upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-02-27 20:11:12 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
bind9/bin/tests/system/conf.sh.common
Petr Špaček 1d4fbe2511
Add tests for the "tkey-gssapi-credential" option 
Four named instances in the "nsupdate" system test have GSS-TSIG support
enabled.  All of them currently use "tkey-gssapi-keytab".  Configure two
of them with "tkey-gssapi-credential" to test that option.

As "tkey-gssapi-keytab" and "tkey-gssapi-credential" both provide the
same functionality, no test modifications are required.  The difference
between the two options is that the value of "tkey-gssapi-keytab" is an
explicit path to the keytab file to acquire credentials from, while the
value of "tkey-gssapi-credential" is the name of the principal whose
credentials should be used; those credentials are looked up in the
keytab file expected by the Kerberos library, i.e. /etc/krb5.keytab by
default.  The path to the default keytab file can be overridden using by
setting the KRB5_KTNAME environment variable.  Utilize that variable to
use existing keytab files with the "tkey-gssapi-credential" option.

The KRB5_KTNAME environment variable should not interfere with the
"tkey-gssapi-keytab" option.  Nevertheless, rename one of the keytab
files used with "tkey-gssapi-keytab" to something else than the contents
of the KRB5_KTNAME environment variable in order to make sure that both
"tkey-gssapi-keytab" and "tkey-gssapi-credential" are actually tested.

(cherry picked from commit 1746d2e84a)
2021-04-23 09:19:45 +02:00

745 lines
19 KiB
Bash
Raw Blame History

#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
testsock6() {
if test -n "$PERL" && $PERL -e "use IO::Socket::INET6;" 2> /dev/null
then
$PERL "$TOP/bin/tests/system/testsock6.pl" "$@"
else
false
fi
}
export LANG=C
. ${TOP}/version
#
# Common lists of system tests to run.
#
# The "stress" test is not run by default since it creates enough
# load on the machine to make it unusable to other users.
# The "dialup", "delzone", and "dupsigs" tests are also not run by
# default because they take a very long time to complete.
#
# The following tests are hard-coded to use ports 5300 and 9953. For
# this reason, these must be run sequentially.
#
# Sequential tests that only run on unix/linux should be added to
# SEQUENTIAL_UNIX in conf.sh.in; those that only run on windows should
# be added to SEQUENTIAL_WINDOWS in conf.sh.win32.
#
SEQUENTIAL_COMMON="ecdsa eddsa tkey"
#
# These tests can use ports assigned by the caller (other than 5300
# and 9953). Because separate blocks of ports can be used for teach
# test, these tests can be run in parallel.
#
# Parallel tests that only run on unix/linux should be added to
# PARALLEL_UNIX in conf.sh.in; those that only run on windows should
# be added to PARALLEL_WINDOWS in conf.sh.win32.
#
# Note: some of the longer-running tests such as serve-stale and
# rpzrecurse are scheduled first, in order to get more benefit from
# parallelism.
#
PARALLEL_COMMON="dnssec rpzrecurse serve-stale \
acl \
additional \
addzone \
allow-query \
auth \
autosign \
builtin \
cacheclean \
case \
catz \
cds \
chain \
checkconf \
checknames \
checkzone \
database \
digdelv \
dlz \
dlzexternal \
dns64 \
dscp \
dsdigest \
dyndb \
ednscompliance \
emptyzones \
fetchlimit \
filter-aaaa \
formerr \
forward \
geoip2 \
glue \
idna \
inline \
integrity \
ixfr \
journal \
kasp \
keepalive \
keymgr2kasp \
legacy \
limits \
masterfile \
masterformat \
metadata \
mirror \
mkeys \
names \
notify \
nsec3 \
nslookup \
nsupdate \
nzd2nzf \
padding \
pending \
pipelined \
qmin \
reclimit \
redirect \
resolver \
rndc \
rootkeysentinel \
rpz \
rrchecker \
rrl \
rrsetorder \
rsabigexponent \
runtime \
sfcache \
shutdown \
smartsign \
sortlist \
spf \
staticstub \
statistics \
statschannel \
stub \
synthfromdnssec \
timeouts \
tcp \
tools \
tsig \
tsiggss \
ttl \
unknown \
upforwd \
verify \
views \
wildcard \
xfer \
xferquota \
zero \
zonechecks"
#
# Set up color-coded test output
#
if [ ${SYSTEMTEST_FORCE_COLOR:-0} -eq 1 ] || test -t 1 && type tput > /dev/null 2>&1 && tput setaf 7 > /dev/null 2>&1 ; then
COLOR_END=`tput setaf 4` # blue
COLOR_FAIL=`tput setaf 1` # red
COLOR_INFO=`tput bold` # bold
COLOR_NONE=`tput sgr0`
COLOR_PASS=`tput setaf 2` # green
COLOR_START=`tput setaf 4` # blue
COLOR_WARN=`tput setaf 3` # yellow
else
# set to empty strings so printf succeeds
COLOR_END=''
COLOR_FAIL=''
COLOR_INFO=''
COLOR_NONE=''
COLOR_PASS=''
COLOR_START=''
COLOR_WARN=''
fi
SYSTESTDIR="`basename $PWD`"
if type printf > /dev/null 2>&1
then
echofail () {
printf "${COLOR_FAIL}%s${COLOR_NONE}\n" "$*"
}
echowarn () {
printf "${COLOR_WARN}%s${COLOR_NONE}\n" "$*"
}
echopass () {
printf "${COLOR_PASS}%s${COLOR_NONE}\n" "$*"
}
echoinfo () {
printf "${COLOR_INFO}%s${COLOR_NONE}\n" "$*"
}
echostart () {
printf "${COLOR_START}%s${COLOR_NONE}\n" "$*"
}
echoend () {
printf "${COLOR_END}%s${COLOR_NONE}\n" "$*"
}
echo_i() {
printf '%s\n' "$*" | while read -r __LINE ; do
echoinfo "I:$SYSTESTDIR:$__LINE"
done
}
echo_ic() {
printf '%s\n' "$*" | while read -r __LINE ; do
echoinfo "I:$SYSTESTDIR: $__LINE"
done
}
echo_d() {
printf '%s\n' "$*" | while read -r __LINE ; do
echoinfo "D:$SYSTESTDIR:$__LINE"
done
}
else
echofail () {
echo "$*"
}
echowarn () {
echo "$*"
}
echopass () {
echo "$*"
}
echoinfo () {
echo "$*"
}
echostart () {
echo "$*"
}
echoend () {
echo "$*"
}
echo_i() {
echo "$@" | while read -r __LINE ; do
echoinfo "I:$SYSTESTDIR:$__LINE"
done
}
echo_ic() {
echo "$@" | while read -r __LINE ; do
echoinfo "I:$SYSTESTDIR: $__LINE"
done
}
echo_d() {
echo "$@" | while read -r __LINE ; do
echoinfo "D:$SYSTESTDIR:$__LINE"
done
}
fi
cat_i() {
while read -r __LINE ; do
echoinfo "I:$SYSTESTDIR:$__LINE"
done
}
cat_d() {
while read -r __LINE ; do
echoinfo "D:$SYSTESTDIR:$__LINE"
done
}
digcomp() {
output=`$PERL $SYSTEMTESTTOP/digcomp.pl "$@"`
result=$?
[ -n "$output" ] && { echo "digcomp failed:"; echo "$output"; } | cat_i
return $result
}
start_server() {
$PERL "$TOP_SRCDIR/bin/tests/system/start.pl" "$@"
}
stop_server() {
$PERL "$TOP_SRCDIR/bin/tests/system/stop.pl" "$@"
}
send() {
$PERL "$TOP_SRCDIR/bin/tests/system/send.pl" "$@"
