Parts of ns_plugin_expandpath() test expected the plugin extension to be
appened automatically (the plugin name/path is provided without the
extension), this enable to test the logic which adds the correct
extension based on the platfrom.
But the expected expanded paths from the test were hard coded with the
`.so` extension, so the test can't pass on macOS platform. This fixes
the test by using the macro providing the current-platform extension.
MR !10753 breaks macOS build for plugin unit test as its linker doesn't
supports `--wrap` option, which is used in in order to mock the function
`isc_file_exits()`.
To work around the problem, a mocked `isc_file_exits()` is implemented
inside the plugin test as a static function before inlining the file
using it, which effectively links to this version rather than the isclib
one.
added some helper functions in isctest to reduce code repetition
in dnssec-related tests:
- isctest.check.adflag() - checks that a response contains AD=1
- isctest.check.noadflag() - checks that a response contains AD=0
- isctest.check.rdflag() - checks that a response contains RD=1
- isctest.check.nordflag() - checks that a response contains RD=0
- isctest.check.raflag() - checks that a response contains RA=1
- isctest.check.noraflag() - checks that a response contains RA=0
- isctest.check.rr_count_eq() - checks the number of RRsset in a section
- isctest.check.same_data() - checks that two message have the
same rcode and data
- isctest.check.same_answer() - checks that two message have the same
rcode and answer
- isctest.query.create() - a wrapper for dns.message.make_query() that
creates a query message similar to dig +dnssec
Merge branch 'each-isctest-helpers' into 'main'
See merge request isc-projects/bind9!10760
Rather than using the dnspython's facilities and defaults to create the
queries, use the isctest.query.create function in all the cases that
don't require special handling to have consistent defaults.
Use a common function to count the number of RRs in any section of the
DNS message. For the ADDITIONAL section, stick with the dnspython
convention of not including OPT and TSIG.
added some helper functions in isctest to reduce code repetition
in dnssec-related tests:
- isctest.check.adflag() - checks that a response contains AD=1
- isctest.check.noadflag() - checks that a response contains AD=0
- isctest.check.rdflag() - checks that a response contains RD=1
- isctest.check.nordflag() - checks that a response contains RD=0
- isctest.check.answer_count_eq() - checks the answer count is correct
- isctest.check.additional_count_eq() - same for authority count
- isctest.check.authority_count_eq() - same for additional count
- isctest.check.same_data() - check that two message have the
same rcode and data
- isctest.check.same_answer() - check that two message have the same
rcode and answer
- isctest.dnssec.msg() - a wrapper for dns.message.make_query() that
creates a query message similar to dig +dnssec:
use_edns=True, want_dnssec=True,
and flags are set to (RD|AD) by default, but
options exist to disable AD or enable CD.
(to generate non-DNSSEC queries, use
message.make_query() directly.)
MR !10238 added key collision detection in the ksr system test but it was flawed because for every "collide" in the output we also log
"Generating an new key" and for each "Generating" we add the counter by one, nullifying the subtract by one.
Fix by splitting the output on ':' rather than on the default whitespace. Also make the substring matching more strict.
Closes#5229 (again)
Merge branch '5229-ksr-key-collision' into 'main'
See merge request isc-projects/bind9!10775
MR !10238 added key collision detection in the ksr system test but it
was flawed because for every "collide" in the output we also log
"Generating an new key" and for each "Generating" we add the counter
by one, nullifying the subtract by one.
Use regular expressions to search in the output and make the string
expression more strict.
Add missing type hints in the tests_nsec3.py module. Tweak the syntax
used for type hints for better consistency with other Python code in
bin/tests/system/.
Basic sanity checks - limited to responses from a single zone:
- NSEC3 type cannot be present in type bitmap:
By definition, the type bitmap describes state of the unhashed name
but NSEC3 RR is present at a different owner name. RFC 7129 section 5
- NSEC3 owner names cannot be duplicated:
Unless the response crosses zone boundary, parent zone has insecure
delegation for child, but child is signed ... don't do that.
- All parameters are consistent across all RRs present in answer:
RFC 5155 section 7.2, last paragraph - at least when we don't cross
zone boundary.
Untangling individual cases allows for clearer documentation and makes
it easier to build similar but slightly different test cases. Wildcard
NODATA answer was added.
Test all combinations of wildcard, ENT, DNAME, NS, and ordinary
TXT records.
Test zone and expected outputs are generated by another script which
encodes node content into node name. This encoding removes 'node
content' level of indirection and thus enables simpler implementation of
same logic which needs to be in ZoneAnalyzer itself.
For humans the generated zone file also lists expected 'categories' a
name belongs to as dot-separated list on right hand side of a generated
RR.
I've considered writing hypothesis test for this but I would have to
reimplement the same thing, which would probably have the same logic
bugs, so I will leave it as an exercise for someone else.
Check the correctness of NSEC3 hash generation by generating random
combinations of name, salt, and iterations and comparing the outputs
of the nsec3hash tool against the dnspython nsec3_hash function
for the same inputs.
