From 1e763e582bf85ecdc2624e526237671a63fb76f5 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Fri, 7 May 2021 14:27:25 +0200
Subject: [PATCH] Check parental-agents config

Add checks for "parental-agents" configuration, checking for the option
being at wrong type of zone (only allowed for primaries and
secondaries), duplicate definitions, duplicate references, and
undefined parental clauses (the name referenced in the zone clause
does not have a matching "parental-agent" clause).
---
 .../bad-parental-agents-def-options.conf      |  19 +++
 .../bad-parental-agents-def-view.conf         |  18 +++
 .../bad-parental-agents-def-view2.conf        |  20 +++
 .../bad-parental-agents-def-zone.conf         |  16 +++
 .../checkconf/bad-parental-agents-dup.conf    |  17 +++
 .../checkconf/bad-parental-agents-dupdef.conf |  24 ++++
 .../checkconf/bad-parental-agents-empty.conf  |  18 +++
 .../checkconf/bad-parental-agents-empty2.conf |  16 +++
 .../checkconf/bad-parental-agents-mirror.conf |  16 +++
 .../bad-parental-agents-notfound.conf         |  20 +++
 .../checkconf/bad-primaries-notfound.conf     |  19 +++
 lib/bind9/check.c                             | 116 +++++++++++++-----
 12 files changed, 290 insertions(+), 29 deletions(-)
 create mode 100644 bin/tests/system/checkconf/bad-parental-agents-def-options.conf
 create mode 100644 bin/tests/system/checkconf/bad-parental-agents-def-view.conf
 create mode 100644 bin/tests/system/checkconf/bad-parental-agents-def-view2.conf
 create mode 100644 bin/tests/system/checkconf/bad-parental-agents-def-zone.conf
 create mode 100644 bin/tests/system/checkconf/bad-parental-agents-dup.conf
 create mode 100644 bin/tests/system/checkconf/bad-parental-agents-dupdef.conf
 create mode 100644 bin/tests/system/checkconf/bad-parental-agents-empty.conf
 create mode 100644 bin/tests/system/checkconf/bad-parental-agents-empty2.conf
 create mode 100644 bin/tests/system/checkconf/bad-parental-agents-mirror.conf
 create mode 100644 bin/tests/system/checkconf/bad-parental-agents-notfound.conf
 create mode 100644 bin/tests/system/checkconf/bad-primaries-notfound.conf

diff --git a/bin/tests/system/checkconf/bad-parental-agents-def-options.conf b/bin/tests/system/checkconf/bad-parental-agents-def-options.conf
new file mode 100644
index 0000000000..6bf2115662
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-def-options.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	parental-agents { 192.168.1.2; };
+};
+
+zone "example.net" {
+	type primary;
+	file "example.net.db";
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-def-view.conf b/bin/tests/system/checkconf/bad-parental-agents-def-view.conf
new file mode 100644
index 0000000000..5cb0f81d88
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-def-view.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view "test" {
+	parental-agents { 192.168.1.2; };
+	zone "example.net" {
+		type primary;
+		file "example.net.db";
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-def-view2.conf b/bin/tests/system/checkconf/bad-parental-agents-def-view2.conf
new file mode 100644
index 0000000000..3487429a50
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-def-view2.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view "test" {
+	parental-agents "net" {
+		192.168.1.2;
+	 };
+	zone "example.net" {
+		type primary;
+		file "example.net.db";
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-def-zone.conf b/bin/tests/system/checkconf/bad-parental-agents-def-zone.conf
new file mode 100644
index 0000000000..48b735a055
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-def-zone.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.net" {
+	type primary;
+	file "example.net.db";
+	parental-agents "net" { 192.168.1.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-dup.conf b/bin/tests/system/checkconf/bad-parental-agents-dup.conf
new file mode 100644
index 0000000000..569c42baea
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-dup.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.net" {
+	type primary;
+	file "example.net.db";
+	parental-agents { 192.168.1.1; };
+	parental-agents { 192.168.1.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-dupdef.conf b/bin/tests/system/checkconf/bad-parental-agents-dupdef.conf
new file mode 100644
index 0000000000..99360745fb
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-dupdef.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+parental-agents "net" {
+	192.168.1.1;
+};
+
+parental-agents "net" {
+	192.168.1.2;
+};
+
+zone "example.net" {
+	type primary;
+	file "example.net.db";
+	parental-agents { "net"; };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-empty.conf b/bin/tests/system/checkconf/bad-parental-agents-empty.conf
new file mode 100644
index 0000000000..0329584132
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-empty.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+parental-agents "net" { };
+
+zone "example.net" {
+	type primary;
+	file "example.net.db";
+	parental-agents { "net"; };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-empty2.conf b/bin/tests/system/checkconf/bad-parental-agents-empty2.conf
new file mode 100644
index 0000000000..18d9d8214b
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-empty2.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.net" {
+	type primary;
+	file "example.net.db";
+	parental-agents { };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-mirror.conf b/bin/tests/system/checkconf/bad-parental-agents-mirror.conf
new file mode 100644
index 0000000000..d06662d7c2
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-mirror.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "." {
+	type mirror;
+	file "root.mirror";
+	parental-agents { 192.168.1.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-notfound.conf b/bin/tests/system/checkconf/bad-parental-agents-notfound.conf
new file mode 100644
index 0000000000..7639c5f383
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-notfound.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+parental-agents "com" {
+	192.168.1.2;
+};
+
+zone "example.net" {
+	type primary;
+	file "example.net.db";
+	parental-agents { "net"; };
+};
diff --git a/bin/tests/system/checkconf/bad-primaries-notfound.conf b/bin/tests/system/checkconf/bad-primaries-notfound.conf
new file mode 100644
index 0000000000..db290e82d8
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-primaries-notfound.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+primaries "net" {
+	 192.168.1.2;
+};
+
+zone "example.net" {
+	type secondary;
+	primaries { "foo"; };
+};
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index e19d5dc21c..8d9807c190 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -1841,12 +1841,12 @@ check_options(const cfg_obj_t *options, const cfg_obj_t *config,
 }
 
