From c884a56c2d9996fc54c054c78d56eae50f696997 Mon Sep 17 00:00:00 2001

From: Martin Basti <mbasti@redhat.com>

Date: Fri, 31 Jan 2014 15:42:31 +0100

Subject: [PATCH 45/46] DNS classless support for reverse domains

Now users can add reverse zones in classless form:

0/25.1.168.192.in-addr.arpa.

0-25.1.168.192.in-addr.arpa.

128/25 NS ns.example.com.

10 CNAME 10.128/25.1.168.192.in-addr.arpa.

Ticket: https://fedorahosted.org/freeipa/ticket/4143

Reviewed-By: Jan Cholasta <jcholast@redhat.com>

---

 ipalib/plugins/dns.py | 45 +++++++++++++++++++++++++++----------

 ipalib/util.py        | 61 ++++++++++++++++++++++++++++++---------------------

 2 files changed, 70 insertions(+), 36 deletions(-)

diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py

index 94ae92ba5d1ae42e31ebb6100c743a2334f29e70..a78dc9e90a04a00a731541f8a04db5c0f0dd12bb 100644

--- a/ipalib/plugins/dns.py

+++ b/ipalib/plugins/dns.py

@@ -368,25 +368,31 @@ def _normalize_bind_aci(bind_acis):

     acis += u';'

     return acis

-def _bind_hostname_validator(ugettext, value):

+def _bind_hostname_validator(ugettext, value, allow_slash=False):

     if value == _dns_zone_record:

         return

     try:

         # Allow domain name which is not fully qualified. These are supported

         # in bind and then translated as <non-fqdn-name>.<domain>.

-        validate_hostname(value, check_fqdn=False, allow_underscore=True)

+        validate_hostname(value, check_fqdn=False, allow_underscore=True, allow_slash=allow_slash)

     except ValueError, e:

         return _('invalid domain-name: %s') \

             % unicode(e)

     return None

+def _bind_cname_hostname_validator(ugettext, value):

+    """

+    Validator for CNAME allows classless domain names (25/0.0.10.in-addr.arpa.)

+    """

+    return _bind_hostname_validator(ugettext, value, allow_slash=True)

+

 def _dns_record_name_validator(ugettext, value):

     if value == _dns_zone_record:

         return

     try:

-        map(lambda label:validate_dns_label(label, allow_underscore=True), \

+        map(lambda label:validate_dns_label(label, allow_underscore=True, allow_slash=True), \

             value.split(u'.'))

     except ValueError, e:

         return unicode(e)

@@ -411,7 +417,10 @@ def _validate_bind_forwarder(ugettext, forwarder):

 def _domain_name_validator(ugettext, value):

     try:

-        validate_domain_name(value)

+        #classless reverse zones can contain slash '/'

+        normalized_zone = normalize_zone(value)

+        validate_domain_name(value, allow_slash=zone_is_reverse(normalized_zone))

+

     except ValueError, e:

         return unicode(e)

@@ -939,7 +948,7 @@ class CNAMERecord(DNSRecord):

     rfc = 1035

     parts = (

         Str('hostname',

-            _bind_hostname_validator,

+            _bind_cname_hostname_validator,

             label=_('Hostname'),

             doc=_('A hostname which this alias hostname points to'),

         ),

@@ -960,7 +969,7 @@ class DNAMERecord(DNSRecord):

     rfc = 2672

     parts = (

         Str('target',

-            _bind_hostname_validator,

+            _bind_cname_hostname_validator,

             label=_('Target'),

         ),

     )

@@ -2119,6 +2128,14 @@ class dnsrecord(LDAPObject):

                            doc=_('Parse all raw DNS records and return them in a structured way'),

                            )

+    def _idnsname_pre_callback(self, ldap, dn, entry_attrs, *keys, **options):

+        if not self.is_pkey_zone_record(*keys):

+            zone, addr = normalize_zone(keys[-2]), keys[-1]

+            try:

+                validate_domain_name(addr, allow_underscore=True, allow_slash=zone_is_reverse(zone))

+            except ValueError, e:

+                raise errors.ValidationError(name='idnsname', error=unicode(e))

+

     def _nsrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options):

         assert isinstance(dn, DN)

         nsrecords = entry_attrs.get('nsrecord')

@@ -2132,6 +2149,7 @@ def _ptrrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options):

         ptrrecords = entry_attrs.get('ptrrecord')

         if ptrrecords is None:

             return

+

         zone = keys[-2]

         if self.is_pkey_zone_record(*keys):

             addr = u''

@@ -2150,11 +2168,16 @@ def _ptrrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options):

                     error=unicode(_('Reverse zone for PTR record should be a sub-zone of one the following fully qualified domains: %s') % allowed_zones))

         addr_len = len(addr.split('.')) if addr else 0

-        ip_addr_comp_count = addr_len + len(zone.split('.'))

