From e2062879c18be5a8dc0750c83d5d5f20345d9a2f Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Thu, 7 Mar 2019 22:55:16 -0800 Subject: [PATCH] test the use of the view ACL in DLZ --- bin/tests/system/dlzexternal/driver.c | 35 +++++++++++++++++++ bin/tests/system/dlzexternal/ns1/dlzs.conf.in | 4 +++ .../system/dlzexternal/ns1/named.conf.in | 1 + bin/tests/system/dlzexternal/tests.sh | 10 ++++++ 4 files changed, 50 insertions(+) diff --git a/bin/tests/system/dlzexternal/driver.c b/bin/tests/system/dlzexternal/driver.c index 35151441d4..6767bfc64a 100644 --- a/bin/tests/system/dlzexternal/driver.c +++ b/bin/tests/system/dlzexternal/driver.c @@ -534,21 +534,56 @@ dlz_lookup(const char *zone, const char *name, void *dbdata, */ isc_result_t dlz_allowzonexfr(void *dbdata, const char *name, const char *client) { + struct dlz_example_data *state = (struct dlz_example_data *)dbdata; isc_result_t result; + if (state->log != NULL) { + state->log(ISC_LOG_INFO, + "dlz_example: dlz_allowzonexfr called for %s", + name); + } + result = dlz_findzonedb(dbdata, name, NULL, NULL); if (result != ISC_R_SUCCESS) { + if (state->log != NULL) { + state->log(ISC_LOG_INFO, + "dlz_example: findzonedb returned %s", + isc_result_totext(result)); + } return (result); } + /* + * Exception for "example.org" so we can test the use of + * the view ACL. + */ + if (strcmp(name, "example.org") == 0) { + if (state->log != NULL) { + state->log(ISC_LOG_INFO, + "dlz_example: use view ACL " + "for example.org"); + } + return (ISC_R_DEFAULT); + } + /* * Exception for 10.53.0.5 so we can test that allow-transfer * is effective. */ if (strcmp(client, "10.53.0.5") == 0) { + if (state->log != NULL) { + state->log(ISC_LOG_INFO, + "dlz_example: disallow transfer " + "to 10.53.0.5"); + } return (ISC_R_NOPERM); } + if (state->log != NULL) { + state->log(ISC_LOG_INFO, + "dlz_example: transfer allowed for %s", name); + } + return (ISC_R_SUCCESS); } 
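Review bot: The new example.org check sits before the existing 10.53.0.5 exception, so for example.org a transfer request from 10.53.0.5 is deferred to the view ACL via ISC_R_DEFAULT instead of being refused with ISC_R_NOPERM; the comment above that check should make the precedence explicit, e.g. `* Placed before the 10.53.0.5 exception on purpose: for example.org the decision is delegated entirely to the view's allow-transfer.` The guard `if (state->log != NULL) { state->log(...); }` is repeated five times in this function; if driver.c does not already have one, a small `static` logging helper taking the format and arguments would keep the authorization logic readable. `state` is dereferenced right after the cast from `dbdata` without a NULL check, which presumably mirrors the other DLZ callbacks in this file. Passing `name` and `isc_result_totext(result)` as `%s` arguments rather than as the format string is the right shape for a log line built from request data.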
diff --git a/bin/tests/system/dlzexternal/ns1/dlzs.conf.in b/bin/tests/system/dlzexternal/ns1/dlzs.conf.in index d583cb4e1a..07bf329b50 100644 --- a/bin/tests/system/dlzexternal/ns1/dlzs.conf.in +++ b/bin/tests/system/dlzexternal/ns1/dlzs.conf.in @@ -17,6 +17,10 @@ dlz "example two" { database "dlopen ../driver.@SO@ alternate.nil"; }; +dlz "example three" { + database "dlopen ../driver.@SO@ example.org"; +}; + dlz "unsearched1" { database "dlopen ../driver.@SO@ other.nil"; search no; diff --git a/bin/tests/system/dlzexternal/ns1/named.conf.in b/bin/tests/system/dlzexternal/ns1/named.conf.in index d35061a8cb..591061cb85 100644 --- a/bin/tests/system/dlzexternal/ns1/named.conf.in +++ b/bin/tests/system/dlzexternal/ns1/named.conf.in @@ -18,6 +18,7 @@ options { session-keyfile "session.key"; listen-on { 10.53.0.1; 127.0.0.1; }; listen-on-v6 { none; }; + allow-transfer { !10.53.0.1; any; }; recursion no; notify yes; }; diff --git a/bin/tests/system/dlzexternal/tests.sh b/bin/tests/system/dlzexternal/tests.sh index 6c84ad10eb..b9d44057be 100644 --- a/bin/tests/system/dlzexternal/tests.sh +++ b/bin/tests/system/dlzexternal/tests.sh 
@@ -125,6 +125,16 @@ grep "; Transfer failed" dig.out.alternate.ns1.test$n > /dev/null || ret=1 [ "$ret" -eq 0 ] || echo_i "failed" status=`expr $status + $ret` +newtest "testing AXFR denied based on view ACL" +# 10.53.0.1 should be disallowed +$DIG $DIGOPTS -b 10.53.0.1 +noall +answer axfr example.org > dig.out.example.ns1.test$n.1 +grep "; Transfer failed" dig.out.example.ns1.test$n.1 > /dev/null || ret=1 +# 10.53.0.2 should be allowed +$DIG $DIGOPTS -b 10.53.0.2 +noall +answer axfr example.org > dig.out.example.ns1.test$n.2 +grep "; Transfer failed" dig.out.example.ns1.test$n.2 > /dev/null && ret=1 +[ "$ret" -eq 0 ] || echo_i "failed" +status=`expr $status + $ret` + newtest "testing unsearched/unregistered DLZ zone is not found" $DIG $DIGOPTS +noall +answer ns other.nil > dig.out.ns1.test$n grep "3600.IN.NS.other.nil." dig.out.ns1.test$n > /dev/null && ret=1