* - cookie-secret-file, define struct. * - cookie-secret-file, add config option, create, read and delete struct. * - cookie-secret-file, check cookie secrets for cookie validation. * - cookie-secret-file, unbound-control add_cookie_secret, drop_cookie_secret, activate_cookie_secret and print_cookie_secrets. * - cookie-secret-file, test and fix locks, renew writes a fresh cookie, staging cookies get a fresh cookie and spelling in error message. * - cookie-secret-file, remove unused variable from cookie file unit test. * Remove unshare and faketime dependencies for cookie_file test; documentation nits. --------- Co-authored-by: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
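# #-- cookie_file.test --#
#
# Exercises the cookie-secret-file feature through unbound-control:
# add a secret, obtain a server cookie for it, stage and activate a
# second secret (rollover), and finally drop the old secret and confirm
# cookies minted under it are rejected.
#
# Requires: SERVER_PORT (from .tpkg.var.test), unbound running with
# ub.conf, and the helpers in ../common.sh (teststep).

# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
PRE="../.."
. ../common.sh

# Fixed, test-only cookie secrets (32 hex chars each). They are public in
# this repository and are never suitable for a real deployment.
first_secret=dd3bdf9344b678b185a6f5cb60fca715
second_secret=445536bcd2513298075a5d379663c962
# The client cookie dig sends; the server must echo it in every reply.
client_cookie=3132333435363738

# fail_test FILE MESSAGE
#   Print FILE for diagnosis, then MESSAGE, and abort the test with status 1.
fail_test() {
	cat -- "$1"
	echo "$2"
	exit 1
}

# dump_secrets FILE
#   Write the daemon's current cookie secrets (print_cookie_secrets) to FILE.
dump_secrets() {
	"$PRE/unbound-control" -c ub.conf print_cookie_secrets > "$1"
}

# poll_secrets FILE WANT PATTERN
#   Dump the secrets into FILE and re-dump up to 3 times, one second apart,
#   until PATTERN is present (WANT=present) or gone (WANT=absent). The control
#   command is applied asynchronously by the daemon, so the first dump may be
#   stale. The caller still performs the definitive check on FILE afterwards;
#   the return status only tells whether the wanted state was observed.
poll_secrets() {
	local file=$1 want=$2 pattern=$3 attempt
	dump_secrets "$file"
	for attempt in 1 2 3; do
		if grep -q -- "$pattern" "$file"; then
			[ "$want" = present ] && return 0
		else
			[ "$want" = absent ] && return 0
		fi
		sleep 1
		dump_secrets "$file"
	done
	if grep -q -- "$pattern" "$file"; then
		[ "$want" = present ]
	else
		[ "$want" = absent ]
	fi
}

# query_with_cookie FILE COOKIE
#   Send a version.server query carrying the EDNS COOKIE to the test server
#   and save dig's output in FILE.
query_with_cookie() {
	dig version.server ch txt @127.0.0.1 -p "$SERVER_PORT" "+cookie=$2" > "$1"
}

# cookie_from_output FILE
#   Print the cookie the server returned, taken from dig's "; COOKIE:" line.
cookie_from_output() {
	grep -- "; COOKIE:" "$1" | cut -d ' ' -f 3
}

# expect_cookie_reused FILE COOKIE
#   Query with COOKIE and require that the server accepts it unchanged
#   (no BADCOOKIE, same cookie echoed back).
expect_cookie_reused() {
	local file=$1 cookie=$2
	query_with_cookie "$file" "$cookie"
	if grep -q -- "BADCOOKIE" "$file"; then
		fail_test "$file" "Got BADCOOKIE response for a valid cookie"
	fi
	grep -q -- "COOKIE: $cookie" "$file" \
		|| fail_test "$file" "Did not get the same first cookie in the response"
}


teststep "Add first secret"
echo ">> add_cookie_secret $first_secret"
"$PRE/unbound-control" -c ub.conf add_cookie_secret "$first_secret"
# check secret is persisted
outfile=cookie_secrets.1
poll_secrets "$outfile" present "$first_secret"
# The very first secret becomes active immediately.
grep -q -- "^active.*$first_secret" "$outfile" \
	|| fail_test "$outfile" "First secret was not provisioned"
echo ">> print_cookie_secrets"
cat "$outfile"


teststep "Get a valid cookie for this secret"
outfile=dig.output.1
query_with_cookie "$outfile" "$client_cookie"
# A client-only cookie is answered with BADCOOKIE, but the reply must carry
# a full server cookie that the client can present on its next query.
grep -q -- "BADCOOKIE" "$outfile" \
	|| fail_test "$outfile" "Did not get a BADCOOKIE response for a client-only cookie"
grep -q -- "COOKIE: $client_cookie" "$outfile" \
	|| fail_test "$outfile" "Did not get a cookie in the response"
first_cookie=$(cookie_from_output "$outfile")
cat "$outfile"
echo "first cookie: $first_cookie"


teststep "Verify the first cookie can be reused"
expect_cookie_reused dig.output.2 "$first_cookie"


teststep "Add second secret"
outfile=cookie_secrets.2
echo ">> add_cookie_secret $second_secret"
"$PRE/unbound-control" -c ub.conf add_cookie_secret "$second_secret"
poll_secrets "$outfile" present "$second_secret"
# A second secret is only staged; the first one stays active until
# activate_cookie_secret is issued.
if ! grep -q -- "^staging.*$second_secret" "$outfile" \
	|| ! grep -q -- "^active.*$first_secret" "$outfile"; then
	fail_test "$outfile" "Secrets were not provisioned"
fi
echo ">> print_cookie_secrets"
cat "$outfile"
# cookie_secrets.txt is the persisted secret file; dumping it into the test
# log is acceptable only because these are fixed test values.
echo ">> cookie_secrets.txt"
cat cookie_secrets.txt


teststep "Verify the first cookie can be reused"
expect_cookie_reused dig.output.3 "$first_cookie"


teststep "Secret rollover"
outfile=cookie_secrets.3
"$PRE/unbound-control" -c ub.conf activate_cookie_secret
poll_secrets "$outfile" present "^active.*$second_secret"
# After activation the roles swap: the second secret is active and the
# first one is kept in staging so cookies minted under it stay valid.
if ! grep -q -- "^active.*$second_secret" "$outfile" \
	|| ! grep -q -- "^staging.*$first_secret" "$outfile"; then
	fail_test "$outfile" "Second secret was not activated"
fi
echo ">> activate cookie secret, printout"
cat "$outfile"
echo ">> cookie_secrets.txt"
cat cookie_secrets.txt


teststep "Verify the first cookie can be reused but a new cookie is returned from the second secret"
outfile=dig.output.4
query_with_cookie "$outfile" "$first_cookie"
if grep -q -- "BADCOOKIE" "$outfile"; then
	fail_test "$outfile" "Got BADCOOKIE response for a valid cookie"
fi
grep -q -- "COOKIE: $client_cookie" "$outfile" \
	|| fail_test "$outfile" "Did not get a cookie in the response"
# The old cookie is still accepted, but the reply must be re-minted under
# the now-active second secret.
if grep -q -- "COOKIE: $first_cookie" "$outfile"; then
	fail_test "$outfile" "Got the same first cookie in the response while the second secret is active"
fi
second_cookie=$(cookie_from_output "$outfile")
cat "$outfile"
echo "second cookie: $second_cookie"


teststep "Drop cookie secret"
outfile=cookie_secrets.4
"$PRE/unbound-control" -c ub.conf drop_cookie_secret
poll_secrets "$outfile" absent "^staging.*$first_secret"
if grep -q -- "^staging.*$first_secret" "$outfile"; then
	fail_test "$outfile" "First secret was not dropped"
fi
echo ">> drop cookie secret, printout"
cat "$outfile"
echo ">> cookie_secrets.txt"
cat cookie_secrets.txt


teststep "Verify the first cookie can not be reused and the second cookie is returned instead"
# Use a fresh output file; the original reused dig.output.4 and overwrote
# the previous step's evidence.
outfile=dig.output.5
query_with_cookie "$outfile" "$first_cookie"
# With the first secret gone, its cookie must be rejected ...
grep -q -- "BADCOOKIE" "$outfile" \
	|| fail_test "$outfile" "Did not get BADCOOKIE response for an invalid cookie"
grep -q -- "COOKIE: $client_cookie" "$outfile" \
	|| fail_test "$outfile" "Did not get a cookie in the response"
if grep -q -- "COOKIE: $first_cookie" "$outfile"; then
	fail_test "$outfile" "Got the same first cookie in the response while the second secret is active"
fi
# ... and the reply must carry the cookie minted under the second secret.
grep -q -- "COOKIE: $second_cookie" "$outfile" \
	|| fail_test "$outfile" "Did not get the same second cookie in the response"

exit 0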