def test_zone_deletion(api_user_domain: DeSECAPIV1Client):
name = api_user_domain.domain
assert_eventually(lambda: query_replication(name, "", 'SOA') is not None,
timeout=20)
api_user_domain.domain_destroy(name)
assert_eventually(lambda: query_replication(name, "", 'SOA') is None,
timeout=20)
def test_signature_rotation(api_user_domain: DeSECAPIV1Client):
name = random_domainname()
api_user_domain.domain_create(name)
rrsig = return_eventually(
lambda: query_replication(name, "", 'RRSIG', covers='SOA'), timeout=20)
faketime_add(days=7)
assert_eventually(
lambda: rrsig != query_replication(name, "", 'RRSIG', covers='SOA'),
timeout=60)
def test_register_login_email_case_variation(api_user: DeSECAPIV1Client, api_anon: DeSECAPIV1Client):
# Invert email casing
email2 = ''.join(l.lower() if l.isupper() else l.upper() for l in api_user.email)
password2 = "foobar13"
# Try registering an account (should always return success, even if address with any casing is taken)
assert api_anon.register(email2, password2)[1].json() == {"detail": "Welcome!"}
# Verify that login is possible regardless of email spelling, but only with the first user's password
assert api_anon.login(email2, password2).status_code == 403
assert "token" in api_anon.login(email2, api_user.password).json()
def test_create_valid_non_canonical(api_user_domain: DeSECAPIV1Client,
rr_type: str, value: str):
domain_name = api_user_domain.domain
expected = set()
subname = 'a'
if rr_type in ('CDNSKEY', 'CDS', 'DNSKEY'):
expected |= api_user_domain.get_key_params(domain_name, rr_type)
subname = ''
if value is not None:
assert api_user_domain.rr_set_create(
domain_name, rr_type, [value], subname=subname).status_code == 201
expected.add(value)
rrset = NSLordClient.query(f'{subname}.{domain_name}'.strip('.'), rr_type)
assert len(rrset) == len(expected)
assert_eventually(lambda: len(
query_replication(domain_name, subname, rr_type)) == len(expected))
def test_create_valid_non_canonical(api_user_domain: DeSECAPIV1Client,
ns_lord: NSClient, rr_type: str,
value: str):
assert api_user_domain.rr_set_create(api_user_domain.domains[0],
rr_type, [value],
subname="a").status_code == 201
assert len(ns_lord.query(f"a.{api_user_domain.domains[0]}", rr_type)) == 1
def test_get_desec_io(api_anon: DeSECAPIV1Client):
response = api_anon.get("https://get.desec." +
os.environ['DESECSTACK_DOMAIN'],
allow_redirects=False)
assert 300 < response.status_code < 400
assert response.headers[
'Location'] == f"https://desec.{os.environ['DESECSTACK_DOMAIN']}/"
def test_register2(api_user: DeSECAPIV1Client):
user = api_user.get("/auth/account/").json()
# Verify that email address local part is stored as provided, and hostname is lowercased
email_name, domain_part = api_user.email.strip().rsplit('@', 1)
assert user["email"] == email_name + '@' + domain_part.lower()
assert api_user.headers['Authorization'].startswith('Token ')
assert len(api_user.headers['Authorization']) > len('Token ') + 10
def test_create_long_subname(api_user_domain: DeSECAPIV1Client):
subname = 'a' * 63
assert api_user_domain.rr_set_create(api_user_domain.domain,
"AAAA", ["::1"],
subname=subname).status_code == 201
assert NSLordClient.query(f"{subname}.{api_user_domain.domain}",
"AAAA") == {"::1"}
assert_eventually(lambda: query_replication(api_user_domain.domain,
subname, "AAAA") == {"::1"})
def test_register(api_anon: DeSECAPIV1Client):
email = "*****@*****.**"
password = "******"
assert api_anon.register(email, password)[1].json() == {"detail": "Welcome!"}
assert "token" in api_anon.login(email, password).json()
api = api_anon
assert api.get("/").json() == {
"domains": f"{api.base_url}/domains/",
"tokens": f"{api.base_url}/auth/tokens/",
"logout": f"{api.base_url}/auth/logout/",
"account": {
"change-email": f"{api.base_url}/auth/account/change-email/",
"delete": f"{api.base_url}/auth/account/delete/",
"reset-password": f"{api.base_url}/auth/account/reset-password/",
