diff options
author | Daniel Kesselberg <mail@danielkesselberg.de> | 2023-09-12 11:17:37 +0200 |
---|---|---|
committer | Daniel Kesselberg <mail@danielkesselberg.de> | 2023-09-12 14:04:23 +0200 |
commit | f8f985602b65fd5d4f1bf04939ae873c8d55b0a6 (patch) | |
tree | bc9ff8e1fc5fd68d0e4655f60357530b771509ef /tests | |
parent | 7dfeaa6901b750a85cd096539a4239b61abd4437 (diff) | |
download | nextcloud-server-f8f985602b65fd5d4f1bf04939ae873c8d55b0a6.tar.gz nextcloud-server-f8f985602b65fd5d4f1bf04939ae873c8d55b0a6.zip |
test: add tests for dns pin middleware
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
Diffstat (limited to 'tests')
-rw-r--r-- | tests/lib/Http/Client/DnsPinMiddlewareTest.php | 563 |
1 files changed, 563 insertions, 0 deletions
diff --git a/tests/lib/Http/Client/DnsPinMiddlewareTest.php b/tests/lib/Http/Client/DnsPinMiddlewareTest.php new file mode 100644 index 00000000000..2fa868e6963 --- /dev/null +++ b/tests/lib/Http/Client/DnsPinMiddlewareTest.php @@ -0,0 +1,563 @@ +<?php + +declare(strict_types=1); + +/** + * @copyright Copyright (c) 2023 Daniel Kesselberg <mail@danielkesselberg.de> + * + * @author Daniel Kesselberg <mail@danielkesselberg.de> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace lib\Http\Client; + +use GuzzleHttp\Handler\MockHandler; +use GuzzleHttp\HandlerStack; +use GuzzleHttp\Psr7\Request; +use GuzzleHttp\Psr7\Response; +use OC\Http\Client\DnsPinMiddleware; +use OC\Http\Client\NegativeDnsCache; +use OC\Memcache\NullCache; +use OC\Net\IpAddressClassifier; +use OCP\Http\Client\LocalServerException; +use OCP\ICacheFactory; +use Psr\Http\Message\RequestInterface; +use Test\TestCase; + +class DnsPinMiddlewareTest extends TestCase { + private DnsPinMiddleware $dnsPinMiddleware; + + protected function setUp(): void { + parent::setUp(); + + $cacheFactory = $this->createMock(ICacheFactory::class); + $cacheFactory + ->method('createLocal') + ->willReturn(new NullCache()); + + $ipAddressClassifier = new IpAddressClassifier(); + $negativeDnsCache = new NegativeDnsCache($cacheFactory); + + $this->dnsPinMiddleware = $this->getMockBuilder(DnsPinMiddleware::class) + ->setConstructorArgs([$negativeDnsCache, $ipAddressClassifier]) + ->onlyMethods(['dnsGetRecord']) + ->getMock(); + } + + public function testPopulateDnsCacheIPv4() { + $mockHandler = new MockHandler([ + static function (RequestInterface $request, array $options) { + self::arrayHasKey('curl', $options); + self::arrayHasKey(CURLOPT_RESOLVE, $options['curl']); + self::assertEquals([ + 'www.example.com:80:1.1.1.1', + 'www.example.com:443:1.1.1.1' + ], $options['curl'][CURLOPT_RESOLVE]); + return new Response(200); + }, + ]); + + $this->dnsPinMiddleware + ->method('dnsGetRecord') + ->willReturnCallback(function (string $hostname, int $type) { + // example.com SOA + if ($hostname === 'example.com') { + return match ($type) { + DNS_SOA => [ + [ + 'host' => 'example.com', + 'class' => 'IN', + 'ttl' => 7079, + 'type' => 'SOA', + 'minimum-ttl' => 3600, + ] + ], + }; + } + + // example.com A, AAAA, CNAME + if ($hostname === 'www.example.com') { + return match ($type) { + DNS_A => [], + DNS_AAAA => [], + DNS_CNAME => [ + [ + 'host' => 'www.example.com', + 'class' => 'IN', + 'ttl' => 1800, + 'type' => 'A', + 'target' => 