Commit e9bdfb9e authored by Daniel Salzman

conf: revert control.acl item

parent 33ce0d3b
......@@ -306,7 +306,7 @@ acl:
\- id: STR
address: ADDR[/INT] ...
key: key_id ...
action: transfer | notify | update ...
action: transfer | notify | update | control ...
deny: BOOL
.ft P
.fi
......@@ -339,6 +339,8 @@ Possible values:
\fBnotify\fP \- Allow incoming notify
.IP \(bu 2
\fBupdate\fP \- Allow zone updates
.IP \(bu 2
\fBcontrol\fP \- Allow remote control
.UNINDENT
.sp
Default: empty
......@@ -362,6 +364,7 @@ it is recommended to use default UNIX socket.
.ft C
control:
listen: ADDR[@INT]
acl: acl_id ...
.ft P
.fi
.UNINDENT
......@@ -373,6 +376,14 @@ commands. Optional port specification (default is 5533) can be appended to the
address using \fB@\fP separator.
.sp
Default: \fI\%rundir\fP/knot.sock
.SS acl
.sp
An ordered list of \fI\%references\fP to ACL rules allowing the remote
control.
.sp
Caution: This option has no effect with UNIX socket.
.sp
Default: empty
.SH REMOTE SECTION
.sp
Definition of remote servers for zone transfers or notifications.
......
......@@ -359,7 +359,7 @@ Access control list rule definition.
- id: STR
address: ADDR[/INT] ...
key: key_id ...
action: transfer | notify | update ...
action: transfer | notify | update | control ...
deny: BOOL
.. _acl_id:
......@@ -401,6 +401,7 @@ Possible values:
- ``transfer`` - Allow zone transfer
- ``notify`` - Allow incoming notify
- ``update`` - Allow zone updates
- ``control`` - Allow remote control
Default: empty
......@@ -429,6 +430,7 @@ it is recommended to use default UNIX socket.
control:
listen: ADDR[@INT]
acl: acl_id ...
.. _control_listen:
......@@ -443,6 +445,16 @@ Default: :ref:`rundir<server_rundir>`/knot.sock
.. _control_acl:
acl
---
An ordered list of :ref:`references<acl_id>` to ACL rules allowing the remote
control.
Caution: This option has no effect with UNIX socket.
Default: empty
.. _Remote section:
Remote section
......
......@@ -51,6 +51,7 @@ static const lookup_table_t acl_actions[] = {
{ ACL_ACTION_NOTIFY, "notify" },
{ ACL_ACTION_TRANSFER, "transfer" },
{ ACL_ACTION_UPDATE, "update" },
{ ACL_ACTION_CONTROL, "control" },
{ 0, NULL }
};
......@@ -117,6 +118,7 @@ static const yp_item_t desc_acl[] = {
static const yp_item_t desc_control[] = {
{ C_LISTEN, YP_TADDR, YP_VADDR = { REMOTE_PORT, REMOTE_SOCKET } },
{ C_ACL, YP_TREF, YP_VREF = { C_ACL }, YP_FMULTI, { check_ref } },
{ C_COMMENT, YP_TSTR, YP_VNONE },
{ NULL }
};
......@@ -172,10 +174,10 @@ static const yp_item_t desc_log[] = {
const yp_item_t conf_scheme[] = {
{ C_SRV, YP_TGRP, YP_VGRP = { desc_server } },
{ C_CTL, YP_TGRP, YP_VGRP = { desc_control } },
{ C_LOG, YP_TGRP, YP_VGRP = { desc_log }, YP_FMULTI },
{ C_KEY, YP_TGRP, YP_VGRP = { desc_key }, YP_FMULTI },
{ C_ACL, YP_TGRP, YP_VGRP = { desc_acl }, YP_FMULTI },
{ C_CTL, YP_TGRP, YP_VGRP = { desc_control } },
{ C_RMT, YP_TGRP, YP_VGRP = { desc_remote }, YP_FMULTI },
/* MODULES */
{ C_MOD_SYNTH_RECORD, YP_TGRP, YP_VGRP = { scheme_mod_synth_record }, YP_FMULTI },
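Review bot: The move of the `C_CTL` group below `C_ACL` in `conf_scheme` is load-bearing — `desc_control` now carries `{ C_ACL, YP_TREF, YP_VREF = { C_ACL }, YP_FMULTI, { check_ref } }`, and the reorder suggests a reference item must follow the group it points at for `check_ref` to resolve — yet nothing in the table says so, and the next reorder will silently break it. I would add `/* Must come after C_ACL: control.acl references ACL rules via check_ref. */` above the `C_CTL` line. Whether the scheme loader really requires that order is inferred from the move itself, not visible here, so please confirm before wording the comment as a hard rule.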
......
......@@ -908,13 +908,29 @@ int remote_process(server_t *s, struct sockaddr_storage *ctl_addr, int sock,
char addr_str[SOCKADDR_STRLEN] = { 0 };
sockaddr_tostr(addr_str, sizeof(addr_str), &ss);
/* Check TSIG. */
if (pkt->tsig_rr != NULL) {
knot_tsig_key_t tsig = {
.name = pkt->tsig_rr->owner,
.algorithm = knot_tsig_rdata_alg(pkt->tsig_rr)
};
/* Prepare tsig parameters. */
knot_tsig_key_t tsig = { NULL };
if (pkt->tsig_rr) {
tsig.name = pkt->tsig_rr->owner;
tsig.algorithm = knot_tsig_rdata_alg(pkt->tsig_rr);
}
/* Check ACL. */
rcu_read_lock();
conf_val_t acl = conf_get(conf(), C_CTL, C_ACL);
bool allowed = acl_allowed(&acl, ACL_ACTION_CONTROL, &ss, &tsig);
rcu_read_unlock();
if (!allowed) {
log_warning("remote control, denied '%s', "
"no matching ACL", addr_str);
remote_senderr(client, pkt->wire, pkt->size);
ret = KNOT_EACCES;
goto finish;
}
/* Check TSIG. */
if (tsig.name != NULL) {
uint16_t ts_rc = 0;
uint16_t ts_trc = 0;
uint64_t ts_tmsigned = 0;
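Review bot: The ACL decision at `acl_allowed(&acl, ACL_ACTION_CONTROL, &ss, &tsig)` is made on a key name and algorithm copied from the not-yet-verified packet, so a key-based rule is matched by any client that merely names the key; this is only safe because the TSIG signature check still follows (`if (tsig.name != NULL)` onward, continuing outside the hunk) and that check must deny when the signature does not verify with the matched key. I would state that at the call site: `/* Key-based ACL match is provisional: the TSIG signature is verified below and a failure must still deny. */`. Separately, the documentation in this commit says the option has no effect with a UNIX socket, but this path denies unconditionally whenever no rule matches and `acl` defaults to empty, so unless `remote_process` is bypassed for UNIX sockets somewhere outside the hunk a default install would lock out local `knotc`; please confirm which way that goes. `remote_process` begins before the hunk.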
......
......@@ -35,7 +35,8 @@ typedef enum {
ACL_ACTION_NONE = 0,
ACL_ACTION_NOTIFY = 1,
ACL_ACTION_TRANSFER = 2,
ACL_ACTION_UPDATE = 3
ACL_ACTION_UPDATE = 3,
ACL_ACTION_CONTROL = 4
} acl_action_t;
/*!
......
......@@ -119,7 +119,7 @@ extern int cf_debug;
typedef union YYSTYPE YYSTYPE;
union YYSTYPE
{
#line 353 "cf-parse.y" /* yacc.c:1909 */
#line 361 "cf-parse.y" /* yacc.c:1909 */
struct {
char *t;
......
......@@ -199,6 +199,7 @@ typedef enum {
ACL_XFR,
ACL_NTF,
ACL_UPD,
ACL_CTL
} acl_type_t;
static void acl_start(void *scanner, acl_type_t type)
......@@ -211,6 +212,7 @@ static void acl_start(void *scanner, acl_type_t type)
case ACL_XFR: extra->current_trie = extra->share->acl_xfer; break;
case ACL_NTF: extra->current_trie = extra->share->acl_notify; break;
case ACL_UPD: extra->current_trie = extra->share->acl_update; break;
case ACL_CTL: extra->current_trie = extra->share->acl_control; break;
}
}
......@@ -281,9 +283,10 @@ static void acl_end(void *scanner)
static bool is_acl(void *scanner, const char *str) {
conf_extra_t *extra = cf_get_extra(scanner);
return hattrie_tryget(extra->share->acl_xfer, str, strlen(str)) != NULL ||
hattrie_tryget(extra->share->acl_notify, str, strlen(str)) != NULL ||
hattrie_tryget(extra->share->acl_update, str, strlen(str)) != NULL;
return hattrie_tryget(extra->share->acl_xfer, str, strlen(str)) != NULL ||
hattrie_tryget(extra->share->acl_notify, str, strlen(str)) != NULL ||
hattrie_tryget(extra->share->acl_update, str, strlen(str)) != NULL ||
hattrie_tryget(extra->share->acl_control, str, strlen(str)) != NULL;
}
static bool have_acl(void *scanner) {
......@@ -291,7 +294,8 @@ static bool have_acl(void *scanner) {
return (hattrie_weight(extra->share->acl_xfer) +
hattrie_weight(extra->share->acl_notify) +
hattrie_weight(extra->share->acl_update)) > 0;
hattrie_weight(extra->share->acl_update) +
hattrie_weight(extra->share->acl_control)) > 0;
}
static char *acl_actions(void *scanner, const char *str) {
......@@ -314,6 +318,10 @@ static char *acl_actions(void *scanner, const char *str) {
strlcat(actions, _first ? "" : ", ", sizeof(actions)); _first = false;
strlcat(actions, "update", sizeof(actions));
}
if (hattrie_tryget(extra->share->acl_control, str, strlen(str)) != NULL) {
strlcat(actions, _first ? "" : ", ", sizeof(actions)); _first = false;
strlcat(actions, "control", sizeof(actions));
}
strlcat(actions, "]", sizeof(actions));
......@@ -750,21 +758,8 @@ ctl_listen_start:
LISTEN_ON
;
ctl_allow_item:
| TEXT { free($1.t); }
| LOG_SRC
| LOG
| LOG_LEVEL
| CONTROL
;
ctl_allow_list:
| ctl_allow_list ctl_allow_item ','
| ctl_allow_list ctl_allow_item ';'
;
ctl_allow_start:
ALLOW
ALLOW { f_name(scanner, R_CTL, C_ACL, false); acl_start(scanner, ACL_CTL); _str = "acl_"; }
;
control:
......@@ -781,7 +776,7 @@ control:
free(_addr);
}
| control ctl_listen_start TEXT ';' { f_quote(scanner, R_CTL, C_LISTEN, $3.t); free($3.t); }
| control ctl_allow_start ctl_allow_list
| control ctl_allow_start zone_acl_list
;
conf: ';' | system '}' | interfaces '}' | keys '}' | remotes '}' | groups '}' | zones '}' | log '}' | control '}';
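Review bot: `acl_actions` now appends a fourth entry with `strlcat(actions, "control", sizeof(actions))`, and the full text `[transfer, notify, update, control]` is 35 bytes plus the terminator; the `actions` array is declared outside the hunk, so if it was sized for three names `strlcat` truncates silently and the converter emits a wrong action list instead of failing. Please check its size, or guard it with a `_Static_assert(sizeof(actions) >= 36, "actions buffer too small")` next to the declaration. Minor: `is_acl` calls `strlen(str)` four times on the same string; `size_t len = strlen(str);` once and passing `len` reads better. The replacement of `ctl_allow_item` with `zone_acl_list` drops the explicit `LOG_SRC`/`LOG`/`LOG_LEVEL`/`CONTROL` alternatives; if `zone_acl_list` (outside the hunk) does not accept those tokens as names, an old config that named a remote after one of them stops converting, which is worth a regression test.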
......
......@@ -31,6 +31,7 @@ typedef struct {
hattrie_t *acl_xfer;
hattrie_t *acl_notify;
hattrie_t *acl_update;
hattrie_t *acl_control;
} share_t;
/*!
......
......@@ -80,6 +80,7 @@ static int convert(const char *file_out, const char *file_in)
.acl_xfer = hattrie_create(),
.acl_notify = hattrie_create(),
.acl_update = hattrie_create(),
.acl_control = hattrie_create(),
};
// Parse the input file multiple times to get some context.
......@@ -114,6 +115,7 @@ static int convert(const char *file_out, const char *file_in)
hattrie_free(share.acl_xfer);
hattrie_free(share.acl_notify);
hattrie_free(share.acl_update);
hattrie_free(share.acl_control);
fclose(out);
......