IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Query and transfer ACLs for DNS zones

Browse Source 
Provide a way to specify BIND allow-query and allow-transfer ACLs
for DNS zones.

IMPORTANT: new bind-dyndb-ldap adds a zone transfer ability. To
avoid zone information leaks to unintended places, allow-transfer
ACL for every zone is by default set to none and has to be
explicitly enabled by an Administrator. This is done both for new
DNS zones and old DNS zones during RPM update via new DNS upgrade
plugin.

https://fedorahosted.org/freeipa/ticket/1211
This commit is contained in:
Martin Kosek
2012-02-24 09:30:39 +01:00
parent 2cf5893761
commit 8605790225
7 changed files with 264 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

86
tests/test_xmlrpc/test_dns_plugin.py
View File

@@ -115,6 +115,8 @@ class test_dns(Declarative):
'idnssoaexpire': [fuzzy_digits],
'idnssoaminimum': [fuzzy_digits],
'idnsallowdynupdate': [u'FALSE'],
'idnsallowtransfer': [u'none;'],
'idnsallowquery': [u'any;'],
'objectclass': [u'top', u'idnsrecord', u'idnszone'],
},
},
@@ -169,6 +171,8 @@ class test_dns(Declarative):
'idnssoaexpire': [fuzzy_digits],
'idnssoaminimum': [fuzzy_digits],
'idnsallowdynupdate': [u'FALSE'],
'idnsallowtransfer': [u'none;'],
'idnsallowquery': [u'any;'],
'objectclass': [u'top', u'idnsrecord', u'idnszone'],
},
},
@@ -202,6 +206,8 @@ class test_dns(Declarative):
'idnssoaretry': [fuzzy_digits],
'idnssoaexpire': [fuzzy_digits],
'idnssoaminimum': [fuzzy_digits],
'idnsallowtransfer': [u'none;'],
'idnsallowquery': [u'any;'],
},
},
),
@@ -224,6 +230,8 @@ class test_dns(Declarative):
'idnssoaretry': [fuzzy_digits],
'idnssoaexpire': [fuzzy_digits],
'idnssoaminimum': [fuzzy_digits],
'idnsallowtransfer': [u'none;'],
'idnsallowquery': [u'any;'],
},
},
),
@@ -254,6 +262,8 @@ class test_dns(Declarative):
'idnssoaexpire': [fuzzy_digits],
'idnssoaminimum': [fuzzy_digits],
'idnsallowdynupdate': [u'FALSE'],
'idnsallowtransfer': [u'none;'],
'idnsallowquery': [u'any;'],
'objectclass': [u'top', u'idnsrecord', u'idnszone'],
},
},
@@ -279,6 +289,8 @@ class test_dns(Declarative):
'idnssoaretry': [fuzzy_digits],
'idnssoaexpire': [fuzzy_digits],
'idnssoaminimum': [fuzzy_digits],
'idnsallowtransfer': [u'none;'],
'idnsallowquery': [u'any;'],
},
{
'dn': unicode(dnszone1_dn),
@@ -292,6 +304,8 @@ class test_dns(Declarative):
'idnssoaretry': [fuzzy_digits],
'idnssoaexpire': [fuzzy_digits],
'idnssoaminimum': [fuzzy_digits],
'idnsallowtransfer': [u'none;'],
'idnsallowquery': [u'any;'],
}],
},
),
@@ -316,6 +330,8 @@ class test_dns(Declarative):
'idnssoaretry': [fuzzy_digits],
'idnssoaexpire': [fuzzy_digits],
'idnssoaminimum': [fuzzy_digits],
'idnsallowtransfer': [u'none;'],
'idnsallowquery': [u'any;'],
}],
},
),
@@ -361,6 +377,8 @@ class test_dns(Declarative):
'idnssoaretry': [fuzzy_digits],
'idnssoaexpire': [fuzzy_digits],
'idnssoaminimum': [fuzzy_digits],
'idnsallowtransfer': [u'none;'],
'idnsallowquery': [u'any;'],
},
},
),
@@ -395,6 +413,8 @@ class test_dns(Declarative):
'idnssoaretry': [fuzzy_digits],
'idnssoaexpire': [fuzzy_digits],
'idnssoaminimum': [fuzzy_digits],
'idnsallowtransfer': [u'none;'],
'idnsallowquery': [u'any;'],
},
},
),
@@ -746,6 +766,8 @@ class test_dns(Declarative):
'idnssoaexpire': [fuzzy_digits],
'idnssoaminimum': [fuzzy_digits],
'idnsallowdynupdate': [u'FALSE'],
'idnsallowtransfer': [u'none;'],
'idnsallowquery': [u'any;'],
'objectclass': [u'top', u'idnsrecord', u'idnszone'],
},
},
@@ -787,6 +809,70 @@ class test_dns(Declarative):
),
dict(
desc='Try to add invalid allow-query to zone %r' % dnszone1,
command=('dnszone_mod', [dnszone1], {'idnsallowquery': u'localhost'}),
expected=errors.ValidationError(name='idnsallowquery', error=''),
),
dict(
desc='Add allow-query ACL to zone %r' % dnszone1,
command=('dnszone_mod', [dnszone1], {'idnsallowquery': u'!10/8;any'}),
expected={
'value': dnszone1,
'summary': None,
'result': {
'idnsname': [dnszone1],
'idnszoneactive': [u'TRUE'],
'nsrecord': [dnszone1_mname],
'mxrecord': [u'0 ns1.dnszone.test.'],
'locrecord': [u"49 11 42.400 N 16 36 29.600 E 227.64"],
'idnssoamname': [dnszone1_mname],
'idnssoarname': [dnszone1_rname],
'idnssoaserial': [fuzzy_digits],
'idnssoarefresh': [u'5478'],
'idnssoaretry': [fuzzy_digits],
'idnssoaexpire': [fuzzy_digits],
'idnssoaminimum': [fuzzy_digits],
'idnsallowquery': [u'!10.0.0.0/8;any;'],
'idnsallowtransfer': [u'none;'],
},
},
),
dict(
desc='Try to add invalid allow-transfer to zone %r' % dnszone1,
command=('dnszone_mod', [dnszone1], {'idnsallowtransfer': u'10.'}),
expected=errors.ValidationError(name='idnsallowtransfer', error=''),
),
dict(
desc='Add allow-transer ACL to zone %r' % dnszone1,
command=('dnszone_mod', [dnszone1], {'idnsallowtransfer': u'80.142.15.80'}),
expected={
'value': dnszone1,
'summary': None,
'result': {
'idnsname': [dnszone1],
'idnszoneactive': [u'TRUE'],
'nsrecord': [dnszone1_mname],
'mxrecord': [u'0 ns1.dnszone.test.'],
'locrecord': [u"49 11 42.400 N 16 36 29.600 E 227.64"],
'idnssoamname': [dnszone1_mname],
'idnssoarname': [dnszone1_rname],
'idnssoaserial': [fuzzy_digits],
'idnssoarefresh': [u'5478'],
'idnssoaretry': [fuzzy_digits],
'idnssoaexpire': [fuzzy_digits],
'idnssoaminimum': [fuzzy_digits],
'idnsallowquery': [u'!10.0.0.0/8;any;'],
'idnsallowtransfer': [u'80.142.15.80;'],
},
},
),
dict(
desc='Delete zone %r' % dnszone1,
command=('dnszone_del', [dnszone1], {}),