From 9bfd7f033106537a7fc75481bd81e10dcfd01246 Mon Sep 17 00:00:00 2001
From: Charles-Henri Bruyand
Date: Wed, 16 May 2018 17:02:02 +0200
Subject: [PATCH] auth-api: restrict creation of OPT and TSIG rrsets

(cherry picked from commit a53b24d006304e00d9c865629f6f0de7e30afbc2)
---
 pdns/ws-auth.cc | 4 ++++
 regression-tests.api/test_Zones.py | 23 +++++++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/pdns/ws-auth.cc b/pdns/ws-auth.cc
index 61bd9e257..052ff362a 100644
--- a/pdns/ws-auth.cc
+++ b/pdns/ws-auth.cc
@@ -1658,6 +1658,10 @@ static void patchZone(HttpRequest* req, HttpResponse* resp) {
 if (!qname.isPartOf(zonename) && qname != zonename) throw ApiException("RRset "+qname.toString()+" IN "+qtype.getName()+": Name is out of zone");
+ if (qtype.getCode() == QType::OPT || qtype.getCode() == QType::TSIG) {
+ throw ApiException("RRset "+qname.toString()+" IN "+stringFromJson(rrset, "type")+": invalid type given");
+ }
+
 bool replace_records = rrset["records"].is_array();
 bool replace_comments = rrset["comments"].is_array();
diff --git a/regression-tests.api/test_Zones.py b/regression-tests.api/test_Zones.py
index 6d4c7f845..b27b2e808 100644
--- a/regression-tests.api/test_Zones.py
+++ b/regression-tests.api/test_Zones.py
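Review bot: The guard added to patchZone in pdns/ws-auth.cc is a two-entry denylist (`QType::OPT`, `QType::TSIG`), so any other meta or pseudo record type that should never be stored as zone data would still pass this check. If the code base has a way to classify such types, one predicate would be more robust; otherwise a comment such as `// OPT and TSIG are protocol-level pseudo-records and must never be stored in a zone` would record why exactly these two are rejected. The new message is built from `stringFromJson(rrset, "type")` while the out-of-zone check directly above uses `qtype.getName()`, so this error echoes the raw request string rather than the parsed type; `qtype.getName()` would keep the two messages consistent. patchZone starts and ends outside the hunk, so whether other rrset-accepting paths (zone creation, for instance) apply the same restriction cannot be confirmed from here.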
@@ -892,6 +892,29 @@ fred IN A 192.168.0.4
 data = self.session.get(self.url("/api/v1/servers/localhost/zones/" + name)).json()
 self.assertEquals(get_rrset(data, name, 'MX')['records'], rrset['records'])
+ def test_zone_rr_update_opt(self):
+ name, payload, zone = self.create_zone()
+ # do a replace (= update)
+ rrset = {
+ 'changetype': 'replace',
+ 'name': name,
+ 'type': 'OPT',
+ 'ttl': 3600,
+ 'records': [
+ {
+ "content": "9",
+ "disabled": False
+ }
+ ]
+ }
+ payload = {'rrsets': [rrset]}
+ r = self.session.patch(
+ self.url("/api/v1/servers/localhost/zones/" + name),
+ data=json.dumps(payload),
+ headers={'content-type': 'application/json'})
+ self.assertEquals(r.status_code, 422)
+ self.assertIn('OPT: invalid type given', r.json()['error'])
+
 def test_zone_rr_update_multiple_rrsets(self):
 name, payload, zone = self.create_zone()
 rrset1 = {
--
2.40.0
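Review bot: test_zone_rr_update_opt covers only the OPT half of the new restriction; the TSIG branch that the same patch adds to patchZone has no regression test, so a later change could drop it unnoticed. Running the same request for both types, e.g. `for rtype in ('OPT', 'TSIG'):` with `self.assertIn(rtype + ': invalid type given', r.json()['error'])`, would pin both branches. The test also stops at the 422 response; re-fetching the zone afterwards and asserting that no rrset of the rejected type is present would confirm that nothing was written before the error was raised.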