From dab9c91013c7510c81e52d9e8e32ebd0c908873a Mon Sep 17 00:00:00 2001
From: Jamie Cameron
Date: Tue, 25 Sep 2012 12:24:51 -0700
Subject: [PATCH] Add ACL option to control access to DNSSEC for zones https://sourceforge.net/tracker/?func=detail&atid=117457&aid=3571551&group_id=17457
---
 bind8/acl_security.pl | 7 +++++++
 bind8/disable_zonedt.cgi | 2 +-
 bind8/edit_master.cgi | 2 +-
 bind8/edit_zonedt.cgi | 2 +-
 bind8/edit_zonekey.cgi | 1 +
 bind8/enable_zonedt.cgi | 2 +-
 bind8/lang/en | 1 +
 bind8/zone_dnssecmgt_dt.cgi | 2 +-
 bind8/zone_dnssecmigrate_dt.cgi | 2 +-
 9 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/bind8/acl_security.pl b/bind8/acl_security.pl
index e30a75b6d8..a747a98845 100755
--- a/bind8/acl_security.pl
+++ b/bind8/acl_security.pl
@@ -148,6 +148,12 @@ sub acl_security_form
 printf " $text{'no'}\n", $_[0]->{'slaves'} ? "" : "checked";
+print "$text{'acl_dnssec'} \n";
+printf " $text{'yes'}\n",
+ $_[0]->{'dnssec'} ? "checked" : "";
+printf " $text{'no'} \n",
+ $_[0]->{'dnssec'} ? "" : "checked";
+
 print "\n";
 print " $text{'acl_views'} \n";
@@ -218,6 +224,7 @@ sub acl_security_save
 $_[0]->{'slaves'} = $in{'slaves'};
 $_[0]->{'views'} = $in{'views'};
 $_[0]->{'remote'} = $in{'remote'};
+$_[0]->{'dnssec'} = $in{'dnssec'};
 $_[0]->{'gen'} = $in{'gen'};
 $_[0]->{'whois'} = $in{'whois'};
 $_[0]->{'vlist'} = $in{'vlist_def'} == 1 ? "*" :
diff --git a/bind8/disable_zonedt.cgi b/bind8/disable_zonedt.cgi
index f3257c5137..e27fad9c29 100755
--- a/bind8/disable_zonedt.cgi
+++ b/bind8/disable_zonedt.cgi
@@ -1,4 +1,3 @@
-
 #!/usr/local/bin/perl
 # Remove the signing key records for a zone
@@ -14,6 +13,7 @@ $zone = &get_zone_name($in{'index'}, $in{'view'});
 $dom = $zone->{'name'};
 &can_edit_zone($zone) || &error($text{'master_ecannot'});
+$access{'dnssec'} || &error($text{'dnssec_ecannot'});
 $desc = &ip6int_to_net(&arpa_to_ip($dom));
 &ui_print_unbuffered_header($desc, $text{'dt_enable_title'}, "",
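Review bot: An ACL saved before this change has no `dnssec` key, so in acl_security_form (bind8/acl_security.pl) the "no" radio comes up pre-selected and the `$access{'dnssec'} || &error(...)` lines added to the CGIs in this patch deny the user. Failing closed is a sound default for a new permission, but the patch touches no default-ACL data, so accounts that could manage DNSSEC before the upgrade presumably lose it without any notice until an administrator re-saves their ACL. If that is intended, say so next to the new radio pair with a comment such as `# DNSSEC access is denied unless explicitly granted; ACLs that predate this option lack the key`; if it is not, the module's default ACL needs the key seeded. The function body starts and ends outside the hunk.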
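Review bot: In acl_security_save (bind8/acl_security.pl) the new line stores `$in{'dnssec'}` exactly as submitted, although the form offers only a yes/no choice and every consumer in this patch tests the value as a boolean. Coercing it where it enters the ACL, `$_[0]->{'dnssec'} = $in{'dnssec'} ? 1 : 0;`, keeps an unexpected value out of the stored permissions. The neighbouring assignments copy their fields the same raw way, so this is a hardening suggestion rather than a regression, and the function continues beyond the hunk.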
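Review bot: The denial path in bind8/disable_zonedt.cgi reads `$text{'dnssec_ecannot'}`, but the only string this patch adds to bind8/lang/en is `acl_dnssec`. Unless `dnssec_ecannot` already exists in the language file (not visible in this diff), a refused user gets an error page with an empty message, which also makes the denial hard to recognise in support reports. Add a line such as `dnssec_ecannot=You are not allowed to configure DNSSEC for zones` to bind8/lang/en (the wording is a suggestion). The same lookup is added in edit_zonedt.cgi, edit_zonekey.cgi, enable_zonedt.cgi, zone_dnssecmgt_dt.cgi and zone_dnssecmigrate_dt.cgi.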
diff --git a/bind8/edit_master.cgi b/bind8/edit_master.cgi
index e1c6306234..e8d1cbd0b4 100755
--- a/bind8/edit_master.cgi
+++ b/bind8/edit_master.cgi
@@ -105,7 +105,7 @@ if ($access{'whois'} && &has_command($config{'whois_cmd'}) &&
 push(@titles, $text{'master_whois'});
 push(@images, "images/whois.gif");
 }
-if (&supports_dnssec()) {
+if ($access{'dnssec'} && &supports_dnssec()) {
 if (&have_dnssec_tools_support()) {
 # DNSSEC Automation
 push(@links, "edit_zonedt.cgi?index=$in{'index'}&view=$in{'view'}");
diff --git a/bind8/edit_zonedt.cgi b/bind8/edit_zonedt.cgi
index a32105be1b..cf3c2a09c5 100755
--- a/bind8/edit_zonedt.cgi
+++ b/bind8/edit_zonedt.cgi
@@ -1,4 +1,3 @@
-
 #!/usr/local/bin/perl
 # Display the signing key for a zone, or offer to set one up
@@ -14,6 +13,7 @@ $zone = &get_zone_name($in{'index'}, $in{'view'});
 $dom = $zone->{'name'};
 &can_edit_zone($zone) || &error($text{'master_ecannot'});
+$access{'dnssec'} || &error($text{'dnssec_ecannot'});
 $desc = &ip6int_to_net(&arpa_to_ip($dom));
 &ui_print_header($desc, $text{'dt_zone_title'}, "",
diff --git a/bind8/edit_zonekey.cgi b/bind8/edit_zonekey.cgi
index 83e66e8942..0e4184dcbe 100755
--- a/bind8/edit_zonekey.cgi
+++ b/bind8/edit_zonekey.cgi
@@ -7,6 +7,7 @@ $zone = &get_zone_name($in{'index'}, $in{'view'});
 $dom = $zone->{'name'};
 &can_edit_zone($zone) || &error($text{'master_ecannot'});
+$access{'dnssec'} || &error($text{'dnssec_ecannot'});
 $desc = &ip6int_to_net(&arpa_to_ip($dom));
 &ui_print_header($desc, $text{'zonekey_title'}, "",
diff --git a/bind8/enable_zonedt.cgi b/bind8/enable_zonedt.cgi
index 4167c6a87b..c65f4cb1b6 100755
--- a/bind8/enable_zonedt.cgi
+++ b/bind8/enable_zonedt.cgi
@@ -1,4 +1,3 @@
-
 #!/usr/local/bin/perl
 # Create a signing key for a zone, add it, and sign the zone
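Review bot: bind8/edit_zonekey.cgi is the only page outside the `_dt` family that receives the `$access{'dnssec'}` check, and no script that acts on its input is among the nine files in this patch. For the `_dt` pages the display script and the enable, disable, management and migrate scripts are all gated; if the zone-key page submits to handlers of its own (not visible here), those stay reachable by any user who merely passes `&can_edit_zone`, because hiding the icon in edit_master.cgi is presentation only. Each such handler needs the same line, `$access{'dnssec'} || &error($text{'dnssec_ecannot'});`, directly after its `&can_edit_zone` call. The script body continues outside the hunk.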
@@ -14,6 +13,7 @@ $zone = &get_zone_name($in{'index'}, $in{'view'});
 $dom = $zone->{'name'};
 &can_edit_zone($zone) || &error($text{'master_ecannot'});
+$access{'dnssec'} || &error($text{'dnssec_ecannot'});
 $desc = &ip6int_to_net(&arpa_to_ip($dom));
 &ui_print_unbuffered_header($desc, $text{'dt_enable_title'}, "",
diff --git a/bind8/lang/en b/bind8/lang/en
index 61bf576ab8..564a2fe6d1 100644
--- a/bind8/lang/en
+++ b/bind8/lang/en
@@ -488,6 +488,7 @@ acl_slaves=Can manage cluster slave servers?
 acl_views=Can create and edit views?
 acl_edonly=Edit only
 acl_remote=Can create slave zones on remote servers?
+acl_dnssec=Can configure DNSSEC for zones?
 acl_gen=Can edit record generators?
 acl_whois=Can lookup WHOIS information?
 acl_vlist=Views this user can edit and add zones to
diff --git a/bind8/zone_dnssecmgt_dt.cgi b/bind8/zone_dnssecmgt_dt.cgi
index c96de629eb..8a9bea5b67 100755
--- a/bind8/zone_dnssecmgt_dt.cgi
+++ b/bind8/zone_dnssecmgt_dt.cgi
@@ -1,4 +1,3 @@
-
 #!/usr/local/bin/perl
 # Perform one of a number of DNSSEC-related operations for the zone
@@ -14,6 +13,7 @@ $zone = &get_zone_name($in{'index'}, $in{'view'});
 $dom = $zone->{'name'};
 &can_edit_zone($zone) || &error($text{'master_ecannot'});
+$access{'dnssec'} || &error($text{'dnssec_ecannot'});
 if (&have_dnssec_tools_support()) {
 my $optype = $in{'optype'};
diff --git a/bind8/zone_dnssecmigrate_dt.cgi b/bind8/zone_dnssecmigrate_dt.cgi
index 4a9499065e..cc0f31c75a 100755
--- a/bind8/zone_dnssecmigrate_dt.cgi
+++ b/bind8/zone_dnssecmigrate_dt.cgi
@@ -1,4 +1,3 @@
-
 #!/usr/local/bin/perl
 # Migrate an existing DNSSEC signed zone to using the DNSSEC-Tools suite for DNSSEC-related automation
@@ -15,6 +14,7 @@ $zone = &get_zone_name($in{'index'}, $in{'view'});
 $dom = $zone->{'name'};
 &can_edit_zone($zone) || &error($text{'master_ecannot'});
+$access{'dnssec'} || &error($text{'dnssec_ecannot'});
 $desc = &ip6int_to_net(&arpa_to_ip($dom));
 &ui_print_unbuffered_header($desc, $text{'dt_enable_title'}, "",