1#!/bin/sh
2#
3# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
4#
5# This Source Code Form is subject to the terms of the Mozilla Public
6# License, v. 2.0. If a copy of the MPL was not distributed with this
7# file, you can obtain one at https://mozilla.org/MPL/2.0/.
8#
9# See the COPYRIGHT file distributed with this work for additional
10# information regarding copyright ownership.
11
12# tests for TSIG-GSS updates
13
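SYSTEMTESTTOP=..
# conf.sh is expected to provide the helpers used below (echo_i, NSUPDATE,
# DIG, PERL) and the PORT the test server listens on.
. "$SYSTEMTESTTOP/conf.sh"

# status accumulates one count per failed test case; n numbers the cases.
status=0
n=1

# Common dig arguments for the server under test. Deliberately left
# unquoted at the use sites so it splits into separate dig arguments.
DIGOPTS="@10.53.0.1 -p ${PORT}"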
21
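#######################################
# Send one GSS-TSIG authenticated dynamic update and verify the outcome.
# Globals:   PORT, NSUPDATE, DIG, DIGOPTS (read)
# Files:     writes ns1/update.txt and nsupdate.out<num>
# Arguments: $1 - test number, used to name the nsupdate output file
#            $2 - owner name to add
#            $3 - RR type queried back with dig
#            $4 - rest of the "update add" line (TTL TYPE RDATA)
#            $5 - text expected exactly once in dig's answer for $2
# Returns:   0 if the update was accepted, the TKEY exchange was TSIG
#            signed and the record is visible; 1 otherwise (diagnostics
#            are reported through echo_i)
#######################################
test_update () {
    num="$1"
    host="$2"
    type="$3"
    cmd="$4"
    digout="$5"

    cat <<EOF > ns1/update.txt
server 10.53.0.1 ${PORT}
update add $host $cmd
send
answer
EOF
    echo_i "testing update for $host $type $cmd"
    # -g negotiates a GSS-TSIG key; -d keeps the debug trace we inspect below.
    $NSUPDATE -g -d ns1/update.txt > "nsupdate.out${num}" 2>&1 || {
        echo_i "update failed for $host $type $cmd"
        sed "s/^/I:/" "nsupdate.out${num}"
        return 1
    }

    # Verify that the TKEY response is TSIG signed: the debug trace between
    # the GSS-TSIG reply and the update send must show a gss-tsig TKEY answer
    # plus a TSIG pseudosection with status NOERROR.
    tkeyout=$(awk '/recvmsg reply from GSS-TSIG query/,/Sending update to/' "nsupdate.out${num}")
    pattern="recvmsg reply from GSS-TSIG query .* opcode: QUERY, status: NOERROR, id: .* flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; QUESTION SECTION: ;.* ANY TKEY ;; ANSWER SECTION: .* 0 ANY TKEY gss-tsig\. .* ;; TSIG PSEUDOSECTION: .* 0 ANY TSIG gss-tsig\. .* NOERROR 0"
    # The pattern is written against a single line: fold the multi-line
    # trace by turning newlines and tabs into spaces and squeezing runs of
    # spaces (rather than word-splitting it through an unquoted echo, which
    # would also glob-expand the trace).
    printf '%s\n' "$tkeyout" | tr '\n\t' '  ' | tr -s ' ' | grep "$pattern" > /dev/null || {
        echo_i "bad tkey response (not tsig signed)"
        return 1
    }

    # Weaker, whitespace-sensitive check on the raw file: the TKEY reply must
    # carry exactly one additional record (the TSIG).
    grep -q "flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" "nsupdate.out${num}" || {
        echo_i "bad tkey response (not tsig signed)"
        return 1
    }

    # Read the record back; DIGOPTS is intentionally unquoted (see its
    # definition). The expected text must appear on exactly one answer line.
    out=$($DIG $DIGOPTS -t "$type" -q "$host" | grep -E "^${host}")
    lines=$(printf '%s\n' "$out" | grep -c "$digout")
    [ "$lines" -eq 1 ] || {
        echo_i "dig output incorrect for $host $type $cmd: $out"
        return 1
    }
    return 0
}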
64
65
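# Testing updates with good credentials: use the administrator's Kerberos
# credential cache prepared under ns1/.
KRB5CCNAME="FILE:$(pwd)/ns1/administrator.ccache"
export KRB5CCNAME

echo_i "testing updates to testdc1 as administrator ($n)"
ret=0
test_update "$n" testdc1.example.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1
n=$((n+1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))

echo_i "testing updates to testdc2 as administrator ($n)"
ret=0
test_update "$n" testdc2.example.nil. A "86400 A 10.53.0.11" "10.53.0.11" || ret=1
n=$((n+1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))

echo_i "testing updates to denied as administrator ($n)"
ret=0
# Negative test: the update is expected to be rejected, so a non-zero
# return from test_update is the passing outcome. Any failure reason
# (including a TKEY that fails the signature check) counts as "denied"
# here, and test_update's output is discarded, so a rejection for the
# wrong reason is indistinguishable from a policy refusal.
test_update "$n" denied.example.nil. TXT "86400 TXT helloworld" "helloworld" > /dev/null && ret=1
n=$((n+1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))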
90
91
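# Testing denied updates: switch to the credential cache of the restricted
# "testdenied" principal.
KRB5CCNAME="FILE:$(pwd)/ns1/testdenied.ccache"
export KRB5CCNAME

echo_i "testing updates to denied (A) as a user ($n)"
ret=0
# Negative test: this principal must not be able to add an A record.
# Any non-zero return from test_update passes, and its output is
# discarded, so the reason for the rejection is not checked.
test_update "$n" testdenied.example.nil. A "86400 A 10.53.0.12" "10.53.0.12" > /dev/null && ret=1
n=$((n+1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))

echo_i "testing updates to denied (TXT) as a user ($n)"
ret=0
# Positive test: the same principal is expected to be allowed a TXT update.
test_update "$n" testdenied.example.nil. TXT "86400 TXT helloworld" "helloworld" || ret=1
n=$((n+1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))

echo_i "testing external update policy (CNAME) ($n)"
ret=0
# Negative test: without the external policy helper running, the CNAME
# update is expected to be refused.
test_update "$n" testcname.example.nil. CNAME "86400 CNAME testdenied.example.nil" "testdenied" > /dev/null && ret=1
n=$((n+1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))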
116
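echo_i "testing external update policy (CNAME) with auth sock ($n)"
ret=0
# Start the external policy helper in the background. It is given the
# socket path ns1/auth.sock and writes its PID to authsock.pid, which the
# cleanup at the end of the script uses to stop it.
$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 > /dev/null 2>&1 &
# NOTE(review): a fixed one-second sleep is the only readiness wait for the
# helper; on a slow host the update below can race its startup.
sleep 1
test_update "$n" testcname.example.nil. CNAME "86400 CNAME testdenied.example.nil" "testdenied" || ret=1
n=$((n+1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))

echo_i "testing external update policy (A) ($n)"
ret=0
# Negative test: the helper was started with --type=CNAME, so an A update
# is expected to be refused. Any non-zero return passes and the output is
# discarded, so the reason for the refusal is not checked.
test_update "$n" testcname.example.nil. A "86400 A 10.53.0.13" "10.53.0.13" > /dev/null && ret=1
n=$((n+1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))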
132
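echo_i "testing external policy with SIG(0) key ($n)"
ret=0
# The key file name is globbed on purpose: the key id in the file name is
# generated at setup time and is not known here.
$NSUPDATE -k ns1/Kkey.example.nil.*.private <<END > /dev/null 2>&1 || ret=1
server 10.53.0.1 ${PORT}
zone example.nil
update add fred.example.nil 120 cname foo.bar.
send
END
# The update must be visible afterwards; an empty +short answer is a failure.
output=$($DIG $DIGOPTS +short cname fred.example.nil.)
[ -n "$output" ] || ret=1
n=$((n+1))
# Single failure report (the original printed "failed" twice for this case).
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))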
147
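echo_i "ensure too long realm name is fatal in non-interactive mode ($n)"
ret=0
# In non-interactive mode an over-long realm must make nsupdate exit
# non-zero and report both the length problem and a syntax error.
$NSUPDATE <<END > "nsupdate.out${n}" 2>&1 && ret=1
    realm namenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamename
END
grep -q "realm is too long" "nsupdate.out${n}" || ret=1
grep -q "syntax error" "nsupdate.out${n}" || ret=1
n=$((n+1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))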
158
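echo_i "ensure too long realm name is not fatal in interactive mode ($n)"
ret=0
# In interactive mode (-i) the same over-long realm must be reported but
# must not make nsupdate exit non-zero.
$NSUPDATE -i <<END > "nsupdate.out${n}" 2>&1 || ret=1
    realm namenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamenamename
END
grep -q "realm is too long" "nsupdate.out${n}" || ret=1
n=$((n+1))
# Single failure report; the failure is counted once through status below
# (the original reported and counted it twice).
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))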
169
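[ "$status" -eq 0 ] && echo_i "tsiggss tests all OK"

# Stop the background authsock.pl helper started earlier. Its PID file is
# absent if the helper never started, so guard the kill instead of
# letting cat/kill emit errors.
if [ -f authsock.pid ]; then
    kill "$(cat authsock.pid)"
fi

echo_i "exit status: $status"
[ "$status" -eq 0 ] || exit 1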
176