From 48e8ac1757e445d1467cb3770481bd0e4c0f45d4 Mon Sep 17 00:00:00 2001
From: Pieter Lexis
Date: Tue, 30 Sep 2025 11:33:24 +0200
Subject: [PATCH] test: Add IPCrypt2 tests
---
 pdns/dnsdistdist/Makefile.am | 3 +
 pdns/dnsdistdist/meson.build | 2 +
 pdns/dnsdistdist/test-dnsdist-ipcrypt2_cc.cc | 95 ++++++++++++++++++++
 3 files changed, 100 insertions(+)
 create mode 100644 pdns/dnsdistdist/test-dnsdist-ipcrypt2_cc.cc
diff --git a/pdns/dnsdistdist/Makefile.am b/pdns/dnsdistdist/Makefile.am
index 19a64dc7eb..14761865b8 100644
--- a/pdns/dnsdistdist/Makefile.am
+++ b/pdns/dnsdistdist/Makefile.am
@@ -337,6 +337,7 @@ testrunner_SOURCES = \
 dnsdist-edns.cc dnsdist-edns.hh \
 dnsdist-frontend.cc dnsdist-frontend.hh \
 dnsdist-idstate.cc dnsdist-idstate.hh \
+ dnsdist-ipcrypt2.cc dnsdist-ipcrypt2.hh \
 dnsdist-kvs.cc dnsdist-kvs.hh \
 dnsdist-lbpolicies.cc dnsdist-lbpolicies.hh \
 dnsdist-lua-bindings-dnsquestion.cc \
@@ -399,6 +400,7 @@ testrunner_SOURCES = \
 test-dnscrypt_cc.cc \
 test-dnsdist-connections-cache.cc \
 test-dnsdist-dnsparser.cc \
+ test-dnsdist-ipcrypt2_cc.cc \
 test-dnsdist-lua-ffi.cc \
 test-dnsdist_cc.cc \
 test-dnsdistasync.cc \
@@ -458,6 +460,7 @@ testrunner_LDADD = \
 $(LUA_LIBS) \
 $(RT_LIBS) \
 $(LIBCAP_LIBS) \
+ $(IPCRYPT2_LIBS) \
 $(ARC4RANDOM_LIBS)

 if HAVE_CDB
diff --git a/pdns/dnsdistdist/meson.build b/pdns/dnsdistdist/meson.build
index 4cc1eb6366..73cbdf994a 100644
--- a/pdns/dnsdistdist/meson.build
+++ b/pdns/dnsdistdist/meson.build
@@ -528,6 +528,7 @@ test_sources += files(
 src_dir / 'test-dnsdist_cc.cc',
 src_dir / 'test-dnsdist-connections-cache.cc',
 src_dir / 'test-dnsdist-dnsparser.cc',
+ src_dir / 'test-dnsdist-ipcrypt2_cc.cc',
 src_dir / 'test-dnsdistdynblocks_hh.cc',
 src_dir / 'test-dnsdistedns.cc',
 src_dir / 'test-dnsdistkvs_cc.cc',
@@ -559,6 +560,7 @@ if get_option('unit-tests')
 dependencies: [
 dep_boost,
 dep_boost_test,
+ dep_ipcrypt2,
 dep_lua,
 dep_protozero,
 ],
diff --git a/pdns/dnsdistdist/test-dnsdist-ipcrypt2_cc.cc b/pdns/dnsdistdist/test-dnsdist-ipcrypt2_cc.cc
new file mode 100644
index 0000000000..f5b7aa82f5
--- /dev/null
+++ b/pdns/dnsdistdist/test-dnsdist-ipcrypt2_cc.cc
@@ -0,0 +1,95 @@
+/*
+ * This file is part of PowerDNS or dnsdist.
+ * Copyright -- PowerDNS.COM B.V. and its contributors
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+ * published by the Free Software Foundation.
+ *
+ * In addition, for the avoidance of any doubt, permission is granted to
+ * link this program with OpenSSL and to (re)distribute the binaries
+ * produced as the result of such linking.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#ifndef BOOST_TEST_DYN_LINK
+#define BOOST_TEST_DYN_LINK
+#include "iputils.hh"
+#include
+#include
+#include
+#endif
+
+#define BOOST_TEST_NO_MAIN
+
+#include
+
+#include "dnsdist-ipcrypt2.hh"
+
+BOOST_AUTO_TEST_SUITE(test_dnsdist_ipcrypt2_cc)
+
+BOOST_AUTO_TEST_CASE(pfx_success)
+{
+ auto ipcrypt = pdns::ipcrypt2::IPCrypt2(pdns::ipcrypt2::IPCryptMethod::pfx, "12345678901234567890123456789012");
+
+ auto encip = ipcrypt.encrypt(ComboAddress("127.0.0.1"));
+ BOOST_CHECK(encip.isIPv4());
+ BOOST_CHECK_NE(ComboAddress("127.0.0.1").toLogString(), encip.toLogString());
+
+ encip = ipcrypt.encrypt(ComboAddress("::1"));
+ BOOST_CHECK(encip.isIPv6());
+ BOOST_CHECK_NE(ComboAddress("::1").toLogString(), encip.toLogString());
+}
+
+BOOST_AUTO_TEST_CASE(pfx_bad_key)
+{
+ BOOST_CHECK_THROW(
+ auto ipcrypt = pdns::ipcrypt2::IPCrypt2(pdns::ipcrypt2::IPCryptMethod::pfx, "notlongenough"), std::runtime_error);
+}
+
+BOOST_AUTO_TEST_CASE(pfx_preserves)
+{
+ auto ipcrypt = pdns::ipcrypt2::IPCrypt2(pdns::ipcrypt2::IPCryptMethod::pfx, "12345678901234567890123456789012");
+
+ auto encip = ipcrypt.encrypt(ComboAddress("127.0.0.1"));
+ BOOST_CHECK(encip.isIPv4());
+ auto encip2 = ipcrypt.encrypt(ComboAddress("127.0.0.2"));
+ BOOST_CHECK(encip2.isIPv4());
+
+ BOOST_CHECK(encip != encip2);
+
+ auto nw = Netmask(encip, 24);
+ BOOST_CHECK(nw.match(encip));
+ BOOST_CHECK(nw.match(encip2));
+}
+
+BOOST_AUTO_TEST_CASE(assignment)
+{
+ std::optional optIPCrypt;
+ optIPCrypt = std::make_optional(pdns::ipcrypt2::IPCrypt2(pdns::ipcrypt2::IPCryptMethod::pfx, "12345678901234567890123456789012"));
+
+ BOOST_CHECK(optIPCrypt.has_value());
+
+ auto encip = optIPCrypt->encrypt(ComboAddress("127.0.0.1"));
+ BOOST_CHECK(encip.isIPv4());
+ BOOST_CHECK_NE(ComboAddress("127.0.0.1").toLogString(), encip.toLogString());
+
+ encip = optIPCrypt->encrypt(ComboAddress("::1"));
+ BOOST_CHECK(encip.isIPv6());
+ BOOST_CHECK_NE(ComboAddress("::1").toLogString(), encip.toLogString());
+}
+
+BOOST_AUTO_TEST_CASE(unsupported_method)
+{
+ BOOST_CHECK_THROW(
+ auto ipcrypt = pdns::ipcrypt2::IPCrypt2(pdns::ipcrypt2::IPCryptMethod::deterministic, ""), std::runtime_error);
+}
+
+BOOST_AUTO_TEST_SUITE_END()
-- 
2.47.3
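Review bot: In `unsupported_method` the constructor is given an empty key together with `IPCryptMethod::deterministic`, so the expected `std::runtime_error` may well come from key validation rather than from the method check (the constructor is not part of this patch), and the case would still pass if the method check were dropped. Reusing the 32-character key from the other cases, `pdns::ipcrypt2::IPCrypt2(pdns::ipcrypt2::IPCryptMethod::deterministic, "12345678901234567890123456789012")`, would isolate the method check, assuming the key length is not validated per method. The pfx cases assert only that the output differs from the input and keeps its address family, so a wrong key schedule or byte order would go unnoticed; a fixed-key known-answer check against the IPCrypt specification's test vectors and a same-input/same-output assertion would cover that. Separately, `#include "iputils.hh"` and the three includes after it sit inside `#ifndef BOOST_TEST_DYN_LINK`, so they are skipped when the build predefines that macro; moving `#endif` to directly after the `#define` removes the reliance on transitive includes.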