Blob Blame History Raw
From c884a56c2d9996fc54c054c78d56eae50f696997 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Fri, 31 Jan 2014 15:42:31 +0100
Subject: [PATCH 45/46] DNS classless support for reverse domains

Now users can add reverse zones in classless form:
0/25.1.168.192.in-addr.arpa.
0-25.1.168.192.in-addr.arpa.

128/25 NS ns.example.com.
10 CNAME 10.128/25.1.168.192.in-addr.arpa.

Ticket: https://fedorahosted.org/freeipa/ticket/4143
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipalib/plugins/dns.py | 45 +++++++++++++++++++++++++++----------
 ipalib/util.py        | 61 ++++++++++++++++++++++++++++++---------------------
 2 files changed, 70 insertions(+), 36 deletions(-)

diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index 94ae92ba5d1ae42e31ebb6100c743a2334f29e70..a78dc9e90a04a00a731541f8a04db5c0f0dd12bb 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -368,25 +368,31 @@ def _normalize_bind_aci(bind_acis):
     acis += u';'
     return acis
 
-def _bind_hostname_validator(ugettext, value):
+def _bind_hostname_validator(ugettext, value, allow_slash=False):
     if value == _dns_zone_record:
         return
     try:
         # Allow domain name which is not fully qualified. These are supported
         # in bind and then translated as <non-fqdn-name>.<domain>.
-        validate_hostname(value, check_fqdn=False, allow_underscore=True)
+        validate_hostname(value, check_fqdn=False, allow_underscore=True, allow_slash=allow_slash)
     except ValueError, e:
         return _('invalid domain-name: %s') \
             % unicode(e)
 
     return None
 
+def _bind_cname_hostname_validator(ugettext, value):
+    """
+    Validator for CNAME allows classless domain names (25/0.0.10.in-addr.arpa.)
+    """
+    return _bind_hostname_validator(ugettext, value, allow_slash=True)
+
 def _dns_record_name_validator(ugettext, value):
     if value == _dns_zone_record:
         return
 
     try:
-        map(lambda label:validate_dns_label(label, allow_underscore=True), \
+        map(lambda label:validate_dns_label(label, allow_underscore=True, allow_slash=True), \
             value.split(u'.'))
     except ValueError, e:
         return unicode(e)
@@ -411,7 +417,10 @@ def _validate_bind_forwarder(ugettext, forwarder):
 
 def _domain_name_validator(ugettext, value):
     try:
-        validate_domain_name(value)
+        #classless reverse zones can contain slash '/'
+        normalized_zone = normalize_zone(value)
+        validate_domain_name(value, allow_slash=zone_is_reverse(normalized_zone))
+
     except ValueError, e:
         return unicode(e)
 
@@ -939,7 +948,7 @@ class CNAMERecord(DNSRecord):
     rfc = 1035
     parts = (
         Str('hostname',
-            _bind_hostname_validator,
+            _bind_cname_hostname_validator,
             label=_('Hostname'),
             doc=_('A hostname which this alias hostname points to'),
         ),
@@ -960,7 +969,7 @@ class DNAMERecord(DNSRecord):
     rfc = 2672
     parts = (
         Str('target',
-            _bind_hostname_validator,
+            _bind_cname_hostname_validator,
             label=_('Target'),
         ),
     )
@@ -2119,6 +2128,14 @@ class dnsrecord(LDAPObject):
                            doc=_('Parse all raw DNS records and return them in a structured way'),
                            )
 
+    def _idnsname_pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
+        if not self.is_pkey_zone_record(*keys):
+            zone, addr = normalize_zone(keys[-2]), keys[-1]
+            try:
+                validate_domain_name(addr, allow_underscore=True, allow_slash=zone_is_reverse(zone))
+            except ValueError, e:
+                raise errors.ValidationError(name='idnsname', error=unicode(e))
+
     def _nsrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
         nsrecords = entry_attrs.get('nsrecord')
@@ -2132,6 +2149,7 @@ def _ptrrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
         ptrrecords = entry_attrs.get('ptrrecord')
         if ptrrecords is None:
             return
+
         zone = keys[-2]
         if self.is_pkey_zone_record(*keys):
             addr = u''
@@ -2150,11 +2168,16 @@ def _ptrrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
                     error=unicode(_('Reverse zone for PTR record should be a sub-zone of one the following fully qualified domains: %s') % allowed_zones))
 
