7 from dnsdisttests
import DNSDistTest
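class TestAPIBasics(DNSDistTest):
    """
    Access control and response shape of the dnsdist web server and REST API.

    Three groups of paths are exercised: paths that accept only the
    X-API-Key header, paths that accept either the key or basic auth, and
    paths that accept only basic auth. Every request goes over plain HTTP to
    127.0.0.1. The configuration does not make the API writable, so the PUT
    test expects a refusal.
    """

    # NOTE(review): this listing skips source lines 10-12. _webTimeout and
    # _webServerPort are read by every test below but are not assigned on any
    # visible line of this class; presumably they are set on the skipped lines
    # or inherited from DNSDistTest - confirm.
    _webServerBasicAuthPassword = 'secret'
    _webServerAPIKey = 'apisecret'
    # paths accessible using the API key only
    _apiOnlyPaths = ['/api/v1/servers/localhost/config', '/api/v1/servers/localhost/config/allow-from', '/api/v1/servers/localhost/statistics']
    # paths accessible using an API key or basic auth
    _statsPaths = [ '/jsonstat?command=stats', '/jsonstat?command=dynblocklist', '/api/v1/servers/localhost']
    # paths accessible using basic auth only (list not exhaustive)
    _basicOnlyPaths = ['/', '/index.html']
    # presumably substituted, in this order, into the %s placeholders of the
    # template by DNSDistTest - confirm
    _config_params = ['_testServerPort', '_webServerPort', '_webServerBasicAuthPassword', '_webServerAPIKey']
    _config_template = """
    setACL({"127.0.0.1/32", "::1/128"})
    newServer{address="127.0.0.1:%s"}
    webserver("127.0.0.1:%s", "%s", "%s")
    """

    def testBasicAuth(self):
        """
        API: Basic Authentication
        """
        for path in self._basicOnlyPaths + self._statsPaths:
            url = 'http://127.0.0.1:' + str(self._webServerPort) + path

            # same user name in both requests, only the password differs
            r = requests.get(url, auth=('whatever', "evilsecret"), timeout=self._webTimeout)
            self.assertEqual(r.status_code, 401)

            r = requests.get(url, auth=('whatever', self._webServerBasicAuthPassword), timeout=self._webTimeout)
            self.assertEqual(r.status_code, 200)

    def testXAPIKey(self):
        """
        API: X-Api-Key
        """
        headers = {'x-api-key': self._webServerAPIKey}
        for path in self._apiOnlyPaths + self._statsPaths:
            url = 'http://127.0.0.1:' + str(self._webServerPort) + path
            r = requests.get(url, headers=headers, timeout=self._webTimeout)
            self.assertEqual(r.status_code, 200)

    def testWrongXAPIKey(self):
        """
        API: Wrong X-Api-Key
        """
        headers = {'x-api-key': "evilapikey"}
        for path in self._apiOnlyPaths + self._statsPaths:
            url = 'http://127.0.0.1:' + str(self._webServerPort) + path
            r = requests.get(url, headers=headers, timeout=self._webTimeout)
            self.assertEqual(r.status_code, 401)

    def testBasicAuthOnly(self):
        """
        API: Basic Authentication Only
        """
        # a valid API key must not open the basic-auth-only pages
        headers = {'x-api-key': self._webServerAPIKey}
        for path in self._basicOnlyPaths:
            url = 'http://127.0.0.1:' + str(self._webServerPort) + path
            r = requests.get(url, headers=headers, timeout=self._webTimeout)
            self.assertEqual(r.status_code, 401)

    def testAPIKeyOnly(self):
        """
        API: API Key Only
        """
        # a valid basic-auth password must not open the key-only API paths
        for path in self._apiOnlyPaths:
            url = 'http://127.0.0.1:' + str(self._webServerPort) + path
            r = requests.get(url, auth=('whatever', self._webServerBasicAuthPassword), timeout=self._webTimeout)
            self.assertEqual(r.status_code, 401)

    def testServersLocalhost(self):
        """
        API: /api/v1/servers/localhost
        """
        headers = {'x-api-key': self._webServerAPIKey}
        url = 'http://127.0.0.1:' + str(self._webServerPort) + '/api/v1/servers/localhost'
        r = requests.get(url, headers=headers, timeout=self._webTimeout)
        self.assertEqual(r.status_code, 200)
        # the listing never assigns `content`; it is taken from the JSON body
        content = r.json()
        self.assertTrue(content)

        self.assertEqual(content['daemon_type'], 'dnsdist')

        rule_groups = ['response-rules', 'cache-hit-response-rules', 'self-answered-response-rules', 'rules']
        for key in ['version', 'acl', 'local', 'servers', 'frontends', 'pools'] + rule_groups:
            self.assertIn(key, content)

        for rule_group in rule_groups:
            for rule in content[rule_group]:
                for key in ['id', 'creationOrder', 'matches', 'rule', 'action', 'uuid']:
                    self.assertIn(key, rule)
                for key in ['id', 'creationOrder', 'matches']:
                    self.assertGreaterEqual(rule[key], 0)

        for server in content['servers']:
            # NOTE(review): source line 108 is missing from the listing, so
            # this key list may be shorter than the upstream one - confirm.
            for key in ['id', 'latency', 'name', 'weight', 'outstanding', 'qpsLimit',
                        'reuseds', 'state', 'address', 'pools', 'qps', 'queries', 'order', 'sendErrors']:
                self.assertIn(key, server)

            for key in ['id', 'latency', 'weight', 'outstanding', 'qpsLimit', 'reuseds',
                        'qps', 'queries', 'order']:
                self.assertGreaterEqual(server[key], 0)

            self.assertIn(server['state'], ['up', 'down', 'UP', 'DOWN'])

        for frontend in content['frontends']:
            for key in ['id', 'address', 'udp', 'tcp', 'type', 'queries']:
                self.assertIn(key, frontend)

            for key in ['id', 'queries']:
                self.assertGreaterEqual(frontend[key], 0)

        for pool in content['pools']:
            for key in ['id', 'name', 'cacheSize', 'cacheEntries', 'cacheHits', 'cacheMisses', 'cacheDeferredInserts', 'cacheDeferredLookups', 'cacheLookupCollisions', 'cacheInsertCollisions', 'cacheTTLTooShorts']:
                self.assertIn(key, pool)

            for key in ['id', 'cacheSize', 'cacheEntries', 'cacheHits', 'cacheMisses', 'cacheDeferredInserts', 'cacheDeferredLookups', 'cacheLookupCollisions', 'cacheInsertCollisions', 'cacheTTLTooShorts']:
                self.assertGreaterEqual(pool[key], 0)

    def testServersIDontExist(self):
        """
        API: /api/v1/servers/idontexist (should be 404)
        """
        headers = {'x-api-key': self._webServerAPIKey}
        url = 'http://127.0.0.1:' + str(self._webServerPort) + '/api/v1/servers/idontexist'
        r = requests.get(url, headers=headers, timeout=self._webTimeout)
        self.assertEqual(r.status_code, 404)

    def testServersLocalhostConfig(self):
        """
        API: /api/v1/servers/localhost/config
        """
        headers = {'x-api-key': self._webServerAPIKey}
        url = 'http://127.0.0.1:' + str(self._webServerPort) + '/api/v1/servers/localhost/config'
        r = requests.get(url, headers=headers, timeout=self._webTimeout)
        self.assertEqual(r.status_code, 200)
        # `content` and `values` are used below but never assigned in the
        # listing (source lines 150-151 are missing)
        content = r.json()
        self.assertTrue(content)
        values = {}

        for entry in content:
            for key in ['type', 'name', 'value']:
                self.assertIn(key, entry)

            self.assertEqual(entry['type'], 'ConfigSetting')
            values[entry['name']] = entry['value']

        for key in ['acl', 'control-socket', 'ecs-override', 'ecs-source-prefix-v4',
                    'ecs-source-prefix-v6', 'fixup-case', 'max-outstanding', 'server-policy',
                    'stale-cache-entries-ttl', 'tcp-recv-timeout', 'tcp-send-timeout',
                    'truncate-tc', 'verbose', 'verbose-health-checks']:
            self.assertIn(key, values)

        # NOTE(review): source line 166 (the end of this list) is missing from
        # the listing; only the visible names are checked here - confirm.
        for key in ['max-outstanding', 'stale-cache-entries-ttl', 'tcp-recv-timeout']:
            self.assertGreaterEqual(values[key], 0)

        # prefix lengths are bounded by the address width: 32 for v4, 128 for v6
        self.assertTrue(0 <= values['ecs-source-prefix-v4'] <= 32)
        self.assertTrue(0 <= values['ecs-source-prefix-v6'] <= 128)

    def testServersLocalhostConfigAllowFrom(self):
        """
        API: /api/v1/servers/localhost/config/allow-from
        """
        headers = {'x-api-key': self._webServerAPIKey}
        url = 'http://127.0.0.1:' + str(self._webServerPort) + '/api/v1/servers/localhost/config/allow-from'
        r = requests.get(url, headers=headers, timeout=self._webTimeout)
        self.assertEqual(r.status_code, 200)
        content = r.json()
        self.assertTrue(content)

        for key in ['type', 'name', 'value']:
            self.assertIn(key, content)

        self.assertEqual(content['name'], 'allow-from')
        self.assertEqual(content['type'], 'ConfigSetting')
        acl = content['value']
        expectedACL = ["127.0.0.1/32", "::1/128"]
        # compared order-insensitively: the writable-API test in this file
        # accepts every ordering of the ACL, so the order is not relied on
        self.assertEqual(sorted(acl), sorted(expectedACL))

    def testServersLocalhostConfigAllowFromPut(self):
        """
        API: PUT /api/v1/servers/localhost/config/allow-from (should be refused)

        The API is read-only by default, so this should be refused
        """
        newACL = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]
        # source line 203 is missing from the listing; "value" is the third
        # key the GET response carries and newACL is otherwise unused
        payload = json.dumps({"name": "allow-from",
                              "type": "ConfigSetting",
                              "value": newACL})
        headers = {'x-api-key': self._webServerAPIKey}
        url = 'http://127.0.0.1:' + str(self._webServerPort) + '/api/v1/servers/localhost/config/allow-from'
        r = requests.put(url, headers=headers, timeout=self._webTimeout, data=payload)
        self.assertEqual(r.status_code, 405)

        # a refusal status alone does not show that nothing was changed:
        # read the ACL back and compare it with the one from the template
        r = requests.get(url, headers=headers, timeout=self._webTimeout)
        self.assertEqual(r.status_code, 200)
        self.assertEqual(sorted(r.json()['value']), sorted(["127.0.0.1/32", "::1/128"]))

    def testServersLocalhostStatistics(self):
        """
        API: /api/v1/servers/localhost/statistics
        """
        headers = {'x-api-key': self._webServerAPIKey}
        url = 'http://127.0.0.1:' + str(self._webServerPort) + '/api/v1/servers/localhost/statistics'
        r = requests.get(url, headers=headers, timeout=self._webTimeout)
        self.assertEqual(r.status_code, 200)
        content = r.json()
        self.assertTrue(content)
        values = {}

        for entry in content:
            self.assertIn('type', entry)
            self.assertIn('name', entry)
            self.assertIn('value', entry)
            self.assertEqual(entry['type'], 'StatisticItem')
            values[entry['name']] = entry['value']

        expected = ['responses', 'servfail-responses', 'queries', 'acl-drops',
                    'frontend-noerror', 'frontend-nxdomain', 'frontend-servfail',
                    'rule-drop', 'rule-nxdomain', 'rule-refused', 'self-answered', 'downstream-timeouts',
                    'downstream-send-errors', 'trunc-failures', 'no-policy', 'latency0-1',
                    'latency1-10', 'latency10-50', 'latency50-100', 'latency100-1000',
                    'latency-slow', 'latency-sum', 'latency-count', 'latency-avg100', 'latency-avg1000',
                    'latency-avg10000', 'latency-avg1000000', 'uptime', 'real-memory-usage', 'noncompliant-queries',
                    'noncompliant-responses', 'rdqueries', 'empty-queries', 'cache-hits',
                    'cache-misses', 'cpu-iowait', 'cpu-steal', 'cpu-sys-msec', 'cpu-user-msec', 'fd-usage', 'dyn-blocked',
                    'dyn-block-nmg-size', 'rule-servfail', 'security-status',
                    'udp-in-errors', 'udp-noport-errors', 'udp-recvbuf-errors', 'udp-sndbuf-errors']

        # NOTE(review): both loop headers (source lines 240-241 and 244-245)
        # are missing from the listing. Iterating `expected` and then `values`
        # is the reading under which the visible assertions check for missing
        # and for unexpected statistics respectively - confirm.
        for key in expected:
            self.assertIn(key, values)
            self.assertGreaterEqual(values[key], 0)

        for key in values:
            self.assertIn(key, expected)

    def testJsonstatStats(self):
        """
        API: /jsonstat?command=stats
        """
        headers = {'x-api-key': self._webServerAPIKey}
        url = 'http://127.0.0.1:' + str(self._webServerPort) + '/jsonstat?command=stats'
        r = requests.get(url, headers=headers, timeout=self._webTimeout)
        self.assertEqual(r.status_code, 200)
        content = r.json()
        self.assertTrue(content)

        # NOTE(review): source lines 270-272 (the end of this list and the loop
        # header) are missing from the listing; only the visible names are
        # checked here - confirm.
        expected = ['responses', 'servfail-responses', 'queries', 'acl-drops',
                    'frontend-noerror', 'frontend-nxdomain', 'frontend-servfail',
                    'rule-drop', 'rule-nxdomain', 'rule-refused', 'self-answered', 'downstream-timeouts',
                    'downstream-send-errors', 'trunc-failures', 'no-policy', 'latency0-1',
                    'latency1-10', 'latency10-50', 'latency50-100', 'latency100-1000',
                    'latency-slow', 'latency-avg100', 'latency-avg1000', 'latency-avg10000',
                    'latency-avg1000000', 'uptime', 'real-memory-usage', 'noncompliant-queries',
                    'noncompliant-responses', 'rdqueries', 'empty-queries', 'cache-hits',
                    'cache-misses', 'cpu-user-msec', 'cpu-sys-msec', 'fd-usage', 'dyn-blocked',
                    'dyn-block-nmg-size', 'packetcache-hits', 'packetcache-misses', 'over-capacity-drops']

        for key in expected:
            self.assertIn(key, content)
            self.assertGreaterEqual(content[key], 0)

    def testJsonstatDynblocklist(self):
        """
        API: /jsonstat?command=dynblocklist
        """
        headers = {'x-api-key': self._webServerAPIKey}
        url = 'http://127.0.0.1:' + str(self._webServerPort) + '/jsonstat?command=dynblocklist'
        r = requests.get(url, headers=headers, timeout=self._webTimeout)
        self.assertEqual(r.status_code, 200)
        content = r.json()

        # NOTE(review): source lines 285-288 are missing from the listing. The
        # template configures no dynamic-block rule, so an empty reply is
        # plausible; the key checks are skipped for it - confirm upstream.
        if content:
            for key in ['reason', 'seconds', 'blocks', 'action']:
                self.assertIn(key, content)

            for key in ['blocks']:
                self.assertGreaterEqual(content[key], 0)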
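class TestAPIServerDown(DNSDistTest):
    """
    API output for a backend that is down.

    The configuration marks the only backend as down with
    getServer(0):setDown(); the API is then expected to report no latency
    value for it.
    """

    # NOTE(review): this listing skips source lines 296-297; _webTimeout is
    # read below but not assigned on any visible line of this class -
    # presumably set there or inherited from DNSDistTest.
    _webServerPort = 8083
    _webServerBasicAuthPassword = 'secret'
    _webServerAPIKey = 'apisecret'
    # presumably substituted, in this order, into the %s placeholders of the
    # template by DNSDistTest - confirm
    _config_params = ['_testServerPort', '_webServerPort', '_webServerBasicAuthPassword', '_webServerAPIKey']
    _config_template = """
    setACL({"127.0.0.1/32", "::1/128"})
    newServer{address="127.0.0.1:%s"}
    getServer(0):setDown()
    webserver("127.0.0.1:%s", "%s", "%s")
    """

    def testServerDownNoLatencyLocalhost(self):
        """
        API: /api/v1/servers/localhost, no latency for a down server
        """
        headers = {'x-api-key': self._webServerAPIKey}
        url = 'http://127.0.0.1:' + str(self._webServerPort) + '/api/v1/servers/localhost'
        r = requests.get(url, headers=headers, timeout=self._webTimeout)
        self.assertEqual(r.status_code, 200)
        # the listing never assigns `content`; it is taken from the JSON body
        content = r.json()
        self.assertTrue(content)

        # JSON null decodes to None
        self.assertIsNone(content['servers'][0]['latency'])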
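class TestAPIWritable(DNSDistTest):
    """
    ACL update through the REST API once setAPIWritable(true, dir) is set.

    The test changes allow-from with a PUT authenticated by the API key,
    reads the value back, and checks the file the daemon writes into the
    configured directory.
    """

    # NOTE(review): this listing skips source lines 325-326; _webTimeout is
    # read below but not assigned on any visible line of this class -
    # presumably set there or inherited from DNSDistTest.
    _webServerPort = 8083
    _webServerBasicAuthPassword = 'secret'
    _webServerAPIKey = 'apisecret'
    # NOTE(review): /tmp is shared and the file name checked below is fixed
    # (acl.conf), so a file left by an earlier run or by another local user
    # satisfies the isfile() check. A per-run private directory would make the
    # file check prove that this run wrote it.
    _APIWriteDir = '/tmp'
    # presumably substituted, in this order, into the %s placeholders of the
    # template by DNSDistTest - confirm
    _config_params = ['_testServerPort', '_webServerPort', '_webServerBasicAuthPassword', '_webServerAPIKey', '_APIWriteDir']
    _config_template = """
    setACL({"127.0.0.1/32", "::1/128"})
    newServer{address="127.0.0.1:%s"}
    webserver("127.0.0.1:%s", "%s", "%s")
    setAPIWritable(true, "%s")
    """

    def testSetACL(self):
        """
        API: PUT /api/v1/servers/localhost/config/allow-from on a writable API
        """
        # NOTE(review): only the authorised write is exercised here; a PUT
        # carrying a wrong key against the writable API is not covered.
        headers = {'x-api-key': self._webServerAPIKey}
        url = 'http://127.0.0.1:' + str(self._webServerPort) + '/api/v1/servers/localhost/config/allow-from'

        # starting point: the ACL from the configuration template
        r = requests.get(url, headers=headers, timeout=self._webTimeout)
        self.assertEqual(r.status_code, 200)
        # the listing never assigns `content`; it is taken from the JSON body
        content = r.json()
        self.assertTrue(content)
        acl = content['value']
        expectedACL = ["127.0.0.1/32", "::1/128"]
        # compared order-insensitively: the file check below accepts every
        # ordering of the ACL, so the order is not relied on
        self.assertEqual(sorted(acl), sorted(expectedACL))

        newACL = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]
        # source line 359 is missing from the listing; "value" is the key the
        # responses carry the ACL under
        payload = json.dumps({"name": "allow-from",
                              "type": "ConfigSetting",
                              "value": newACL})
        r = requests.put(url, headers=headers, timeout=self._webTimeout, data=payload)
        self.assertEqual(r.status_code, 200)
        content = r.json()
        self.assertTrue(content)
        acl = content['value']
        self.assertEqual(sorted(acl), sorted(newACL))

        # a fresh GET must report the new ACL as well
        r = requests.get(url, headers=headers, timeout=self._webTimeout)
        self.assertEqual(r.status_code, 200)
        content = r.json()
        self.assertTrue(content)
        acl = content['value']
        self.assertEqual(sorted(acl), sorted(newACL))

        configFile = os.path.join(self._APIWriteDir, 'acl.conf')
        self.assertTrue(os.path.isfile(configFile))
        with open(configFile, 'rt') as f:
            header = f.readline()
            # source lines 383-384 are missing from the listing; `body` is
            # compared with one-line setACL statements, so it is the next line
            body = f.readline()

        self.assertEqual(header, """-- Generated by the REST API, DO NOT EDIT\n""")

        # every ordering of the three networks is accepted
        self.assertIn(body, {
            """setACL({"192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"})\n""",
            """setACL({"192.0.2.0/24", "203.0.113.0/24", "198.51.100.0/24"})\n""",
            """setACL({"198.51.100.0/24", "192.0.2.0/24", "203.0.113.0/24"})\n""",
            """setACL({"198.51.100.0/24", "203.0.113.0/24", "192.0.2.0/24"})\n""",
            """setACL({"203.0.113.0/24", "192.0.2.0/24", "198.51.100.0/24"})\n""",
            """setACL({"203.0.113.0/24", "198.51.100.0/24", "192.0.2.0/24"})\n"""
        })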
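class TestAPICustomHeaders(DNSDistTest):
    """
    Custom response headers of the web server.

    The configuration sets X-Frame-Options to an empty value and adds
    X-Custom. The tests check that the former is then absent from responses
    and that replacing the custom headers over the console brings it back.
    """

    # NOTE(review): this listing skips source lines 397-398; _webTimeout and
    # _consolePort are read but not assigned on any visible line of this
    # class - presumably set there or inherited from DNSDistTest.
    _webServerPort = 8083
    _webServerBasicAuthPassword = 'secret'
    _webServerAPIKey = 'apisecret'
    # paths accessible using the API key only
    _apiOnlyPath = '/api/v1/servers/localhost/config'
    # paths accessible using basic auth only (list not exhaustive)
    # NOTE(review): source line 405 is missing from the listing. The tests
    # read self._basicOnlyPath, so the attribute is restored with the first
    # basic-auth-only path listed in TestAPIBasics - confirm upstream.
    _basicOnlyPath = '/'
    _consoleKey = DNSDistTest.generateConsoleKey()
    _consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
    _config_params = ['_consoleKeyB64', '_consolePort', '_testServerPort', '_webServerPort', '_webServerBasicAuthPassword', '_webServerAPIKey']
    # NOTE(review): source line 410 is missing from the listing. Six
    # parameters feed five visible placeholders and the first parameter is the
    # base64 console key, so the first line is restored as setKey("%s") -
    # confirm upstream.
    _config_template = """
    setKey("%s")
    controlSocket("127.0.0.1:%s")
    setACL({"127.0.0.1/32", "::1/128"})
    newServer({address="127.0.0.1:%s"})
    webserver("127.0.0.1:%s", "%s", "%s", {["X-Frame-Options"]="", ["X-Custom"]="custom"})
    """

    def testBasicHeaders(self):
        """
        API: Basic custom headers
        """
        # NOTE(review): if the daemon is shared by the tests of this class,
        # this test only holds while it runs before testBasicHeadersUpdate,
        # which replaces the custom headers - confirm.
        url = 'http://127.0.0.1:' + str(self._webServerPort) + self._basicOnlyPath

        r = requests.get(url, auth=('whatever', self._webServerBasicAuthPassword), timeout=self._webTimeout)
        self.assertEqual(r.status_code, 200)
        self.assertEqual(r.headers.get('x-custom'), "custom")
        # configured with an empty value, so the header must not be sent
        self.assertNotIn("x-frame-options", r.headers)

    def testBasicHeadersUpdate(self):
        """
        API: Basic update of custom headers
        """
        url = 'http://127.0.0.1:' + str(self._webServerPort) + self._basicOnlyPath
        self.sendConsoleCommand('setWebserverConfig({customHeaders={["x-powered-by"]="dnsdist"}})')
        r = requests.get(url, auth=('whatever', self._webServerBasicAuthPassword), timeout=self._webTimeout)
        self.assertEqual(r.status_code, 200)
        self.assertEqual(r.headers.get('x-powered-by'), "dnsdist")
        # the new header set no longer blanks X-Frame-Options, so the
        # response is expected to carry it again
        self.assertIn("x-frame-options", r.headers)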
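class TestAPIAuth(DNSDistTest):
    """
    Credential changes made at runtime through the console.

    Each test sets a new basic-auth password or API key with
    setWebserverConfig() and checks that the new credential is accepted and
    the previous one is rejected.
    """

    # NOTE(review): this listing skips source lines 445-446; _webTimeout and
    # _consolePort are read but not assigned on any visible line of this
    # class - presumably set there or inherited from DNSDistTest.
    _webServerPort = 8083
    _webServerBasicAuthPassword = 'secret'
    _webServerBasicAuthPasswordNew = 'password'
    _webServerAPIKey = 'apisecret'
    _webServerAPIKeyNew = 'apipassword'
    # paths accessible using the API key only
    _apiOnlyPath = '/api/v1/servers/localhost/config'
    # paths accessible using basic auth only (list not exhaustive)
    # NOTE(review): source line 455 is missing from the listing. The tests
    # read self._basicOnlyPath, so the attribute is restored with the first
    # basic-auth-only path listed in TestAPIBasics - confirm upstream.
    _basicOnlyPath = '/'
    _consoleKey = DNSDistTest.generateConsoleKey()
    _consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
    _config_params = ['_consoleKeyB64', '_consolePort', '_testServerPort', '_webServerPort', '_webServerBasicAuthPassword', '_webServerAPIKey']
    # NOTE(review): source line 460 is missing from the listing. Six
    # parameters feed five visible placeholders and the first parameter is the
    # base64 console key, so the first line is restored as setKey("%s") -
    # confirm upstream.
    _config_template = """
    setKey("%s")
    controlSocket("127.0.0.1:%s")
    setACL({"127.0.0.1/32", "::1/128"})
    newServer{address="127.0.0.1:%s"}
    webserver("127.0.0.1:%s", "%s", "%s")
    """

    def testBasicAuthChange(self):
        """
        API: Basic Authentication updating credentials
        """
        url = 'http://127.0.0.1:' + str(self._webServerPort) + self._basicOnlyPath
        # the value is placed into the Lua command unescaped; that is fine for
        # the fixed constant used here, but a value containing a double quote
        # would alter the command
        self.sendConsoleCommand('setWebserverConfig({{password="{}"}})'.format(self._webServerBasicAuthPasswordNew))

        r = requests.get(url, auth=('whatever', self._webServerBasicAuthPasswordNew), timeout=self._webTimeout)
        self.assertEqual(r.status_code, 200)

        # Make sure the old password is not usable any more
        r = requests.get(url, auth=('whatever', self._webServerBasicAuthPassword), timeout=self._webTimeout)
        self.assertEqual(r.status_code, 401)

    def testXAPIKeyChange(self):
        """
        API: X-Api-Key updating credentials
        """
        url = 'http://127.0.0.1:' + str(self._webServerPort) + self._apiOnlyPath
        self.sendConsoleCommand('setWebserverConfig({{apiKey="{}"}})'.format(self._webServerAPIKeyNew))

        headers = {'x-api-key': self._webServerAPIKeyNew}
        r = requests.get(url, headers=headers, timeout=self._webTimeout)
        self.assertEqual(r.status_code, 200)

        # Make sure the old API key is not usable any more
        headers = {'x-api-key': self._webServerAPIKey}
        r = requests.get(url, headers=headers, timeout=self._webTimeout)
        self.assertEqual(r.status_code, 401)

    def testBasicAuthOnlyChange(self):
        """
        API: X-Api-Key updated to none (disabled)
        """
        url = 'http://127.0.0.1:' + str(self._webServerPort) + self._apiOnlyPath
        self.sendConsoleCommand('setWebserverConfig({{apiKey="{}"}})'.format(self._webServerAPIKeyNew))

        headers = {'x-api-key': self._webServerAPIKeyNew}
        r = requests.get(url, headers=headers, timeout=self._webTimeout)
        self.assertEqual(r.status_code, 200)

        # an empty key is expected to switch key authentication off, not to
        # open the API: the key that worked a moment ago must now be refused
        # NOTE(review): a request with an empty or absent x-api-key header is
        # not checked after this point; that case would show that an empty
        # configured key cannot be matched by an empty header.
        self.sendConsoleCommand('setWebserverConfig({apiKey=""})')

        r = requests.get(url, headers=headers, timeout=self._webTimeout)
        self.assertEqual(r.status_code, 401)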