Added test for rpz-passthru logging channel

This test ensures that all rpz-passthru activity will be redirected
to a dedicated log file following ns1/named.conf configuration.

bin/tests/system/Makefile.am

@@ -214,6 +214,10 @@ if HAVE_PKCS11
 TESTS += pkcs11
 endif
 
+if HAVE_PYTEST
+TESTS += rpzextra
+endif
+
 else !HAVE_PERL
 check:
 	echo Perl is not available, no tests were ran

bin/tests/system/rpzextra/clean.sh

@@ -0,0 +1,17 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ns*/*.jnl
+rm -f ns*/named.conf
+rm -f ns*/named.lock
+rm -f ns*/named.memstats
+rm -f ns*/named.run
+rm -f ns*/rpz*.txt
+rm -rf __pycache__
+rm -f *.status

bin/tests/system/rpzextra/conftest.py

@@ -0,0 +1,54 @@
+############################################################################
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+############################################################################
+
+import os
+import pytest
+
+try:
+    import dns.resolver  # noqa: F401 # pylint: disable=unused-import
+except ModuleNotFoundError:
+    dns_resolver_module_found = False
+else:
+    dns_resolver_module_found = True
+
+
+def pytest_configure(config):
+    config.addinivalue_line(
+        "markers", "dnspython: mark tests that need dnspython to function"
+    )
+
+
+def pytest_collection_modifyitems(config, items):
+    # pylint: disable=unused-argument
+    # Test for dnspython module
+    if not dns_resolver_module_found:
+        skip_requests = pytest.mark.skip(reason="need dnspython module to run")
+        for item in items:
+            if "dnspython" in item.keywords:
+                item.add_marker(skip_requests)
+    # Test if JSON statistics channel was enabled
+    no_jsonstats = pytest.mark.skip(reason="need JSON statistics to be enabled")
+    if os.getenv("HAVEJSONSTATS") is None:
+        for item in items:
+            if "json" in item.keywords:
+                item.add_marker(no_jsonstats)
+
+
+@pytest.fixture
+def named_port(request):
+    # pylint: disable=unused-argument
+    port = os.getenv("PORT")
+    if port is None:
+        port = 5301
+    else:
+        port = int(port)
+
+    return port

bin/tests/system/rpzextra/ns1/named.args

@@ -0,0 +1 @@
+ -m record,size,mctx -c named.conf -d 99 -D rpzextra-ns1 -X named.lock -U 4

bin/tests/system/rpzextra/ns1/named.conf.in

@@ -0,0 +1,61 @@
+key rndc_key {
+    secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	listen-on { 10.53.0.1; };
+	pid-file "named.pid";
+	notify no;
+	dnssec-validation no;
+	allow-query { any; };
+	recursion yes;
+	allow-recursion { any; };
+
+	response-policy {
+		zone "rpz.local";
+	};
+};
+
+logging {
+     channel rpz_passthru {
+          file "rpz_passthru.txt" versions 3 size 5m;
+          print-time yes;
+          print-category yes;
+          print-severity yes;
+          severity info;
+     };
+
+     channel rpz_log {
+          file "rpz.txt" versions 3 size 20m;
+          print-time yes;
+          print-category yes;
+          print-severity yes;
+          severity info;
+     };
+
+     category rpz { rpz_log; default_debug; };
+	 category rpz-passthru { rpz_passthru; default_debug; };
+};
+
+zone "rpz.local" {
+    type master;
+    file "rpz.local.db";
+    allow-transfer { none; };
+    allow-query { localhost; };
+};
+
+zone "." {
+	type hint;
+	file "root.db";
+};
+
+

bin/tests/system/rpzextra/ns1/root.db

@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			    NS ns1.allowed
+
+
+allowed.		NS	ns1.allowed.
+ns1.allowed.	A	10.53.0.2
+
+baddomain.		NS	ns1.baddomain.
+ns1.baddomain.	A	10.53.0.2

bin/tests/system/rpzextra/ns1/rpz.local.db

@@ -0,0 +1,18 @@
+$TTL 300
+
+@	IN	SOA	localhost.rpz.local root.rpz.local. (
+	2020022500	; serial number
+	60			; refresh every minute
+	60			; retry every minute
+	432000		; expire in 5 days
+	60			; negative caching ttl, 1 minute
+)
+
+
+                IN	NS	LOCALHOST.
+
+allowed       IN	CNAME	rpz-passthru.
+*.allowed     IN	CNAME	rpz-passthru.
+
+baddomain     IN	CNAME	.
+*.baddomain   IN	CNAME	.

