diff options
Diffstat (limited to 'bin/tests/system/tsiggss')
| -rw-r--r-- | bin/tests/system/tsiggss/authsock.pl | 89 | ||||
| -rw-r--r-- | bin/tests/system/tsiggss/clean.sh | 25 | ||||
| -rw-r--r-- | bin/tests/system/tsiggss/ns1/administrator.ccache | bin | 0 -> 2315 bytes | |||
| -rw-r--r-- | bin/tests/system/tsiggss/ns1/dns.keytab | bin | 0 -> 1087 bytes | |||
| -rw-r--r-- | bin/tests/system/tsiggss/ns1/example.nil.db.in | 51 | ||||
| -rw-r--r-- | bin/tests/system/tsiggss/ns1/named.conf.in | 47 | ||||
| -rw-r--r-- | bin/tests/system/tsiggss/ns1/testdenied.ccache | bin | 0 -> 2188 bytes | |||
| -rw-r--r-- | bin/tests/system/tsiggss/prereq.sh | 22 | ||||
| -rw-r--r-- | bin/tests/system/tsiggss/setup.sh | 22 | ||||
| -rw-r--r-- | bin/tests/system/tsiggss/tests.sh | 105 |
10 files changed, 361 insertions, 0 deletions
diff --git a/bin/tests/system/tsiggss/authsock.pl b/bin/tests/system/tsiggss/authsock.pl new file mode 100644 index 0000000..57a72b2 --- /dev/null +++ b/bin/tests/system/tsiggss/authsock.pl @@ -0,0 +1,89 @@ +#!/usr/bin/env perl +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# test the update-policy external protocol + +require 5.6.0; + +use IO::Socket::UNIX; +use Getopt::Long; + +my $path; +my $typeallowed = "A"; +my $pidfile = "authsock.pid"; +my $timeout = 0; + +GetOptions("path=s" => \$path, + "type=s" => \$typeallowed, + "pidfile=s" => \$pidfile, + "timeout=i" => \$timeout); + +if (!defined($path)) { + print("Usage: authsock.pl --path=<sockpath> --type=type --pidfile=pidfile\n"); + exit(1); +} + +unlink($path); +my $server = IO::Socket::UNIX->new(Local => $path, Type => SOCK_STREAM, Listen => 8) or + die "unable to create socket $path"; +chmod 0777, $path; + +# setup our pidfile +open(my $pid,">",$pidfile) + or die "unable to open pidfile $pidfile"; +print $pid "$$\n"; +close($pid); + +if ($timeout != 0) { + # die after the given timeout + alarm($timeout); +} + +while (my $client = $server->accept()) { + $client->recv(my $buf, 8, 0); + my ($version, $req_len) = unpack('N N', $buf); + + if ($version != 1 || $req_len < 17) { + printf("Badly formatted request\n"); + $client->send(pack('N', 2)); + next; + } + + $client->recv(my $buf, $req_len - 8, 0); + + my ($signer, + $name, + $addr, + $type, + $key, + $key_data) = unpack('Z* Z* Z* Z* Z* N/a', $buf); + + if ($req_len != length($buf)+8) { + printf("Length mismatch %u %u\n", $req_len, length($buf)+8); + $client->send(pack('N', 2)); + next; + } + + printf("version=%u signer=%s name=%s addr=%s type=%s key=%s key_data_len=%u\n", + $version, $signer, $name, $addr, $type, $key, length($key_data)); + + my $result; + if ($typeallowed eq $type) { + $result = 1; + printf("allowed type %s == %s\n", $type, $typeallowed); + } else { + printf("disallowed type %s != %s\n", $type, $typeallowed); + $result = 0; + } + + $reply = pack('N', $result); + $client->send($reply); +} diff --git a/bin/tests/system/tsiggss/clean.sh b/bin/tests/system/tsiggss/clean.sh new file mode 100644 index 0000000..c97ade7 --- /dev/null +++ b/bin/tests/system/tsiggss/clean.sh @@ -0,0 +1,25 @@ +#!/bin/sh +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# +# Clean up after tsiggss tests. +# + +rm -f ns1/*.jnl ns1/update.txt ns1/auth.sock +rm -f ns1/*.db ns1/K*.key ns1/K*.private +rm -f ns1/_default.tsigkeys +rm -f */named.memstats +rm -f */named.conf +rm -f */named.run +rm -f authsock.pid +rm -f ns1/core +rm -f nsupdate.out +rm -f ns*/named.lock diff --git a/bin/tests/system/tsiggss/ns1/administrator.ccache b/bin/tests/system/tsiggss/ns1/administrator.ccache Binary files differnew file mode 100644 index 0000000..e6c2e74 --- /dev/null +++ b/bin/tests/system/tsiggss/ns1/administrator.ccache