mirror of
https://github.com/isc-projects/bind9.git
synced 2026-06-11 08:09:59 -04:00
Clean up shell tests remnants
Now that all tests are covered by pytest, we can remove the remnants of the shell test script.
This commit is contained in:
Matthijs Mekking
parent
3f5d295e29
commit
29816eb621
2 changed files with 0 additions and 275 deletions
|
|
@ -1,239 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
#
|
||||
# SPDX-License-Identifier: MPL-2.0
|
||||
#
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
||||
#
|
||||
# See the COPYRIGHT file distributed with this work for additional
|
||||
# information regarding copyright ownership.
|
||||
|
||||
set -e
|
||||
|
||||
# shellcheck source=conf.sh
|
||||
. ../conf.sh
|
||||
# shellcheck source=kasp.sh
|
||||
. ../kasp.sh
|
||||
|
||||
# Log errors and increment $ret.
|
||||
log_error() {
|
||||
echo_i "error: $1"
|
||||
ret=$((ret + 1))
|
||||
}
|
||||
|
||||
# Call dig with default options.
|
||||
dig_with_opts() {
|
||||
$DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
|
||||
}
|
||||
|
||||
# Call rndc.
|
||||
rndccmd() {
|
||||
"$RNDC" -c ../_common/rndc.conf -p "$CONTROLPORT" -s "$@"
|
||||
}
|
||||
|
||||
# Set zone name ($1) and policy ($2) for testing nsec3.
|
||||
# Also set the expected number of keys ($3) and DNSKEY TTL ($4).
|
||||
set_zone_policy() {
|
||||
ZONE=$1
|
||||
POLICY=$2
|
||||
NUM_KEYS=$3
|
||||
DNSKEY_TTL=$4
|
||||
KEYFILE_TTL=$4
|
||||
# The CDS digest type in these tests are all the default,
|
||||
# which is SHA-256 (2).
|
||||
CDS_SHA256="yes"
|
||||
CDS_SHA384="no"
|
||||
}
|
||||
# Set expected NSEC3 parameters: flags ($1) and salt length ($2).
|
||||
set_nsec3param() {
|
||||
FLAGS=$1
|
||||
SALTLEN=$2
|
||||
# Reset salt.
|
||||
SALT=""
|
||||
}
|
||||
|
||||
# Set expected default dnssec-policy keys values.
|
||||
set_key_default_values() {
|
||||
key_clear $1
|
||||
|
||||
set_keyrole $1 "csk"
|
||||
set_keylifetime $1 "0"
|
||||
set_keyalgorithm $1 "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning $1 "yes"
|
||||
set_zonesigning $1 "yes"
|
||||
|
||||
set_keystate $1 "GOAL" "omnipresent"
|
||||
set_keystate $1 "STATE_DNSKEY" "rumoured"
|
||||
set_keystate $1 "STATE_KRRSIG" "rumoured"
|
||||
set_keystate $1 "STATE_ZRRSIG" "rumoured"
|
||||
set_keystate $1 "STATE_DS" "hidden"
|
||||
}
|
||||
|
||||
# Set expected rsasha1 dnssec-policy keys values.
|
||||
set_key_rsasha1_values() {
|
||||
key_clear $1
|
||||
|
||||
set_keyrole $1 "csk"
|
||||
set_keylifetime $1 "0"
|
||||
set_keyalgorithm $1 "5" "RSASHA1" "2048"
|
||||
set_keysigning $1 "yes"
|
||||
set_zonesigning $1 "yes"
|
||||
|
||||
set_keystate $1 "GOAL" "omnipresent"
|
||||
set_keystate $1 "STATE_DNSKEY" "rumoured"
|
||||
set_keystate $1 "STATE_KRRSIG" "rumoured"
|
||||
set_keystate $1 "STATE_ZRRSIG" "rumoured"
|
||||
set_keystate $1 "STATE_DS" "hidden"
|
||||
}
|
||||
|
||||
# Update the key states.
|
||||
set_key_states() {
|
||||
set_keystate $1 "GOAL" "$2"
|
||||
set_keystate $1 "STATE_DNSKEY" "$3"
|
||||
set_keystate $1 "STATE_KRRSIG" "$4"
|
||||
set_keystate $1 "STATE_ZRRSIG" "$5"
|
||||
set_keystate $1 "STATE_DS" "$6"
|
||||
}
|
||||
|
||||
# The apex NSEC3PARAM record indicates that it is signed.
|
||||
_wait_for_nsec3param() {
|
||||
dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC3PARAM >"dig.out.test$n.wait" || return 1
|
||||
grep "${ZONE}\..*IN.*NSEC3PARAM 1 0 0.*${SALT}" "dig.out.test$n.wait" >/dev/null || return 1
|
||||
grep "${ZONE}\..*IN.*RRSIG" "dig.out.test$n.wait" >/dev/null || return 1
|
||||
return 0
|
||||
}
|
||||
# The apex NSEC record indicates that it is signed.
|
||||
_wait_for_nsec() {
|
||||
dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC >"dig.out.test$n.wait" || return 1
|
||||
grep "NS SOA" "dig.out.test$n.wait" >/dev/null || return 1
|
||||
grep "${ZONE}\..*IN.*RRSIG" "dig.out.test$n.wait" >/dev/null || return 1
|
||||
grep "${ZONE}\..*IN.*NSEC3PARAM" "dig.out.test$n.wait" >/dev/null && return 1
|
||||
return 0
|
||||
}
|
||||
|
||||
# Wait for the zone to be signed.
|
||||
wait_for_zone_is_signed() {
|
||||
n=$((n + 1))
|
||||
ret=0
|
||||
echo_i "wait for ${ZONE} to be signed with $1 ($n)"
|
||||
|
||||
if [ "$1" = "nsec3" ]; then
|
||||
retry_quiet 10 _wait_for_nsec3param || log_error "wait for ${ZONE} to be signed failed"
|
||||
else
|
||||
retry_quiet 10 _wait_for_nsec || log_error "wait for ${ZONE} to be signed failed"
|
||||
fi
|
||||
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
}
|
||||
|
||||
# Test: check DNSSEC verify
|
||||
_check_dnssec_verify() {
|
||||
dig_with_opts @$SERVER "${ZONE}" AXFR >"dig.out.test$n.axfr.$ZONE" || return 1
|
||||
$VERIFY -z -o "$ZONE" "dig.out.test$n.axfr.$ZONE" >"verify.out.test$n.$ZONE" 2>&1 || return 1
|
||||
return 0
|
||||
}
|
||||
|
||||
# Test: check NSEC in answers
|
||||
_check_nsec_nsec3param() {
|
||||
dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM >"dig.out.test$n.nsec3param.$ZONE" || return 1
|
||||
grep "NSEC3PARAM" "dig.out.test$n.nsec3param.$ZONE" >/dev/null && return 1
|
||||
return 0
|
||||
}
|
||||
|
||||
_check_nsec_nxdomain() {
|
||||
dig_with_opts @$SERVER "nosuchname.${ZONE}" >"dig.out.test$n.nxdomain.$ZONE" || return 1
|
||||
grep "${ZONE}.*IN.*NSEC.*NS.*SOA.*RRSIG.*NSEC.*DNSKEY" "dig.out.test$n.nxdomain.$ZONE" >/dev/null || return 1
|
||||
grep "NSEC3" "dig.out.test$n.nxdomain.$ZONE" >/dev/null && return 1
|
||||
return 0
|
||||
}
|
||||
|
||||
check_nsec() {
|
||||
wait_for_zone_is_signed "nsec"
|
||||
|
||||
n=$((n + 1))
|
||||
echo_i "check DNSKEY rrset is signed correctly for zone ${ZONE} ($n)"
|
||||
ret=0
|
||||
check_keys
|
||||
retry_quiet 10 _check_apex_dnskey || log_error "bad DNSKEY RRset for zone ${ZONE}"
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
n=$((n + 1))
|
||||
echo_i "verify DNSSEC for zone ${ZONE} ($n)"
|
||||
ret=0
|
||||
retry_quiet 10 _check_dnssec_verify || log_error "DNSSEC verify failed for zone ${ZONE}"
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
n=$((n + 1))
|
||||
echo_i "check NSEC3PARAM response for zone ${ZONE} ($n)"