bin/tests/system/rpzextra/ns2/allowed.db

@@ -0,0 +1,7 @@
+$TTL 300
+
+@	IN	SOA	ns1 root.allowed. 2020040101 4h 1h 1w 60
+@	IN	NS	ns1
+ns1	IN	A	10.53.0.2
+@	IN	A	10.53.0.2
+www	IN	A	10.53.0.2

bin/tests/system/rpzextra/ns2/baddomain.db

@@ -0,0 +1,16 @@
+$TTL 300
+
+@	IN	SOA ns1	root.baddomain. (
+	2020040101
+	4h
+	1h
+	1w
+	60
+)
+
+             IN	NS    ns1
+
+ns1          IN	A     10.53.0.2
+
+baddomain.  IN A     10.53.0.2
+www         IN A     10.53.0.3

bin/tests/system/rpzextra/ns2/named.conf.in

@@ -0,0 +1,33 @@
+key rndc_key {
+    secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	listen-on { 10.53.0.2; };
+	pid-file "named.pid";
+	notify no;
+	dnssec-validation no;
+	allow-query { any; };
+};
+
+zone "allowed" {
+    type master;
+	file "allowed.db";
+	allow-transfer { none; };
+};
+
+zone "baddomain" {
+    type master;
+    file "baddomain.db";
+    allow-transfer { none; };
+};
+

bin/tests/system/rpzextra/setup.sh

@@ -0,0 +1,20 @@
+#! /bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# touch dnsrps-off to not test with DNSRPS
+
+set -e
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf

bin/tests/system/rpzextra/tests-rpz-passthru-logging.py

@@ -0,0 +1,47 @@
+#!/usr/bin/python3
+############################################################################
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+############################################################################
+
+import os
+import pytest
+import dns.resolver
+
+
+# @pytest.mark.dnspython
+def test_rpz_passthru_logging(named_port):
+    resolver = dns.resolver.Resolver()
+    resolver.nameservers = ['10.53.0.1']
+    resolver.port = named_port
+
+    # Should generate a log entry into rpz_passthru.txt
+    ans = resolver.query('allowed.', 'A')
+    for rd in ans:
+        assert rd.address == "10.53.0.2"
+
+    # baddomain.com isn't allowed (CNAME .), should return NXDOMAIN
+    # Should generate a log entry into rpz.txt
+    with pytest.raises(dns.resolver.NXDOMAIN):
+        resolver.query('baddomain.', 'A')
+
+    rpz_passthru_logfile = os.path.join("ns1", "rpz_passthru.txt")
+    rpz_logfile = os.path.join("ns1", "rpz.txt")
+
+    assert os.path.isfile(rpz_passthru_logfile)
+    assert os.path.isfile(rpz_logfile)
+
+    with open(rpz_passthru_logfile) as log_file:
+        line = log_file.read()
+        assert "rpz QNAME PASSTHRU rewrite allowed/A/IN" in line
+
+    with open(rpz_logfile) as log_file:
+        line = log_file.read()
+        assert "rpz QNAME PASSTHRU rewrite allowed/A/IN" not in line
+        assert "rpz QNAME NXDOMAIN rewrite baddomain/A/IN" in line

configure.ac

@@ -284,6 +284,7 @@ AC_PATH_PROGS([PYTEST], [pytest-3 pytest pytest-pypy], [])
 AS_IF([test -z "$PYTEST"],
       [AC_MSG_WARN([pytest not found, some system tests will be skipped])])
 AC_SUBST([PYTEST])
+AM_CONDITIONAL([HAVE_PYTEST], [test -n "$PYTEST"])
 
 AX_PYTHON_MODULE([dns])
 AM_CONDITIONAL([HAVE_PYMOD_DNS], [test "$HAVE_PYMOD_DNS" = "yes"])