summaryrefslogtreecommitdiffstats
path: root/bin/tests/system/tsiggss
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 18:37:14 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 18:37:14 +0000
commitea648e70a989cca190cd7403fe892fd2dcc290b4 (patch)
treee2b6b1c647da68b0d4d66082835e256eb30970e8 /bin/tests/system/tsiggss
parentInitial commit. (diff)
downloadbind9-ea648e70a989cca190cd7403fe892fd2dcc290b4.tar.xz
bind9-ea648e70a989cca190cd7403fe892fd2dcc290b4.zip
Adding upstream version 1:9.11.5.P4+dfsg.upstream/1%9.11.5.P4+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'bin/tests/system/tsiggss')
-rw-r--r--bin/tests/system/tsiggss/authsock.pl89
-rw-r--r--bin/tests/system/tsiggss/clean.sh25
-rw-r--r--bin/tests/system/tsiggss/ns1/administrator.ccachebin0 -> 2315 bytes
-rw-r--r--bin/tests/system/tsiggss/ns1/dns.keytabbin0 -> 1087 bytes
-rw-r--r--bin/tests/system/tsiggss/ns1/example.nil.db.in51
-rw-r--r--bin/tests/system/tsiggss/ns1/named.conf.in47
-rw-r--r--bin/tests/system/tsiggss/ns1/testdenied.ccachebin0 -> 2188 bytes
-rw-r--r--bin/tests/system/tsiggss/prereq.sh22
-rw-r--r--bin/tests/system/tsiggss/setup.sh22
-rw-r--r--bin/tests/system/tsiggss/tests.sh105
10 files changed, 361 insertions, 0 deletions
diff --git a/bin/tests/system/tsiggss/authsock.pl b/bin/tests/system/tsiggss/authsock.pl
new file mode 100644
index 0000000..57a72b2
--- /dev/null
+++ b/bin/tests/system/tsiggss/authsock.pl
@@ -0,0 +1,89 @@
+#!/usr/bin/env perl
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# test the update-policy external protocol
+
+require 5.6.0;
+
+use IO::Socket::UNIX;
+use Getopt::Long;
+
+my $path;
+my $typeallowed = "A";
+my $pidfile = "authsock.pid";
+my $timeout = 0;
+
+GetOptions("path=s" => \$path,
+ "type=s" => \$typeallowed,
+ "pidfile=s" => \$pidfile,
+ "timeout=i" => \$timeout);
+
+if (!defined($path)) {
+ print("Usage: authsock.pl --path=<sockpath> --type=type --pidfile=pidfile\n");
+ exit(1);
+}
+
+unlink($path);
+my $server = IO::Socket::UNIX->new(Local => $path, Type => SOCK_STREAM, Listen => 8) or
+ die "unable to create socket $path";
+chmod 0777, $path;
+
+# setup our pidfile
+open(my $pid,">",$pidfile)
+ or die "unable to open pidfile $pidfile";
+print $pid "$$\n";
+close($pid);
+
+if ($timeout != 0) {
+ # die after the given timeout
+ alarm($timeout);
+}
+
+while (my $client = $server->accept()) {
+ $client->recv(my $buf, 8, 0);
+ my ($version, $req_len) = unpack('N N', $buf);
+
+ if ($version != 1 || $req_len < 17) {
+ printf("Badly formatted request\n");
+ $client->send(pack('N', 2));
+ next;
+ }
+
+ $client->recv(my $buf, $req_len - 8, 0);
+
+ my ($signer,
+ $name,
+ $addr,
+ $type,
+ $key,
+ $key_data) = unpack('Z* Z* Z* Z* Z* N/a', $buf);
+
+ if ($req_len != length($buf)+8) {
+ printf("Length mismatch %u %u\n", $req_len, length($buf)+8);
+ $client->send(pack('N', 2));
+ next;
+ }
+
+ printf("version=%u signer=%s name=%s addr=%s type=%s key=%s key_data_len=%u\n",
+ $version, $signer, $name, $addr, $type, $key, length($key_data));
+
+ my $result;
+ if ($typeallowed eq $type) {
+ $result = 1;
+ printf("allowed type %s == %s\n", $type, $typeallowed);
+ } else {
+ printf("disallowed type %s != %s\n", $type, $typeallowed);
+ $result = 0;
+ }
+
+ $reply = pack('N', $result);
+ $client->send($reply);
+}
diff --git a/bin/tests/system/tsiggss/clean.sh b/bin/tests/system/tsiggss/clean.sh
new file mode 100644
index 0000000..c97ade7
--- /dev/null
+++ b/bin/tests/system/tsiggss/clean.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after tsiggss tests.
+#
+
+rm -f ns1/*.jnl ns1/update.txt ns1/auth.sock
+rm -f ns1/*.db ns1/K*.key ns1/K*.private
+rm -f ns1/_default.tsigkeys
+rm -f */named.memstats
+rm -f */named.conf
+rm -f */named.run
+rm -f authsock.pid
+rm -f ns1/core
+rm -f nsupdate.out
+rm -f ns*/named.lock
diff --git a/bin/tests/system/tsiggss/ns1/administrator.ccache b/bin/tests/system/tsiggss/ns1/administrator.ccache
new file mode 100644
index 0000000..e6c2e74
--- /dev/null
+++ b/bin/tests/system/tsiggss/ns1/administrator.ccache
Binary files differ
diff --git a/bin/tests/system/tsiggss/ns1/dns.keytab b/bin/tests/system/tsiggss/ns1/dns.keytab
new file mode 100644
index 0000000..dcb863b
--- /dev/null
+++ b/bin/tests/system/tsiggss/ns1/dns.keytab
Binary files differ
diff --git a/bin/tests/system/tsiggss/ns1/example.nil.db.in b/bin/tests/system/tsiggss/ns1/example.nil.db.in
new file mode 100644
index 0000000..001bb29
--- /dev/null
+++ b/bin/tests/system/tsiggss/ns1/example.nil.db.in
@@ -0,0 +1,51 @@
+; -*- zone -*-
+; this was generated by a Samba4 provision, and is typical
+; of a AD DNS zone
+$ORIGIN example.nil.
+$TTL 1W
+@ IN SOA blu hostmaster (
+ 2010113027 ; serial
+ 2D ; refresh
+ 4H ; retry
+ 6W ; expiry
+ 1W ) ; minimum
+ IN NS blu
+
+ IN A 10.53.0.1
+;
+
+blu IN A 10.53.0.1
+gc._msdcs IN A 10.53.0.1
+
+fb33eb58-5d58-4100-a114-256e0a97ffc1._msdcs IN CNAME blu
+;
+; global catalog servers
+_gc._tcp IN SRV 0 100 3268 blu
+_gc._tcp.Default-First-Site-Name._sites IN SRV 0 100 3268 blu
+_ldap._tcp.gc._msdcs IN SRV 0 100 3268 blu
+_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs IN SRV 0 100 3268 blu
+;
+; ldap servers
+_ldap._tcp IN SRV 0 100 389 blu
+_ldap._tcp.dc._msdcs IN SRV 0 100 389 blu
+_ldap._tcp.pdc._msdcs IN SRV 0 100 389 blu
+_ldap._tcp.d86745b4-f3e0-4af3-be03-2130d1534be8.domains._msdcs IN SRV 0 100 389 blu
+_ldap._tcp.Default-First-Site-Name._sites IN SRV 0 100 389 blu
+_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 389 blu
+;
+; krb5 servers
+_kerberos._tcp IN SRV 0 100 88 blu
+_kerberos._tcp.dc._msdcs IN SRV 0 100 88 blu
+_kerberos._tcp.Default-First-Site-Name._sites IN SRV 0 100 88 blu
+_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 blu
+_kerberos._udp IN SRV 0 100 88 blu
+; MIT kpasswd likes to lookup this name on password change
+_kerberos-master._tcp IN SRV 0 100 88 blu
+_kerberos-master._udp IN SRV 0 100 88 blu
+;
+; kpasswd
+_kpasswd._tcp IN SRV 0 100 464 blu
+_kpasswd._udp IN SRV 0 100 464 blu
+;
+; heimdal 'find realm for host' hack
+_kerberos IN TXT EXAMPLE.NIL
diff --git a/bin/tests/system/tsiggss/ns1/named.conf.in b/bin/tests/system/tsiggss/ns1/named.conf.in
new file mode 100644
index 0000000..583cb37
--- /dev/null
+++ b/bin/tests/system/tsiggss/ns1/named.conf.in
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ session-keyfile "session.key";
+ listen-on { 10.53.0.1; 127.0.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ tkey-gssapi-keytab "dns.keytab";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "example.nil." IN {
+ type master;
+ file "example.nil.db";
+
+ update-policy {
+ grant Administrator@EXAMPLE.NIL wildcard * A AAAA SRV CNAME;
+ grant testdenied@EXAMPLE.NIL wildcard * TXT;
+ grant "local:auth.sock" external * CNAME;
+ };
+
+ /* we need to use check-names ignore so _msdcs A records can be created */
+ check-names ignore;
+};
diff --git a/bin/tests/system/tsiggss/ns1/testdenied.ccache b/bin/tests/system/tsiggss/ns1/testdenied.ccache
new file mode 100644
index 0000000..070e85b
--- /dev/null
+++ b/bin/tests/system/tsiggss/ns1/testdenied.ccache
Binary files differ
diff --git a/bin/tests/system/tsiggss/prereq.sh b/bin/tests/system/tsiggss/prereq.sh
new file mode 100644
index 0000000..8fbe016
--- /dev/null
+++ b/bin/tests/system/tsiggss/prereq.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+# enable the tsiggss test only if gssapi was enabled