For any given NSEC3 signed zone, when doing queries for non-existent
names, the response must contain:
- NSEC3 RR that matches the closest encloser,
- NSEC3 RR that covers the next closer name,
- NSEC3 RR that covers the wildcard.
Plugin configuration no longer requires the library file extension, so it is now possible to invoke a plugin using the syntax `plugin query "library"` instead of `plugin query "libary.so"`.
Closes#5377
Merge branch '5377-implicit-plugin-ext' into 'main'
See merge request isc-projects/bind9!10753
Update existing ns_plugin_expandpath() unit test to cover the logic
appending the plugin extension if missing.
Because ns_plugin_expandpath() now relies on isc_file_exists() API, a
mocked version has been added in tests/ns/plugin_test.c and relies on the
linker --wrap mechanism.
If a plugin is configured without the extension,
`ns_plugin_expandpath()` automatically take cares of appending the
suffix to the path. The way it works is by checking if a file exists at
the expanded path. If it doesn't, it assumes the plugin path (or name)
doesn't have the extension and append the extension (which is
platform-specific) to the actual path.
Dynamically loadable libraries all use the `.so` extension on
BIND9-supported platforms, except for macOS. Export the dynamic library
extension of the current build platform in the generated `config.h`
file, in order to let the plugin code building plugin path based on a
simple plugin name. (which then would be platform-independent)
Rename isc__loopmgr when including the loop.c into loop_test.c to prevent odr-violation over isc__loopmgr.
Merge branch 'ondrej/prevent-odr-violation-in-loop-unit-test' into 'main'
See merge request isc-projects/bind9!10772
Locally, clang reported following odr-violation:
=================================================================
==1132009==ERROR: AddressSanitizer: odr-violation (0x555555589280):
[1] size=8 'isc__loopmgr' ../lib/isc/loop.c:52:16 in /home/ondrej/Projects/bind9/build/tests/isc/loop
[2] size=8 'isc__loopmgr' ../lib/isc/loop.c:52:16 in /home/ondrej/Projects/bind9/build/tests/isc/../../libisc.so
These globals were registered at these points:
[1]:
#0 0x7ffff785306f in __asan_register_globals ../../../../src/libsanitizer/asan/asan_globals.cpp:350
#1 0x55555556abce in _sub_I_00099_1 (/home/ondrej/Projects/bind9/build/tests/isc/loop+0x16bce) (BuildId: e7c586e966e6986532a3da40df41223ae16e55c9)
#2 0x7ffff702a303 in call_init ../csu/libc-start.c:145
#3 0x7ffff702a303 in __libc_start_main_impl ../csu/libc-start.c:347
#4 0x5555555622e4 in _start (/home/ondrej/Projects/bind9/build/tests/isc/loop+0xe2e4) (BuildId: e7c586e966e6986532a3da40df41223ae16e55c9)
[2]:
#0 0x7ffff785306f in __asan_register_globals ../../../../src/libsanitizer/asan/asan_globals.cpp:350
#1 0x7ffff75335b9 in _sub_I_00099_1 (/home/ondrej/Projects/bind9/build/tests/isc/../../libisc.so+0x1335b9) (BuildId: 33ab72bc676e9ef9111b3db1fc4347595069cd29)
#2 0x7ffff7fca71e in call_init elf/dl-init.c:74
#3 0x7ffff7fca823 in call_init elf/dl-init.c:120
#4 0x7ffff7fca823 in _dl_init elf/dl-init.c:121
#5 0x7ffff7fe459f (/lib64/ld-linux-x86-64.so.2+0x1f59f) (BuildId: 281ac1521b4102509b1c7ac7004db7c1efb81796)
==1132009==HINT: if you don't care about these errors you may set ASAN_OPTIONS=detect_odr_violation=0
SUMMARY: AddressSanitizer: odr-violation: global 'isc__loopmgr' at ../lib/isc/loop.c:52:16 in /home/ondrej/Projects/bind9/build/tests/isc/loop
==1132009==ABORTING
Aborted (core dumped)
Rename isc__loopmgr when including the loop.c into loop_test.c to
prevent odr-violation over isc__loopmgr.
Replace the custom DNS server used in the "dispatch" system test with
new code based on the isctest.asyncserver module.
Merge branch 'stepan/dispatch-asyncserver' into 'main'
See merge request isc-projects/bind9!10689
When the tests-connreset.py module was initially implemented in commit
5c17919019ef0af8226e5bb61214b805bb3e2451, the dispatch code did not
properly apply the idle timeout to TCP connections. This allowed the
check in that test module to reset the TCP connection after 5 seconds as
named did not attempt to tear the connection down earlier than that.
However, as the dispatch code was improved, the idle timeout started
being enforced for TCP dispatches; the exact value it is set to in the
current code depends on a given server's SRTT, but it defaults to about
1.2 seconds for responsive servers. This means that the code paths
triggered by the "dispatch" system test are now different than the ones
it was originally supposed to trigger because it is now named itself
that shuts the TCP connection down cleanly before the ans3 server gets a
chance to reset it.
Account for the above by lowering the amount of time after which the
ans3 server in the "dispatch" system test resets TCP connections to just
1 second, so that the test actually does what its name implies.
