diff options
Diffstat (limited to '')
-rw-r--r-- | lib/dns/tests/acl_test.c | 374 |
1 files changed, 374 insertions, 0 deletions
diff --git a/lib/dns/tests/acl_test.c b/lib/dns/tests/acl_test.c new file mode 100644 index 0000000..285a990 --- /dev/null +++ b/lib/dns/tests/acl_test.c @@ -0,0 +1,374 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + + +/*! \file */ + +#include <config.h> + +#include <atf-c.h> + +#include <stdio.h> +#include <stdbool.h> +#include <unistd.h> + +#include <isc/print.h> +#include <isc/string.h> + +#include <dns/acl.h> +#include "dnstest.h" + +/* + * Helper functions + */ + +#define BUFLEN 255 +#define BIGBUFLEN (70 * 1024) +#define TEST_ORIGIN "test" + +ATF_TC(dns_acl_isinsecure); +ATF_TC_HEAD(dns_acl_isinsecure, tc) { + atf_tc_set_md_var(tc, "descr", "test that dns_acl_isinsecure works"); +} +ATF_TC_BODY(dns_acl_isinsecure, tc) { + isc_result_t result; + unsigned int pass; + struct { + bool first; + bool second; + } ecs[] = { + { false, false }, + { true, true }, + { true, false }, + { false, true } + }; + + dns_acl_t *any = NULL; + dns_acl_t *none = NULL; + dns_acl_t *notnone = NULL; + dns_acl_t *notany = NULL; +#ifdef HAVE_GEOIP + dns_acl_t *geoip = NULL; + dns_acl_t *notgeoip = NULL; + dns_aclelement_t *de; +#endif + + dns_acl_t *pos4pos6 = NULL; + dns_acl_t *notpos4pos6 = NULL; + dns_acl_t *neg4pos6 = NULL; + dns_acl_t *notneg4pos6 = NULL; + dns_acl_t *pos4neg6 = NULL; + dns_acl_t *notpos4neg6 = NULL; + dns_acl_t *neg4neg6 = NULL; + dns_acl_t *notneg4neg6 = NULL; + + dns_acl_t *loop4 = NULL; + dns_acl_t *notloop4 = NULL; + + dns_acl_t *loop6 = NULL; + dns_acl_t *notloop6 = NULL; + + dns_acl_t *loop4pos6 = NULL; + dns_acl_t *notloop4pos6 = NULL; + dns_acl_t *loop4neg6 = NULL; + dns_acl_t *notloop4neg6 = NULL; + + struct in_addr inaddr; + isc_netaddr_t addr; + + UNUSED(tc); + + result = dns_test_begin(NULL, false); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + result = dns_acl_any(mctx, &any); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + result = dns_acl_none(mctx, &none); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + result = dns_acl_create(mctx, 1, ¬none); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + result = dns_acl_create(mctx, 1, ¬any); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + result = dns_acl_merge(notnone, none, false); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + result = dns_acl_merge(notany, any, false); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + +#ifdef HAVE_GEOIP + result = dns_acl_create(mctx, 1, &geoip); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + de = geoip->elements; + ATF_REQUIRE(de != NULL); + strlcpy(de->geoip_elem.as_string, "AU", + sizeof(de->geoip_elem.as_string)); + de->geoip_elem.subtype = dns_geoip_country_code; + de->type = dns_aclelementtype_geoip; + de->negative = false; + ATF_REQUIRE(geoip->length < geoip->alloc); + geoip->node_count++; + de->node_num = geoip->node_count; + geoip->length++; + + result = dns_acl_create(mctx, 1, ¬geoip); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + result = dns_acl_merge(notgeoip, geoip, false); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); +#endif + + ATF_CHECK(dns_acl_isinsecure(any)); /* any; */ + ATF_CHECK(!dns_acl_isinsecure(none)); /* none; */ + ATF_CHECK(!dns_acl_isinsecure(notany)); /* !any; */ + ATF_CHECK(!dns_acl_isinsecure(notnone)); /* !none; */ + +#ifdef HAVE_GEOIP + ATF_CHECK(dns_acl_isinsecure(geoip)); /* geoip; */ + ATF_CHECK(!dns_acl_isinsecure(notgeoip)); /* !geoip; */ +#endif + + dns_acl_detach(&any); + dns_acl_detach(&none); + dns_acl_detach(¬any); + dns_acl_detach(¬none); +#ifdef HAVE_GEOIP + dns_acl_detach(&geoip); + dns_acl_detach(¬geoip); +#endif + + for (pass = 0; pass < sizeof(ecs)/sizeof(ecs[0]); pass++) { + result = dns_acl_create(mctx, 