From: Michal Nowak
Date: Wed, 17 Jan 2024 19:43:21 +0000 (+0100)
Subject: Rewrite cipher-suites system test to pytest
X-Git-Tag: v9.21.5~30^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=100b75986322d5105734bd9c1e70a2e5a987dc2d;p=thirdparty%2Fbind9.git

Rewrite cipher-suites system test to pytest

The minimal required dnspython version is 2.5.0 because of the need for the "verify" argument in dns.query.tls().
---
diff --git a/bin/tests/system/cipher-suites/setup.sh b/bin/tests/system/cipher-suites/setup.sh
index 9d7d0a928ec..71b94b9fb73 100644
--- a/bin/tests/system/cipher-suites/setup.sh
+++ b/bin/tests/system/cipher-suites/setup.sh
@@ -13,7 +13,13 @@
 
 . ../conf.sh
 
-$SHELL "${TOP_SRCDIR}/bin/tests/system/genzone.sh" 2 >ns1/example.db
+# Drop unusual RR sets dnspython can't handle. For more information
+# see https://github.com/rthalley/dnspython/issues/1034#issuecomment-1896541899.
+$SHELL "${TOP_SRCDIR}/bin/tests/system/genzone.sh" 2 \
+  | sed \
+    -e '/AMTRELAY.*\# 2 0004/d' \
+    -e '/GPOS.*"" "" ""/d' \
+    -e '/URI.*30 40 ""/d' >ns1/example.db
 
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
diff --git a/bin/tests/system/cipher-suites/tests.sh b/bin/tests/system/cipher-suites/tests.sh
deleted file mode 100644
index f5b28b79dfe..00000000000
--- a/bin/tests/system/cipher-suites/tests.sh
+++ /dev/null
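Review bot: Piping genzone.sh into sed on the new `$SHELL ... | sed` lines means the exit status of genzone.sh is no longer observed: a pipeline reports sed's status, so a failing genzone.sh now leaves an empty or truncated ns1/example.db instead of aborting setup (assuming setup.sh runs under `set -e` as tests.sh did; that option is outside the hunk, and `pipefail` is not available in plain POSIX sh). A portable fix is to materialize the generated zone first and filter it in a second step, e.g. `$SHELL "${TOP_SRCDIR}/bin/tests/system/genzone.sh" 2 >ns1/example.db.gen` followed by `sed -e '/AMTRELAY.*\# 2 0004/d' -e '/GPOS.*"" "" ""/d' -e '/URI.*30 40 ""/d' ns1/example.db.gen >ns1/example.db`. The three delete patterns are unanchored `.*` matches keyed on the sample RDATA genzone.sh emits, which is worth stating in the comment so a later genzone.sh change does not silently stop filtering: `# The patterns match the exact RDATA genzone.sh generates for these types.`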
@@ -1,96 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-set -e
-
-# shellcheck disable=SC1091
-. ../conf.sh
-
-testing="testing zone transfer over TLS (XoT): "
-
-common_dig_options="+noadd +nosea +nostat +noquest +nocmd"
-
-status=0
-n=0
-
-dig_with_tls_opts() {
-  # shellcheck disable=SC2086
-  "$DIG" +tls $common_dig_options -p "${TLSPORT}" "$@"
-}
-
-wait_for_tls_xfer() (
-  srv_number="$1"
-  shift
-  zone_name="$1"
-  shift
-  # Let's bind to .10 to make it possible to easily distinguish dig from NSs in packet traces
-  dig_with_tls_opts -b 10.53.0.10 "@10.53.0.$srv_number" "${zone_name}." AXFR >"dig.out.ns$srv_number.${zone_name}.test$n" || return 1
-  grep "^;" "dig.out.ns$srv_number.${zone_name}.test$n" >/dev/null && return 1
-  return 0
-)
-
-tls_xfer_expect_success() {
-  test_message="$1"
-  shift
-  n=$((n + 1))
-  echo_i "$test_message - zone \"$2\" at \"ns$1\" ($n)"
-  ret=0
-  retry_quiet 10 wait_for_tls_xfer "$@" || ret=1
-  if [ $ret != 0 ]; then echo_i "failed"; fi
-  status=$((status + ret))
-}
-
-tls_xfer_expect_failure() {
-  test_message="$1"
-  shift
-  n=$((n + 1))
-  echo_i "$test_message - zone \"$2\" at \"ns$1\", failure expected ($n)"
-  ret=0
-  retry_quiet 10 wait_for_tls_xfer "$@" && ret=1
-  if [ $ret != 0 ]; then echo_i "failed"; fi
-  status=$((status + ret))
-}
-
-tls_xfer_expect_success "$testing" 2 example
-tls_xfer_expect_success "$testing" 3 example
-tls_xfer_expect_success "$testing" 4 example
-
-tls_xfer_expect_success "$testing" 2 example-aes-128
-tls_xfer_expect_success "$testing" 3 example-aes-256
-if ! $FEATURETEST --have-fips-mode; then
-  tls_xfer_expect_success "$testing" 4 example-chacha-20
-fi
-
-tls_xfer_expect_failure "$testing" 2 example-aes-256
-if ! $FEATURETEST --have-fips-mode; then
-  tls_xfer_expect_failure "$testing" 2 example-chacha-20
-fi
-
-tls_xfer_expect_failure "$testing" 3 example-aes-128
-if ! $FEATURETEST --have-fips-mode; then
-  tls_xfer_expect_failure "$testing" 3 example-chacha-20
-fi
-
-tls_xfer_expect_failure "$testing" 4 example-aes-128
-tls_xfer_expect_failure "$testing" 4 example-aes-256
-
-# NS5 tries to download the zone over TLSv1.2
-tls_xfer_expect_failure "$testing" 5 example
-tls_xfer_expect_failure "$testing" 5 example-aes-128
-tls_xfer_expect_failure "$testing" 5 example-aes-256
-if ! $FEATURETEST --have-fips-mode; then
-  tls_xfer_expect_failure "$testing" 5 example-chacha-20
-fi
-
-echo_i "exit status: $status"
-[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/cipher-suites/tests_cipher_suites.py b/bin/tests/system/cipher-suites/tests_cipher_suites.py
new file mode 100644
index 00000000000..255fc326acd
--- /dev/null
+++ b/bin/tests/system/cipher-suites/tests_cipher_suites.py
@@ -0,0 +1,79 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import pytest
+
+pytest.importorskip("dns", minversion="2.5.0")
+
+import dns.message
+
+import isctest
+import isctest.mark
+
+
+pytestmark = pytest.mark.extra_artifacts(
+    [
+        "ns*/example*.db",
+    ]
+)
+
+
+@pytest.mark.requires_zones_loaded("ns1", "ns2", "ns3", "ns4", "ns5")
+@pytest.mark.parametrize(
+    "qname,ns,rcode",
+    [
+        ("example.", 2, dns.rcode.NOERROR),
+        ("example.", 3, dns.rcode.NOERROR),
+        ("example.", 4, dns.rcode.NOERROR),
+        ("example-aes-128.", 2, dns.rcode.NOERROR),
+        ("example-aes-256.", 3, dns.rcode.NOERROR),
+        pytest.param(
+            "example-chacha-20.",
+            4,
+            dns.rcode.NOERROR,
+            marks=isctest.mark.without_fips,
+        ),
+        ("example-aes-256", 2, dns.rcode.SERVFAIL),
+        pytest.param(
+            "example-chacha-20",
+            2,
+            dns.rcode.SERVFAIL,
+            marks=isctest.mark.without_fips,
+        ),
+        ("example-aes-128", 3, dns.rcode.SERVFAIL),
+        pytest.param(
+            "example-chacha-20",
+            3,
+            dns.rcode.SERVFAIL,
+            marks=isctest.mark.without_fips,
+        ),
+        ("example-aes-128", 4, dns.rcode.SERVFAIL),
+        ("example-aes-256", 4, dns.rcode.SERVFAIL),
+        # NS5 tries to download the zone over TLSv1.2
+        ("example", 5, dns.rcode.SERVFAIL),
+        ("example-aes-128", 5, dns.rcode.SERVFAIL),
+        ("example-aes-256", 5, dns.rcode.SERVFAIL),
+        pytest.param(
+            "example-chacha-20",
+            5,
+            dns.rcode.SERVFAIL,
+            marks=isctest.mark.without_fips,
+        ),
+    ],
+)
+def test_cipher_suites_tls_xfer(qname, ns, rcode):
+    msg = dns.message.make_query(qname, "AXFR")
+    ans = isctest.query.tls(msg, f"10.53.0.{ns}")
+    assert ans.rcode() == rcode
+    if rcode == dns.rcode.NOERROR:
+        assert ans.answer != []
+    elif rcode == dns.rcode.SERVFAIL:
+        assert ans.answer == []
diff --git a/bin/tests/system/cipher-suites/tests_sh_cipher_suites.py b/bin/tests/system/cipher-suites/tests_sh_cipher_suites.py
deleted file mode 100644
index 65a4b825912..00000000000
--- a/bin/tests/system/cipher-suites/tests_sh_cipher_suites.py
+++ /dev/null
@@ -1,23 +0,0 @@
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-import pytest
-
-pytestmark = pytest.mark.extra_artifacts(
-    [
-        "dig.out.*",
-        "ns*/example*.db",
-    ]
-)
-
-
-def test_cipher_suites(run_tests_sh):
-    run_tests_sh()
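Review bot: `dns.rcode.NOERROR` and `dns.rcode.SERVFAIL` are used throughout the parametrize list and in the body of test_cipher_suites_tls_xfer, but the new file only imports `dns.message`; the name resolves only because `dns.message` happens to import `dns.rcode` internally, so add an explicit `import dns.rcode` next to `import dns.message`. The same holds for `isctest.query.tls`, which depends on the `isctest` package importing its `query` submodule on its own — if it does not, `import isctest.query` belongs alongside `import isctest.mark`. As a point of style, the NOERROR cases use absolute owner names (`"example."`) while the SERVFAIL cases use relative ones (`"example"`); `dns.message.make_query` treats a bare name as absolute by default, so both work, but one form throughout would read better. The closing `if/elif` leaves any other rcode unchecked, which is harmless for this parametrization but could simply be `else:` to make the expectation total.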