auth_srv_unittest.cc 34 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14
// Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
//
// Permission to use, copy, modify, and/or distribute this software for any
// purpose with or without fee is hereby granted, provided that the above
// copyright notice and this permission notice appear in all copies.
//
// THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
// REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
// AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
// INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
// LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
// OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
// PERFORMANCE OF THIS SOFTWARE.

15
#include <config.h>
16 17 18 19 20 21 22 23 24 25 26 27

#include <vector>

#include <gtest/gtest.h>

#include <dns/message.h>
#include <dns/messagerenderer.h>
#include <dns/name.h>
#include <dns/rrclass.h>
#include <dns/rrtype.h>
#include <dns/rrttl.h>
#include <dns/rdataclass.h>
28
#include <dns/tsig.h>
29

30
#include <server_common/portconfig.h>
31
#include <server_common/keyring.h>
32

JINMEI Tatuya's avatar
JINMEI Tatuya committed
33
#include <datasrc/memory_datasrc.h>
34
#include <auth/auth_srv.h>
35
#include <auth/common.h>
36
#include <auth/statistics.h>
37

38
#include <dns/tests/unittest_util.h>
JINMEI Tatuya's avatar
JINMEI Tatuya committed
39
#include <testutils/dnsmessage_test.h>
40
#include <testutils/srv_test.h>
41
#include <testutils/portconfig.h>
42

JINMEI Tatuya's avatar
JINMEI Tatuya committed
43
using namespace std;
44
using namespace isc::cc;
45
using namespace isc::dns;
46
using namespace isc::util;
47
using namespace isc::dns::rdata;
48
using namespace isc::data;
49
using namespace isc::xfr;
50 51
using namespace isc::asiodns;
using namespace isc::asiolink;
52
using namespace isc::testutils;
53
using namespace isc::server_common::portconfig;
Evan Hunt's avatar
Evan Hunt committed
54
using isc::UnitTestUtil;
55 56

namespace {
57
const char* const CONFIG_TESTDB =
58
    "{\"database_file\": \"" TEST_DATA_DIR "/example.sqlite3\"}";
59 60
// The following file must be non existent and must be non"creatable" (see
// the sqlite3 test).
61
const char* const BADCONFIG_TESTDB =
62
    "{ \"database_file\": \"" TEST_DATA_DIR "/nodir/notexist\"}";
63

64
class AuthSrvTest : public SrvTestBase {
65
protected:
66 67 68 69 70 71
    AuthSrvTest() :
        dnss_(ios_, NULL, NULL, NULL),
        server(true, xfrout),
        rrclass(RRClass::IN())
    {
        server.setDNSService(dnss_);
72
        server.setXfrinSession(&notify_session);
73
        server.setStatisticsSession(&statistics_session);
74
    }
75 76 77 78
    virtual void processMessage() {
        server.processMessage(*io_message, parse_message, response_obuffer,
                              &dnsserv);
    }
79 80
    IOService ios_;
    DNSService dnss_;
81
    MockSession statistics_session;
82
    MockXfroutClient xfrout;
83
    AuthSrv server;
JINMEI Tatuya's avatar
JINMEI Tatuya committed
84
    const RRClass rrclass;
85
    vector<uint8_t> response_data;
86 87
};

88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155
// A helper function that builds a response to version.bind/TXT/CH that
// should be identical to the response from our builtin (static) data source
// by default.  The resulting wire-format data will be stored in 'data'.
void
createBuiltinVersionResponse(const qid_t qid, vector<uint8_t>& data) {
    const Name version_name("version.bind");
    Message message(Message::RENDER);

    UnitTestUtil::createRequestMessage(message, Opcode::QUERY(),
                                       qid, version_name,
                                       RRClass::CH(), RRType::TXT());
    message.setHeaderFlag(Message::HEADERFLAG_QR);
    message.setHeaderFlag(Message::HEADERFLAG_AA);
    RRsetPtr rrset_version = RRsetPtr(new RRset(version_name, RRClass::CH(),
                                                RRType::TXT(), RRTTL(0)));
    rrset_version->addRdata(generic::TXT(PACKAGE_STRING));
    message.addRRset(Message::SECTION_ANSWER, rrset_version);

    RRsetPtr rrset_version_ns = RRsetPtr(new RRset(version_name, RRClass::CH(),
                                                   RRType::NS(), RRTTL(0)));
    rrset_version_ns->addRdata(generic::NS(version_name));
    message.addRRset(Message::SECTION_AUTHORITY, rrset_version_ns);

    OutputBuffer obuffer(0);
    MessageRenderer renderer(obuffer);
    message.toWire(renderer);

    data.clear();
    data.assign(static_cast<const uint8_t*>(renderer.getData()),
                static_cast<const uint8_t*>(renderer.getData()) +
                renderer.getLength());
}

// In the following tests we confirm the response data is rendered in
// wire format in the expected way.

// The most primitive check: checking the result of the processMessage()
// method
TEST_F(AuthSrvTest, builtInQuery) {
    UnitTestUtil::createRequestMessage(request_message, Opcode::QUERY(),
                                       default_qid, Name("version.bind"),
                                       RRClass::CH(), RRType::TXT());
    createRequestPacket(request_message, IPPROTO_UDP);
    server.processMessage(*io_message, parse_message, response_obuffer,
                          &dnsserv);
    createBuiltinVersionResponse(default_qid, response_data);
    EXPECT_PRED_FORMAT4(UnitTestUtil::matchWireData,
                        response_obuffer->getData(),
                        response_obuffer->getLength(),
                        &response_data[0], response_data.size());
}

// Same test emulating the UDPServer class behavior (defined in libasiolink).
// This is not a good test in that it assumes internal implementation details
// of UDPServer, but we've encountered a regression due to the introduction
// of that class, so we add a test for that case to prevent such a regression
// in future.
// Besides, the generalization of UDPServer is probably too much for the
// authoritative only server in terms of performance, and it's quite likely
// we need to drop it for the authoritative server implementation.
// At that point we can drop this test, too.
TEST_F(AuthSrvTest, builtInQueryViaDNSServer) {
    UnitTestUtil::createRequestMessage(request_message, Opcode::QUERY(),
                                       default_qid, Name("version.bind"),
                                       RRClass::CH(), RRType::TXT());
    createRequestPacket(request_message, IPPROTO_UDP);

    (*server.getDNSLookupProvider())(*io_message, parse_message,
156
                                     response_message,
157 158
                                     response_obuffer, &dnsserv);
    (*server.getDNSAnswerProvider())(*io_message, parse_message,
159
                                     response_message, response_obuffer);
160 161 162 163 164 165 166 167 168 169 170 171

    createBuiltinVersionResponse(default_qid, response_data);
    EXPECT_PRED_FORMAT4(UnitTestUtil::matchWireData,
                        response_obuffer->getData(),
                        response_obuffer->getLength(),
                        &response_data[0], response_data.size());
}

// Same type of test as builtInQueryViaDNSServer but for an error response.
TEST_F(AuthSrvTest, iqueryViaDNSServer) {
    createDataFromFile("iquery_fromWire.wire");
    (*server.getDNSLookupProvider())(*io_message, parse_message,
172
                                     response_message,
173 174
                                     response_obuffer, &dnsserv);
    (*server.getDNSAnswerProvider())(*io_message, parse_message,
175
                                     response_message, response_obuffer);
176 177 178 179 180 181 182 183 184

    UnitTestUtil::readWireData("iquery_response_fromWire.wire",
                               response_data);
    EXPECT_PRED_FORMAT4(UnitTestUtil::matchWireData,
                        response_obuffer->getData(),
                        response_obuffer->getLength(),
                        &response_data[0], response_data.size());
}

185 186
// Unsupported requests.  Should result in NOTIMP.
TEST_F(AuthSrvTest, unsupportedRequest) {
187
    unsupportedRequest();
188
}
189

190 191
// Simple API check
TEST_F(AuthSrvTest, verbose) {
192 193 194 195 196
    EXPECT_FALSE(server.getVerbose());
    server.setVerbose(true);
    EXPECT_TRUE(server.getVerbose());
    server.setVerbose(false);
    EXPECT_FALSE(server.getVerbose());
197 198
}

199 200
// Multiple questions.  Should result in FORMERR.
TEST_F(AuthSrvTest, multiQuestion) {
201
    multiQuestion();
202 203
}

204 205 206
// Incoming data doesn't even contain the complete header.  Must be silently
// dropped.
TEST_F(AuthSrvTest, shortMessage) {
207
    shortMessage();
208 209 210 211 212
}

// Response messages.  Must be silently dropped, whether it's a valid response
// or malformed or could otherwise cause a protocol error.
TEST_F(AuthSrvTest, response) {
213
    response();
214 215 216 217
}

// Query with a broken question
TEST_F(AuthSrvTest, shortQuestion) {
218
    shortQuestion();
219
}
220

221 222
// Query with a broken answer section
TEST_F(AuthSrvTest, shortAnswer) {
223
    shortAnswer();
224 225
}

226 227
// Query with unsupported version of EDNS.
TEST_F(AuthSrvTest, ednsBadVers) {
228
    ednsBadVers();
229 230
}

JINMEI Tatuya's avatar
JINMEI Tatuya committed
231
TEST_F(AuthSrvTest, AXFROverUDP) {
232
    axfrOverUDP();
JINMEI Tatuya's avatar
JINMEI Tatuya committed
233 234
}

235 236
TEST_F(AuthSrvTest, AXFRSuccess) {
    EXPECT_FALSE(xfrout.isConnected());
Evan Hunt's avatar
Evan Hunt committed
237 238 239
    UnitTestUtil::createRequestMessage(request_message, opcode, default_qid,
                         Name("example.com"), RRClass::IN(), RRType::AXFR());
    createRequestPacket(request_message, IPPROTO_TCP);
240 241
    // On success, the AXFR query has been passed to a separate process,
    // so we shouldn't have to respond.
Evan Hunt's avatar
Evan Hunt committed
242 243
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_FALSE(dnsserv.hasAnswer());
244
    EXPECT_TRUE(xfrout.isConnected());
245 246
}

247 248 249 250
// Try giving the server a TSIG signed request and see it can anwer signed as
// well
TEST_F(AuthSrvTest, TSIGSigned) {
    // Prepare key, the client message, etc
251
    const TSIGKey key("key:c2VjcmV0Cg==:hmac-sha1");
252 253 254 255 256
    TSIGContext context(key);
    UnitTestUtil::createRequestMessage(request_message, opcode, default_qid,
                         Name("version.bind"), RRClass::CH(), RRType::TXT());
    createRequestPacket(request_message, IPPROTO_UDP, &context);

257
    // Run the message through the server
258 259 260 261 262 263 264 265 266 267 268 269 270
    isc::server_common::keyring.reset(new TSIGKeyRing);
    isc::server_common::keyring->add(key);
    server.processMessage(*io_message, parse_message, response_obuffer,
                          &dnsserv);
    isc::server_common::keyring.reset();

    // What did we get?
    EXPECT_TRUE(dnsserv.hasAnswer());
    headerCheck(*parse_message, default_qid, Rcode::NOERROR(),
                opcode.getCode(), QR_FLAG | AA_FLAG, 1, 1, 1, 0);
    // We need to parse the message ourself, or getTSIGRecord won't work
    InputBuffer ib(response_obuffer->getData(), response_obuffer->getLength());
    Message m(Message::PARSE);
271
    m.fromWire(ib);
272 273

    const TSIGRecord* tsig = m.getTSIGRecord();
274
    ASSERT_TRUE(tsig != NULL) << "Missing TSIG signature";
275 276 277 278 279 280 281 282
    TSIGError error(context.verify(tsig, response_obuffer->getData(),
                                   response_obuffer->getLength()));
    EXPECT_EQ(TSIGError::NOERROR(), error) <<
        "The server signed the response, but it doesn't seem to be valid";
}

// Give the server a signed request, but don't give it the key. It will
// not be able to verify it, returning BADKEY
283
TEST_F(AuthSrvTest, TSIGSignedBadKey) {
284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301
    TSIGKey key("key:c2VjcmV0Cg==:hmac-sha1");
    TSIGContext context(key);
    UnitTestUtil::createRequestMessage(request_message, opcode, default_qid,
                         Name("version.bind"), RRClass::CH(), RRType::TXT());
    createRequestPacket(request_message, IPPROTO_UDP, &context);

    // Process the message, but use a different key there
    isc::server_common::keyring.reset(new TSIGKeyRing);
    server.processMessage(*io_message, parse_message, response_obuffer,
                          &dnsserv);
    isc::server_common::keyring.reset();

    EXPECT_TRUE(dnsserv.hasAnswer());
    headerCheck(*parse_message, default_qid, TSIGError::BAD_KEY().toRcode(),
                opcode.getCode(), QR_FLAG, 1, 0, 0, 0);
    // We need to parse the message ourself, or getTSIGRecord won't work
    InputBuffer ib(response_obuffer->getData(), response_obuffer->getLength());
    Message m(Message::PARSE);
302
    m.fromWire(ib);
303 304

    const TSIGRecord* tsig = m.getTSIGRecord();
305
    ASSERT_TRUE(tsig != NULL) <<
306
        "Missing TSIG signature (we should have one even at error)";
307
    EXPECT_EQ(TSIGError::BAD_KEY_CODE, tsig->getRdata().getError());
308 309
    EXPECT_EQ(0, tsig->getRdata().getMACSize()) <<
        "It should be unsigned with this error";
310 311 312 313 314 315 316 317 318 319 320 321
}

// Give the server a signed request, but signed by a different key
// (with the same name). It should return BADSIG
TEST_F(AuthSrvTest, TSIGBadSig) {
    TSIGKey key("key:c2VjcmV0Cg==:hmac-sha1");
    TSIGContext context(key);
    UnitTestUtil::createRequestMessage(request_message, opcode, default_qid,
                         Name("version.bind"), RRClass::CH(), RRType::TXT());
    createRequestPacket(request_message, IPPROTO_UDP, &context);

    isc::server_common::keyring.reset(new TSIGKeyRing);
322
    isc::server_common::keyring->add(TSIGKey("key:QkFECg==:hmac-sha1"));
323 324 325 326 327
    server.processMessage(*io_message, parse_message, response_obuffer,
                          &dnsserv);
    isc::server_common::keyring.reset();

    EXPECT_TRUE(dnsserv.hasAnswer());
328
    headerCheck(*parse_message, default_qid, TSIGError::BAD_SIG().toRcode(),
329 330 331 332
                opcode.getCode(), QR_FLAG, 1, 0, 0, 0);
    // We need to parse the message ourself, or getTSIGRecord won't work
    InputBuffer ib(response_obuffer->getData(), response_obuffer->getLength());
    Message m(Message::PARSE);
333
    m.fromWire(ib);
334 335

    const TSIGRecord* tsig = m.getTSIGRecord();
336
    ASSERT_TRUE(tsig != NULL) <<
337
        "Missing TSIG signature (we should have one even at error)";
338
    EXPECT_EQ(TSIGError::BAD_SIG_CODE, tsig->getRdata().getError());
339 340
    EXPECT_EQ(0, tsig->getRdata().getMACSize()) <<
        "It should be unsigned with this error";
341 342
}

