authorMartin Kosek <mkosek@redhat.com>2013-04-02 11:59:16 +0200
committerMartin Kosek <mkosek@redhat.com>2013-04-02 17:11:57 +0200
commit30a1bc1f0959e2b89f00a0b4cd661778a0625a89 (patch)
treebdc6522c5a28a60a21665f5040e3388eac4f5aff /ipalib/plugins/dns.py
parent42c401a87795fe3a2067155460ae276ad2d3e360 (diff)
Improve DNAME record validation
Extend the DNS RR conflict check and forbid the DNAME+NS combination unless it is in the DNS zone root record. Add tests to verify this enforced check. https://fedorahosted.org/freeipa/ticket/3449
Diffstat (limited to 'ipalib/plugins/dns.py')
-rw-r--r--ipalib/plugins/dns.py24
1 files changed, 21 insertions, 3 deletions
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index 7d995650..3e6ed835 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -2267,7 +2267,7 @@ class dnsrecord(LDAPObject):
processed.append(rrparam.name)
yield rrparam
- def check_record_type_collisions(self, old_entry, entry_attrs):
+ def check_record_type_collisions(self, keys, old_entry, entry_attrs):
# Test that only allowed combination of record types was created
rrattrs = {}
if old_entry is not None:
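Review bot: The new `keys` parameter of `check_record_type_collisions` is undocumented, and the method still carries only the inline comment, so nothing states what `keys` holds or which element the later DNAME check depends on. From the two updated call sites it appears to be the command's primary keys (zone first, record name second), which is worth pinning down in a docstring such as `"""Raise ValidationError if the record types in old_entry plus entry_attrs may not coexist; keys is (zone name, record name) as passed to the command."""`. The body of the method continues outside this hunk.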
@@ -2298,6 +2298,24 @@ class dnsrecord(LDAPObject):
error=_('CNAME record is not allowed to coexist '
'with any other record (RFC 1034, section 3.6.2)'))
+ # DNAME record validation
+ try:
+ dnames = rrattrs['dnamerecord']
+ except KeyError:
+ pass
+ else:
+ if dnames is not None:
+ if len(dnames) > 1:
+ raise errors.ValidationError(name='dnamerecord',
+ error=_('only one DNAME record is allowed per name '
+ '(RFC 6672, section 2.4)'))
+ # DNAME must not coexist with CNAME, but this is already checked earlier
+ if rrattrs.get('nsrecord') and keys[1] != _dns_zone_record:
+ raise errors.ValidationError(name='dnamerecord',
+ error=_('DNAME record is not allowed to coexist with an '
+ 'NS record except when located in a zone root '
+ 'record (RFC 6672, section 2.3)'))
+
api.register(dnsrecord)
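Review bot: The zone-apex exception compares `keys[1]` only against `_dns_zone_record`, so an owner name that denotes the apex in another spelling (the zone's own name written out in full) would be rejected as a non-apex DNAME+NS unless the record name is normalized to `@` before this method runs; that normalization is not visible here and should be confirmed or done explicitly at the comparison. The new check also covers only the same-owner-name conflict: RFC 6672 section 2.3 equally forbids data below a DNAME owner, and a DNAME added over existing subordinate records, or a record added under an existing DNAME, still passes this validation, which deserves at least `# TODO: RFC 6672 2.3 also forbids records below a DNAME owner name; not checked here`. Finally, the ValidationError is always attributed to `dnamerecord` even when the attribute the caller actually supplied is the NS record, so the error will point at a parameter the caller did not pass. The enclosing method starts in the previous hunk.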
@@ -2459,7 +2477,7 @@ class dnsrecord_add(LDAPCreate):
vals = list(entry_attrs[attr])
entry_attrs[attr] = list(set(old_entry.get(attr, []) + vals))
- self.obj.check_record_type_collisions(old_entry, entry_attrs)
+ self.obj.check_record_type_collisions(keys, old_entry, entry_attrs)
return dn
def exc_callback(self, keys, options, exc, call_func, *call_args, **call_kwargs):
@@ -2560,7 +2578,7 @@ class dnsrecord_mod(LDAPUpdate):
new_dnsvalue = [param._convert_scalar(modified_parts)]
entry_attrs[attr] = list(set(old_entry[attr] + new_dnsvalue))
- self.obj.check_record_type_collisions(old_entry, entry_attrs)
+ self.obj.check_record_type_collisions(keys, old_entry, entry_attrs)
return dn
def execute(self, *keys, **options):