auth_srv_unittest.cc 32.4 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14
// Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
//
// Permission to use, copy, modify, and/or distribute this software for any
// purpose with or without fee is hereby granted, provided that the above
// copyright notice and this permission notice appear in all copies.
//
// THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
// REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
// AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
// INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
// LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
// OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
// PERFORMANCE OF THIS SOFTWARE.

15
#include <config.h>
16 17 18 19 20 21 22 23 24 25 26 27

#include <vector>

#include <gtest/gtest.h>

#include <dns/message.h>
#include <dns/messagerenderer.h>
#include <dns/name.h>
#include <dns/rrclass.h>
#include <dns/rrtype.h>
#include <dns/rrttl.h>
#include <dns/rdataclass.h>
28
#include <dns/tsig.h>
29

30
#include <server_common/portconfig.h>
31
#include <server_common/keyring.h>
32

JINMEI Tatuya's avatar
JINMEI Tatuya committed
33
#include <datasrc/memory_datasrc.h>
34
#include <auth/auth_srv.h>
35
#include <auth/common.h>
36
#include <auth/statistics.h>
37

38
#include <dns/tests/unittest_util.h>
JINMEI Tatuya's avatar
JINMEI Tatuya committed
39
#include <testutils/dnsmessage_test.h>
40
#include <testutils/srv_test.h>
41
#include <testutils/portconfig.h>
42

JINMEI Tatuya's avatar
JINMEI Tatuya committed
43
using namespace std;
44
using namespace isc::cc;
45
using namespace isc::dns;
46
using namespace isc::util;
47
using namespace isc::dns::rdata;
48
using namespace isc::data;
49
using namespace isc::xfr;
50 51
using namespace isc::asiodns;
using namespace isc::asiolink;
52
using namespace isc::testutils;
53
using namespace isc::server_common::portconfig;
Evan Hunt's avatar
Evan Hunt committed
54
using isc::UnitTestUtil;
55 56

namespace {
57
const char* const CONFIG_TESTDB =
58
    "{\"database_file\": \"" TEST_DATA_DIR "/example.sqlite3\"}";
59 60
// The following file must be non existent and must be non"creatable" (see
// the sqlite3 test).
61
const char* const BADCONFIG_TESTDB =
62
    "{ \"database_file\": \"" TEST_DATA_DIR "/nodir/notexist\"}";
63

64
class AuthSrvTest : public SrvTestBase {
65
protected:
66 67 68 69 70 71
    AuthSrvTest() :
        dnss_(ios_, NULL, NULL, NULL),
        server(true, xfrout),
        rrclass(RRClass::IN())
    {
        server.setDNSService(dnss_);
72
        server.setXfrinSession(&notify_session);
73
        server.setStatisticsSession(&statistics_session);
74
    }
75 76 77 78
    virtual void processMessage() {
        server.processMessage(*io_message, parse_message, response_obuffer,
                              &dnsserv);
    }
79 80
    IOService ios_;
    DNSService dnss_;
81
    MockSession statistics_session;
82
    MockXfroutClient xfrout;
83
    AuthSrv server;
JINMEI Tatuya's avatar
JINMEI Tatuya committed
84
    const RRClass rrclass;
85
    vector<uint8_t> response_data;
86 87
};

88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155
// A helper function that builds a response to version.bind/TXT/CH that
// should be identical to the response from our builtin (static) data source
// by default.  The resulting wire-format data will be stored in 'data'.
void
createBuiltinVersionResponse(const qid_t qid, vector<uint8_t>& data) {
    const Name version_name("version.bind");
    Message message(Message::RENDER);

    UnitTestUtil::createRequestMessage(message, Opcode::QUERY(),
                                       qid, version_name,
                                       RRClass::CH(), RRType::TXT());
    message.setHeaderFlag(Message::HEADERFLAG_QR);
    message.setHeaderFlag(Message::HEADERFLAG_AA);
    RRsetPtr rrset_version = RRsetPtr(new RRset(version_name, RRClass::CH(),
                                                RRType::TXT(), RRTTL(0)));
    rrset_version->addRdata(generic::TXT(PACKAGE_STRING));
    message.addRRset(Message::SECTION_ANSWER, rrset_version);

    RRsetPtr rrset_version_ns = RRsetPtr(new RRset(version_name, RRClass::CH(),
                                                   RRType::NS(), RRTTL(0)));
    rrset_version_ns->addRdata(generic::NS(version_name));
    message.addRRset(Message::SECTION_AUTHORITY, rrset_version_ns);

    OutputBuffer obuffer(0);
    MessageRenderer renderer(obuffer);
    message.toWire(renderer);

    data.clear();
    data.assign(static_cast<const uint8_t*>(renderer.getData()),
                static_cast<const uint8_t*>(renderer.getData()) +
                renderer.getLength());
}

// In the following tests we confirm the response data is rendered in
// wire format in the expected way.

// The most primitive check: checking the result of the processMessage()
// method
TEST_F(AuthSrvTest, builtInQuery) {
    UnitTestUtil::createRequestMessage(request_message, Opcode::QUERY(),
                                       default_qid, Name("version.bind"),
                                       RRClass::CH(), RRType::TXT());
    createRequestPacket(request_message, IPPROTO_UDP);
    server.processMessage(*io_message, parse_message, response_obuffer,
                          &dnsserv);
    createBuiltinVersionResponse(default_qid, response_data);
    EXPECT_PRED_FORMAT4(UnitTestUtil::matchWireData,
                        response_obuffer->getData(),
                        response_obuffer->getLength(),
                        &response_data[0], response_data.size());
}

// Same test emulating the UDPServer class behavior (defined in libasiolink).
// This is not a good test in that it assumes internal implementation details
// of UDPServer, but we've encountered a regression due to the introduction
// of that class, so we add a test for that case to prevent such a regression
// in future.
// Besides, the generalization of UDPServer is probably too much for the
// authoritative only server in terms of performance, and it's quite likely
// we need to drop it for the authoritative server implementation.
// At that point we can drop this test, too.
TEST_F(AuthSrvTest, builtInQueryViaDNSServer) {
    UnitTestUtil::createRequestMessage(request_message, Opcode::QUERY(),
                                       default_qid, Name("version.bind"),
                                       RRClass::CH(), RRType::TXT());
    createRequestPacket(request_message, IPPROTO_UDP);

    (*server.getDNSLookupProvider())(*io_message, parse_message,
156
                                     response_message,
157 158
                                     response_obuffer, &dnsserv);
    (*server.getDNSAnswerProvider())(*io_message, parse_message,
159
                                     response_message, response_obuffer);
160 161 162 163 164 165 166 167 168 169 170 171

    createBuiltinVersionResponse(default_qid, response_data);
    EXPECT_PRED_FORMAT4(UnitTestUtil::matchWireData,
                        response_obuffer->getData(),
                        response_obuffer->getLength(),
                        &response_data[0], response_data.size());
}

// Same type of test as builtInQueryViaDNSServer but for an error response.
TEST_F(AuthSrvTest, iqueryViaDNSServer) {
    createDataFromFile("iquery_fromWire.wire");
    (*server.getDNSLookupProvider())(*io_message, parse_message,
172
                                     response_message,
173 174
                                     response_obuffer, &dnsserv);
    (*server.getDNSAnswerProvider())(*io_message, parse_message,
175
                                     response_message, response_obuffer);
176 177 178 179 180 181 182 183 184

    UnitTestUtil::readWireData("iquery_response_fromWire.wire",
                               response_data);
    EXPECT_PRED_FORMAT4(UnitTestUtil::matchWireData,
                        response_obuffer->getData(),
                        response_obuffer->getLength(),
                        &response_data[0], response_data.size());
}

185 186
// Unsupported requests.  Should result in NOTIMP.
TEST_F(AuthSrvTest, unsupportedRequest) {
187
    unsupportedRequest();
188
}
189

190 191
// Simple API check
TEST_F(AuthSrvTest, verbose) {
192 193 194 195 196
    EXPECT_FALSE(server.getVerbose());
    server.setVerbose(true);
    EXPECT_TRUE(server.getVerbose());
    server.setVerbose(false);
    EXPECT_FALSE(server.getVerbose());
197 198
}

199 200
// Multiple questions.  Should result in FORMERR.
TEST_F(AuthSrvTest, multiQuestion) {
201
    multiQuestion();
202 203
}

204 205 206
// Incoming data doesn't even contain the complete header.  Must be silently
// dropped.
TEST_F(AuthSrvTest, shortMessage) {
207
    shortMessage();
208 209 210 211 212
}

// Response messages.  Must be silently dropped, whether it's a valid response
// or malformed or could otherwise cause a protocol error.
TEST_F(AuthSrvTest, response) {
213
    response();
214 215 216 217
}

// Query with a broken question
TEST_F(AuthSrvTest, shortQuestion) {
218
    shortQuestion();
219
}
220

221 222
// Query with a broken answer section
TEST_F(AuthSrvTest, shortAnswer) {
223
    shortAnswer();
224 225
}

226 227
// Query with unsupported version of EDNS.
TEST_F(AuthSrvTest, ednsBadVers) {
228
    ednsBadVers();
229 230
}

JINMEI Tatuya's avatar
JINMEI Tatuya committed
231
TEST_F(AuthSrvTest, AXFROverUDP) {
232
    axfrOverUDP();
JINMEI Tatuya's avatar
JINMEI Tatuya committed
233 234
}

235 236
TEST_F(AuthSrvTest, AXFRSuccess) {
    EXPECT_FALSE(xfrout.isConnected());
Evan Hunt's avatar
Evan Hunt committed
237 238 239
    UnitTestUtil::createRequestMessage(request_message, opcode, default_qid,
                         Name("example.com"), RRClass::IN(), RRType::AXFR());
    createRequestPacket(request_message, IPPROTO_TCP);
240 241
    // On success, the AXFR query has been passed to a separate process,
    // so we shouldn't have to respond.
Evan Hunt's avatar
Evan Hunt committed
242 243
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_FALSE(dnsserv.hasAnswer());
244
    EXPECT_TRUE(xfrout.isConnected());
245 246
}

247 248 249 250
// Try giving the server a TSIG signed request and see it can anwer signed as
// well
TEST_F(AuthSrvTest, TSIGSigned) {
    // Prepare key, the client message, etc
251
    const TSIGKey key("key:c2VjcmV0Cg==:hmac-sha1");
252 253 254 255 256
    TSIGContext context(key);
    UnitTestUtil::createRequestMessage(request_message, opcode, default_qid,
                         Name("version.bind"), RRClass::CH(), RRType::TXT());
    createRequestPacket(request_message, IPPROTO_UDP, &context);

257
    // Run the message through the server
258 259 260 261 262 263 264 265 266 267 268 269 270
    isc::server_common::keyring.reset(new TSIGKeyRing);
    isc::server_common::keyring->add(key);
    server.processMessage(*io_message, parse_message, response_obuffer,
                          &dnsserv);
    isc::server_common::keyring.reset();

    // What did we get?
    EXPECT_TRUE(dnsserv.hasAnswer());
    headerCheck(*parse_message, default_qid, Rcode::NOERROR(),
                opcode.getCode(), QR_FLAG | AA_FLAG, 1, 1, 1, 0);
    // We need to parse the message ourself, or getTSIGRecord won't work
    InputBuffer ib(response_obuffer->getData(), response_obuffer->getLength());
    Message m(Message::PARSE);
271
    m.fromWire(ib);
272 273

    const TSIGRecord* tsig = m.getTSIGRecord();
274
    ASSERT_TRUE(tsig != NULL) << "Missing TSIG signature";
275 276 277 278 279 280 281 282
    TSIGError error(context.verify(tsig, response_obuffer->getData(),
                                   response_obuffer->getLength()));
    EXPECT_EQ(TSIGError::NOERROR(), error) <<
        "The server signed the response, but it doesn't seem to be valid";
}

// Give the server a signed request, but don't give it the key. It will
// not be able to verify it, returning BADKEY
283
TEST_F(AuthSrvTest, TSIGSignedBadKey) {
284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301
    TSIGKey key("key:c2VjcmV0Cg==:hmac-sha1");
    TSIGContext context(key);
    UnitTestUtil::createRequestMessage(request_message, opcode, default_qid,
                         Name("version.bind"), RRClass::CH(), RRType::TXT());
    createRequestPacket(request_message, IPPROTO_UDP, &context);

    // Process the message, but use a different key there
    isc::server_common::keyring.reset(new TSIGKeyRing);
    server.processMessage(*io_message, parse_message, response_obuffer,
                          &dnsserv);
    isc::server_common::keyring.reset();

    EXPECT_TRUE(dnsserv.hasAnswer());
    headerCheck(*parse_message, default_qid, TSIGError::BAD_KEY().toRcode(),
                opcode.getCode(), QR_FLAG, 1, 0, 0, 0);
    // We need to parse the message ourself, or getTSIGRecord won't work
    InputBuffer ib(response_obuffer->getData(), response_obuffer->getLength());
    Message m(Message::PARSE);
302
    m.fromWire(ib);
303 304

    const TSIGRecord* tsig = m.getTSIGRecord();
305
    ASSERT_TRUE(tsig != NULL) <<
306
        "Missing TSIG signature (we should have one even at error)";
307
    EXPECT_EQ(TSIGError::BAD_KEY_CODE, tsig->getRdata().getError());
308 309
    EXPECT_EQ(0, tsig->getRdata().getMACSize()) <<
        "It should be unsigned with this error";
310 311 312 313 314 315 316 317 318 319 320 321
}

// Give the server a signed request, but signed by a different key
// (with the same name). It should return BADSIG
TEST_F(AuthSrvTest, TSIGBadSig) {
    TSIGKey key("key:c2VjcmV0Cg==:hmac-sha1");
    TSIGContext context(key);
    UnitTestUtil::createRequestMessage(request_message, opcode, default_qid,
                         Name("version.bind"), RRClass::CH(), RRType::TXT());
    createRequestPacket(request_message, IPPROTO_UDP, &context);

    isc::server_common::keyring.reset(new TSIGKeyRing);
322
    isc::server_common::keyring->add(TSIGKey("key:QkFECg==:hmac-sha1"));
323 324 325 326 327
    server.processMessage(*io_message, parse_message, response_obuffer,
                          &dnsserv);
    isc::server_common::keyring.reset();

    EXPECT_TRUE(dnsserv.hasAnswer());
328
    headerCheck(*parse_message, default_qid, TSIGError::BAD_SIG().toRcode(),
329 330 331 332
                opcode.getCode(), QR_FLAG, 1, 0, 0, 0);
    // We need to parse the message ourself, or getTSIGRecord won't work
    InputBuffer ib(response_obuffer->getData(), response_obuffer->getLength());
    Message m(Message::PARSE);
333
    m.fromWire(ib);
334 335

    const TSIGRecord* tsig = m.getTSIGRecord();
336
    ASSERT_TRUE(tsig != NULL) <<
337
        "Missing TSIG signature (we should have one even at error)";
338
    EXPECT_EQ(TSIGError::BAD_SIG_CODE, tsig->getRdata().getError());
339 340
    EXPECT_EQ(0, tsig->getRdata().getMACSize()) <<
        "It should be unsigned with this error";
341 342
}

343 344 345
TEST_F(AuthSrvTest, AXFRConnectFail) {
    EXPECT_FALSE(xfrout.isConnected()); // check prerequisite
    xfrout.disableConnect();
Evan Hunt's avatar
Evan Hunt committed
346 347 348 349 350
    UnitTestUtil::createRequestMessage(request_message, opcode, default_qid,
                         Name("example.com"), RRClass::IN(), RRType::AXFR());
    createRequestPacket(request_message, IPPROTO_TCP);
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_TRUE(dnsserv.hasAnswer());
351
    headerCheck(*parse_message, default_qid, Rcode::SERVFAIL(),
352 353 354 355 356 357 358
                opcode.getCode(), QR_FLAG, 1, 0, 0, 0);
    EXPECT_FALSE(xfrout.isConnected());
}

TEST_F(AuthSrvTest, AXFRSendFail) {
    // first send a valid query, making the connection with the xfr process
    // open.
Evan Hunt's avatar
Evan Hunt committed
359 360 361 362
    UnitTestUtil::createRequestMessage(request_message, opcode, default_qid,
                         Name("example.com"), RRClass::IN(), RRType::AXFR());
    createRequestPacket(request_message, IPPROTO_TCP);
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
363
    EXPECT_TRUE(xfrout.isConnected());
364 365

    xfrout.disableSend();
366 367
    parse_message->clear(Message::PARSE);
    response_obuffer->clear();
Evan Hunt's avatar
Evan Hunt committed
368 369 370 371 372
    UnitTestUtil::createRequestMessage(request_message, opcode, default_qid,
                         Name("example.com"), RRClass::IN(), RRType::AXFR());
    createRequestPacket(request_message, IPPROTO_TCP);
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_TRUE(dnsserv.hasAnswer());
373
    headerCheck(*parse_message, default_qid, Rcode::SERVFAIL(),
374 375 376 377 378 379 380 381 382 383 384
                opcode.getCode(), QR_FLAG, 1, 0, 0, 0);

    // The connection should have been closed due to the send failure.
    EXPECT_FALSE(xfrout.isConnected());
}

TEST_F(AuthSrvTest, AXFRDisconnectFail) {
    // In our usage disconnect() shouldn't fail.  So we'll see the exception
    // should it be thrown.
    xfrout.disableSend();
    xfrout.disableDisconnect();
Evan Hunt's avatar
Evan Hunt committed
385 386 387
    UnitTestUtil::createRequestMessage(request_message, opcode, default_qid,
                         Name("example.com"), RRClass::IN(), RRType::AXFR());
    createRequestPacket(request_message, IPPROTO_TCP);
388
    EXPECT_THROW(server.processMessage(*io_message, parse_message,
Evan Hunt's avatar
Evan Hunt committed
389
                                       response_obuffer, &dnsserv),
390 391 392 393 394 395 396
                 XfroutError);
    EXPECT_TRUE(xfrout.isConnected());
    // XXX: we need to re-enable disconnect.  otherwise an exception would be
    // thrown via the destructor of the server.
    xfrout.enableDisconnect();
}

397
TEST_F(AuthSrvTest, notify) {
Evan Hunt's avatar
Evan Hunt committed
398 399
    UnitTestUtil::createRequestMessage(request_message, Opcode::NOTIFY(), default_qid,
                         Name("example.com"), RRClass::IN(), RRType::SOA());
400
    request_message.setHeaderFlag(Message::HEADERFLAG_AA);
Evan Hunt's avatar
Evan Hunt committed
401 402 403
    createRequestPacket(request_message, IPPROTO_UDP);
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_TRUE(dnsserv.hasAnswer());
404 405 406

    // An internal command message should have been created and sent to an
    // external module.  Check them.
Evan Hunt's avatar
Evan Hunt committed
407
    EXPECT_EQ("Zonemgr", notify_session.getMessageDest());
408
    EXPECT_EQ("notify",
Evan Hunt's avatar
Evan Hunt committed
409
              notify_session.getSentMessage()->get("command")->get(0)->stringValue());
410
    ConstElementPtr notify_args =
Evan Hunt's avatar
Evan Hunt committed
411
        notify_session.getSentMessage()->get("command")->get(1);
412 413 414
    EXPECT_EQ("example.com.", notify_args->get("zone_name")->stringValue());
    EXPECT_EQ(DEFAULT_REMOTE_ADDRESS,
              notify_args->get("master")->stringValue());
415
    EXPECT_EQ("IN", notify_args->get("zone_class")->stringValue());
416 417

    // On success, the server should return a response to the notify.
418
    headerCheck(*parse_message, default_qid, Rcode::NOERROR(),
419 420
                Opcode::NOTIFY().getCode(), QR_FLAG | AA_FLAG, 1, 0, 0, 0);

421
    // The question must be identical to that of the received notify
422
    ConstQuestionPtr question = *parse_message->beginQuestion();
423 424 425 426 427
    EXPECT_EQ(Name("example.com"), question->getName());
    EXPECT_EQ(RRClass::IN(), question->getClass());
    EXPECT_EQ(RRType::SOA(), question->getType());
}

428 429
TEST_F(AuthSrvTest, notifyForCHClass) {
    // Same as the previous test, but for the CH RRClass.
Evan Hunt's avatar
Evan Hunt committed
430 431
    UnitTestUtil::createRequestMessage(request_message, Opcode::NOTIFY(), default_qid,
                         Name("example.com"), RRClass::CH(), RRType::SOA());
432
    request_message.setHeaderFlag(Message::HEADERFLAG_AA);
Evan Hunt's avatar
Evan Hunt committed
433 434 435
    createRequestPacket(request_message, IPPROTO_UDP);
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_TRUE(dnsserv.hasAnswer());
436 437 438

    // Other conditions should be the same, so simply confirm the RR class is
    // set correctly.
439
    ConstElementPtr notify_args =
Evan Hunt's avatar
Evan Hunt committed
440
        notify_session.getSentMessage()->get("command")->get(1);
441
    EXPECT_EQ("CH", notify_args->get("zone_class")->stringValue());
442 443
}

444 445 446
TEST_F(AuthSrvTest, notifyEmptyQuestion) {
    request_message.clear(Message::RENDER);
    request_message.setOpcode(Opcode::NOTIFY());
447
    request_message.setRcode(Rcode::NOERROR());
448
    request_message.setHeaderFlag(Message::HEADERFLAG_AA);
449 450
    request_message.setQid(default_qid);
    request_message.toWire(request_renderer);
Evan Hunt's avatar
Evan Hunt committed
451 452 453
    createRequestPacket(request_message, IPPROTO_UDP);
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_TRUE(dnsserv.hasAnswer());
454
    headerCheck(*parse_message, default_qid, Rcode::FORMERR(),
455 456 457 458
                Opcode::NOTIFY().getCode(), QR_FLAG, 0, 0, 0, 0);
}

TEST_F(AuthSrvTest, notifyMultiQuestions) {
Evan Hunt's avatar
Evan Hunt committed
459 460
    UnitTestUtil::createRequestMessage(request_message, Opcode::NOTIFY(), default_qid,
                         Name("example.com"), RRClass::IN(), RRType::SOA());
461 462 463
    // add one more SOA question
    request_message.addQuestion(Question(Name("example.com"), RRClass::IN(),
                                         RRType::SOA()));
464
    request_message.setHeaderFlag(Message::HEADERFLAG_AA);
Evan Hunt's avatar
Evan Hunt committed
465 466 467
    createRequestPacket(request_message, IPPROTO_UDP);
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_TRUE(dnsserv.hasAnswer());
468
    headerCheck(*parse_message, default_qid, Rcode::FORMERR(),
469 470 471 472
                Opcode::NOTIFY().getCode(), QR_FLAG, 2, 0, 0, 0);
}

TEST_F(AuthSrvTest, notifyNonSOAQuestion) {
Evan Hunt's avatar
Evan Hunt committed
473 474
    UnitTestUtil::createRequestMessage(request_message, Opcode::NOTIFY(), default_qid,
                         Name("example.com"), RRClass::IN(), RRType::NS());
475
    request_message.setHeaderFlag(Message::HEADERFLAG_AA);
Evan Hunt's avatar
Evan Hunt committed
476 477 478
    createRequestPacket(request_message, IPPROTO_UDP);
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_TRUE(dnsserv.hasAnswer());
479
    headerCheck(*parse_message, default_qid, Rcode::FORMERR(),
480 481 482 483 484
                Opcode::NOTIFY().getCode(), QR_FLAG, 1, 0, 0, 0);
}

TEST_F(AuthSrvTest, notifyWithoutAA) {
    // implicitly leave the AA bit off.  our implementation will accept it.
Evan Hunt's avatar
Evan Hunt committed
485 486 487 488 489
    UnitTestUtil::createRequestMessage(request_message, Opcode::NOTIFY(), default_qid,
                         Name("example.com"), RRClass::IN(), RRType::SOA());
    createRequestPacket(request_message, IPPROTO_UDP);
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_TRUE(dnsserv.hasAnswer());
490
    headerCheck(*parse_message, default_qid, Rcode::NOERROR(),
491 492 493 494
                Opcode::NOTIFY().getCode(), QR_FLAG | AA_FLAG, 1, 0, 0, 0);
}

TEST_F(AuthSrvTest, notifyWithErrorRcode) {
Evan Hunt's avatar
Evan Hunt committed
495 496
    UnitTestUtil::createRequestMessage(request_message, Opcode::NOTIFY(), default_qid,
                         Name("example.com"), RRClass::IN(), RRType::SOA());
497
    request_message.setHeaderFlag(Message::HEADERFLAG_AA);
498
    request_message.setRcode(Rcode::SERVFAIL());
Evan Hunt's avatar
Evan Hunt committed
499 500 501
    createRequestPacket(request_message, IPPROTO_UDP);
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_TRUE(dnsserv.hasAnswer());
502
    headerCheck(*parse_message, default_qid, Rcode::NOERROR(),
503
                Opcode::NOTIFY().getCode(), QR_FLAG | AA_FLAG, 1, 0, 0, 0);
Han Feng's avatar
Han Feng committed
504 505
}

506
TEST_F(AuthSrvTest, notifyWithoutSession) {
507
    server.setXfrinSession(NULL);
508

Evan Hunt's avatar
Evan Hunt committed
509 510
    UnitTestUtil::createRequestMessage(request_message, Opcode::NOTIFY(), default_qid,
                         Name("example.com"), RRClass::IN(), RRType::SOA());
511
    request_message.setHeaderFlag(Message::HEADERFLAG_AA);
Evan Hunt's avatar
Evan Hunt committed
512
    createRequestPacket(request_message, IPPROTO_UDP);
513 514 515

    // we simply ignore the notify and let it be resent if an internal error
    // happens.
Evan Hunt's avatar
Evan Hunt committed
516 517
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_FALSE(dnsserv.hasAnswer());
518 519 520 521 522
}

TEST_F(AuthSrvTest, notifySendFail) {
    notify_session.disableSend();

Evan Hunt's avatar
Evan Hunt committed
523 524
    UnitTestUtil::createRequestMessage(request_message, Opcode::NOTIFY(), default_qid,
                         Name("example.com"), RRClass::IN(), RRType::SOA());
525
    request_message.setHeaderFlag(Message::HEADERFLAG_AA);
Evan Hunt's avatar
Evan Hunt committed
526
    createRequestPacket(request_message, IPPROTO_UDP);
527

Evan Hunt's avatar
Evan Hunt committed
528 529
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_FALSE(dnsserv.hasAnswer());
530 531 532 533 534
}

TEST_F(AuthSrvTest, notifyReceiveFail) {
    notify_session.disableReceive();

Evan Hunt's avatar
Evan Hunt committed
535 536
    UnitTestUtil::createRequestMessage(request_message, Opcode::NOTIFY(), default_qid,
                         Name("example.com"), RRClass::IN(), RRType::SOA());
537
    request_message.setHeaderFlag(Message::HEADERFLAG_AA);
Evan Hunt's avatar
Evan Hunt committed
538 539 540
    createRequestPacket(request_message, IPPROTO_UDP);
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_FALSE(dnsserv.hasAnswer());
541 542 543
}

TEST_F(AuthSrvTest, notifyWithBogusSessionMessage) {
544
    notify_session.setMessage(Element::fromJSON("{\"foo\": 1}"));
545

Evan Hunt's avatar
Evan Hunt committed
546 547
    UnitTestUtil::createRequestMessage(request_message, Opcode::NOTIFY(), default_qid,
                         Name("example.com"), RRClass::IN(), RRType::SOA());
548
    request_message.setHeaderFlag(Message::HEADERFLAG_AA);
Evan Hunt's avatar
Evan Hunt committed
549 550 551
    createRequestPacket(request_message, IPPROTO_UDP);
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_FALSE(dnsserv.hasAnswer());
552 553 554 555
}

TEST_F(AuthSrvTest, notifyWithSessionMessageError) {
    notify_session.setMessage(
556
        Element::fromJSON("{\"result\": [1, \"FAIL\"]}"));
557

Evan Hunt's avatar
Evan Hunt committed
558 559
    UnitTestUtil::createRequestMessage(request_message, Opcode::NOTIFY(), default_qid,
                         Name("example.com"), RRClass::IN(), RRType::SOA());
560
    request_message.setHeaderFlag(Message::HEADERFLAG_AA);
Evan Hunt's avatar
Evan Hunt committed
561 562 563
    createRequestPacket(request_message, IPPROTO_UDP);
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_FALSE(dnsserv.hasAnswer());
564 565
}

566
void
JINMEI Tatuya's avatar
JINMEI Tatuya committed
567
updateConfig(AuthSrv* server, const char* const config_data,
568 569
             const bool expect_success)
{
570
    ConstElementPtr config_answer =
JINMEI Tatuya's avatar
JINMEI Tatuya committed
571
        server->updateConfig(Element::fromJSON(config_data));
572 573 574
    EXPECT_EQ(Element::map, config_answer->getType());
    EXPECT_TRUE(config_answer->contains("result"));

575
    ConstElementPtr result = config_answer->get("result");
576
    EXPECT_EQ(Element::list, result->getType());
577
    EXPECT_EQ(expect_success ? 0 : 1, result->get(0)->intValue());
578 579 580 581
}

// Install a Sqlite3 data source with testing data.
TEST_F(AuthSrvTest, updateConfig) {
582
    updateConfig(&server, CONFIG_TESTDB, true);
583 584 585 586

    // query for existent data in the installed data source.  The resulting
    // response should have the AA flag on, and have an RR in each answer
    // and authority section.
587
    createDataFromFile("examplequery_fromWire.wire");
Evan Hunt's avatar
Evan Hunt committed
588 589
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_TRUE(dnsserv.hasAnswer());
590
    headerCheck(*parse_message, default_qid, Rcode::NOERROR(), opcode.getCode(),
591 592 593 594
                QR_FLAG | AA_FLAG, 1, 1, 1, 0);
}

TEST_F(AuthSrvTest, datasourceFail) {
595
    updateConfig(&server, CONFIG_TESTDB, true);
596 597 598 599 600

    // This query will hit a corrupted entry of the data source (the zoneload
    // tool and the data source itself naively accept it).  This will result
    // in a SERVFAIL response, and the answer and authority sections should
    // be empty.
601
    createDataFromFile("badExampleQuery_fromWire.wire");
Evan Hunt's avatar
Evan Hunt committed
602 603
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_TRUE(dnsserv.hasAnswer());
604
    headerCheck(*parse_message, default_qid, Rcode::SERVFAIL(),
605
                opcode.getCode(), QR_FLAG, 1, 0, 0, 0);
606
}
607 608 609 610 611 612 613 614 615

TEST_F(AuthSrvTest, updateConfigFail) {
    // First, load a valid data source.
    updateConfig(&server, CONFIG_TESTDB, true);

    // Next, try to update it with a non-existent one.  This should fail.
    updateConfig(&server, BADCONFIG_TESTDB, false);

    // The original data source should still exist.
616
    createDataFromFile("examplequery_fromWire.wire");
Evan Hunt's avatar
Evan Hunt committed
617 618
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_TRUE(dnsserv.hasAnswer());
619
    headerCheck(*parse_message, default_qid, Rcode::NOERROR(), opcode.getCode(),
620 621
                QR_FLAG | AA_FLAG, 1, 1, 1, 0);
}
JINMEI Tatuya's avatar
JINMEI Tatuya committed
622

JINMEI Tatuya's avatar
JINMEI Tatuya committed
623 624 625 626 627 628 629 630 631 632 633
TEST_F(AuthSrvTest, updateWithMemoryDataSrc) {
    // Test configuring memory data source.  Detailed test cases are covered
    // in the configuration tests.  We only check the AuthSrv interface here.

    // By default memory data source isn't enabled
    EXPECT_EQ(AuthSrv::MemoryDataSrcPtr(), server.getMemoryDataSrc(rrclass));
    updateConfig(&server,
                 "{\"datasources\": [{\"type\": \"memory\"}]}", true);
    // after successful configuration, we should have one (with empty zoneset).
    ASSERT_NE(AuthSrv::MemoryDataSrcPtr(), server.getMemoryDataSrc(rrclass));
    EXPECT_EQ(0, server.getMemoryDataSrc(rrclass)->getZoneCount());
Jerry's avatar
Jerry committed
634

635
    // The memory data source is empty, should return REFUSED rcode.
Jerry's avatar
Jerry committed
636
    createDataFromFile("examplequery_fromWire.wire");
637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655
    server.processMessage(*io_message, parse_message, response_obuffer,
                          &dnsserv);
    EXPECT_TRUE(dnsserv.hasAnswer());
    headerCheck(*parse_message, default_qid, Rcode::REFUSED(),
                opcode.getCode(), QR_FLAG, 1, 0, 0, 0);
}

TEST_F(AuthSrvTest, chQueryWithMemoryDataSrc) {
    // Configure memory data source for class IN
    updateConfig(&server, "{\"datasources\": "
                 "[{\"class\": \"IN\", \"type\": \"memory\"}]}", true);

    // This shouldn't affect the result of class CH query
    UnitTestUtil::createRequestMessage(request_message, Opcode::QUERY(),
                                       default_qid, Name("version.bind"),
                                       RRClass::CH(), RRType::TXT());
    createRequestPacket(request_message, IPPROTO_UDP);
    server.processMessage(*io_message, parse_message, response_obuffer,
                          &dnsserv);
656
    EXPECT_TRUE(dnsserv.hasAnswer());
657 658
    headerCheck(*parse_message, default_qid, Rcode::NOERROR(),
                opcode.getCode(), QR_FLAG | AA_FLAG, 1, 1, 1, 0);
JINMEI Tatuya's avatar
JINMEI Tatuya committed
659 660
}

JINMEI Tatuya's avatar
JINMEI Tatuya committed
661 662 663 664 665 666 667 668 669
TEST_F(AuthSrvTest, cacheSlots) {
    // simple check for the get/set operations
    server.setCacheSlots(10);    // 10 = arbitrary choice
    EXPECT_EQ(10, server.getCacheSlots());

