18776176249

Committed 24 Oct 2025 09:51AM UTC coverage: 73.028% (+15.6%) from 57.383%

Build # 18776176249

Build Type

Pull #16370

github

Committed by

web-flow

Commit Message

Merge 0f309894e into 39f7f1b27

Pull Request Pull Request #16370: auth: xfr churning

Run Details

38273 of 63104 branches covered (60.65%)

Branch coverage included in aggregate %.

186 of 264 new or added lines in 1 file covered. (70.45%)

14471 existing lines in 217 files now uncovered.

127487 of 163878 relevant lines covered (77.79%)

5632363.83 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

62.5

/pdns/dnsseckeeper.hh

/*
 * This file is part of PowerDNS or dnsdist.
 * Copyright -- PowerDNS.COM B.V. and its contributors
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of version 2 of the GNU General Public License as
 * published by the Free Software Foundation.
 *
 * In addition, for the avoidance of any doubt, permission is granted to
 * link this program with OpenSSL and to (re)distribute the binaries
 * produced as the result of such linking.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
#pragma once

#include <vector>
#include <boost/logic/tribool.hpp>
#include <boost/multi_index_container.hpp>
#include <boost/multi_index/hashed_index.hpp>
#include <boost/multi_index/ordered_index.hpp>
#include <boost/multi_index/key_extractors.hpp>
#include <boost/multi_index/sequenced_index.hpp>
#include "dnssecinfra.hh"
#include "dnsrecords.hh"
#include "dnspacket.hh"
#include "ueberbackend.hh"
#include "lock.hh"
#include "dnssec.hh"

using namespace ::boost::multi_index;

class DNSSECKeeper : public DNSSEC
{
public:

  struct KeyMetaData
  {
    string fname;
    unsigned int id;
    bool active;
    keytype_t keyType;
    bool hasSEPBit;
    bool published;
  };
  typedef std::pair<DNSSECPrivateKey, KeyMetaData> keymeta_t;
  typedef std::vector<keymeta_t > keyset_t;


private:
  UeberBackend* d_keymetadb;
  bool d_ourDB;

public:
  DNSSECKeeper() : d_keymetadb( new UeberBackend("key-only")), d_ourDB(true)
  {

  }

  DNSSECKeeper(UeberBackend* db) : d_keymetadb(db), d_ourDB(false)
  {
  }

  ~DNSSECKeeper()
  {
    if(d_ourDB)
      delete d_keymetadb;
  }

  DNSSECKeeper(const DNSSECKeeper&) = delete;
  DNSSECKeeper operator=(const DNSSECKeeper&) = delete;

  static uint64_t dbdnssecCacheSizes(const std::string& str);
  static void clearAllCaches();
  static bool clearKeyCache(const ZoneName& name);
  static bool clearMetaCache(const ZoneName& name);
  static void clearCaches(const ZoneName& name);

  bool doesDNSSEC();
  bool isSecuredZone(const ZoneName& zone, bool useCache=true);
  keyset_t getEntryPoints(const ZoneName& zname);
  keyset_t getKeys(const ZoneName& zone, bool useCache = true);
  DNSSECPrivateKey getKeyById(const ZoneName& zname, unsigned int keyId);
  bool addKey(const ZoneName& zname, bool setSEPBit, int algorithm, int64_t& keyId, int bits=0, bool active=true, bool published=true);
  bool addKey(const ZoneName& zname, const DNSSECPrivateKey& dpk, int64_t& keyId, bool active=true, bool published=true);
  bool removeKey(const ZoneName& zname, unsigned int keyId);
  bool activateKey(const ZoneName& zname, unsigned int keyId);
  bool deactivateKey(const ZoneName& zname, unsigned int keyId);
  bool publishKey(const ZoneName& zname, unsigned int keyId);
  bool unpublishKey(const ZoneName& zname, unsigned int keyId);
  bool checkKeys(const ZoneName& zone, std::optional<std::reference_wrapper<std::vector<std::string>>> errorMessages);

