From 9069215eac23e32f4ef1c8e44ad7ff2865cfcdac Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Wed, 29 Jul 2009 17:52:00 +0000 Subject: [PATCH] 2641. [bug] Fixed an error in parsing update-policy syntax, added a regression test to check it. [RT #20007] --- CHANGES | 3 +++ bin/confgen/ddns-confgen.c | 7 ++--- bin/tests/system/conf.sh.in | 3 ++- bin/tests/system/nsupdate/clean.sh | 4 +-- bin/tests/system/nsupdate/ns1/named.conf | 20 +++++++++++--- bin/tests/system/nsupdate/setup.sh | 8 +++++- bin/tests/system/nsupdate/tests.sh | 34 +++++++++++++++++++----- lib/isccfg/namedconf.c | 3 ++- 8 files changed, 65 insertions(+), 17 deletions(-) diff --git a/CHANGES b/CHANGES index 244739a423..d9852e1dd2 100644 --- a/CHANGES +++ b/CHANGES @@ -1,5 +1,8 @@ --- 9.7.0a2 released --- +2641. [bug] Fixed an error in parsing update-policy syntax, + added a regression test to check it. [RT #20007] + 2640. [security] A specially crafted update packet will cause named to exit. [RT #20000] diff --git a/bin/confgen/ddns-confgen.c b/bin/confgen/ddns-confgen.c index f25a15a1ad..c2ec61e1dc 100644 --- a/bin/confgen/ddns-confgen.c +++ b/bin/confgen/ddns-confgen.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: ddns-confgen.c,v 1.7 2009/07/02 22:50:24 jinmei Exp $ */ +/* $Id: ddns-confgen.c,v 1.8 2009/07/29 17:52:00 each Exp $ */ /*! \file */ @@ -234,13 +234,14 @@ update-policy {\n\ };\n", keyname); } - } - printf("\n\ + printf("\n\ # After the keyfile has been placed, the following command will\n\ # execute nsupdate using this key:\n\ nsupdate -k \n"); + } + if (keybuf != NULL) isc_mem_put(mctx, keybuf, len); diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in index 23b31f10ce..633d962b9c 100644 --- a/bin/tests/system/conf.sh.in +++ b/bin/tests/system/conf.sh.in 
@@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: conf.sh.in,v 1.39 2008/01/10 23:47:01 tbox Exp $ +# $Id: conf.sh.in,v 1.40 2009/07/29 17:52:00 each Exp $ # # Common configuration data for system tests, to be sourced into @@ -35,6 +35,7 @@ LWRESD="$TOP/bin/named/named -l" DIG=$TOP/bin/dig/dig RNDC=$TOP/bin/rndc/rndc NSUPDATE=$TOP/bin/nsupdate/nsupdate +DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen KEYGEN=$TOP/bin/dnssec/dnssec-keygen SIGNER=$TOP/bin/dnssec/dnssec-signzone CHECKZONE=$TOP/bin/check/named-checkzone diff --git a/bin/tests/system/nsupdate/clean.sh b/bin/tests/system/nsupdate/clean.sh index 565c97ba7f..43185dfb58 100644 --- a/bin/tests/system/nsupdate/clean.sh +++ b/bin/tests/system/nsupdate/clean.sh @@ -15,14 +15,14 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: clean.sh,v 1.12 2007/09/26 03:22:44 marka Exp $ +# $Id: clean.sh,v 1.13 2009/07/29 17:52:00 each Exp $ # # Clean up after zone transfer tests. # rm -f dig.out.ns1 dig.out.ns2 dig.out.ns1.after ns1/*.jnl ns2/*.jnl \ - ns1/example.db ns1/update.db + ns1/example.db ns1/update.db ns1/other.db rm -f ns2/example.bk rm -f ns2/update.bk rm -f */named.memstats diff --git a/bin/tests/system/nsupdate/ns1/named.conf b/bin/tests/system/nsupdate/ns1/named.conf index 0c0e8ff460..0bc4ac5857 100644 --- a/bin/tests/system/nsupdate/ns1/named.conf +++ b/bin/tests/system/nsupdate/ns1/named.conf @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.17 2007/06/19 23:47:04 tbox Exp $ */ +/* $Id: named.conf,v 1.18 2009/07/29 17:52:00 each Exp $ */ controls { /* empty */ }; @@ -25,7 +25,8 @@ options { transfer-source 10.53.0.1; port 5300; pid-file "named.pid"; - listen-on { 10.53.0.1; }; + session-keyfile "session.key"; + listen-on { 10.53.0.1; 127.0.0.1; }; listen-on-v6 { none; }; recursion no; notify yes; 
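Review bot: The cleanup list in clean.sh gains only `ns1/other.db`, but this commit also starts producing key material: setup.sh writes `ns1/ddns.key`, and ns1/named.conf sets `session-keyfile "session.key"`, which tests.sh reads as `ns1/session.key`. Unless the part of clean.sh outside this hunk already removes them (or named deletes the session key itself on exit), TSIG secrets remain in the tree after a run and a stale `ddns.key` can be picked up by a later run. Adding `rm -f ns1/ddns.key ns1/session.key` next to the existing `rm -f` lines would cover both.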
@@ -40,11 +41,24 @@ controls { inet 10.53.0.1 port 9953 allow { any; } keys { rndc_key; }; }; +include "ddns.key"; + zone "example.nil" { type master; file "example.db"; check-integrity no; - allow-update { any; }; + update-policy { + grant ddns-key.example.nil subdomain example.nil ANY; + }; + allow-transfer { any; }; +}; + +zone "other.nil" { + type master; + file "other.db"; + check-integrity no; + update-policy local; + allow-query-on { 127.0.0.1; }; allow-transfer { any; }; }; diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh index 2d9d51b8a1..aac7eecf52 100644 --- a/bin/tests/system/nsupdate/setup.sh +++ b/bin/tests/system/nsupdate/setup.sh @@ -15,7 +15,10 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: setup.sh,v 1.10 2007/06/19 23:47:04 tbox Exp $ +# $Id: setup.sh,v 1.11 2009/07/29 17:52:00 each Exp $ + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh # # jnl and database files MUST be removed before we start @@ -24,6 +27,7 @@ rm -f ns1/*.jnl ns1/example.db ns2/*.jnl ns2/example.bk cp -f ns1/example1.db ns1/example.db +sed 's/example.nil/other.nil/g' ns1/example1.db > ns1/other.db # update_test.pl has its own zone file because it # requires a specific NS record set. @@ -40,3 +44,5 @@ update.nil IN SOA ns1.example.nil. hostmaster.example.nil. ( update.nil. NS ns1.update.nil. ns1.update.nil. A 10.53.0.2 EOF + +$DDNSCONFGEN -q -z example.nil > ns1/ddns.key diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh index c6a26bbc60..b6aa4adafa 100644 --- a/bin/tests/system/nsupdate/tests.sh +++ b/bin/tests/system/nsupdate/tests.sh @@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: tests.sh,v 1.25 2007/06/19 23:47:04 tbox Exp $ +# $Id: tests.sh,v 1.26 2009/07/29 17:52:00 each Exp $ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh 
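Review bot: The last added line of setup.sh, `$DDNSCONFGEN -q -z example.nil > ns1/ddns.key`, does not check the exit status, so a failed run leaves an empty or partial `ns1/ddns.key`. That would presumably only surface later as an `include "ddns.key";` error when ns1 starts. Stopping at the point of failure makes the cause visible, for example `$DDNSCONFGEN -q -z example.nil > ns1/ddns.key || exit 1`. Because the secret is written through a plain redirect, the file's mode follows the caller's umask; a one-line comment saying the key is test-only would keep the pattern from being copied into real deployments.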
@@ -28,7 +28,7 @@ $DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\ echo "I:fetching second copy of zone before update" $DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.nil.\ - @10.53.0.1 axfr -p 5300 > dig.out.ns2 || status=1 + @10.53.0.2 axfr -p 5300 > dig.out.ns2 || status=1 echo "I:comparing pre-update copies to known good data" $PERL ../digcomp.pl knowngood.ns1.before dig.out.ns1 || status=1 @@ -36,7 +36,7 @@ $PERL ../digcomp.pl knowngood.ns1.before dig.out.ns2 || status=1 echo "I:updating zone" # nsupdate will print a ">" prompt to stdout as it gets each input line. -$NSUPDATE < /dev/null || status=1 +$NSUPDATE -k ns1/ddns.key < /dev/null || status=1 server 10.53.0.1 5300 update add updated.example.nil. 600 A 10.10.10.1 update add updated.example.nil. 600 TXT Foo @@ -58,6 +58,28 @@ echo "I:comparing post-update copies to known good data" $PERL ../digcomp.pl knowngood.ns1.after dig.out.ns1 || status=1 $PERL ../digcomp.pl knowngood.ns1.after dig.out.ns2 || status=1 +echo "I:testing local update policy" +pre=`$DIG +short new.other.nil. @10.53.0.1 a -p 5300` || status=1 +[ -z "$pre" ] || status=1 + +echo "I:updating zone" +# nsupdate will print a ">" prompt to stdout as it gets each input line. +$NSUPDATE -l -p 5300 -k ns1/session.key > /dev/null </dev/null then echo "I:running update.pl test" @@ -103,7 +125,7 @@ $PERL ../digcomp.pl dig.out.ns1 dig.out.ns1.after || status=1 echo "I:begin RT #482 regression test" echo "I:update master" -$NSUPDATE < /dev/null || status=1 +$NSUPDATE -k ns1/ddns.key < /dev/null || status=1 server 10.53.0.1 5300 update add updated2.example.nil. 600 A 10.10.10.2 update add updated2.example.nil. 600 TXT Bar @@ -119,7 +141,7 @@ kill -HUP `cat ns2/named.pid` sleep 5 echo "I:update master again" -$NSUPDATE < /dev/null || status=1 +$NSUPDATE -k ns1/ddns.key < /dev/null || status=1 server 10.53.0.1 5300 update add updated3.example.nil. 600 A 10.10.10.3 update add updated3.example.nil. 600 TXT Zap 
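Review bot: The pre-update check in the added "testing local update policy" block sends its query to `@10.53.0.1`, while ns1/named.conf in this commit gives `other.nil` `allow-query-on { 127.0.0.1; };`. If that option refuses queries arriving on 10.53.0.1, `$pre` is empty because the query was rejected, not because `new.other.nil.` is absent, and `[ -z "$pre" ]` passes without testing anything. Changing `@10.53.0.1` to `@127.0.0.1` in the `pre=` line would query the address the zone is meant to answer on. The remainder of the added block is not legible on this page, so any post-update lookup should be checked for the same address.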
@@ -142,7 +164,7 @@ fi echo "I:end RT #482 regression test" echo "I:testing that rndc stop updates the master file" -$NSUPDATE < /dev/null || status=1 +$NSUPDATE -k ns1/ddns.key < /dev/null || status=1 server 10.53.0.1 5300 update add updated4.example.nil. 600 A 10.10.10.3 send diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 519e62a30a..c8b433099e 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: namedconf.c,v 1.102 2009/07/14 22:54:57 each Exp $ */ +/* $Id: namedconf.c,v 1.103 2009/07/29 17:52:00 each Exp $ */ /*! \file */ @@ -350,6 +350,7 @@ parse_updatepolicy(cfg_parser_t *pctx, const cfg_type_t *type, CHECK(cfg_gettoken(pctx, 0)); if (pctx->token.type == isc_tokentype_special && pctx->token.value.as_char == '{') { + cfg_ungettoken(pctx); return (cfg_parse_bracketed_list(pctx, type, ret)); }
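Review bot: The added `cfg_ungettoken(pctx);` in parse_updatepolicy() carries the whole fix but has no comment, so the reason for pushing the token back is easy to lose in a later refactor. From the hunk it appears that `cfg_gettoken()` has already consumed the `{` and that `cfg_parse_bracketed_list()` needs to read it itself. A short comment above the call would record that, for example `/* Put the '{' back; cfg_parse_bracketed_list() consumes it itself. */`. The function starts and continues outside this hunk, so whether the non-brace branch needs the token consumed cannot be confirmed from here.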