}
#
# Useful variables in test scripts
#
# Default algorithm for testing.
DEFAULT_ALGORITHM=ECDSAP256SHA256
DEFAULT_ALGORITHM_NUMBER=13
DEFAULT_BITS=256
# This is an alternative algorithm for test cases that require more than
# one algorithm (for example algorithm rollover). Must be different from
# DEFAULT_ALGORITHM.
ALTERNATIVE_ALGORITHM=RSASHA256
ALTERNATIVE_ALGORITHM_NUMBER=8
ALTERNATIVE_BITS=1280
# This is an algorithm that is used for tests against the
# "disable-algorithms" configuration option. Must be different from above
# algorithms.
DISABLED_ALGORITHM=ECDSAP384SHA384
DISABLED_ALGORITHM_NUMBER=14
DISABLED_BITS=384
#
# Useful functions in test scripts
#
# assert_int_equal: compare two integer variables, $1 and $2
#
# If $1 and $2 are equal, return 0; if $1 and $2 are not equal, report
# the error using the description of the tested variable provided in $3
# and return 1.
assert_int_equal() {
found="$1"
expected="$2"
description="$3"
if [ "${expected}" -ne "${found}" ]; then
echo_i "incorrect ${description}: got ${found}, expected ${expected}"
return 1
fi
return 0
}
# keyfile_to_keys_section: helper function for keyfile_to_*_keys() which
# converts keyfile data into a key-style trust anchor configuration
# section using the supplied parameters
keyfile_to_keys() {
section_name=$1
key_prefix=$2
shift
shift
echo "$section_name {"
for keyname in $*; do
awk '!/^; /{
printf "\t\""$1"\" "
printf "'"$key_prefix "'"
printf $4 " " $5 " " $6 " \""
for (i=7; i<=NF; i++) printf $i
printf "\";\n"
}' $keyname.key
done
echo "};"
}
# keyfile_to_dskeys_section: helper function for keyfile_to_*_dskeys()
# converts keyfile data into a DS-style trust anchor configuration
# section using the supplied parameters
keyfile_to_dskeys() {
section_name=$1
key_prefix=$2
shift
shift
echo "$section_name {"
for keyname in $*; do
$DSFROMKEY $keyname.key | \
awk '!/^; /{
printf "\t\""$1"\" "
printf "'"$key_prefix "'"
printf $4 " " $5 " " $6 " \""
for (i=7; i<=NF; i++) printf $i
printf "\";\n"
}'
done
echo "};"
}
# keyfile_to_trusted_keys: convert key data contained in the keyfile(s)
# provided to a "trust-keys" section suitable for including in a
# resolver's configuration file
keyfile_to_trusted_keys() {
keyfile_to_keys "trusted-keys" "" $*
}
# keyfile_to_static_keys: convert key data contained in the keyfile(s)
# provided to a *static-key* "trust-anchors" section suitable for including in
# a resolver's configuration file
keyfile_to_static_keys() {
keyfile_to_keys "trust-anchors" "static-key" $*
}
# keyfile_to_initial_keys: convert key data contained in the keyfile(s)
# provided to an *initial-key* "trust-anchors" section suitable for including
# in a resolver's configuration file
keyfile_to_initial_keys() {
keyfile_to_keys "trust-anchors" "initial-key" $*
}
# keyfile_to_static_ds_keys: convert key data contained in the keyfile(s)
# provided to a *static-ds* "trust-anchors" section suitable for including in a
# resolver's configuration file
keyfile_to_static_ds() {
keyfile_to_dskeys "trust-anchors" "static-ds" $*
}
# keyfile_to_initial_ds_keys: convert key data contained in the keyfile(s)
# provided to an *initial-ds* "trust-anchors" section suitable for including
# in a resolver's configuration file
keyfile_to_initial_ds() {
keyfile_to_dskeys "trust-anchors" "initial-ds" $*
}
# keyfile_to_key_id: convert a key file name to a key ID
#
# For a given key file name (e.g. "Kexample.+013+06160") provided as $1,
# print the key ID with leading zeros stripped ("6160" for the
# aforementioned example).
keyfile_to_key_id() {
echo "$1" | sed "s/.*+0\{0,4\}//"
}
# nextpart*() - functions for reading files incrementally
#
# These functions aim to facilitate looking for (or waiting for)
# messages which may be logged more than once throughout the lifetime of
# a given named instance by outputting just the part of the file which
# has been appended since the last time we read it.
#
# Calling some of these functions causes temporary *.prev files to be
# created that need to be cleaned up manually (usually by a given system
# test's clean.sh script).
#
# Note that unlike other nextpart*() functions, nextpartread() is not
# meant to be directly used in system tests; its sole purpose is to
# reduce code duplication below.
#
# A quick usage example:
#
# $ echo line1 > named.log
# $ echo line2 >> named.log
# $ nextpart named.log
# line1
# line2
# $ echo line3 >> named.log
# $ nextpart named.log
# line3
# $ nextpart named.log
# $ echo line4 >> named.log
# $ nextpartpeek named.log
# line4
# $ nextpartpeek named.log
# line4
# $ nextpartreset named.log
# $ nextpartpeek named.log
# line1
# line2
# line3
# line4
# $ nextpart named.log
# line1
# line2
# line3
# line4
# $ nextpart named.log
# $
# nextpartreset: reset the marker used by nextpart() and nextpartpeek()
# so that it points to the start of the given file
nextpartreset() {
echo "0" > $1.prev
}
# nextpartread: read everything that's been appended to a file since the
# last time nextpart() was called and print it to stdout, print the
# total number of lines read from that file so far to stderr
nextpartread() {
[ -f $1.prev ] || nextpartreset $1
prev=`cat $1.prev`
awk "NR > $prev "'{ print }
END { print NR > "/dev/stderr" }' $1
}
# nextpart: read everything that's been appended to a file since the
# last time nextpart() was called
nextpart() {
nextpartread $1 2> $1.prev.tmp
mv $1.prev.tmp $1.prev
}
# nextpartpeek: read everything that's been appended to a file since the
# last time nextpart() was called
nextpartpeek() {
nextpartread $1 2> /dev/null
}
# _search_log: look for message $1 in file $2 with nextpart().
_search_log() (
msg="$1"
file="$2"
nextpart "$file" | grep -F -e "$msg" > /dev/null
)
# _search_log_peek: look for message $1 in file $2 with nextpartpeek().
_search_log_peek() (
msg="$1"
file="$2"
nextpartpeek "$file" | grep -F -e "$msg" > /dev/null
)
# wait_for_log: wait until message $2 in file $3 appears. Bail out after
# $1 seconds. This needs to be used in conjunction with a prior call to
# nextpart() or nextpartreset() on the same file to guarantee the offset is
# set correctly. Tests using wait_for_log() are responsible for cleaning up
# the created <file>.prev files.
wait_for_log() (
timeout="$1"
msg="$2"
file="$3"
retry_quiet "$timeout" _search_log "$msg" "$file" && return 0
echo_i "exceeded time limit waiting for '$msg' in $file"
return 1
)
# wait_for_log_peek: similar to wait_for_log() but peeking, so the file offset
# does not change.
wait_for_log_peek() (
timeout="$1"
msg="$2"
file="$3"
retry_quiet "$timeout" _search_log_peek "$msg" "$file" && return 0
echo_i "exceeded time limit waiting for '$msg' in $file"
return 1
)
# _retry: keep running a command until it succeeds, up to $1 times, with
# one-second intervals, optionally printing a message upon every attempt
_retry() {
__retries="${1}"
shift
while :; do
if "$@"; then
return 0
fi
__retries=$((__retries-1))
if [ "${__retries}" -gt 0 ]; then
if [ "${__retry_quiet}" -ne 1 ]; then
echo_i "retrying"
fi
sleep 1
else
return 1
fi
done
}
# retry: call _retry() in verbose mode
retry() {
__retry_quiet=0
_retry "$@"
}
# retry_quiet: call _retry() in silent mode
retry_quiet() {
__retry_quiet=1
_retry "$@"
}
# _repeat: keep running command up to $1 times, unless it fails
_repeat() (
__retries="${1}"
shift
while :; do
if ! "$@"; then
return 1
fi
__retries=$((__retries-1))
if [ "${__retries}" -le 0 ]; then
break
fi
done
return 0
)
rndc_reload() {
echo_i "`$RNDC -c ../common/rndc.conf -s $2 -p ${CONTROLPORT} reload $3 2>&1 | sed 's/^/'$1' /'`"
# reloading single zone is synchronous, if we're reloading whole server
# we need to wait for reload to finish
if [ -z "$3" ]; then
for __try in 0 1 2 3 4 5 6 7 8 9; do
$RNDC -c ../common/rndc.conf -s $2 -p ${CONTROLPORT} status | grep "reload/reconfig in progress" > /dev/null || break
sleep 1
done
fi
}
rndc_reconfig() {
echo_i "`$RNDC -c ../common/rndc.conf -s $2 -p ${CONTROLPORT} reconfig 2>&1 | sed 's/^/'$1' /'`"
for __try in 0 1 2 3 4 5 6 7 8 9; do
$RNDC -c ../common/rndc.conf -s $2 -p ${CONTROLPORT} status | grep "reload/reconfig in progress" > /dev/null || break
sleep 1
done
}
# rndc_dumpdb: call "rndc dumpdb [...]" and wait until it completes
#
# The first argument is the name server instance to send the command to, in the
# form of "nsX" (where "X" is the instance number), e.g. "ns5". The remaining
# arguments, if any, are appended to the rndc command line after "dumpdb".
#
# Control channel configuration for the name server instance to send the
# command to must match the contents of bin/tests/system/common/rndc.conf.
#
# rndc output is stored in a file called rndc.out.test${n}; the "n" variable is
# required to be set by the calling tests.sh script.
#
# Return 0 if the dump completes successfully; return 1 if rndc returns an exit
# code other than 0 or if the "; Dump complete" string does not appear in the
# dump within 10 seconds.
rndc_dumpdb() {
__ret=0
__dump_complete=0
__server="${1}"
__ip="10.53.0.$(echo "${__server}" | tr -c -d "0-9")"
shift
${RNDC} -c ../common/rndc.conf -p "${CONTROLPORT}" -s "${__ip}" dumpdb "$@" > "rndc.out.test${n}" 2>&1 || __ret=1
for _ in 0 1 2 3 4 5 6 7 8 9
do
if grep '^; Dump complete$' "${__server}/named_dump.db" > /dev/null; then
mv "${__server}/named_dump.db" "${__server}/named_dump.db.test${n}"
__dump_complete=1
break
fi
sleep 1
done
if [ ${__dump_complete} -eq 0 ]; then
echo_i "timed out waiting for 'rndc dumpdb' to finish"
__ret=1
fi
return ${__ret}
}
# get_dig_xfer_stats: extract transfer statistics from dig output stored
# in $1, converting them to a format used by some system tests.
get_dig_xfer_stats() {
LOGFILE="$1"
sed -n "s/^;; XFR size: .*messages \([0-9][0-9]*\).*/messages=\1/p" "${LOGFILE}"
sed -n "s/^;; XFR size: \([0-9][0-9]*\) records.*/records=\1/p" "${LOGFILE}"
sed -n "s/^;; XFR size: .*bytes \([0-9][0-9]*\).*/bytes=\1/p" "${LOGFILE}"
}
# get_named_xfer_stats: from named log file $1, extract transfer
# statistics for the last transfer for peer $2 and zone $3 (from a log
# message which has to contain the string provided in $4), converting
# them to a format used by some system tests.
get_named_xfer_stats() {
LOGFILE="$1"
PEER="`echo $2 | sed 's/\./\\\\./g'`"
ZONE="`echo $3 | sed 's/\./\\\\./g'`"
MESSAGE="$4"
grep " ${PEER}#.*${MESSAGE}:" "${LOGFILE}" | \
sed -n "s/.* '${ZONE}\/.* \([0-9][0-9]*\) messages.*/messages=\1/p" | tail -1
grep " ${PEER}#.*${MESSAGE}:" "${LOGFILE}" | \
sed -n "s/.* '${ZONE}\/.* \([0-9][0-9]*\) records.*/records=\1/p" | tail -1
grep " ${PEER}#.*${MESSAGE}:" "${LOGFILE}" | \
sed -n "s/.* '${ZONE}\/.* \([0-9][0-9]*\) bytes.*/bytes=\1/p" | tail -1
}
# copy_setports - Copy Configuration File and Replace Ports
#
# Convenience function to copy a configuration file, replacing the tokens
# QUERYPORT, CONTROLPORT and EXTRAPORT[1-8] with the values of the equivalent
# environment variables. (These values are set by "run.sh", which calls the
# scripts invoking this function.)
#
# Usage:
# copy_setports infile outfile
#
copy_setports() {
# The indirect method of handling the substitution of the PORT variables
# (defining "atsign" then substituting for it in the "sed" statement) is
# required to prevent the "Configure" script (in the win32utils/ directory)
# from replacing the <at>PORT<at> substitution tokens when it processes
# this file and produces conf.sh.
atsign="@"
sed -e "s/${atsign}PORT${atsign}/${PORT}/g" \
-e "s/${atsign}EXTRAPORT1${atsign}/${EXTRAPORT1}/g" \
-e "s/${atsign}EXTRAPORT2${atsign}/${EXTRAPORT2}/g" \
-e "s/${atsign}EXTRAPORT3${atsign}/${EXTRAPORT3}/g" \
-e "s/${atsign}EXTRAPORT4${atsign}/${EXTRAPORT4}/g" \
-e "s/${atsign}EXTRAPORT5${atsign}/${EXTRAPORT5}/g" \
-e "s/${atsign}EXTRAPORT6${atsign}/${EXTRAPORT6}/g" \
-e "s/${atsign}EXTRAPORT7${atsign}/${EXTRAPORT7}/g" \
-e "s/${atsign}EXTRAPORT8${atsign}/${EXTRAPORT8}/g" \
-e "s/${atsign}CONTROLPORT${atsign}/${CONTROLPORT}/g" \
-e "s/${atsign}DEFAULT_ALGORITHM${atsign}/${DEFAULT_ALGORITHM}/g" \
-e "s/${atsign}DEFAULT_ALGORITHM_NUMBER${atsign}/${DEFAULT_ALGORITHM_NUMBER}/g" \
-e "s/${atsign}DEFAULT_BITS${atsign}/${DEFAULT_BITS}/g" \
-e "s/${atsign}ALTERNATIVE_ALGORITHM${atsign}/${ALTERNATIVE_ALGORITHM}/g" \
-e "s/${atsign}ALTERNATIVE_ALGORITHM_NUMBER${atsign}/${ALTERNATIVE_ALGORITHM_NUMBER}/g" \
-e "s/${atsign}ALTERNATIVE_BITS${atsign}/${ALTERNATIVE_BITS}/g" \
-e "s/${atsign}DISABLED_ALGORITHM${atsign}/${DISABLED_ALGORITHM}/g" \
-e "s/${atsign}DISABLED_ALGORITHM_NUMBER${atsign}/${DISABLED_ALGORITHM_NUMBER}/g" \
-e "s/${atsign}DISABLED_BITS${atsign}/${DISABLED_BITS}/g" \
$1 > $2
}
#
# Export command paths
#
export ARPANAME
export BIGKEY
export CDS
export CHECKZONE
export CYGWIN
export DESCRIPTION
export DIG
export FEATURETEST
export FSTRM_CAPTURE
export GENCHECK
export JOURNALPRINT
export KEYCREATE
export KEYDELETE
export KEYFRLAB
export KEYGEN
export KEYSETTOOL
export KEYSIGNER
export KRB5_CONFIG
export KRB5_KTNAME
export MAKEJOURNAL
export MDIG
export NAMED
export NSEC3HASH
export NSLOOKUP
export NSUPDATE
export NZD2NZF
export PERL
export PIPEQUERIES
export PK11DEL
export PK11GEN
export PK11LIST
export PSSUSPEND
export PYTHON
export RESOLVE
export RNDC
export RRCHECKER
export SIGNER
export SUBDIRS
export TMPDIR
export TSIGKEYGEN
export WIRETEST
Reference in a new issue View git blame Copy permalink