diff --git a/bin/tests/system/tsiggss/ns1/dns.keytab b/bin/tests/system/tsiggss/ns1/dns.keytab Binary files differnew file mode 100644 index 0000000..dcb863b --- /dev/null +++ b/bin/tests/system/tsiggss/ns1/dns.keytab diff --git a/bin/tests/system/tsiggss/ns1/example.nil.db.in b/bin/tests/system/tsiggss/ns1/example.nil.db.in new file mode 100644 index 0000000..001bb29 --- /dev/null +++ b/bin/tests/system/tsiggss/ns1/example.nil.db.in @@ -0,0 +1,51 @@ +; -*- zone -*- +; this was generated by a Samba4 provision, and is typical +; of a AD DNS zone +$ORIGIN example.nil. +$TTL 1W +@ IN SOA blu hostmaster ( + 2010113027 ; serial + 2D ; refresh + 4H ; retry + 6W ; expiry + 1W ) ; minimum + IN NS blu + + IN A 10.53.0.1 +; + +blu IN A 10.53.0.1 +gc._msdcs IN A 10.53.0.1 + +fb33eb58-5d58-4100-a114-256e0a97ffc1._msdcs IN CNAME blu +; +; global catalog servers +_gc._tcp IN SRV 0 100 3268 blu +_gc._tcp.Default-First-Site-Name._sites IN SRV 0 100 3268 blu +_ldap._tcp.gc._msdcs IN SRV 0 100 3268 blu +_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs IN SRV 0 100 3268 blu +; +; ldap servers +_ldap._tcp IN SRV 0 100 389 blu +_ldap._tcp.dc._msdcs IN SRV 0 100 389 blu +_ldap._tcp.pdc._msdcs IN SRV 0 100 389 blu +_ldap._tcp.d86745b4-f3e0-4af3-be03-2130d1534be8.domains._msdcs IN SRV 0 100 389 blu +_ldap._tcp.Default-First-Site-Name._sites IN SRV 0 100 389 blu +_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 389 blu +; +; krb5 servers +_kerberos._tcp IN SRV 0 100 88 blu +_kerberos._tcp.dc._msdcs IN SRV 0 100 88 blu +_kerberos._tcp.Default-First-Site-Name._sites IN SRV 0 100 88 blu +_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 blu +_kerberos._udp IN SRV 0 100 88 blu +; MIT kpasswd likes to lookup this name on password change +_kerberos-master._tcp IN SRV 0 100 88 blu +_kerberos-master._udp IN SRV 0 100 88 blu +; +; kpasswd +_kpasswd._tcp IN SRV 0 100 464 blu +_kpasswd._udp IN SRV 0 100 464 blu +; +; heimdal 'find realm for host' hack +_kerberos IN TXT EXAMPLE.NIL diff --git a/bin/tests/system/tsiggss/ns1/named.conf.in b/bin/tests/system/tsiggss/ns1/named.conf.in new file mode 100644 index 0000000..583cb37 --- /dev/null +++ b/bin/tests/system/tsiggss/ns1/named.conf.in @@ -0,0 +1,47 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + session-keyfile "session.key"; + listen-on { 10.53.0.1; 127.0.0.1; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + tkey-gssapi-keytab "dns.keytab"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "example.nil." IN { + type master; + file "example.nil.db"; + + update-policy { + grant Administrator@EXAMPLE.NIL wildcard * A AAAA SRV CNAME; + grant testdenied@EXAMPLE.NIL wildcard * TXT; + grant "local:auth.sock" external * CNAME; + }; + + /* we need to use check-names ignore so _msdcs A records can be created */ + check-names ignore; +}; diff --git a/bin/tests/system/tsiggss/ns1/testdenied.ccache b/bin/tests/system/tsiggss/ns1/testdenied.ccache Binary files differnew file mode 100644 index 0000000..070e85b --- /dev/null +++ b/bin/tests/system/tsiggss/ns1/testdenied.ccache diff --git a/bin/tests/system/tsiggss/prereq.sh b/bin/tests/system/tsiggss/prereq.sh new file mode 100644 index 0000000..8fbe016 --- /dev/null +++ b/bin/tests/system/tsiggss/prereq.sh @@ -0,0 +1,22 @@ +#!/bin/sh +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +# enable the tsiggss test only if gssapi was enabled +$FEATURETEST --gssapi || { + echo_i "gssapi and krb5 not supported - skipping tsiggss test" + exit 255 +} + +# ... and crypto +exec $SHELL ../testcrypto.sh diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh new file mode 100644 index 0000000..5da33cf --- /dev/null +++ b/bin/tests/system/tsiggss/setup.sh @@ -0,0 +1,22 @@ +#!