TESTS += pkcs11
endif
+if HAVE_PYTEST
+TESTS += rpzextra
+endif
+
else !HAVE_PERL
check:
echo Perl is not available, no tests were ran
--- /dev/null
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ns*/*.jnl
+rm -f ns*/named.conf
+rm -f ns*/named.lock
+rm -f ns*/named.memstats
+rm -f ns*/named.run
+rm -f ns*/rpz*.txt
+rm -rf __pycache__
+rm -f *.status
--- /dev/null
+############################################################################
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+############################################################################
+
+import os
+import pytest
+
+try:
+ import dns.resolver # noqa: F401 # pylint: disable=unused-import
+except ModuleNotFoundError:
+ dns_resolver_module_found = False
+else:
+ dns_resolver_module_found = True
+
+
+def pytest_configure(config):
+ config.addinivalue_line(
+ "markers", "dnspython: mark tests that need dnspython to function"
+ )
+
+
+def pytest_collection_modifyitems(config, items):
+ # pylint: disable=unused-argument
+ # Test for dnspython module
+ if not dns_resolver_module_found:
+ skip_requests = pytest.mark.skip(reason="need dnspython module to run")
+ for item in items:
+ if "dnspython" in item.keywords:
+ item.add_marker(skip_requests)
+ # Test if JSON statistics channel was enabled
+ no_jsonstats = pytest.mark.skip(reason="need JSON statistics to be enabled")
+ if os.getenv("HAVEJSONSTATS") is None:
+ for item in items:
+ if "json" in item.keywords:
+ item.add_marker(no_jsonstats)
+
+
+@pytest.fixture
+def named_port(request):
+ # pylint: disable=unused-argument
+ port = os.getenv("PORT")
+ if port is None:
+ port = 5301
+ else:
+ port = int(port)
+
+ return port
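Review bot: The `json` marker that `pytest_collection_modifyitems` looks for on L69-L70 is never registered, because `pytest_configure` on L52-L54 only registers `dnspython`; any test tagged `@pytest.mark.json` will therefore raise PytestUnknownMarkWarning, or fail collection outright under `--strict-markers`. Add a second registration next to the existing one: `config.addinivalue_line("markers", "json: mark tests that need the JSON statistics channel")`. The `named_port` fixture would also benefit from a comment saying where its input comes from, e.g. `# PORT is presumably exported by the system-test harness; 5301 is only a fallback for running pytest by hand`, since nothing in this file shows who sets it.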
--- /dev/null
+ -m record,size,mctx -c named.conf -d 99 -D rpzextra-ns1 -X named.lock -U 4
--- /dev/null
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ listen-on { 10.53.0.1; };
+ pid-file "named.pid";
+ notify no;
+ dnssec-validation no;
+ allow-query { any; };
+ recursion yes;
+ allow-recursion { any; };
+
+ response-policy {
+ zone "rpz.local";
+ };
+};
+
+logging {
+ channel rpz_passthru {
+ file "rpz_passthru.txt" versions 3 size 5m;
+ print-time yes;
+ print-category yes;
+ print-severity yes;
+ severity info;
+ };
+
+ channel rpz_log {
+ file "rpz.txt" versions 3 size 20m;
+ print-time yes;
+ print-category yes;
+ print-severity yes;
+ severity info;
+ };
+
+ category rpz { rpz_log; default_debug; };
+ category rpz-passthru { rpz_passthru; default_debug; };
+};
+
+zone "rpz.local" {
+ type master;
+ file "rpz.local.db";
+ allow-transfer { none; };
+ allow-query { localhost; };
+};
+
+zone "." {
+ type hint;
+ file "root.db";
+};
+
+
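Review bot: This named.conf.in has no license/ownership header, unlike the other new files in the commit (clean.sh, setup.sh, root.db, conftest.py); the same applies to ns2/named.conf.in (L217-L250), rpz.local.db, allowed.db and baddomain.db. The logging block would also be clearer with a one-line comment explaining the split the test relies on, e.g. `// rpz_passthru.txt receives only the rpz-passthru category; rpz.txt receives everything else the rpz category logs`, since that separation is what the test asserts on. The `allow-recursion { any; }` on L106 is wider than the test needs, but `listen-on { 10.53.0.1; }` on L100 keeps the resolver confined to the test address, so this is a style point rather than an exposure in the harness.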
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS ns1.allowed
+
+
+allowed. NS ns1.allowed.
+ns1.allowed. A 10.53.0.2
+
+baddomain. NS ns1.baddomain.
+ns1.baddomain. A 10.53.0.2
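Review bot: `. NS ns1.allowed` on L165 omits the trailing dot while every other name in the file (L168, L171-L172) is written fully qualified; with `$ORIGIN .` the result is the same, but the inconsistency reads like a typo and would become a real bug if the file were ever loaded under a different origin. Write it as `. NS ns1.allowed.` to match the delegations below it.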
--- /dev/null
+$TTL 300
+
+@ IN SOA localhost.rpz.local root.rpz.local. (
+ 2020022500 ; serial number
+ 60 ; refresh every minute
+ 60 ; retry every minute
+ 432000 ; expire in 5 days
+ 60 ; negative caching ttl, 1 minute
+)
+
+
+ IN NS LOCALHOST.
+
+allowed IN CNAME rpz-passthru.
+*.allowed IN CNAME rpz-passthru.
+
+baddomain IN CNAME .
+*.baddomain IN CNAME .
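Review bot: The SOA MNAME on L176, `localhost.rpz.local`, has no trailing dot, so under the zone's origin it expands to `localhost.rpz.local.rpz.local.`; the RNAME on the same line is correctly terminated. Change it to `@ IN SOA localhost.rpz.local. root.rpz.local. (`. A short header comment would help readers of the policy, e.g. `; allowed and its subdomains pass through (rpz-passthru); baddomain and its subdomains are rewritten to NXDOMAIN (CNAME .)`, matching the two rule pairs on L187-L191.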
--- /dev/null
+$TTL 300
+
+@ IN SOA ns1 root.allowed. 2020040101 4h 1h 1w 60
+@ IN NS ns1
+ns1 IN A 10.53.0.2
+@ IN A 10.53.0.2
+www IN A 10.53.0.2
--- /dev/null
+$TTL 300
+
+@ IN SOA ns1 root.baddomain. (
+ 2020040101
+ 4h
+ 1h
+ 1w
+ 60
+)
+
+ IN NS ns1
+
+ns1 IN A 10.53.0.2
+
+baddomain. IN A 10.53.0.2
+www IN A 10.53.0.3
--- /dev/null
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ listen-on { 10.53.0.2; };
+ pid-file "named.pid";
+ notify no;
+ dnssec-validation no;
+ allow-query { any; };
+};
+
+zone "allowed" {
+ type master;
+ file "allowed.db";
+ allow-transfer { none; };
+};
+
+zone "baddomain" {
+ type master;
+ file "baddomain.db";
+ allow-transfer { none; };
+};
+
--- /dev/null
+#! /bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# touch dnsrps-off to not test with DNSRPS
+
+set -e
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns2/named.conf.in ns2/named.conf
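Review bot: The comment `# touch dnsrps-off to not test with DNSRPS` on L263 describes behaviour nothing in this script implements — there is no check for a dnsrps-off file, only the two `copy_setports` calls; it looks copied from another test's setup.sh and will mislead whoever next edits this test. Either drop the comment or add the DNSRPS handling it promises. If kept, `. $SYSTEMTESTTOP/conf.sh` on L268 also deserves a note that it provides `copy_setports`, since that is the only reason the sourcing is needed here.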
--- /dev/null
+#!/usr/bin/python3
+############################################################################
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+############################################################################
+
+import os
+import pytest
+import dns.resolver
+
+
+# @pytest.mark.dnspython
+def test_rpz_passthru_logging(named_port):
+ resolver = dns.resolver.Resolver()
+ resolver.nameservers = ['10.53.0.1']
+ resolver.port = named_port
+
+ # Should generate a log entry into rpz_passthru.txt
+ ans = resolver.query('allowed.', 'A')
+ for rd in ans:
+ assert rd.address == "10.53.0.2"
+
+ # baddomain.com isn't allowed (CNAME .), should return NXDOMAIN
+ # Should generate a log entry into rpz.txt
+ with pytest.raises(dns.resolver.NXDOMAIN):
+ resolver.query('baddomain.', 'A')
+
+ rpz_passthru_logfile = os.path.join("ns1", "rpz_passthru.txt")
+ rpz_logfile = os.path.join("ns1", "rpz.txt")
+
+ assert os.path.isfile(rpz_passthru_logfile)
+ assert os.path.isfile(rpz_logfile)
+
+ with open(rpz_passthru_logfile) as log_file:
+ line = log_file.read()
+ assert "rpz QNAME PASSTHRU rewrite allowed/A/IN" in line
+
+ with open(rpz_logfile) as log_file:
+ line = log_file.read()
+ assert "rpz QNAME PASSTHRU rewrite allowed/A/IN" not in line
+ assert "rpz QNAME NXDOMAIN rewrite baddomain/A/IN" in line
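Review bot: The unconditional `import dns.resolver` on L287 together with the commented-out `@pytest.mark.dnspython` on L290 means a host with pytest but no dnspython fails collection with ModuleNotFoundError instead of skipping — the conftest skip logic keyed on the `dnspython` marker never gets to run, and the Makefile gates this test only on HAVE_PYTEST (L3-L5), not on the dns module. Replace the import with `pytest.importorskip("dns.resolver")` followed by `import dns.resolver  # noqa: E402`, or restore the marker and move the import inside the test. Two smaller points: the comment on L301 says `baddomain.com` while the query on L304 is for `baddomain.`, and `resolver.query` is deprecated in dnspython 2.x in favour of `resolve`, which is worth noting in a comment once that version is the floor.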
AS_IF([test -z "$PYTEST"],
[AC_MSG_WARN([pytest not found, some system tests will be skipped])])
AC_SUBST([PYTEST])
+AM_CONDITIONAL([HAVE_PYTEST], [test -n "$PYTEST"])
AX_PYTHON_MODULE([dns])
AM_CONDITIONAL([HAVE_PYMOD_DNS], [test "$HAVE_PYMOD_DNS" = "yes"])