dnsdist: Add regression tests for DoT and DoH backends

rgacogne · Dec 12, 2024 · 579f484 · 579f484
1 parent 0c36e78
commit 579f484
Show file tree

Hide file tree

Showing 2 changed files with 117 additions and 1 deletion.
diff --git a/regression-tests.dnsdist/test_OutgoingDOH.py b/regression-tests.dnsdist/test_OutgoingDOH.py
@@ -334,6 +334,80 @@ def startResponders(cls):
         cls._DOHResponder.daemon = True
         cls._DOHResponder.start()
 
+class TestOutgoingDOHOpenSSLYaml(DNSDistTest, OutgoingDOHTests):
+    _tlsBackendPort = pickAvailablePort()
+    _tlsProvider = 'openssl'
+    _consoleKey = DNSDistTest.generateConsoleKey()
+    _consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
+    _config_params = []
+    _config_template = ""
+    _yaml_config_template = """---
+console:
+  key: "%s"
+  listen-address: "127.0.0.1:%d"
+  acl:
+    - 127.0.0.0/8
+backends:
+  - address: "127.0.0.1:%d"
+    protocol: "DoH"
+    pools:
+      - ""
+      - "cache"
+    tls:
+      provider: "%s"
+      validate-certificate: true
+      ca-store: "ca.pem"
+      subject-name: "powerdns.com"
+    doh:
+      path: "/dns-query"
+    health-checks:
+      mode: "UP"
+webserver:
+  listen-address: "127.0.0.1:%d"
+  password: "%s"
+  api-key: "%s"
+  acl:
+    - 127.0.0.0/8
+tuning:
+  tcp:
+    worker-threads: 1
+pools:
+  - name: "cache"
+    packet-cache: "pc"
+packet-caches:
+  - name: "pc"
+    size: 100
+query-rules:
+  - name: "suffix to pool"
+    selector:
+      type: "QNameSuffix"
+      suffixes:
+        - "cached.outgoing-doh.test.powerdns.com."
+    action:
+      type: "Pool"
+      pool-name: "cache"
+"""
+    _yaml_config_params = ['_consoleKeyB64', '_consolePort', '_tlsBackendPort', '_tlsProvider', '_webServerPort', '_webServerBasicAuthPasswordHashed', '_webServerAPIKeyHashed']
+
+    @staticmethod
+    def sniCallback(sslSocket, sni, sslContext):
+        assert(sni == 'powerdns.com')
+        return None
+
+    @classmethod
+    def startResponders(cls):
+        tlsContext = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+        tlsContext.set_alpn_protocols(["h2"])
+        tlsContext.load_cert_chain('server.chain', 'server.key')
+        # requires Python 3.7+
+        if hasattr(tlsContext, 'sni_callback'):
+            tlsContext.sni_callback = cls.sniCallback
+
+        print("Launching DOH responder..")
+        cls._DOHResponder = threading.Thread(name='DOH Responder', target=cls.DOHResponder, args=[cls._tlsBackendPort, cls._toResponderQueue, cls._fromResponderQueue, False, False, None, tlsContext])
+        cls._DOHResponder.daemon = True
+        cls._DOHResponder.start()
+
 class TestOutgoingDOHOpenSSLWrongCertName(DNSDistTest, BrokenOutgoingDOHTests):
     _tlsBackendPort = pickAvailablePort()
     _config_params = ['_tlsBackendPort', '_webServerPort', '_webServerBasicAuthPasswordHashed', '_webServerAPIKeyHashed']

diff --git a/regression-tests.dnsdist/test_OutgoingTLS.py b/regression-tests.dnsdist/test_OutgoingTLS.py
@@ -15,7 +15,6 @@ class OutgoingTLSTests(object):
     _webServerAPIKey = 'apisecret'
     _webServerBasicAuthPasswordHashed = '$scrypt$ln=10,p=1,r=8$6DKLnvUYEeXWh3JNOd3iwg==$kSrhdHaRbZ7R74q3lGBqO1xetgxRxhmWzYJ2Qvfm7JM='
     _webServerAPIKeyHashed = '$scrypt$ln=10,p=1,r=8$9v8JxDfzQVyTpBkTbkUqYg==$bDQzAOHeK1G9UvTPypNhrX48w974ZXbFPtRKS34+aso='
-    _verboseMode = True
 
     def checkOnlyTLSResponderHit(self, numberOfTLSQueries=1):
         self.assertNotIn('UDP Responder', self._responsesCounter)
@@ -164,6 +163,49 @@ def startResponders(cls):
         cls._TLSResponder.daemon = True
         cls._TLSResponder.start()
 
+class TestOutgoingTLSOpenSSLYaml(DNSDistTest, OutgoingTLSTests):
+    _tlsBackendPort = pickAvailablePort()
+    _config_params = []
+    _config_template = ""
+    _yaml_config_template = """---
+backends:
+  - address: "127.0.0.1:%d"
+    protocol: "DoT"
+    tls:
+      provider: "openssl"
+      validate-certificate: true
+      ca-store: "ca.pem"
+      subject-name: "powerdns.com"
+webserver:
+  listen-address: "127.0.0.1:%d"
+  password: "%s"
+  api-key: "%s"
+  acl:
+    - 127.0.0.0/8
+tuning:
+  tcp:
+    worker-threads: 1
+    """
+    _yaml_config_params = ['_tlsBackendPort', '_webServerPort', '_webServerBasicAuthPasswordHashed', '_webServerAPIKeyHashed']
+
+    @staticmethod
+    def sniCallback(sslSocket, sni, sslContext):
+        assert(sni == 'powerdns.com')
+        return None
+
+    @classmethod
+    def startResponders(cls):
+        tlsContext = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+        tlsContext.load_cert_chain('server.chain', 'server.key')
+        # requires Python 3.7+
+        if hasattr(tlsContext, 'sni_callback'):
+            tlsContext.sni_callback = cls.sniCallback
+
+        print("Launching TLS responder..")
+        cls._TLSResponder = threading.Thread(name='TLS Responder', target=cls.TCPResponder, args=[cls._tlsBackendPort, cls._toResponderQueue, cls._fromResponderQueue, False, False, None, tlsContext])
+        cls._TLSResponder.daemon = True
+        cls._TLSResponder.start()
+
 class TestOutgoingTLSGnuTLS(DNSDistTest, OutgoingTLSTests):
     _tlsBackendPort = pickAvailablePort()
     _config_params = ['_tlsBackendPort', '_webServerPort', '_webServerBasicAuthPasswordHashed', '_webServerAPIKeyHashed']