Merge branch '559-handle-conflicting-trust-anchor-negative-trust-anchor-definitions' into 'master'

daemon/lua/trust_anchors: set_insecure() fails when NTA is in TA list Closes #559 See merge request !995

Merge branch '559-handle-conflicting-trust-anchor-negative-trust-anchor-definitions' into 'master'
6f7701f3 · Petr Špaček · d3b4287d · 19cc7702 · 6f7701f3 · 6f7701f3
Commit 6f7701f3 authored 4 years ago by Petr Špaček
--- a/daemon/lua/trust_anchors.lua.in
+++ b/daemon/lua/trust_anchors.lua.in
@@ -476,6 +476,13 @@ trust_anchors = {
 	set_insecure = function (list)
 		assert(type(list) == 'table', 'parameter must be list of domain names (e.g. {"a.test", "b.example"})')
 		local store = kres.context().negative_anchors
+		for i = 1, #list do
+			local dname = kres.str2dname(list[i])
+			if trust_anchors.keysets[dname] then
+				error('cannot add NTA '..list[i]..' because it is TA. Use trust_anchors.remove() instead')
+			end
+		end
+
 		C.kr_ta_clear(store)
 		for i = 1, #list do
 			local dname = kres.str2dname(list[i])

--- a/daemon/lua/trust_anchors.test/ta.test.lua
+++ b/daemon/lua/trust_anchors.test/ta.test.lua
@@ -66,9 +66,20 @@ local function test_add_file()
 	   "Loaded KeyTag from root.keys")
 end

+local function test_nta()
+	assert(trust_anchors.keysets['\0'], 'root key must be there from previous tests')
+
+	trust_anchors.set_insecure({'example.com'})
+	is(trust_anchors.insecure[1], 'example.com', 'Add example.com to NTA list')
+	boom(trust_anchors.set_insecure, {{'.'}}, 'Got error when adding TA . to NTA list')
+	is(#trust_anchors.insecure, 1, 'Check one item in NTA list')
+	is(trust_anchors.insecure[1], 'example.com', 'Check previous NTA list')
+end
+
 return {
 	test_revoked_key,
 	test_remove,
 	test_add_file,
+	test_nta,
 }