343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377
// Give the server a signed unsupported request with a bad signature.
// This checks the server first verifies the signature before anything
// else.
TEST_F(AuthSrvTest, TSIGCheckFirst) {
    TSIGKey key("key:c2VjcmV0Cg==:hmac-sha1");
    TSIGContext context(key);
    // Pass a wrong opcode there. The server shouldn't know what to do
    // about it.
    UnitTestUtil::createRequestMessage(request_message, Opcode::RESERVED14(),
                                       default_qid, Name("version.bind"),
                                       RRClass::CH(), RRType::TXT());
    createRequestPacket(request_message, IPPROTO_UDP, &context);

    isc::server_common::keyring.reset(new TSIGKeyRing);
    isc::server_common::keyring->add(TSIGKey("key:QkFECg==:hmac-sha1"));
    server.processMessage(*io_message, parse_message, response_obuffer,
                          &dnsserv);
    isc::server_common::keyring.reset();

    EXPECT_TRUE(dnsserv.hasAnswer());
    headerCheck(*parse_message, default_qid, TSIGError::BAD_SIG().toRcode(),
                Opcode::RESERVED14().getCode(), QR_FLAG, 0, 0, 0, 0);
    // We need to parse the message ourself, or getTSIGRecord won't work
    InputBuffer ib(response_obuffer->getData(), response_obuffer->getLength());
    Message m(Message::PARSE);
    m.fromWire(ib);

    const TSIGRecord* tsig = m.getTSIGRecord();
    ASSERT_TRUE(tsig != NULL) <<
        "Missing TSIG signature (we should have one even at error)";
    EXPECT_EQ(TSIGError::BAD_SIG_CODE, tsig->getRdata().getError());
    EXPECT_EQ(0, tsig->getRdata().getMACSize()) <<
        "It should be unsigned with this error";
}

378 379 380
TEST_F(AuthSrvTest, AXFRConnectFail) {
    EXPECT_FALSE(xfrout.isConnected()); // check prerequisite
    xfrout.disableConnect();
Evan Hunt's avatar
Evan Hunt committed
381 382 383 384 385
    UnitTestUtil::createRequestMessage(request_message, opcode, default_qid,
                         Name("example.com"), RRClass::IN(), RRType::AXFR());
    createRequestPacket(request_message, IPPROTO_TCP);
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_TRUE(dnsserv.hasAnswer());
386
    headerCheck(*parse_message, default_qid, Rcode::SERVFAIL(),
387 388 389 390 391 392 393
                opcode.getCode(), QR_FLAG, 1, 0, 0, 0);
    EXPECT_FALSE(xfrout.isConnected());
}

TEST_F(AuthSrvTest, AXFRSendFail) {
    // first send a valid query, making the connection with the xfr process
    // open.
Evan Hunt's avatar
Evan Hunt committed
394 395 396 397
    UnitTestUtil::createRequestMessage(request_message, opcode, default_qid,
                         Name("example.com"), RRClass::IN(), RRType::AXFR());
    createRequestPacket(request_message, IPPROTO_TCP);
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
398
    EXPECT_TRUE(xfrout.isConnected());
399 400

    xfrout.disableSend();
401 402
    parse_message->clear(Message::PARSE);
    response_obuffer->clear();
Evan Hunt's avatar
Evan Hunt committed
403 404 405 406 407
    UnitTestUtil::createRequestMessage(request_message, opcode, default_qid,
                         Name("example.com"), RRClass::IN(), RRType::AXFR());
    createRequestPacket(request_message, IPPROTO_TCP);
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_TRUE(dnsserv.hasAnswer());
408
    headerCheck(*parse_message, default_qid, Rcode::SERVFAIL(),
409 410 411 412 413 414 415 416 417 418 419
                opcode.getCode(), QR_FLAG, 1, 0, 0, 0);

    // The connection should have been closed due to the send failure.
    EXPECT_FALSE(xfrout.isConnected());
}

TEST_F(AuthSrvTest, AXFRDisconnectFail) {
    // In our usage disconnect() shouldn't fail.  So we'll see the exception
    // should it be thrown.
    xfrout.disableSend();
    xfrout.disableDisconnect();
Evan Hunt's avatar
Evan Hunt committed
420 421 422
    UnitTestUtil::createRequestMessage(request_message, opcode, default_qid,
                         Name("example.com"), RRClass::IN(), RRType::AXFR());
    createRequestPacket(request_message, IPPROTO_TCP);
423
    EXPECT_THROW(server.processMessage(*io_message, parse_message,
Evan Hunt's avatar
Evan Hunt committed
424
                                       response_obuffer, &dnsserv),
425 426 427 428 429 430 431
                 XfroutError);
    EXPECT_TRUE(xfrout.isConnected());
    // XXX: we need to re-enable disconnect.  otherwise an exception would be
    // thrown via the destructor of the server.
    xfrout.enableDisconnect();
}

432
TEST_F(AuthSrvTest, notify) {
Evan Hunt's avatar
Evan Hunt committed
433 434
    UnitTestUtil::createRequestMessage(request_message, Opcode::NOTIFY(), default_qid,
                         Name("example.com"), RRClass::IN(), RRType::SOA());
435
    request_message.setHeaderFlag(Message::HEADERFLAG_AA);
Evan Hunt's avatar
Evan Hunt committed
436 437 438
    createRequestPacket(request_message, IPPROTO_UDP);
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_TRUE(dnsserv.hasAnswer());
439 440 441

