From: Evil Eye
Date: Wed, 7 Feb 2024 09:01:55 +0000 (+0000)
Subject: Add tests
X-Git-Tag: rec-5.1.0-alpha1~88^2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8b4b19b6a1100a65641ae585f3833d51f98a3938;p=thirdparty%2Fpdns.git

Add tests
---

diff --git a/regression-tests.auth-py/test_GSSTSIG.py b/regression-tests.auth-py/test_GSSTSIG.py
index 066f6f91cd..8ef7c5b717 100644
--- a/regression-tests.auth-py/test_GSSTSIG.py
+++ b/regression-tests.auth-py/test_GSSTSIG.py
@@ -27,6 +27,7 @@ gsqlite3-dnssec=yes
 enable-gss-tsig=yes
 allow-dnsupdate-from=0.0.0.0/0
 dnsupdate=yes
+dnsupdate-require-tsig=no
 """
 _auth_env = {'KRB5_CONFIG' : './kerberos-client/krb5.conf', 'KRB5_KTNAME' : './kerberos-client/kt.keytab'
@@ -54,10 +55,13 @@ dnsupdate=yes
 ret = subprocess.run(["kinit", "-Vt", "./kerberos-client/kt.keytab", user], env=self._auth_env)
 self.assertEqual(ret.returncode, 0)
- def nsupdate(self, commands, expected=0):
+ def nsupdate(self, commands, expected=0, unauth=False):
 full = "server 127.0.0.1 %s\n" % self._authPort
 full += commands + "\nsend\nquit\n"
- ret = subprocess.run(["nsupdate", "-g"], input=full, env=self._auth_env, capture_output=True, text=True)
+ if unauth:
+ ret = subprocess.run(["nsupdate"], input=full, capture_output=True, text=True)
+ else:
+ ret = subprocess.run(["nsupdate", "-g"], input=full, env=self._auth_env, capture_output=True, text=True)
 self.assertEqual(ret.returncode, expected)
 def checkInDB(self, zone, record):
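Review bot: The new `unauth` parameter of `nsupdate` is a positional boolean, and the callers added further down in this patch pass it as a bare `True` after the expected return code (`self.nsupdate(..., 0, True)`), which hides that the call deliberately sends an unsigned update. Declaring it keyword-only, `def nsupdate(self, commands, expected=0, *, unauth=False):`, and calling with `unauth=True` makes the security-relevant case visible at the call site. A short docstring saying that `unauth=True` runs `nsupdate` without `-g` and without `env=self._auth_env` would document why the two branches differ. Since `capture_output=True` otherwise discards the reason for an unexpected result, the final check could carry it: `self.assertEqual(ret.returncode, expected, ret.stderr)`.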
@@ -133,3 +137,69 @@ lua-dnsupdate-policy-script=kerberos-client/update-policy.lua
 self.nsupdate("add inserted13.wrongacceptor.net 10 A 1.2.3.13", 2)
 self.checkNotInDB('wrongacceptor.net', 'inserted13.wrongacceptor.net')
+class TestUnauthTSIG(GSSTSIGBase):
+
+ _config_template = """
+launch=gsqlite3
+gsqlite3-database=configs/auth/powerdns.sqlite
+gsqlite3-pragma-foreign-keys=yes
+gsqlite3-dnssec=yes
+enable-gss-tsig=no
+allow-dnsupdate-from=0.0.0.0/0
+dnsupdate=yes
+"""
+ def testNoAcceptor(self):
+ self.checkNotInDB('noacceptor.net', 'inserted20.noacceptor.net')
+ self.nsupdate("add inserted20.noacceptor.net 10 A 1.2.3.3", 0, True)
+ self.checkInDB('noacceptor.net', 'inserted20.noacceptor.net')
+
+class TestAuthTSIG(GSSTSIGBase):
+
+ _config_template = """
+launch=gsqlite3
+gsqlite3-database=configs/auth/powerdns.sqlite
+gsqlite3-pragma-foreign-keys=yes
+gsqlite3-dnssec=yes
+enable-gss-tsig=no
+allow-dnsupdate-from=0.0.0.0/0
+dnsupdate=yes
+dnsupdate-require-tsig=yes
+"""
+ def testNoAcceptor(self):
+ self.nsupdate("add inserted30.noacceptor.net 10 A 1.2.3.3", 2, True)
+ self.checkNotInDB('noacceptor.net', 'inserted30.noacceptor.net')
+
+class TestBasicRequiredGSSTSIG(GSSTSIGBase):
+
+ _config_template = """
+launch=gsqlite3
+gsqlite3-database=configs/auth/powerdns.sqlite
+gsqlite3-pragma-foreign-keys=yes
+gsqlite3-dnssec=yes
+enable-gss-tsig=yes
+allow-dnsupdate-from=0.0.0.0/0
+dnsupdate=yes
+dnsupdate-require-tsig=yes
+"""
+ def testAllowedUpdate(self):
+ self.checkNotInDB('example.net', 'inserted40.example.net')
+ self.kinit("testuser1")
+ self.nsupdate("add inserted40.example.net 10 A 1.2.3.1")
+ self.checkInDB('example.net', '^inserted40.example.net.*10.*IN.*A.*1.2.3.1$')
+
+ def testDisallowedUpdate(self):
+ self.kinit("testuser2")
+ self.nsupdate("add inserted41.example.net 10 A 1.2.3.2", 2)
+ self.checkNotInDB('example.net', 'inserted41.example.net')
+
+ def testNoAcceptor(self):
+ self.kinit("testuser1")
+ self.nsupdate("add inserted42.noacceptor.net 10 A 1.2.3.3", 2)
+ self.checkNotInDB('noacceptor.net', 'inserted42.noacceptor.net')
+
+ def testWrongAcceptor(self):
+ self.kinit("testuser1")
+ self.nsupdate("add inserted43.wrongacceptor.net 10 A 1.2.3.4", 2)
+ self.checkNotInDB('wrongacceptor.net', 'inserted43.wrongacceptor.net')
+
+
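Review bot: `TestBasicRequiredGSSTSIG` sets both `enable-gss-tsig=yes` and `dnsupdate-require-tsig=yes` but never sends an unsigned update, so the rejection of unsigned updates is only exercised in `TestAuthTSIG`, where GSS-TSIG is disabled. A method in this class that calls `self.nsupdate("add insertedNN.example.net 10 A 1.2.3.5", 2, True)` (record name and address constructed here) followed by `self.checkNotInDB('example.net', 'insertedNN.example.net')` would cover that combination. `TestUnauthTSIG` leaves `dnsupdate-require-tsig` out of its config and so depends on the server default; writing `dnsupdate-require-tsig=no` there, as the first hunk of this patch does for the existing template, would pin the case under test. The `testNoAcceptor` methods in `TestUnauthTSIG` and `TestAuthTSIG` check unsigned updates rather than acceptor handling, so a name such as `testUnsignedUpdate` would describe them better.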