'www.example.net' + ] + ], + }; + } + + // example.net SOA + if ($hostname === 'example.net') { + return match ($type) { + DNS_SOA => [ + [ + 'host' => 'example.net', + 'class' => 'IN', + 'ttl' => 7079, + 'type' => 'SOA', + 'minimum-ttl' => 3600, + ] + ], + }; + } + + // example.net A, AAAA, CNAME + if ($hostname === 'www.example.net') { + return match ($type) { + DNS_A => [ + [ + 'host' => 'www.example.net', + 'class' => 'IN', + 'ttl' => 1800, + 'type' => 'A', + 'ip' => '1.1.1.1' + ] + ], + DNS_AAAA => [], + DNS_CNAME => [], + }; + } + + return false; + }); + + $stack = new HandlerStack($mockHandler); + $stack->push($this->dnsPinMiddleware->addDnsPinning()); + $handler = $stack->resolve(); + + $handler( + new Request('GET', 'https://www.example.com'), + ['nextcloud' => ['allow_local_address' => false]] + ); + } + + public function testPopulateDnsCacheIPv6() { + $mockHandler = new MockHandler([ + static function (RequestInterface $request, array $options) { + self::arrayHasKey('curl', $options); + self::arrayHasKey(CURLOPT_RESOLVE, $options['curl']); + self::assertEquals([ + 'www.example.com:80:1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1001', + 'www.example.com:443:1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1001' + ], $options['curl'][CURLOPT_RESOLVE]); + return new Response(200); + }, + ]); + + $this->dnsPinMiddleware + ->method('dnsGetRecord') + ->willReturnCallback(function (string $hostname, int $type) { + // example.com SOA + if ($hostname === 'example.com') { + return match ($type) { + DNS_SOA => [ + [ + 'host' => 'example.com', + 'class' => 'IN', + 'ttl' => 7079, + 'type' => 'SOA', + 'minimum-ttl' => 3600, + ] + ], + }; + } + + // example.com A, AAAA, CNAME + if ($hostname === 'www.example.com') { + return match ($type) { + DNS_A => [], + DNS_AAAA => [], + DNS_CNAME => [ + [ + 'host' => 'www.example.com', + 'class' => 'IN', + 'ttl' => 1800, + 'type' => 'A', + 'target' => 'www.example.net' + ] + ], + }; + } + + // example.net SOA + if ($hostname === 'example.net') { + return match ($type) { + DNS_SOA => [ + [ + 'host' => 'example.net', + 'class' => 'IN', + 'ttl' => 7079, + 'type' => 'SOA', + 'minimum-ttl' => 3600, + ] + ], + }; + } + + // example.net A, AAAA, CNAME + if ($hostname === 'www.example.net') { + return match ($type) { + DNS_A => [ + [ + 'host' => 'www.example.net', + 'class' => 'IN', + 'ttl' => 1800, + 'type' => 'A', + 'ip' => '1.1.1.1' + ], + [ + 'host' => 'www.example.net', + 'class' => 'IN', + 'ttl' => 1800, + 'type' => 'A', + 'ip' => '1.0.0.1' + ], + ], + DNS_AAAA => [ + [ + 'host' => 'www.example.net', + 'class' => 'IN', + 'ttl' => 1800, + 'type' => 'AAAA', + 'ip' => '2606:4700:4700::1111' + ], + [ + 'host' => 'www.example.net', + 'class' => 'IN', + 'ttl' => 1800, + 'type' => 'AAAA', + 'ip' => '2606:4700:4700::1001' + ], + ], + DNS_CNAME => [], + }; + } + + return false; + }); + + $stack = new HandlerStack($mockHandler); + $stack->push($this->dnsPinMiddleware->addDnsPinning()); + $handler = $stack->resolve(); + + $handler( + new Request('GET', 'https://www.example.com'), + ['nextcloud' => ['allow_local_address' => false]] + ); + } + + public function testAllowLocalAddress() { + $mockHandler = new MockHandler([ + static function (RequestInterface $request, array $options) { + self::assertArrayNotHasKey('curl', $options); + return new Response(200); + }, + ]); + + $stack = new HandlerStack($mockHandler); + $stack->push($this->dnsPinMiddleware->addDnsPinning()); + $handler = $stack->resolve(); + + $handler( + new Request('GET', 'https://www.example.com'), + ['nextcloud' => ['allow_local_address' => true]] + ); + } + + public function testRejectIPv4() { + $this->expectException(LocalServerException::class); + $this->expectExceptionMessage('Host violates local access rules'); + + $mockHandler = new MockHandler([ + static function (RequestInterface $request, array $options) { + // The handler should not be called + }, + ]); + + $this->dnsPinMiddleware + ->method('dnsGetRecord') + ->willReturnCallback(function (string $hostname, int $type) { + return match ($type) { + DNS_SOA => [ + [ + 'host' => 'example.com', + 'class' => 'IN', + 'ttl' => 7079, + 'type' => 'SOA', + 'minimum-ttl' => 3600, + ] + ], + DNS_A => [ + [ + 'host' => 'example.com', + 'class' => 'IN', + 'ttl' => 1800, + 'type' => 'A', + 'ip' => '192.168.0.1' + ] + ], + DNS_AAAA => [], + DNS_CNAME => [], + }; + }); + + $stack = new HandlerStack($mockHandler); + $stack->push($this->dnsPinMiddleware->addDnsPinning()); + $handler = $stack->resolve(); + + $handler( + new Request('GET', 'https://www.example.com'), + ['nextcloud' => ['allow_local_address' => false]] + ); + } + + public function testRejectIPv6() { + $this->expectException(LocalServerException::class); + $this->expectExceptionMessage('Host violates local access rules'); + + $mockHandler = new MockHandler([ + static function (RequestInterface $request, array $options) { + // The handler should not be called + }, + ]); + + $this->dnsPinMiddleware + ->method('dnsGetRecord') + ->willReturnCallback(function (string $hostname, int $type) { + return match ($type) { + DNS_SOA => [ + [ + 'host' => 'example.com', + 'class' => 'IN', + 'ttl' => 7079, + 'type' => 'SOA', + 'minimum-ttl' => 3600, + ] + ], + DNS_A => [], + DNS_AAAA => [ + [ + 'host' => 'ipv6.example.com', + 'class' => 'IN', + 'ttl' => 1800, + 'type' => 'AAAA', + 'ipv6' => 'fd12:3456:789a:1::1' + ] + ], + DNS_CNAME => [], + }; + }); + + $stack = new HandlerStack($mockHandler); + $stack->push($this->dnsPinMiddleware->addDnsPinning()); + $handler = $stack->resolve(); + + $handler( + new Request('GET', 'https://ipv6.example.com'), + ['nextcloud' => ['allow_local_address' => false]] + ); + } + + public function testRejectCanonicalName() { + $this->expectException(LocalServerException::class); + $this->expectExceptionMessage('Host violates local access rules'); + + $mockHandler = new MockHandler([ + static function (RequestInterface $request, array $options) { + // The handler should not be called + }, + ]); + + $this->dnsPinMiddleware + ->method('dnsGetRecord') + ->willReturnCallback(function (string $hostname, int $type) { + // example.com SOA + if ($hostname === 'example.com') { + return match ($type) { + DNS_SOA => [ + [ + 'host' => 'example.com', + 'class' => 'IN', + 'ttl' => 7079, + 'type' => 'SOA', + 'minimum-ttl' => 3600, + ] + ], + }; + } + + // example.com A, AAAA, CNAME + if ($hostname === 'www.example.com') { + return match ($type) { + DNS_A => [], + DNS_AAAA => [], + DNS_CNAME => [ + [ + 'host' => 