system/acl/tests.sh

	tests.sh revision 7ed4399c6598276b76df95e6dc91ed7b2834abc6
f36c85c3cee0b7022d6a99077fab2e5afc4e357dMark Andrews#!/bin/sh
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews#
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence# Copyright (C) 2008  Internet Systems Consortium, Inc. ("ISC")
7c74e180c206e6ed99e8beb820da5f399d845c3eDavid Lawrence#
7c74e180c206e6ed99e8beb820da5f399d845c3eDavid Lawrence# Permission to use, copy, modify, and/or distribute this software for any
7c74e180c206e6ed99e8beb820da5f399d845c3eDavid Lawrence# purpose with or without fee is hereby granted, provided that the above
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence# copyright notice and this permission notice appear in all copies.
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews#
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
9c3531d72aeaad6c5f01efe6a1c82023e1379e4dDavid Lawrence# PERFORMANCE OF THIS SOFTWARE.
866d106459313499d0ca7bfccb4b2d23d5e4377cDavid Lawrence
74cb99072c4b0ebd2ccafcfa284288fa760f7a1aMark Andrews# $Id: tests.sh,v 1.4 2008/07/19 00:02:14 each Exp $
866d106459313499d0ca7bfccb4b2d23d5e4377cDavid Lawrence
866d106459313499d0ca7bfccb4b2d23d5e4377cDavid LawrenceSYSTEMTESTTOP=..
7c74e180c206e6ed99e8beb820da5f399d845c3eDavid Lawrence. $SYSTEMTESTTOP/conf.sh
f31446e6b5925395fce4f62adf71f7ad70cea6ceMark Andrews
ea31416b4fcdf23732355a8002f93f29e3b3d2dbAndreas GustafssonDIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd"
866d106459313499d0ca7bfccb4b2d23d5e4377cDavid Lawrence
03e200df5dc283f24a6a349f0b31d3eab26da893Mark Andrewsstatus=0
a5d43b72413db3edd6b36a58f9bdf2cf6ff692f2Bob Halleyt=0
a5d43b72413db3edd6b36a58f9bdf2cf6ff692f2Bob Halley
be801b0fdbcf9b55b3a8cc6bf042ff6c86be6b11Mark Andrewsecho "I:testing basic ACL processing"
a5d43b72413db3edd6b36a58f9bdf2cf6ff692f2Bob Halley# key "one" should fail
a5d43b72413db3edd6b36a58f9bdf2cf6ff692f2Bob Halleyt=`expr $t + 1`
a5d43b72413db3edd6b36a58f9bdf2cf6ff692f2Bob Halley$DIG $DIGOPTS tsigzone. \
ccdac53c027e8964753b36c4d8c7b0e98af501c2Michael Graff        @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 -p 5300 > dig.out
ccdac53c027e8964753b36c4d8c7b0e98af501c2Michael Graffgrep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; }
ccdac53c027e8964753b36c4d8c7b0e98af501c2Michael Graff
a903095bf4512dae561c7f6fc7854a51bebf334aMark Andrews# any other key should be fine
ccdac53c027e8964753b36c4d8c7b0e98af501c2Michael Grafft=`expr $t + 1`
ccdac53c027e8964753b36c4d8c7b0e98af501c2Michael Graff$DIG $DIGOPTS tsigzone. \
ccdac53c027e8964753b36c4d8c7b0e98af501c2Michael Graff        @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 -p 5300 > dig.out
ccdac53c027e8964753b36c4d8c7b0e98af501c2Michael Graffgrep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; }
3d776d762914d1b675b4fd49728ce353ccf6f77eBrian Wellington
ccdac53c027e8964753b36c4d8c7b0e98af501c2Michael Graffcp -f ns2/named2.conf ns2/named.conf
03e200df5dc283f24a6a349f0b31d3eab26da893Mark Andrews$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
03e200df5dc283f24a6a349f0b31d3eab26da893Mark Andrewssleep 5
03e200df5dc283f24a6a349f0b31d3eab26da893Mark Andrews
03e200df5dc283f24a6a349f0b31d3eab26da893Mark Andrews# prefix 10/8 should fail
03e200df5dc283f24a6a349f0b31d3eab26da893Mark Andrewst=`expr $t + 1`
03e200df5dc283f24a6a349f0b31d3eab26da893Mark Andrews$DIG $DIGOPTS tsigzone. \
03e200df5dc283f24a6a349f0b31d3eab26da893Mark Andrews        @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 -p 5300 > dig.out
75a4dd0d377dca2f85cea44e28bf110314c1fe8cDavid Lawrencegrep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; }
75a4dd0d377dca2f85cea44e28bf110314c1fe8cDavid Lawrence
75a4dd0d377dca2f85cea44e28bf110314c1fe8cDavid Lawrence# any other address should work, as long as it sends key "one"
75a4dd0d377dca2f85cea44e28bf110314c1fe8cDavid Lawrencet=`expr $t + 1`