    // 0 is a valid size
    server.setCacheSlots(0);
    EXPECT_EQ(00, server.getCacheSlots());
}
670

671 672 673
// Submit UDP normal query and check query counter
TEST_F(AuthSrvTest, queryCounterUDPNormal) {
    // The counter should be initialized to 0.
674
    EXPECT_EQ(0, server.getCounter(AuthCounters::COUNTER_UDP_QUERY));
675 676 677 678 679 680 681
    // Create UDP message and process.
    UnitTestUtil::createRequestMessage(request_message, Opcode::QUERY(),
                                       default_qid, Name("example.com"),
                                       RRClass::IN(), RRType::NS());
    createRequestPacket(request_message, IPPROTO_UDP);
    server.processMessage(*io_message, parse_message, response_obuffer,
                          &dnsserv);
682
    // After processing UDP query, the counter should be 1.
683
    EXPECT_EQ(1, server.getCounter(AuthCounters::COUNTER_UDP_QUERY));
684 685
}

686 687 688
// Submit TCP normal query and check query counter
TEST_F(AuthSrvTest, queryCounterTCPNormal) {
    // The counter should be initialized to 0.
689
    EXPECT_EQ(0, server.getCounter(AuthCounters::COUNTER_TCP_QUERY));
690 691 692 693 694 695 696
    // Create TCP message and process.
    UnitTestUtil::createRequestMessage(request_message, Opcode::QUERY(),
                                       default_qid, Name("example.com"),
                                       RRClass::IN(), RRType::NS());
    createRequestPacket(request_message, IPPROTO_TCP);
    server.processMessage(*io_message, parse_message, response_obuffer,
                          &dnsserv);
697
    // After processing TCP query, the counter should be 1.
698
    EXPECT_EQ(1, server.getCounter(AuthCounters::COUNTER_TCP_QUERY));
699 700 701 702 703
}

// Submit TCP AXFR query and check query counter
TEST_F(AuthSrvTest, queryCounterTCPAXFR) {
    // The counter should be initialized to 0.
704
    EXPECT_EQ(0, server.getCounter(AuthCounters::COUNTER_TCP_QUERY));
705 706 707 708 709 710
    UnitTestUtil::createRequestMessage(request_message, opcode, default_qid,
                         Name("example.com"), RRClass::IN(), RRType::AXFR());
    createRequestPacket(request_message, IPPROTO_TCP);
    // On success, the AXFR query has been passed to a separate process,
    // so we shouldn't have to respond.
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
711
    // After processing TCP AXFR query, the counter should be 1.
712
    EXPECT_EQ(1, server.getCounter(AuthCounters::COUNTER_TCP_QUERY));
713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731
}

// class for queryCounterUnexpected test
// getProtocol() returns IPPROTO_IP
class DummyUnknownSocket : public IOSocket {
public:
    DummyUnknownSocket() {}
    virtual int getNative() const { return (0); }
    virtual int getProtocol() const { return (IPPROTO_IP); }
};

// function for queryCounterUnexpected test
// returns a reference to a static object of DummyUnknownSocket
IOSocket&
getDummyUnknownSocket() {
    static DummyUnknownSocket socket;
    return (socket);
}

732
// Submit unexpected type of query and check it throws isc::Unexpected
733
TEST_F(AuthSrvTest, queryCounterUnexpected) {
734 735 736 737
    // This code isn't exception safe, but we'd rather keep the code
    // simpler and more readable as this is only for tests and if it throws
    // the program would immediately terminate anyway.

738
    // Create UDP query packet.
739 740 741 742
    UnitTestUtil::createRequestMessage(request_message, Opcode::QUERY(),
                                       default_qid, Name("example.com"),
                                       RRClass::IN(), RRType::NS());
    createRequestPacket(request_message, IPPROTO_UDP);
743

744
    // Modify the message.
745 746
    delete io_message;
    endpoint = IOEndpoint::create(IPPROTO_UDP,
747
                                  IOAddress(DEFAULT_REMOTE_ADDRESS), 53210);
748 749 750 751 752
    io_message = new IOMessage(request_renderer.getData(),
                               request_renderer.getLength(),
                               getDummyUnknownSocket(), *endpoint);

    EXPECT_THROW(server.processMessage(*io_message, parse_message,
753
                                       response_obuffer, &dnsserv),
754
                 isc::Unexpected);
755
}
756 757 758 759 760

TEST_F(AuthSrvTest, stop) {
    // normal case is covered in command_unittest.cc.  we should primarily
    // test it here, but the current design of the stop test takes time,
    // so we consolidate the cases in the command tests.
761 762
    // If/when the interval timer has finer granularity we'll probably add
    // our own tests here, so we keep this empty test case.
763
}
764 765

TEST_F(AuthSrvTest, listenAddresses) {
766
    isc::testutils::portconfig::listenAddresses(server);
767
}
768

769
}