         addr_len = len(addr.split('.')) if addr else 0
-        ip_addr_comp_count = addr_len + len(zone.split('.'))
-        if ip_addr_comp_count != zone_len:
-            raise errors.ValidationError(name='ptrrecord',
-                error=unicode(_('Reverse zone %(name)s requires exactly %(count)d IP address components, %(user_count)d given')
-                % dict(name=zone_name, count=zone_len, user_count=ip_addr_comp_count)))
+
+        #Classless zones (0/25.0.0.10.in-addr.arpa.) -> skip check
+        #zone has to be checked without reverse domain suffix (in-addr.arpa.)
+        if ('/' not in addr and '/' not in zone and
+            '-' not in addr and '-' not in zone):
+            ip_addr_comp_count = addr_len + len(zone.split('.'))
+            if ip_addr_comp_count != zone_len:
+                raise errors.ValidationError(name='ptrrecord',
+                      error=unicode(_('Reverse zone %(name)s requires exactly %(count)d IP address components, %(user_count)d given')
+                      % dict(name=zone_name, count=zone_len, user_count=ip_addr_comp_count)))
 
     def run_precallback_validators(self, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
diff --git a/ipalib/util.py b/ipalib/util.py
index 3c52e4fd9a3e08d160dd4ae7076590be8b869d2c..17851294a78507aba7035390c3695184b7d641b1 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -215,34 +215,45 @@ def normalize_zone(zone):
     else:
         return zone
 
-def validate_dns_label(dns_label, allow_underscore=False):
-    label_chars = r'a-z0-9'
-    underscore_err_msg = ''
-    if allow_underscore:
-        label_chars += "_"
-        underscore_err_msg = u' _,'
-    label_regex = r'^[%(chars)s]([%(chars)s-]?[%(chars)s])*$' % dict(chars=label_chars)
-    regex = re.compile(label_regex, re.IGNORECASE)
-
-    if not dns_label:
-        raise ValueError(_('empty DNS label'))
-
-    if len(dns_label) > 63:
-        raise ValueError(_('DNS label cannot be longer that 63 characters'))
-
-    if not regex.match(dns_label):
-        raise ValueError(_('only letters, numbers,%(underscore)s and - are allowed. ' \
-                           'DNS label may not start or end with -') \
-                           % dict(underscore=underscore_err_msg))
-
-def validate_domain_name(domain_name, allow_underscore=False):
+
+def validate_dns_label(dns_label, allow_underscore=False, allow_slash=False):
+     base_chars = 'a-z0-9'
+     extra_chars = ''
+     middle_chars = ''
+
+     if allow_underscore:
+         extra_chars += '_'
+     if allow_slash:
+         middle_chars += '/'
+
+     middle_chars = middle_chars + '-' #has to be always the last in the regex [....-]
+
+     label_regex = r'^[%(base)s%(extra)s]([%(base)s%(extra)s%(middle)s]?[%(base)s%(extra)s])*$' \
+         % dict(base=base_chars, extra=extra_chars, middle=middle_chars)
+     regex = re.compile(label_regex, re.IGNORECASE)
+
+     if not dns_label:
+         raise ValueError(_('empty DNS label'))
+
+     if len(dns_label) > 63:
+         raise ValueError(_('DNS label cannot be longer that 63 characters'))
+
+     if not regex.match(dns_label):
+         chars = ', '.join("'%s'" % c for c in extra_chars + middle_chars)
+         chars2 = ', '.join("'%s'" % c for c in middle_chars)
+         raise ValueError(_("only letters, numbers, %(chars)s are allowed. " \
+                            "DNS label may not start or end with %(chars2)s") \
+                            % dict(chars=chars, chars2=chars2))
+
+
+def validate_domain_name(domain_name, allow_underscore=False, allow_slash=False):
     if domain_name.endswith('.'):
         domain_name = domain_name[:-1]
 
     domain_name = domain_name.split(".")
 
     # apply DNS name validator to every name part
-    map(lambda label:validate_dns_label(label,allow_underscore), domain_name)
+    map(lambda label:validate_dns_label(label, allow_underscore, allow_slash), domain_name)
 
 
 def validate_zonemgr(zonemgr):
@@ -287,7 +298,7 @@ def validate_zonemgr(zonemgr):
                local_part.split(local_part_sep)):
         raise ValueError(local_part_errmsg)
 
-def validate_hostname(hostname, check_fqdn=True, allow_underscore=False):
+def validate_hostname(hostname, check_fqdn=True, allow_underscore=False, allow_slash=False):
     """ See RFC 952, 1123
 
     :param hostname Checked value
@@ -305,9 +316,9 @@ def validate_hostname(hostname, check_fqdn=True, allow_underscore=False):
     if '.' not in hostname:
         if check_fqdn:
             raise ValueError(_('not fully qualified'))
-        validate_dns_label(hostname,allow_underscore)
+        validate_dns_label(hostname, allow_underscore, allow_slash)
     else:
-        validate_domain_name(hostname,allow_underscore)
+        validate_domain_name(hostname, allow_underscore, allow_slash)
 
 def normalize_sshpubkey(value):
     return SSHPublicKey(value).openssh()
-- 
1.8.5.3