added validation before update

2025-07-22 18:56:05 +02:00 · 2021-11-04 13:52:00 +02:00 · 2021-11-04 13:52:00 +02:00 · f637b94dbb
commit f637b94dbb
parent 00c188a1ce
2 changed files with 46 additions and 0 deletions
--- a/app/interactions/actions/domain_update.rb
+++ b/app/interactions/actions/domain_update.rb
@ -14,11 +14,56 @@ module Actions
      assign_new_registrant if params[:registrant]
      assign_relational_modifications
      assign_requested_statuses
+      validate_dnskey unless Rails.env.test?
      ::Actions::BaseAction.maybe_attach_legal_doc(domain, params[:legal_document])

      commit
    end

+    def validate_dnskey
+      domain = Domain.find_by(name: @params[:domain])
+      dns = prepare_resolver
+      update_params_info = parse_data_from_update_request(@params[:dns_keys][0])
+
+      domain.add_epp_error('2308', nil, nil, I18n.t(:dns_policy_violation)) if domain.nameservers.empty?
+
+      domain.nameservers.each do |n|
+        zone_info = parse_data_from_zonefile(dns_resolver: dns, hostname: n.hostname)
+
+        domain.add_epp_error('2308', nil, nil, I18n.t(:dns_policy_violation)) unless zone_info == update_params_info
+      end
+
+      true
+    end
+
+    def parse_data_from_update_request(data)
+      {
+        flags: data[:flags],
+        algorithm: data[:alg],
+        protocol: data[:protocol],
+      }
+    end
+
+    def parse_data_from_zonefile(dns_resolver:, hostname:)
+      alg = dns_resolver.query(hostname, 'DS').answer[0].rdata[1]
+      result = dns_resolver.query(hostname, 'DNSKEY').answer[0]
+
+      {
+        flags: result.flags.to_s,
+        algorithm: alg.to_s,
+        protocol: result.protocol.to_s,
+      }
+    end
+
+    def prepare_resolver
+      dns = Dnsruby::Resolver.new(nameserver: ['8.8.8.8', '8.8.4.4'])
+      dns.do_validation = true
+      dns.do_caching = true
+      dns.dnssec = true
+
+      dns
+    end
+
    def assign_relational_modifications
      assign_nameserver_modifications if params[:nameservers]
      assign_dnssec_modifications if params[:dns_keys]
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@ -666,6 +666,7 @@ en:
  user_not_authenticated: "user not authenticated"
  actions: Actions
  contact_has_been_archived: 'Contact with code %{contact_code} has been archieved because it has been orphaned for longer than %{orphan_months} months.'
+  dns_policy_violation: "Data management policy violation: DNSKEY does not match or not found in the authoritative nameservers"

  number:
    currency: