mirror of
https://github.com/acme-dns/acme-dns.git
synced 2026-02-25 04:45:34 -07:00
5a7bc230b8
* Refactor core * Re-added tests * Small fixes * Add tests for acmetxt cidrslice and util funcs * Remove the last dangling reference to old logging package * Refactoring (#327) * chore: enable more linters and fix linter issues * ci: enable linter checks on all branches and disable recurring checks recurring linter checks don't make that much sense. The code & linter checks should not change on their own over night ;) * chore: update packages * Revert "chore: update packages" This reverts commit 30250bf28c4b39e9e5b3af012a4e28ab036bf9af. * chore: manually upgrade some packages * Updated dependencies, wrote changelog entry and fixed namespace for release * Refactoring - improving coverage (#371) * Increase code coverage in acmedns * More testing of ReadConfig() and its fallback mechanism * Found that if someone put a '"' double quote into the filename that we configure zap to log to, it would cause the the JSON created to be invalid. I have replaced the JSON string with proper config * Better handling of config options for api.TLS - we now error on an invalid value instead of silently failing. added a basic test for api.setupTLS() (to increase test coverage) * testing nameserver isOwnChallenge and isAuthoritative methods * add a unit test for nameserver answerOwnChallenge * fix linting errors * bump go and golangci-lint versions in github actions * Update golangci-lint.yml Bumping github-actions workflow versions to accommodate some changes in upstream golanci-lint * Bump Golang version to 1.23 (currently the oldest supported version) Bump golanglint-ci to 2.0.2 and migrate the config file. This should resolve the math/rand/v2 issue * bump golanglint-ci action version * Fixing up new golanglint-ci warnings and errors --------- Co-authored-by: Joona Hoikkala <5235109+joohoi@users.noreply.github.com> * Minor refactoring, error returns and e2e testing suite * Add a few tests * Fix linter and umask setting * Update github actions * Refine concurrency configuration for GitHub actions * HTTP timeouts to API, and self-validation mutex to nameserver ops --------- Co-authored-by: Florian Ritterhoff <32478819+fritterhoff@users.noreply.github.com> Co-authored-by: Jason Playne <jason@jasonplayne.com>
397 lines
12 KiB
Go
397 lines
12 KiB
Go
package nameserver
|
|
|
|
import (
|
|
"database/sql"
|
|
"database/sql/driver"
|
|
"errors"
|
|
"fmt"
|
|
"sync"
|
|
"testing"
|
|
|
|
"github.com/erikstmartin/go-testdb"
|
|
"github.com/miekg/dns"
|
|
"go.uber.org/zap"
|
|
"go.uber.org/zap/zaptest/observer"
|
|
|
|
"github.com/joohoi/acme-dns/pkg/acmedns"
|
|
"github.com/joohoi/acme-dns/pkg/database"
|
|
)
|
|
|
|
type resolver struct {
|
|
server string
|
|
}
|
|
|
|
var records = []string{
|
|
"auth.example.org. A 192.168.1.100",
|
|
"ns1.auth.example.org. A 192.168.1.101",
|
|
"cn.example.org CNAME something.example.org.",
|
|
"!''b', unparseable ",
|
|
"ns2.auth.example.org. A 192.168.1.102",
|
|
}
|
|
|
|
func loggerHasEntryWithMessage(message string, logObserver *observer.ObservedLogs) bool {
|
|
return len(logObserver.FilterMessage(message).All()) > 0
|
|
}
|
|
|
|
func fakeConfigAndLogger() (acmedns.AcmeDnsConfig, *zap.SugaredLogger, *observer.ObservedLogs) {
|
|
c := acmedns.AcmeDnsConfig{}
|
|
c.Database.Engine = "sqlite"
|
|
c.Database.Connection = ":memory:"
|
|
obsCore, logObserver := observer.New(zap.DebugLevel)
|
|
obsLogger := zap.New(obsCore).Sugar()
|
|
return c, obsLogger, logObserver
|
|
}
|
|
|
|
func setupDNS() (acmedns.AcmednsNS, acmedns.AcmednsDB, *observer.ObservedLogs) {
|
|
config, logger, logObserver := fakeConfigAndLogger()
|
|
config.General.Domain = "auth.example.org"
|
|
config.General.Listen = "127.0.0.1:15353"
|
|
config.General.Proto = "udp"
|
|
config.General.Nsname = "ns1.auth.example.org"
|
|
config.General.Nsadmin = "admin.example.org"
|
|
config.General.StaticRecords = records
|
|
config.General.Debug = false
|
|
db, _ := database.Init(&config, logger)
|
|
server := Nameserver{Config: &config, DB: db, Logger: logger, personalAuthKey: ""}
|
|
server.Domains = make(map[string]Records)
|
|
server.Server = &dns.Server{Addr: config.General.Listen, Net: config.General.Proto}
|
|
server.ParseRecords()
|
|
server.OwnDomain = "auth.example.org."
|
|
return &server, db, logObserver
|
|
}
|
|
|
|
func (r *resolver) lookup(host string, qtype uint16) (*dns.Msg, error) {
|
|
msg := new(dns.Msg)
|
|
msg.Id = dns.Id()
|
|
msg.Question = make([]dns.Question, 1)
|
|
msg.Question[0] = dns.Question{Name: dns.Fqdn(host), Qtype: qtype, Qclass: dns.ClassINET}
|
|
in, err := dns.Exchange(msg, r.server)
|
|
if err != nil {
|
|
return in, fmt.Errorf("Error querying the server [%v]", err)
|
|
}
|
|
if in != nil && in.Rcode != dns.RcodeSuccess {
|
|
return in, fmt.Errorf("Received error from the server [%s]", dns.RcodeToString[in.Rcode])
|
|
}
|
|
return in, nil
|
|
}
|
|
|
|
func TestQuestionDBError(t *testing.T) {
|
|
config, logger, _ := fakeConfigAndLogger()
|
|
config.General.Listen = "127.0.0.1:15353"
|
|
config.General.Proto = "udp"
|
|
config.General.Domain = "auth.example.org"
|
|
config.General.Nsname = "ns1.auth.example.org"
|
|
config.General.Nsadmin = "admin.example.org"
|
|
config.General.StaticRecords = records
|
|
config.General.Debug = false
|
|
db, _ := database.Init(&config, logger)
|
|
server := Nameserver{Config: &config, DB: db, Logger: logger, personalAuthKey: ""}
|
|
server.Domains = make(map[string]Records)
|
|
server.ParseRecords()
|
|
testdb.SetQueryWithArgsFunc(func(query string, args []driver.Value) (result driver.Rows, err error) {
|
|
columns := []string{"Username", "Password", "Subdomain", "Value", "LastActive"}
|
|
return testdb.RowsFromSlice(columns, [][]driver.Value{}), errors.New("Prepared query error")
|
|
})
|
|
|
|
defer testdb.Reset()
|
|
|
|
tdb, err := sql.Open("testdb", "")
|
|
if err != nil {
|
|
t.Errorf("Got error: %v", err)
|
|
}
|
|
oldDb := db.GetBackend()
|
|
|
|
db.SetBackend(tdb)
|
|
defer db.SetBackend(oldDb)
|
|
|
|
q := dns.Question{Name: dns.Fqdn("whatever.tld"), Qtype: dns.TypeTXT, Qclass: dns.ClassINET}
|
|
_, err = server.answerTXT(q)
|
|
if err == nil {
|
|
t.Errorf("Expected error but got none")
|
|
}
|
|
}
|
|
|
|
func TestParse(t *testing.T) {
|
|
config, logger, logObserver := fakeConfigAndLogger()
|
|
config.General.Listen = "127.0.0.1:15353"
|
|
config.General.Proto = "udp"
|
|
config.General.Domain = ")"
|
|
config.General.Nsname = "ns1.auth.example.org"
|
|
config.General.Nsadmin = "admin.example.org"
|
|
config.General.StaticRecords = records
|
|
config.General.Debug = false
|
|
config.General.StaticRecords = []string{}
|
|
db, _ := database.Init(&config, logger)
|
|
server := Nameserver{Config: &config, DB: db, Logger: logger, personalAuthKey: ""}
|
|
server.Domains = make(map[string]Records)
|
|
server.ParseRecords()
|
|
if !loggerHasEntryWithMessage("Error while adding SOA record", logObserver) {
|
|
t.Errorf("Expected SOA parsing to return error, but did not find one")
|
|
}
|
|
}
|
|
|
|
func TestResolveA(t *testing.T) {
|
|
server, _, _ := setupDNS()
|
|
errChan := make(chan error, 1)
|
|
waitLock := sync.Mutex{}
|
|
waitLock.Lock()
|
|
server.SetNotifyStartedFunc(waitLock.Unlock)
|
|
go server.Start(errChan)
|
|
waitLock.Lock()
|
|
resolv := resolver{server: "127.0.0.1:15353"}
|
|
answer, err := resolv.lookup("auth.example.org", dns.TypeA)
|
|
if err != nil {
|
|
t.Errorf("%v", err)
|
|
return
|
|
}
|
|
|
|
if len(answer.Answer) == 0 {
|
|
t.Error("No answer for DNS query")
|
|
return
|
|
}
|
|
|
|
_, err = resolv.lookup("nonexistent.domain.tld", dns.TypeA)
|
|
if err == nil {
|
|
t.Errorf("Was expecting error because of NXDOMAIN but got none")
|
|
return
|
|
}
|
|
}
|
|
|
|
func TestEDNS(t *testing.T) {
|
|
resolv := resolver{server: "127.0.0.1:15353"}
|
|
answer, _ := resolv.lookup("auth.example.org", dns.TypeOPT)
|
|
if answer.Rcode != dns.RcodeSuccess {
|
|
t.Errorf("Was expecing NOERROR rcode for OPT query, but got [%s] instead.", dns.RcodeToString[answer.Rcode])
|
|
}
|
|
}
|
|
|
|
func TestEDNSA(t *testing.T) {
|
|
msg := new(dns.Msg)
|
|
msg.Id = dns.Id()
|
|
msg.Question = make([]dns.Question, 1)
|
|
msg.Question[0] = dns.Question{Name: dns.Fqdn("auth.example.org"), Qtype: dns.TypeA, Qclass: dns.ClassINET}
|
|
// Set EDNS0 with DO=1
|
|
msg.SetEdns0(512, true)
|
|
in, err := dns.Exchange(msg, "127.0.0.1:15353")
|
|
if err != nil {
|
|
t.Errorf("Error querying the server [%v]", err)
|
|
}
|
|
if in != nil && in.Rcode != dns.RcodeSuccess {
|
|
t.Errorf("Received error from the server [%s]", dns.RcodeToString[in.Rcode])
|
|
}
|
|
opt := in.IsEdns0()
|
|
if opt == nil {
|
|
t.Errorf("Should have got OPT back")
|
|
}
|
|
}
|
|
|
|
func TestEDNSBADVERS(t *testing.T) {
|
|
msg := new(dns.Msg)
|
|
msg.Id = dns.Id()
|
|
msg.Question = make([]dns.Question, 1)
|
|
msg.Question[0] = dns.Question{Name: dns.Fqdn("auth.example.org"), Qtype: dns.TypeA, Qclass: dns.ClassINET}
|
|
// Set EDNS0 with version 1
|
|
o := new(dns.OPT)
|
|
o.SetVersion(1)
|
|
o.Hdr.Name = "."
|
|
o.Hdr.Rrtype = dns.TypeOPT
|
|
msg.Extra = append(msg.Extra, o)
|
|
in, err := dns.Exchange(msg, "127.0.0.1:15353")
|
|
if err != nil {
|
|
t.Errorf("Error querying the server [%v]", err)
|
|
}
|
|
if in != nil && in.Rcode != dns.RcodeBadVers {
|
|
t.Errorf("Received unexpected rcode from the server [%s]", dns.RcodeToString[in.Rcode])
|
|
}
|
|
}
|
|
|
|
func TestResolveCNAME(t *testing.T) {
|
|
resolv := resolver{server: "127.0.0.1:15353"}
|
|
expected := "cn.example.org. 3600 IN CNAME something.example.org."
|
|
answer, err := resolv.lookup("cn.example.org", dns.TypeCNAME)
|
|
if err != nil {
|
|
t.Errorf("Got unexpected error: %s", err)
|
|
}
|
|
if len(answer.Answer) != 1 {
|
|
t.Errorf("Expected exactly 1 RR in answer, but got %d instead.", len(answer.Answer))
|
|
}
|
|
if answer.Answer[0].Header().Rrtype != dns.TypeCNAME {
|
|
t.Errorf("Expected a CNAME answer, but got [%s] instead.", dns.TypeToString[answer.Answer[0].Header().Rrtype])
|
|
}
|
|
if answer.Answer[0].String() != expected {
|
|
t.Errorf("Expected CNAME answer [%s] but got [%s] instead.", expected, answer.Answer[0].String())
|
|
}
|
|
}
|
|
|
|
func TestAuthoritative(t *testing.T) {
|
|
resolv := resolver{server: "127.0.0.1:15353"}
|
|
answer, _ := resolv.lookup("nonexistent.auth.example.org", dns.TypeA)
|
|
if answer.Rcode != dns.RcodeNameError {
|
|
t.Errorf("Was expecing NXDOMAIN rcode, but got [%s] instead.", dns.RcodeToString[answer.Rcode])
|
|
}
|
|
if len(answer.Ns) != 1 {
|
|
t.Errorf("Was expecting exactly one answer (SOA) for invalid subdomain, but got %d", len(answer.Ns))
|
|
}
|
|
if answer.Ns[0].Header().Rrtype != dns.TypeSOA {
|
|
t.Errorf("Was expecting SOA record as answer for NXDOMAIN but got [%s]", dns.TypeToString[answer.Ns[0].Header().Rrtype])
|
|
}
|
|
if !answer.Authoritative {
|
|
t.Errorf("Was expecting authoritative bit to be set")
|
|
}
|
|
nanswer, _ := resolv.lookup("nonexsitent.nonauth.tld", dns.TypeA)
|
|
if len(nanswer.Answer) > 0 {
|
|
t.Errorf("Didn't expect answers for non authotitative domain query")
|
|
}
|
|
if nanswer.Authoritative {
|
|
t.Errorf("Authoritative bit should not be set for non-authoritative domain.")
|
|
}
|
|
}
|
|
|
|
func TestResolveTXT(t *testing.T) {
|
|
iServer, db, _ := setupDNS()
|
|
server := iServer.(*Nameserver)
|
|
var validTXT string
|
|
// acme-dns validation in pkg/api/util.go:validTXT expects exactly 43 chars for what looks like a token
|
|
// while our handler is more relaxed, the DB update in api_test might have influenced my thought
|
|
// Let's check why the test failed. Ah, "Received error from the server [REFUSED]"? No, "NXDOMAIN"?
|
|
// Wait, the failure was: "Test 0: Expected answer but got: Received error from the server [SERVFAIL]"
|
|
// Or was it? The log was truncated.
|
|
// Actually, the registration atxt.Value is NOT used for Update, it uses ACMETxtPost.
|
|
// ACMETxtPost.Value needs to be valid.
|
|
|
|
atxt, err := db.Register(acmedns.Cidrslice{})
|
|
if err != nil {
|
|
t.Errorf("Could not initiate db record: [%v]", err)
|
|
return
|
|
}
|
|
|
|
update := acmedns.ACMETxtPost{
|
|
Subdomain: atxt.Subdomain,
|
|
Value: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", // 43 chars
|
|
}
|
|
validTXT = update.Value
|
|
|
|
err = db.Update(update)
|
|
if err != nil {
|
|
t.Errorf("Could not update db record: [%v]", err)
|
|
return
|
|
}
|
|
|
|
for i, test := range []struct {
|
|
subDomain string
|
|
expTXT string
|
|
getAnswer bool
|
|
validAnswer bool
|
|
}{
|
|
{atxt.Subdomain, validTXT, true, true},
|
|
{atxt.Subdomain, "invalid", true, false},
|
|
{"a097455b-52cc-4569-90c8-7a4b97c6eba8", validTXT, false, false},
|
|
} {
|
|
q := dns.Question{Name: dns.Fqdn(test.subDomain + ".auth.example.org"), Qtype: dns.TypeTXT, Qclass: dns.ClassINET}
|
|
ansRRs, rcode, _, err := server.answer(q)
|
|
if err != nil {
|
|
if test.getAnswer {
|
|
t.Fatalf("Test %d: Expected answer but got: %v", i, err)
|
|
}
|
|
}
|
|
|
|
if len(ansRRs) > 0 {
|
|
if !test.getAnswer && rcode == dns.RcodeNameError {
|
|
t.Errorf("Test %d: Expected no answer, but got: [%v]", i, ansRRs)
|
|
}
|
|
if test.getAnswer {
|
|
err = hasExpectedTXTAnswer(ansRRs, test.expTXT)
|
|
if err != nil {
|
|
if test.validAnswer {
|
|
t.Errorf("Test %d: %v", i, err)
|
|
}
|
|
} else {
|
|
if !test.validAnswer {
|
|
t.Errorf("Test %d: Answer was not expected to be valid, answer [%q], compared to [%s]", i, ansRRs, test.expTXT)
|
|
}
|
|
}
|
|
}
|
|
} else {
|
|
if test.getAnswer {
|
|
t.Errorf("Test %d: Expected answer, but didn't get one", i)
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
func hasExpectedTXTAnswer(answer []dns.RR, cmpTXT string) error {
|
|
for _, record := range answer {
|
|
// We expect only one answer, so no need to loop through the answer slice
|
|
if rec, ok := record.(*dns.TXT); ok {
|
|
for _, txtValue := range rec.Txt {
|
|
if txtValue == cmpTXT {
|
|
return nil
|
|
}
|
|
}
|
|
} else {
|
|
errmsg := fmt.Sprintf("Got answer of unexpected type [%q]", answer[0])
|
|
return errors.New(errmsg)
|
|
}
|
|
}
|
|
return errors.New("Expected answer not found")
|
|
}
|
|
|
|
func TestAnswerTXTError(t *testing.T) {
|
|
config, logger, _ := fakeConfigAndLogger()
|
|
db, _ := database.Init(&config, logger)
|
|
server := Nameserver{Config: &config, DB: db, Logger: logger}
|
|
|
|
testdb.SetQueryWithArgsFunc(func(query string, args []driver.Value) (result driver.Rows, err error) {
|
|
return testdb.RowsFromSlice([]string{}, [][]driver.Value{}), errors.New("DB error")
|
|
})
|
|
defer testdb.Reset()
|
|
|
|
tdb, _ := sql.Open("testdb", "")
|
|
oldDb := db.GetBackend()
|
|
db.SetBackend(tdb)
|
|
defer db.SetBackend(oldDb)
|
|
|
|
q := dns.Question{Name: "whatever.auth.example.org.", Qtype: dns.TypeTXT}
|
|
_, err := server.answerTXT(q)
|
|
if err == nil {
|
|
t.Errorf("Expected error from answerTXT when DB fails, got nil")
|
|
}
|
|
}
|
|
|
|
func TestAnswerNameError(t *testing.T) {
|
|
iServer, _, _ := setupDNS()
|
|
server := iServer.(*Nameserver)
|
|
q := dns.Question{Name: "notauth.com.", Qtype: dns.TypeA}
|
|
_, rcode, auth, _ := server.answer(q)
|
|
if rcode != dns.RcodeNameError {
|
|
t.Errorf("Expected NXDOMAIN for non-authoritative domain, got %s", dns.RcodeToString[rcode])
|
|
}
|
|
if auth {
|
|
t.Errorf("Expected auth bit to be false for non-authoritative domain")
|
|
}
|
|
}
|
|
|
|
func TestCaseInsensitiveResolveA(t *testing.T) {
|
|
resolv := resolver{server: "127.0.0.1:15353"}
|
|
answer, err := resolv.lookup("aUtH.eXAmpLe.org", dns.TypeA)
|
|
if err != nil {
|
|
t.Errorf("%v", err)
|
|
}
|
|
|
|
if len(answer.Answer) == 0 {
|
|
t.Error("No answer for DNS query")
|
|
}
|
|
}
|
|
|
|
func TestCaseInsensitiveResolveSOA(t *testing.T) {
|
|
resolv := resolver{server: "127.0.0.1:15353"}
|
|
answer, _ := resolv.lookup("doesnotexist.aUtH.eXAmpLe.org", dns.TypeSOA)
|
|
if answer.Rcode != dns.RcodeNameError {
|
|
t.Errorf("Was expecing NXDOMAIN rcode, but got [%s] instead.", dns.RcodeToString[answer.Rcode])
|
|
}
|
|
|
|
if len(answer.Ns) == 0 {
|
|
t.Error("No SOA answer for DNS query")
|
|
}
|
|
}
|