+$FEATURETEST --gssapi || {
+ echo_i "gssapi and krb5 not supported - skipping tsiggss test"
+ exit 255
+}
+
+# ... and crypto
+exec $SHELL ../testcrypto.sh
diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh
new file mode 100644
index 0000000..5da33cf
--- /dev/null
+++ b/bin/tests/system/tsiggss/setup.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+
+copy_setports ns1/named.conf.in ns1/named.conf
+
+key=`$KEYGEN -Cq -K ns1 -a DSA -b 512 -r $RANDFILE -n HOST -T KEY key.example.nil.`
+cat ns1/example.nil.db.in ns1/${key}.key > ns1/example.nil.db
diff --git a/bin/tests/system/tsiggss/tests.sh b/bin/tests/system/tsiggss/tests.sh
new file mode 100644
index 0000000..b489d7b
--- /dev/null
+++ b/bin/tests/system/tsiggss/tests.sh
@@ -0,0 +1,105 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# tests for TSIG-GSS updates
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+
+DIGOPTS="@10.53.0.1 -p ${PORT}"
+
+test_update() {
+ host="$1"
+ type="$2"
+ cmd="$3"
+ digout="$4"
+
+ cat <<EOF > ns1/update.txt
+server 10.53.0.1 ${PORT}
+update add $host $cmd
+send
+EOF
+ echo "I:testing update for $host $type $cmd"
+ $NSUPDATE -g -d ns1/update.txt > nsupdate.out 2>&1 || {
+ echo "I:update failed for $host $type $cmd"
+ sed "s/^/I:/" nsupdate.out
+ return 1
+ }
+
+ out=`$DIG $DIGOPTS -t $type -q $host | egrep "^${host}"`
+ lines=`echo "$out" | grep "$digout" | wc -l`
+ [ $lines -eq 1 ] || {
+ echo "I:dig output incorrect for $host $type $cmd: $out"
+ return 1
+ }
+ return 0
+}
+
+echo "I:testing updates as administrator"
+KRB5CCNAME="FILE:"`pwd`/ns1/administrator.ccache
+export KRB5CCNAME
+
+test_update testdc1.example.nil. A "86400 A 10.53.0.10" "10.53.0.10" || status=1
+test_update testdc2.example.nil. A "86400 A 10.53.0.11" "10.53.0.11" || status=1
+test_update denied.example.nil. TXT "86400 TXT helloworld" "helloworld" > /dev/null && status=1
+
+echo "I:testing updates as a user"
+KRB5CCNAME="FILE:"`pwd`/ns1/testdenied.ccache
+export KRB5CCNAME
+
+test_update testdenied.example.nil. A "86400 A 10.53.0.12" "10.53.0.12" > /dev/null && status=1
+test_update testdenied.example.nil. TXT "86400 TXT helloworld" "helloworld" || status=1
+
+echo "I:testing external update policy"
+test_update testcname.example.nil. TXT "86400 CNAME testdenied.example.nil" "testdenied" > /dev/null && status=1
+$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 > /dev/null 2>&1 &
+sleep 1
+test_update testcname.example.nil. TXT "86400 CNAME testdenied.example.nil" "testdenied" || status=1
+test_update testcname.example.nil. TXT "86400 A 10.53.0.13" "10.53.0.13" > /dev/null && status=1
+
+echo "I:testing external policy with SIG(0) key"
+ret=0
+$NSUPDATE -R $RANDFILE -k ns1/Kkey.example.nil.*.private <<END > /dev/null 2>&1 || ret=1
+server 10.53.0.1 ${PORT}
+zone example.nil
+update add fred.example.nil 120 cname foo.bar.
+send
+END
+output=`$DIG $DIGOPTS +short cname fred.example.nil.`
+[ -n "$output" ] || ret=1
+[ $ret -eq 0 ] || echo "I:failed"
+status=`expr $status + $ret`
+
+echo "I:ensure too long realm name is fatal in non-interactive mode"
+ret=0
+$NSUPDATE <<END > nsupdate.out 2>&1 && ret=1
+ realm namenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamename
+END
+grep "realm is too long" nsupdate.out > /dev/null || ret=1
+grep "syntax error" nsupdate.out > /dev/null || ret=1
+[ $ret = 0 ] || { echo I:failed; status=1; }
+
+echo "I:ensure too long realm name is not fatal in interactive mode"
+ret=0
+$NSUPDATE -i <<END > nsupdate.out 2>&1 || ret=1
+ realm namenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamename
+END
+grep "realm is too long" nsupdate.out > /dev/null || ret=1
+[ $ret = 0 ] || { echo I:failed; status=1; }
+
+[ $status -eq 0 ] && echo "I:tsiggss tests all OK"
+
+kill `cat authsock.pid`
+
+echo "I:exit status: $status"
+[ $status -eq 0 ] || exit 1