 /*
- * Check "primaries" style list.
+ * Check "remote-servers" style list.
  */
 static isc_result_t
-bind9_check_primarylist(const cfg_obj_t *cctx, const char *list,
-			isc_log_t *logctx, isc_symtab_t *symtab,
-			isc_mem_t *mctx) {
+bind9_check_remoteserverlist(const cfg_obj_t *cctx, const char *list,
+			     isc_log_t *logctx, isc_symtab_t *symtab,
+			     isc_mem_t *mctx) {
 	isc_symvalue_t symvalue;
 	isc_result_t result, tresult;
 	const cfg_obj_t *obj = NULL;
@@ -1883,9 +1883,9 @@ bind9_check_primarylist(const cfg_obj_t *cctx, const char *list,
 				file = "<unknown file>";
 			}
 			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "primaries list '%s' is duplicated: "
+				    "%s list '%s' is duplicated: "
 				    "also defined at %s:%u",
-				    name, file, line);
+				    list, name, file, line);
 			isc_mem_free(mctx, tmp);
 			result = tresult;
 			break;
@@ -1913,13 +1913,35 @@ bind9_check_primarylists(const cfg_obj_t *cctx, isc_log_t *logctx,
 	if (result != ISC_R_SUCCESS) {
 		return (result);
 	}
-	tresult = bind9_check_primarylist(cctx, "primaries", logctx, symtab,
-					  mctx);
+	tresult = bind9_check_remoteserverlist(cctx, "primaries", logctx,
+					       symtab, mctx);
 	if (tresult != ISC_R_SUCCESS) {
 		result = tresult;
 	}
-	tresult = bind9_check_primarylist(cctx, "masters", logctx, symtab,
-					  mctx);
+	tresult = bind9_check_remoteserverlist(cctx, "masters", logctx, symtab,
+					       mctx);
+	if (tresult != ISC_R_SUCCESS) {
+		result = tresult;
+	}
+	isc_symtab_destroy(&symtab);
+	return (result);
+}
+
+/*
+ * Check parental-agents lists for duplicates.
+ */
+static isc_result_t
+bind9_check_parentalagentlists(const cfg_obj_t *cctx, isc_log_t *logctx,
+			       isc_mem_t *mctx) {
+	isc_result_t result, tresult;
+	isc_symtab_t *symtab = NULL;
+
+	result = isc_symtab_create(mctx, 100, freekey, mctx, false, &symtab);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+	tresult = bind9_check_remoteserverlist(cctx, "parental-agents", logctx,
+					       symtab, mctx);
 	if (tresult != ISC_R_SUCCESS) {
 		result = tresult;
 	}
@@ -1928,8 +1950,8 @@ bind9_check_primarylists(const cfg_obj_t *cctx, isc_log_t *logctx,
 }
 
 static isc_result_t
-get_primaries(const cfg_obj_t *cctx, const char *list, const char *name,
-	      const cfg_obj_t **ret) {
+get_remotes(const cfg_obj_t *cctx, const char *list, const char *name,
+	    const cfg_obj_t **ret) {
 	isc_result_t result;
 	const cfg_obj_t *obj = NULL;
 	const cfg_listelt_t *elt = NULL;
@@ -1958,20 +1980,25 @@ get_primaries(const cfg_obj_t *cctx, const char *list, const char *name,
 }
 
 static isc_result_t
-get_primaries_def(const cfg_obj_t *cctx, const char *name,
-		  const cfg_obj_t **ret) {
-	isc_result_t result;
+get_remoteservers_def(const char *list, const char *name, const cfg_obj_t *cctx,
+		      const cfg_obj_t **ret) {
+	isc_result_t result = ISC_R_NOTFOUND;
 
