Prevent XFR from being used on PRIMARY zones

- Added constant for PRIMARY / SECONDARY. Related-Bug: #2036750 Change-Id: Ie0419cdb52dbfcb813faf9070110a2635a46ed51
2023-09-21 05:04:41 -07:00 · 2023-09-21 05:04:41 -07:00 · 79aac2b206
commit 79aac2b206
parent aaed97875c
4 changed files with 38 additions and 6 deletions
--- a/designate/central/service.py
+++ b/designate/central/service.py
@ -808,7 +808,7 @@ class Service(service.RPCService):
        """Create zone straight away
        """

-        if zone.type == 'SECONDARY' and zone.serial is None:
+        if zone.type == constants.ZONE_SECONDARY and zone.serial is None:
            zone.serial = 1

        # randomize the zone refresh time
@ -818,7 +818,7 @@ class Service(service.RPCService):

        self.worker_api.create_zone(context, zone)

-        if zone.type == 'SECONDARY':
+        if zone.type == constants.ZONE_SECONDARY:
            xfr_zone = copy.deepcopy(zone)
            xfr_zone.obj_reset_changes(recursive=True)
            self.worker_api.perform_zone_xfr(context, xfr_zone)
@ -996,7 +996,7 @@ class Service(service.RPCService):
        )

        # Fire off a XFR
-        if zone.type == 'SECONDARY' and 'masters' in changes:
+        if zone.type == constants.ZONE_SECONDARY and 'masters' in changes:
            self.worker_api.perform_zone_xfr(context, zone)

        return zone
@ -1128,7 +1128,7 @@ class Service(service.RPCService):

        policy.check('xfr_zone', context, target)

-        if zone.type != 'SECONDARY':
+        if zone.type != constants.ZONE_SECONDARY:
            msg = "Can't XFR a non Secondary zone."
            raise exceptions.BadRequest(msg)

--- a/designate/common/constants.py
+++ b/designate/common/constants.py
@ -54,6 +54,11 @@ VALID_QUOTAS = [QUOTA_API_EXPORT_SIZE, QUOTA_RECORDSET_RECORDS,
 # RBAC scopes
 PROJECT = 'project'

+# Zone constants
+ZONE_PRIMARY = 'PRIMARY'
+ZONE_SECONDARY = 'SECONDARY'
+ZONE_TYPES = [ZONE_PRIMARY, ZONE_SECONDARY]
+
 # Record regexes
 RE_HOSTNAME = re.compile(r'^(?!.{255,})(?:(?:^\*|(?!\-)[A-Za-z0-9_\-]{1,63})(?<!\-)\.)+\Z')  # noqa
 RE_ZONENAME = re.compile(r'^(?!.{255,})(?:(?!\-)[A-Za-z0-9_\-]{1,63}(?<!\-)\.)+\Z')  # noqa
--- a/designate/tests/unit/workers/test_xfr.py
+++ b/designate/tests/unit/workers/test_xfr.py
@ -19,6 +19,7 @@ from oslo_config import cfg
 from oslo_config import fixture as cfg_fixture
 import oslotest.base

+from designate.common import constants
 from designate import dnsutils
 from designate import exceptions
 from designate import objects
@ -44,7 +45,8 @@ class TestXfr(oslotest.base.BaseTestCase):
            serial=1,
            masters=objects.ZoneMasterList.from_list(
                [{'host': '127.0.0.1', 'port': 53}, ]
-            )
+            ),
+            type=constants.ZONE_SECONDARY,
        )

        self.xfr = worker_zone.ZoneXfr(mock.Mock(), self.context, zone)
@ -64,6 +66,7 @@ class TestXfr(oslotest.base.BaseTestCase):
            id='7592878e-4ade-40de-8b8d-699b871ee6fa',
            name='example.com.',
            serial=1,
+            type=constants.ZONE_SECONDARY,
        )

        self.xfr = worker_zone.ZoneXfr(
@ -88,7 +91,8 @@ class TestXfr(oslotest.base.BaseTestCase):
            serial=1,
            masters=objects.ZoneMasterList.from_list(
                [{'host': '127.0.0.1', 'port': 53}, ]
-            )
+            ),
+            type=constants.ZONE_SECONDARY,
        )

        self.xfr = worker_zone.ZoneXfr(mock.Mock(), self.context, zone)
@ -100,3 +104,22 @@ class TestXfr(oslotest.base.BaseTestCase):
            self.xfr()

            self.assertNotIn('transferred_at', zone.obj_what_changed())
+
+    @mock.patch.object(dnsutils, 'do_axfr')
+    def test_zone_only_allow_axfr_on_secondary_zones(self, mock_do_axfr):
+        zone = objects.Zone(
+            id='7592878e-4ade-40de-8b8d-699b871ee6fa',
+            name='example.com.',
+            serial=1,
+            masters=objects.ZoneMasterList.from_list(
+                [{'host': '127.0.0.1', 'port': 53}, ]
+            ),
+            type=constants.ZONE_PRIMARY,
+        )
+
+        self.xfr = worker_zone.ZoneXfr(mock.Mock(), self.context, zone)
+        self.xfr._central_api = mock.Mock()
+
+        self.xfr()
+
+        mock_do_axfr.assert_not_called()
--- a/designate/worker/tasks/zone.py
+++ b/designate/worker/tasks/zone.py
@ -23,6 +23,7 @@ from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_utils import timeutils

+from designate.common import constants
 from designate import dnsutils
 from designate import exceptions
 from designate import objects
@ -167,6 +168,9 @@ class ZoneXfr(base.Task):
        self.servers = servers

    def __call__(self):
+        if self.zone.type != constants.ZONE_SECONDARY:
+            return
+
        servers = self.servers or self.zone.masters
        if isinstance(servers, objects.ListObjectMixin):
            servers = servers.to_list()