From f637b94dbbfb15ff2092189c521313adcd29c211 Mon Sep 17 00:00:00 2001
From: olegphenomenon
Date: Thu, 4 Nov 2021 13:52:00 +0200
Subject: [PATCH] added validation before update

---
 app/interactions/actions/domain_update.rb | 45 +++++++++++++++++++++++
 config/locales/en.yml | 1 +
 2 files changed, 46 insertions(+)

diff --git a/app/interactions/actions/domain_update.rb b/app/interactions/actions/domain_update.rb
index 40b7876f6..3178de8c5 100644
--- a/app/interactions/actions/domain_update.rb
+++ b/app/interactions/actions/domain_update.rb
@@ -14,11 +14,56 @@ module Actions
 assign_new_registrant if params[:registrant]
 assign_relational_modifications
 assign_requested_statuses
+ validate_dnskey unless Rails.env.test?
 
 ::Actions::BaseAction.maybe_attach_legal_doc(domain, params[:legal_document])
 commit
 end
 
+ def validate_dnskey
+ domain = Domain.find_by(name: @params[:domain])
+ dns = prepare_resolver
+ update_params_info = parse_data_from_update_request(@params[:dns_keys][0])
+
+ domain.add_epp_error('2308', nil, nil, I18n.t(:dns_policy_violation)) if domain.nameservers.empty?
+
+ domain.nameservers.each do |n|
+ zone_info = parse_data_from_zonefile(dns_resolver: dns, hostname: n.hostname)
+
+ domain.add_epp_error('2308', nil, nil, I18n.t(:dns_policy_violation)) unless zone_info == update_params_info
+ end
+
+ true
+ end
+
+ def parse_data_from_update_request(data)
+ {
+ flags: data[:flags],
+ algorithm: data[:alg],
+ protocol: data[:protocol],
+ }
+ end
+
+ def parse_data_from_zonefile(dns_resolver:, hostname:)
+ alg = dns_resolver.query(hostname, 'DS').answer[0].rdata[1]
+ result = dns_resolver.query(hostname, 'DNSKEY').answer[0]
+
+ {
+ flags: result.flags.to_s,
+ algorithm: alg.to_s,
+ protocol: result.protocol.to_s,
+ }
+ end
+
+ def prepare_resolver
+ dns = Dnsruby::Resolver.new(nameserver: ['8.8.8.8', '8.8.4.4'])
+ dns.do_validation = true
+ dns.do_caching = true
+ dns.dnssec = true
+
+ dns
+ end
+
 def assign_relational_modifications
 assign_nameserver_modifications if params[:nameservers]
 assign_dnssec_modifications if params[:dns_keys]
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 31947350d..2f7e8a0aa 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
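Review bot: `validate_dnskey` dereferences `@params[:dns_keys][0]` on every update, but the context line `assign_dnssec_modifications if params[:dns_keys]` shows `dns_keys` is optional, so an update carrying no DNSKEY data raises NoMethodError before `commit`; the call should be `validate_dnskey if params[:dns_keys]`, and gating it on `Rails.env.test?` is better replaced by letting `prepare_resolver` be stubbed in tests. It also re-fetches the record with `Domain.find_by(name: @params[:domain])` (nil when nothing matches) and attaches the EPP errors to that second instance instead of the `domain` already passed to `maybe_attach_legal_doc`, so it is not clear those errors ever reach the object `commit` sees — confirm. In `parse_data_from_zonefile`, `answer[0]` is nil when the name has no DS or DNSKEY record and Dnsruby raises on NXDOMAIN or timeout (no `query_timeout` is set), so any resolver failure becomes an unhandled exception rather than the intended 2308 policy error. The query name is `n.hostname`, the nameserver's own name, which looks wrong if the domain's key material is what is being checked, and only `dns_keys[0]` is ever compared — confirm both against the intended policy. A shape that handles the missing-data and resolver-failure paths follows; the enclosing update method starts before this hunk and `parse_data_from_update_request` is unchanged.
```ruby
  def validate_dnskey
    return true if params[:dns_keys].blank?

    expected = parse_data_from_update_request(params[:dns_keys][0])
    if domain.nameservers.empty?
      domain.add_epp_error('2308', nil, nil, I18n.t(:dns_policy_violation))
      return true
    end

    dns = prepare_resolver
    domain.nameservers.each do |ns|
      zone_info = parse_data_from_zonefile(dns_resolver: dns, hostname: ns.hostname)
      next if zone_info == expected

      domain.add_epp_error('2308', nil, nil, I18n.t(:dns_policy_violation))
    end

    true
  end

  # … unchanged: parse_data_from_update_request …

  def parse_data_from_zonefile(dns_resolver:, hostname:)
    ds = dns_resolver.query(hostname, 'DS').answer.first
    key = dns_resolver.query(hostname, 'DNSKEY').answer.first
    return nil unless ds && key # no record: never equals the request data, so 2308 is raised

    { flags: key.flags.to_s, algorithm: ds.rdata[1].to_s, protocol: key.protocol.to_s }
  rescue Dnsruby::ResolvError, Dnsruby::ResolvTimeout
    nil # resolver failure is reported as a policy violation, not a 500
  end

  # … unchanged: prepare_resolver (consider setting dns.query_timeout) …
```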
@@ -666,6 +666,7 @@ en:
 user_not_authenticated: "user not authenticated"
 actions: Actions
 contact_has_been_archived: 'Contact with code %{contact_code} has been archieved because it has been orphaned for longer than %{orphan_months} months.'
+ dns_policy_violation: "Data management policy violation: DNSKEY does not match or not found in the authoritative nameservers"
 number:
 currency: