
[1579] suggested updates to unit tests.

- consolidated test scenarios for NSEC and NSEC3 to avoid duplicates
- also tested the case for findAll()
- also tested the cases where the zone only has NSEC3PARAM or is unsigned
JINMEI Tatuya il y a 13 ans
Parent
commit
be2b8d67e2
1 fichiers modifiés avec 103 ajouts et 102 suppressions
  1. 103 102
      src/lib/datasrc/tests/database_unittest.cc

+ 103 - 102
src/lib/datasrc/tests/database_unittest.cc

@@ -167,7 +167,10 @@ const char* const TEST_RECORDS[][5] = {
      "1234 3600 1800 2419200 7200" },
     {"example.org.", "NS", "3600", "", "ns.example.com."},
     {"example.org.", "A", "3600", "", "192.0.2.1"},
-    {"example.org.", "NSEC", "3600", "", "acnamesig1.example.org. NS A NSEC RRSIG"},
+    // Note that the RDATA text is "normalized", i.e., identical to what
+    // Rdata::toText() would produce.  some tests rely on that behavior.
+    {"example.org.", "NSEC", "3600", "",
+     "acnamesig1.example.org. A NS RRSIG NSEC"},
     {"example.org.", "RRSIG", "3600", "", "SOA 5 3 3600 20000101000000 "
               "20000201000000 12345 example.org. FAKEFAKEFAKE"},
     {"example.org.", "RRSIG", "3600", "", "NSEC 5 3 3600 20000101000000 "
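Review bot: The comment added above the apex NSEC row says some tests rely on the normalized RDATA but does not name them, so a later edit to this table can break a distant test with no hint why. From what is visible, the dependent code appears to be the apex NSEC deletion in dnssecResultFlags (last hunk), which builds its Rdata from `"acnamesig1.example.org. NS A NSEC RRSIG"` and presumably matches the stored row through toText(). I would extend the comment to something like `// dnssecResultFlags deletes this record via an Rdata object, so the text must equal Rdata::toText() output.` and capitalize "some". The TEST_RECORDS array starts and ends outside this hunk.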
@@ -2292,79 +2295,100 @@ TYPED_TEST(DatabaseClientTest, wildcardNXRRSET_NSEC) {
                Name("*.wild.example.org"), ZoneFinder::FIND_DNSSEC);
 }
 
-TYPED_TEST(DatabaseClientTest, nsec3FlagFindDB) {
-    // ZoneFinder::find() for negative cases and wildcard cases should check
-    // whether the zone is signed with NSEC or NSEC3. If it is signed with
-    // NSEC3, RESULT_NSEC3_SIGNED flag should be returned. That is good for
-    // upper layer caller.
+// Subroutine for dnssecFlagCheck defined below.  It performs some simple
+// checks regarding DNSSEC related result flags for findAll().
+void
+dnssecFlagCheckForAny(ZoneFinder& finder, const Name& name,
+                      ZoneFinder::FindResultFlags sec_flag)
+{
+    std::vector<ConstRRsetPtr> target; // just for placeholder
+    ConstZoneFinderContextPtr all_result =
+        finder.findAll(name, target, ZoneFinder::FIND_DNSSEC);
+    EXPECT_EQ((sec_flag & ZoneFinder::RESULT_NSEC_SIGNED) != 0,
+              all_result->isNSECSigned());
+    EXPECT_EQ((sec_flag & ZoneFinder::RESULT_NSEC3_SIGNED) != 0,
+              all_result->isNSEC3Signed());
+}
 
-    // First off, everything should be okay if no NSEC3PARAM rrset. If
-    // NSEC3PARAM RRset doesn't exist and NSEC RRset exist at apex, it looks
-    // like signed with NSEC, and the RESULT_NSEC_SIGNED flag should be return.
+// Common tests about DNSSEC related result flags.  Shared for the NSEC
+// and NSEC3 cases.
+void
+dnssecFlagCheck(ZoneFinder& finder, ZoneFinder::FindResultFlags sec_flag) {
+    std::vector<std::string> expected_rdatas;
+    std::vector<std::string> expected_sig_rdatas;
 
     // Check NXDOMAIN case in NSEC signed zone, and RESULT_NSEC_SIGNED flag
     // should be returned to upper layer caller.
-    this->expected_rdatas_.clear();
-    this->expected_sig_rdatas_.clear();
-    this->expected_rdatas_.push_back("www2.example.org. A AAAA NSEC RRSIG");
-    this->expected_sig_rdatas_.push_back("NSEC 5 3 3600 20000101000000 "
-                                         "20000201000000 12345 example.org. "
-                                         "FAKEFAKEFAKE");
-    boost::shared_ptr<DatabaseClient::Finder> finder(this->getFinder());
-    doFindTest(*finder, isc::dns::Name("www1.example.org."),
-               this->qtype_, isc::dns::RRType::NSEC(), this->rrttl_,
-               ZoneFinder::NXDOMAIN, this->expected_rdatas_,
-               this->expected_sig_rdatas_, ZoneFinder::RESULT_NSEC_SIGNED,
-               Name("www.example.org."), ZoneFinder::FIND_DNSSEC);
+    if ((sec_flag & ZoneFinder::RESULT_NSEC_SIGNED) != 0) {
+        expected_rdatas.push_back("www2.example.org. A AAAA NSEC RRSIG");
+        expected_sig_rdatas.push_back("NSEC 5 3 3600 20000101000000 "
+                                      "20000201000000 12345 example.org. "
+                                      "FAKEFAKEFAKE");
+    }
+    doFindTest(finder, Name("www1.example.org"), RRType::A(), RRType::NSEC(),
+               RRTTL(3600), ZoneFinder::NXDOMAIN, expected_rdatas,
+               expected_sig_rdatas, sec_flag, Name("www.example.org."),
+               ZoneFinder::FIND_DNSSEC);
+    dnssecFlagCheckForAny(finder, Name("www1.example.org"), sec_flag);
 
     // Check NXRRSET case in NSEC signed zone, and RESULT_NSEC_SIGNED flag
     // should be return.
-    this->expected_rdatas_.clear();
-    this->expected_sig_rdatas_.clear();
-    this->expected_rdatas_.push_back("www2.example.org. A AAAA NSEC RRSIG");
-    this->expected_sig_rdatas_.push_back("NSEC 5 3 3600 20000101000000 "
-                                         "20000201000000 12345 example.org. "
-                                         "FAKEFAKEFAKE");
-    doFindTest(*finder, isc::dns::Name("www.example.org."),
-               isc::dns::RRType::TXT(), isc::dns::RRType::NSEC(), this->rrttl_,
-               ZoneFinder::NXRRSET, this->expected_rdatas_,
-               this->expected_sig_rdatas_, ZoneFinder::RESULT_NSEC_SIGNED,
-               isc::dns::Name::ROOT_NAME(), ZoneFinder::FIND_DNSSEC);
+    // No "findAll" test case for this because NXRRSET shouldn't happen for it.
+    expected_rdatas.clear();
+    expected_sig_rdatas.clear();
+    if ((sec_flag & ZoneFinder::RESULT_NSEC_SIGNED) != 0) {
+        expected_rdatas.push_back("www2.example.org. A AAAA NSEC RRSIG");
+        expected_sig_rdatas.push_back("NSEC 5 3 3600 20000101000000 "
+                                      "20000201000000 12345 example.org. "
+                                      "FAKEFAKEFAKE");
+    }
+    doFindTest(finder, Name("www.example.org."), RRType::TXT(), RRType::NSEC(),
+               RRTTL(3600), ZoneFinder::NXRRSET, expected_rdatas,
+               expected_sig_rdatas, sec_flag, Name::ROOT_NAME(),
+               ZoneFinder::FIND_DNSSEC);
 
-    // Check wildcase cases, and the RESULT_NSEC_SIGNED should be return.
-    this->expected_rdatas_.clear();
-    this->expected_sig_rdatas_.clear();
-    this->expected_rdatas_.push_back("192.0.2.5");
-    this->expected_sig_rdatas_.push_back("A 5 3 3600 20000101000000 "
-                                         "20000201000000 12345 example.org. "
-                                         "FAKEFAKEFAKE");
-    doFindTest(*finder, isc::dns::Name("b.a.wild.example.org"),
-               isc::dns::RRType::A(), isc::dns::RRType::A(),
-               this->rrttl_, ZoneFinder::SUCCESS, this->expected_rdatas_,
-               this->expected_sig_rdatas_,
-               (ZoneFinder::RESULT_WILDCARD | ZoneFinder::RESULT_NSEC_SIGNED),
+    // Wildcard match
+    expected_rdatas.clear();
+    expected_sig_rdatas.clear();
+    expected_rdatas.push_back("192.0.2.5");
+    expected_sig_rdatas.push_back("A 5 3 3600 20000101000000 "
+                                  "20000201000000 12345 example.org. "
+                                  "FAKEFAKEFAKE");
+    doFindTest(finder, Name("b.a.wild.example.org"), RRType::A(),
+               RRType::A(), RRTTL(3600), ZoneFinder::SUCCESS, expected_rdatas,
+               expected_sig_rdatas, (ZoneFinder::RESULT_WILDCARD | sec_flag),
                Name("b.a.wild.example.org"), ZoneFinder::FIND_DNSSEC);
-    this->expected_rdatas_.clear();
-    this->expected_sig_rdatas_.clear();
-    this->expected_rdatas_.push_back("cancel.here.wild.example.org. A NSEC "
-                                     "RRSIG");
-    this->expected_sig_rdatas_.push_back("NSEC 5 3 3600 20000101000000 "
-                                         "20000201000000 12345 example.org. "
-                                         "FAKEFAKEFAKE");
-    doFindTest(*finder, isc::dns::Name("b.a.wild.example.org"),
-               isc::dns::RRType::TXT(), isc::dns::RRType::NSEC(),
-               this->rrttl_, ZoneFinder::NXRRSET, this->expected_rdatas_,
-               this->expected_sig_rdatas_,
-               (ZoneFinder::RESULT_WILDCARD | ZoneFinder::RESULT_NSEC_SIGNED),
+    dnssecFlagCheckForAny(finder, Name("b.a.wild.example.org"), sec_flag);
+
+    // Wildcard + NXRRSET (no "findAll" test for this case)
+    expected_rdatas.clear();
+    expected_sig_rdatas.clear();
+    if ((sec_flag & ZoneFinder::RESULT_NSEC_SIGNED) != 0) {
+        expected_rdatas.push_back("cancel.here.wild.example.org. "
+                                  "A NSEC RRSIG");
+        expected_sig_rdatas.push_back("NSEC 5 3 3600 20000101000000 "
+                                      "20000201000000 12345 example.org. "
+                                      "FAKEFAKEFAKE");
+    }
+    doFindTest(finder, Name("b.a.wild.example.org"),
+               RRType::TXT(), RRType::NSEC(), RRTTL(3600), ZoneFinder::NXRRSET,
+               expected_rdatas, expected_sig_rdatas,
+               (ZoneFinder::RESULT_WILDCARD | sec_flag),
                Name("*.wild.example.org"), ZoneFinder::FIND_DNSSEC);
+}
+
+TYPED_TEST(DatabaseClientTest, dnssecResultFlags) {
+    // ZoneFinder::find() for negative cases and wildcard cases should check
+    // whether the zone is signed with NSEC or NSEC3.
 
-    // Then, if NSEC3PARAM exists at the apex, the flags of result should
-    // contain RESULT_NSEC3_SIGNED flag when NXDOMAIN NXRRSET or wildcard
-    // cases.
+    // In the default test setup, the zone should be considered NSEC-signed
+    // (the apex node has an NSEC RR).
+    dnssecFlagCheck(*this->getFinder(), ZoneFinder::RESULT_NSEC_SIGNED);
 
-    // Add NSEC3PARAM RRSET at the apex of the zone. It looks weird if the
-    // zone only has NSEC3PARM RRset (but no NSEC3s), but it is okay for unit
-    // test.
+    // Then add an NSEC3PARAM RRset at the apex (it may look weird if the
+    // zone only has NSEC3PARM RRset (but no NSEC3s), but it is okay for the
+    // purpose of this test).  The zone should now be considered NSEC3-signed.
+    // Note that the apex NSEC still exists; NSEC3 should override NSEC.
     this->updater_ = this->client_->getUpdater(this->zname_, false);
     this->rrset_.reset(new RRset(this->zname_, this->qclass_,
                                  RRType::NSEC3PARAM(), this->rrttl_));
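Review bot: In dnssecFlagCheckForAny, `all_result` is dereferenced right after findAll() with no null check, so a finder that returns an empty context pointer would crash the test binary instead of reporting a failure. Adding `ASSERT_TRUE(all_result);` before the two EXPECT_EQ lines keeps that an ordinary gtest failure; this assumes ConstZoneFinderContextPtr is a smart pointer usable in a boolean context, which the hunk does not show. The helper also ignores the result code and the contents of `target`, so it passes when findAll() reports the wrong outcome with the right flags. A comment such as `// Only the signedness flags are checked here; the result code is covered by doFindTest.` would make that scope explicit. The body of dnssecResultFlags continues past the end of this hunk.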
@@ -2372,47 +2396,24 @@ TYPED_TEST(DatabaseClientTest, nsec3FlagFindDB) {
                                               this->rrset_->getClass(),
                                               "1 0 12 aabbccdd"));
     this->updater_->addRRset(*this->rrset_);
+    dnssecFlagCheck(this->updater_->getFinder(),
+                    ZoneFinder::RESULT_NSEC3_SIGNED);
 
-    // check NXDOMAIN, it should set RESULT_NSEC3_SIGNED in the flags.
-    this->expected_rdatas_.clear();
-    this->expected_sig_rdatas_.clear();
-    doFindTest(this->updater_->getFinder(), Name("www1.example.org."),
-               this->qtype_, this->qtype_, this->rrttl_, ZoneFinder::NXDOMAIN,
-               this->expected_rdatas_, this->expected_sig_rdatas_,
-               ZoneFinder::RESULT_NSEC3_SIGNED,Name::ROOT_NAME(),
-               ZoneFinder::FIND_DNSSEC);
-
-    // check NXRRSET, it should set RESULT_NSEC3_SIGNED in the flags.
-    this->expected_rdatas_.clear();
-    this->expected_sig_rdatas_.clear();
-    doFindTest(this->updater_->getFinder(), Name("www.example.org."),
-               RRType::TXT(), RRType::TXT(), this->rrttl_,
-               ZoneFinder::NXRRSET, this->expected_rdatas_,
-               this->expected_sig_rdatas_, ZoneFinder::RESULT_NSEC3_SIGNED,
-               Name::ROOT_NAME(), ZoneFinder::FIND_DNSSEC);
-
-    // check flags if wildcard matches, it should set RESULT_NSEC3_SIGNED in
-    // the flags.
-    this->expected_rdatas_.push_back("192.0.2.5");
-    this->expected_sig_rdatas_.push_back("A 5 3 3600 20000101000000 "
-                                         "20000201000000 12345 example.org. "
-                                         "FAKEFAKEFAKE");
-    doFindTest(this->updater_->getFinder(), Name("b.a.wild.example.org"),
-               this->qtype_, this->qtype_, this->rrttl_, ZoneFinder::SUCCESS,
-               this->expected_rdatas_, this->expected_sig_rdatas_,
-               ZoneFinder::RESULT_WILDCARD | ZoneFinder::RESULT_NSEC3_SIGNED,
-               Name::ROOT_NAME(), ZoneFinder::FIND_DNSSEC);
-
-    // check flags if NXRRSET in wildcard case, it should set
-    // RESULT_NSEC3_SIGNED in the flags.
-    this->expected_rdatas_.clear();
-    this->expected_sig_rdatas_.clear();
-    doFindTest(this->updater_->getFinder(), Name("b.a.wild.example.org"),
-               RRType::TXT(), RRType::TXT(), this->rrttl_,
-               ZoneFinder::NXRRSET, this->expected_rdatas_,
-               this->empty_rdatas_, (ZoneFinder::RESULT_WILDCARD |
-               ZoneFinder::RESULT_NSEC3_SIGNED), Name::ROOT_NAME(),
-               ZoneFinder::FIND_DNSSEC);
+    // Next, delete the apex NSEC.  Since NSEC3PARAM remains, the zone should
+    // still be considered NSEC3-signed.
+    RRsetPtr nsec_rrset(new RRset(this->zname_, this->qclass_, RRType::NSEC(),
+                                  this->rrttl_));
+    nsec_rrset->addRdata(rdata::createRdata(RRType::NSEC(), this->qclass_,
+                                            "acnamesig1.example.org. NS A "
+                                            "NSEC RRSIG"));
+    this->updater_->deleteRRset(*nsec_rrset);
+    dnssecFlagCheck(this->updater_->getFinder(),
+                    ZoneFinder::RESULT_NSEC3_SIGNED);
+
+    // Finally, delete the NSEC3PARAM we just added above.  The zone should
+    // then be considered unsigned.
+    this->updater_->deleteRRset(*this->rrset_);
+    dnssecFlagCheck(this->updater_->getFinder(), ZoneFinder::RESULT_DEFAULT);
 }
 
 TYPED_TEST(DatabaseClientTest, NXDOMAIN_NSEC) {
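Review bot: dnssecFlagCheck is called four times from dnssecResultFlags (once in the previous hunk, three times here), and a failure inside it is reported at the helper's line with nothing saying which zone state was under test. Wrapping each call in its own scope with a trace, e.g. `{ SCOPED_TRACE("NSEC3PARAM present, apex NSEC deleted"); dnssecFlagCheck(...); }`, would attribute failures to the right step. This matters most for the NSEC deletion: per the test's own comment NSEC3 overrides NSEC, so the check right after `deleteRRset(*nsec_rrset)` passes whether or not the record was actually removed. A deletion that silently failed would only surface in the final RESULT_DEFAULT check, where it looks like an NSEC3PARAM problem. The test body starts outside this hunk.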