  bool getNSEC3PARAM(const ZoneName& zname, NSEC3PARAMRecordContent* ns3p=nullptr, bool* narrow=nullptr, bool useCache=true);
  bool checkNSEC3PARAM(const NSEC3PARAMRecordContent& ns3p, string& msg);
  bool setNSEC3PARAM(const ZoneName& zname, const NSEC3PARAMRecordContent& ns3p, const bool& narrow=false);
  bool unsetNSEC3PARAM(const ZoneName& zname);
  void getPreRRSIGs(UeberBackend& db, vector<DNSZoneRecord>& rrs, uint32_t signTTL, DNSPacket* p=nullptr);
  bool isPresigned(const ZoneName& zname, bool useCache=true);
  bool setPresigned(const ZoneName& zname);
  bool unsetPresigned(const ZoneName& zname);
  bool isSignalingZone(const ZoneName& zname, bool useCache=true);
  bool setPublishCDNSKEY(const ZoneName& zname, bool deleteAlg);
  void getPublishCDNSKEY(const ZoneName& zname, std::string& value);
  bool unsetPublishCDNSKEY(const ZoneName& zname);
  bool setPublishCDS(const ZoneName& zname, const string& digestAlgos);
  void getPublishCDS(const ZoneName& zname, std::string& value);
  bool unsetPublishCDS(const ZoneName& zname);

  bool TSIGGrantsAccess(const ZoneName& zone, const DNSName& keyname);
  bool getTSIGForAccess(const ZoneName& zone, const ComboAddress& primary, DNSName* keyname);

  void startTransaction(const ZoneName& zone)
  {
    (*d_keymetadb->backends.begin())->startTransaction(zone);
  }

  void commitTransaction()
  {
    (*d_keymetadb->backends.begin())->commitTransaction();
  }

  void getFromMetaOrDefault(const ZoneName& zname, const std::string& key, std::string& value, const std::string& defaultvalue);
  bool getFromMeta(const ZoneName& zname, const std::string& key, std::string& value);
  void getSoaEdit(const ZoneName& zname, std::string& value, bool useCache=true);
  bool unSecureZone(const ZoneName& zone, std::string& error);
  bool rectifyZone(const ZoneName& zone, std::string& error, std::string& info, bool doTransaction);

  static void setMaxEntries(size_t maxEntries);

  bool isMetadataOne(const ZoneName& zname, const std::string& metaname, bool useCache);

  int64_t d_metaCacheCleanAction{0};
  typedef std::map<std::string, std::vector<std::string> > METAValues;
private:
  bool getFromMetaNoCache(const ZoneName& name, const std::string& kind, std::string& value);

  bool d_metaUpdate{false};

  struct KeyCacheEntry
  {
    typedef vector<DNSSECKeeper::keymeta_t> keys_t;

    uint32_t isStale(time_t now) const
    {
      return d_ttd < now;
    }

    ZoneName d_domain;
    mutable keys_t d_keys;
    unsigned int d_ttd;
  };

  struct METACacheEntry
  {
    time_t isStale(time_t now) const
    {
      return d_ttd < now;
    }

    ZoneName d_domain;
    mutable METAValues d_value;
    time_t d_ttd;
  };

  struct KeyCacheTag{};
  struct CompositeTag{};
  struct SequencedTag{};

  typedef multi_index_container<
    KeyCacheEntry,
    indexed_by<
      hashed_unique<tag<KeyCacheTag>,member<KeyCacheEntry, ZoneName, &KeyCacheEntry::d_domain> >,
      sequenced<tag<SequencedTag>>
    >
  > keycache_t;

  typedef multi_index_container<
    METACacheEntry,
    indexed_by<
      ordered_unique<member<METACacheEntry, ZoneName, &METACacheEntry::d_domain> >,
      sequenced<tag<SequencedTag>>
    >
  > metacache_t;

  void cleanup();

  static SharedLockGuarded<keycache_t> s_keycache;
  static SharedLockGuarded<metacache_t> s_metacache;
  static int64_t s_metaCacheCleanActions;
  static AtomicCounter s_ops;
  static time_t s_last_prune;
  static size_t s_maxEntries;
};

uint32_t localtime_format_YYYYMMDDSS(time_t t, uint32_t seq);
// for SOA-EDIT
uint32_t calculateEditSOA(uint32_t old_serial, DNSSECKeeper& dsk, const ZoneName& zonename);
uint32_t calculateEditSOA(uint32_t old_serial, const string& kind, const ZoneName& zonename);
// for SOA-EDIT-DNSUPDATE/API
bool increaseSOARecord(DNSResourceRecord& rr, const string& increaseKind, const string& editKind, const ZoneName& zonename);
bool makeIncreasedSOARecord(SOAData& sd, const string& increaseKind, const string& editKind, DNSResourceRecord& rrout);
DNSZoneRecord makeEditedDNSZRFromSOAData(DNSSECKeeper& dk, const SOAData& sd, DNSResourceRecord::Place place=DNSResourceRecord::ANSWER);

