diff --git a/bin/tests/system/Makefile.am b/bin/tests/system/Makefile.am
index c55c5305ed..c107e2853a 100644
--- a/bin/tests/system/Makefile.am
+++ b/bin/tests/system/Makefile.am
@@ -214,6 +214,10 @@ if HAVE_PKCS11 TESTS += pkcs11 endif +if HAVE_PYTEST +TESTS += rpzextra +endif + else !HAVE_PERL check: echo Perl is not available, no tests were ran
diff --git a/bin/tests/system/rpzextra/clean.sh b/bin/tests/system/rpzextra/clean.sh
new file mode 100644
index 0000000000..dc52e5e4a3
--- /dev/null
+++ b/bin/tests/system/rpzextra/clean.sh
@@ -0,0 +1,17 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ns*/*.jnl
+rm -f ns*/named.conf
+rm -f ns*/named.lock
+rm -f ns*/named.memstats
+rm -f ns*/named.run
+rm -f ns*/rpz*.txt
+rm -rf __pycache__
+rm -f *.status
diff --git a/bin/tests/system/rpzextra/conftest.py b/bin/tests/system/rpzextra/conftest.py
new file mode 100644
index 0000000000..6ccbbb999e
--- /dev/null
+++ b/bin/tests/system/rpzextra/conftest.py
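Review bot: `TESTS += rpzextra` is conditioned only on `HAVE_PYTEST`, yet the new test module imports `dns.resolver` at module level, so a tree built with pytest but without dnspython runs the test and fails at collection rather than skipping it. configure.ac already defines `HAVE_PYMOD_DNS` (visible as context in its hunk), so nest the condition: `if HAVE_PYTEST` / `if HAVE_PYMOD_DNS` / `TESTS += rpzextra` / `endif` / `endif`. The context lines of this hunk are run together in the rendering here, so the exact placement relative to the surrounding `else !HAVE_PERL` branch could not be verified.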
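Review bot: The cleanup removes `__pycache__` but not `.pytest_cache/`, which pytest creates in the directory it is run from by default; add `rm -rf .pytest_cache` next to `rm -rf __pycache__` so cache state does not survive between runs. `rm -f ns*/rpz*.txt` already covers both `rpz.txt` and `rpz_passthru.txt` configured in ns1/named.conf.in, so the log files are handled.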
@@ -0,0 +1,54 @@
+############################################################################
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+############################################################################
+
+import os
+import pytest
+
+try:
+ import dns.resolver # noqa: F401 # pylint: disable=unused-import
+except ModuleNotFoundError:
+ dns_resolver_module_found = False
+else:
+ dns_resolver_module_found = True
+
+
+def pytest_configure(config):
+ config.addinivalue_line(
+ "markers", "dnspython: mark tests that need dnspython to function"
+ )
+
+
+def pytest_collection_modifyitems(config, items):
+ # pylint: disable=unused-argument
+ # Test for dnspython module
+ if not dns_resolver_module_found:
+ skip_requests = pytest.mark.skip(reason="need dnspython module to run")
+ for item in items:
+ if "dnspython" in item.keywords:
+ item.add_marker(skip_requests)
+ # Test if JSON statistics channel was enabled
+ no_jsonstats = pytest.mark.skip(reason="need JSON statistics to be enabled")
+ if os.getenv("HAVEJSONSTATS") is None:
+ for item in items:
+ if "json" in item.keywords:
+ item.add_marker(no_jsonstats)
+
+
+@pytest.fixture
+def named_port(request):
+ # pylint: disable=unused-argument
+ port = os.getenv("PORT")
+ if port is None:
+ port = 5301
+ else:
+ port = int(port)
+
+ return port
diff --git a/bin/tests/system/rpzextra/ns1/named.args b/bin/tests/system/rpzextra/ns1/named.args
new file mode 100644
index 0000000000..e4ae75e3aa
--- /dev/null
+++ b/bin/tests/system/rpzextra/ns1/named.args
@@ -0,0 +1 @@
+ -m record,size,mctx -c named.conf -d 99 -D rpzextra-ns1 -X named.lock -U 4
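Review bot: `pytest_collection_modifyitems` skips tests carrying the `json` marker, but `pytest_configure` registers only the `dnspython` marker, so any test using `@pytest.mark.json` produces an unknown-marker warning (an error under `--strict-markers`); add `config.addinivalue_line("markers", "json: mark tests that need JSON statistics to be enabled")` next to the existing registration. The `dnspython` skip only applies to tests that actually carry the marker, and the test module in this change has it commented out, so on a host without dnspython the fallback is an import error at collection rather than a skip. In `named_port`, `int(port)` on a non-numeric `PORT` surfaces as a bare ValueError from the fixture; `pytest.fail(f"PORT is not an integer: {port!r}")` would make the misconfiguration obvious, though this is optional.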
diff --git a/bin/tests/system/rpzextra/ns1/named.conf.in b/bin/tests/system/rpzextra/ns1/named.conf.in
new file mode 100644
index 0000000000..23cbad05a8
--- /dev/null
+++ b/bin/tests/system/rpzextra/ns1/named.conf.in
@@ -0,0 +1,61 @@
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ listen-on { 10.53.0.1; };
+ pid-file "named.pid";
+ notify no;
+ dnssec-validation no;
+ allow-query { any; };
+ recursion yes;
+ allow-recursion { any; };
+
+ response-policy {
+ zone "rpz.local";
+ };
+};
+
+logging {
+ channel rpz_passthru {
+ file "rpz_passthru.txt" versions 3 size 5m;
+ print-time yes;
+ print-category yes;
+ print-severity yes;
+ severity info;
+ };
+
+ channel rpz_log {
+ file "rpz.txt" versions 3 size 20m;
+ print-time yes;
+ print-category yes;
+ print-severity yes;
+ severity info;
+ };
+
+ category rpz { rpz_log; default_debug; };
+ category rpz-passthru { rpz_passthru; default_debug; };
+};
+
+zone "rpz.local" {
+ type master;
+ file "rpz.local.db";
+ allow-transfer { none; };
+ allow-query { localhost; };
+};
+
+zone "." {
+ type hint;
+ file "root.db";
+};
+
+
diff --git a/bin/tests/system/rpzextra/ns1/root.db b/bin/tests/system/rpzextra/ns1/root.db
new file mode 100644
index 0000000000..c5b4550dee
--- /dev/null
+++ b/bin/tests/system/rpzextra/ns1/root.db
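Review bot: The logging section does not say why PASSTHRU hits need a channel of their own, although the test depends on it in both directions: it asserts that `rpz QNAME PASSTHRU rewrite allowed/A/IN` appears in rpz_passthru.txt and that it is absent from rpz.txt. A one-line comment above `channel rpz_passthru` such as `// PASSTHRU rewrites must land only here; the test checks they are absent from rpz.txt` would protect that contract against a later "simplification" that routes both categories to one file. The differing `size 5m` and `size 20m` limits on the two channels look arbitrary for a test that writes two lines; if they are, align them or say why they differ.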
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS ns1.allowed
+
+
+allowed. NS ns1.allowed.
+ns1.allowed. A 10.53.0.2
+
+baddomain. NS ns1.baddomain.
+ns1.baddomain. A 10.53.0.2
diff --git a/bin/tests/system/rpzextra/ns1/rpz.local.db b/bin/tests/system/rpzextra/ns1/rpz.local.db
new file mode 100644
index 0000000000..9dcf5ce725
--- /dev/null
+++ b/bin/tests/system/rpzextra/ns1/rpz.local.db
@@ -0,0 +1,18 @@
+$TTL 300
+
+@ IN SOA localhost.rpz.local root.rpz.local. (
+ 2020022500 ; serial number
+ 60 ; refresh every minute
+ 60 ; retry every minute
+ 432000 ; expire in 5 days
+ 60 ; negative caching ttl, 1 minute
+)
+
+
+ IN NS LOCALHOST.
+
+allowed IN CNAME rpz-passthru.
+*.allowed IN CNAME rpz-passthru.
+
+baddomain IN CNAME .
+*.baddomain IN CNAME .
diff --git a/bin/tests/system/rpzextra/ns2/allowed.db b/bin/tests/system/rpzextra/ns2/allowed.db
new file mode 100644
index 0000000000..17f45dceeb
--- /dev/null
+++ b/bin/tests/system/rpzextra/ns2/allowed.db
@@ -0,0 +1,7 @@
+$TTL 300
+
+@ IN SOA ns1 root.allowed. 2020040101 4h 1h 1w 60
+@ IN NS ns1
+ns1 IN A 10.53.0.2
+@ IN A 10.53.0.2
+www IN A 10.53.0.2
diff --git a/bin/tests/system/rpzextra/ns2/baddomain.db b/bin/tests/system/rpzextra/ns2/baddomain.db
new file mode 100644
index 0000000000..c40bf3bfae
--- /dev/null
+++ b/bin/tests/system/rpzextra/ns2/baddomain.db
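Review bot: `. NS ns1.allowed` omits the trailing dot and only resolves to `ns1.allowed.` because the zone origin is the root, while the glue two lines later is written as `ns1.allowed.`; write `. NS ns1.allowed.` so the two spellings agree and the record still reads correctly if the file is ever loaded under a different origin. The SOA MNAME `gson.nominum.com.` appears to be carried over from another test's root.db and names no server in this fixture; a name local to the fixture would be less misleading to the next reader.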
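Review bot: The SOA MNAME `localhost.rpz.local` is relative, so under the zone's origin it loads as `localhost.rpz.local.rpz.local.`, while the RNAME `root.rpz.local.` beside it is absolute; change the line to `@ IN SOA localhost.rpz.local. root.rpz.local. (`. This does not affect the policy evaluation the test exercises, but named-checkzone output and any later transfer of the zone will show the doubled name.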
@@ -0,0 +1,16 @@
+$TTL 300
+
+@ IN SOA ns1 root.baddomain. (
+ 2020040101
+ 4h
+ 1h
+ 1w
+ 60
+)
+
+ IN NS ns1
+
+ns1 IN A 10.53.0.2
+
+baddomain. IN A 10.53.0.2
+www IN A 10.53.0.3
diff --git a/bin/tests/system/rpzextra/ns2/named.conf.in b/bin/tests/system/rpzextra/ns2/named.conf.in
new file mode 100644
index 0000000000..7af2f69b5a
--- /dev/null
+++ b/bin/tests/system/rpzextra/ns2/named.conf.in
@@ -0,0 +1,33 @@
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ listen-on { 10.53.0.2; };
+ pid-file "named.pid";
+ notify no;
+ dnssec-validation no;
+ allow-query { any; };
+};
+
+zone "allowed" {
+ type master;
+ file "allowed.db";
+ allow-transfer { none; };
+};
+
+zone "baddomain" {
+ type master;
+ file "baddomain.db";
+ allow-transfer { none; };
+};
+
diff --git a/bin/tests/system/rpzextra/setup.sh b/bin/tests/system/rpzextra/setup.sh
new file mode 100644
index 0000000000..1c0d9b9d49
--- /dev/null
+++ b/bin/tests/system/rpzextra/setup.sh
@@ -0,0 +1,20 @@
+#! /bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# touch dnsrps-off to not test with DNSRPS
+
+set -e
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
diff --git a/bin/tests/system/rpzextra/tests-rpz-passthru-logging.py b/bin/tests/system/rpzextra/tests-rpz-passthru-logging.py
new file mode 100755
index 0000000000..0284835b24
--- /dev/null
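Review bot: The `controls` statement binds ns2's command channel to `inet 10.53.0.1`, the address ns1 already uses for its own channel on the same `@CONTROLPORT@`, while every other address in this file is 10.53.0.2; the line should read `inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };`. As written, whichever server starts second presumably fails to bind its control socket, and any rndc directed at 10.53.0.2 would not reach ns2. The shared `rndc_key` secret is a fixture value, but it is worth a comment saying so since it is identical to ns1's.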
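Review bot: The comment `# touch dnsrps-off to not test with DNSRPS` is inherited from the rpz test, but nothing in this script, the conftest, or the named.conf templates checks for a `dnsrps-off` file, so the documented switch does nothing; drop the comment or implement the check. Otherwise the script is sound: `set -e` is present and only the two `copy_setports` invocations follow, so a missing template aborts setup instead of leaving a half-configured server.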
+++ b/bin/tests/system/rpzextra/tests-rpz-passthru-logging.py
@@ -0,0 +1,47 @@
+#!/usr/bin/python3
+############################################################################
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+############################################################################
+
+import os
+import pytest
+import dns.resolver
+
+
+# @pytest.mark.dnspython
+def test_rpz_passthru_logging(named_port):
+ resolver = dns.resolver.Resolver()
+ resolver.nameservers = ['10.53.0.1']
+ resolver.port = named_port
+
+ # Should generate a log entry into rpz_passthru.txt
+ ans = resolver.query('allowed.', 'A')
+ for rd in ans:
+ assert rd.address == "10.53.0.2"
+
+ # baddomain.com isn't allowed (CNAME .), should return NXDOMAIN
+ # Should generate a log entry into rpz.txt
+ with pytest.raises(dns.resolver.NXDOMAIN):
+ resolver.query('baddomain.', 'A')
+
+ rpz_passthru_logfile = os.path.join("ns1", "rpz_passthru.txt")
+ rpz_logfile = os.path.join("ns1", "rpz.txt")
+
+ assert os.path.isfile(rpz_passthru_logfile)
+ assert os.path.isfile(rpz_logfile)
+
+ with open(rpz_passthru_logfile) as log_file:
+ line = log_file.read()
+ assert "rpz QNAME PASSTHRU rewrite allowed/A/IN" in line
+
+ with open(rpz_logfile) as log_file:
+ line = log_file.read()
+ assert "rpz QNAME PASSTHRU rewrite allowed/A/IN" not in line
+ assert "rpz QNAME NXDOMAIN rewrite baddomain/A/IN" in line
diff --git a/configure.ac b/configure.ac
index fc66a21c53..680645c565 100644
--- a/configure.ac
+++ b/configure.ac
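Review bot: The `# @pytest.mark.dnspython` decorator is commented out, so the skip that conftest.py attaches to that marker never reaches this test, and because `import dns.resolver` runs at module import time a host without dnspython fails at collection instead of skipping. Restore `@pytest.mark.dnspython` and guard the import with `pytest.importorskip("dns.resolver")` placed before `import dns.resolver`. The comment `# baddomain.com isn't allowed (CNAME .)` names a domain the fixtures do not use; the policy entry and the query are for `baddomain.`, so write `# baddomain. isn't allowed (CNAME .), should return NXDOMAIN`. If the harness runs dnspython 2.x, `resolver.query()` is the deprecated spelling of `resolver.resolve()` and will warn on every run; switching now while the file is new avoids a later churn commit.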
@@ -284,6 +284,7 @@ AC_PATH_PROGS([PYTEST], [pytest-3 pytest pytest-pypy], []) AS_IF([test -z "$PYTEST"], [AC_MSG_WARN([pytest not found, some system tests will be skipped])]) AC_SUBST([PYTEST]) +AM_CONDITIONAL([HAVE_PYTEST], [test -n "$PYTEST"]) AX_PYTHON_MODULE([dns]) AM_CONDITIONAL([HAVE_PYMOD_DNS], [test "$HAVE_PYMOD_DNS" = "yes"])
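Review bot: `HAVE_PYTEST` is derived from `AC_PATH_PROGS([PYTEST], [pytest-3 pytest pytest-pypy], [])`, which picks whichever pytest binary is first on PATH, whereas `AX_PYTHON_MODULE([dns])` presumably probes the interpreter in `$PYTHON`; the two can disagree, so `HAVE_PYTEST` and `HAVE_PYMOD_DNS` may both be true while the pytest that actually runs has no dnspython. Invoking the tests as `$PYTHON -m pytest` (and deriving `HAVE_PYTEST` from that probe rather than from a PATH search) ties both checks to one interpreter. The context lines of this hunk are run together in the rendering here, so the exact surrounding lines could not be confirmed.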