3008. [func] Response policy zones (RPZ) support. [RT #21726]

2011-01-13 01:59:28 +00:00
parent 100b78748b
commit 87708bde16
45 changed files with 4191 additions and 220 deletions
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@@ -0,0 +1,223 @@
+# Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: tests.sh,v 1.2 2011/01/13 01:59:26 marka Exp $
+
+# test response policy zones (RPZ)
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+root=10.53.0.1
+s2=10.53.0.2
+s3=10.53.0.3
+
+DIGCMD="$DIG +noadd +nosea +nocmd -p 5300"
+
+
+USAGE="$0: [-x]"
+while getopts "x" c; do
+    case $c in
+	x) set -x;;
+	*) echo "$USAGE" 1>&2; exit 1;;
+    esac
+done
+shift `expr $OPTIND - 1 || true`
+if test "$#" -ne 0; then
+    echo "$USAGE" 1>&2
+    exit 1
+fi
+# really quit on control-C
+trap 'exit 1' 1 2 15
+
+
+# set DIGNM=file name for dig output
+# $1=target domain  $2=optional query type  $3=optional string
+dignm () {
+    DIGNM=dig.out-$DIGNM_SUB-$1
+    if test -n "$3"; then
+	DIGNM=$DIGNM-$3
+    fi
+    if test -n "$2"; then
+	DIGNM=$DIGNM-`expr "x$2" : 'x-t *\(.*\)'`
+    fi
+}
+
+setret () {
+    ret=1
+    echo "$*"
+}
+
+# check rewrite to NXDOMAIN
+# $1=target domain  $2=optional query type
+nxdomain () {
+    dignm $1 "$2"
+    $DIGCMD +noauth $1 $2 @$s3 >$DIGNM
+    $PERL ../digcomp.pl dig.out-nxdomain $DIGNM || setret "   in $DIGNM"
+}
+
+# check rewrite to NODATA
+# $1=target domain  $2=optional query type
+nodata () {
+    dignm $1 "$2"
+    $DIGCMD +noauth $1 $2 @$s3 >$DIGNM
+    $PERL ../digcomp.pl dig.out-nodata $DIGNM ||  setret "   in $DIGNM"
+}
+
+# check rewrite to "A 12.12.12.12"
+#   modify the output so that it is easily matched, but save the original line
+# $1=target domain  $2=optional query type
+a12 () {
+    dignm $1 "$2"
+    $DIGCMD +noauth $1 $2 @$s3						\
+	| sed -e "/^$1\.	/{"					\
+	    -e "s/.*/;xxx &/p" -e "s/^;xxx $1/a12.tld2/" -e '}'		\
+	>$DIGNM
+    $PERL ../digcomp.pl dig.out-a12 $DIGNM || ret=1
+}
+
+# check that a response is not rewritten
+# $1=target domain  $2=optional query type
+nochange () {
+    dignm $1 "$2" ok
+    DIGNM_OK=$DIGNM
+    dignm $1 "$2"
+    $DIGCMD $1 $2 @$s3 >$DIGNM
+    $DIGCMD $1 $2 @$s2 >$DIGNM_OK
+    $PERL ../digcomp.pl $DIGNM_OK $DIGNM || ret=1
+}
+
+flush_db () {
+    if $RNDC -c ../common/rndc.conf -s $s3 -p 9953 freeze; then : ; else
+	echo "I:failed to freeze policy zone $1"
+	exit 1
+    fi
+    if $RNDC -c ../common/rndc.conf -s $s3 -p 9953 thaw; then : ; else
+	echo "I:failed to thaw policy zone $1"
+	exit 1
+    fi
+}
+
+# $1=message  $2=test file
+start_test () {
+    ret=0
+    if test -n "$1"; then
+	echo "I:checking $1"
+    fi
+    PREV_FILE=$2
+    if test -n "$2"; then
+	DIGNM_SUB=`expr "$2" : 'test\(.\)'`
+	if $NSUPDATE -v $PREV_FILE; then : ; else
+	    echo "I:failed to update policy zone $1 with $2"
+	    exit 1
+	fi
+	#flush_db
+    else
+	DIGNM_SUB="${DIGNM_SUB}x"
+    fi
+}
+
+end_test () {
+    if test $ret != 0; then
+	echo "I:failed"
+    else
+	rm -f dig.out-${DIGNM_SUB}*
+    fi
+    if test -n "$PREV_FILE"; then
+	sed -e 's/ add / delete /' $PREV_FILE | $NSUPDATE
+	status=`expr $status + $ret`
+	#flush_db
+    fi
+}
+
+
+# make NXDOMAIN and NODATA prototypes
+echo "I:making prototype RPZ NXDOMAIN, NODATA, and CNAME results"
+$DIGCMD +noauth nonexistent @$s2 >dig.out-nxdomain
+$DIGCMD +noauth nodata.tld2 @$s2 >dig.out-nodata
+$DIGCMD +noauth a12.tld2    @$s2 >dig.out-a12
+
+status=0
+
+start_test "RPZ QNAME rewrites" test1
+nxdomain a0-1.tld2
+nodata a3-1.tld2
+a12 a4-1.sub1.tld2
+end_test
+
+start_test "RPZ IP rewrites" test2
+nodata a3-1.tld2
+nochange a3-2.tld2
+nxdomain a3-99.tld2
+nochange a4-1.tld2
+nxdomain a4-2.tld2
+nochange a4-2.tld2 -taaaa
+nochange a4-2.tld2 -ttxt
+nxdomain a4-2.tld2 -tany
+nodata a4-3.tld2
+nxdomain a3-1.tld2 -tAAAA
+nochange a4-1-aaaa.tld2 -tAAAA
+end_test
+
+start_test "RPZ radix tree deletions"
+nochange a3-1.tld2
+nochange a3-2.tld2
+nochange a4-1.tld2
+nochange a4-2.tld2
+nochange a4-2.tld2 -taaaa
+nochange a4-2.tld2 -ttxt
+nochange a4-2.tld2 -tany
+nochange a4-3.tld2
+nochange a3-1.tld2 -tAAAA
+nochange a4-1-aaaa.tld2 -tAAAA
+end_test
+
+if ./rpz nsdname; then
+    start_test "RPZ NSDNAME rewrites" test3
+    nochange a3-1.tld2
+    nxdomain a3-1.sub1.tld2
+    nxdomain a3-1.sub2.sub1.tld2
+    end_test
+else
+    echo "I:RPZ NSDNAME not checked; named was not built with --enable-rpz-nsdname"
+fi
+
+if ./rpz nsip; then
+    start_test "RPZ NSIP rewrites" test4
+    nxdomain a3-1.tld2
+    nochange .
+    end_test
+else
+    echo "I:RPZ NSIP not checked; named was not built with --enable-rpz-nsip"
+fi
+
+start_test "RPZ policy overrides" test5
+nxdomain a3-1.tld2
+nochange a3-2.tld2
+nodata a3-3.tld2
+nxdomain a3-4.tld2
+dignm a3-5.tld2 -tany
+$DIGCMD +noauth a3-5.tld2 -tany @$s3 >$DIGNM
+if grep CNAME $DIGNM >/dev/null; then : ; else
+    echo "'policy cname' failed"
+    ret=1
+fi
+end_test
+
+if test "$status" -eq 0; then
+    rm -f dig.out*
+fi
+
+echo "I:exit status: $status"
+exit $status