"show": f"{api.base_url}/auth/account/",
},
}
def test_add_remove_DNSKEY(api_user_domain: DeSECAPIV1Client):
domain_name = api_user_domain.domain
auto_dnskeys = api_user_domain.get_key_params(domain_name, 'DNSKEY')
# After adding another DNSKEY, we expect it to be part of the nameserver's response (along with the automatic ones)
value = '257 3 13 aCoEWYBBVsP9Fek2oC8yqU8ocKmnS1iD SFZNORnQuHKtJ9Wpyz+kNryquB78Pyk/ NTEoai5bxoipVQQXzHlzyg=='
assert api_user_domain.rr_set_create(domain_name,
'DNSKEY', [value],
subname='').status_code == 201
assert NSLordClient.query(domain_name, 'DNSKEY') == auto_dnskeys | {value}
assert_eventually(lambda: query_replication(domain_name, '', 'DNSKEY') ==
auto_dnskeys | {value})
# After deleting it, we expect that the automatically managed ones are still there
assert api_user_domain.rr_set_delete(domain_name, "DNSKEY",
subname='').status_code == 204
assert NSLordClient.query(domain_name, 'DNSKEY') == auto_dnskeys
assert_eventually(
lambda: query_replication(domain_name, '', 'DNSKEY') == auto_dnskeys)
def test_create_invalid(api_user_domain: DeSECAPIV1Client, rr_type: str,
value: str):
assert api_user_domain.rr_set_create(api_user_domain.domain, rr_type,
[value]).status_code == 400
def test_signature_rotation_performance(api_user_domain: DeSECAPIV1Client):
root_domain = api_user_domain.domain
# test configuration
bulk_block_size = 500
domain_sizes = {
# number of delegations: number of zones
2000: 1,
1000: 2,
10: 10,
}
# create test domains
domain_names = {
num_delegations: [
random_domainname() + f'.num-ds-{num_delegations}.' + root_domain
for _ in range(num_zones)
]
for num_delegations, num_zones in domain_sizes.items()
}
for num_delegations, names in domain_names.items():
for name in names:
# create a domain with name `name` and `num_delegations` delegations
api_user_domain.domain_create(name)
for a in range(
0, num_delegations, bulk_block_size
): # run block-wise to avoid exceeding max request size
r = api_user_domain.rr_set_create_bulk(
name, [{
"subname": f'x{i}',
"type": "DS",
"ttl": 3600,
"records": some_ds_records
} for i in range(a, a + bulk_block_size)] +
[{
"subname": f'x{i}',
"type": "NS",
"ttl": 3600,
"records": ['ns1.test.', 'ns2.test.']
} for i in range(a, a + bulk_block_size)])
assert r.status_code == 200
# retrieve all SOA RRSIGs
soa_rrsig = {}
for names in domain_names.values():
for name in names:
soa_rrsig[name] = return_eventually(
lambda: query_replication(name, "", 'RRSIG', covers='SOA'),
timeout=20)
# rotate signatures
faketime_add(7)
# assert SOA RRSIG has been updated
for names in domain_names.values():
for name in names:
assert_eventually(
lambda: soa_rrsig[name] != query_replication(
name, "", 'RRSIG', covers='SOA'),
timeout=
600, # depending on number of domains in the database, this value requires increase
)
def test_create(api_user: DeSECAPIV1Client):
assert len(api_user.domain_list()) == 0
assert api_user.domain_create(random_domainname()).status_code == 201
assert len(api_user.domain_list()) == 1
def test_create(api_user: DeSECAPIV1Client, random_domainname):
assert api_user.domain_create(random_domainname()).status_code == 201
def test_homepage(api_anon: DeSECAPIV1Client):
assert api_anon.get("/").json() == {
"register": f"{api_anon.base_url}/auth/",
"login": f"{api_anon.base_url}/auth/login/",
"reset-password": f"{api_anon.base_url}/auth/account/reset-password/",
}
def test_destroy(api_user_domain: DeSECAPIV1Client):
n = len(api_user_domain.domain_list().json())
assert api_user_domain.domain_destroy(
api_user_domain.domains[0]).status_code == 204
assert len(api_user_domain.domain_list().json()) == n - 1
def test_register2(api_user: DeSECAPIV1Client):
user = api_user.get("/auth/account/").json()
assert user["email"] == api_user.email
assert api_user.headers['Authorization'].startswith('Token ')
assert len(api_user.headers['Authorization']) > len('Token ') + 10