From 35a3e0226f9e5fb39428a472f82beed1d2d1b917 Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Mon, 28 Dec 2020 15:21:43 +0000
Subject: [PATCH 1/5] Remove duplicate teardown() function

---
 test/u2-test-get_auth_dns-drill.bats | 13 -------------
 1 file changed, 13 deletions(-)

diff --git a/test/u2-test-get_auth_dns-drill.bats b/test/u2-test-get_auth_dns-drill.bats
index c5feadf..33b2277 100644
--- a/test/u2-test-get_auth_dns-drill.bats
+++ b/test/u2-test-get_auth_dns-drill.bats
@@ -31,19 +31,6 @@ teardown() {
 }
 
 
-teardown() {
-    if [ -f /usr/bin/host.getssl.bak ]; then
-        mv /usr/bin/host.getssl.bak /usr/bin/host
-    fi
-    if [ -f /usr/bin/nslookup.getssl.bak ]; then
-        mv /usr/bin/nslookup.getssl.bak /usr/bin/nslookup
-    fi
-    if [ -f /usr/bin/dig.getssl.bak ]; then
-        mv /usr/bin/dig.getssl.bak /usr/bin/dig
-    fi
-}
-
-
 @test "Check get_auth_dns using drill NS" {
     if [ ! -f /usr/bin/drill ]; then
         # Can't find drill package for centos8

From dd3d72a806bfd710beadb101b24618dafc99fa4d Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Mon, 28 Dec 2020 15:25:25 +0000
Subject: [PATCH 2/5] Add tests for issue #617

---
 .../u5-test-get_auth_dns-no-root-servers.bats | 89 +++++++++++++++++
 .../u6-test-get_auth_dns-no-root-servers.bats | 99 +++++++++++++++++++
 2 files changed, 188 insertions(+)
 create mode 100644 test/u5-test-get_auth_dns-no-root-servers.bats
 create mode 100644 test/u6-test-get_auth_dns-no-root-servers.bats

diff --git a/test/u5-test-get_auth_dns-no-root-servers.bats b/test/u5-test-get_auth_dns-no-root-servers.bats
new file mode 100644
index 0000000..40d79a4
--- /dev/null
+++ b/test/u5-test-get_auth_dns-no-root-servers.bats
@@ -0,0 +1,89 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+    for app in drill host nslookup
+    do
+        if [ -f /usr/bin/${app} ]; then
+            mv /usr/bin/${app} /usr/bin/${app}.getssl.bak
+        fi
+    done
+
+    . /getssl/getssl --source
+    find_dns_utils
+    _RUNNING_TEST=1
+    _USE_DEBUG=0
+}
+
+
+teardown() {
+    for app in drill host nslookup
+    do
+        if [ -f /usr/bin/${app}.getssl.bak ]; then
+            mv /usr/bin/${app}.getssl.bak /usr/bin/${app}
+        fi
+    done
+}
+
+
+@test "Check get_auth_dns doesn't include root servers (dig NS)" {
+    # Test that get_auth_dns() handles scenario where NS query returns root servers
+    # Issue #617
+    #
+    # Log output was:
+    # Verifying example.com
+    # checking DNS at h.root-servers.net for example.com. Attempt 1/100 gave wrong result, waiting 10 secs before checking again
+    # ... (retried until max attempts then failed)
+
+    # Disable SOA and CNAME check
+    _TEST_SKIP_CNAME_CALL=1
+    _TEST_SKIP_SOA_CALL=1
+
+    PUBLIC_DNS_SERVER=8.8.8.8
+    CHECK_PUBLIC_DNS_SERVER=false
+    CHECK_ALL_AUTH_DNS=true
+
+    run get_auth_dns example.com
+
+    # Assert that we've found the primary_ns server
+    assert_output --regexp 'set primary_ns = '
+    # Assert that we had to use dig NS
+    assert_line --partial 'Using dig NS'
+
+    # Check we didn't include any root servers
+    refute_line --partial 'IN\WNS\W\.root-servers\.net\.'
+}
+
+
+@test "Check get_auth_dns doesn't include root servers (dig SOA)" {
+    # Test that get_auth_dns() handles scenario where NS query returns root servers
+    # Issue #617
+    #
+    # Log output was:
+    # Verifying example.com
+    # checking DNS at h.root-servers.net for example.com. Attempt 1/100 gave wrong result, waiting 10 secs before checking again
+    # ... (retried until max attempts then failed)
+
+    # Disable CNAME check, ensure SOA check is enabled
+    _TEST_SKIP_CNAME_CALL=1
+    _TEST_SKIP_SOA_CALL=0
+
+    PUBLIC_DNS_SERVER=8.8.8.8
+    CHECK_PUBLIC_DNS_SERVER=false
+    CHECK_ALL_AUTH_DNS=true
+
+    run get_auth_dns example.com
+
+    # Assert that we've found the primary_ns server
+    assert_output --regexp 'set primary_ns = '
+    # Assert that we had to use dig SOA
+    assert_line --partial 'Using dig SOA'
+
+    # Check we didn't include any root servers
+    refute_line --partial 'IN\WNS\W\.root-servers\.net\.'
+}
diff --git a/test/u6-test-get_auth_dns-no-root-servers.bats b/test/u6-test-get_auth_dns-no-root-servers.bats
new file mode 100644
index 0000000..84012c3
--- /dev/null
+++ b/test/u6-test-get_auth_dns-no-root-servers.bats
@@ -0,0 +1,99 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+    for app in dig host nslookup
+    do
+        if [ -f /usr/bin/${app} ]; then
+            mv /usr/bin/${app} /usr/bin/${app}.getssl.bak
+        fi
+    done
+
+    . /getssl/getssl --source
+    find_dns_utils
+    _RUNNING_TEST=1
+    _USE_DEBUG=0
+}
+
+
+teardown() {
+    for app in dig host nslookup
+    do
+        if [ -f /usr/bin/${app}.getssl.bak ]; then
+            mv /usr/bin/${app}.getssl.bak /usr/bin/${app}
+        fi
+    done
+}
+
+
+@test "Check get_auth_dns doesn't include root servers (drill NS)" {
+    if [ ! -f /usr/bin/drill ]; then
+        # Can't find drill package for centos8
+        skip "Drill not installed on this system"
+    fi
+
+    # Test that get_auth_dns() handles scenario where NS query returns root servers
+    # Issue #617
+    #
+    # Log output was:
+    # Verifying example.com
+    # checking DNS at h.root-servers.net for example.com. Attempt 1/100 gave wrong result, waiting 10 secs before checking again
+    # ... (retried until max attempts then failed)
+
+    # Disable CNAME check, ensure SOA check is enabled
+    _TEST_SKIP_CNAME_CALL=1
+    _TEST_SKIP_SOA_CALL=1
+
+    PUBLIC_DNS_SERVER=8.8.8.8
+    CHECK_PUBLIC_DNS_SERVER=false
+    CHECK_ALL_AUTH_DNS=true
+
+    run get_auth_dns example.com
+
+    # Assert that we've found the primary_ns server
+    assert_output --regexp 'set primary_ns = '
+    # Assert that we had to use drill NS
+    assert_line --partial 'Using drill NS'
+
+    # Check we didn't include any root servers
+    refute_line --partial 'IN\WNS\W\.root-servers\.net\.'
+}
+
+
+@test "Check get_auth_dns doesn't include root servers (drill SOA)" {
+    if [ ! -f /usr/bin/drill ]; then
+        # Can't find drill package for centos8
+        skip "Drill not installed on this system"
+    fi
+
+    # Test that get_auth_dns() handles scenario where NS query returns root servers
+    # Issue #617
+    #
+    # Log output was:
+    # Verifying example.com
+    # checking DNS at h.root-servers.net for example.com. Attempt 1/100 gave wrong result, waiting 10 secs before checking again
+    # ... (retried until max attempts then failed)
+
+    # Disable SOA and CNAME check
+    _TEST_SKIP_CNAME_CALL=1
+    _TEST_SKIP_SOA_CALL=0
+
+    PUBLIC_DNS_SERVER=8.8.8.8
+    CHECK_PUBLIC_DNS_SERVER=false
+    CHECK_ALL_AUTH_DNS=true
+
+    run get_auth_dns example.com
+
+    # Assert that we've found the primary_ns server
+    assert_output --regexp 'set primary_ns = '
+    # Assert that we had to use drill SOA
+    assert_line --partial 'Using drill SOA'
+
+    # Check we didn't include any root servers
+    refute_line --partial 'IN\WNS\W\.root-servers\.net\.'
+}

From 630554073e5a54caa5b8a8a538c84361cc0302f7 Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Mon, 28 Dec 2020 16:15:38 +0000
Subject: [PATCH 3/5] Remove spaces around server when calling dig or drill

---
 getssl | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/getssl b/getssl
index eefe4fa..afa5fba 100755
--- a/getssl
+++ b/getssl
@@ -1310,11 +1310,11 @@ get_auth_dns() { # get the authoritative dns server for a domain (sets primary_n
     if [[ "$HAS_DIG_OR_DRILL" == "dig" ]]; then
       debug Using "$HAS_DIG_OR_DRILL SOA +trace +nocomments $gad_d $gad_s" to find primary nameserver
       test_output "Using $HAS_DIG_OR_DRILL SOA"
-      res=$($HAS_DIG_OR_DRILL SOA +trace +nocomments "$gad_d" "$gad_s" 2>/dev/null | grep "IN\WNS\W")
+      res=$($HAS_DIG_OR_DRILL SOA +trace +nocomments "$gad_d" $gad_s 2>/dev/null | grep "IN\WNS\W")
     else
       debug Using "$HAS_DIG_OR_DRILL -T $gad_d $gad_s" to find primary nameserver
       test_output "Using $HAS_DIG_OR_DRILL SOA"
-      res=$($HAS_DIG_OR_DRILL -T SOA "$gad_d" "$gad_s" 2>/dev/null | grep "IN\WNS\W")
+      res=$($HAS_DIG_OR_DRILL -T SOA "$gad_d" $gad_s 2>/dev/null | grep "IN\WNS\W")
     fi
   fi
 
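Review bot: Removing the quotes around `$gad_s` on the two `res=` lines fixes the empty-argument case but exposes the value to word splitting and pathname expansion, so a server string containing whitespace or a glob character would be handed to dig/drill as several arguments. The idiom that keeps the quoting and still omits the argument when it is empty is `${gad_s:+"$gad_s"}`, e.g. `res=$($HAS_DIG_OR_DRILL SOA +trace +nocomments "$gad_d" ${gad_s:+"$gad_s"} 2>/dev/null | grep "IN\WNS\W")`. The same applies to the two CNAME lookups in the `@@ -1324` hunk and to the `host` call in the `@@ -1385` hunk; only that last one carries `# shellcheck disable=SC2086`, so the other four unquoted expansions will presumably be flagged if shellcheck runs over the script. The drill branch's debug line also names `-T $gad_d` while the command actually run is `-T SOA "$gad_d"`, which makes the log misleading. get_auth_dns() starts before and continues after this hunk.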
@@ -1324,12 +1324,12 @@ get_auth_dns() { # get the authoritative dns server for a domain (sets primary_n
 
     # Two options here; either dig CNAME will return the CNAME and the NS or just the CNAME
     debug Checking for CNAME using "$HAS_DIG_OR_DRILL CNAME $gad_d $gad_s"
-    res=$($HAS_DIG_OR_DRILL CNAME "$gad_d" "$gad_s"| grep "^$gad_d")
+    res=$($HAS_DIG_OR_DRILL CNAME "$gad_d" $gad_s| grep "^$gad_d")
     cname=$(echo "$res"| awk '$4 ~ "CNAME" {print $5}' |sed 's/\.$//g')
 
     if [[ $_TEST_SKIP_CNAME_CALL == 0 ]]; then
       debug Checking if CNAME result contains NS records
-      res=$($HAS_DIG_OR_DRILL CNAME "$gad_d" "$gad_s"| grep -E "IN\W(NS|SOA)\W")
+      res=$($HAS_DIG_OR_DRILL CNAME "$gad_d" $gad_s| grep -E "IN\W(NS|SOA)\W")
     else
       res=""
     fi
@@ -1385,7 +1385,8 @@ get_auth_dns() { # get the authoritative dns server for a domain (sets primary_n
     if [[ -z "$gad_s" ]]; then
       res=$(host -t NS "$gad_d"| grep "name server")
     else
-      res=$(host -t NS "$gad_d" "$gad_s"| grep "name server")
+      # shellcheck disable=SC2086
+      res=$(host -t NS "$gad_d" $gad_s| grep "name server")
     fi
     if [[ -n "$res" ]]; then
       all_auth_dns_servers=$(echo "$res" | awk '{print $4}' | sed 's/\.$//g'|tr '\n' ' ')

From f8f3e5b901eb0d622795fad0b88be43946b9b952 Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Tue, 29 Dec 2020 21:36:44 +0000
Subject: [PATCH 4/5] Updated tests to reproduce bug in #617

---
 .../u5-test-get_auth_dns-no-root-servers.bats | 15 ++-
 .../u6-test-get_auth_dns-no-root-servers.bats | 99 -------------------
 2 files changed, 11 insertions(+), 103 deletions(-)
 delete mode 100644 test/u6-test-get_auth_dns-no-root-servers.bats

diff --git a/test/u5-test-get_auth_dns-no-root-servers.bats b/test/u5-test-get_auth_dns-no-root-servers.bats
index 40d79a4..b88fd41 100644
--- a/test/u5-test-get_auth_dns-no-root-servers.bats
+++ b/test/u5-test-get_auth_dns-no-root-servers.bats
@@ -7,6 +7,12 @@ load '/getssl/test/test_helper.bash'
 
 # This is run for every test
 setup() {
+    cp /etc/resolv.conf /etc/resolv.conf.getssl
+    cat <<- EOF > /etc/resolv.conf
+nameserver 8.8.8.8
+options ndots:0
+EOF
+
     for app in drill host nslookup
     do
         if [ -f /usr/bin/${app} ]; then
@@ -22,6 +28,7 @@ setup() {
 
 
 teardown() {
+    cat /etc/resolv.conf.getssl > /etc/resolv.conf
     for app in drill host nslookup
     do
         if [ -f /usr/bin/${app}.getssl.bak ]; then
@@ -44,7 +51,7 @@ teardown() {
     _TEST_SKIP_CNAME_CALL=1
     _TEST_SKIP_SOA_CALL=1
 
-    PUBLIC_DNS_SERVER=8.8.8.8
+    PUBLIC_DNS_SERVER=
     CHECK_PUBLIC_DNS_SERVER=false
     CHECK_ALL_AUTH_DNS=true
 
@@ -56,7 +63,7 @@ teardown() {
     assert_line --partial 'Using dig NS'
 
     # Check we didn't include any root servers
-    refute_line --partial 'IN\WNS\W\.root-servers\.net\.'
+    refute_line --partial 'root-servers.net'
 }
 
 
@@ -73,7 +80,7 @@ teardown() {
     _TEST_SKIP_CNAME_CALL=1
     _TEST_SKIP_SOA_CALL=0
 
-    PUBLIC_DNS_SERVER=8.8.8.8
+    PUBLIC_DNS_SERVER=
     CHECK_PUBLIC_DNS_SERVER=false
     CHECK_ALL_AUTH_DNS=true
 
@@ -85,5 +92,5 @@ teardown() {
     assert_line --partial 'Using dig SOA'
 
     # Check we didn't include any root servers
-    refute_line --partial 'IN\WNS\W\.root-servers\.net\.'
+    refute_line --partial 'root-servers.net'
 }
diff --git a/test/u6-test-get_auth_dns-no-root-servers.bats b/test/u6-test-get_auth_dns-no-root-servers.bats
deleted file mode 100644
index 84012c3..0000000
--- a/test/u6-test-get_auth_dns-no-root-servers.bats
+++ /dev/null
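Review bot: In the first hunk, `setup()` copies `/etc/resolv.conf` to `/etc/resolv.conf.getssl` unconditionally, so if one test is aborted before `teardown()` runs, the next `setup()` overwrites the backup with the already-rewritten file and the system's original resolver configuration is lost for the rest of the run. Guarding the copy, `[ -f /etc/resolv.conf.getssl ] || cp /etc/resolv.conf /etc/resolv.conf.getssl`, and removing the backup in `teardown()` once it has been restored keeps the first copy authoritative. Because this setup now rewrites the host's resolver to 8.8.8.8 and the existing loop renames binaries under /usr/bin, a comment at the top of `setup()` such as `# Mutates /etc/resolv.conf and /usr/bin — only run inside the disposable test container` would make the blast radius explicit to whoever runs the suite next. The bodies of setup() and teardown() continue outside these hunks.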
@@ -1,99 +0,0 @@
-#! /usr/bin/env bats
-
-load '/bats-support/load.bash'
-load '/bats-assert/load.bash'
-load '/getssl/test/test_helper.bash'
-
-
-# This is run for every test
-setup() {
-    for app in dig host nslookup
-    do
-        if [ -f /usr/bin/${app} ]; then
-            mv /usr/bin/${app} /usr/bin/${app}.getssl.bak
-        fi
-    done
-
-    . /getssl/getssl --source
-    find_dns_utils
-    _RUNNING_TEST=1
-    _USE_DEBUG=0
-}
-
-
-teardown() {
-    for app in dig host nslookup
-    do
-        if [ -f /usr/bin/${app}.getssl.bak ]; then
-            mv /usr/bin/${app}.getssl.bak /usr/bin/${app}
-        fi
-    done
-}
-
-
-@test "Check get_auth_dns doesn't include root servers (drill NS)" {
-    if [ ! -f /usr/bin/drill ]; then
-        # Can't find drill package for centos8
-        skip "Drill not installed on this system"
-    fi
-
-    # Test that get_auth_dns() handles scenario where NS query returns root servers
-    # Issue #617
-    #
-    # Log output was:
-    # Verifying example.com
-    # checking DNS at h.root-servers.net for example.com. Attempt 1/100 gave wrong result, waiting 10 secs before checking again
-    # ... (retried until max attempts then failed)
-
-    # Disable CNAME check, ensure SOA check is enabled
-    _TEST_SKIP_CNAME_CALL=1
-    _TEST_SKIP_SOA_CALL=1
-
-    PUBLIC_DNS_SERVER=8.8.8.8
-    CHECK_PUBLIC_DNS_SERVER=false
-    CHECK_ALL_AUTH_DNS=true
-
-    run get_auth_dns example.com
-
-    # Assert that we've found the primary_ns server
-    assert_output --regexp 'set primary_ns = '
-    # Assert that we had to use drill NS
-    assert_line --partial 'Using drill NS'
-
-    # Check we didn't include any root servers
-    refute_line --partial 'IN\WNS\W\.root-servers\.net\.'
-}
-
-
-@test "Check get_auth_dns doesn't include root servers (drill SOA)" {
-    if [ ! -f /usr/bin/drill ]; then
-        # Can't find drill package for centos8
-        skip "Drill not installed on this system"
-    fi
-
-    # Test that get_auth_dns() handles scenario where NS query returns root servers
-    # Issue #617
-    #
-    # Log output was:
-    # Verifying example.com
-    # checking DNS at h.root-servers.net for example.com. Attempt 1/100 gave wrong result, waiting 10 secs before checking again
-    # ... (retried until max attempts then failed)
-
-    # Disable SOA and CNAME check
-    _TEST_SKIP_CNAME_CALL=1
-    _TEST_SKIP_SOA_CALL=0
-
-    PUBLIC_DNS_SERVER=8.8.8.8
-    CHECK_PUBLIC_DNS_SERVER=false
-    CHECK_ALL_AUTH_DNS=true
-
-    run get_auth_dns example.com
-
-    # Assert that we've found the primary_ns server
-    assert_output --regexp 'set primary_ns = '
-    # Assert that we had to use drill SOA
-    assert_line --partial 'Using drill SOA'
-
-    # Check we didn't include any root servers
-    refute_line --partial 'IN\WNS\W\.root-servers\.net\.'
-}

From a1d4eb00ccb8102faf8c4ae3095c49a060913c4f Mon Sep 17 00:00:00 2001
From: Tim Kimber
Date: Tue, 29 Dec 2020 21:39:50 +0000
Subject: [PATCH 5/5] Update version and revision history

---
 getssl | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/getssl b/getssl
index afa5fba..a20a9bd 100755
--- a/getssl
+++ b/getssl
@@ -247,11 +247,12 @@
 # 2020-12-18 Wrong SANS when domain contains a minus character (atisne)
 # 2020-12-22 Fixes to get_auth_dns
 # 2020-12-22 Check that dig doesn't return an error (#611)(2.32)
+# 2020-12-29 Fix dig SOA lookup (#617)(2.33)
 # ----------------------------------------------------------------------------------------
 
 PROGNAME=${0##*/}
 PROGDIR="$(cd "$(dirname "$0")" || exit; pwd -P;)"
-VERSION="2.32"
+VERSION="2.33"
 
 # defaults
 ACCOUNT_KEY_LENGTH=4096