mirror of
https://github.com/isc-projects/bind9.git
synced 2026-06-10 09:49:59 -04:00
Clean up shell tests remnants
Now that all tests are covered by pytest, we can remove the remnants
of the shell test script.
(cherry picked from commit 29816eb621)
This commit is contained in:
Matthijs Mekking
Matthijs Mekking (GitLab job 6509612)
parent
1917cb5d75
commit
f9e5879ef5
2 changed files with 0 additions and 275 deletions
|
|
@ -1,239 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
#
|
||||
# SPDX-License-Identifier: MPL-2.0
|
||||
#
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
||||
#
|
||||
# See the COPYRIGHT file distributed with this work for additional
|
||||
# information regarding copyright ownership.
|
||||
|
||||
set -e
|
||||
|
||||
# shellcheck source=conf.sh
|
||||
. ../conf.sh
|
||||
# shellcheck source=kasp.sh
|
||||
. ../kasp.sh
|
||||
|
||||
# Log errors and increment $ret.
|
||||
log_error() {
|
||||
echo_i "error: $1"
|
||||
ret=$((ret + 1))
|
||||
}
|
||||
|
||||
# Call dig with default options.
|
||||
dig_with_opts() {
|
||||
$DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
|
||||
}
|
||||
|
||||
# Call rndc.
|
||||
rndccmd() {
|
||||
"$RNDC" -c ../_common/rndc.conf -p "$CONTROLPORT" -s "$@"
|
||||
}
|
||||
|
||||
# Set zone name ($1) and policy ($2) for testing nsec3.
|
||||
# Also set the expected number of keys ($3) and DNSKEY TTL ($4).
|
||||
set_zone_policy() {
|
||||
ZONE=$1
|
||||
POLICY=$2
|
||||
NUM_KEYS=$3
|
||||
DNSKEY_TTL=$4
|
||||
KEYFILE_TTL=$4
|
||||
# The CDS digest type in these tests are all the default,
|
||||
# which is SHA-256 (2).
|
||||
CDS_SHA256="yes"
|
||||
CDS_SHA384="no"
|
||||
}
|
||||
# Set expected NSEC3 parameters: flags ($1) and salt length ($2).
|
||||
set_nsec3param() {
|
||||
FLAGS=$1
|
||||
SALTLEN=$2
|
||||
# Reset salt.
|
||||
SALT=""
|
||||
}
|
||||
|
||||
# Set expected default dnssec-policy keys values.
|
||||
set_key_default_values() {
|
||||
key_clear $1
|
||||
|
||||
set_keyrole $1 "csk"
|
||||
set_keylifetime $1 "0"
|
||||
set_keyalgorithm $1 "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning $1 "yes"
|
||||
set_zonesigning $1 "yes"
|
||||
|
||||
set_keystate $1 "GOAL" "omnipresent"
|
||||
set_keystate $1 "STATE_DNSKEY" "rumoured"
|
||||
set_keystate $1 "STATE_KRRSIG" "rumoured"
|
||||
set_keystate $1 "STATE_ZRRSIG" "rumoured"
|
||||
set_keystate $1 "STATE_DS" "hidden"
|
||||
}
|
||||
|
||||
# Set expected rsasha1 dnssec-policy keys values.
|
||||
set_key_rsasha1_values() {
|
||||
key_clear $1
|
||||
|
||||
set_keyrole $1 "csk"
|
||||
set_keylifetime $1 "0"
|
||||
set_keyalgorithm $1 "5" "RSASHA1" "2048"
|
||||
set_keysigning $1 "yes"
|
||||
set_zonesigning $1 "yes"
|
||||
|
||||
set_keystate $1 "GOAL" "omnipresent"
|
||||
set_keystate $1 "STATE_DNSKEY" "rumoured"
|
||||
set_keystate $1 "STATE_KRRSIG" "rumoured"
|
||||
set_keystate $1 "STATE_ZRRSIG" "rumoured"
|
||||
set_keystate $1 "STATE_DS" "hidden"
|
||||
}
|
||||
|
||||
# Update the key states.
|
||||
set_key_states() {
|
||||
set_keystate $1 "GOAL" "$2"
|
||||
set_keystate $1 "STATE_DNSKEY" "$3"
|
||||
set_keystate $1 "STATE_KRRSIG" "$4"
|
||||
set_keystate $1 "STATE_ZRRSIG" "$5"
|
||||
set_keystate $1 "STATE_DS" "$6"
|
||||
}
|
||||
|
||||
# The apex NSEC3PARAM record indicates that it is signed.
|
||||
_wait_for_nsec3param() {
|
||||
dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC3PARAM >"dig.out.test$n.wait" || return 1
|
||||
grep "${ZONE}\..*IN.*NSEC3PARAM 1 0 0.*${SALT}" "dig.out.test$n.wait" >/dev/null || return 1
|
||||
grep "${ZONE}\..*IN.*RRSIG" "dig.out.test$n.wait" >/dev/null || return 1
|
||||
return 0
|
||||
}
|
||||
# The apex NSEC record indicates that it is signed.
|
||||
_wait_for_nsec() {
|
||||
dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC >"dig.out.test$n.wait" || return 1
|
||||
grep "NS SOA" "dig.out.test$n.wait" >/dev/null || return 1
|
||||
grep "${ZONE}\..*IN.*RRSIG" "dig.out.test$n.wait" >/dev/null || return 1
|
||||
grep "${ZONE}\..*IN.*NSEC3PARAM" "dig.out.test$n.wait" >/dev/null && return 1
|
||||
return 0
|
||||
}
|
||||
|
||||
# Wait for the zone to be signed.
|
||||
wait_for_zone_is_signed() {
|
||||
n=$((n + 1))
|
||||
ret=0
|
||||
echo_i "wait for ${ZONE} to be signed with $1 ($n)"
|
||||
|
||||
if [ "$1" = "nsec3" ]; then
|
||||
retry_quiet 10 _wait_for_nsec3param || log_error "wait for ${ZONE} to be signed failed"
|
||||
else
|
||||
retry_quiet 10 _wait_for_nsec || log_error "wait for ${ZONE} to be signed failed"
|
||||
fi
|
||||
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
}
|
||||
|
||||
# Test: check DNSSEC verify
|
||||
_check_dnssec_verify() {
|
||||
dig_with_opts @$SERVER "${ZONE}" AXFR >"dig.out.test$n.axfr.$ZONE" || return 1
|
||||
$VERIFY -z -o "$ZONE" "dig.out.test$n.axfr.$ZONE" >"verify.out.test$n.$ZONE" 2>&1 || return 1
|
||||
return 0
|
||||
}
|
||||
|
||||
# Test: check NSEC in answers
|
||||
_check_nsec_nsec3param() {
|
||||
dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM >"dig.out.test$n.nsec3param.$ZONE" || return 1
|
||||
grep "NSEC3PARAM" "dig.out.test$n.nsec3param.$ZONE" >/dev/null && return 1
|
||||
return 0
|
||||
}
|
||||
|
||||
_check_nsec_nxdomain() {
|
||||
dig_with_opts @$SERVER "nosuchname.${ZONE}" >"dig.out.test$n.nxdomain.$ZONE" || return 1
|
||||
grep "${ZONE}.*IN.*NSEC.*NS.*SOA.*RRSIG.*NSEC.*DNSKEY" "dig.out.test$n.nxdomain.$ZONE" >/dev/null || return 1
|
||||
grep "NSEC3" "dig.out.test$n.nxdomain.$ZONE" >/dev/null && return 1
|
||||
return 0
|
||||
}
|
||||
|
||||
check_nsec() {
|
||||
wait_for_zone_is_signed "nsec"
|
||||
|
||||
n=$((n + 1))
|
||||
echo_i "check DNSKEY rrset is signed correctly for zone ${ZONE} ($n)"
|
||||
ret=0
|
||||
check_keys
|
||||
retry_quiet 10 _check_apex_dnskey || log_error "bad DNSKEY RRset for zone ${ZONE}"
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
n=$((n + 1))
|
||||
echo_i "verify DNSSEC for zone ${ZONE} ($n)"
|
||||
ret=0
|
||||
retry_quiet 10 _check_dnssec_verify || log_error "DNSSEC verify failed for zone ${ZONE}"
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
n=$((n + 1))
|
||||
echo_i "check NSEC3PARAM response for zone ${ZONE} ($n)"
|
||||
ret=0
|
||||
retry_quiet 10 _check_nsec_nsec3param || log_error "unexpected NSEC3PARAM in response for zone ${ZONE}"
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
n=$((n + 1))
|
||||
echo_i "check NXDOMAIN response for zone ${ZONE} ($n)"
|
||||
ret=0
|
||||
retry_quiet 10 _check_nsec_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}"
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
}
|
||||
|
||||
# Test: check NSEC3 parameters in answers
|
||||
_check_nsec3_nsec3param() {
|
||||
dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM >"dig.out.test$n.nsec3param.$ZONE" || return 1
|
||||
grep "${ZONE}.*0.*IN.*NSEC3PARAM.*1.*0.*0.*${SALT}" "dig.out.test$n.nsec3param.$ZONE" >/dev/null || return 1
|
||||
|
||||
if [ -z "$SALT" ]; then
|
||||
SALT=$(awk '$4 == "NSEC3PARAM" { print $8 }' dig.out.test$n.nsec3param.$ZONE)
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
_check_nsec3_nxdomain() {
|
||||
dig_with_opts @$SERVER "nosuchname.${ZONE}" >"dig.out.test$n.nxdomain.$ZONE" || return 1
|
||||
grep ".*\.${ZONE}.*IN.*NSEC3.*1.${FLAGS}.*0.*${SALT}" "dig.out.test$n.nxdomain.$ZONE" >/dev/null || return 1
|
||||
return 0
|
||||
}
|
||||
|
||||
check_nsec3() {
|
||||
wait_for_zone_is_signed "nsec3"
|
||||
|
||||
n=$((n + 1))
|
||||
echo_i "check that NSEC3PARAM 1 0 0 ${SALT} is published zone ${ZONE} ($n)"
|
||||
ret=0
|
||||
retry_quiet 10 _check_nsec3_nsec3param || log_error "bad NSEC3PARAM response for ${ZONE}"
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
n=$((n + 1))
|
||||
echo_i "check NXDOMAIN response has correct NSEC3 1 ${FLAGS} 0 ${SALT} for zone ${ZONE} ($n)"
|
||||
ret=0
|
||||
retry_quiet 10 _check_nsec3_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}"
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
n=$((n + 1))
|
||||
echo_i "verify DNSSEC for zone ${ZONE} ($n)"
|
||||
ret=0
|
||||
retry_quiet 10 _check_dnssec_verify || log_error "DNSSEC verify failed for zone ${ZONE}"
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
}
|
||||
|
||||
start_time="$(TZ=UTC date +%s)"
|
||||
status=0
|
||||
n=0
|
||||
|
||||
key_clear "KEY1"
|
||||
key_clear "KEY2"
|
||||
key_clear "KEY3"
|
||||
key_clear "KEY4"
|
||||
|
||||
echo_i "exit status: $status"
|
||||
[ $status -eq 0 ] || exit 1
|
||||
|
|
@ -1,36 +0,0 @@
|
|||
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
#
|
||||
# SPDX-License-Identifier: MPL-2.0
|
||||
#
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
||||
#
|
||||
# See the COPYRIGHT file distributed with this work for additional
|
||||
# information regarding copyright ownership.
|
||||
|
||||
import pytest
|
||||
|
||||
pytestmark = pytest.mark.extra_artifacts(
|
||||
[
|
||||
"*.created",
|
||||
"dig.out.*",
|
||||
"rndc.reload.*",
|
||||
"rndc.signing.*",
|
||||
"update.out.*",
|
||||
"verify.out.*",
|
||||
"ns*/dsset-**",
|
||||
"ns*/K*",
|
||||
"ns*/settime.out.*",
|
||||
"ns*/*.db",
|
||||
"ns*/*.jbk",
|
||||
"ns*/*.jnl",
|
||||
"ns*/*.signed",
|
||||
"ns*/keygen.out.*",
|
||||
"ns3/named-fips.conf",
|
||||
]
|
||||
)
|
||||
|
||||
|
||||
def test_nsec3(run_tests_sh):
|
||||
run_tests_sh()
|
||||
Loading…
Reference in a new issue