From: Remi Gacogne Date: Mon, 27 Mar 2023 12:30:57 +0000 (+0200) Subject: dnsdist: Test both incoming DoH implementations in ProxyProtocol tests X-Git-Tag: rec-5.0.0-alpha1~19^2~25 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2f4ac048d066519a14834321026ba58fbb673ef2;p=thirdparty%2Fpdns.git dnsdist: Test both incoming DoH implementations in ProxyProtocol tests
---
diff --git a/regression-tests.dnsdist/dnsdisttests.py b/regression-tests.dnsdist/dnsdisttests.py
index 6bc56cdb7a..1e7968aa3d 100644
--- a/regression-tests.dnsdist/dnsdisttests.py
+++ b/regression-tests.dnsdist/dnsdisttests.py
@@ -1079,5 +1079,11 @@ class DNSDistTest(AssertEqualDNSMessageMixin, unittest.TestCase):
 def sendDOHQueryWrapper(self, query, response, useQueue=True):
 return self.sendDOHQuery(self._dohServerPort, self._serverName, self._dohBaseURL, query, response=response, caFile=self._caCert, useQueue=useQueue)
+ def sendDOHWithNGHTTP2QueryWrapper(self, query, response, useQueue=True):
+ return self.sendDOHQuery(self._dohWithNGHTTP2ServerPort, self._serverName, self._dohWithNGHTTP2BaseURL, query, response=response, caFile=self._caCert, useQueue=useQueue)
+
+ def sendDOHWithH2OQueryWrapper(self, query, response, useQueue=True):
+ return self.sendDOHQuery(self._dohWithH2OServerPort, self._serverName, self._dohWithH2OBaseURL, query, response=response, caFile=self._caCert, useQueue=useQueue)
+
 def sendDOTQueryWrapper(self, query, response, useQueue=True):
 return self.sendDOTQuery(self._tlsServerPort, self._serverName, query, response, self._caCert, useQueue=useQueue)
diff --git a/regression-tests.dnsdist/test_Async.py b/regression-tests.dnsdist/test_Async.py
index 057bee47e9..8856df30f5 100644
--- a/regression-tests.dnsdist/test_Async.py
+++ b/regression-tests.dnsdist/test_Async.py
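Review bot: The two new wrappers read `self._dohWithNGHTTP2ServerPort`, `self._dohWithNGHTTP2BaseURL`, `self._dohWithH2OServerPort` and `self._dohWithH2OBaseURL`, none of which the base class appears to define (the sibling `sendDOHQueryWrapper` relies on the base-class `_dohServerPort`/`_dohBaseURL`), so a test class that selects one of them as its wrapper without declaring those attributes only fails with an AttributeError at call time. A one-line docstring on each would make that contract explicit, e.g. `"""Send a DoH query to the nghttp2 listener; the test class must define _dohWithNGHTTP2ServerPort and _dohWithNGHTTP2BaseURL."""` and the h2o counterpart. The enclosing class DNSDistTest starts outside the hunk.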
@@ -96,12 +96,6 @@ class AsyncTests(object):
 _dohWithNGHTTP2BaseURL = ("https://%s:%d/" % (_serverName, _dohWithNGHTTP2ServerPort))
 _dohWithH2OBaseURL = ("https://%s:%d/" % (_serverName, _dohWithH2OServerPort))
- def sendDOHWithNGHTTP2QueryWrapper(self, query, response, useQueue=True):
- return self.sendDOHQuery(self._dohWithNGHTTP2ServerPort, self._serverName, self._dohWithNGHTTP2BaseURL, query, response=response, caFile=self._caCert, useQueue=useQueue)
-
- def sendDOHWithH2OQueryWrapper(self, query, response, useQueue=True):
- return self.sendDOHQuery(self._dohWithH2OServerPort, self._serverName, self._dohWithH2OBaseURL, query, response=response, caFile=self._caCert, useQueue=useQueue)
-
 def testPass(self):
 """
 Async: Accept
diff --git a/regression-tests.dnsdist/test_Protobuf.py b/regression-tests.dnsdist/test_Protobuf.py
index 8a5aac6b2e..99a97183de 100644
--- a/regression-tests.dnsdist/test_Protobuf.py
+++ b/regression-tests.dnsdist/test_Protobuf.py
@@ -510,12 +510,6 @@ class TestProtobufMetaDOH(DNSDistProtobufTest):
 """
 _config_params = ['_testServerPort', '_protobufServerPort', '_tlsServerPort', '_serverCert', '_serverKey', '_dohWithNGHTTP2ServerPort', '_serverCert', '_serverKey', '_dohWithH2OServerPort', '_serverCert', '_serverKey']
- def sendDOHWithNGHTTP2QueryWrapper(self, query, response, useQueue=True):
- return self.sendDOHQuery(self._dohWithNGHTTP2ServerPort, self._serverName, self._dohWithNGHTTP2BaseURL, query, response=response, caFile=self._caCert, useQueue=useQueue)
-
- def sendDOHWithH2OQueryWrapper(self, query, response, useQueue=True):
- return self.sendDOHQuery(self._dohWithH2OServerPort, self._serverName, self._dohWithH2OBaseURL, query, response=response, caFile=self._caCert, useQueue=useQueue)
-
 def testProtobufMetaDoH(self):
 """
 Protobuf: Meta values - DoH
diff --git a/regression-tests.dnsdist/test_ProxyProtocol.py b/regression-tests.dnsdist/test_ProxyProtocol.py
index 1d7aa5c5c9..2ff4a2d741 100644
--- a/regression-tests.dnsdist/test_ProxyProtocol.py
+++ b/regression-tests.dnsdist/test_ProxyProtocol.py
@@ -729,23 +729,27 @@ class TestDOHWithOutgoingProxyProtocol(DNSDistDOHTest):
 _serverCert = 'server.chain'
 _serverName = 'tls.tests.dnsdist.org'
 _caCert = 'ca.pem'
- _dohServerPort = pickAvailablePort()
- _dohBaseURL = ("https://%s:%d/dns-query" % (_serverName, _dohServerPort))
+ _dohWithNGHTTP2ServerPort = pickAvailablePort()
+ _dohWithNGHTTP2BaseURL = ("https://%s:%d/dns-query" % (_serverName, _dohWithNGHTTP2ServerPort))
+ _dohWithH2OServerPort = pickAvailablePort()
+ _dohWithH2OBaseURL = ("https://%s:%d/dns-query" % (_serverName, _dohWithH2OServerPort))
 _proxyResponderPort = proxyResponderPort
 _config_template = """
 newServer{address="127.0.0.1:%s", useProxyProtocol=true}
- addDOHLocal("127.0.0.1:%s", "%s", "%s", { '/dns-query' }, { trustForwardedForHeader=true })
+ addDOHLocal("127.0.0.1:%d", "%s", "%s", { '/dns-query' }, { trustForwardedForHeader=true, library='nghttp2' })
+ addDOHLocal("127.0.0.1:%d", "%s", "%s", { '/dns-query' }, { trustForwardedForHeader=true, library='h2o' })
 setACL( { "::1/128", "127.0.0.0/8" } )
 """
- _config_params = ['_proxyResponderPort', '_dohServerPort', '_serverCert', '_serverKey']
+ _config_params = ['_proxyResponderPort', '_dohWithNGHTTP2ServerPort', '_serverCert', '_serverKey', '_dohWithH2OServerPort', '_serverCert', '_serverKey']
+ _verboseMode = True
 def testTruncation(self):
 """
- DOH: Truncation over UDP (with cache)
+ DOH: Truncation over UDP
 """
 # the query is first forwarded over UDP, leading to a TC=1 answer from the
 # backend, then over TCP
- name = 'truncated-udp.doh-with-cache.tests.powerdns.com.'
+ name = 'truncated-udp.doh.proxy-protocol.tests.powerdns.com.'
 query = dns.message.make_query(name, 'A', 'IN')
 query.id = 42
 expectedQuery = dns.message.make_query(name, 'A', 'IN', use_edns=True, payload=4096)
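Review bot: `_verboseMode = True` is added to TestDOHWithOutgoingProxyProtocol alongside the second listener, but nothing else in the hunk depends on it; if it is a leftover from debugging the nghttp2/h2o split it should go, and if it is intentional a trailing comment should say why this class alone needs it, e.g. `_verboseMode = True  # keep dnsdist verbose so listener-selection failures show up in the log`. Both `addDOHLocal` lines keep `trustForwardedForHeader=true`, which the X-Forwarded-For cases further down rely on, but it also lets any client admitted by the ACL choose the source address that ends up in the proxy-protocol payload sent to the backend, as the `127.0.0.42` assertion in testAddressFamilyMismatch demonstrates; only the `setACL` loopback restriction makes that acceptable here, and a comment on the template saying so would stop the snippet being copied into a real configuration. The class body continues past the hunk.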
@@ -758,39 +762,40 @@ class TestDOHWithOutgoingProxyProtocol(DNSDistDOHTest):
 '127.0.0.1')
 response.answer.append(rrset)
- # first response is a TC=1
- tcResponse = dns.message.make_response(query)
- tcResponse.flags |= dns.flags.TC
- toProxyQueue.put(tcResponse, True, 2.0)
+ for (port,url) in [(self._dohWithNGHTTP2ServerPort, self._dohWithNGHTTP2BaseURL), (self._dohWithH2OServerPort, self._dohWithH2OBaseURL)]:
+ # first response is a TC=1
+ tcResponse = dns.message.make_response(query)
+ tcResponse.flags |= dns.flags.TC
+ toProxyQueue.put(tcResponse, True, 2.0)
- ((receivedProxyPayload, receivedDNSData), receivedResponse) = self.sendDOHQuery(self._dohServerPort, self._serverName, self._dohBaseURL, query, caFile=self._caCert, response=response, fromQueue=fromProxyQueue, toQueue=toProxyQueue)
- # first query, received by the responder over UDP
- self.assertTrue(receivedProxyPayload)
- self.assertTrue(receivedDNSData)
- receivedQuery = dns.message.from_wire(receivedDNSData)
- self.assertTrue(receivedQuery)
- receivedQuery.id = expectedQuery.id
- self.assertEqual(expectedQuery, receivedQuery)
- self.checkQueryEDNSWithoutECS(expectedQuery, receivedQuery)
- self.checkMessageProxyProtocol(receivedProxyPayload, '127.0.0.1', '127.0.0.1', True, destinationPort=self._dohServerPort)
+ ((receivedProxyPayload, receivedDNSData), receivedResponse) = self.sendDOHQuery(port, self._serverName, url, query, caFile=self._caCert, response=response, fromQueue=fromProxyQueue, toQueue=toProxyQueue)
+ # first query, received by the responder over UDP
+ self.assertTrue(receivedProxyPayload)
+ self.assertTrue(receivedDNSData)
+ receivedQuery = dns.message.from_wire(receivedDNSData)
+ self.assertTrue(receivedQuery)
+ receivedQuery.id = expectedQuery.id
+ self.assertEqual(expectedQuery, receivedQuery)
+ self.checkQueryEDNSWithoutECS(expectedQuery, receivedQuery)
+ self.checkMessageProxyProtocol(receivedProxyPayload, '127.0.0.1', '127.0.0.1', True, destinationPort=port)
- # check the response
- self.assertTrue(receivedResponse)
- self.assertEqual(response, receivedResponse)
+ # check the response
+ self.assertTrue(receivedResponse)
+ self.assertEqual(response, receivedResponse)
- # check the second query, received by the responder over TCP
- (receivedProxyPayload, receivedDNSData) = fromProxyQueue.get(True, 2.0)
- self.assertTrue(receivedDNSData)
- receivedQuery = dns.message.from_wire(receivedDNSData)
- self.assertTrue(receivedQuery)
- receivedQuery.id = expectedQuery.id
- self.assertEqual(expectedQuery, receivedQuery)
- self.checkQueryEDNSWithoutECS(expectedQuery, receivedQuery)
- self.checkMessageProxyProtocol(receivedProxyPayload, '127.0.0.1', '127.0.0.1', True, destinationPort=self._dohServerPort)
+ # check the second query, received by the responder over TCP
+ (receivedProxyPayload, receivedDNSData) = fromProxyQueue.get(True, 2.0)
+ self.assertTrue(receivedDNSData)
+ receivedQuery = dns.message.from_wire(receivedDNSData)
+ self.assertTrue(receivedQuery)
+ receivedQuery.id = expectedQuery.id
+ self.assertEqual(expectedQuery, receivedQuery)
+ self.checkQueryEDNSWithoutECS(expectedQuery, receivedQuery)
+ self.checkMessageProxyProtocol(receivedProxyPayload, '127.0.0.1', '127.0.0.1', True, destinationPort=port)
- # make sure we consumed everything
- self.assertTrue(toProxyQueue.empty())
- self.assertTrue(fromProxyQueue.empty())
+ # make sure we consumed everything
+ self.assertTrue(toProxyQueue.empty())
+ self.assertTrue(fromProxyQueue.empty())
 def testAddressFamilyMismatch(self):
 """
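Review bot: Every assertion in testTruncation now runs once per listener, but a failure inside the `for (port,url) in [...]` loop will not say whether the nghttp2 or the h2o implementation broke, since neither the port nor the library name appears in any assertion message and the loop stops at the first failure. Wrapping the body in `with self.subTest(port=port):` (or carrying the library name in the tuple and passing it to subTest) names the failing implementation in the report and still exercises the second listener after the first fails. The same two-tuple list is spelled out again in testAddressFamilyMismatch; a class attribute such as `_dohListeners = ((_dohWithNGHTTP2ServerPort, _dohWithNGHTTP2BaseURL), (_dohWithH2OServerPort, _dohWithH2OBaseURL))` iterated as `for port, url in self._dohListeners:` would keep the two copies from drifting and also fixes the `(port,url)` spacing. testTruncation begins before this hunk; the `rrset`/`response` setup is not visible here.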
@@ -809,25 +814,26 @@ class TestDOHWithOutgoingProxyProtocol(DNSDistDOHTest):
 '127.0.0.1')
 response.answer.append(rrset)
- # the query should be dropped
- (receivedQuery, receivedResponse) = self.sendDOHQuery(self._dohServerPort, self._serverName, self._dohBaseURL, query, caFile=self._caCert, customHeaders=['x-forwarded-for: [::1]:8080'], useQueue=False)
- self.assertFalse(receivedQuery)
- self.assertFalse(receivedResponse)
+ for (port,url) in [(self._dohWithNGHTTP2ServerPort, self._dohWithNGHTTP2BaseURL), (self._dohWithH2OServerPort, self._dohWithH2OBaseURL)]:
+ # the query should be dropped
+ (receivedQuery, receivedResponse) = self.sendDOHQuery(port, self._serverName, url, query, caFile=self._caCert, customHeaders=['x-forwarded-for: [::1]:8080'], useQueue=False)
+ self.assertFalse(receivedQuery)
+ self.assertFalse(receivedResponse)
- # make sure the timeout is detected, if any
- time.sleep(4)
+ # make sure the timeout is detected, if any
+ time.sleep(4)
- # this one should not
- ((receivedProxyPayload, receivedDNSData), receivedResponse) = self.sendDOHQuery(self._dohServerPort, self._serverName, self._dohBaseURL, query, caFile=self._caCert, customHeaders=['x-forwarded-for: 127.0.0.42:8080'], response=response, fromQueue=fromProxyQueue, toQueue=toProxyQueue)
- self.assertTrue(receivedProxyPayload)
- self.assertTrue(receivedDNSData)
- receivedQuery = dns.message.from_wire(receivedDNSData)
- self.assertTrue(receivedQuery)
- receivedQuery.id = expectedQuery.id
- self.assertEqual(expectedQuery, receivedQuery)
- self.checkQueryEDNSWithoutECS(expectedQuery, receivedQuery)
- self.checkMessageProxyProtocol(receivedProxyPayload, '127.0.0.42', '127.0.0.1', True, destinationPort=self._dohServerPort)
- # check the response
- self.assertTrue(receivedResponse)
- receivedResponse.id = response.id
- self.assertEqual(response, receivedResponse)
+ # this one should not
+ ((receivedProxyPayload, receivedDNSData), receivedResponse) = self.sendDOHQuery(port, self._serverName, url, query, caFile=self._caCert, customHeaders=['x-forwarded-for: 127.0.0.42:8080'], response=response, fromQueue=fromProxyQueue, toQueue=toProxyQueue)
+ self.assertTrue(receivedProxyPayload)
+ self.assertTrue(receivedDNSData)
+ receivedQuery = dns.message.from_wire(receivedDNSData)
+ self.assertTrue(receivedQuery)
+ receivedQuery.id = expectedQuery.id
+ self.assertEqual(expectedQuery, receivedQuery)
+ self.checkQueryEDNSWithoutECS(expectedQuery, receivedQuery)
+ self.checkMessageProxyProtocol(receivedProxyPayload, '127.0.0.42', '127.0.0.1', True, destinationPort=port)
+ # check the response
+ self.assertTrue(receivedResponse)
+ receivedResponse.id = response.id
+ self.assertEqual(response, receivedResponse)
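Review bot: The dropped-query case at the top of the loop only checks the client side (`self.assertFalse(receivedQuery)`, `self.assertFalse(receivedResponse)`) and never asserts that nothing reached the backend, which is the property an IPv6 X-Forwarded-For against an IPv4 backend is supposed to guarantee; a forwarded query would only be caught indirectly when the next `sendDOHQuery` pulls a stale payload from `fromProxyQueue`. Adding `self.assertTrue(fromProxyQueue.empty())` right after `time.sleep(4)` makes the "dropped, not forwarded" claim explicit, assuming the proxy responder pushes every payload it receives onto `fromProxyQueue`, as the second half of the test already relies on. A side effect of the loop is that the 4-second sleep now runs once per listener, so this test takes at least 8 seconds; if the sleep only exists to let a possible timeout surface, issuing both drop attempts first and sleeping once would halve that. testAddressFamilyMismatch begins before this hunk.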