From cb54e9b5e82f3398fc0fb024e1cf9b43de74349e Mon Sep 17 00:00:00 2001 From: Pieter Lexis Date: Wed, 27 Apr 2016 09:23:10 +0200 Subject: [PATCH] Add timing based DNSSEC tests Note: the `faketime` program does not clean up its childprocesses properly (possibly in combination with authbind), hence we LD_PRELOAD it and supply the faketime through the environment. --- build-scripts/travis.sh | 1 + regression-tests.recursor-dnssec/.gitignore | 1 + .../recursortests.py | 13 ++++++---- regression-tests.recursor-dnssec/runtests | 4 +++ .../test_Expired.py | 26 +++++++++++++++++++ .../test_NotYetValid.py | 26 +++++++++++++++++++ 6 files changed, 66 insertions(+), 5 deletions(-) create mode 100644 regression-tests.recursor-dnssec/test_Expired.py create mode 100644 regression-tests.recursor-dnssec/test_NotYetValid.py diff --git a/build-scripts/travis.sh b/build-scripts/travis.sh index 463088007d..f556ae9d84 100755 --- a/build-scripts/travis.sh +++ b/build-scripts/travis.sh @@ -330,6 +330,7 @@ install_recursor() { authbind \ daemontools \ libbotan-1.10-0 \ + libfaketime \ liblua5.2-0 \ moreutils \ jq" diff --git a/regression-tests.recursor-dnssec/.gitignore b/regression-tests.recursor-dnssec/.gitignore index 862ef16091..7103d74161 100644 --- a/regression-tests.recursor-dnssec/.gitignore +++ b/regression-tests.recursor-dnssec/.gitignore @@ -2,3 +2,4 @@ /*.xml /.venv /configs +/vars diff --git a/regression-tests.recursor-dnssec/recursortests.py b/regression-tests.recursor-dnssec/recursortests.py index d93aef9605..3292705c3e 100644 --- a/regression-tests.recursor-dnssec/recursortests.py +++ b/regression-tests.recursor-dnssec/recursortests.py @@ -149,6 +149,9 @@ PrivateKey: f5jV7Q8kd5hDpMWObsuQ6SQda0ftf+JrO3uZwEg6nVw= '13': ['insecure.example'] } + _auth_cmd = ['authbind', + os.environ['PDNS']] + _auth_env = {} _auths = {} @classmethod 
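Review bot: The new default `_auth_env = {}` is passed to `subprocess.Popen(..., env=cls._auth_env)` in `startAuth` (next hunk), and `env=` replaces the child's environment rather than adding to it, so every existing test now starts pdns_server with an empty environment where it previously inherited the runner's. That looks unintended. Merging at the call site keeps the old behaviour and lets subclasses supply only the extra variables: `env=dict(os.environ, **cls._auth_env)`. A one-line comment above `_auth_env` would also help, e.g. `# Extra environment variables for the auth servers (LD_PRELOAD/FAKETIME in the timing tests)`. The class body starts and ends outside this hunk.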
@@ -270,16 +273,16 @@ distributor-threads=1""".format(confdir=confdir, @classmethod def startAuth(cls, confdir, ipaddress): print("Launching pdns_server..") - authcmd = ['authbind', - os.environ['PDNS'], - '--config-dir=%s' % confdir, - '--local-address=%s' % ipaddress] + authcmd = cls._auth_cmd + authcmd.append('--config-dir=%s' % confdir) + authcmd.append('--local-address=%s' % ipaddress) print(' '.join(authcmd)) logFile = os.path.join(confdir, 'pdns.log') with open(logFile, 'w') as fdLog: cls._auths[ipaddress] = subprocess.Popen(authcmd, close_fds=True, - stdout=fdLog, stderr=fdLog) + stdout=fdLog, stderr=fdLog, + env=cls._auth_env) time.sleep(2) diff --git a/regression-tests.recursor-dnssec/runtests b/regression-tests.recursor-dnssec/runtests index 215639d3aa..d1d941a039 100755 --- a/regression-tests.recursor-dnssec/runtests +++ b/regression-tests.recursor-dnssec/runtests @@ -9,13 +9,17 @@ pip install -r requirements.txt mkdir -p configs +[ -f ./vars ] && . ./vars + export PDNS=${PDNS:-${PWD}/../pdns/pdns_server} export PDNSUTIL=${PDNSUTIL:-${PWD}/../pdns/pdnsutil} export PDNSRECURSOR=${PDNSRECURSOR:-${PWD}/../pdns/recursordist/pdns_recursor} export RECCONTROL=${RECCONTROL:-${PWD}/../pdns/recursordist/rec_control} +export LIBFAKETIME=${LIBFAKETIME:-/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1} # ubuntu default export PREFIX=10.0.3 + set -e if [ "${PDNS_DEBUG}" = "YES" ]; then set -x diff --git a/regression-tests.recursor-dnssec/test_Expired.py b/regression-tests.recursor-dnssec/test_Expired.py new file mode 100644 index 0000000000..7ef785d1d5 --- /dev/null +++ b/regression-tests.recursor-dnssec/test_Expired.py 
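Review bot: `authcmd = cls._auth_cmd` binds the class-level list itself, so the two `append` calls in `startAuth` grow `_auth_cmd` on every call. `_auths` is keyed by IP address, which suggests several servers are started; the second would then be launched with the first one's `--config-dir` and `--local-address` as well as its own, and unless a subclass overrides `_auth_cmd` the grown list is shared across test classes too. Copy before appending: `authcmd = list(cls._auth_cmd)`.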
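Review bot: The `LIBFAKETIME` default in `runtests` is a single Ubuntu x86_64 path and nothing checks that the file exists. As far as I know the dynamic loader only warns about an unloadable `LD_PRELOAD` object and carries on, so on another distribution or architecture the authoritative servers would run on the real clock and the timing tests would fail with no hint about the cause. A warning after the export makes that visible: `[ -r "${LIBFAKETIME}" ] || echo "warning: libfaketime not found at ${LIBFAKETIME}; timing tests will fail" >&2`.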
@@ -0,0 +1,26 @@
+import errno
+import os
+import subprocess
+import time
+
+import dns
+from recursortests import RecursorTest
+
+
+class testExpired(RecursorTest):
+ """This regression test starts the authoritative servers with a clock that is
+ set 15 days into the past. Hence, the recursor must reject the signatures
+ because they are expired.
+ """
+ _confdir = 'Expired'
+
+ _config_template = """dnssec=validate"""
+
+ _auth_env = {'LD_PRELOAD':os.environ.get('LIBFAKETIME'),
+ 'FAKETIME':'-15d'}
+
+ def testA(self):
+ query = dns.message.make_query('host1.secure.example', 'A')
+ res = self.sendUDPQuery(query)
+
+ self.assertRcodeEqual(res, dns.rcode.SERVFAIL)
diff --git a/regression-tests.recursor-dnssec/test_NotYetValid.py b/regression-tests.recursor-dnssec/test_NotYetValid.py
new file mode 100644
index 0000000000..b2164cf340
--- /dev/null
+++ b/regression-tests.recursor-dnssec/test_NotYetValid.py
@@ -0,0 +1,26 @@
+import errno
+import os
+import subprocess
+import time
+
+import dns
+from recursortests import RecursorTest
+
+
+class testNotYetValid(RecursorTest):
+ """This regression test starts the authoritative servers with a clock that is
+ set 15 days into the future. Hence, the recursor must reject the signatures
+ because they are not yet valid.
+ """
+ _confdir = 'NotYetValid'
+
+ _config_template = """dnssec=validate"""
+
+ _auth_env = {'LD_PRELOAD':os.environ.get('LIBFAKETIME'),
+ 'FAKETIME':'+15d'}
+
+ def testA(self):
+ query = dns.message.make_query('host1.secure.example', 'A')
+ res = self.sendUDPQuery(query)
+
+ self.assertRcodeEqual(res, dns.rcode.SERVFAIL)
-- 2.47.2
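Review bot: `testExpired.testA` asserts only SERVFAIL, which the recursor would also return if the authoritative servers never came up (for instance if pdns_server does not start under the preloaded library), so the test can pass without signature-time validation having been exercised; the same holds for `testNotYetValid.testA` in the next file. A control query for the same name with the CD bit set, expected to succeed, would tie the SERVFAIL to validation, assuming the recursor honours CD with `dnssec=validate`. Separately, `os.environ.get('LIBFAKETIME')` yields None when the variable is unset and Popen rejects a None environment value; `os.environ['LIBFAKETIME']` would fail earlier with a clearer error.

```python
    def testA(self):
        # … unchanged: SERVFAIL assertion for host1.secure.example …

    def testACheckingDisabled(self):
        # Control: with checking disabled the same name should resolve, which
        # shows the SERVFAIL in testA comes from signature validation and not
        # from an authoritative server that failed to start.
        query = dns.message.make_query('host1.secure.example', 'A')
        query.flags |= dns.flags.CD
        res = self.sendUDPQuery(query)

        self.assertRcodeEqual(res, dns.rcode.NOERROR)
```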