auth_srv_unittest.cc 13.5 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
// Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
//
// Permission to use, copy, modify, and/or distribute this software for any
// purpose with or without fee is hereby granted, provided that the above
// copyright notice and this permission notice appear in all copies.
//
// THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
// REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
// AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
// INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
// LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
// OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
// PERFORMANCE OF THIS SOFTWARE.

// $Id$

#include <gtest/gtest.h>

#include <dns/buffer.h>
#include <dns/name.h>
#include <dns/message.h>
#include <dns/messagerenderer.h>
#include <dns/rrclass.h>
#include <dns/rrtype.h>

26 27
#include <cc/data.h>

28
#include <auth/auth_srv.h>
29
#include <auth/asio_link.h>
30 31 32 33 34 35

#include <dns/tests/unittest_util.h>

using isc::UnitTestUtil;
using namespace std;
using namespace isc::dns;
36
using namespace isc::data;
37
using namespace asio_link;
38 39

namespace {
40 41
const char* CONFIG_TESTDB =
    "{\"database_file\": \"" TEST_DATA_DIR "/example.sqlite3\"}";
42 43 44
// The following file must be non existent and must be non"creatable" (see
// the sqlite3 test).
const char* BADCONFIG_TESTDB =
45
    "{ \"database_file\": \"" TEST_DATA_DIR "/nodir/notexist\"}";
46

47 48 49
class AuthSrvTest : public ::testing::Test {
protected:
    AuthSrvTest() : request_message(Message::RENDER),
50
                    parse_message(Message::PARSE), default_qid(0x1035),
51
                    opcode(Opcode(Opcode::QUERY())), qname("www.example.com"),
52
                    qclass(RRClass::IN()), qtype(RRType::A()),
53
                    io_message(NULL), endpoint(NULL), request_obuffer(0),
54
                    request_renderer(request_obuffer),
55 56
                    response_obuffer(0), response_renderer(response_obuffer)
    {}
57 58
    ~AuthSrvTest() {
        delete io_message;
59
        delete endpoint;
60
    }
61 62 63
    AuthSrv server;
    Message request_message;
    Message parse_message;
64 65 66 67 68
    const qid_t default_qid;
    const Opcode opcode;
    const Name qname;
    const RRClass qclass;
    const RRType qtype;
69 70
    IOMessage* io_message;
    const IOEndpoint* endpoint;
71 72 73 74 75
    OutputBuffer request_obuffer;
    MessageRenderer request_renderer;
    OutputBuffer response_obuffer;
    MessageRenderer response_renderer;
    vector<uint8_t> data;
76

JINMEI Tatuya's avatar
JINMEI Tatuya committed
77
    void createDataFromFile(const char* const datafile, int protocol);
78
    void createRequest(const Opcode& opcode, const Name& request_name,
JINMEI Tatuya's avatar
JINMEI Tatuya committed
79 80
                       const RRClass& rrclass, const RRType& rrtype,
                       int protocol);
81 82
};

83 84 85 86 87 88 89 90 91 92 93 94
// These are flags to indicate whether the corresponding flag bit of the
// DNS header is to be set in the test cases.  (Note that the flag values
// is irrelevant to their wire-format values)
const unsigned int QR_FLAG = 0x1;
const unsigned int AA_FLAG = 0x2;
const unsigned int TC_FLAG = 0x4;
const unsigned int RD_FLAG = 0x8;
const unsigned int RA_FLAG = 0x10;
const unsigned int AD_FLAG = 0x20;
const unsigned int CD_FLAG = 0x40;

void
JINMEI Tatuya's avatar
JINMEI Tatuya committed
95 96 97
AuthSrvTest::createDataFromFile(const char* const datafile,
                                const int protocol = IPPROTO_UDP)
{
98
    delete io_message;
99 100
    data.clear();

101
    delete endpoint;
JINMEI Tatuya's avatar
JINMEI Tatuya committed
102
    endpoint = IOEndpoint::create(protocol, IOAddress("192.0.2.1"), 5300);
103
    UnitTestUtil::readWireData(datafile, data);
104
    io_message = new IOMessage(&data[0], data.size(),
105
                               IOSocket::getDummyUDPSocket(), *endpoint);
106 107
}

108 109
void
AuthSrvTest::createRequest(const Opcode& opcode, const Name& request_name,
JINMEI Tatuya's avatar
JINMEI Tatuya committed
110 111
                           const RRClass& rrclass, const RRType& rrtype,
                           const int protocol = IPPROTO_UDP)
112 113
{
    request_message.setOpcode(opcode);
JINMEI Tatuya's avatar
JINMEI Tatuya committed
114
    request_message.setQid(default_qid);
115 116 117 118
    request_message.addQuestion(Question(request_name, rrclass, rrtype));
    request_message.toWire(request_renderer);

    delete io_message;
JINMEI Tatuya's avatar
JINMEI Tatuya committed
119
    endpoint = IOEndpoint::create(protocol, IOAddress("192.0.2.1"), 5300);
120 121 122 123 124
    io_message = new IOMessage(request_renderer.getData(),
                               request_renderer.getLength(),
                               IOSocket::getDummyUDPSocket(), *endpoint);
}

125 126 127 128 129 130 131 132 133 134
void
headerCheck(const Message& message, const qid_t qid, const Rcode& rcode,
            const uint16_t opcodeval, const unsigned int flags,
            const unsigned int qdcount,
            const unsigned int ancount, const unsigned int nscount,
            const unsigned int arcount)
{
    EXPECT_EQ(qid, message.getQid());
    EXPECT_EQ(rcode, message.getRcode());
    EXPECT_EQ(opcodeval, message.getOpcode().getCode());
135 136 137 138 139 140 141
    EXPECT_EQ((flags & QR_FLAG) != 0, message.getHeaderFlag(MessageFlag::QR()));
    EXPECT_EQ((flags & AA_FLAG) != 0, message.getHeaderFlag(MessageFlag::AA()));
    EXPECT_EQ((flags & TC_FLAG) != 0, message.getHeaderFlag(MessageFlag::TC()));
    EXPECT_EQ((flags & RA_FLAG) != 0, message.getHeaderFlag(MessageFlag::RA()));
    EXPECT_EQ((flags & RD_FLAG) != 0, message.getHeaderFlag(MessageFlag::RD()));
    EXPECT_EQ((flags & AD_FLAG) != 0, message.getHeaderFlag(MessageFlag::AD()));
    EXPECT_EQ((flags & CD_FLAG) != 0, message.getHeaderFlag(MessageFlag::CD()));
142 143 144 145 146 147 148 149 150 151 152

    EXPECT_EQ(qdcount, message.getRRCount(Section::QUESTION()));
    EXPECT_EQ(ancount, message.getRRCount(Section::ANSWER()));
    EXPECT_EQ(nscount, message.getRRCount(Section::AUTHORITY()));
    EXPECT_EQ(arcount, message.getRRCount(Section::ADDITIONAL()));
}

// Unsupported requests.  Should result in NOTIMP.
TEST_F(AuthSrvTest, unsupportedRequest) {
    for (unsigned int i = 1; i < 16; ++i) {
        // set Opcode to 'i', which iterators over all possible codes except
Han Feng's avatar
Han Feng committed
153 154 155
        // the standard query (0) and notify(4)
        if (i == 4)
            continue;
156
        createDataFromFile("simplequery_fromWire");
157 158 159
        data[2] = ((i << 3) & 0xff);

        parse_message.clear(Message::PARSE);
160 161
        EXPECT_EQ(true, server.processMessage(*io_message, parse_message,
                                              response_renderer));
162 163 164
        headerCheck(parse_message, default_qid, Rcode::NOTIMP(), i, QR_FLAG,
                    0, 0, 0, 0);
    }
165
}
166

167 168 169 170 171 172 173 174 175
// Simple API check
TEST_F(AuthSrvTest, verbose) {
    EXPECT_FALSE(server.getVerbose());
    server.setVerbose(true);
    EXPECT_TRUE(server.getVerbose());
    server.setVerbose(false);
    EXPECT_FALSE(server.getVerbose());
}

176 177
// Multiple questions.  Should result in FORMERR.
TEST_F(AuthSrvTest, multiQuestion) {
178
    createDataFromFile("multiquestion_fromWire");
179 180
    EXPECT_EQ(true, server.processMessage(*io_message, parse_message,
                                          response_renderer));
181
    headerCheck(parse_message, default_qid, Rcode::FORMERR(), opcode.getCode(),
182 183 184 185 186 187 188 189 190 191 192 193
                QR_FLAG, 2, 0, 0, 0);

    QuestionIterator qit = parse_message.beginQuestion();
    EXPECT_EQ(Name("example.com"), (*qit)->getName());
    EXPECT_EQ(RRClass::IN(), (*qit)->getClass());
    EXPECT_EQ(RRType::A(), (*qit)->getType());
    ++qit;
    EXPECT_EQ(Name("example.com"), (*qit)->getName());
    EXPECT_EQ(RRClass::IN(), (*qit)->getClass());
    EXPECT_EQ(RRType::AAAA(), (*qit)->getType());
    ++qit;
    EXPECT_TRUE(qit == parse_message.endQuestion());
194 195
}

196 197 198
// Incoming data doesn't even contain the complete header.  Must be silently
// dropped.
TEST_F(AuthSrvTest, shortMessage) {
199
    createDataFromFile("shortmessage_fromWire");
200 201
    EXPECT_EQ(false, server.processMessage(*io_message, parse_message,
                                           response_renderer));
202 203 204 205 206 207
}

// Response messages.  Must be silently dropped, whether it's a valid response
// or malformed or could otherwise cause a protocol error.
TEST_F(AuthSrvTest, response) {
    // A valid (although unusual) response
208
    createDataFromFile("simpleresponse_fromWire");
209 210
    EXPECT_EQ(false, server.processMessage(*io_message, parse_message,
                                           response_renderer));
211 212 213

    // A response with a broken question section.  must be dropped rather than
    // returning FORMERR.
214
    createDataFromFile("shortresponse_fromWire");
215 216
    EXPECT_EQ(false, server.processMessage(*io_message, parse_message,
                                           response_renderer));
217 218

    // A response to iquery.  must be dropped rather than returning NOTIMP.
219
    createDataFromFile("iqueryresponse_fromWire");
220 221
    EXPECT_EQ(false, server.processMessage(*io_message, parse_message,
                                           response_renderer));
222 223 224 225
}

// Query with a broken question
TEST_F(AuthSrvTest, shortQuestion) {
226
    createDataFromFile("shortquestion_fromWire");
227 228
    EXPECT_EQ(true, server.processMessage(*io_message, parse_message,
                                          response_renderer));
229 230 231 232 233
    // Since the query's question is broken, the question section of the
    // response should be empty.
    headerCheck(parse_message, default_qid, Rcode::FORMERR(), opcode.getCode(),
                QR_FLAG, 0, 0, 0, 0);
}
234

235 236
// Query with a broken answer section
TEST_F(AuthSrvTest, shortAnswer) {
237
    createDataFromFile("shortanswer_fromWire");
238 239
    EXPECT_EQ(true, server.processMessage(*io_message, parse_message,
                                          response_renderer));
240 241 242

    // This is a bogus query, but question section is valid.  So the response
    // should copy the question section.
243 244 245
    headerCheck(parse_message, default_qid, Rcode::FORMERR(), opcode.getCode(),
                QR_FLAG, 1, 0, 0, 0);

246 247 248 249 250 251
    QuestionIterator qit = parse_message.beginQuestion();
    EXPECT_EQ(Name("example.com"), (*qit)->getName());
    EXPECT_EQ(RRClass::IN(), (*qit)->getClass());
    EXPECT_EQ(RRType::A(), (*qit)->getType());
    ++qit;
    EXPECT_TRUE(qit == parse_message.endQuestion());
252 253
}

254 255
// Query with unsupported version of EDNS.
TEST_F(AuthSrvTest, ednsBadVers) {
256
    createDataFromFile("queryBadEDNS_fromWire");
257 258
    EXPECT_EQ(true, server.processMessage(*io_message, parse_message,
                                          response_renderer));
259 260 261 262 263 264 265 266 267 268

    // The response must have an EDNS OPT RR in the additional section.
    // Note that the DNSSEC DO bit is cleared even if this bit in the query
    // is set.  This is a limitation of the current implementation.
    headerCheck(parse_message, default_qid, Rcode::BADVERS(), opcode.getCode(),
                QR_FLAG, 1, 0, 0, 1);
    EXPECT_EQ(4096, parse_message.getUDPSize());
    EXPECT_FALSE(parse_message.isDNSSECSupported());
}

JINMEI Tatuya's avatar
JINMEI Tatuya committed
269 270 271 272 273 274 275 276 277 278
TEST_F(AuthSrvTest, AXFROverUDP) {
    // AXFR over UDP is invalid and should result in FORMERR.
    createRequest(opcode, Name("example.com"), RRClass::IN(), RRType::AXFR(),
                  IPPROTO_UDP);
    EXPECT_EQ(true, server.processMessage(*io_message, parse_message,
                                          response_renderer));
    headerCheck(parse_message, default_qid, Rcode::FORMERR(), opcode.getCode(),
                QR_FLAG, 1, 0, 0, 0);
}

Han Feng's avatar
Han Feng committed
279
TEST_F(AuthSrvTest, notifyInTest) {
280 281
    createRequest(Opcode::NOTIFY(), Name("example.com"), RRClass::IN(),
                  RRType::SOA());
282
    EXPECT_EQ(false, server.processMessage(*io_message, parse_message,
283
                                           response_renderer));
Han Feng's avatar
Han Feng committed
284 285
}

286
void
287 288 289
updateConfig(AuthSrv* server, const char* const dbfile,
             const bool expect_success)
{
290 291 292 293 294 295 296
    const ElementPtr config_answer =
        server->updateConfig(Element::createFromString(dbfile));
    EXPECT_EQ(Element::map, config_answer->getType());
    EXPECT_TRUE(config_answer->contains("result"));

    const ElementPtr result = config_answer->get("result");
    EXPECT_EQ(Element::list, result->getType());
297
    EXPECT_EQ(expect_success ? 0 : 1, result->get(0)->intValue());
298 299 300 301
}

// Install a Sqlite3 data source with testing data.
TEST_F(AuthSrvTest, updateConfig) {
302
    updateConfig(&server, CONFIG_TESTDB, true);
303 304 305 306

    // query for existent data in the installed data source.  The resulting
    // response should have the AA flag on, and have an RR in each answer
    // and authority section.
307
    createDataFromFile("examplequery_fromWire");
308 309
    EXPECT_EQ(true, server.processMessage(*io_message, parse_message,
                                          response_renderer));
310 311 312 313 314
    headerCheck(parse_message, default_qid, Rcode::NOERROR(), opcode.getCode(),
                QR_FLAG | AA_FLAG, 1, 1, 1, 0);
}

TEST_F(AuthSrvTest, datasourceFail) {
315
    updateConfig(&server, CONFIG_TESTDB, true);
316 317 318 319 320

    // This query will hit a corrupted entry of the data source (the zoneload
    // tool and the data source itself naively accept it).  This will result
    // in a SERVFAIL response, and the answer and authority sections should
    // be empty.
321
    createDataFromFile("badExampleQuery_fromWire");
322 323
    EXPECT_EQ(true, server.processMessage(*io_message, parse_message,
                                          response_renderer));
324 325 326
    headerCheck(parse_message, default_qid, Rcode::SERVFAIL(), opcode.getCode(),
                QR_FLAG, 1, 0, 0, 0);
}
327 328 329 330 331 332 333 334 335

TEST_F(AuthSrvTest, updateConfigFail) {
    // First, load a valid data source.
    updateConfig(&server, CONFIG_TESTDB, true);

    // Next, try to update it with a non-existent one.  This should fail.
    updateConfig(&server, BADCONFIG_TESTDB, false);

    // The original data source should still exist.
336
    createDataFromFile("examplequery_fromWire");
337 338
    EXPECT_EQ(true, server.processMessage(*io_message, parse_message,
                                          response_renderer));
339 340 341
    headerCheck(parse_message, default_qid, Rcode::NOERROR(), opcode.getCode(),
                QR_FLAG | AA_FLAG, 1, 1, 1, 0);
}
342
}