'www.example.com', + 'class' => 'IN', + 'ttl' => 1800, + 'type' => 'A', + 'target' => 'www.example.net' + ] + ], + }; + } + + // example.net SOA + if ($hostname === 'example.net') { + return match ($type) { + DNS_SOA => [ + [ + 'host' => 'example.net', + 'class' => 'IN', + 'ttl' => 7079, + 'type' => 'SOA', + 'minimum-ttl' => 3600, + ] + ], + }; + } + + // example.net A, AAAA, CNAME + if ($hostname === 'www.example.net') { + return match ($type) { + DNS_A => [ + [ + 'host' => 'www.example.net', + 'class' => 'IN', + 'ttl' => 1800, + 'type' => 'A', + 'ip' => '192.168.0.2' + ] + ], + DNS_AAAA => [], + DNS_CNAME => [], + }; + } + + return false; + }); + + $stack = new HandlerStack($mockHandler); + $stack->push($this->dnsPinMiddleware->addDnsPinning()); + $handler = $stack->resolve(); + + $handler( + new Request('GET', 'https://www.example.com'), + ['nextcloud' => ['allow_local_address' => false]] + ); + } + + public function testRejectFaultyResponse() { + $this->expectException(LocalServerException::class); + $this->expectExceptionMessage('No DNS record found for www.example.com'); + + $mockHandler = new MockHandler([ + static function (RequestInterface $request, array $options) { + // The handler should not be called + }, + ]); + + $this->dnsPinMiddleware + ->method('dnsGetRecord') + ->willReturnCallback(function (string $hostname, int $type) { + return false; + }); + + $stack = new HandlerStack($mockHandler); + $stack->push($this->dnsPinMiddleware->addDnsPinning()); + $handler = $stack->resolve(); + + $handler( + new Request('GET', 'https://www.example.com'), + ['nextcloud' => ['allow_local_address' => false]] + ); + } + + public function testIgnoreSubdomainForSoaQuery() { + $mockHandler = new MockHandler([ + static function (RequestInterface $request, array $options) { + // The handler should not be called + }, + ]); + + $dnsQueries = []; + + $this->dnsPinMiddleware + ->method('dnsGetRecord') + ->willReturnCallback(function (string $hostname, int $type) use (&$dnsQueries) { + // log query + $dnsQueries[] = $hostname . $type; + + // example.com SOA + if ($hostname === 'example.com') { + return match ($type) { + DNS_SOA => [ + [ + 'host' => 'example.com', + 'class' => 'IN', + 'ttl' => 7079, + 'type' => 'SOA', + 'minimum-ttl' => 3600, + ] + ], + }; + } + + // example.net A, AAAA, CNAME + if ($hostname === 'subsubdomain.subdomain.example.com') { + return match ($type) { + DNS_A => [ + [ + 'host' => 'subsubdomain.subdomain.example.com', + 'class' => 'IN', + 'ttl' => 1800, + 'type' => 'A', + 'ip' => '1.1.1.1' + ] + ], + DNS_AAAA => [], + DNS_CNAME => [], + }; + } + + return false; + }); + + $stack = new HandlerStack($mockHandler); + $stack->push($this->dnsPinMiddleware->addDnsPinning()); + $handler = $stack->resolve(); + + $handler( + new Request('GET', 'https://subsubdomain.subdomain.example.com'), + ['nextcloud' => ['allow_local_address' => false]] + ); + + $this->assertCount(4, $dnsQueries); + $this->assertContains('example.com' . DNS_SOA, $dnsQueries); + $this->assertContains('subsubdomain.subdomain.example.com' . DNS_A, $dnsQueries); + $this->assertContains('subsubdomain.subdomain.example.com' . DNS_AAAA, $dnsQueries); + $this->assertContains('subsubdomain.subdomain.example.com' . DNS_CNAME, $dnsQueries); + } +} |