75a4dd0d377dca2f85cea44e28bf110314c1fe8cDavid Lawrence$DIG $DIGOPTS tsigzone. \
91306d962f9d147d94b82fb14edb28f8d907cae7Andreas Gustafsson        @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 -p 5300 > dig.out
91306d962f9d147d94b82fb14edb28f8d907cae7Andreas Gustafssongrep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; }
91306d962f9d147d94b82fb14edb28f8d907cae7Andreas Gustafsson
91306d962f9d147d94b82fb14edb28f8d907cae7Andreas Gustafssont=`expr $t + 1`
91306d962f9d147d94b82fb14edb28f8d907cae7Andreas Gustafsson$DIG $DIGOPTS tsigzone. \
e893dce91279d7313a579f72caae3941f6dc5a27David Lawrence        @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 -p 5300 > dig.out
e893dce91279d7313a579f72caae3941f6dc5a27David Lawrencegrep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; }
e893dce91279d7313a579f72caae3941f6dc5a27David Lawrence
e893dce91279d7313a579f72caae3941f6dc5a27David Lawrenceecho "I:testing nested ACL processing"
e893dce91279d7313a579f72caae3941f6dc5a27David Lawrence# all combinations of 10.53.0.{1|2} with key {one|two}, should succeed
e893dce91279d7313a579f72caae3941f6dc5a27David Lawrencecp -f ns2/named3.conf ns2/named.conf
e893dce91279d7313a579f72caae3941f6dc5a27David Lawrence$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
e893dce91279d7313a579f72caae3941f6dc5a27David Lawrencesleep 5
e893dce91279d7313a579f72caae3941f6dc5a27David Lawrence
e893dce91279d7313a579f72caae3941f6dc5a27David Lawrence# should succeed
3b77946b751f39bd4db5a7d1fe48a81e6b1e7a28Bob Halleyt=`expr $t + 1`
3b77946b751f39bd4db5a7d1fe48a81e6b1e7a28Bob Halley$DIG $DIGOPTS tsigzone. \
3b77946b751f39bd4db5a7d1fe48a81e6b1e7a28Bob Halley        @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 -p 5300 > dig.out
8e06cea14c857429ab7e7299af2dce5eeeaa5ff0Michael Graffgrep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; }
ce8c568e0d6106bb87069453505e09bc66754b40Andreas Gustafsson
3b77946b751f39bd4db5a7d1fe48a81e6b1e7a28Bob Halley# should succeed
3b77946b751f39bd4db5a7d1fe48a81e6b1e7a28Bob Halleyt=`expr $t + 1`
3b77946b751f39bd4db5a7d1fe48a81e6b1e7a28Bob Halley$DIG $DIGOPTS tsigzone. \
3b77946b751f39bd4db5a7d1fe48a81e6b1e7a28Bob Halley        @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 -p 5300 > dig.out
3b77946b751f39bd4db5a7d1fe48a81e6b1e7a28Bob Halleygrep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; }
3b77946b751f39bd4db5a7d1fe48a81e6b1e7a28Bob Halley
3b77946b751f39bd4db5a7d1fe48a81e6b1e7a28Bob Halley# should succeed
3b77946b751f39bd4db5a7d1fe48a81e6b1e7a28Bob Halleyt=`expr $t + 1`
3b77946b751f39bd4db5a7d1fe48a81e6b1e7a28Bob Halley$DIG $DIGOPTS tsigzone. \
3b77946b751f39bd4db5a7d1fe48a81e6b1e7a28Bob Halley        @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 -p 5300 > dig.out
3b77946b751f39bd4db5a7d1fe48a81e6b1e7a28Bob Halleygrep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; }
3b77946b751f39bd4db5a7d1fe48a81e6b1e7a28Bob Halley
3b77946b751f39bd4db5a7d1fe48a81e6b1e7a28Bob Halley# should succeed
8e06cea14c857429ab7e7299af2dce5eeeaa5ff0Michael Grafft=`expr $t + 1`
8e06cea14c857429ab7e7299af2dce5eeeaa5ff0Michael Graff$DIG $DIGOPTS tsigzone. \
3ecf3394e37dc2848a09ffc643565d454e9e6974Andreas Gustafsson        @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 -p 5300 > dig.out
3ecf3394e37dc2848a09ffc643565d454e9e6974Andreas Gustafssongrep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; }
3ecf3394e37dc2848a09ffc643565d454e9e6974Andreas Gustafsson
3ecf3394e37dc2848a09ffc643565d454e9e6974Andreas Gustafsson# but only one or the other should fail
3ecf3394e37dc2848a09ffc643565d454e9e6974Andreas Gustafssont=`expr $t + 1`
3ecf3394e37dc2848a09ffc643565d454e9e6974Andreas Gustafsson$DIG $DIGOPTS tsigzone. \
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence        @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 -p 5300 > dig.out
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrencegrep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; }
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence
b587e1d83f007ce68a9ae93097c461d8eb7aa373Mark Andrewst=`expr $t + 1`
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence$DIG $DIGOPTS tsigzone. \
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence        @10.53.0.2 -b 10.53.0.2 axfr -p 5300 > dig.out
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrencegrep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $tt failed" ; status=1; }
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence# and other values? right out
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrencet=`expr $t + 1`
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence$DIG $DIGOPTS tsigzone. \
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence        @10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 -p 5300 > dig.out
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrencegrep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; }
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence# now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrencecp -f ns2/named4.conf ns2/named.conf
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrencesleep 5
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence# should succeed
ae4cbb69eef32ced103fe4561e8d2031ee4c3497David Lawrencet=`expr $t + 1`
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews$DIG $DIGOPTS tsigzone. \
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews        @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 -p 5300 > dig.out
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrewsgrep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; }
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews# should succeed
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrewst=`expr $t + 1`
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews$DIG $DIGOPTS tsigzone. \
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews        @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 -p 5300 > dig.out
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrewsgrep "^;" dig.out > /dev/null 2>&1 && { echo "I:test $t failed" ; status=1; }
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews# should fail
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrewst=`expr $t + 1`
ae4cbb69eef32ced103fe4561e8d2031ee4c3497David Lawrence$DIG $DIGOPTS tsigzone. \
ae4cbb69eef32ced103fe4561e8d2031ee4c3497David Lawrence        @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 -p 5300 > dig.out
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrencegrep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; }
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence# should fail
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrencet=`expr $t + 1`
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence$DIG $DIGOPTS tsigzone. \
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence        @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 -p 5300 > dig.out
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrencegrep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; }
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence
0293ad13207aa29bd5844cdc87d085ffc009d749David Lawrence# should fail
0293ad13207aa29bd5844cdc87d085ffc009d749David Lawrencet=`expr $t + 1`
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews$DIG $DIGOPTS tsigzone. \
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews        @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 -p 5300 > dig.out
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrewsgrep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; }
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrewsecho "I:exit status: $status"
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrewsexit $status
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews