acl/Makefile.am
+++ b/src/lib/acl/Makefile.am
@@ -5,6 +5,7 @@ AM_CPPFLAGS += $(BOOST_INCLUDES)
AM_CXXFLAGS = $(B10_CXXFLAGS)
+# The core library
lib_LTLIBRARIES = libacl.la
libacl_la_SOURCES = check.h acl.h
libacl_la_SOURCES += loader.h loader.cc
@@ -12,4 +13,12 @@ libacl_la_SOURCES += loader.h loader.cc
libacl_la_LIBADD = $(top_builddir)/src/lib/exceptions/libexceptions.la
libacl_la_LIBADD += $(top_builddir)/src/lib/cc/libcc.la
+# DNS specialized one
+lib_LTLIBRARIES += libdnsacl.la
+
+libdnsacl_la_SOURCES = dns.h dns.cc
+
+libdnsacl_la_LIBADD = libacl.la
+libdnsacl_la_LIBADD += $(top_builddir)/src/lib/dns/libdns++.la
+
CLEANFILES = *.gcno *.gcda
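Review bot: `libdnsacl_la_LIBADD` links only libacl and libdns++, yet dns.h in this same commit embeds two `asiolink::IOAddress` members in RequestContext, so any consumer that instantiates the struct will also need the asiolink library, and libtool cannot propagate a dependency that is not listed here. If that omission is deliberate because dns.cc itself does not touch IOAddress yet, a one-line comment such as `# asiolink is needed by users of RequestContext; add it once dns.cc uses IOAddress` would save the next reader a link-error hunt; otherwise add the asiolink `.la` to the LIBADD list now. The library path is not visible in this diff, so I have not quoted it.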
diff --git a/src/lib/acl/dns.cc b/src/lib/acl/dns.cc
new file mode 100644
index 0000000..16f1bf5
--- /dev/null
+++ b/src/lib/acl/dns.cc
@@ -0,0 +1,34 @@
+// Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+// REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+// AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+// INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+// LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+// OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+// PERFORMANCE OF THIS SOFTWARE.
+
+#include "dns.h"
+
+namespace isc {
+namespace acl {
+namespace dns {
+
+Loader&
+getLoader() {
+ static Loader* loader(NULL);
+ if (loader == NULL) {
+ loader = new Loader(REJECT);
+ // TODO: This is the place where we register default check creators
+ // like IP check, etc, once we have them.
+ }
+ return (*loader);
+}
+
+}
+}
+}
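Review bot: getLoader() at the `static Loader* loader(NULL)` line is a lazily constructed singleton built with a raw `new` and no synchronization, so two threads making the first call concurrently can both see NULL and construct two Loaders, one of which leaks together with whatever checks get registered on it. Unless the heap allocation is intentionally never freed to sidestep destruction-order problems with plugins at exit, a function-local object does the same job with less surface: `static Loader loader(REJECT); return (loader);` (still racy on pre-C++11 compilers, so if the daemon is multi-threaded, call it once during single-threaded startup and say so in the header). The `REJECT` argument deserves a comment of its own, e.g. `// Fail closed: a request matching no rule is rejected`, because that default is the most security-relevant decision in this file and it is currently invisible to readers of dns.h.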
diff --git a/src/lib/acl/dns.h b/src/lib/acl/dns.h
new file mode 100644
index 0000000..6f36e51
--- /dev/null
+++ b/src/lib/acl/dns.h
@@ -0,0 +1,89 @@
+// Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+// REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+// AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+// INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+// LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+// OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+// PERFORMANCE OF THIS SOFTWARE.
+
+#ifndef ACL_DNS_H
+#define ACL_DNS_H
+
+#include "loader.h"
+
+#include <asiolink/io_address.h>
+#include <dns/message.h>
+
+namespace isc {
+namespace acl {
+namespace dns {
+
+/**
+ * \brief DNS request to be checked.
+ *
+ * This plays the role of Context of the generic template ACLs (in namespace
+ * isc::acl).
+ *
+ * It is simple structure holding just the bunch of information. Therefore
+ * the names don't end up with a slash, there are no methods so they can't be
+ * confused with local variables.
+ *
+ * \todo Do we want a constructor to set this in a shorter manner? So we can
+ * call the ACLs directly?
+ */
+struct RequestContext {
+ /// \brief The DNS message (payload).
+ isc::dns::ConstMessagePtr message;
+ /// \brief The remote IP address (eg. the client).
+ asiolink::IOAddress remote_address;
+ /// \brief The local IP address (ours, of the interface where we received).
+ asiolink::IOAddress local_address;
+ /// \brief The remote port.
+ uint16_t remote_port;
+ /// \brief The local port.
+ uint16_t local_port;
+ /**
+ * \brief Name of the TSIG key the message is signed with.
+ *
+ * This will be either the name of the TSIG key the message is signed with,
+ * or empty string, if the message is not signed. It is true we could get
+ * the information from the message itself, but because at the time when
+ * the ACL is checked, the signature has been verified already, so passing
+ * it around is probably cheaper.
+ *
+ * It is expected that messages with invalid signatures are handled before
+ * ACL.
+ */
+ std::string tsig_key_name;
+};
+
+/// \brief DNS based check.
+typedef acl::Check<RequestContext> Check;
+/// \brief DNS based compound check.
+typedef acl::CompoundCheck<RequestContext> CompoundCheck;
+/// \brief DNS based ACL.
+typedef acl::ACL<RequestContext> ACL;
+/// \brief DNS based ACL loader.
+typedef acl::Loader<RequestContext> Loader;
+
+/**
+ * \brief Loader singleton access function.
+ *
+ * This function returns a loader of ACLs. It is expected applications
+ * will use this function instead of creating their own loaders, because
+ * one is enough, this one will have registered default checks and it
+ * is known one, so any plugins can registrer additional checks as well.
+ */
+Loader& getLoader();
+
+}
+}
+}
+
+#endif
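Review bot: dns.h uses `std::string` and `uint16_t` in RequestContext but includes neither `<string>` nor `<stdint.h>`, relying on them arriving transitively through dns/message.h; add `#include <string>` and `#include <stdint.h>` next to the existing includes so the header stands on its own. The `tsig_key_name` documentation is good in that it states the empty string means unsigned and that signature verification must precede the ACL; I would also state in the getLoader() doc that the returned loader uses REJECT as its default action (dns.cc constructs it with `Loader(REJECT)`), so an ACL with no matching rule denies the request, since callers writing ACLs need to know which way the default falls. Whether `message` may be a null pointer is not stated either; a check that dereferences it will need that contract, so document it one way or the other.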
diff --git a/src/lib/acl/tests/Makefile.am b/src/lib/acl/tests/Makefile.am
index 6ceb2fa..9328c68 100644
--- a/src/lib/acl/tests/Makefile.am
+++ b/src/lib/acl/tests/Makefile.am
@@ -7,6 +7,7 @@ TESTS += run_unittests
run_unittests_SOURCES = run_unittests.cc
run_unittests_SOURCES += check_test.cc acl_test.cc loader_test.cc
run_unittests_SOURCES += logcheck.h
+run_unittests_SOURCES += dns_test.cc
run_unittests_CPPFLAGS = $(AM_CPPFLAGS) $(GTEST_INCLUDES)
run_unittests_LDFLAGS = $(AM_LDFLAGS) $(GTEST_LDFLAGS)
@@ -15,6 +16,7 @@ run_unittests_LDADD += $(top_builddir)/src/lib/util/unittests/libutil_unittests.
run_unittests_LDADD += $(top_builddir)/src/lib/acl/libacl.la
run_unittests_LDADD += $(top_builddir)/src/lib/cc/libcc.la
run_unittests_LDADD += $(top_builddir)/src/lib/exceptions/libexceptions.la
+run_unittests_LDADD += $(top_builddir)/src/lib/acl/libdnsacl.la
endif
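Review bot: the new `libdnsacl.la` line is appended after `libacl.la` in run_unittests_LDADD, but libdnsacl depends on libacl, and with static archives a dependent library must precede the library it uses, so move the new line above the libacl one. Libtool's recorded dependency_libs usually papers over this, which is presumably why it links today, but the order is cheap to get right and avoids a surprise on a toolchain that does not.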
noinst_PROGRAMS = $(TESTS)
diff --git a/src/lib/acl/tests/dns_test.cc b/src/lib/acl/tests/dns_test.cc
new file mode 100644
index 0000000..e5e0f3a
--- /dev/null
+++ b/src/lib/acl/tests/dns_test.cc
@@ -0,0 +1,35 @@
+// Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+// REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+// AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+// INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+// LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+// OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+// PERFORMANCE OF THIS SOFTWARE.
+
+#include <acl/dns.h>
+#include <gtest/gtest.h>
+
+using namespace isc::acl::dns;
+
+namespace {
+
+// Tests that the getLoader actually returns something, returns the same every
+// time and the returned value can be used to anything. It is not much of a
+// test, but the getLoader is not much of a function.
+TEST(DNSACL, getLoader) {
+ Loader* l(&getLoader());
+ ASSERT_TRUE(l != NULL);
+ EXPECT_EQ(l, &getLoader());
+ EXPECT_NO_THROW(l->load(isc::data::Element::fromJSON(
+ "[{\"action\": \"DROP\"}]")));
+ // TODO Test that the things we should register by default, like IP based
+ // check, are loaded.
+}
+
+}
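Review bot: the assertion `EXPECT_NO_THROW(l->load(...))` only proves the loader does not throw on a one-rule list; it never checks the property that matters for an ACL, namely that the loaded list's default action is REJECT and that the unconditional `{"action": "DROP"}` rule actually yields DROP. The return type of `load` is not visible in this diff, but if it returns the ACL, keep the result and assert on its execution with a minimal RequestContext rather than discarding it. Also, `ASSERT_TRUE(l != NULL)` compares the address taken from a reference, which can only be NULL after undefined behaviour upstream; it is harmless but some compilers will flag it as always true, so `Loader& l(getLoader()); EXPECT_EQ(&l, &getLoader());` expresses the same identity check without the warning.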