#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0.  If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# tests for TSIG-GSS updates

# Shared system-test harness; expected to provide echo_i, $NSUPDATE, $DIG,
# $PERL and $PORT, all of which are used below.
SYSTEMTESTTOP=..
. "$SYSTEMTESTTOP/conf.sh"

status=0   # running count of failed sub-tests; drives the exit status
n=1        # sub-test counter, used in messages and nsupdate.out$n names

# Common arguments for every dig call.  Expanded unquoted on purpose so the
# shell splits it into separate arguments.
DIGOPTS="@10.53.0.1 -p ${PORT}"

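#
# test_update NUM HOST TYPE CMD DIGOUT
#
# Send one GSS-TSIG dynamic update to ns1 and check that it took effect.
#   NUM    - sequence number; nsupdate's debug output is kept in nsupdate.out$NUM
#   HOST   - owner name to update (fully qualified, trailing dot)
#   TYPE   - RR type to query back with dig afterwards
#   CMD    - rest of the "update add" line (TTL, type, rdata)
#   DIGOUT - text expected exactly once in dig's answer lines for HOST
# Returns 0 when nsupdate succeeded, the TKEY reply was TSIG-signed and dig
# shows the record; 1 otherwise (diagnostics are printed through echo_i).
# Uses $NSUPDATE, $DIG, $DIGOPTS, $PORT and echo_i from conf.sh.
#
test_update () {
    num="$1"
    host="$2"
    type="$3"
    cmd="$4"
    digout="$5"

    cat <<EOF > ns1/update.txt
server 10.53.0.1 ${PORT}
update add $host $cmd
send
answer
EOF
    echo_i "testing update for $host $type $cmd"
    # -g negotiates a GSS-TSIG key with TKEY, -d produces the debug dump
    # that the checks below parse.
    $NSUPDATE -g -d ns1/update.txt > nsupdate.out${num} 2>&1 || {
        echo_i "update failed for $host $type $cmd"
        sed "s/^/I:/" nsupdate.out${num}
        return 1
    }

    # Verify that the TKEY response is signed: the dump of the TKEY reply
    # must carry a TSIG pseudosection under the negotiated gss-tsig key,
    # which is what lets the client authenticate the key exchange.
    tkeyout=$(awk '/recvmsg reply from GSS-TSIG query/,/Sending update to/' nsupdate.out${num})
    pattern="recvmsg reply from GSS-TSIG query .* opcode: QUERY, status: NOERROR, id: .* flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; QUESTION SECTION: ;.* ANY TKEY ;; ANSWER SECTION: .* 0 ANY TKEY gss-tsig\. .* ;; TSIG PSEUDOSECTION: .* 0 ANY TSIG gss-tsig\. .* NOERROR 0"
    # $tkeyout is deliberately left unquoted: the reply spans several lines
    # and word-splitting flattens it into the single line the pattern expects.
    # shellcheck disable=SC2086
    echo $tkeyout | grep "$pattern" > /dev/null || {
        echo_i "bad tkey response (not tsig signed)"
        return 1
    }

    # Weaker fallback check on the section counts of the TKEY reply alone.
    grep -q "flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" nsupdate.out${num} || {
        echo_i "bad tkey response (not tsig signed)"
        return 1
    }

    # Confirm the record is now served.  $DIGOPTS is intentionally unquoted
    # so it splits into separate dig arguments; $host acts as an anchored
    # regex here, so its dots match any character.
    out=$($DIG $DIGOPTS -t "$type" -q "$host" | grep -E "^${host}")
    lines=$(echo "$out" | grep -c "$digout")
    [ "$lines" -eq 1 ] || {
        echo_i "dig output incorrect for $host $type $cmd: $out"
        return 1
    }
    return 0
}

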
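# Testing updates with good credentials: point GSS-TSIG at the
# administrator's Kerberos credential cache.
KRB5CCNAME="FILE:$(pwd)/ns1/administrator.ccache"
export KRB5CCNAME

echo_i "testing updates to testdc1 as administrator ($n)"
ret=0
test_update $n testdc1.example.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1
n=$((n+1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status+ret))

echo_i "testing updates to testdc2 as administrator ($n)"
ret=0
test_update $n testdc2.example.nil. A "86400 A 10.53.0.11" "10.53.0.11" || ret=1
n=$((n+1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status+ret))

# Even with administrator credentials an update to denied.example.nil.
# must be refused; a successful update here counts as a failure.
echo_i "testing updates to denied as administrator ($n)"
ret=0
test_update $n denied.example.nil. TXT "86400 TXT helloworld" "helloworld" > /dev/null && ret=1
n=$((n+1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status+ret))

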
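# Testing denied updates: switch to an ordinary user's credential cache.
# This user is expected to be refused unless the update policy (or the
# external policy helper started below) explicitly allows the update.
KRB5CCNAME="FILE:$(pwd)/ns1/testdenied.ccache"
export KRB5CCNAME

# An A record update by this user must be refused.
echo_i "testing updates to denied (A) as a user ($n)"
ret=0
test_update $n testdenied.example.nil. A "86400 A 10.53.0.12" "10.53.0.12" > /dev/null && ret=1
n=$((n+1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status+ret))

# A TXT record update by the same user is expected to be accepted.
echo_i "testing updates to denied (TXT) as a user ($n)"
ret=0
test_update $n testdenied.example.nil. TXT "86400 TXT helloworld" "helloworld" || ret=1
n=$((n+1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status+ret))

# Without the external policy helper running the CNAME update must fail.
echo_i "testing external update policy (CNAME) ($n)"
ret=0
test_update $n testcname.example.nil. CNAME "86400 CNAME testdenied.example.nil" "testdenied" > /dev/null && ret=1
n=$((n+1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status+ret))

# Start the external policy helper on ns1/auth.sock for CNAME updates; it
# records its pid in authsock.pid and is stopped at the end of the script.
echo_i "testing external update policy (CNAME) with auth sock ($n)"
ret=0
$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 > /dev/null 2>&1 &
sleep 1
# Diagnostic only: if the pid file is still missing the helper did not come
# up in time and the update below will fail for the wrong reason.
[ -s authsock.pid ] || echo_i "warning: authsock.pid not found; authsock.pl may not be running"
test_update $n testcname.example.nil. CNAME "86400 CNAME testdenied.example.nil" "testdenied" || ret=1
n=$((n+1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status+ret))

# The helper was started with --type=CNAME only, so an A update is still
# expected to be refused.
echo_i "testing external update policy (A) ($n)"
ret=0
test_update $n testcname.example.nil. A "86400 A 10.53.0.13" "10.53.0.13" > /dev/null && ret=1
n=$((n+1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status+ret))
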
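echo_i "testing external policy with SIG(0) key ($n)"
ret=0
# Sign this update with the SIG(0) key in ns1/Kkey.example.nil.*.private
# instead of GSS-TSIG; the glob is expected to match exactly one file.
$NSUPDATE -k ns1/Kkey.example.nil.*.private <<END > /dev/null 2>&1 || ret=1
server 10.53.0.1 ${PORT}
zone example.nil
update add fred.example.nil 120 cname foo.bar.
send
END
# The update is only considered applied if dig returns a non-empty answer.
output=$($DIG $DIGOPTS +short cname fred.example.nil.)
[ -n "$output" ] || ret=1
n=$((n+1))
# Report the failure exactly once (the original printed "failed" twice).
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status+ret))
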
echo_i "ensure too long realm name is fatal in non-interactive mode ($n)"
ret=0
# In batch mode an oversized realm must make nsupdate exit non-zero, and
# both diagnostics must show up in its output.
if $NSUPDATE <<END > nsupdate.out${n} 2>&1
    realm namenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamename
END
then
    ret=1
fi
grep -q "realm is too long" nsupdate.out${n} || ret=1
grep -q "syntax error" nsupdate.out${n} || ret=1
n=$((n+1))
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status+ret))

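echo_i "ensure too long realm name is not fatal in interactive mode ($n)"
ret=0
# With -i the oversized realm is reported but nsupdate keeps running and
# must still exit 0 at end of input.
$NSUPDATE -i <<END > nsupdate.out${n} 2>&1 || ret=1
    realm namenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamename
END
grep -q "realm is too long" nsupdate.out${n} || ret=1
n=$((n+1))
# Report once and count the failure once: the previous version printed
# "failed" twice and added ret on top of an unconditional status=1.
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status+ret))
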
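[ "$status" -eq 0 ] && echo_i "tsiggss tests all OK"

# Stop the external policy helper started earlier.  It writes its pid to
# authsock.pid; if that file never appeared there is nothing to kill, and
# a bare "kill" with no argument would only add a confusing error.
if [ -s authsock.pid ]; then
    kill "$(cat authsock.pid)" 2>/dev/null || echo_i "authsock.pl (authsock.pid) was not running"
fi

echo_i "exit status: $status"
[ "$status" -eq 0 ] || exit 1
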