#!/bin/sh
#
# Copyright (C) 2008  Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.

# $Id: tests.sh,v 1.4 2008/07/19 00:02:14 each Exp $

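# System test for zone-transfer ACLs on ns2 (10.53.0.2, port 5300).
#
# Each probe requests an AXFR of "tsigzone." from a chosen source address,
# optionally signed with a TSIG key, and checks whether the server allowed
# or refused it. A refused transfer shows up in dig's output as a line
# beginning with ";" (with the options below, a permitted transfer prints
# only zone records).
#
# $DIG and $RNDC are expected to be set by conf.sh.

SYSTEMTESTTOP=..
. "$SYSTEMTESTTOP/conf.sh"

DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd"

status=0	# overall result; set to 1 by any failed probe
t=0		# running test number, used in failure messages

# run_axfr SRC [KEY]
# Bumps the test counter and writes the AXFR result to dig.out.
#   SRC - local address to bind the query to (-b)
#   KEY - TSIG key name; when omitted the request is sent unsigned
# The secret is a fixed test fixture given on the command line; real keys
# belong in a key file (dig -k) so they do not appear in process listings.
run_axfr() {
    t=`expr $t + 1`
    if [ -n "${2:-}" ]; then
	$DIG $DIGOPTS tsigzone. \
	    @10.53.0.2 -b "$1" axfr -y "$2:1234abcd8765" -p 5300 > dig.out
    else
	$DIG $DIGOPTS tsigzone. \
	    @10.53.0.2 -b "$1" axfr -p 5300 > dig.out
    fi
}

# expect_refused SRC [KEY]
# The ACL must reject this request: dig.out has to contain a ";" line.
expect_refused() {
    run_axfr "$@"
    grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; }
}

# expect_allowed SRC [KEY]
# The ACL must permit this request: dig.out must contain no ";" line.
# An empty dig.out is also counted as a failure, so that a dig which
# produced no output at all cannot pass for a permitted transfer.
expect_allowed() {
    run_axfr "$@"
    if grep "^;" dig.out > /dev/null 2>&1 || [ ! -s dig.out ]; then
	echo "I:test $t failed" ; status=1
    fi
}

# load_config FILE
# Installs ns2/FILE as the active ns2 configuration and asks named to
# reload it.
load_config() {
    cp -f "ns2/$1" ns2/named.conf
    $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
    # NOTE(review): fixed delay; assumes the reload has taken effect within
    # five seconds. A probe that runs earlier is judged against the old ACL.
    sleep 5
}

echo "I:testing basic ACL processing"
# key "one" should fail
expect_refused 10.53.0.1 one

# any other key should be fine
expect_allowed 10.53.0.1 two

load_config named2.conf

# prefix 10/8 should fail
expect_refused 10.53.0.1 one

# outside 10/8, a key other than "one" is refused ...
expect_refused 127.0.0.1 two

# ... while any other address works as long as it sends key "one"
expect_allowed 127.0.0.1 one

echo "I:testing nested ACL processing"
# all combinations of 10.53.0.{1|2} with key {one|two}, should succeed
load_config named3.conf

expect_allowed 10.53.0.2 two
expect_allowed 10.53.0.2 one
expect_allowed 10.53.0.1 two
# 10.53.0.1 with key "one" completes the four combinations. The expected
# result is taken from the statement above; confirm against ns2/named3.conf.
expect_allowed 10.53.0.1 one

# but only one or the other should fail: a listed key from an unlisted
# address, and a listed address with no key at all
expect_refused 127.0.0.1 one
expect_refused 10.53.0.2

# and other values? right out
expect_refused 127.0.0.1 three

# now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
load_config named4.conf

# matching address/key pairs should succeed
expect_allowed 10.53.0.2 two
expect_allowed 10.53.0.1 one

# crossed pairs should fail
expect_refused 10.53.0.2 one
expect_refused 10.53.0.1 two

# an unlisted address should fail even with a listed key
expect_refused 10.53.0.3 one

echo "I:exit status: $status"
exit $status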