1	/*
2	* This file is part of PowerDNS or dnsdist.
3	* Copyright -- PowerDNS.COM B.V. and its contributors
4	*
5	* This program is free software; you can redistribute it and/or modify
6	* it under the terms of version 2 of the GNU General Public License as
7	* published by the Free Software Foundation.
8	*
9	* In addition, for the avoidance of any doubt, permission is granted to
10	* link this program with OpenSSL and to (re)distribute the binaries
11	* produced as the result of such linking.
12	*
13	* This program is distributed in the hope that it will be useful,
14	* but WITHOUT ANY WARRANTY; without even the implied warranty of
15	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16	* GNU General Public License for more details.
17	*
18	* You should have received a copy of the GNU General Public License
19	* along with this program; if not, write to the Free Software
20	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21	*/
22	#pragma once
23
24	#include <vector>
25	#include <boost/logic/tribool.hpp>
26	#include <boost/multi_index_container.hpp>
27	#include <boost/multi_index/hashed_index.hpp>
28	#include <boost/multi_index/ordered_index.hpp>
29	#include <boost/multi_index/key_extractors.hpp>
30	#include <boost/multi_index/sequenced_index.hpp>
31	#include "dnssecinfra.hh"
32	#include "dnsrecords.hh"
33	#include "dnspacket.hh"
34	#include "ueberbackend.hh"
35	#include "lock.hh"
36	#include "dnssec.hh"
37
38	using namespace ::boost::multi_index;
39
40	class DNSSECKeeper : public DNSSEC
41	{
42	public:
43
44	struct KeyMetaData
45	{
46	string fname;
47	unsigned int id;
48	bool active;
49	keytype_t keyType;
50	bool hasSEPBit;
51	bool published;
52	};
53	typedef std::pair<DNSSECPrivateKey, KeyMetaData> keymeta_t;
54	typedef std::vector<keymeta_t > keyset_t;
55
56
57	private:
58	UeberBackend* d_keymetadb;
59	bool d_ourDB;
60
61	public:
62	DNSSECKeeper() : d_keymetadb( new UeberBackend("key-only")), d_ourDB(true)
63	{	2,100✔
64
65	}	2,100✔
66
67	DNSSECKeeper(UeberBackend* db) : d_keymetadb(db), d_ourDB(false)
68	{	8,691✔
69	}	8,691✔
70
71	~DNSSECKeeper()
72	{	10,004✔
73	if(d_ourDB)	10,004✔
74	delete d_keymetadb;	2,100✔
75	}	10,004✔
76
77	DNSSECKeeper(const DNSSECKeeper&) = delete;
78	DNSSECKeeper operator=(const DNSSECKeeper&) = delete;
79
80	static uint64_t dbdnssecCacheSizes(const std::string& str);
81	static void clearAllCaches();
82	static bool clearKeyCache(const ZoneName& name);
83	static bool clearMetaCache(const ZoneName& name);
84	static void clearCaches(const ZoneName& name);
85
86	bool doesDNSSEC();
87	bool isSecuredZone(const ZoneName& zone, bool useCache=true);
88	keyset_t getEntryPoints(const ZoneName& zname);
89	keyset_t getKeys(const ZoneName& zone, bool useCache = true);
90	DNSSECPrivateKey getKeyById(const ZoneName& zname, unsigned int keyId);
91	bool addKey(const ZoneName& zname, bool setSEPBit, int algorithm, int64_t& keyId, int bits=0, bool active=true, bool published=true);
92	bool addKey(const ZoneName& zname, const DNSSECPrivateKey& dpk, int64_t& keyId, bool active=true, bool published=true);
93	bool removeKey(const ZoneName& zname, unsigned int keyId);
94	bool activateKey(const ZoneName& zname, unsigned int keyId);
95	bool deactivateKey(const ZoneName& zname, unsigned int keyId);
96	bool publishKey(const ZoneName& zname, unsigned int keyId);
97	bool unpublishKey(const ZoneName& zname, unsigned int keyId);
98	bool checkKeys(const ZoneName& zone, std::optional<std::reference_wrapper<std::vector<std::string>>> errorMessages);
99
100	bool getNSEC3PARAM(const ZoneName& zname, NSEC3PARAMRecordContent* ns3p=nullptr, bool* narrow=nullptr, bool useCache=true);
101	bool checkNSEC3PARAM(const NSEC3PARAMRecordContent& ns3p, string& msg);
102	bool setNSEC3PARAM(const ZoneName& zname, const NSEC3PARAMRecordContent& ns3p, const bool& narrow=false);
103	bool unsetNSEC3PARAM(const ZoneName& zname);
104	void getPreRRSIGs(UeberBackend& db, vector<DNSZoneRecord>& rrs, uint32_t signTTL, DNSPacket* p=nullptr);