-        if ip_addr_comp_count != zone_len:

-            raise errors.ValidationError(name='ptrrecord',

-                error=unicode(_('Reverse zone %(name)s requires exactly %(count)d IP address components, %(user_count)d given')

-                % dict(name=zone_name, count=zone_len, user_count=ip_addr_comp_count)))

+

+        #Classless zones (0/25.0.0.10.in-addr.arpa.) -> skip check

+        #zone has to be checked without reverse domain suffix (in-addr.arpa.)

+        if ('/' not in addr and '/' not in zone and

+            '-' not in addr and '-' not in zone):

+            ip_addr_comp_count = addr_len + len(zone.split('.'))

+            if ip_addr_comp_count != zone_len:

+                raise errors.ValidationError(name='ptrrecord',

+                      error=unicode(_('Reverse zone %(name)s requires exactly %(count)d IP address components, %(user_count)d given')

+                      % dict(name=zone_name, count=zone_len, user_count=ip_addr_comp_count)))

     def run_precallback_validators(self, dn, entry_attrs, *keys, **options):

         assert isinstance(dn, DN)

diff --git a/ipalib/util.py b/ipalib/util.py

index 3c52e4fd9a3e08d160dd4ae7076590be8b869d2c..17851294a78507aba7035390c3695184b7d641b1 100644

--- a/ipalib/util.py

+++ b/ipalib/util.py

@@ -215,34 +215,45 @@ def normalize_zone(zone):

     else:

         return zone

-def validate_dns_label(dns_label, allow_underscore=False):

-    label_chars = r'a-z0-9'

-    underscore_err_msg = ''

-    if allow_underscore:

-        label_chars += "_"

-        underscore_err_msg = u' _,'

-    label_regex = r'^[%(chars)s]([%(chars)s-]?[%(chars)s])*$' % dict(chars=label_chars)

-    regex = re.compile(label_regex, re.IGNORECASE)

-

-    if not dns_label:

-        raise ValueError(_('empty DNS label'))

-

-    if len(dns_label) > 63:

-        raise ValueError(_('DNS label cannot be longer that 63 characters'))

-

-    if not regex.match(dns_label):

-        raise ValueError(_('only letters, numbers,%(underscore)s and - are allowed. ' \

-                           'DNS label may not start or end with -') \

-                           % dict(underscore=underscore_err_msg))

-

-def validate_domain_name(domain_name, allow_underscore=False):

+

+def validate_dns_label(dns_label, allow_underscore=False, allow_slash=False):

+     base_chars = 'a-z0-9'

+     extra_chars = ''

+     middle_chars = ''

+

+     if allow_underscore:

+         extra_chars += '_'

+     if allow_slash:

+         middle_chars += '/'

+

+     middle_chars = middle_chars + '-' #has to be always the last in the regex [....-]

+

+     label_regex = r'^[%(base)s%(extra)s]([%(base)s%(extra)s%(middle)s]?[%(base)s%(extra)s])*$' \

+         % dict(base=base_chars, extra=extra_chars, middle=middle_chars)

+     regex = re.compile(label_regex, re.IGNORECASE)

+

+     if not dns_label:

+         raise ValueError(_('empty DNS label'))

+

+     if len(dns_label) > 63:

+         raise ValueError(_('DNS label cannot be longer that 63 characters'))

+

+     if not regex.match(dns_label):

+         chars = ', '.join("'%s'" % c for c in extra_chars + middle_chars)

+         chars2 = ', '.join("'%s'" % c for c in middle_chars)

+         raise ValueError(_("only letters, numbers, %(chars)s are allowed. " \

+                            "DNS label may not start or end with %(chars2)s") \

+                            % dict(chars=chars, chars2=chars2))

+

+

+def validate_domain_name(domain_name, allow_underscore=False, allow_slash=False):

     if domain_name.endswith('.'):

         domain_name = domain_name[:-1]

     domain_name = domain_name.split(".")

     # apply DNS name validator to every name part

-    map(lambda label:validate_dns_label(label,allow_underscore), domain_name)

+    map(lambda label:validate_dns_label(label, allow_underscore, allow_slash), domain_name)

 def validate_zonemgr(zonemgr):

@@ -287,7 +298,7 @@ def validate_zonemgr(zonemgr):

                local_part.split(local_part_sep)):

         raise ValueError(local_part_errmsg)

-def validate_hostname(hostname, check_fqdn=True, allow_underscore=False):

+def validate_hostname(hostname, check_fqdn=True, allow_underscore=False, allow_slash=False):

     """ See RFC 952, 1123

     :param hostname Checked value

@@ -305,9 +316,9 @@ def validate_hostname(hostname, check_fqdn=True, allow_underscore=False):

     if '.' not in hostname:

         if check_fqdn:

             raise ValueError(_('not fully qualified'))

-        validate_dns_label(hostname,allow_underscore)

+        validate_dns_label(hostname, allow_underscore, allow_slash)

     else:

-        validate_domain_name(hostname,allow_underscore)

+        validate_domain_name(hostname, allow_underscore, allow_slash)

 def normalize_sshpubkey(value):

     return SSHPublicKey(value).openssh()

-- 

1.8.5.3