Check GSS-API TKEY against non configured server
authorMark Andrews <marka@isc.org>
Thu, 27 Jul 2023 07:08:34 +0000 (17:08 +1000)
committerMark Andrews <marka@isc.org>
Fri, 28 Jul 2023 04:38:20 +0000 (14:38 +1000)
Check for the expected error message which includes rcode REFUSED
then reload the server to specify the keytab for the rest of the
GSSAPI tests.

bin/tests/system/nsupdate/ns7/named1.conf.in [new file with mode: 0644]
bin/tests/system/nsupdate/ns7/named2.conf.in [moved from bin/tests/system/nsupdate/ns7/named.conf.in with 100% similarity]
bin/tests/system/nsupdate/setup.sh
bin/tests/system/nsupdate/tests.sh

diff --git a/bin/tests/system/nsupdate/ns7/named1.conf.in b/bin/tests/system/nsupdate/ns7/named1.conf.in
new file mode 100644 (file)
index 0000000..28d2aea
--- /dev/null
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+       query-source address 10.53.0.7;
+       notify-source 10.53.0.7;
+       transfer-source 10.53.0.7;
+       port @PORT@;
+       pid-file "named.pid";
+       session-keyfile "session.key";
+       listen-on { 10.53.0.7; };
+       recursion no;
+       notify yes;
+       minimal-responses no;
+       dnssec-validation no;
+};
+
+key rndc_key {
+       secret "1234abcd8765";
+       algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+       inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "in-addr.arpa" {
+       type primary;
+       file "in-addr.db";
+       update-policy { grant EXAMPLE.COM krb5-subdomain-self-rhs . PTR; };
+};
+
+zone "example.com" {
+       type primary;
+       file "example.com.db";
+       update-policy {
+               grant EXAMPLE.COM krb5-self . ANY;
+               grant EXAMPLE.COM krb5-subdomain _tcp.example.com SRV;
+               grant EXAMPLE.COM krb5-subdomain-self-rhs self-srv.example.com SRV;
+               grant EXAMPLE.COM krb5-subdomain-self-rhs self-srv-no-type.example.com;
+       };
+};
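Review bot: Nothing in the new named1.conf.in records why it differs from named2.conf.in, so a reader of the fixture cannot tell that the missing GSS-API keytab/credential options are the point of the file rather than an oversight. Since the test depends on this server being "non configured" for GSS-TSIG until the reload in tests.sh swaps in named2.conf.in, a short comment at the top of the options block would protect the test's intent; for example `/* Deliberately no tkey-gssapi-* options: a TKEY request must be REFUSED; tests.sh later reloads ns7 with named2.conf.in for the remaining GSSAPI tests. */`. The exact option names omitted are inferred from the commit description and the 100%-similarity move of named2.conf.in, so confirm them against that file before wording the comment.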
index a143eac98d670ea278fc05d5e6ba5c9b178cc488..c3477616e7caf01234dd861b6037beb0f106e272 100644 (file)
@@ -31,7 +31,7 @@ copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
 copy_setports ns5/named.conf.in ns5/named.conf
 copy_setports ns6/named.conf.in ns6/named.conf
-copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns7/named1.conf.in ns7/named.conf
 copy_setports ns8/named.conf.in ns8/named.conf
 
 # If "tkey-gssapi-credential" is set in the configuration and GSSAPI support is
index b92b23cd4ab135d42ccb50d5d00867648b84b3c7..04d533b8f1e1d7b701cba40907d8aa59bff0cc78 100755 (executable)
@@ -1762,6 +1762,24 @@ wait_for_log 10 "too many DNS UPDATEs queued" ns1/named.run || ret=1
 if ! $FEATURETEST --gssapi ; then
   echo_i "SKIPPED: GSSAPI tests"
 else
+  n=$((n + 1))
+  ret=0
+  echo_i "check GSS-API TKEY request rcode against a non configured server ($n)"
+  KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache"
+  export KRB5CCNAME
+  $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1
+  gsstsig
+  realm EXAMPLE.COM
+  server 10.53.0.7 ${PORT}
+  zone example.com
+  send
+EOF
+  grep "response to GSS-TSIG query was unsuccessful (REFUSED)" nsupdate.out.test$n > /dev/null  || ret=1
+  [ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+  copy_setports ns7/named2.conf.in ns7/named.conf
+  rndc_reload ns7 10.53.0.7
+
   n=$((n + 1))
   ret=0
   echo_i "check krb5-self match ($n)"
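Review bot: The configuration switch at the end of the new block (`copy_setports ns7/named2.conf.in ns7/named.conf` followed by `rndc_reload ns7 10.53.0.7`) is never checked for success, so if the reload fails — a missing or unreadable keytab, for instance — every later GSSAPI test runs against the still-unconfigured ns7 and reports failures that look like krb5-self/krb5-subdomain bugs rather than a fixture problem. The file already uses `wait_for_log` for this kind of synchronisation (see the context line above the hunk), so guarding the transition with something like `wait_for_log 10 "reloading configuration succeeded" ns7/named.run || { echo_i "failed to reload ns7"; status=1; }` would make a reload failure visible at the point it happens; the quoted message should be checked against what named actually logs on a successful reload. A secondary point: the `grep` on the `(REFUSED)` pattern is the only positive assertion, so a nsupdate failure for an unrelated reason (e.g. no credential cache) is correctly counted as a failure, but the log line in ns7/named.run that explains the refusal would be a useful second check if one exists. The `else` branch this block sits in continues beyond the hunk.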