#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh

# Per-check bookkeeping: "t" numbers the checks (each one writes its dig
# output to dig.out.<t>) and "status" is the script's overall verdict,
# non-zero once any check has failed.
status=0
t=0

# dig is run over TCP against the test port with most of its commentary
# switched off; the checks below rely on a successful transfer producing
# no lines that begin with ';'.
DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"

# rndc against the shared test control configuration; the server address
# is appended after "-s" at the call site.
RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
20
echo_i "testing basic ACL processing"

# Throughout this section a line beginning with ';' in the dig output is
# read as "the transfer was refused" (dig reports its diagnostics as ';'
# comment lines, and DIGOPTS suppresses the usual comment sections).

# Key "one" is expected to be refused by the initial configuration.
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
	@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
if ! grep -q "^;" dig.out.${t} 2>/dev/null; then
	echo_i "test $t failed"
	status=1
fi

# Any other key (here "two") is expected to be accepted.
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
	@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
if grep -q "^;" dig.out.${t} 2>/dev/null; then
	echo_i "test $t failed"
	status=1
fi
34
# Second configuration: source prefix 10/8 is denied, everything else is
# allowed only when signed with key "one".
copy_setports ns2/named2.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
sleep 5

# A source inside 10/8 must be refused even though it presents key "one".
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
	@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
if ! grep -q "^;" dig.out.${t} 2>/dev/null; then
	echo_i "test $t failed"
	status=1
fi

# From an address outside 10/8, key "two" must still be refused ...
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
	@10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
if ! grep -q "^;" dig.out.${t} 2>/dev/null; then
	echo_i "test $t failed"
	status=1
fi

# ... while key "one" must be accepted.
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
	@10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
if grep -q "^;" dig.out.${t} 2>/dev/null; then
	echo_i "test $t failed"
	status=1
fi
55
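echo_i "testing nested ACL processing"
# Third configuration: every combination of source 10.53.0.{1,2} and key
# {one,two} is allowed; a matching key from another address, a matching
# address without a key, or an unknown key must all be refused.
copy_setports ns2/named3.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
sleep 5

# 10.53.0.2 with key "two": should succeed.
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
	@10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
if grep -q "^;" dig.out.${t} 2>/dev/null; then
	echo_i "test $t failed"
	status=1
fi

# 10.53.0.2 with key "one": should succeed.
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
	@10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
if grep -q "^;" dig.out.${t} 2>/dev/null; then
	echo_i "test $t failed"
	status=1
fi

# 10.53.0.1 with key "two": should succeed.
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
	@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
if grep -q "^;" dig.out.${t} 2>/dev/null; then
	echo_i "test $t failed"
	status=1
fi

# 10.53.0.1 with key "one": should succeed.  This is the fourth
# combination promised above; it previously repeated the 10.53.0.1/"two"
# case and so was never exercised.
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
	@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
if grep -q "^;" dig.out.${t} 2>/dev/null; then
	echo_i "test $t failed"
	status=1
fi

# Satisfying only one half of the ACL is not enough: a listed key from an
# address that is not listed must be refused ...
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
	@10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
if ! grep -q "^;" dig.out.${t} 2>/dev/null; then
	echo_i "test $t failed"
	status=1
fi

# ... and so must a listed address that presents no key at all.
# (The failure message used to reference "$tt", an unset variable, and
# therefore never reported which check had failed.)
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
	@10.53.0.2 -b 10.53.0.2 axfr > dig.out.${t}
if ! grep -q "^;" dig.out.${t} 2>/dev/null; then
	echo_i "test $t failed"
	status=1
fi

# A key the server does not know about is refused outright.
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
	@10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t}
if ! grep -q "^;" dig.out.${t} 2>/dev/null; then
	echo_i "test $t failed"
	status=1
fi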
102
# Fourth configuration: only the pairs (10.53.0.1 with key "one") and
# (10.53.0.2 with key "two") are allowed.  A listed address with the other
# key, or an address that is not listed, must be refused.
copy_setports ns2/named4.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
sleep 5

# 10.53.0.2 with key "two": should succeed.
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
	@10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
if grep -q "^;" dig.out.${t} 2>/dev/null; then
	echo_i "test $t failed"
	status=1
fi

# 10.53.0.1 with key "one": should succeed.
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
	@10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
if grep -q "^;" dig.out.${t} 2>/dev/null; then
	echo_i "test $t failed"
	status=1
fi

# 10.53.0.2 with key "one": wrong key for that address, should fail.
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
	@10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
if ! grep -q "^;" dig.out.${t} 2>/dev/null; then
	echo_i "test $t failed"
	status=1
fi

# 10.53.0.1 with key "two": wrong key for that address, should fail.
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
	@10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
if ! grep -q "^;" dig.out.${t} 2>/dev/null; then
	echo_i "test $t failed"
	status=1
fi

# 10.53.0.3 is not listed at all, so even key "one" must be refused.
t=$((t + 1))
$DIG $DIGOPTS tsigzone. \
	@10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t}
if ! grep -q "^;" dig.out.${t} 2>/dev/null; then
	echo_i "test $t failed"
	status=1
fi
137
echo_i "testing allow-query-on ACL processing"
# Fifth configuration; it is also what the blackhole checks below run
# against.
copy_setports ns2/named5.conf.in ns2/named.conf
rndc_reload ns2 10.53.0.2
sleep 5

# A TCP SOA query from 10.53.0.3 is expected to be answered (NOERROR).
# NOTE(review): only the accepted case is checked here; this section has
# no query that the allow-query-on ACL is expected to reject.
t=$((t + 1))
$DIG -p ${PORT} +tcp soa example. \
	@10.53.0.2 -b 10.53.0.3 > dig.out.${t}
if ! grep -q "status: NOERROR" dig.out.${t} 2>/dev/null; then
	echo_i "test $t failed"
	status=1
fi
146
echo_i "testing blackhole ACL processing"
# One numbered check made of four queries; "ret" collects their verdicts.
t=$((t + 1))
ret=0

# Over TCP: the ordinary source (10.53.0.3) must get NOERROR, while the
# blackholed source (10.53.0.8) must get no answer at all -- the check
# expects a transport-level error from dig, not a REFUSED response.
$DIG -p ${PORT} +tcp soa example. \
	@10.53.0.2 -b 10.53.0.3 > dig.out.1.${t}
grep -q "status: NOERROR" dig.out.1.${t} 2>/dev/null || ret=1
$DIG -p ${PORT} +tcp soa example. \
	@10.53.0.2 -b 10.53.0.8 > dig.out.2.${t}
grep -q "status: NOERROR" dig.out.2.${t} 2>/dev/null && ret=1
grep -q "communications error" dig.out.2.${t} 2>/dev/null || ret=1

# Same pair over UDP; a dropped UDP query surfaces in dig as a timeout.
$DIG -p ${PORT} soa example. \
	@10.53.0.2 -b 10.53.0.3 > dig.out.3.${t}
grep -q "status: NOERROR" dig.out.3.${t} 2>/dev/null || ret=1
$DIG -p ${PORT} soa example. \
	@10.53.0.2 -b 10.53.0.8 > dig.out.4.${t}
grep -q "status: NOERROR" dig.out.4.${t} 2>/dev/null && ret=1
grep -q "connection timed out" dig.out.4.${t} 2>/dev/null || ret=1

if [ $ret -ne 0 ]; then
	echo_i "failed"
fi
status=$((status + ret))
166
# AXFR tests against ns3

echo_i "testing allow-transfer ACLs against ns3 (no existing zones)"

# Add a zone at runtime.  The addzone text carries no allow-transfer clause
# of its own, so the transfer is expected to be refused by the server's
# "allow-transfer { none; }" (presumably set in ns3's options) -- both
# immediately and again after a reconfig, so that the restriction is not
# lost when the server re-reads its configuration.
echo_i "calling addzone example.com on ns3"
$RNDCCMD 10.53.0.3 addzone 'example.com {type primary; file "example.db"; }; '
sleep 1

t=$((t + 1))
ret=0
echo_i "checking AXFR of example.com from ns3 with ACL allow-transfer { none; }; (${t})"
# stderr is captured too: dig's refusal text is what the check looks for.
$DIG -p ${PORT} @10.53.0.3 example.com axfr > dig.out.${t} 2>&1
grep -q "Transfer failed." dig.out.${t} 2>/dev/null || ret=1
if [ $ret -ne 0 ]; then
	echo_i "failed"
fi
status=$((status + ret))

echo_i "calling rndc reconfig"
rndc_reconfig ns3 10.53.0.3

sleep 1

t=$((t + 1))
ret=0
echo_i "re-checking AXFR of example.com from ns3 with ACL allow-transfer { none; }; (${t})"
$DIG -p ${PORT} @10.53.0.3 example.com axfr > dig.out.${t} 2>&1
grep -q "Transfer failed." dig.out.${t} 2>/dev/null || ret=1
if [ $ret -ne 0 ]; then
	echo_i "failed"
fi
status=$((status + ret))
195
# AXFR tests against ns4

echo_i "testing allow-transfer ACLs against ns4 (1 pre-existing zone)"

# Same scenario as ns3, but on a server that already serves one zone: the
# zone added at runtime has no allow-transfer clause of its own and must
# still be refused under "allow-transfer { none; }", before and after a
# reconfig.
echo_i "calling addzone example.com on ns4"
$RNDCCMD 10.53.0.4 addzone 'example.com {type primary; file "example.db"; }; '
sleep 1

t=$((t + 1))
ret=0
echo_i "checking AXFR of example.com from ns4 with ACL allow-transfer { none; }; (${t})"
# stderr is captured too: dig's refusal text is what the check looks for.
$DIG -p ${PORT} @10.53.0.4 example.com axfr > dig.out.${t} 2>&1
grep -q "Transfer failed." dig.out.${t} 2>/dev/null || ret=1
if [ $ret -ne 0 ]; then
	echo_i "failed"
fi
status=$((status + ret))

echo_i "calling rndc reconfig"
rndc_reconfig ns4 10.53.0.4

sleep 1

t=$((t + 1))
ret=0
echo_i "re-checking AXFR of example.com from ns4 with ACL allow-transfer { none; }; (${t})"
$DIG -p ${PORT} @10.53.0.4 example.com axfr > dig.out.${t} 2>&1
grep -q "Transfer failed." dig.out.${t} 2>/dev/null || ret=1
if [ $ret -ne 0 ]; then
	echo_i "failed"
fi
status=$((status + ret))
224
# Report the accumulated verdict; any failed check makes the script exit 1.
echo_i "exit status: $status"
if [ "$status" -ne 0 ]; then
	exit 1
fi
227