system/verify/tests_verify.py

    1.1  christos # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
    1.1  christos #
    1.1  christos # SPDX-License-Identifier: MPL-2.0
    1.1  christos #
    1.1  christos # This Source Code Form is subject to the terms of the Mozilla Public
    1.1  christos # License, v. 2.0.  If a copy of the MPL was not distributed with this
    1.1  christos # file, you can obtain one at https://mozilla.org/MPL/2.0/.
    1.1  christos #
    1.1  christos # See the COPYRIGHT file distributed with this work for additional
    1.1  christos # information regarding copyright ownership.
    1.1  christos
    1.1  christos import os
    1.1  christos import re
1.1.1.3  christos from re import compile as Re
    1.1  christos
    1.1  christos import pytest
    1.1  christos
    1.1  christos import isctest
    1.1  christos
    1.1  christos pytestmark = pytest.mark.extra_artifacts(
    1.1  christos     [
    1.1  christos         "verify.out.*",
    1.1  christos         "zones/K*",
    1.1  christos         "zones/dsset-*",
    1.1  christos         "zones/*.bad",
    1.1  christos         "zones/*.good",
    1.1  christos         "zones/*.out*",
    1.1  christos         "zones/*.tmp",
    1.1  christos         "zones/updated*",
    1.1  christos     ]
    1.1  christos )
    1.1  christos
    1.1  christos VERIFY = os.environ.get("VERIFY")
    1.1  christos
    1.1  christos
    1.1  christos @pytest.mark.parametrize(
    1.1  christos     "zone",
    1.1  christos     [
    1.1  christos         "ksk-only.nsec3",
    1.1  christos         "ksk-only.nsec",
    1.1  christos         "ksk+zsk.nsec3.apex-dname",
    1.1  christos         "ksk+zsk.nsec3",
    1.1  christos         "ksk+zsk.nsec.apex-dname",
    1.1  christos         "ksk+zsk.nsec",
    1.1  christos         "ksk+zsk.optout",
    1.1  christos         "zsk-only.nsec3",
    1.1  christos         "zsk-only.nsec",
    1.1  christos     ],
    1.1  christos )
    1.1  christos def test_verify_good_zone_files(zone):
1.1.1.2  christos     isctest.run.cmd([VERIFY, "-z", "-o", zone, f"zones/{zone}.good"])
    1.1  christos
    1.1  christos
    1.1  christos def test_verify_good_zone_nsec_next_name_case_mismatch():
    1.1  christos     isctest.run.cmd(
    1.1  christos         [
    1.1  christos             VERIFY,
    1.1  christos             "-o",
    1.1  christos             "nsec-next-name-case-mismatch",
    1.1  christos             "zones/nsec-next-name-case-mismatch.good",
    1.1  christos         ],
    1.1  christos     )
    1.1  christos
    1.1  christos
1.1.1.3  christos def verify_bad_zone(zone):
1.1.1.3  christos     only_opt = ["-z"] if re.search(r"^[zk]sk-only", zone) else []
1.1.1.3  christos     cmd = isctest.run.cmd(
    1.1  christos         [VERIFY, *only_opt, "-o", zone, f"zones/{zone}.bad"],
    1.1  christos         raise_on_exception=False,
    1.1  christos     )
1.1.1.3  christos     assert cmd.rc != 0
1.1.1.3  christos     return cmd
    1.1  christos
    1.1  christos
    1.1  christos @pytest.mark.parametrize(
    1.1  christos     "zone",
    1.1  christos     [
    1.1  christos         "ksk-only.dnskeyonly",
    1.1  christos         "ksk+zsk.dnskeyonly",
    1.1  christos         "zsk-only.dnskeyonly",
    1.1  christos     ],
    1.1  christos )
    1.1  christos def test_verify_bad_zone_files_dnskeyonly(zone):
1.1.1.3  christos     cmd = verify_bad_zone(zone)
1.1.1.3  christos     assert "DNSKEY is not signed" in cmd.err
    1.1  christos
    1.1  christos
    1.1  christos @pytest.mark.parametrize(
    1.1  christos     "zone",
    1.1  christos     [
    1.1  christos         "ksk-only.nsec3.expired",
    1.1  christos         "ksk-only.nsec.expired",
    1.1  christos         "ksk+zsk.nsec3.expired",
    1.1  christos         "ksk+zsk.nsec.expired",
    1.1  christos         "ksk+zsk.nsec.ksk-expired",
    1.1  christos         "zsk-only.nsec3.expired",
    1.1  christos         "zsk-only.nsec.expired",
    1.1  christos         "ksk+zsk.nsec3.ksk-expired",
    1.1  christos     ],
    1.1  christos )
    1.1  christos def test_verify_bad_zone_files_expired(zone):
1.1.1.3  christos     cmd = verify_bad_zone(zone)
1.1.1.3  christos     assert Re("signature has expired|No self-signed DNSKEY found") in cmd.err
    1.1  christos
    1.1  christos
    1.1  christos @pytest.mark.parametrize(
    1.1  christos     "zone",
    1.1  christos     [
    1.1  christos         "ksk+zsk.nsec.out-of-zone-nsec",
    1.1  christos         "ksk+zsk.nsec.below-bottom-of-zone-nsec",
    1.1  christos         "ksk+zsk.nsec.below-dname-nsec",
    1.1  christos     ],
    1.1  christos )
    1.1  christos def test_verify_bad_zone_files_unexpected_nsec_rrset(zone):
1.1.1.3  christos     cmd = verify_bad_zone(zone)
1.1.1.3  christos     assert "unexpected NSEC RRset at" in cmd.err
    1.1  christos
    1.1  christos
    1.1  christos def test_verify_bad_zone_files_bad_nsec_record():
1.1.1.3  christos     cmd = verify_bad_zone("ksk+zsk.nsec.broken-chain")
1.1.1.3  christos     assert Re("Bad NSEC record for.*, next name mismatch") in cmd.err
    1.1  christos
    1.1  christos
    1.1  christos def test_verify_bad_zone_files_bad_bitmap():
1.1.1.3  christos     cmd = verify_bad_zone("ksk+zsk.nsec.bad-bitmap")
1.1.1.3  christos     assert "bit map mismatch" in cmd.err
    1.1  christos
    1.1  christos
    1.1  christos def test_verify_bad_zone_files_missing_nsec3_record():
1.1.1.3  christos     cmd = verify_bad_zone("ksk+zsk.nsec3.missing-empty")
1.1.1.3  christos     assert "Missing NSEC3 record for" in cmd.err
    1.1  christos
    1.1  christos
    1.1  christos def test_verify_bad_zone_files_no_dnssec_keys():
1.1.1.3  christos     cmd = verify_bad_zone("unsigned")
1.1.1.3  christos     assert "Zone contains no DNSSEC keys" in cmd.err
    1.1  christos
    1.1  christos
    1.1  christos def test_verify_bad_zone_files_unequal_nsec3_chains():
1.1.1.3  christos     cmd = verify_bad_zone("ksk+zsk.nsec3.extra-nsec3")
1.1.1.3  christos     assert "Expected and found NSEC3 chains not equal" in cmd.err
    1.1  christos
    1.1  christos
    1.1  christos # checking error message when -o is not used
    1.1  christos # and a SOA record not at top of zone is found
    1.1  christos def test_verify_soa_not_at_top_error():
    1.1  christos     # when -o is not used, origin is set to zone file name,
    1.1  christos     # which should cause an error in this case
1.1.1.3  christos     cmd = isctest.run.cmd([VERIFY, "zones/ksk+zsk.nsec.good"], raise_on_exception=False)
1.1.1.3  christos     assert "not at top of zone" in cmd.err
1.1.1.3  christos     assert "use -o to specify a different zone origin" in cmd.err
    1.1  christos
    1.1  christos
    1.1  christos # checking error message when an invalid -o is specified
    1.1  christos # and a SOA record not at top of zone is found
    1.1  christos def test_verify_invalid_o_option_soa_not_at_top_error():
1.1.1.3  christos     cmd = isctest.run.cmd(
    1.1  christos         [VERIFY, "-o", "invalid.origin", "zones/ksk+zsk.nsec.good"],
    1.1  christos         raise_on_exception=False,
1.1.1.3  christos     )
1.1.1.3  christos     assert "not at top of zone" in cmd.err
1.1.1.3  christos     assert "use -o to specify a different zone origin" not in cmd.err
    1.1  christos
    1.1  christos
    1.1  christos # checking dnssec-verify -J reads journal file
    1.1  christos def test_verify_j_reads_journal_file():
1.1.1.3  christos     cmd = isctest.run.cmd(
    1.1  christos         [
    1.1  christos             VERIFY,
    1.1  christos             "-o",
    1.1  christos             "updated",
    1.1  christos             "-J",
    1.1  christos             "zones/updated.other.jnl",
    1.1  christos             "zones/updated.other",
    1.1  christos         ]
1.1.1.3  christos     )
1.1.1.3  christos     assert "Loading zone 'updated' from file 'zones/updated.other'" in cmd.out