|
||||
ret=0
|
||||
retry_quiet 10 _check_nsec_nsec3param || log_error "unexpected NSEC3PARAM in response for zone ${ZONE}"
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
n=$((n + 1))
|
||||
echo_i "check NXDOMAIN response for zone ${ZONE} ($n)"
|
||||
ret=0
|
||||
retry_quiet 10 _check_nsec_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}"
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
}
|
||||
|
||||
# Test: check NSEC3 parameters in answers
|
||||
_check_nsec3_nsec3param() {
|
||||
dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM >"dig.out.test$n.nsec3param.$ZONE" || return 1
|
||||
grep "${ZONE}.*0.*IN.*NSEC3PARAM.*1.*0.*0.*${SALT}" "dig.out.test$n.nsec3param.$ZONE" >/dev/null || return 1
|
||||
|
||||
if [ -z "$SALT" ]; then
|
||||
SALT=$(awk '$4 == "NSEC3PARAM" { print $8 }' dig.out.test$n.nsec3param.$ZONE)
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
_check_nsec3_nxdomain() {
|
||||
dig_with_opts @$SERVER "nosuchname.${ZONE}" >"dig.out.test$n.nxdomain.$ZONE" || return 1
|
||||
grep ".*\.${ZONE}.*IN.*NSEC3.*1.${FLAGS}.*0.*${SALT}" "dig.out.test$n.nxdomain.$ZONE" >/dev/null || return 1
|
||||
return 0
|
||||
}
|
||||
|
||||
check_nsec3() {
|
||||
wait_for_zone_is_signed "nsec3"
|
||||
|
||||
n=$((n + 1))
|
||||
echo_i "check that NSEC3PARAM 1 0 0 ${SALT} is published zone ${ZONE} ($n)"
|
||||
ret=0
|
||||
retry_quiet 10 _check_nsec3_nsec3param || log_error "bad NSEC3PARAM response for ${ZONE}"
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
n=$((n + 1))
|
||||
echo_i "check NXDOMAIN response has correct NSEC3 1 ${FLAGS} 0 ${SALT} for zone ${ZONE} ($n)"
|
||||
ret=0
|
||||
retry_quiet 10 _check_nsec3_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}"
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
n=$((n + 1))
|
||||
echo_i "verify DNSSEC for zone ${ZONE} ($n)"
|
||||
ret=0
|
||||
retry_quiet 10 _check_dnssec_verify || log_error "DNSSEC verify failed for zone ${ZONE}"
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
}
|
||||
|
||||
start_time="$(TZ=UTC date +%s)"
|
||||
status=0
|
||||
n=0
|
||||
|
||||
key_clear "KEY1"
|
||||
key_clear "KEY2"
|
||||
key_clear "KEY3"
|
||||
key_clear "KEY4"
|
||||
|
||||
echo_i "exit status: $status"
|
||||
[ $status -eq 0 ] || exit 1
|
||||
|
|
@ -1,36 +0,0 @@
|
|||
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
#
|
||||
# SPDX-License-Identifier: MPL-2.0
|
||||
#
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
||||
#
|
||||
# See the COPYRIGHT file distributed with this work for additional
|
||||
# information regarding copyright ownership.
|
||||
|
||||
import pytest
|
||||
|
||||
pytestmark = pytest.mark.extra_artifacts(
|
||||
[
|
||||
"*.created",
|
||||
"dig.out.*",
|
||||
"rndc.reload.*",
|
||||
"rndc.signing.*",
|
||||
"update.out.*",
|
||||
"verify.out.*",
|
||||
"ns*/dsset-**",
|
||||
"ns*/K*",
|
||||
"ns*/settime.out.*",
|
||||
"ns*/*.db",
|
||||
"ns*/*.jbk",
|
||||
"ns*/*.jnl",
|
||||
"ns*/*.signed",
|
||||
"ns*/keygen.out.*",
|
||||
"ns3/named-fips.conf",
|
||||
]
|
||||
)
|
||||
|
||||
|
||||
def test_nsec3(run_tests_sh):
|
||||
run_tests_sh()
|
||||
Loading…
Reference in a new issue