105	bool isPresigned(const ZoneName& zname, bool useCache=true);
106	bool setPresigned(const ZoneName& zname);
107	bool unsetPresigned(const ZoneName& zname);
108	bool isSignalingZone(const ZoneName& zname, bool useCache=true);
109	bool setPublishCDNSKEY(const ZoneName& zname, bool deleteAlg);
110	void getPublishCDNSKEY(const ZoneName& zname, std::string& value);
111	bool unsetPublishCDNSKEY(const ZoneName& zname);
112	bool setPublishCDS(const ZoneName& zname, const string& digestAlgos);
113	void getPublishCDS(const ZoneName& zname, std::string& value);
114	bool unsetPublishCDS(const ZoneName& zname);
115
116	bool TSIGGrantsAccess(const ZoneName& zone, const DNSName& keyname);
117	bool getTSIGForAccess(const ZoneName& zone, const ComboAddress& primary, DNSName* keyname);
118
119	void startTransaction(const ZoneName& zone)
120	{
121	(*d_keymetadb->backends.begin())->startTransaction(zone);
122	}
123
124	void commitTransaction()
125	{
126	(*d_keymetadb->backends.begin())->commitTransaction();
127	}
128
129	void getFromMetaOrDefault(const ZoneName& zname, const std::string& key, std::string& value, const std::string& defaultvalue);
130	bool getFromMeta(const ZoneName& zname, const std::string& key, std::string& value);
131	void getSoaEdit(const ZoneName& zname, std::string& value, bool useCache=true);
132	bool unSecureZone(const ZoneName& zone, std::string& error);
133	bool rectifyZone(const ZoneName& zone, std::string& error, std::string& info, bool doTransaction);
134
135	static void setMaxEntries(size_t maxEntries);
136
137	bool isMetadataOne(const ZoneName& zname, const std::string& metaname, bool useCache);
138
139	int64_t d_metaCacheCleanAction{0};
140	typedef std::map<std::string, std::vector<std::string> > METAValues;
141	private:
142	bool getFromMetaNoCache(const ZoneName& name, const std::string& kind, std::string& value);
143
144	bool d_metaUpdate{false};
145
146	struct KeyCacheEntry
147	{
148	typedef vector<DNSSECKeeper::keymeta_t> keys_t;
149
150	uint32_t isStale(time_t now) const
151	{	×
152	return d_ttd < now;	×
153	}	×
154
155	ZoneName d_domain;
156	mutable keys_t d_keys;
157	unsigned int d_ttd;
158	};
159
160	struct METACacheEntry
161	{
162	time_t isStale(time_t now) const
163	{	×
164	return d_ttd < now;	×
UNCOV 165	}	×
166
167	ZoneName d_domain;
168	mutable METAValues d_value;
169	time_t d_ttd;
170	};
171
172	struct KeyCacheTag{};
173	struct CompositeTag{};
174	struct SequencedTag{};
175
176	typedef multi_index_container<
177	KeyCacheEntry,
178	indexed_by<
179	hashed_unique<tag<KeyCacheTag>,member<KeyCacheEntry, ZoneName, &KeyCacheEntry::d_domain> >,
180	sequenced<tag<SequencedTag>>
181	>
182	> keycache_t;
183
184	typedef multi_index_container<
185	METACacheEntry,
186	indexed_by<
187	ordered_unique<member<METACacheEntry, ZoneName, &METACacheEntry::d_domain> >,
188	sequenced<tag<SequencedTag>>
189	>
190	> metacache_t;
191
192	void cleanup();
193
194	static SharedLockGuarded<keycache_t> s_keycache;
195	static SharedLockGuarded<metacache_t> s_metacache;
196	static int64_t s_metaCacheCleanActions;
197	static AtomicCounter s_ops;
198	static time_t s_last_prune;
199	static size_t s_maxEntries;
200	};
201
202	uint32_t localtime_format_YYYYMMDDSS(time_t t, uint32_t seq);
203	// for SOA-EDIT
204	uint32_t calculateEditSOA(uint32_t old_serial, DNSSECKeeper& dsk, const ZoneName& zonename);
205	uint32_t calculateEditSOA(uint32_t old_serial, const string& kind, const ZoneName& zonename);
206	// for SOA-EDIT-DNSUPDATE/API
207	bool increaseSOARecord(DNSResourceRecord& rr, const string& increaseKind, const string& editKind, const ZoneName& zonename);
208	bool makeIncreasedSOARecord(SOAData& sd, const string& increaseKind, const string& editKind, DNSResourceRecord& rrout);
209	DNSZoneRecord makeEditedDNSZRFromSOAData(DNSSECKeeper& dk, const SOAData& sd, DNSResourceRecord::Place place=DNSResourceRecord::ANSWER);

PowerDNS / pdns / 18776176249

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous