knot-dns/tests/utils/test_kdig_validate.in

#!/bin/sh
# Copyright (C) CZ.NIC, z.s.p.o. and contributors
# SPDX-License-Identifier: GPL-2.0-or-later
# For more information, see <https://www.knot-dns.cz/>

BUILDROOT="@top_builddir@"
SRCROOT="@top_srcdir@"

. "@top_srcdir@/tests/tap/libtap.sh"

TMPDIR=$(cd $(test_tmpdir) && pwd)
if [ -f /etc/crypto-policies/config ] || [ ${#TMPDIR} -gt 85 ]; then
    diag "Test not compatible with strict crypto policy or too long unix socket paths"
    skip_all
    exit 0
fi

SCN=$TMPDIR/scenario.txt
CONF=$TMPDIR/knot.conf
RUNDIR=$TMPDIR/run
LISTEN=$RUNDIR/listen
LISTEN_CTL=$RUNDIR/ctl
VALGRIND=

if [ "$2" = "v" ]; then
    VALGRIND="valgrind --leak-check=full --show-leak-kinds=all"
fi

cat << EOF > $SCN
delegation.signed                deleg         A       NOK!   DS.NODATA.*found          x.deleg       A       NOK!   DS.NODATA.*found
different_signer_name.signed     dns1          A       OK!    answer.found              dns1          TXT     NOK!   NODATA.*found
dname_apex_nsec3.signed          foo           A       OK!    limit.*of.*DNAME          x             TXT     OK!    limit.*of.*DNAME
dnskey_keytags.many              dns1          A       FAILED many.*keytag              dns2          A       FAILED many.*keytag
no_rrsig.signed                  dns1          AAAA    NOK!   missing.RRSIG.*NSEC       dns2          A       NOK!   missing.RRSIG.*NSEC
no_rrsig_with_delegation.signed  deleg         A       NOK!   any.RRSIG                 deleg         DS      NOK!   missing.RRSIG.*NSEC
nsec_broken_chain_01.signed      eee           A       NOK!   invalid.*RRSIG.*NSEC      zzz           A       OK!    wildcard.non.*proven
nsec_broken_chain_02.signed      eee           A       OK!    wildcard.non.*proven      zzz           A       NOK!   wrongly.proves.NXDOMAIN
nsec_missing.signed              www           AAAA    NOK!   NXDOMAIN.*missing         dns2          A       NOK!   invalid.*RRSIG.*NSEC
nsec_multiple.signed             www           AAAA    NOK!   wrongly.proves.NXDOMAIN   zzz           A       NOK!   wrongly.proves.NXDOMAIN
nsec_nonauth.invalid             nonauth.deleg NS      NOK!   invalid.*RRSIG.*DNSKEY    nonauth.deleg DS      NOK!   invalid.*RRSIG.*DNSKEY
nsec_wrong_bitmap_01.signed      www           A       OK!    answer.found              www           AAAA    NOK!   NODATA.*missing
nsec_wrong_bitmap_02.signed      www           A       OK!    answer.found              www           AAAA    NOK!   invalid.*RRSIG.*NSEC
nsec3_chain_01.signed            deleg         A       NOK!   invalid.*RRSIG.*NSEC3     dns2          A       NOK!   overlapping.*NSEC3
nsec3_chain_02.signed            deleg         A       OK!    DS.NODATA.*found          dns2          A       NOK!   overlapping.*NSEC3
nsec3_chain_03.signed            deleg         A       NOK!   invalid.*RRSIG.*NSEC3     dns2          A       NOK!   overlapping.*NSEC3
nsec3_missing.signed             extra         AAAA    NOK!   NXDOMAIN.*missing         extrb         A       NOK!   invalid.*RRSIG.*NSEC3
nsec3_optout_ent.all             x.deleg2.ent  A       OK!    opt-out.*found            ent           A       OK!    NODATA.*unprovable
nsec3_optout_ent.invalid         x.deleg1.ent  A       OK!    DS.NODATA.*found          ent           A       OK!    NODATA.*unprovable
nsec3_optout_ent.valid           x.deleg1.ent  A       OK!    DS.NODATA.*found          ent           A       OK!    NODATA.*found
nsec3_optout.signed              zzz           A       NOK!   DS.non.*missing           xx.zzz        A       NOK!   DS.non.*missing
nsec3_param_invalid.signed       dns1          A       OK!    answer.found              dns2          A       NOK!   any.RRSIG
nsec3_wrong_bitmap_01.signed     example.com.  DNSKEY  OK!    answer.found              example.com.  SSHFP   NOK!   wrongly.proves.NODATA
nsec3_wrong_bitmap_02.signed     dns1          TXT     NOK!   invalid.*RRSIG.*NSEC3     dns1          NSEC    NOK!   NODATA.*missing
rrsig_rdata_ttl.signed           dns1          A       NOK!   invalid.*RRSIG.*A         dns1          TXT     OK!    NODATA.*found
rrsig_signed.signed              dns1          A       OK!    answer.found              dns1          RRSIG   OK!    answer.found
rrsig_ttl.signed                 dns1          A       OK!    answer.found              dns1          AAAA    OK!    NODATA.*found
EOF

cat << EOF > $CONF
server:
    rundir: $RUNDIR
    listen: $LISTEN
    tcp-workers: 1
    udp-workers: 1
    background-workers: 1
control:
    listen: $LISTEN_CTL
database:
    storage: $RUNDIR
    timer-db-sync: never
zone:
  - domain: example.com.
    storage: $RUNDIR
    file: example.com.zone
log:
  - target: stdout
    any: debug
EOF

plan $(( $(cat "$SCN" | wc -l) * 4 ))

q() {
    QN="$2"
    OUTCOME=$(echo "$4" | sed 's/NOK/Invalid/;s/OK/Valid/;s/FAILED/VALIDATION failed to proceed/')
    case "$QN" in
        *.) ;;
        *) QN="$QN.example.com." ;;
    esac
    CMD="$VALGRIND $BUILDROOT/src/kdig @$LISTEN +tcp +validate +nocrypto $QN -t $3"
    echo "$1 $CMD" >&2
    RESP=$(sh -c "$CMD" 2>&1)
    echo "$RESP" >&2
    echo "$RESP" | grep -q "$OUTCOME"
    ok "$1 outcome '$OUTCOME'" test $? -eq 0
    echo "$RESP" | grep -q "$5"
    ok "$1 point '$5'" test $? -eq 0
}

rm -rf $RUNDIR; mkdir $RUNDIR
$BUILDROOT/src/knotd -c $CONF > $RUNDIR/knot.log &
PID=$!
while ! grep -q 'server started' $RUNDIR/knot.log; do
    sleep 0.02
    continue
done

i=0
while read ZFILE QNAME QTYPE OUT POINT QNAME2 QTYPE2 OUT2 POINT2; do
    i=$((i+1))
    if [ -n "$1" ] && [ "$1" != "$i" ]; then
        continue
    fi
    NLOADED_WAS=$(grep -c 'loaded, serial' $RUNDIR/knot.log)
    cat $SRCROOT/tests/knot/semantic_check_data/$ZFILE > $RUNDIR/example.com.zone
    $BUILDROOT/src/knotc -s $LISTEN_CTL -f zone-reload >&2
    while [ $(grep -c 'loaded, serial' $RUNDIR/knot.log) = "$NLOADED_WAS" ]; do
        sleep 0.02
    done
    q "(${i}a)" "$QNAME" "$QTYPE" "$OUT" "$POINT"
    q "(${i}b)" "$QNAME2" "$QTYPE2" "$OUT2" "$POINT2"
done < "$SCN"


kill -TERM $PID
sleep 0.1
rm -rf $RUNDIR $SCN $CONF