diff options
Diffstat (limited to 'bin/tests/system/acl')
-rw-r--r-- | bin/tests/system/acl/clean.sh | 25 | ||||
-rw-r--r-- | bin/tests/system/acl/ns2/named1.conf | 61 | ||||
-rw-r--r-- | bin/tests/system/acl/ns2/named2.conf | 65 | ||||
-rw-r--r-- | bin/tests/system/acl/ns2/named3.conf | 74 | ||||
-rw-r--r-- | bin/tests/system/acl/ns2/named4.conf | 73 | ||||
-rw-r--r-- | bin/tests/system/acl/setup.sh | 21 | ||||
-rw-r--r-- | bin/tests/system/acl/tests.sh | 144 |
7 files changed, 463 insertions, 0 deletions
diff --git a/bin/tests/system/acl/clean.sh b/bin/tests/system/acl/clean.sh new file mode 100644 index 0000000..80ce516 --- /dev/null +++ b/bin/tests/system/acl/clean.sh @@ -0,0 +1,25 @@ +#!/bin/sh +# +# Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id: clean.sh,v 1.3 2008/01/10 23:47:01 tbox Exp $ + +# +# Clean up after zone transfer tests. +# + +rm -f dig.out +rm -f ns2/example.db ns2/tsigzone.db ns2/example.db.jnl ns2/named.conf +rm -f */named.memstats diff --git a/bin/tests/system/acl/ns2/named1.conf b/bin/tests/system/acl/ns2/named1.conf new file mode 100644 index 0000000..b70d1dd --- /dev/null +++ b/bin/tests/system/acl/ns2/named1.conf @@ -0,0 +1,61 @@ +/* + * Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: named1.conf,v 1.2 2008/01/10 01:10:01 marka Exp $ */ + +controls { /* empty */ }; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + ixfr-from-differences yes; + check-integrity no; +}; + +include "../../common/controls.conf"; + +key one { + algorithm hmac-md5; + secret "1234abcd8765"; +}; + +key two { + algorithm hmac-md5; + secret "1234abcd8765"; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "example" { + type master; + file "example.db"; +}; + +zone "tsigzone" { + type master; + file "tsigzone.db"; + allow-transfer { !key one; any; }; +}; diff --git a/bin/tests/system/acl/ns2/named2.conf b/bin/tests/system/acl/ns2/named2.conf new file mode 100644 index 0000000..bcd7e0d --- /dev/null +++ b/bin/tests/system/acl/ns2/named2.conf @@ -0,0 +1,65 @@ +/* + * Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: named2.conf,v 1.3 2008/01/21 20:38:54 each Exp $ */ + +controls { /* empty */ }; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + ixfr-from-differences yes; + check-integrity no; +}; + +include "../../common/controls.conf"; + +key one { + algorithm hmac-md5; + secret "1234abcd8765"; +}; + +key two { + algorithm hmac-md5; + secret "1234abcd8765"; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "example" { + type master; + file "example.db"; +}; + +zone "tsigzone" { + type master; + file "tsigzone.db"; + /* + * 0a00::/8 and 10/8 are the same bits, but different address + * families. This should *not* match IPv4 queries from 10.*. + */ + allow-transfer { 0a00::/8; !10/8; key one; }; +}; diff --git a/bin/tests/system/acl/ns2/named3.conf b/bin/tests/system/acl/ns2/named3.conf new file mode 100644 index 0000000..ea2cbcb --- /dev/null +++ b/bin/tests/system/acl/ns2/named3.conf @@ -0,0 +1,74 @@ +/* + * Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: named3.conf,v 1.2 2008/01/10 01:10:01 marka Exp $ */ + +controls { /* empty */ }; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + ixfr-from-differences yes; + check-integrity no; +}; + +include "../../common/controls.conf"; + +key one { + algorithm hmac-md5; + secret "1234abcd8765"; +}; + +key two { + algorithm hmac-md5; + secret "1234abcd8765"; +}; + +key three { + algorithm hmac-md5; + secret "1234abcd8765"; +}; + +acl reject { + !key one; !key two; any; +}; + +acl accept { + 10.53.0.1; 10.53.0.2; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "example" { + type master; + file "example.db"; +}; + +zone "tsigzone" { + type master; + file "tsigzone.db"; + allow-transfer { !reject; accept; }; +}; diff --git a/bin/tests/system/acl/ns2/named4.conf b/bin/tests/system/acl/ns2/named4.conf new file mode 100644 index 0000000..99edf7e --- /dev/null +++ b/bin/tests/system/acl/ns2/named4.conf @@ -0,0 +1,73 @@ +/* + * Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: named4.conf,v 1.2 2008/01/10 01:10:01 marka Exp $ */ + +controls { /* empty */ }; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + ixfr-from-differences yes; + check-integrity no; +}; + +include "../../common/controls.conf"; + +key one { + algorithm hmac-md5; + secret "1234abcd8765"; +}; + +key two { + algorithm hmac-md5; + secret "1234abcd8765"; +}; + +acl rejectkeys { + !key one; !key two; any; +}; + +acl rejectaddrs { + !10.53.0.1; !10.53.0.2; any; +}; + +acl check1 { !key one; 10.53.0.1; }; + +acl check2 { !key two; 10.53.0.2; }; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +zone "example" { + type master; + file "example.db"; +}; + +zone "tsigzone" { + type master; + file "tsigzone.db"; + allow-transfer { !rejectkeys; !rejectaddrs; !check1; !check2; any; }; +}; diff --git a/bin/tests/system/acl/setup.sh b/bin/tests/system/acl/setup.sh new file mode 100644 index 0000000..9cc07f1 --- /dev/null +++ b/bin/tests/system/acl/setup.sh @@ -0,0 +1,21 @@ +#!/bin/sh +# +# Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id: setup.sh,v 1.3 2008/01/10 23:47:01 tbox Exp $ + +sh ../genzone.sh 2 3 >ns2/example.db +sh ../genzone.sh 2 3 >ns2/tsigzone.db +cp -f ns2/named1.conf ns2/named.conf diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh new file mode 100644 index 0000000..8d2d564 --- /dev/null +++ b/bin/tests/system/acl/tests.sh @@ -0,0 +1,144 @@ +#!/bin/sh +# +# Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id: tests.sh,v 1.4 2008/07/19 00:02:14 each Exp $ + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd" + +status=0 +t=0 + +echo "I:testing basic ACL processing" +# key "one" should fail +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 -p 5300 > dig.out +grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; } + +# any other key should be fine +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 -p 5300 > dig.out +grep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; } + +cp -f ns2/named2.conf ns2/named.conf +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' +sleep 5 + +# prefix 10/8 should fail +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 -p 5300 > dig.out +grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; } + +# any other address should work, as long as it sends key "one" +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 -p 5300 > dig.out +grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; } + +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 -p 5300 > dig.out +grep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; } + +echo "I:testing nested ACL processing" +# all combinations of 10.53.0.{1|2} with key {one|two}, should succeed +cp -f ns2/named3.conf ns2/named.conf +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' +sleep 5 + +# should succeed +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 -p 5300 > dig.out +grep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; } + +# should succeed +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 -p 5300 > dig.out +grep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; } + +# should succeed +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 -p 5300 > dig.out +grep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; } + +# should succeed +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 -p 5300 > dig.out +grep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; } + +# but only one or the other should fail +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 -p 5300 > dig.out +grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; } + +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 10.53.0.2 axfr -p 5300 > dig.out +grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $tt failed" ; status=1; } + +# and other values? right out +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 -p 5300 > dig.out +grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; } + +# now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two +cp -f ns2/named4.conf ns2/named.conf +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' +sleep 5 + +# should succeed +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 -p 5300 > dig.out +grep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; } + +# should succeed +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 -p 5300 > dig.out +grep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; } + +# should fail +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 -p 5300 > dig.out +grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; } + +# should fail +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 -p 5300 > dig.out +grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; } + +# should fail +t=`expr $t + 1` +$DIG $DIGOPTS tsigzone. \ + @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 -p 5300 > dig.out +grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; } + +echo "I:exit status: $status" +exit $status |