-	result = get_primaries(cctx, "primaries", name, ret);
-	if (result != ISC_R_SUCCESS) {
-		result = get_primaries(cctx, "masters", name, ret);
+	if (strcmp(list, "primaries") == 0) {
+		result = get_remotes(cctx, "primaries", name, ret);
+		if (result != ISC_R_SUCCESS) {
+			result = get_remotes(cctx, "masters", name, ret);
+		}
+	} else if (strcmp(list, "parental-agents") == 0) {
+		result = get_remotes(cctx, "parental-agents", name, ret);
 	}
 	return (result);
 }
 
 static isc_result_t
-validate_primaries(const cfg_obj_t *obj, const cfg_obj_t *config,
-		   uint32_t *countp, isc_log_t *logctx, isc_mem_t *mctx) {
+validate_remotes(const char *list, const cfg_obj_t *obj,
+		 const cfg_obj_t *config, uint32_t *countp, isc_log_t *logctx,
+		 isc_mem_t *mctx) {
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
 	uint32_t count = 0;
@@ -1980,7 +2007,7 @@ validate_primaries(const cfg_obj_t *obj, const cfg_obj_t *config,
 	const cfg_listelt_t *element;
 	const cfg_listelt_t **stack = NULL;
 	uint32_t stackcount = 0, pushed = 0;
-	const cfg_obj_t *list;
+	const cfg_obj_t *listobj;
 
 	REQUIRE(countp != NULL);
 	result = isc_symtab_create(mctx, 100, NULL, NULL, false, &symtab);
@@ -1990,8 +2017,8 @@ validate_primaries(const cfg_obj_t *obj, const cfg_obj_t *config,
 	}
 
 newlist:
-	list = cfg_tuple_get(obj, "addresses");
-	element = cfg_list_first(list);
+	listobj = cfg_tuple_get(obj, "addresses");
+	element = cfg_list_first(listobj);
 resume:
 	for (; element != NULL; element = cfg_list_next(element)) {
 		const char *listname;
@@ -2021,13 +2048,13 @@ resume:
 		if (tresult == ISC_R_EXISTS) {
 			continue;
 		}
-		tresult = get_primaries_def(config, listname, &obj);
+		tresult = get_remoteservers_def(list, listname, config, &obj);
 		if (tresult != ISC_R_SUCCESS) {
 			if (result == ISC_R_SUCCESS) {
 				result = tresult;
 			}
 			cfg_obj_log(addr, logctx, ISC_LOG_ERROR,
-				    "unable to find primaries list '%s'",
+				    "unable to find %s list '%s'", list,
 				    listname);
 			continue;
 		}
@@ -2764,8 +2791,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 		}
 		if (tresult == ISC_R_SUCCESS && donotify) {
 			uint32_t count;
-			tresult = validate_primaries(obj, config, &count,
-						     logctx, mctx);
+			tresult = validate_remotes("primaries", obj, config,
+						   &count, logctx, mctx);
 			if (tresult != ISC_R_SUCCESS && result == ISC_R_SUCCESS)
 			{
 				result = tresult;
@@ -2806,8 +2833,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 			result = ISC_R_FAILURE;
 		} else {
 			uint32_t count;
-			tresult = validate_primaries(obj, config, &count,
-						     logctx, mctx);
+			tresult = validate_remotes("primaries", obj, config,
+						   &count, logctx, mctx);
 			if (tresult != ISC_R_SUCCESS && result == ISC_R_SUCCESS)
 			{
 				result = tresult;
@@ -2822,6 +2849,32 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 		}
 	}
 
+	/*
+	 * Primary and secondary zones that have a "parental-agents" field,
+	 * must have a corresponding "parental-agents" clause.
+	 */
+	if (ztype == CFG_ZONE_MASTER || ztype == CFG_ZONE_SLAVE) {
+		obj = NULL;
+		(void)cfg_map_get(zoptions, "parental-agents", &obj);
+		if (obj != NULL) {
+			uint32_t count;
+			tresult = validate_remotes("parental-agents", obj,
+						   config, &count, logctx,
+						   mctx);
+			if (tresult != ISC_R_SUCCESS && result == ISC_R_SUCCESS)
+			{
+				result = tresult;
+			}
+			if (tresult == ISC_R_SUCCESS && count == 0) {
+				cfg_obj_log(zoptions, logctx, ISC_LOG_ERROR,
+					    "zone '%s': "
+					    "empty 'parental-agents' entry",
+					    znamestr);
+				result = ISC_R_FAILURE;
+			}
+		}
+	}
+
 	/*
 	 * Configuring a mirror zone and disabling recursion at the same time
 	 * contradicts the purpose of the former.
@@ -5148,6 +5201,11 @@ bind9_check_namedconf(const cfg_obj_t *config, bool check_plugins,
 		result = ISC_R_FAILURE;
 	}
 
+	if (bind9_check_parentalagentlists(config, logctx, mctx) !=
+	    ISC_R_SUCCESS) {
+		result = ISC_R_FAILURE;
+	}
+
 	(void)cfg_map_get(config, "view", &views);
 
 	if (views != NULL && options != NULL) {