1 #!/usr/bin/env python
2 import os.path
3
4 import base64
5 import json
6 import requests
7 from dnsdisttests import DNSDistTest
8
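class TestAPIBasics(DNSDistTest):
    """Regression tests for the dnsdist web server and read-only REST API.

    The configuration template limits the ACL to loopback, declares one backend
    and starts the web server on 127.0.0.1 with a basic-auth password and an
    API key. The tests check which credential each path accepts and the shape
    of the JSON documents that come back.
    """

    _webTimeout = 2.0
    _webServerPort = 8083
    # Fixed test credentials; the web server they protect is bound to 127.0.0.1
    # by the template below.
    _webServerBasicAuthPassword = 'secret'
    _webServerAPIKey = 'apisecret'
    # paths accessible using the API key only
    _apiOnlyPaths = ['/api/v1/servers/localhost/config', '/api/v1/servers/localhost/config/allow-from', '/api/v1/servers/localhost/statistics']
    # paths accessible using an API key or basic auth
    _statsPaths = ['/jsonstat?command=stats', '/jsonstat?command=dynblocklist', '/api/v1/servers/localhost']
    # paths accessible using basic auth only (list not exhaustive)
    _basicOnlyPaths = ['/', '/index.html']
    _config_params = ['_testServerPort', '_webServerPort', '_webServerBasicAuthPassword', '_webServerAPIKey']
    _config_template = """
    setACL({"127.0.0.1/32", "::1/128"})
    newServer{address="127.0.0.1:%s"}
    webserver("127.0.0.1:%s", "%s", "%s")
    """

    def testBasicAuth(self):
        """
        API: Basic Authentication

        A wrong password must be rejected with 401 and the configured one
        accepted, on every path that allows basic auth.
        """
        # NOTE(review): a request carrying no credentials at all is not
        # exercised here; only a wrong password is.
        for path in self._basicOnlyPaths + self._statsPaths:
            url = 'http://127.0.0.1:' + str(self._webServerPort) + path
            r = requests.get(url, auth=('whatever', "evilsecret"), timeout=self._webTimeout)
            self.assertEqual(r.status_code, 401)
            r = requests.get(url, auth=('whatever', self._webServerBasicAuthPassword), timeout=self._webTimeout)
            self.assertTrue(r)
            self.assertEqual(r.status_code, 200)

    def testXAPIKey(self):
        """
        API: X-Api-Key

        The configured key must open every path that allows API-key access.
        """
        headers = {'x-api-key': self._webServerAPIKey}
        for path in self._apiOnlyPaths + self._statsPaths:
            url = 'http://127.0.0.1:' + str(self._webServerPort) + path
            r = requests.get(url, headers=headers, timeout=self._webTimeout)
            self.assertTrue(r)
            self.assertEqual(r.status_code, 200)

    def testWrongXAPIKey(self):
        """
        API: Wrong X-Api-Key

        An unknown key must be answered with 401 on every API-key path.
        """
        headers = {'x-api-key': "evilapikey"}
        for path in self._apiOnlyPaths + self._statsPaths:
            url = 'http://127.0.0.1:' + str(self._webServerPort) + path
            r = requests.get(url, headers=headers, timeout=self._webTimeout)
            self.assertEqual(r.status_code, 401)

    def testBasicAuthOnly(self):
        """
        API: Basic Authentication Only

        A valid API key must not grant access to the basic-auth-only paths.
        """
        headers = {'x-api-key': self._webServerAPIKey}
        for path in self._basicOnlyPaths:
            url = 'http://127.0.0.1:' + str(self._webServerPort) + path
            r = requests.get(url, headers=headers, timeout=self._webTimeout)
            self.assertEqual(r.status_code, 401)

    def testAPIKeyOnly(self):
        """
        API: API Key Only

        A valid basic-auth password must not grant access to the API-only paths.
        """
        for path in self._apiOnlyPaths:
            url = 'http://127.0.0.1:' + str(self._webServerPort) + path
            r = requests.get(url, auth=('whatever', self._webServerBasicAuthPassword), timeout=self._webTimeout)
            self.assertEqual(r.status_code, 401)

    def testServersLocalhost(self):
        """
        API: /api/v1/servers/localhost
        """
        headers = {'x-api-key': self._webServerAPIKey}
        url = 'http://127.0.0.1:' + str(self._webServerPort) + '/api/v1/servers/localhost'
        r = requests.get(url, headers=headers, timeout=self._webTimeout)
        self.assertTrue(r)
        self.assertEqual(r.status_code, 200)
        content = r.json()
        self.assertTrue(content)

        self.assertEqual(content['daemon_type'], 'dnsdist')

        rule_groups = ['response-rules', 'cache-hit-response-rules', 'self-answered-response-rules', 'rules']
        for key in ['version', 'acl', 'local', 'servers', 'frontends', 'pools'] + rule_groups:
            self.assertIn(key, content)

        for rule_group in rule_groups:
            for rule in content[rule_group]:
                for key in ['id', 'creationOrder', 'matches', 'rule', 'action', 'uuid']:
                    self.assertIn(key, rule)
                for key in ['id', 'creationOrder', 'matches']:
                    self.assertGreaterEqual(rule[key], 0)

        for server in content['servers']:
            for key in ['id', 'latency', 'name', 'weight', 'outstanding', 'qpsLimit',
                        'reuseds', 'state', 'address', 'pools', 'qps', 'queries', 'order', 'sendErrors',
                        'dropRate']:
                self.assertIn(key, server)

            for key in ['id', 'latency', 'weight', 'outstanding', 'qpsLimit', 'reuseds',
                        'qps', 'queries', 'order']:
                self.assertGreaterEqual(server[key], 0)

            self.assertIn(server['state'], ['up', 'down', 'UP', 'DOWN'])

        for frontend in content['frontends']:
            for key in ['id', 'address', 'udp', 'tcp', 'type', 'queries']:
                self.assertIn(key, frontend)

            for key in ['id', 'queries']:
                self.assertGreaterEqual(frontend[key], 0)

        for pool in content['pools']:
            for key in ['id', 'name', 'cacheSize', 'cacheEntries', 'cacheHits', 'cacheMisses', 'cacheDeferredInserts', 'cacheDeferredLookups', 'cacheLookupCollisions', 'cacheInsertCollisions', 'cacheTTLTooShorts']:
                self.assertIn(key, pool)

            for key in ['id', 'cacheSize', 'cacheEntries', 'cacheHits', 'cacheMisses', 'cacheDeferredInserts', 'cacheDeferredLookups', 'cacheLookupCollisions', 'cacheInsertCollisions', 'cacheTTLTooShorts']:
                self.assertGreaterEqual(pool[key], 0)

    def testServersIDontExist(self):
        """
        API: /api/v1/servers/idontexist (should be 404)
        """
        headers = {'x-api-key': self._webServerAPIKey}
        url = 'http://127.0.0.1:' + str(self._webServerPort) + '/api/v1/servers/idontexist'
        r = requests.get(url, headers=headers, timeout=self._webTimeout)
        self.assertEqual(r.status_code, 404)

    def testServersLocalhostConfig(self):
        """
        API: /api/v1/servers/localhost/config
        """
        headers = {'x-api-key': self._webServerAPIKey}
        url = 'http://127.0.0.1:' + str(self._webServerPort) + '/api/v1/servers/localhost/config'
        r = requests.get(url, headers=headers, timeout=self._webTimeout)
        self.assertTrue(r)
        self.assertEqual(r.status_code, 200)
        content = r.json()
        self.assertTrue(content)

        # Flatten the list of ConfigSetting entries into a name -> value map.
        values = {}
        for entry in content:
            for key in ['type', 'name', 'value']:
                self.assertIn(key, entry)

            self.assertEqual(entry['type'], 'ConfigSetting')
            values[entry['name']] = entry['value']

        for key in ['acl', 'control-socket', 'ecs-override', 'ecs-source-prefix-v4',
                    'ecs-source-prefix-v6', 'fixup-case', 'max-outstanding', 'server-policy',
                    'stale-cache-entries-ttl', 'tcp-recv-timeout', 'tcp-send-timeout',
                    'truncate-tc', 'verbose', 'verbose-health-checks']:
            self.assertIn(key, values)

        for key in ['max-outstanding', 'stale-cache-entries-ttl', 'tcp-recv-timeout',
                    'tcp-send-timeout']:
            self.assertGreaterEqual(values[key], 0)

        # Prefix lengths are bounded by the address width: 32 for v4, 128 for v6.
        self.assertGreaterEqual(values['ecs-source-prefix-v4'], 0)
        self.assertLessEqual(values['ecs-source-prefix-v4'], 32)
        self.assertGreaterEqual(values['ecs-source-prefix-v6'], 0)
        self.assertLessEqual(values['ecs-source-prefix-v6'], 128)

    def testServersLocalhostConfigAllowFrom(self):
        """
        API: /api/v1/servers/localhost/config/allow-from
        """
        headers = {'x-api-key': self._webServerAPIKey}
        url = 'http://127.0.0.1:' + str(self._webServerPort) + '/api/v1/servers/localhost/config/allow-from'
        r = requests.get(url, headers=headers, timeout=self._webTimeout)
        self.assertTrue(r)
        self.assertEqual(r.status_code, 200)
        content = r.json()
        self.assertTrue(content)
        for key in ['type', 'name', 'value']:
            self.assertIn(key, content)

        self.assertEqual(content['name'], 'allow-from')
        self.assertEqual(content['type'], 'ConfigSetting')
        # The reported ACL must be exactly what setACL() configured; order is
        # not significant.
        expectedACL = ["127.0.0.1/32", "::1/128"]
        self.assertEqual(sorted(content['value']), sorted(expectedACL))

    def testServersLocalhostConfigAllowFromPut(self):
        """
        API: PUT /api/v1/servers/localhost/config/allow-from (should be refused)

        The API is read-only by default, so this should be refused
        """
        newACL = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]
        payload = json.dumps({"name": "allow-from",
                              "type": "ConfigSetting",
                              "value": newACL})
        headers = {'x-api-key': self._webServerAPIKey}
        url = 'http://127.0.0.1:' + str(self._webServerPort) + '/api/v1/servers/localhost/config/allow-from'
        r = requests.put(url, headers=headers, timeout=self._webTimeout, data=payload)
        # Even with a valid API key the write must fail: 405, not 401.
        self.assertFalse(r)
        self.assertEqual(r.status_code, 405)

    def testServersLocalhostStatistics(self):
        """
        API: /api/v1/servers/localhost/statistics
        """
        headers = {'x-api-key': self._webServerAPIKey}
        url = 'http://127.0.0.1:' + str(self._webServerPort) + '/api/v1/servers/localhost/statistics'
        r = requests.get(url, headers=headers, timeout=self._webTimeout)
        self.assertTrue(r)
        self.assertEqual(r.status_code, 200)
        content = r.json()
        self.assertTrue(content)

        values = {}
        for entry in content:
            self.assertIn('type', entry)
            self.assertIn('name', entry)
            self.assertIn('value', entry)
            self.assertEqual(entry['type'], 'StatisticItem')
            values[entry['name']] = entry['value']

        expected = ['responses', 'servfail-responses', 'queries', 'acl-drops',
                    'frontend-noerror', 'frontend-nxdomain', 'frontend-servfail',
                    'rule-drop', 'rule-nxdomain', 'rule-refused', 'self-answered', 'downstream-timeouts',
                    'downstream-send-errors', 'trunc-failures', 'no-policy', 'latency0-1',
                    'latency1-10', 'latency10-50', 'latency50-100', 'latency100-1000',
                    'latency-slow', 'latency-sum', 'latency-count', 'latency-avg100', 'latency-avg1000',
                    'latency-avg10000', 'latency-avg1000000', 'uptime', 'real-memory-usage', 'noncompliant-queries',
                    'noncompliant-responses', 'rdqueries', 'empty-queries', 'cache-hits',
                    'cache-misses', 'cpu-iowait', 'cpu-steal', 'cpu-sys-msec', 'cpu-user-msec', 'fd-usage', 'dyn-blocked',
                    'dyn-block-nmg-size', 'rule-servfail', 'security-status',
                    'udp-in-errors', 'udp-noport-errors', 'udp-recvbuf-errors', 'udp-sndbuf-errors']

        for key in expected:
            self.assertIn(key, values)
            self.assertGreaterEqual(values[key], 0)

        # The comparison is strict in both directions: a statistic the server
        # exposes but this list does not name fails the test.
        for key in values:
            self.assertIn(key, expected)

    def testJsonstatStats(self):
        """
        API: /jsonstat?command=stats
        """
        headers = {'x-api-key': self._webServerAPIKey}
        url = 'http://127.0.0.1:' + str(self._webServerPort) + '/jsonstat?command=stats'
        r = requests.get(url, headers=headers, timeout=self._webTimeout)
        self.assertTrue(r)
        self.assertEqual(r.status_code, 200)
        content = r.json()
        self.assertTrue(content)

        expected = ['responses', 'servfail-responses', 'queries', 'acl-drops',
                    'frontend-noerror', 'frontend-nxdomain', 'frontend-servfail',
                    'rule-drop', 'rule-nxdomain', 'rule-refused', 'self-answered', 'downstream-timeouts',
                    'downstream-send-errors', 'trunc-failures', 'no-policy', 'latency0-1',
                    'latency1-10', 'latency10-50', 'latency50-100', 'latency100-1000',
                    'latency-slow', 'latency-avg100', 'latency-avg1000', 'latency-avg10000',
                    'latency-avg1000000', 'uptime', 'real-memory-usage', 'noncompliant-queries',
                    'noncompliant-responses', 'rdqueries', 'empty-queries', 'cache-hits',
                    'cache-misses', 'cpu-user-msec', 'cpu-sys-msec', 'fd-usage', 'dyn-blocked',
                    'dyn-block-nmg-size', 'packetcache-hits', 'packetcache-misses', 'over-capacity-drops',
                    'too-old-drops']

        for key in expected:
            self.assertIn(key, content)
            self.assertGreaterEqual(content[key], 0)

    def testJsonstatDynblocklist(self):
        """
        API: /jsonstat?command=dynblocklist
        """
        headers = {'x-api-key': self._webServerAPIKey}
        url = 'http://127.0.0.1:' + str(self._webServerPort) + '/jsonstat?command=dynblocklist'
        r = requests.get(url, headers=headers, timeout=self._webTimeout)
        self.assertTrue(r)
        self.assertEqual(r.status_code, 200)

        content = r.json()

        # An empty document is accepted; the field checks only run when the
        # server returned something.
        if content:
            for key in ['reason', 'seconds', 'blocks', 'action']:
                self.assertIn(key, content)

            for key in ['blocks']:
                self.assertGreaterEqual(content[key], 0)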
294
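class TestAPIServerDown(DNSDistTest):
    """Check how the API reports a backend that was explicitly marked down.

    The configuration template calls ``getServer(0):setDown()`` right after
    declaring the only backend.
    """

    _webTimeout = 2.0
    _webServerPort = 8083
    # Fixed test credentials; the web server is bound to 127.0.0.1.
    _webServerBasicAuthPassword = 'secret'
    _webServerAPIKey = 'apisecret'
    _config_params = ['_testServerPort', '_webServerPort', '_webServerBasicAuthPassword', '_webServerAPIKey']
    _config_template = """
    setACL({"127.0.0.1/32", "::1/128"})
    newServer{address="127.0.0.1:%s"}
    getServer(0):setDown()
    webserver("127.0.0.1:%s", "%s", "%s")
    """

    def testServerDownNoLatencyLocalhost(self):
        """
        API: /api/v1/servers/localhost, no latency for a down server
        """
        headers = {'x-api-key': self._webServerAPIKey}
        url = 'http://127.0.0.1:' + str(self._webServerPort) + '/api/v1/servers/localhost'
        r = requests.get(url, headers=headers, timeout=self._webTimeout)
        self.assertTrue(r)
        self.assertEqual(r.status_code, 200)
        content = r.json()
        self.assertTrue(content)

        # The latency of the down backend is expected as JSON null, not 0.
        self.assertIsNone(content['servers'][0]['latency'])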
323
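class TestAPIWritable(DNSDistTest):
    """Exercise the REST API once ``setAPIWritable(true, dir)`` is enabled.

    With a writable API, a holder of the API key can replace the ACL at runtime
    and the new ACL is saved to ``acl.conf`` in the configured directory.
    """

    _webTimeout = 2.0
    _webServerPort = 8083
    # Fixed test credentials; the web server is bound to 127.0.0.1.
    _webServerBasicAuthPassword = 'secret'
    _webServerAPIKey = 'apisecret'
    # NOTE(review): /tmp is shared and the file name written there is fixed. On
    # a multi-user or shared CI host a directory created for this run would
    # avoid collisions with, or interference from, other users.
    _APIWriteDir = '/tmp'
    _config_params = ['_testServerPort', '_webServerPort', '_webServerBasicAuthPassword', '_webServerAPIKey', '_APIWriteDir']
    _config_template = """
    setACL({"127.0.0.1/32", "::1/128"})
    newServer{address="127.0.0.1:%s"}
    webserver("127.0.0.1:%s", "%s", "%s")
    setAPIWritable(true, "%s")
    """

    def testSetACL(self):
        """
        API: Set ACL

        Read the initial ACL, replace it with a PUT, read it back, then check
        the configuration file written to the API write directory.
        """
        headers = {'x-api-key': self._webServerAPIKey}
        url = 'http://127.0.0.1:' + str(self._webServerPort) + '/api/v1/servers/localhost/config/allow-from'
        configFile = self._APIWriteDir + '/' + 'acl.conf'

        # A file left behind by an earlier run would satisfy the file checks
        # at the end even if this PUT wrote nothing, so remove it first.
        if os.path.isfile(configFile):
            os.remove(configFile)

        r = requests.get(url, headers=headers, timeout=self._webTimeout)
        self.assertTrue(r)
        self.assertEqual(r.status_code, 200)
        content = r.json()
        self.assertTrue(content)
        expectedACL = ["127.0.0.1/32", "::1/128"]
        self.assertEqual(sorted(content['value']), sorted(expectedACL))

        # Documentation-only prefixes, listed in sorted order so the sorted
        # responses can be compared against the list directly.
        newACL = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]
        payload = json.dumps({"name": "allow-from",
                              "type": "ConfigSetting",
                              "value": newACL})
        r = requests.put(url, headers=headers, timeout=self._webTimeout, data=payload)
        self.assertTrue(r)
        self.assertEqual(r.status_code, 200)
        content = r.json()
        self.assertTrue(content)
        self.assertEqual(sorted(content['value']), newACL)

        # The change must also be visible to a fresh GET, not only echoed back
        # in the PUT response.
        r = requests.get(url, headers=headers, timeout=self._webTimeout)
        self.assertTrue(r)
        self.assertEqual(r.status_code, 200)
        content = r.json()
        self.assertTrue(content)
        self.assertEqual(sorted(content['value']), newACL)

        self.assertTrue(os.path.isfile(configFile))
        with open(configFile, 'rt') as f:
            header = f.readline()
            body = f.readline()

        self.assertEqual(header, """-- Generated by the REST API, DO NOT EDIT\n""")

        # The order of the entries in the generated setACL() call is not
        # fixed, so every permutation of the three prefixes is accepted.
        self.assertIn(body, {
            """setACL({"192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"})\n""",
            """setACL({"192.0.2.0/24", "203.0.113.0/24", "198.51.100.0/24"})\n""",
            """setACL({"198.51.100.0/24", "192.0.2.0/24", "203.0.113.0/24"})\n""",
            """setACL({"198.51.100.0/24", "203.0.113.0/24", "192.0.2.0/24"})\n""",
            """setACL({"203.0.113.0/24", "192.0.2.0/24", "198.51.100.0/24"})\n""",
            """setACL({"203.0.113.0/24", "198.51.100.0/24", "192.0.2.0/24"})\n"""
        })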
395
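class TestAPICustomHeaders(DNSDistTest):
    """Check custom HTTP response headers set at startup and via the console.

    The initial configuration passes a header table to ``webserver()`` that
    gives X-Frame-Options an empty value and adds an X-Custom header.
    """

    _webTimeout = 2.0
    _webServerPort = 8083
    # Fixed test credentials; the web server is bound to 127.0.0.1.
    _webServerBasicAuthPassword = 'secret'
    _webServerAPIKey = 'apisecret'
    # paths accessible using the API key only
    _apiOnlyPath = '/api/v1/servers/localhost/config'
    # paths accessible using basic auth only (list not exhaustive)
    _basicOnlyPath = '/'
    # Console key generated by the harness and passed to setKey() below; the
    # console is what testBasicHeadersUpdate uses to change the configuration.
    _consoleKey = DNSDistTest.generateConsoleKey()
    _consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
    _config_params = ['_consoleKeyB64', '_consolePort', '_testServerPort', '_webServerPort', '_webServerBasicAuthPassword', '_webServerAPIKey']
    _config_template = """
    setKey("%s")
    controlSocket("127.0.0.1:%s")
    setACL({"127.0.0.1/32", "::1/128"})
    newServer({address="127.0.0.1:%s"})
    webserver("127.0.0.1:%s", "%s", "%s", {["X-Frame-Options"]="", ["X-Custom"]="custom"})
    """

    def testBasicHeaders(self):
        """
        API: Basic custom headers
        """
        # NOTE(review): this relies on the headers from the initial
        # configuration; presumably it has to run before
        # testBasicHeadersUpdate changes them on the same instance - confirm
        # how the harness orders tests and restarts dnsdist.
        url = 'http://127.0.0.1:' + str(self._webServerPort) + self._basicOnlyPath

        r = requests.get(url, auth=('whatever', self._webServerBasicAuthPassword), timeout=self._webTimeout)
        self.assertTrue(r)
        self.assertEqual(r.status_code, 200)
        self.assertEqual(r.headers.get('x-custom'), "custom")
        # An empty value in the header table is expected to suppress the
        # header altogether rather than send it empty.
        self.assertNotIn("x-frame-options", r.headers)

    def testBasicHeadersUpdate(self):
        """
        API: Basic update of custom headers
        """

        url = 'http://127.0.0.1:' + str(self._webServerPort) + self._basicOnlyPath
        self.sendConsoleCommand('setWebserverConfig({customHeaders={["x-powered-by"]="dnsdist"}})')
        r = requests.get(url, auth=('whatever', self._webServerBasicAuthPassword), timeout=self._webTimeout)
        self.assertTrue(r)
        self.assertEqual(r.status_code, 200)
        self.assertEqual(r.headers.get('x-powered-by'), "dnsdist")
        # The new table no longer blanks X-Frame-Options, so the response is
        # expected to carry that header again.
        self.assertIn("x-frame-options", r.headers)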
442
443
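class TestAPIAuth(DNSDistTest):
    """Check that web server credentials can be rotated at runtime.

    Each test changes a credential through the console with
    ``setWebserverConfig()`` and then verifies both halves of the rotation:
    the new credential is accepted and the old one is rejected with 401.
    """

    _webTimeout = 2.0
    _webServerPort = 8083
    # Fixed test credentials; the web server is bound to 127.0.0.1. The *New
    # values are not in _config_params: they are only applied via the console.
    _webServerBasicAuthPassword = 'secret'
    _webServerBasicAuthPasswordNew = 'password'
    _webServerAPIKey = 'apisecret'
    _webServerAPIKeyNew = 'apipassword'
    # paths accessible using the API key only
    _apiOnlyPath = '/api/v1/servers/localhost/config'
    # paths accessible using basic auth only (list not exhaustive)
    _basicOnlyPath = '/'
    # Console key generated by the harness and passed to setKey() below.
    _consoleKey = DNSDistTest.generateConsoleKey()
    _consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
    _config_params = ['_consoleKeyB64', '_consolePort', '_testServerPort', '_webServerPort', '_webServerBasicAuthPassword', '_webServerAPIKey']
    _config_template = """
    setKey("%s")
    controlSocket("127.0.0.1:%s")
    setACL({"127.0.0.1/32", "::1/128"})
    newServer{address="127.0.0.1:%s"}
    webserver("127.0.0.1:%s", "%s", "%s")
    """

    def testBasicAuthChange(self):
        """
        API: Basic Authentication updating credentials
        """

        url = 'http://127.0.0.1:' + str(self._webServerPort) + self._basicOnlyPath
        # The value is interpolated unescaped into a Lua statement; that is
        # fine for this constant, which contains no quote characters.
        self.sendConsoleCommand('setWebserverConfig({{password="{}"}})'.format(self._webServerBasicAuthPasswordNew))

        r = requests.get(url, auth=('whatever', self._webServerBasicAuthPasswordNew), timeout=self._webTimeout)
        self.assertTrue(r)
        self.assertEqual(r.status_code, 200)

        # Make sure the old password is not usable any more
        r = requests.get(url, auth=('whatever', self._webServerBasicAuthPassword), timeout=self._webTimeout)
        self.assertEqual(r.status_code, 401)

    def testXAPIKeyChange(self):
        """
        API: X-Api-Key updating credentials
        """

        url = 'http://127.0.0.1:' + str(self._webServerPort) + self._apiOnlyPath
        self.sendConsoleCommand('setWebserverConfig({{apiKey="{}"}})'.format(self._webServerAPIKeyNew))

        headers = {'x-api-key': self._webServerAPIKeyNew}
        r = requests.get(url, headers=headers, timeout=self._webTimeout)
        self.assertTrue(r)
        self.assertEqual(r.status_code, 200)

        # Make sure the old API key is not usable any more
        headers = {'x-api-key': self._webServerAPIKey}
        r = requests.get(url, headers=headers, timeout=self._webTimeout)
        self.assertEqual(r.status_code, 401)

    def testBasicAuthOnlyChange(self):
        """
        API: X-Api-Key updated to none (disabled)
        """

        url = 'http://127.0.0.1:' + str(self._webServerPort) + self._apiOnlyPath
        self.sendConsoleCommand('setWebserverConfig({{apiKey="{}"}})'.format(self._webServerAPIKeyNew))

        headers = {'x-api-key': self._webServerAPIKeyNew}
        r = requests.get(url, headers=headers, timeout=self._webTimeout)
        self.assertTrue(r)
        self.assertEqual(r.status_code, 200)

        # now disable apiKey
        self.sendConsoleCommand('setWebserverConfig({apiKey=""})')

        # An empty key must disable API-key access rather than accept any
        # key: the key that worked a moment ago is now refused.
        r = requests.get(url, headers=headers, timeout=self._webTimeout)
        self.assertEqual(r.status_code, 401)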