    // An internal command message should have been created and sent to an
    // external module.  Check them.
Evan Hunt's avatar
Evan Hunt committed
442
    EXPECT_EQ("Zonemgr", notify_session.getMessageDest());
443
    EXPECT_EQ("notify",
Evan Hunt's avatar
Evan Hunt committed
444
              notify_session.getSentMessage()->get("command")->get(0)->stringValue());
445
    ConstElementPtr notify_args =
Evan Hunt's avatar
Evan Hunt committed
446
        notify_session.getSentMessage()->get("command")->get(1);
447 448 449
    EXPECT_EQ("example.com.", notify_args->get("zone_name")->stringValue());
    EXPECT_EQ(DEFAULT_REMOTE_ADDRESS,
              notify_args->get("master")->stringValue());
450
    EXPECT_EQ("IN", notify_args->get("zone_class")->stringValue());
451 452

    // On success, the server should return a response to the notify.
453
    headerCheck(*parse_message, default_qid, Rcode::NOERROR(),
454 455
                Opcode::NOTIFY().getCode(), QR_FLAG | AA_FLAG, 1, 0, 0, 0);

456
    // The question must be identical to that of the received notify
457
    ConstQuestionPtr question = *parse_message->beginQuestion();
458 459 460 461 462
    EXPECT_EQ(Name("example.com"), question->getName());
    EXPECT_EQ(RRClass::IN(), question->getClass());
    EXPECT_EQ(RRType::SOA(), question->getType());
}

463 464
TEST_F(AuthSrvTest, notifyForCHClass) {
    // Same as the previous test, but for the CH RRClass.
Evan Hunt's avatar
Evan Hunt committed
465 466
    UnitTestUtil::createRequestMessage(request_message, Opcode::NOTIFY(), default_qid,
                         Name("example.com"), RRClass::CH(), RRType::SOA());
467
    request_message.setHeaderFlag(Message::HEADERFLAG_AA);
Evan Hunt's avatar
Evan Hunt committed
468 469 470
    createRequestPacket(request_message, IPPROTO_UDP);
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_TRUE(dnsserv.hasAnswer());
471 472 473

    // Other conditions should be the same, so simply confirm the RR class is
    // set correctly.
474
    ConstElementPtr notify_args =
Evan Hunt's avatar
Evan Hunt committed
475
        notify_session.getSentMessage()->get("command")->get(1);
476
    EXPECT_EQ("CH", notify_args->get("zone_class")->stringValue());
477 478
}

479 480 481
TEST_F(AuthSrvTest, notifyEmptyQuestion) {
    request_message.clear(Message::RENDER);
    request_message.setOpcode(Opcode::NOTIFY());
482
    request_message.setRcode(Rcode::NOERROR());
483
    request_message.setHeaderFlag(Message::HEADERFLAG_AA);
484 485
    request_message.setQid(default_qid);
    request_message.toWire(request_renderer);
Evan Hunt's avatar
Evan Hunt committed
486 487 488
    createRequestPacket(request_message, IPPROTO_UDP);
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_TRUE(dnsserv.hasAnswer());
489
    headerCheck(*parse_message, default_qid, Rcode::FORMERR(),
490 491 492 493
                Opcode::NOTIFY().getCode(), QR_FLAG, 0, 0, 0, 0);
}

TEST_F(AuthSrvTest, notifyMultiQuestions) {
Evan Hunt's avatar
Evan Hunt committed
494 495
    UnitTestUtil::createRequestMessage(request_message, Opcode::NOTIFY(), default_qid,
                         Name("example.com"), RRClass::IN(), RRType::SOA());
496 497 498
    // add one more SOA question
    request_message.addQuestion(Question(Name("example.com"), RRClass::IN(),
                                         RRType::SOA()));
499
    request_message.setHeaderFlag(Message::HEADERFLAG_AA);
Evan Hunt's avatar
Evan Hunt committed
500 501 502
    createRequestPacket(request_message, IPPROTO_UDP);
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_TRUE(dnsserv.hasAnswer());
503
    headerCheck(*parse_message, default_qid, Rcode::FORMERR(),
504 505 506 507
                Opcode::NOTIFY().getCode(), QR_FLAG, 2, 0, 0, 0);
}

TEST_F(AuthSrvTest, notifyNonSOAQuestion) {
Evan Hunt's avatar
Evan Hunt committed
508 509
    UnitTestUtil::createRequestMessage(request_message, Opcode::NOTIFY(), default_qid,
                         Name("example.com"), RRClass::IN(), RRType::NS());
510
    request_message.setHeaderFlag(Message::HEADERFLAG_AA);
Evan Hunt's avatar
Evan Hunt committed
511 512 513
    createRequestPacket(request_message, IPPROTO_UDP);
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_TRUE(dnsserv.hasAnswer());
514
    headerCheck(*parse_message, default_qid, Rcode::FORMERR(),
515 516 517 518 519
                Opcode::NOTIFY().getCode(), QR_FLAG, 1, 0, 0, 0);
}

TEST_F(AuthSrvTest, notifyWithoutAA) {
    // implicitly leave the AA bit off.  our implementation will accept it.
Evan Hunt's avatar
Evan Hunt committed
520 521 522 523 524
    UnitTestUtil::createRequestMessage(request_message, Opcode::NOTIFY(), default_qid,
                         Name("example.com"), RRClass::IN(), RRType::SOA());
    createRequestPacket(request_message, IPPROTO_UDP);
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_TRUE(dnsserv.hasAnswer());
525
    headerCheck(*parse_message, default_qid, Rcode::NOERROR(),
526 527 528 529
                Opcode::NOTIFY().getCode(), QR_FLAG | AA_FLAG, 1, 0, 0, 0);
}

TEST_F(AuthSrvTest, notifyWithErrorRcode) {
Evan Hunt's avatar
Evan Hunt committed
530 531
    UnitTestUtil::createRequestMessage(request_message, Opcode::NOTIFY(), default_qid,
                         Name("example.com"), RRClass::IN(), RRType::SOA());
532
    request_message.setHeaderFlag(Message::HEADERFLAG_AA);
533
    request_message.setRcode(Rcode::SERVFAIL());
Evan Hunt's avatar
Evan Hunt committed
534 535 536
    createRequestPacket(request_message, IPPROTO_UDP);
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_TRUE(dnsserv.hasAnswer());
537
    headerCheck(*parse_message, default_qid, Rcode::NOERROR(),
538
                Opcode::NOTIFY().getCode(), QR_FLAG | AA_FLAG, 1, 0, 0, 0);
Han Feng's avatar
Han Feng committed
539 540
}

541
TEST_F(AuthSrvTest, notifyWithoutSession) {
542
    server.setXfrinSession(NULL);
543

Evan Hunt's avatar
Evan Hunt committed
544 545
    UnitTestUtil::createRequestMessage(request_message, Opcode::NOTIFY(), default_qid,
                         Name("example.com"), RRClass::IN(), RRType::SOA());
546
    request_message.setHeaderFlag(Message::HEADERFLAG_AA);
Evan Hunt's avatar
Evan Hunt committed
547
    createRequestPacket(request_message, IPPROTO_UDP);
548 549 550

    // we simply ignore the notify and let it be resent if an internal error
    // happens.
Evan Hunt's avatar
Evan Hunt committed
551 552
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_FALSE(dnsserv.hasAnswer());
553 554 555 556 557
}

TEST_F(AuthSrvTest, notifySendFail) {
    notify_session.disableSend();

Evan Hunt's avatar
Evan Hunt committed
558 559
    UnitTestUtil::createRequestMessage(request_message, Opcode::NOTIFY(), default_qid,
                         Name("example.com"), RRClass::IN(), RRType::SOA());
560
    request_message.setHeaderFlag(Message::HEADERFLAG_AA);
Evan Hunt's avatar
Evan Hunt committed
561
    createRequestPacket(request_message, IPPROTO_UDP);
562

Evan Hunt's avatar
Evan Hunt committed
563 564
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_FALSE(dnsserv.hasAnswer());
565 566 567 568 569
}

TEST_F(AuthSrvTest, notifyReceiveFail) {
    notify_session.disableReceive();

Evan Hunt's avatar
Evan Hunt committed
570 571
    UnitTestUtil::createRequestMessage(request_message, Opcode::NOTIFY(), default_qid,
                         Name("example.com"), RRClass::IN(), RRType::SOA());
572
    request_message.setHeaderFlag(Message::HEADERFLAG_AA);
Evan Hunt's avatar
Evan Hunt committed
573 574 575
    createRequestPacket(request_message, IPPROTO_UDP);
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_FALSE(dnsserv.hasAnswer());
576 577 578
}

TEST_F(AuthSrvTest, notifyWithBogusSessionMessage) {
579
    notify_session.setMessage(Element::fromJSON("{\"foo\": 1}"));
580

Evan Hunt's avatar
Evan Hunt committed
581 582
    UnitTestUtil::createRequestMessage(request_message, Opcode::NOTIFY(), default_qid,
                         Name("example.com"), RRClass::IN(), RRType::SOA());
583
    request_message.setHeaderFlag(Message::HEADERFLAG_AA);
Evan Hunt's avatar
Evan Hunt committed
584 585 586
    createRequestPacket(request_message, IPPROTO_UDP);
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_FALSE(dnsserv.hasAnswer());
587 588 589 590
}

TEST_F(AuthSrvTest, notifyWithSessionMessageError) {
    notify_session.setMessage(
591
        Element::fromJSON("{\"result\": [1, \"FAIL\"]}"));
592

Evan Hunt's avatar
Evan Hunt committed
593 594
    UnitTestUtil::createRequestMessage(request_message, Opcode::NOTIFY(), default_qid,
                         Name("example.com"), RRClass::IN(), RRType::SOA());
595
    request_message.setHeaderFlag(Message::HEADERFLAG_AA);
Evan Hunt's avatar
Evan Hunt committed
596 597 598
    createRequestPacket(request_message, IPPROTO_UDP);
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_FALSE(dnsserv.hasAnswer());
599 600
}

601
void
JINMEI Tatuya's avatar
JINMEI Tatuya committed
602
updateConfig(AuthSrv* server, const char* const config_data,
603 604
             const bool expect_success)
{
605
    ConstElementPtr config_answer =
JINMEI Tatuya's avatar
JINMEI Tatuya committed
606
        server->updateConfig(Element::fromJSON(config_data));
607 608 609
    EXPECT_EQ(Element::map, config_answer->getType());
    EXPECT_TRUE(config_answer->contains("result"));

610
    ConstElementPtr result = config_answer->get("result");
611
    EXPECT_EQ(Element::list, result->getType());
612
    EXPECT_EQ(expect_success ? 0 : 1, result->get(0)->intValue());
613 614 615 616
}

// Install a Sqlite3 data source with testing data.
TEST_F(AuthSrvTest, updateConfig) {
617
    updateConfig(&server, CONFIG_TESTDB, true);
618 619 620 621

    // query for existent data in the installed data source.  The resulting
    // response should have the AA flag on, and have an RR in each answer
    // and authority section.
622
    createDataFromFile("examplequery_fromWire.wire");
Evan Hunt's avatar
Evan Hunt committed
623 624
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_TRUE(dnsserv.hasAnswer());
625
    headerCheck(*parse_message, default_qid, Rcode::NOERROR(), opcode.getCode(),
626 627 628 629
                QR_FLAG | AA_FLAG, 1, 1, 1, 0);
}

TEST_F(AuthSrvTest, datasourceFail) {
630
    updateConfig(&server, CONFIG_TESTDB, true);
631 632 633 634 635

    // This query will hit a corrupted entry of the data source (the zoneload
    // tool and the data source itself naively accept it).  This will result
    // in a SERVFAIL response, and the answer and authority sections should
    // be empty.
636
    createDataFromFile("badExampleQuery_fromWire.wire");
Evan Hunt's avatar
Evan Hunt committed
637 638
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_TRUE(dnsserv.hasAnswer());
639
    headerCheck(*parse_message, default_qid, Rcode::SERVFAIL(),
640
                opcode.getCode(), QR_FLAG, 1, 0, 0, 0);
641
}
642 643 644 645 646 647 648 649 650

TEST_F(AuthSrvTest, updateConfigFail) {
    // First, load a valid data source.
    updateConfig(&server, CONFIG_TESTDB, true);

    // Next, try to update it with a non-existent one.  This should fail.
    updateConfig(&server, BADCONFIG_TESTDB, false);

    // The original data source should still exist.
651
    createDataFromFile("examplequery_fromWire.wire");
Evan Hunt's avatar
Evan Hunt committed
652 653
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
    EXPECT_TRUE(dnsserv.hasAnswer());
654
    headerCheck(*parse_message, default_qid, Rcode::NOERROR(), opcode.getCode(),
655 656
                QR_FLAG | AA_FLAG, 1, 1, 1, 0);
}
JINMEI Tatuya's avatar
JINMEI Tatuya committed
657

JINMEI Tatuya's avatar
JINMEI Tatuya committed
658 659 660 661 662 663 664 665 666 667 668
TEST_F(AuthSrvTest, updateWithMemoryDataSrc) {
    // Test configuring memory data source.  Detailed test cases are covered
    // in the configuration tests.  We only check the AuthSrv interface here.

    // By default memory data source isn't enabled
    EXPECT_EQ(AuthSrv::MemoryDataSrcPtr(), server.getMemoryDataSrc(rrclass));
    updateConfig(&server,
                 "{\"datasources\": [{\"type\": \"memory\"}]}", true);
    // after successful configuration, we should have one (with empty zoneset).
    ASSERT_NE(AuthSrv::MemoryDataSrcPtr(), server.getMemoryDataSrc(rrclass));
    EXPECT_EQ(0, server.getMemoryDataSrc(rrclass)->getZoneCount());
Jerry's avatar
Jerry committed
669

670
    // The memory data source is empty, should return REFUSED rcode.
Jerry's avatar
Jerry committed
671
    createDataFromFile("examplequery_fromWire.wire");
672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690
    server.processMessage(*io_message, parse_message, response_obuffer,
                          &dnsserv);
    EXPECT_TRUE(dnsserv.hasAnswer());
    headerCheck(*parse_message, default_qid, Rcode::REFUSED(),
                opcode.getCode(), QR_FLAG, 1, 0, 0, 0);
}

TEST_F(AuthSrvTest, chQueryWithMemoryDataSrc) {
    // Configure memory data source for class IN
    updateConfig(&server, "{\"datasources\": "
                 "[{\"class\": \"IN\", \"type\": \"memory\"}]}", true);

    // This shouldn't affect the result of class CH query
    UnitTestUtil::createRequestMessage(request_message, Opcode::QUERY(),
                                       default_qid, Name("version.bind"),
                                       RRClass::CH(), RRType::TXT());
    createRequestPacket(request_message, IPPROTO_UDP);
    server.processMessage(*io_message, parse_message, response_obuffer,
                          &dnsserv);
691
    EXPECT_TRUE(dnsserv.hasAnswer());
692 693
    headerCheck(*parse_message, default_qid, Rcode::NOERROR(),
                opcode.getCode(), QR_FLAG | AA_FLAG, 1, 1, 1, 0);
JINMEI Tatuya's avatar
JINMEI Tatuya committed
694 695
}

JINMEI Tatuya's avatar
JINMEI Tatuya committed
696 697 698 699 700 701 702 703 704
TEST_F(AuthSrvTest, cacheSlots) {
    // simple check for the get/set operations
    server.setCacheSlots(10);    // 10 = arbitrary choice
    EXPECT_EQ(10, server.getCacheSlots());

    // 0 is a valid size
    server.setCacheSlots(0);
    EXPECT_EQ(00, server.getCacheSlots());
}
705

706 707 708
// Submit UDP normal query and check query counter
TEST_F(AuthSrvTest, queryCounterUDPNormal) {
    // The counter should be initialized to 0.
709
    EXPECT_EQ(0, server.getCounter(AuthCounters::COUNTER_UDP_QUERY));
710 711 712 713 714 715 716
    // Create UDP message and process.
    UnitTestUtil::createRequestMessage(request_message, Opcode::QUERY(),
                                       default_qid, Name("example.com"),
                                       RRClass::IN(), RRType::NS());
    createRequestPacket(request_message, IPPROTO_UDP);
    server.processMessage(*io_message, parse_message, response_obuffer,
                          &dnsserv);
717
    // After processing UDP query, the counter should be 1.
718
    EXPECT_EQ(1, server.getCounter(AuthCounters::COUNTER_UDP_QUERY));
719 720
}

721 722 723
// Submit TCP normal query and check query counter
TEST_F(AuthSrvTest, queryCounterTCPNormal) {
    // The counter should be initialized to 0.
724
    EXPECT_EQ(0, server.getCounter(AuthCounters::COUNTER_TCP_QUERY));
725 726 727 728 729 730 731
    // Create TCP message and process.
    UnitTestUtil::createRequestMessage(request_message, Opcode::QUERY(),
                                       default_qid, Name("example.com"),
                                       RRClass::IN(), RRType::NS());
    createRequestPacket(request_message, IPPROTO_TCP);
    server.processMessage(*io_message, parse_message, response_obuffer,
                          &dnsserv);
732
    // After processing TCP query, the counter should be 1.
733
    EXPECT_EQ(1, server.getCounter(AuthCounters::COUNTER_TCP_QUERY));
734 735 736 737 738
}

// Submit TCP AXFR query and check query counter
TEST_F(AuthSrvTest, queryCounterTCPAXFR) {
    // The counter should be initialized to 0.
739
    EXPECT_EQ(0, server.getCounter(AuthCounters::COUNTER_TCP_QUERY));
740 741 742 743 744 745
    UnitTestUtil::createRequestMessage(request_message, opcode, default_qid,
                         Name("example.com"), RRClass::IN(), RRType::AXFR());
    createRequestPacket(request_message, IPPROTO_TCP);
    // On success, the AXFR query has been passed to a separate process,
    // so we shouldn't have to respond.
    server.processMessage(*io_message, parse_message, response_obuffer, &dnsserv);
746
    // After processing TCP AXFR query, the counter should be 1.
747
    EXPECT_EQ(1, server.getCounter(AuthCounters::COUNTER_TCP_QUERY));
748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766
}

// class for queryCounterUnexpected test
// getProtocol() returns IPPROTO_IP
class DummyUnknownSocket : public IOSocket {
public:
    DummyUnknownSocket() {}
    virtual int getNative() const { return (0); }
    virtual int getProtocol() const { return (IPPROTO_IP); }
};

// function for queryCounterUnexpected test
// returns a reference to a static object of DummyUnknownSocket
IOSocket&
getDummyUnknownSocket() {
    static DummyUnknownSocket socket;
    return (socket);
}

767
// Submit unexpected type of query and check it throws isc::Unexpected
768
TEST_F(AuthSrvTest, queryCounterUnexpected) {
769 770 771 772
    // This code isn't exception safe, but we'd rather keep the code
    // simpler and more readable as this is only for tests and if it throws
    // the program would immediately terminate anyway.

773
    // Create UDP query packet.
774 775 776 777
    UnitTestUtil::createRequestMessage(request_message, Opcode::QUERY(),
                                       default_qid, Name("example.com"),
                                       RRClass::IN(), RRType::NS());
    createRequestPacket(request_message, IPPROTO_UDP);
778

779
    // Modify the message.
780 781
    delete io_message;
    endpoint = IOEndpoint::create(IPPROTO_UDP,
782
                                  IOAddress(DEFAULT_REMOTE_ADDRESS), 53210);
783 784 785 786 787
    io_message = new IOMessage(request_renderer.getData(),
                               request_renderer.getLength(),
                               getDummyUnknownSocket(), *endpoint);

    EXPECT_THROW(server.processMessage(*io_message, parse_message,
788
                                       response_obuffer, &dnsserv),
789
                 isc::Unexpected);
790
}
791 792 793 794 795

TEST_F(AuthSrvTest, stop) {
    // normal case is covered in command_unittest.cc.  we should primarily
    // test it here, but the current design of the stop test takes time,
    // so we consolidate the cases in the command tests.
796 797
    // If/when the interval timer has finer granularity we'll probably add
    // our own tests here, so we keep this empty test case.
798
}
799 800

TEST_F(AuthSrvTest, listenAddresses) {
801
    isc::testutils::portconfig::listenAddresses(server);
802
}
803

804
}