From: Remi Gacogne
Date: Thu, 8 Feb 2024 13:43:18 +0000 (+0100)
Subject: dnsdist: Add a regression test for DoQ certs/keys reloading
X-Git-Tag: dnsdist-1.9.0~6^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9ec97c74cc9011c149e3210f319a2f5c23bbc6ed;p=thirdparty%2Fpdns.git

dnsdist: Add a regression test for DoQ certs/keys reloading
---

diff --git a/regression-tests.dnsdist/.gitignore b/regression-tests.dnsdist/.gitignore
index 78d7bc1ccb..0b347c4993 100644
--- a/regression-tests.dnsdist/.gitignore
+++ b/regression-tests.dnsdist/.gitignore
@@ -15,16 +15,14 @@
 /server.key
 /server.pem
 /server.p12
+/server-doq.*
+/server-doh3.*
 /server-ocsp.chain
 /server-ocsp.csr
 /server-ocsp.key
 /server-ocsp.pem
 /server-ocsp.p12
-/server-tls.chain
-/server-tls.csr
-/server-tls.key
-/server-tls.pem
-/server-tls.p12
+/server-tls.*
 /server.ocsp
 /configs
 /dnsdist.log
diff --git a/regression-tests.dnsdist/dnsdisttests.py b/regression-tests.dnsdist/dnsdisttests.py
index d8e0cd9fff..c854cfab53 100644
--- a/regression-tests.dnsdist/dnsdisttests.py
+++ b/regression-tests.dnsdist/dnsdisttests.py
@@ -1116,7 +1116,7 @@ class DNSDistTest(AssertEqualDNSMessageMixin, unittest.TestCase):
             else:
                 cls._toResponderQueue.put(response, True, timeout)
 
-        message = quic_query(query, '127.0.0.1', timeout, port, verify=caFile, server_hostname=serverName)
+        (message, _) = quic_query(query, '127.0.0.1', timeout, port, verify=caFile, server_hostname=serverName)
 
         receivedQuery = None
 
diff --git a/regression-tests.dnsdist/doqclient.py b/regression-tests.dnsdist/doqclient.py
index 94fa7bdc8e..2f0272630f 100644
--- a/regression-tests.dnsdist/doqclient.py
+++ b/regression-tests.dnsdist/doqclient.py
@@ -4,6 +4,7 @@
 import ssl
 import struct
 from typing import Any, Optional, cast
 import dns
+import dns.message
 import async_timeout
 from aioquic.quic.configuration import QuicConfiguration
@@ -77,9 +78,9 @@ async def async_quic_query(
     try:
         async with async_timeout.timeout(timeout):
             answer = await client.query(query)
-            return answer
+            return (answer, client._quic.tls._peer_certificate.serial_number)
     except asyncio.TimeoutError as e:
-        return e
+        return (e, None)
 
 class StreamResetError(Exception):
     def __init__(self, error, message="Stream reset by peer"):
@@ -90,7 +91,7 @@ def quic_query(query, host='127.0.0.1', timeout=2, port=853, verify=None, server
     configuration = QuicConfiguration(alpn_protocols=["doq"], is_client=True)
     if verify:
         configuration.load_verify_locations(verify)
-    result = asyncio.run(
+    (result, serial) = asyncio.run(
         async_quic_query(
             configuration=configuration,
             host=host,
@@ -104,13 +105,13 @@ def quic_query(query, host='127.0.0.1', timeout=2, port=853, verify=None, server
         raise StreamResetError(result.error_code)
     if (isinstance(result, asyncio.TimeoutError)):
         raise TimeoutError()
-    return result
+    return (result, serial)
 
 def quic_bogus_query(query, host='127.0.0.1', timeout=2, port=853, verify=None, server_hostname=None):
     configuration = QuicConfiguration(alpn_protocols=["doq"], is_client=True)
     if verify:
         configuration.load_verify_locations(verify)
-    result = asyncio.run(
+    (result, _) = asyncio.run(
         async_quic_query(
             configuration=configuration,
             host=host,
diff --git a/regression-tests.dnsdist/test_DOQ.py b/regression-tests.dnsdist/test_DOQ.py
index 69d61dc7a1..9af5d8a938 100644
--- a/regression-tests.dnsdist/test_DOQ.py
+++ b/regression-tests.dnsdist/test_DOQ.py
@@ -1,4 +1,5 @@
 #!/usr/bin/env python
+import base64
 import dns
 import clientsubnetoption
 
@@ -7,6 +8,7 @@ from dnsdisttests import pickAvailablePort
 from doqclient import quic_bogus_query
 from quictests import QUICTests, QUICWithCacheTests, QUICACLTests
 import doqclient
+from doqclient import quic_query
 
 class TestDOQBogus(DNSDistTest):
     _serverKey = 'server.key'
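Review bot: The new `return (answer, client._quic.tls._peer_certificate.serial_number)` in `async_quic_query` reaches through attributes of aioquic that are private or undocumented (`_quic`, `tls`, `_peer_certificate`), so an aioquic upgrade can break every DoQ test rather than only the reload check, and an unset peer certificate surfaces as an AttributeError instead of a missing serial. I would fetch it defensively and document the coupling: `peer_cert = getattr(client._quic.tls, '_peer_certificate', None)  # aioquic internal: no public accessor for the presented certificate` followed by `return (answer, peer_cert.serial_number if peer_cert is not None else None)`. The timeout branch already returns `(e, None)`, so callers have to treat `None` as "no serial available" either way. `async_quic_query` begins before this hunk, so the `client` setup that makes this attribute chain valid is not visible here.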
@@ -20,7 +22,6 @@ class TestDOQBogus(DNSDistTest):
     addDOQLocal("127.0.0.1:%d", "%s", "%s")
     """
     _config_params = ['_testServerPort', '_doqServerPort','_serverCert', '_serverKey']
-    _verboseMode = True
 
     def testDOQBogus(self):
         """
@@ -55,7 +56,6 @@ class TestDOQ(QUICTests, DNSDistTest):
     addDOQLocal("127.0.0.1:%d", "%s", "%s")
     """
     _config_params = ['_testServerPort', '_doqServerPort','_serverCert', '_serverKey']
-    _verboseMode = True
 
     def getQUICConnection(self):
         return self.getDOQConnection(self._doqServerPort, self._caCert)
@@ -78,7 +78,6 @@ class TestDOQWithCache(QUICWithCacheTests, DNSDistTest):
     getPool(""):setCache(pc)
     """
     _config_params = ['_testServerPort', '_doqServerPort','_serverCert', '_serverKey']
-    _verboseMode = True
 
     def getQUICConnection(self):
         return self.getDOQConnection(self._doqServerPort, self._caCert)
@@ -99,10 +98,47 @@ class TestDOQWithACL(QUICACLTests, DNSDistTest):
     addDOQLocal("127.0.0.1:%d", "%s", "%s")
     """
     _config_params = ['_testServerPort', '_doqServerPort','_serverCert', '_serverKey']
-    _verboseMode = True
 
     def getQUICConnection(self):
         return self.getDOQConnection(self._doqServerPort, self._caCert)
 
     def sendQUICQuery(self, query, response=None, useQueue=True, connection=None):
         return self.sendDOQQuery(self._doqServerPort, query, response=response, caFile=self._caCert, useQueue=useQueue, serverName=self._serverName, connection=connection)
+
+class TestDOQCertificateReloading(DNSDistTest):
+    _consoleKey = DNSDistTest.generateConsoleKey()
+    _consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
+    _serverKey = 'server-doq.key'
+    _serverCert = 'server-doq.chain'
+    _serverName = 'tls.tests.dnsdist.org'
+    _caCert = 'ca.pem'
+    _doqServerPort = pickAvailablePort()
+    _config_template = """
+    setKey("%s")
+    controlSocket("127.0.0.1:%s")
+
+    newServer{address="127.0.0.1:%d"}
+
+    addDOQLocal("127.0.0.1:%d", "%s", "%s")
+    """
+    _config_params = ['_consoleKeyB64', '_consolePort', '_testServerPort', '_doqServerPort','_serverCert', '_serverKey']
+
+    @classmethod
+    def setUpClass(cls):
+        cls.generateNewCertificateAndKey('server-doq')
+        cls.startResponders()
+        cls.startDNSDist()
+        cls.setUpSockets()
+
+    def testCertificateReloaded(self):
+        name = 'certificate-reload.doq.tests.powerdns.com.'
+        query = dns.message.make_query(name, 'A', 'IN', use_edns=False)
+        query.id = 0
+        (_, serial) = quic_query(query, '127.0.0.1', 0.5, self._doqServerPort, verify=self._caCert, server_hostname=self._serverName)
+
+        self.generateNewCertificateAndKey('server-doq')
+        self.sendConsoleCommand("reloadAllCertificates()")
+
+        (_, secondSerial) = quic_query(query, '127.0.0.1', 0.5, self._doqServerPort, verify=self._caCert, server_hostname=self._serverName)
+        # check that the serial is different
+        self.assertNotEqual(serial, secondSerial)
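Review bot: `testCertificateReloaded` has no docstring although `testDOQBogus` in the same file documents itself, and `query.id = 0` is the one DoQ-specific requirement in the test without a word saying why. I would add the docstring `"""DoQ: check that reloadAllCertificates() makes the listener present the freshly generated certificate, detected through its serial number"""` and the comment `# DoQ requires the DNS message ID to be 0 (RFC 9250, section 4.2.1)`. The assertion's soundness rests on `generateNewCertificateAndKey('server-doq')` producing a different serial on every call, which is not visible from this file; if serials were ever reused the test would fail spuriously, so a short note to that effect next to the `assertNotEqual` would spare the next maintainer a hunt. Note also that `setUpClass` does not call `super().setUpClass()`; if the base implementation does more than the four calls repeated here, that part is silently skipped for this class.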