From: Otto Moerbeek
Date: Mon, 3 Feb 2025 13:26:56 +0000 (+0100)
Subject: Run API tests using https
X-Git-Tag: dnsdist-2.0.0-alpha1~95^2~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cd979ea2a15ec4ddabb0cb18125e20d4f913b0c0;p=thirdparty%2Fpdns.git
Run API tests using https
---
diff --git a/regression-tests.api/.gitignore b/regression-tests.api/.gitignore
index fcd61ea7b4..e80d95307f 100644
--- a/regression-tests.api/.gitignore
+++ b/regression-tests.api/.gitignore
@@ -16,3 +16,12 @@
 /acl-notify.list.yml
 /acl.list.yml
 /recursor.yml
+/rec-api.d
+/ca.key
+/ca.pem
+/ca.srl
+/server.chain
+/server.csr
+/server.key
+/server.pem
+/server.p12
diff --git a/regression-tests.api/Makefile b/regression-tests.api/Makefile
new file mode 100644
index 0000000000..84286d7a4a
--- /dev/null
+++ b/regression-tests.api/Makefile
@@ -0,0 +1,15 @@
+clean-certs:
+ rm -f ca.key ca.pem ca.srl server.csr server.key server.pem server.chain server.ocsp
+clean-configs:
+ rm -rf configs/*
+certs:
+ # Generate a new CA
+ openssl req -new -x509 -days 1 -extensions v3_ca -keyout ca.key -out ca.pem -nodes -config configCA.conf
+ # Generate a new server certificate request
+ openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr -config configServer.conf
+ # Sign the server cert
+ openssl x509 -req -days 1 -CA ca.pem -CAkey ca.key -CAcreateserial -in server.csr -out server.pem -extfile configServer.conf -extensions v3_req
+ # Generate a chain
+ cat server.pem ca.pem > server.chain
+ # Generate a password-protected PKCS12 file
+ openssl pkcs12 -export -passout pass:passw0rd -clcerts -in server.pem -CAfile ca.pem -inkey server.key -out server.p12
diff --git a/regression-tests.api/configCA.conf b/regression-tests.api/configCA.conf
new file mode 100644
index 0000000000..353616e910
--- /dev/null
+++ b/regression-tests.api/configCA.conf
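Review bot: `clean-certs` in the new Makefile removes `server.ocsp`, which the `certs` target never creates, but leaves `server.p12`, which it does create, so a stale PKCS12 bundle survives the `make clean-certs` that runtests now calls; adding `server.p12` to the `rm -f` list fixes that. The three targets are not declared phony either, and `.PHONY: clean-certs clean-configs certs` would keep a stray file named `certs` from turning the target into a no-op. The keys are written unencrypted (`-nodes`) and the PKCS12 passphrase is fixed, which is acceptable for a one-day test CA, but a comment such as `# Test-only key material: never reuse outside the regression suite` above `certs:` would make that intent explicit.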
@@ -0,0 +1,19 @@
+[req]
+default_bits = 2048
+encrypt_key = no
+prompt = no
+distinguished_name = distinguished_name
+
+[v3_ca]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = critical, CA:true
+keyUsage = critical, cRLSign, keyCertSign
+
+[distinguished_name]
+CN = PowerDNS Recursor TLS regression tests CA
+OU = PowerDNS.com BV
+countryName = NL
+
+[CA_default]
+copy_extensions = copy
diff --git a/regression-tests.api/configServer.conf b/regression-tests.api/configServer.conf
new file mode 100644
index 0000000000..587caf621f
--- /dev/null
+++ b/regression-tests.api/configServer.conf
@@ -0,0 +1,21 @@
+[req]
+default_bits = 2048
+encrypt_key = no
+prompt = no
+distinguished_name = server_distinguished_name
+req_extensions = v3_req
+
+[server_distinguished_name]
+CN = tls.tests.powerdns.com
+OU = PowerDNS.com BV
+countryName = NL
+
+[v3_req]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = tls.tests.powerdns.com
+DNS.2 = powerdns.com
+IP.3 = 127.0.0.1
diff --git a/regression-tests.api/runtests b/regression-tests.api/runtests
index 46bddcbbf2..6e7838a1c3 100755
--- a/regression-tests.api/runtests
+++ b/regression-tests.api/runtests
@@ -8,6 +8,9 @@ python -V
 pip install -U pip wheel | cat
 pip install -r requirements.txt | cat
+make clean-certs
+make certs
+
 if [ -z "${SDIG}" ]; then
 export SDIG=$(type -P sdig)
 fi
diff --git a/regression-tests.api/runtests.py b/regression-tests.api/runtests.py
index 0a3e8f1d57..99932570d3 100755
--- a/regression-tests.api/runtests.py
+++ b/regression-tests.api/runtests.py
@@ -110,7 +110,15 @@ incoming:
 allow_from_file: acl.list.yml
 allow_notify_from_file: acl-notify.list.yml
 webservice:
+ webserver: true
 api_dir: %(api_dir)s
+ listen:
+ - addresses: [ 127.0.0.1:"""+str(WEBPORT)+""" ]
+ tls:
+ certificate: server.chain
+ key: server.key
+ api_key: """+APIKEY+"""
+ password: """+WEBPASSWORD+"""
 recursor:
 include_dir: %(conf_dir)s
 devonly_regression_test_mode: true
@@ -160,6 +168,10 @@ common_args = [
 "--webserver-password="+WEBPASSWORD,
 "--api-key="+APIKEY
 ]
+rec_args = [
+ "--daemon=no", "--socket-dir=.", "--config-dir=.",
+ "--local-address=127.0.0.1", "--local-port="+str(DNSPORT),
+]
 # Take sdig if it exists (recursor in travis), otherwise build it from Authoritative source.
 sdig = os.environ.get("SDIG", "")
@@ -237,7 +249,7 @@ else:
 with open(conf_dir+'/example.com.yml', 'w') as conf_file:
 conf_file.write(REC_EXAMPLE_COM_CONF_TPL)
- servercmd = [pdns_recursor] + common_args
+ servercmd = [pdns_recursor] + rec_args
 # Now run pdns and the tests.
@@ -269,7 +281,10 @@ available = False
 time.sleep(1)
 for try_number in range(0, 10):
 try:
- res = requests.get('http://127.0.0.1:%s/' % WEBPORT)
+ if daemon == 'authoritative':
+ res = requests.get('http://127.0.0.1:%s/' % WEBPORT)
+ else:
+ res = requests.get('https://127.0.0.1:%s/' % WEBPORT, verify=False)
 available = True
 break
 except HTTPError as http_err:
diff --git a/regression-tests.api/test_Basics.py b/regression-tests.api/test_Basics.py
index 46b32a641b..6acf9a8032 100644
--- a/regression-tests.api/test_Basics.py
+++ b/regression-tests.api/test_Basics.py
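Review bot: The new `api_key:` and `password:` lines splice `APIKEY` and `WEBPASSWORD` into the YAML template unquoted, and the same template still carries `%(api_dir)s`-style placeholders, so it is presumably %-formatted later (that call is outside the hunk). A key or password containing `%`, `#` or `: ` would then break either the formatting step or the YAML parse; where the two values come from is not visible here. Passing them through the same mapping and quoting them, e.g. `api_key: '%(apikey)s'` and `password: '%(webpassword)s'`, keeps the secrets inert in both steps. The template string starts and ends outside the hunk.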
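Review bot: The recursor branch of the readiness probe passes `verify=False`, so the https run never validates the certificate chain that `make certs` builds; the same switch is repeated in test_Basics.py (`test_unauth`, `test_index_html`), test_Servers.py (`test_read_statistics_using_password`) and as `self.session.verify = False` in test_helper.py. configServer.conf lists 127.0.0.1 in the subjectAltName and the Makefile writes ca.pem, so pointing requests at the test CA, `verify='ca.pem'` here and `self.session.verify = 'ca.pem'` in the helper, should work (assuming the tests run from this directory) and would make the suite fail if the recursor served the wrong certificate. It would also stop urllib3 from emitting InsecureRequestWarning on every call. The retry loop around this probe starts and ends outside the hunk.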
@@ -7,11 +7,11 @@ from test_helper import ApiTestCase, is_auth
 class TestBasics(ApiTestCase):
 def test_unauth(self):
- r = requests.get(self.url("/api/v1/servers/localhost"))
+ r = requests.get(self.url("/api/v1/servers/localhost"), verify=False)
 self.assertEqual(r.status_code, requests.codes.unauthorized)
 def test_index_html(self):
- r = requests.get(self.url("/"), auth=('admin', self.server_web_password))
+ r = requests.get(self.url("/"), auth=('admin', self.server_web_password), verify=False)
 self.assertEqual(r.status_code, requests.codes.ok)
 def test_split_request(self):
diff --git a/regression-tests.api/test_Servers.py b/regression-tests.api/test_Servers.py
index 47122ebb15..c0e1206514 100644
--- a/regression-tests.api/test_Servers.py
+++ b/regression-tests.api/test_Servers.py
@@ -101,7 +101,7 @@ class Servers(ApiTestCase):
 @unittest.skipIf(is_auth(), "Not applicable")
 def test_read_statistics_using_password(self):
- r = requests.get(self.url("/api/v1/servers/localhost/statistics"), auth=('admin', self.server_web_password))
+ r = requests.get(self.url("/api/v1/servers/localhost/statistics"), auth=('admin', self.server_web_password), verify=False)
 self.assertEqual(r.status_code, requests.codes.ok)
 self.assert_success_json(r)
diff --git a/regression-tests.api/test_helper.py b/regression-tests.api/test_helper.py
index 54d7012628..fe8272560f 100644
--- a/regression-tests.api/test_helper.py
+++ b/regression-tests.api/test_helper.py
@@ -38,6 +38,9 @@ class ApiTestCase(unittest.TestCase):
 self.server_web_password = os.environ.get('WEBPASSWORD', 'MISSING')
 self.session = requests.Session()
 self.session.headers = {'X-API-Key': os.environ.get('APIKEY', 'changeme-key'), 'Origin': 'http://%s:%s' % (self.server_address, self.server_port)}
+ if is_recursor():
+ self.server_url = 'https://%s:%s/' % (self.server_address, self.server_port)
+ self.session.verify = False
 def url(self, relative_url):
 return urljoin(self.server_url, relative_url)
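Review bot: In the test_helper.py hunk the `Origin` header on the context line above the new branch is still built as `'http://%s:%s'`, so for the recursor the session sends an http origin while `server_url` is switched to https. Whether the webserver's CORS handling depends on the scheme is not visible here, but choosing the scheme first and building both strings from it keeps them consistent, e.g. `scheme = 'https' if is_recursor() else 'http'` followed by `'Origin': '%s://%s:%s' % (scheme, self.server_address, self.server_port)`. The enclosing method starts outside the hunk.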
diff --git a/regression-tests.recursor-dnssec/.gitignore b/regression-tests.recursor-dnssec/.gitignore
index 118c63c0c4..1bc206a05c 100644
--- a/regression-tests.recursor-dnssec/.gitignore
+++ b/regression-tests.recursor-dnssec/.gitignore
@@ -12,4 +12,3 @@
 /server.key
 /server.pem
 /server.p12
-