Improves allow-suffix-match to be more clear in its behaviour.

Michael Fincham · Michael Fincham · commit 391fca8cf473 · 2018-10-09T12:27:49.000+13:00
With thanks to @luto for pointing out the potential for misunderstanding here.
diff --git a/powerdns_auth_proxy/proxy.py b/powerdns_auth_proxy/proxy.py
@@ -187,7 +187,15 @@ def zone_list():
         return zones
     elif request.method == 'POST':
         requested_name = g.json.get('name', None)
-        if requested_name and not any(requested_name.lower().endswith(prefix.lower()) for prefix in (g.user['allow-suffix-creation'] if isinstance(g.user['allow-suffix-creation'], list) else [g.user['allow-suffix-creation']])):
+        if 'allow-suffix-creation' in g.user:
+            allowed_suffixes = g.user['allow-suffix-creation'] if isinstance(g.user['allow-suffix-creation'], list) else [g.user['allow-suffix-creation']]
+            allowed = False
+            for suffix in allowed_suffixes:
+                if suffix.startswith('.') and requested_name.lower().endswith(suffix.lower()):
+                    allowed = True
+                elif not suffix.startswith('.') and requested_name.lower() == suffix.lower():
+                    allowed = True
+            if allowed != True:
                 raise Forbidden
         
         g.json = sanitise_metadata_updates(g.json, current_app.config['PDNS'])
diff --git a/powerdns_auth_proxy/tests/test_proxy.py b/powerdns_auth_proxy/tests/test_proxy.py
@@ -43,7 +43,11 @@ def client():
 
     [user:demo-example-org]
     key = dd70d1b0eccd79a0cf5d79ddf6672dce
-    allow-suffix-creation = example.org.
+    allow-suffix-creation = example.org. .example.test.
+    
+    [user:demo-example-net]
+    key = a70f4f5fe78ea2e89b53c8b3ee133fdf
+    allow-suffix-creation = example.net.
     """
 
     pdns_db_file, pdns_db_path = tempfile.mkstemp()
@@ -147,10 +151,14 @@ def test_api_auth(client):
         assert response.status_code > 400
 
 def test_api_zone_create(client):
-    # zone that the user is not allowed to create
+    # zone that the user is not allowed to create because it is not listed at all
     response = client.post('/api/v1/servers/localhost/zones', headers=api_key_header(client), json={"masters": [], "name": "example.com.", "nameservers": ["ns1.example.org."], "kind": "MASTER", "soa_edit_api": "INCEPTION-INCREMENT"})
     assert response.status_code > 400
 
+    # zone that the user is not allowed to create but which does share a common prefix with one they can create
+    response = client.post('/api/v1/servers/localhost/zones', headers=api_key_header(client), json={"masters": [], "name": "fooexample.org.", "nameservers": ["ns1.example.org."], "kind": "MASTER", "soa_edit_api": "INCEPTION-INCREMENT"})
+    assert response.status_code > 400
+
     # zone belonging to another user
     response = client.post('/api/v1/servers/localhost/zones', headers=api_key_header(client), json={"masters": [], "name": "example.net.", "nameservers": ["ns1.example.org."], "kind": "MASTER", "soa_edit_api": "INCEPTION-INCREMENT"})
     assert response.status_code > 400
@@ -163,6 +171,14 @@ def test_api_zone_create(client):
     response = client.post('/api/v1/servers/localhost/zones', headers=api_key_header(client), json={"masters": [], "name": "example.org.", "nameservers": ["ns1.example.org."], "kind": "MASTER", "soa_edit_api": "INCEPTION-INCREMENT"})
     assert response.status_code > 400
 
+    # suffix matching a wildcard domain
+    response = client.post('/api/v1/servers/localhost/zones', headers=api_key_header(client), json={"masters": [], "name": "bar.example.test.", "nameservers": ["ns1.example.org."], "kind": "MASTER", "soa_edit_api": "INCEPTION-INCREMENT"})
+    assert response.status_code < 400
+
+    # disallow suffix on non-wildcard domain
+    response = client.post('/api/v1/servers/localhost/zones', headers=api_key_header(client), json={"masters": [], "name": "bar.example.org.", "nameservers": ["ns1.example.org."], "kind": "MASTER", "soa_edit_api": "INCEPTION-INCREMENT"})
+    assert response.status_code > 400
+
 def test_api_zone_list(client):
     # create a zone to use for testing
     response = client.post('/api/v1/servers/localhost/zones', headers=api_key_header(client), json={"masters": [], "name": "example.org.", "nameservers": ["ns1.example.org."], "kind": "MASTER", "soa_edit_api": "INCEPTION-INCREMENT"})