/bin/sh +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +$SHELL clean.sh + +test -r $RANDFILE || $GENRANDOM 400 $RANDFILE + +copy_setports ns1/named.conf.in ns1/named.conf + +key=`$KEYGEN -Cq -K ns1 -a DSA -b 512 -r $RANDFILE -n HOST -T KEY key.example.nil.` +cat ns1/example.nil.db.in ns1/${key}.key > ns1/example.nil.db diff --git a/bin/tests/system/tsiggss/tests.sh b/bin/tests/system/tsiggss/tests.sh new file mode 100644 index 0000000..b489d7b --- /dev/null +++ b/bin/tests/system/tsiggss/tests.sh @@ -0,0 +1,105 @@ +#!/bin/sh +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# tests for TSIG-GSS updates + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +status=0 + +DIGOPTS="@10.53.0.1 -p ${PORT}" + +test_update() { + host="$1" + type="$2" + cmd="$3" + digout="$4" + + cat <<EOF > ns1/update.txt +server 10.53.0.1 ${PORT} +update add $host $cmd +send +EOF + echo "I:testing update for $host $type $cmd" + $NSUPDATE -g -d ns1/update.txt > nsupdate.out 2>&1 || { + echo "I:update failed for $host $type $cmd" + sed "s/^/I:/" nsupdate.out + return 1 + } + + out=`$DIG $DIGOPTS -t $type -q $host | egrep "^${host}"` + lines=`echo "$out" | grep "$digout" | wc -l` + [ $lines -eq 1 ] || { + echo "I:dig output incorrect for $host $type $cmd: $out" + return 1 + } + return 0 +} + +echo "I:testing updates as administrator" +KRB5CCNAME="FILE:"`pwd`/ns1/administrator.ccache +export KRB5CCNAME + +test_update testdc1.example.nil. A "86400 A 10.53.0.10" "10.53.0.10" || status=1 +test_update testdc2.example.nil. A "86400 A 10.53.0.11" "10.53.0.11" || status=1 +test_update denied.example.nil. TXT "86400 TXT helloworld" "helloworld" > /dev/null && status=1 + +echo "I:testing updates as a user" +KRB5CCNAME="FILE:"`pwd`/ns1/testdenied.ccache +export KRB5CCNAME + +test_update testdenied.example.nil. A "86400 A 10.53.0.12" "10.53.0.12" > /dev/null && status=1 +test_update testdenied.example.nil. TXT "86400 TXT helloworld" "helloworld" || status=1 + +echo "I:testing external update policy" +test_update testcname.example.nil. TXT "86400 CNAME testdenied.example.nil" "testdenied" > /dev/null && status=1 +$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 > /dev/null 2>&1 & +sleep 1 +test_update testcname.example.nil. TXT "86400 CNAME testdenied.example.nil" "testdenied" || status=1 +test_update testcname.example.nil. TXT "86400 A 10.53.0.13" "10.53.0.13" > /dev/null && status=1 + +echo "I:testing external policy with SIG(0) key" +ret=0 +$NSUPDATE -R $RANDFILE -k ns1/Kkey.example.nil.*.private <<END > /dev/null 2>&1 || ret=1 +server 10.53.0.1 ${PORT} +zone example.nil +update add fred.example.nil 120 cname foo.bar. +send +END +output=`$DIG $DIGOPTS +short cname fred.example.nil.` +[ -n "$output" ] || ret=1 +[ $ret -eq 0 ] || echo "I:failed" +status=`expr $status + $ret` + +echo "I:ensure too long realm name is fatal in non-interactive mode" +ret=0 +$NSUPDATE <<END > nsupdate.out 2>&1 && ret=1 + realm namenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamename +END +grep "realm is too long" nsupdate.out > /dev/null || ret=1 +grep "syntax error" nsupdate.out > /dev/null || ret=1 +[ $ret = 0 ] || { echo I:failed; status=1; } + +echo "I:ensure too long realm name is not fatal in interactive mode" +ret=0 +$NSUPDATE -i <<END > nsupdate.out 2>&1 || ret=1 + realm namenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamename +END +grep "realm is too long" nsupdate.out > /dev/null || ret=1 +[ $ret = 0 ] || { echo I:failed; status=1; } + +[ $status -eq 0 ] && echo "I:tsiggss tests all OK" + +kill `cat authsock.pid` + +echo "I:exit status: $status" +[ $status -eq 0 ] || exit 1 |