1, &pos4pos6); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + result = dns_acl_create(mctx, 1, ¬pos4pos6); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + result = dns_acl_create(mctx, 1, &neg4pos6); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + result = dns_acl_create(mctx, 1, ¬neg4pos6); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + result = dns_acl_create(mctx, 1, &pos4neg6); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + result = dns_acl_create(mctx, 1, ¬pos4neg6); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + result = dns_acl_create(mctx, 1, &neg4neg6); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + result = dns_acl_create(mctx, 1, ¬neg4neg6); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + inaddr.s_addr = htonl(0x0a000000); /* 10.0.0.0 */ + isc_netaddr_fromin(&addr, &inaddr); + result = dns_iptable_addprefix2(pos4pos6->iptable, &addr, 8, + true, ecs[pass].first); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + addr.family = AF_INET6; /* 0a00:: */ + result = dns_iptable_addprefix2(pos4pos6->iptable, &addr, 8, + true, ecs[pass].second); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + result = dns_acl_merge(notpos4pos6, pos4pos6, false); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + inaddr.s_addr = htonl(0x0a000000); /* !10.0.0.0/8 */ + isc_netaddr_fromin(&addr, &inaddr); + result = dns_iptable_addprefix2(neg4pos6->iptable, &addr, 8, + false, ecs[pass].first); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + addr.family = AF_INET6; /* 0a00::/8 */ + result = dns_iptable_addprefix2(neg4pos6->iptable, &addr, 8, + true, ecs[pass].second); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + result = dns_acl_merge(notneg4pos6, neg4pos6, false); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + inaddr.s_addr = htonl(0x0a000000); /* 10.0.0.0/8 */ + isc_netaddr_fromin(&addr, &inaddr); + result = dns_iptable_addprefix2(pos4neg6->iptable, &addr, 8, + true, ecs[pass].first); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + addr.family = AF_INET6; /* !0a00::/8 */ + result = dns_iptable_addprefix2(pos4neg6->iptable, &addr, 8, + false, ecs[pass].second); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + result = dns_acl_merge(notpos4neg6, pos4neg6, false); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + inaddr.s_addr = htonl(0x0a000000); /* !10.0.0.0/8 */ + isc_netaddr_fromin(&addr, &inaddr); + result = dns_iptable_addprefix2(neg4neg6->iptable, &addr, 8, + false, ecs[pass].first); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + addr.family = AF_INET6; /* !0a00::/8 */ + result = dns_iptable_addprefix2(neg4neg6->iptable, &addr, 8, + false, ecs[pass].second); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + result = dns_acl_merge(notneg4neg6, neg4neg6, false); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + ATF_CHECK(dns_acl_isinsecure(pos4pos6)); + ATF_CHECK(!dns_acl_isinsecure(notpos4pos6)); + ATF_CHECK(dns_acl_isinsecure(neg4pos6)); + ATF_CHECK(!dns_acl_isinsecure(notneg4pos6)); + ATF_CHECK(dns_acl_isinsecure(pos4neg6)); + ATF_CHECK(!dns_acl_isinsecure(notpos4neg6)); + ATF_CHECK(!dns_acl_isinsecure(neg4neg6)); + ATF_CHECK(!dns_acl_isinsecure(notneg4neg6)); + + dns_acl_detach(&pos4pos6); + dns_acl_detach(¬pos4pos6); + dns_acl_detach(&neg4pos6); + dns_acl_detach(¬neg4pos6); + dns_acl_detach(&pos4neg6); + dns_acl_detach(¬pos4neg6); + dns_acl_detach(&neg4neg6); + dns_acl_detach(¬neg4neg6); + + result = dns_acl_create(mctx, 1, &loop4); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + result = dns_acl_create(mctx, 1, ¬loop4); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + result = dns_acl_create(mctx, 1, &loop6); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + result = dns_acl_create(mctx, 1, ¬loop6); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + inaddr.s_addr = htonl(0x7f000001); /* 127.0.0.1 */ + isc_netaddr_fromin(&addr, &inaddr); + result = dns_iptable_addprefix2(loop4->iptable, &addr, 32, + true, ecs[pass].first); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + result = dns_acl_merge(notloop4, loop4, false); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + isc_netaddr_fromin6(&addr, &in6addr_loopback); /* ::1 */ + result = dns_iptable_addprefix2(loop6->iptable, &addr, 128, + true, ecs[pass].first); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + result = dns_acl_merge(notloop6, loop6, false); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + if (!ecs[pass].first) { + ATF_CHECK(!dns_acl_isinsecure(loop4)); + ATF_CHECK(!dns_acl_isinsecure(notloop4)); + ATF_CHECK(!dns_acl_isinsecure(loop6)); + ATF_CHECK(!dns_acl_isinsecure(notloop6)); + } else if (ecs[pass].first) { + ATF_CHECK(dns_acl_isinsecure(loop4)); + ATF_CHECK(!dns_acl_isinsecure(notloop4)); + ATF_CHECK(dns_acl_isinsecure(loop6)); + ATF_CHECK(!dns_acl_isinsecure(notloop6)); + } + + dns_acl_detach(&loop4); + dns_acl_detach(¬loop4); + dns_acl_detach(&loop6); + dns_acl_detach(¬loop6); + + result = dns_acl_create(mctx, 1, &loop4pos6); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + result = dns_acl_create(mctx, 1, ¬loop4pos6); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + result = dns_acl_create(mctx, 1, &loop4neg6); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + result = dns_acl_create(mctx, 1, ¬loop4neg6); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + inaddr.s_addr = htonl(0x7f000001); /* 127.0.0.1 */ + isc_netaddr_fromin(&addr, &inaddr); + result = dns_iptable_addprefix2(loop4pos6->iptable, &addr, 32, + true, ecs[pass].first); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + addr.family = AF_INET6; /* f700:0001::/32 */ + result = dns_iptable_addprefix2(loop4pos6->iptable, &addr, 32, + true, ecs[pass].second); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + result = dns_acl_merge(notloop4pos6, loop4pos6, false); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + inaddr.s_addr = htonl(0x7f000001); /* 127.0.0.1 */ + isc_netaddr_fromin(&addr, &inaddr); + result = dns_iptable_addprefix2(loop4neg6->iptable, &addr, 32, + true, ecs[pass].first); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + addr.family = AF_INET6; /* !f700:0001::/32 */ + result = dns_iptable_addprefix2(loop4neg6->iptable, &addr, 32, + false, ecs[pass].second); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + result = dns_acl_merge(notloop4neg6, loop4neg6, false); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + if (!ecs[pass].first && !ecs[pass].second) { + ATF_CHECK(dns_acl_isinsecure(loop4pos6)); + ATF_CHECK(!dns_acl_isinsecure(notloop4pos6)); + ATF_CHECK(!dns_acl_isinsecure(loop4neg6)); + ATF_CHECK(!dns_acl_isinsecure(notloop4neg6)); + } else if (ecs[pass].first && !ecs[pass].second) { + ATF_CHECK(dns_acl_isinsecure(loop4pos6)); + ATF_CHECK(!dns_acl_isinsecure(notloop4pos6)); + ATF_CHECK(dns_acl_isinsecure(loop4neg6)); + ATF_CHECK(!dns_acl_isinsecure(notloop4neg6)); + } else if (!ecs[pass].first && ecs[pass].second) { + ATF_CHECK(dns_acl_isinsecure(loop4pos6)); + ATF_CHECK(!dns_acl_isinsecure(notloop4pos6)); + ATF_CHECK(!dns_acl_isinsecure(loop4neg6)); + ATF_CHECK(!dns_acl_isinsecure(notloop4neg6)); + } else { + ATF_CHECK(dns_acl_isinsecure(loop4pos6)); + ATF_CHECK(!dns_acl_isinsecure(notloop4pos6)); + ATF_CHECK(dns_acl_isinsecure(loop4neg6)); + ATF_CHECK(!dns_acl_isinsecure(notloop4neg6)); + } + + dns_acl_detach(&loop4pos6); + dns_acl_detach(¬loop4pos6); + dns_acl_detach(&loop4neg6); + dns_acl_detach(¬loop4neg6); + } + + dns_test_end(); +} + +/* + * Main + */ +ATF_TP_ADD_TCS(tp) { + ATF_TP_ADD_TC(tp, dns_acl_isinsecure); + return (atf_no_error()); +} |