diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 085707d..4e762ab 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -12,8 +12,6 @@ cache: before_script: - docker info - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY - only: - - tags tags: - share @@ -33,9 +31,6 @@ cache: - chmod +x ./ci/travis.sh tags: - share - only: - - tags - images_build: stage: build @@ -44,14 +39,17 @@ images_build: UNITTEST_IMAGE_TAG: unittest-tsg-diagnose:latest WPR_IMAGE_TAG: wpr-tsg-diagnose:latest BADSSL_IMAGE_TAG: badssl-tsg-diagnose:latest + DNS_IMAGES_TAGE: dns-server-diagnose:latest script: - mkdir -p images - docker build -t $UNITTEST_IMAGE_TAG -f ./unittest_python/Dockerfile ./unittest_python/ - docker save $UNITTEST_IMAGE_TAG > images/unittest.tar - docker build -t $WPR_IMAGE_TAG -f ./wpr_golang/Dockerfile ./wpr_golang/ - docker save $WPR_IMAGE_TAG > images/wpr.tar - - docker build -t $BADSSL_IMAGE_TAG -f ./badssl.com/Dockerfile ./badssl.com/ - - docker save $BADSSL_IMAGE_TAG > images/badssl.tar + #- docker build -t $BADSSL_IMAGE_TAG -f ./badssl.com/Dockerfile ./badssl.com/ + #- docker save $BADSSL_IMAGE_TAG > images/badssl.tar + - docker build -t $DNS_IMAGES_TAGE -f ./dnsmasq/Dockerfile ./dnsmasq + - docker save $DNS_IMAGES_TAGE > images/dns.tar rpm_build: diff --git a/cmake/Package.cmake b/cmake/Package.cmake index 850ad44..aef4ae8 100644 --- a/cmake/Package.cmake +++ b/cmake/Package.cmake @@ -25,6 +25,7 @@ install(FILES docker-compose/docker-compose.yml DESTINATION ./compose) install(FILES unittest_python/unittest/etc/tsg-diagnose.config DESTINATION ./etc) install(FILES wpr_golang/wpr/wpr_cert.pem DESTINATION ./etc) install(FILES docker-compose/tsg-diagnose.service DESTINATION /usr/lib/systemd/system) +install(FILES dnsmasq/config/dnsmasq.conf DESTINATION /opt/tsg/tsg-diagnose/etc/) install(DIRECTORY images/ DESTINATION ./images) install(DIRECTORY deploy/ DESTINATION ./deploy) 
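Review bot: The badssl build and save steps in images_build are commented out, but cmake/PostInstall.in still runs `docker load < /opt/tsg/tsg-diagnose/images/badssl.tar` and cmake/Package.cmake still packages images/, so a fresh pipeline produces an RPM whose post-install either fails on the missing tar or, if a stale images/badssl.tar survives the CI cache, loads an outdated badssl image. Either restore the two badssl lines or drop the badssl load/rmi lines from PostInstall.in and PostunInstall.in in the same commit. The new variable `DNS_IMAGES_TAGE` is misspelled; `DNS_IMAGE_TAG` matches the other three names. Removing `only: tags` from both jobs also means every branch push now logs into the registry with the job token and builds images — presumably intended, but worth stating in the commit message.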
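Review bot: The installed file is `dnsmasq/config/dnsmasq.conf`, but the image built by dnsmasq/Dockerfile copies `dnsmasq/dnsmasq.conf`, which differs: it adds the 4test/5test address entries and `local-ttl=60`, which the new TTL and www.4test-* checks in unittest_python/unittest/tsg_diagnose.py depend on. Nothing visible in docker-compose/docker-compose.yml mounts /opt/tsg/tsg-diagnose/etc/dnsmasq.conf into the dns_server container, so the installed copy appears unused and will drift from the baked-in one. Keep a single config file (for example COPY config/dnsmasq.conf in the Dockerfile and install that same file), and use the relative `DESTINATION ./etc` like the neighbouring install() lines rather than a hard-coded absolute path.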
diff --git a/cmake/PostInstall.in b/cmake/PostInstall.in
index be8ce76..6fb746d 100644
--- a/cmake/PostInstall.in
+++ b/cmake/PostInstall.in
@@ -3,7 +3,9 @@ if [ $1 == 2 ]; then
 docker rmi -f badssl-tsg-diagnose
 docker rmi -f unittest-tsg-diagnose
 docker rmi -f wpr-tsg-diagnose
+ docker rmi -f dns-server-diagnose
 fi
 docker load < /opt/tsg/tsg-diagnose/images/badssl.tar
 docker load < /opt/tsg/tsg-diagnose/images/unittest.tar
-docker load < /opt/tsg/tsg-diagnose/images/wpr.tar
\ No newline at end of file
+docker load < /opt/tsg/tsg-diagnose/images/wpr.tar
+docker load < /opt/tsg/tsg-diagnose/images/dns.tar
diff --git a/cmake/PostunInstall.in b/cmake/PostunInstall.in
index 3fc02fc..3251a06 100644
--- a/cmake/PostunInstall.in
+++ b/cmake/PostunInstall.in
@@ -2,4 +2,5 @@ if [ $1 == 0 ]; then
 docker rmi -f badssl-tsg-diagnose
 docker rmi -f unittest-tsg-diagnose
 docker rmi -f wpr-tsg-diagnose
-fi
\ No newline at end of file
+ docker rmi -f dns-server-diagnose
+fi
diff --git a/dnsmasq/Dockerfile b/dnsmasq/Dockerfile
new file mode 100644
index 0000000..f1398b8
--- /dev/null
+++ b/dnsmasq/Dockerfile
@@ -0,0 +1,19 @@
+FROM alpine:latest as builder
+RUN set -eux && sed -i 's/dl-cdn.alpinelinux.org/mirrors.ustc.edu.cn/g' /etc/apk/repositories
+LABEL maintainer="dev@jpillora.com"
+# webproc release settings
+ENV WEBPROC_VERSION 0.2.2
+ENV WEBPROC_URL https://github.com/jpillora/webproc/releases/download/$WEBPROC_VERSION/webproc_linux_amd64.gz
+# fetch dnsmasq and webproc binary
+RUN apk update \
+ && apk --no-cache add dnsmasq \
+ && apk add --no-cache --virtual .build-deps curl \
+ && curl -sL $WEBPROC_URL | gzip -d - > /usr/local/bin/webproc \
+ && chmod +x /usr/local/bin/webproc \
+ && apk del .build-deps
+#configure dnsmasq
+RUN mkdir -p /etc/default/
+RUN echo -e "ENABLED=1\nIGNORE_RESOLVCONF=yes" > /etc/default/dnsmasq
+COPY dnsmasq.conf /etc/dnsmasq.conf
+#run!
+ENTRYPOINT ["webproc","--config","/etc/dnsmasq.conf","--","dnsmasq","--no-daemon"]
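Review bot: The webproc binary is fetched with `curl -sL $WEBPROC_URL | gzip -d - > /usr/local/bin/webproc` and then run as the container entrypoint without any integrity check, and the base image is the floating `alpine:latest`, so the build is not reproducible and a changed release asset would go unnoticed. Record the expected digest, e.g. `ENV WEBPROC_SHA256 <sha256-of-release-asset>` and `&& echo "$WEBPROC_SHA256  /usr/local/bin/webproc" | sha256sum -c -` before the chmod, and pin the base image to a specific Alpine tag. `LABEL maintainer="dev@jpillora.com"` and the `as builder` stage name look carried over from the upstream jpillora/dnsmasq image: there is only one stage here, and the label should name this project's maintainer. Going by the README added in this commit, webproc's configuration UI accepts credentials only through HTTP_USER/HTTP_PASS, which nothing here sets, so a comment should state that the image is intended solely for the isolated test network.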
diff --git a/dnsmasq/README.md b/dnsmasq/README.md
new file mode 100644
index 0000000..baa82db
--- /dev/null
+++ b/dnsmasq/README.md
@@ -0,0 +1,84 @@ +# docker-dnsmasq + +dnsmasq in a docker container, configurable via a [simple web UI](https://github.com/jpillora/webproc) + +[![Docker Pulls](https://img.shields.io/docker/pulls/jpillora/dnsmasq.svg)][dockerhub] +[![Image Size](https://images.microbadger.com/badges/image/jpillora/dnsmasq.svg)][dockerhub] + +### Usage + +1. Create a [`/opt/dnsmasq.conf`](http://oss.segetech.com/intra/srv/dnsmasq.conf) file on the Docker host + + ```ini + #dnsmasq config, for a complete example, see: + # http://oss.segetech.com/intra/srv/dnsmasq.conf + #log all dns queries + log-queries + #dont use hosts nameservers + no-resolv + #use cloudflare as default nameservers, prefer 1^4 + server=1.0.0.1 + server=1.1.1.1 + strict-order + #serve all .company queries using a specific nameserver + server=/company/10.0.0.1 + #explicitly define host-ip mappings + address=/myhost.company/10.0.0.2 + ``` + +1. Run the container + + ``` + $ docker run \ + --name dnsmasq \ + -d \ + -p 53:53/udp \ + -p 5380:8080 \ + -v /opt/dnsmasq.conf:/etc/dnsmasq.conf \ + --log-opt "max-size=100m" \ + -e "HTTP_USER=foo" \ + -e "HTTP_PASS=bar" \ + --restart always \ + jpillora/dnsmasq + ``` + +1. Visit `http://:5380`, authenticate with `foo/bar` and you should see + + screen shot 2017-10-15 at 1 41 21 am + +1. 
Test it out with + + ``` + $ host myhost.company + Using domain server: + Name: + Address: #53 + Aliases: + + myhost.company has address 10.0.0.2 + ``` + +#### MIT License + +Copyright © 2018 Jaime Pillora <dev@jpillora.com> + +Permission is hereby granted, free of charge, to any person obtaining +a copy of this software and associated documentation files (the +'Software'), to deal in the Software without restriction, including +without limitation the rights to use, copy, modify, merge, publish, +distribute, sublicense, and/or sell copies of the Software, and to +permit persons to whom the Software is furnished to do so, subject to +the following conditions: + +The above copyright notice and this permission notice shall be +included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY +CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, +TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE +SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +[dockerhub]: https://hub.docker.com/r/jpillora/dnsmasq/ diff --git a/dnsmasq/config/dnsmasq.conf b/dnsmasq/config/dnsmasq.conf new file mode 100644 index 0000000..e782b53 --- /dev/null +++ b/dnsmasq/config/dnsmasq.conf @@ -0,0 +1,10 @@ +#dns解析日志 +log-queries +#域名与IP映射 +address=/www.1test-ipv4.com/10.1.2.3 +address=/www.2test-ipv4.com/20.1.2.3 +address=/www.3test-ipv4.com/30.1.2.3 +address=/www.1test-ipv6.com/11aa:11:22::33 +address=/www.2test-ipv6.com/22aa:11:22::33 +address=/www.3test-ipv6.com/33aa:11:22::33 +cname=www.1test-cname.com,www.1testanswer-cname.com diff --git a/dnsmasq/dnsmasq.conf b/dnsmasq/dnsmasq.conf new file mode 100644 index 0000000..5cd4fa5 --- /dev/null +++ b/dnsmasq/dnsmasq.conf 
@@ -0,0 +1,17 @@ +#dns解析日志 +log-queries +#域名与IP映射 +address=/www.1test-ipv4.com/10.1.2.3 +address=/www.2test-ipv4.com/20.1.2.3 +address=/www.3test-ipv4.com/30.1.2.3 +address=/www.4test-ipv4.com/40.1.2.3 +address=/www.5test-ipv4.com/50.1.2.3 +address=/www.1test-ipv6.com/11aa:11:22::33 +address=/www.2test-ipv6.com/22aa:11:22::33 +address=/www.3test-ipv6.com/33aa:11:22::33 +address=/www.4test-ipv6.com/44aa:11:22::33 +address=/www.5test-ipv6.com/55aa:11:22::33 +cname=www.1test-cname.com,www.1testanswer-cname.com + +#设置time-to-live的时间,如果未设置返回0 +local-ttl=60 diff --git a/docker-compose/docker-compose.yml b/docker-compose/docker-compose.yml index 38e9407..9fd751f 100644 --- a/docker-compose/docker-compose.yml +++ b/docker-compose/docker-compose.yml @@ -45,13 +45,37 @@ services: arp -i eth0 -s 192.0.2.3 02:42:C0:A8:FD:03 /root/wpr/wpr replay --http_port=80 --https_port=443 --host=0.0.0.0 --quiet_mode /root/wpr/archive.wprgo & tail -f /dev/null - + + dns_server: + image: "dns-server-diagnose:latest" + container_name: "dns-server-diagnose" + tty: true + privileged: true + networks: + vlan_ssl_net: + ipv4_address: 192.0.2.135 + ipv6_address: fd00:a1bf:2c3d:ef5a:1e2f:3d4c:56ab:1015 + bridge_net: + ipv4_address: 192.51.100.5 + volumes: + - /etc/localtime:/etc/localtime:ro + entrypoint: /bin/sh + command: + - -c + - | + ifconfig eth0 hw ether 02:42:C0:A8:FD:85 + arp -i eth0 -s 192.0.2.3 02:42:C0:A8:FD:03 + echo 66.66.66.66 www.1testanswer-cname.com >> /etc/hosts + webproc --config /etc/dnsmasq.conf -- dnsmasq --no-daemon & + tail -f /dev/null + unittest_client: image: "unittest-tsg-diagnose:latest" container_name: "unittest_tsg-diagnose" depends_on: - badssl_server - wpr_server + - dns_server tty: true privileged: true networks: 
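Review bot: The new dns_server service runs with `privileged: true`, which hands the container every capability and host device although its entrypoint only needs CAP_NET_ADMIN for `ifconfig eth0 hw ether` and `arp -s`; `cap_add: [NET_ADMIN]` in place of the privileged flag is enough (the existing services carry the same flag, but this one is new and is the only one accepting unsolicited traffic on 53/udp). webproc is started with `--config /etc/dnsmasq.conf` and no HTTP_USER/HTTP_PASS, so, going by the README added in this commit, its configuration-editing UI on port 8080 is reachable without authentication from both vlan_ssl_net and bridge_net; set the credentials via `environment:` or start dnsmasq directly without webproc, since nothing in the tests uses the UI. The `echo 66.66.66.66 www.1testanswer-cname.com >> /etc/hosts` line is the only place that gives the CNAME target an address, which is easy to miss when editing dnsmasq.conf; a comment next to the `cname=` line there pointing at this entrypoint would keep the test data discoverable.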
@@ -74,6 +98,7 @@ services: ifconfig eth0 hw ether 02:42:C0:A8:FD:03 arp -i eth0 -s 192.0.2.130 02:42:c0:a8:fd:82 arp -i eth0 -s 192.0.2.131 02:42:C0:A8:FD:83 + arp -i eth0 -s 192.0.2.135 02:42:C0:A8:FD:85 mkdir -p /root/result_tsg_diagnose/unittest mkdir -p /root/result_tsg_diagnose/conn_traffic_status cp -rf /root/cafile_dict/certs/sets/current/gen/crt/ca-root.crt /usr/local/share/ca-certificates @@ -83,6 +108,7 @@ services: echo '0 2 * * * /usr/local/bin/python /root/unittest/clear_file_timeout.py -d /root/result_tsg_diagnose/conn_traffic_status' > /etc/crontabs/root crond python /root/unittest/tsg_diagnose.py -l -w NEZHA + tail -f /dev/null networks: @@ -99,7 +125,7 @@ networks: driver: macvlan enable_ipv6: true driver_opts: - parent: enp1s1 + parent: eth_vf_dign_s ipam: config: - subnet: 192.0.2.0/24 @@ -114,7 +140,7 @@ networks: driver: macvlan enable_ipv6: true driver_opts: - parent: ens1f1 + parent: eth_vf_dign_c ipam: config: - subnet: 192.0.2.0/24 diff --git a/unittest_python/Dockerfile b/unittest_python/Dockerfile index 2e4bb45..a146ee1 100644 --- a/unittest_python/Dockerfile +++ b/unittest_python/Dockerfile @@ -10,7 +10,8 @@ RUN sed -i s@/dl-cdn.alpinelinux.org/@/mirrors.ustc.edu.cn/@g /etc/apk/repositor && pip3 install pycurl \ && pip3 install httpstat \ && pip3 install CIUnitTest \ - && pip3 install pytelegraf + && pip3 install pytelegraf \ + && pip3 install dnspython WORKDIR /root/unittest diff --git a/unittest_python/unittest/etc/tsg-diagnose.config b/unittest_python/unittest/etc/tsg-diagnose.config index b9e2108..d8cd740 100644 --- a/unittest_python/unittest/etc/tsg-diagnose.config +++ b/unittest_python/unittest/etc/tsg-diagnose.config 
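Review bot: `pip3 install dnspython` is unpinned, like the existing pip lines, so every image rebuild pulls whatever version is current; the new code in tsg_diagnose.py calls `Resolver.query`, which, as far as I know, dnspython 2.x deprecates in favour of `resolve`, so an unpinned rebuild can change behaviour without any source change. Pin it, `&& pip3 install dnspython==<version-tested>`, and preferably move all the pip lines to a requirements file installed with `pip3 install --require-hashes -r requirements.txt` so the image contents are reproducible.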
@@ -6,6 +6,47 @@ conn_timeout = 1 #max_recv_speed_large byte/s max_recv_speed_large = 6553600 +[test_dnsRequest_deny_drop] +enabled = 1 +conn_timeout = 3 +max_recv_speed_large = 6553600 + +[test_dnsRequest_deny_redirect_a] +enabled = 1 +conn_timeout = 3 +max_recv_speed_large = 6553600 + +[test_dnsRequest_deny_redirect_aaaa] +enabled = 1 +conn_timeout = 3 +max_recv_speed_large = 6553600 + +[test_dnsRequest_deny_redirect_a_range_ttl] +enabled = 1 +conn_timeout = 3 +max_recv_speed_large = 6553600 + +[test_dnsRequest_deny_redirect_aaaa_range_ttl] +enabled = 1 +conn_timeout = 3 +max_recv_speed_large = 6553600 + + +[test_dnsRequest_allow_rdtype_a] +enabled = 1 +conn_timeout = 3 +max_recv_speed_large = 6553600 + +[test_dnsRequest_allow_rdtype_aaaa] +enabled = 1 +conn_timeout = 3 +max_recv_speed_large = 6553600 + +[test_dnsRequest_allow_rdtype_cname] +enabled = 1 +conn_timeout = 3 +max_recv_speed_large = 6553600 + [test_securityPolicy_intercept] enabled = 1 conn_timeout = 1 diff --git a/unittest_python/unittest/tsg_diagnose.py b/unittest_python/unittest/tsg_diagnose.py index 6a83d0b..cf3a7a3 100644 --- a/unittest_python/unittest/tsg_diagnose.py +++ b/unittest_python/unittest/tsg_diagnose.py 
@@ -13,9 +13,20 @@ from telegraf.client import TelegrafClient import hashlib from configparser import ConfigParser import random +import dns.exception +import dns.resolver +import sys suite_test_config_dict = {'test_securityPolicy_bypass': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600}, + 'test_dnsRequest_deny_drop': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600}, + 'test_dnsRequest_deny_redirect_a': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600}, + 'test_dnsRequest_deny_redirect_aaaa': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600}, + 'test_dnsRequest_deny_redirect_a_range_ttl': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600}, + 'test_dnsRequest_deny_redirect_aaaa_range_ttl': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600}, + 'test_dnsRequest_allow_rdtype_a': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600}, + 'test_dnsRequest_allow_rdtype_aaaa': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600}, + 'test_dnsRequest_allow_rdtype_cname': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600}, 'test_securityPolicy_intercept': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600}, 'test_securityPolicy_intercept_certerrExpired': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600}, 'test_securityPolicy_intercept_certerrSelf_signed': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600}, 
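Review bot: The eight new suite_test_config_dict entries set `'conn_timeout':1`, whereas unittest_python/unittest/etc/tsg-diagnose.config sets `conn_timeout = 3` for the same sections and DNSCheckRequestBuild hard-codes `float(3)` for both resolver timeout and lifetime, so the three places disagree and, as far as the visible hunks show, the configured value is never read by the DNS checks. Pick one source: if the config should govern, pass its conn_timeout into the resolver; otherwise make the dict and the config file agree. `import sys` is added but not used in any visible hunk; drop it unless a part of the file outside this diff needs it.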
@@ -123,6 +134,215 @@ URLSslFirewallAllow = "https://sha512.badssl.self-test.geedge.net" URLSslFirewallDenyDrop = "https://rsa2048.badssl.self-test.geedge.net" URLSslFirewallDenyRst = "https://rsa4096.badssl.self-test.geedge.net" +DNS_SERVER_ALLOW_TTL = 60 +DNS_SERVER_REDIRECT_TTL = 333 +DNS_SERVER_REDIRECT_RANGE_LOW = 400 +DNS_SERVER_REDIRECT_RANGE_HIGH = 500 +DNS_SERVER_IP = ["192.0.2.135"] +DnsRequestFirewallDenyDrop = "Dns request timeout is deny drop sucess" +DnsARequestFireWallDenyRedirect = "Dns rdtype A request is deny reidrect sucess" +DnsAAAARequestFireWallDenyRedirect = "Dns rdtype AAAA request is deny redirect sucess" +DnsARequestFireWallDenyRedirectRangTTL = "Dns rdtype A request is deny reidrect and range ttl sucess" +DnsAAAARequestFireWallDenyRedirectRangTTL = "Dns rdtype AAAA request is deny redirect and range ttl sucess" +DnsARequestFirewallAllow = "Dns rdtype A request data is sucess" +DnsAAAARequestFirewallAllow = "Dns rdtype AAAA request data is sucess" +DnsCNAMERequestFirewallAllow = "Dns rdtype CNAME request data is sucess" + + +class DNSCheckRequestBuild: + def dns_action_deny_subaction_drop(self): + dns_resolver=dns.resolver.Resolver() + dns_resolver.nameservers = DNS_SERVER_IP + dns_resolver.timeout = float(3) + dns_resolver.lifetime = float(3) + + try: + dns_answer = dns_resolver.query("www.3test-ipv4.com", 'A') + except dns.exception.DNSException as errorinfo: + if type(errorinfo) == dns.exception.Timeout: + raise Exception(DnsRequestFirewallDenyDrop) + else: + raise Exception("Error: The dns_action_deny_subaction_drop check failure, code: %s" % errorinfo) + else: + raise Exception("Error: The dns_action_deny_subaction_drop test deny drop failure" ) + + def dns_action_deny_subaction_redirect_a(self): + dns_resolver=dns.resolver.Resolver() + dns_resolver.nameservers = DNS_SERVER_IP + dns_resolver.timeout = float(3) + dns_resolver.lifetime = float(3) + + try: + dns_answer = dns_resolver.query("www.2test-ipv4.com", 'A') + except 
dns.exception.DNSException as errorinfo: + raise Exception("Error: The dns_action_deny_subaction_redirect_a check failure, code: %s" % errorinfo) + else: # drop-redirect and respond rdtype A ipv4 + if dns_answer.rrset.ttl != DNS_SERVER_REDIRECT_TTL: + raise Exception("Error: The dns_action_deny_subaction_redirect_a check failure: ttl(%s) is not DNS_SERVER_REDIRECT_TTL(%d)"%(dns_answer.rrset.ttl, DNS_SERVER_REDIRECT_TTL)) + return + for i in dns_answer.response.answer: + for j in i.items: + if j.rdtype == 1: #'rdtype is A: ipv4' + if j.address == "99.99.99.99": + raise Exception(DnsARequestFireWallDenyRedirect) + else: + raise Exception("Error: The dns request rdtype A drop redirect check failure: respond value error") + else: + raise Exception("Error: The dns request rdtype A drop redirect check failure: respond rdtype error") + + def dns_action_deny_subaction_redirect_aaaa(self): + dns_resolver=dns.resolver.Resolver() + dns_resolver.nameservers = DNS_SERVER_IP + dns_resolver.timeout = float(3) + dns_resolver.lifetime = float(3) + + try: + dns_answer = dns_resolver.query("www.2test-ipv6.com", 'AAAA') + except dns.exception.DNSException as errorinfo: + raise Exception("Error: The dns_action_deny_subaction_redirect_aaaa check failure, code: %s" % errorinfo) + else: # drop-redirect and respond rdtype A ipv6 + if dns_answer.rrset.ttl != DNS_SERVER_REDIRECT_TTL: + raise Exception("Error: The dns_action_deny_subaction_redirect_aaaa check failure: ttl(%s) is not DNS_SERVER_REDIRECT_TTL(%d)"%(dns_answer.rrset.ttl, DNS_SERVER_REDIRECT_TTL)) + return + + for i in dns_answer.response.answer: + for j in i.items: + if j.rdtype == 28: #'rdtype is A: ipv6' + if j.address == "99:99::99:99": + raise Exception(DnsAAAARequestFireWallDenyRedirect) + else: + raise Exception("Error: The dns request rdtype AAAA drop redirect check failure: respond value error") + else: + raise Exception("Error: The dns request rdtype AAAA drop redirect check failure: respond rdtype error") + + def 
dns_action_deny_subaction_redirect_a_rang_ttl(self): + dns_resolver=dns.resolver.Resolver() + dns_resolver.nameservers = DNS_SERVER_IP + dns_resolver.timeout = float(3) + dns_resolver.lifetime = float(3) + + try: + dns_answer = dns_resolver.query("www.4test-ipv4.com", 'A') + except dns.exception.DNSException as errorinfo: + raise Exception("Error: The dns_action_deny_subaction_redirect_a_rang_ttl check failure, code: %s" % errorinfo) + else: # drop-redirect and respond rdtype A ipv4 + if DNS_SERVER_REDIRECT_RANGE_LOW > dns_answer.rrset.ttl or dns_answer.rrset.ttl > DNS_SERVER_REDIRECT_RANGE_HIGH: + raise Exception("Error: The dns_action_deny_subaction_redirect_a_rang_ttl check failure: ttl(%d) is not DNS_SERVER_REDIRECT_RANG_TTL(%d-%d)"%(dns_answer.rrset.ttl,DNS_SERVER_REDIRECT_RANGE_LOW, DNS_SERVER_REDIRECT_RANGE_HIGH)) + return + + for i in dns_answer.response.answer: + for j in i.items: + if j.rdtype == 1: #'rdtype is A: ipv4' + if j.address == "99.99.99.99": + raise Exception(DnsARequestFireWallDenyRedirectRangTTL) + else: + raise Exception("Error: The dns request rdtype A drop redirect range ttl check failure: respond value error") + else: + raise Exception("Error: The dns request rdtype A drop redirect range ttl check failure: respond rdtype error") + + def dns_action_deny_subaction_redirect_aaaa_rang_ttl(self): + dns_resolver=dns.resolver.Resolver() + dns_resolver.nameservers = DNS_SERVER_IP + dns_resolver.timeout = float(3) + dns_resolver.lifetime = float(3) + + try: + dns_answer = dns_resolver.query("www.4test-ipv6.com", 'AAAA') + except dns.exception.DNSException as errorinfo: + raise Exception("Error: The dns_action_deny_subaction_redirect_aaaa range ttl check failure, code: %s" % errorinfo) + else: # drop-redirect and respond rdtype A ipv6 + if DNS_SERVER_REDIRECT_RANGE_LOW > dns_answer.rrset.ttl or dns_answer.rrset.ttl > DNS_SERVER_REDIRECT_RANGE_HIGH: + raise Exception("Error: The dns_action_deny_subaction_redirect_aaaa_rang_ttl check failure: ttl(%d) 
is not DNS_SERVER_REDIRECT_RANG_TTL(%d-%d)"%(dns_answer.rrset.ttl, DNS_SERVER_REDIRECT_RANGE_LOW, DNS_SERVER_REDIRECT_RANGE_HIGH)) + return + + for i in dns_answer.response.answer: + for j in i.items: + if j.rdtype == 28: #'rdtype is A: ipv6' + if j.address == "99:99::99:99": + raise Exception(DnsAAAARequestFireWallDenyRedirectRangTTL) + else: + raise Exception("Error: The dns request rdtype AAAA drop redirect check failure: respond value error") + else: + raise Exception("Error: The dns request rdtype AAAA drop redirect check failure: respond rdtype error") + + + + def dns_action_allow_rdtype_a(self): + dns_resolver=dns.resolver.Resolver() + dns_resolver.nameservers = DNS_SERVER_IP + dns_resolver.timeout = float(3) + dns_resolver.lifetime = float(3) + + try: + dns_answer = dns_resolver.query("www.1test-ipv4.com", 'A') + except dns.exception.DNSException as errorinfo: + raise Exception("Error: The dns request rdtype A allow check failure, code: %s" % errorinfo) + else: + if dns_answer.rrset.ttl != DNS_SERVER_ALLOW_TTL: + raise Exception("Error: The dns request rdtype A allow check failure: ttl(%d) is not DNS_SERVER_ALLOW_TTL(%d)"%(dns_answer.rrset.ttl, DNS_SERVER_ALLOW_TTL)) + return + + for i in dns_answer.response.answer: + for j in i.items: + if j.rdtype == 1: #'rdtype is A: ipv4' + if j.address == "10.1.2.3": + raise Exception(DnsARequestFirewallAllow) + else: + raise Exception("Error: The dns request rdtype A allow check failure: respond value error") + + else: + raise Exception("Error: The dns request rdtype A allow check failure: respond rdtype error") + + def dns_action_allow_rdtype_aaaa(self): + dns_resolver=dns.resolver.Resolver() + dns_resolver.nameservers = DNS_SERVER_IP + dns_resolver.timeout = float(3) + dns_resolver.lifetime = float(3) + + try: + dns_answer = dns_resolver.query("www.1test-ipv6.com", 'AAAA') + except dns.exception.DNSException as errorinfo: + raise Exception("Error: The dns request rdtype AAAA allow check failure, code: %s" % 
errorinfo) + else: + if dns_answer.rrset.ttl != DNS_SERVER_ALLOW_TTL: + raise Exception("Error: The dns request rdtype A allow check failure: ttl(%d) is not DNS_SERVER_ALLOW_TTL(%d)"%(dns_answer.rrset.ttl, DNS_SERVER_ALLOW_TTL)) + return + + for i in dns_answer.response.answer: + for j in i.items: + if j.rdtype == 28: #'rdtype is AAAA: ipv6' + if j.address == "11aa:11:22::33": + raise Exception(DnsAAAARequestFirewallAllow) + else: + raise Exception("Error: The dns request rdtype AAAA allow check failure: respond value error") + else: + raise Exception("Error: The dns request rdtype AAAA allow check failure: response rdtype error") + + def dns_action_allow_rdtype_cname(self): + dns_resolver=dns.resolver.Resolver() + dns_resolver.nameservers = DNS_SERVER_IP + dns_resolver.timeout = float(3) + dns_resolver.lifetime = float(3) + + try: + dns_answer = dns_resolver.query("www.1test-cname.com", 'CNAME') + except dns.exception.DNSException as errorinfo: + raise Exception("Error: The dns request rdtype CNAME allow check failure, code: %s" % errorinfo) + else: + if dns_answer.rrset.ttl != DNS_SERVER_ALLOW_TTL: + raise Exception("Error: The dns request rdtype A allow check failure: ttl(%d) is not DNS_SERVER_ALLOW_TTL(%d)"%(dns_answer.rrset.ttl, DNS_SERVER_ALLOW_TTL)) + return + + for i in dns_answer.response.answer: + for j in i.items: + if j.rdtype == 5: #'CNAME: tag(www.xxx.com)' + m=str(j) + if m == "www.1testanswer-cname.com.": + raise Exception(DnsCNAMERequestFirewallAllow) + else: + raise Exception("Error: The dns request rdtype CNAME allow check failure: respond value error") + else: + raise Exception("Error: The dns request rdtype CNAME allow check failure: respond rdtype error") class SSLCheckRequestBuild: 
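Review bot: Every method of DNSCheckRequestBuild repeats the same four-line resolver setup and the same `for i in dns_answer.response.answer: for j in i.items:` walk, and each `return` placed after a `raise` is unreachable, since the method has already raised by then. In dns_action_deny_subaction_drop, `type(errorinfo) == dns.exception.Timeout` should be `isinstance(errorinfo, dns.exception.Timeout)` so that subclasses (newer dnspython raises dns.resolver.LifetimeTimeout when the lifetime expires, if I recall correctly) are still recognised as the expected drop. Because the record loops raise on the first item, only the first record of the first answer RRset is ever examined, and a response that carries a CNAME RRset ahead of the A RRset would land in the rdtype-error branch; iterating `dns_answer.rrset`, the RRset for the requested type, avoids that. Factoring the resolver construction and the query/error wrapping into two private helpers roughly halves the class; a sketch for one method follows, with the class header, dns_action_deny_subaction_drop (which must inspect the exception type itself) and the other six methods rewritten the same way left out.
```python
class DNSCheckRequestBuild:
    def _make_resolver(self):
        """Resolver pointed only at the test DNS server, 3 s per try and in total."""
        resolver = dns.resolver.Resolver(configure=False)  # do not read the container's resolv.conf
        resolver.nameservers = DNS_SERVER_IP
        resolver.timeout = 3.0
        resolver.lifetime = 3.0
        return resolver

    def _query(self, name, rdtype, step):
        """Run one query; wrap any dnspython error in the suite's Exception style."""
        try:
            return self._make_resolver().query(name, rdtype)
        except dns.exception.DNSException as errorinfo:
            raise Exception("Error: The %s check failure, code: %s" % (step, errorinfo))

    def dns_action_deny_subaction_redirect_a(self):
        dns_answer = self._query("www.2test-ipv4.com", 'A', "dns_action_deny_subaction_redirect_a")
        if dns_answer.rrset.ttl != DNS_SERVER_REDIRECT_TTL:
            raise Exception("Error: The dns_action_deny_subaction_redirect_a check failure: ttl(%s) is not DNS_SERVER_REDIRECT_TTL(%d)" % (dns_answer.rrset.ttl, DNS_SERVER_REDIRECT_TTL))
        for record in dns_answer.rrset:  # only the RRset for the requested rdtype
            if record.rdtype != 1:  # A
                raise Exception("Error: The dns request rdtype A drop redirect check failure: respond rdtype error")
            if record.address != "99.99.99.99":
                raise Exception("Error: The dns request rdtype A drop redirect check failure: respond value error")
        raise Exception(DnsARequestFireWallDenyRedirect)

    # … unchanged: dns_action_deny_subaction_drop and the other six check methods …
```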
@@ -548,6 +768,46 @@ class SslFirewallActionBuild: class SslUnitTest(unittest.TestCase): + def test_dnsRequest_deny_drop(self): + dnsHandler = DNSCheckRequestBuild() + with self.assertRaisesRegex(Exception, DnsRequestFirewallDenyDrop): + dnsHandler.dns_action_deny_subaction_drop() + + def test_dnsRequest_deny_redirect_a(self): + dnsHandler = DNSCheckRequestBuild() + with self.assertRaisesRegex(Exception, DnsARequestFireWallDenyRedirect): + dnsHandler.dns_action_deny_subaction_redirect_a() + + def test_dnsRequest_deny_redirect_aaaa(self): + dnsHandler = DNSCheckRequestBuild() + with self.assertRaisesRegex(Exception, DnsAAAARequestFireWallDenyRedirect): + dnsHandler.dns_action_deny_subaction_redirect_aaaa() + + def test_dnsRequest_deny_redirect_a_range_ttl(self): + dnsHandler = DNSCheckRequestBuild() + with self.assertRaisesRegex(Exception, DnsARequestFireWallDenyRedirectRangTTL): + dnsHandler.dns_action_deny_subaction_redirect_a_rang_ttl() + + def test_dnsRequest_deny_redirect_aaaa_range_ttl(self): + dnsHandler = DNSCheckRequestBuild() + with self.assertRaisesRegex(Exception, DnsAAAARequestFireWallDenyRedirectRangTTL): + dnsHandler.dns_action_deny_subaction_redirect_aaaa_rang_ttl() + + def test_dnsRequest_allow_rdtype_a(self): + dnsHandler = DNSCheckRequestBuild() + with self.assertRaisesRegex(Exception, DnsARequestFirewallAllow): + dnsHandler.dns_action_allow_rdtype_a() + + def test_dnsRequest_allow_rdtype_aaaa(self): + dnsHandler = DNSCheckRequestBuild() + with self.assertRaisesRegex(Exception, DnsAAAARequestFirewallAllow): + dnsHandler.dns_action_allow_rdtype_aaaa() + + def test_dnsRequest_allow_rdtype_cname(self): + dnsHandler = DNSCheckRequestBuild() + with self.assertRaisesRegex(Exception, DnsCNAMERequestFirewallAllow): + dnsHandler.dns_action_allow_rdtype_cname() + def test_securityPolicy_bypass(self): sslHandler = SSLCheckRequestBuild() with self.assertRaisesRegex(Exception, ssl_bypass_info_re): 
@@ -764,6 +1024,14 @@ class TsgDiagnoseRun: def _init_suite(self): self.suite = unittest.TestSuite() self.suite._cleanup = False + self._add_suite('test_dnsRequest_deny_drop') + self._add_suite('test_dnsRequest_deny_redirect_a') + self._add_suite('test_dnsRequest_deny_redirect_aaaa') + self._add_suite('test_dnsRequest_deny_redirect_a_range_ttl') + self._add_suite('test_dnsRequest_deny_redirect_aaaa_range_ttl') + self._add_suite('test_dnsRequest_allow_rdtype_a') + self._add_suite('test_dnsRequest_allow_rdtype_aaaa') + self._add_suite('test_dnsRequest_allow_rdtype_cname') self._add_suite('test_securityPolicy_bypass') self._add_suite('test_securityPolicy_intercept') self._add_suite('test_securityPolicy_intercept_certerrExpired') @@ -887,4 +1155,4 @@ class TsgDiagnoseRun: if __name__ == '__main__': tsg_diagnose_run = TsgDiagnoseRun() - tsg_diagnose_run.execute_suite_tsg_diagnose() \ No newline at end of file + tsg_diagnose_run.execute_suite_tsg_diagnose()