malcontent-dns-parental-con.../tests/integration_test.rs

// SPDX-FileCopyrightText: 2022 Matteo Settenvini <matteo.settenvini@montecristosoftware.eu>
// SPDX-License-Identifier: GPL-3.0-or-later

mod common;

use {
    crate::common::{Eai, Restriction, Restrictions},
    anyhow::Result,
    libc::{freeaddrinfo, gai_strerror, getaddrinfo},
    nix::unistd::getuid,
    once_cell::sync::Lazy,
    std::collections::HashMap,
    std::net::{IpAddr, Ipv4Addr, Ipv6Addr},
};

static CLOUDFLARE_PARENTALCONTROL_ADDRS: Lazy<Restrictions> = Lazy::new(|| {
    vec![
        Restriction {
            ip: IpAddr::V4(Ipv4Addr::new(1, 1, 1, 3)),
            hostname: "family.cloudflare-dns.com".into(),
        },
        Restriction {
            ip: IpAddr::V4(Ipv4Addr::new(1, 0, 0, 3)),
            hostname: "family.cloudflare-dns.com".into(),
        },
        Restriction {
            ip: IpAddr::V6(Ipv6Addr::new(0x2606, 0x4700, 0x4700, 0, 0, 0, 0, 0x1113)),
            hostname: "family.cloudflare-dns.com".into(),
        },
        Restriction {
            ip: IpAddr::V6(Ipv6Addr::new(0x2606, 0x4700, 0x4700, 0, 0, 0, 0, 0x1003)),
            hostname: "family.cloudflare-dns.com".into(),
        },
    ]
});

static NO_RESTRICTIONS: Lazy<Restrictions> = Lazy::new(|| vec![]);

fork_test! {
    #[test]
    fn nss_module_is_loaded() -> Result<()> {
        common::setup()?;
        tokio::runtime::Runtime::new().unwrap().block_on(async {
            let _dbus = common::mock_dbus(HashMap::from([(getuid(), vec![NO_RESTRICTIONS.clone()])])).await?;
            common::resolve_with_module(libc::AF_INET, "gnome.org")?;
            Ok(())
        })
    }

    #[test]
    fn application_dns_is_nxdomain() -> Result<()> {
        common::setup()?;
        tokio::runtime::Runtime::new().unwrap().block_on(async {
            let _dbus = common::mock_dbus(HashMap::from([(
                getuid(),
                vec![CLOUDFLARE_PARENTALCONTROL_ADDRS.clone()],
            )])).await?;

            let hostname = std::ffi::CString::new("use-application-dns.net").unwrap();
            unsafe {
                let mut addr = std::ptr::null_mut();
                let getaddrinfo_status = getaddrinfo(
                    hostname.as_ptr(),
                    std::ptr::null(),
                    std::ptr::null(),
                    &mut addr,
                );

                let error = std::ffi::CStr::from_ptr(gai_strerror(getaddrinfo_status));
                assert_eq!(
                    getaddrinfo_status,
                    Eai::NoName.0,
                    "Should have gotten no hostname (NXDOMAIN), instead got {}",
                    error.to_str().unwrap()
                );
                freeaddrinfo(addr);
            };

            Ok(())
        })
    }

    #[test]
    fn getaddrinfo_resolution() -> Result<()> {
        common::setup()?;

        const HOSTNAME: &str = "gnome.org";

        tokio::runtime::Runtime::new().unwrap().block_on(async {
            let _dbus = common::mock_dbus(HashMap::from([(
                getuid(),
                vec![CLOUDFLARE_PARENTALCONTROL_ADDRS.clone()],
            )])).await?;

            unsafe {
                let mut addr = std::ptr::null_mut();
                let getaddrinfo_status = getaddrinfo(
                    std::ffi::CString::new(HOSTNAME)?.as_ptr(),
                    std::ptr::null(),
                    std::ptr::null(),
                    &mut addr,
                );

                let error = std::ffi::CStr::from_ptr(gai_strerror(getaddrinfo_status));
                assert_eq!(
                    getaddrinfo_status,
                    Eai::Success.0,
                    "Should have gotten an hostname, instead got {}",
                    error.to_str().unwrap()
                );
                freeaddrinfo(addr);
            };

            Ok(())
        })
    }

    #[test]
    fn wikipedia_is_unrestricted() -> Result<()> {
        common::setup()?;

        const HOSTNAME: &str = "wikipedia.org";

        tokio::runtime::Runtime::new().unwrap().block_on(async {
            for family in [libc::AF_INET, libc::AF_INET6] {
                let _dbus = common::mock_dbus(HashMap::from([(
                    getuid(),
                    vec![CLOUDFLARE_PARENTALCONTROL_ADDRS.clone()],
                )])).await?;

                let system_addr = common::resolve_with_system(family, HOSTNAME)?;
                let our_addrs = common::resolve_with_module(family, HOSTNAME)?;
                assert!(our_addrs.contains(&system_addr));
            }
            Ok(())
        })
    }

    #[test]
    fn adultsite_is_restricted_ipv4() -> Result<()> {
        common::setup()?;

        const HOSTNAME: &str = "nudity.testcategory.com";

        tokio::runtime::Runtime::new().unwrap().block_on(async {
            let _dbus = common::mock_dbus(HashMap::from([(
                getuid(),
                vec![CLOUDFLARE_PARENTALCONTROL_ADDRS.clone()],
            )])).await?;

            let system_addr = common::resolve_with_system(libc::AF_INET, HOSTNAME)?;
            let our_addrs = common::resolve_with_module(libc::AF_INET, HOSTNAME)?;
            assert!(!our_addrs.contains(&system_addr));
            assert_eq!(our_addrs, [IpAddr::V4(Ipv4Addr::UNSPECIFIED)]);
            Ok(())
        })
    }

    #[test]
    fn adultsite_is_restricted_ipv6() -> Result<()> {
        common::setup()?;

        const HOSTNAME: &str = "nudity.testcategory.com";

        tokio::runtime::Runtime::new().unwrap().block_on(async {
            let _dbus = common::mock_dbus(HashMap::from([(
                getuid(),
                vec![CLOUDFLARE_PARENTALCONTROL_ADDRS.clone()],
            )])).await;

            let system_addr = common::resolve_with_system(libc::AF_INET6, HOSTNAME)?;
            let our_addrs = common::resolve_with_module(libc::AF_INET6, HOSTNAME)?;
            assert!(!our_addrs.contains(&system_addr));
            assert_eq!(our_addrs, [IpAddr::V6(Ipv6Addr::UNSPECIFIED)]);
            Ok(())
        })
    }

    #[test]
    fn privileged_user_bypasses_restrictions() -> Result<()> {
        common::setup()?;

        const HOSTNAME: &str = "malware.testcategory.com";

        tokio::runtime::Runtime::new().unwrap().block_on(async {
            for family in [libc::AF_INET, libc::AF_INET6] {
                let _dbus = common::mock_dbus(HashMap::from([(getuid(), vec![NO_RESTRICTIONS.clone()])])).await?;
                let system_addr = common::resolve_with_system(family, HOSTNAME)?;
                let our_addrs = common::resolve_with_module(family, HOSTNAME)?;
                assert!(our_addrs.contains(&system_addr));
            }
            Ok(())
        })
    }
}
Add basic test 2022-08-13 17:04:22 +02:00			`// SPDX-FileCopyrightText: 2022 Matteo Settenvini <matteo.settenvini@montecristosoftware.eu>`
			`// SPDX-License-Identifier: GPL-3.0-or-later`

			`mod common;`

Ensure loading of NSS module in tests 2022-08-14 23:03:59 +02:00			`use {`
Add TLS support to resolver, implement DBus ifaces 2022-08-24 14:46:14 +02:00			`crate::common::{Eai, Restriction, Restrictions},`
Start implementing and testing gethostbyname4_r 2022-08-15 22:55:35 +02:00			`anyhow::Result,`
Ensure loading of NSS module in tests 2022-08-14 23:03:59 +02:00			`libc::{freeaddrinfo, gai_strerror, getaddrinfo},`
Move to rust stable, introduce mock for dbus in tests 2022-08-18 13:59:11 +02:00			`nix::unistd::getuid,`
			`once_cell::sync::Lazy,`
			`std::collections::HashMap,`
			`std::net::{IpAddr, Ipv4Addr, Ipv6Addr},`
Ensure loading of NSS module in tests 2022-08-14 23:03:59 +02:00			`};`
Add basic test 2022-08-13 17:04:22 +02:00
Add TLS support to resolver, implement DBus ifaces 2022-08-24 14:46:14 +02:00			`static CLOUDFLARE_PARENTALCONTROL_ADDRS: Lazy<Restrictions> = Lazy::new(\|\| {`
Move to rust stable, introduce mock for dbus in tests 2022-08-18 13:59:11 +02:00			`vec![`
Add TLS support to resolver, implement DBus ifaces 2022-08-24 14:46:14 +02:00			`Restriction {`
			`ip: IpAddr::V4(Ipv4Addr::new(1, 1, 1, 3)),`
Finish implementation of gethostbyname 2022-09-05 23:15:29 +02:00			`hostname: "family.cloudflare-dns.com".into(),`
Add TLS support to resolver, implement DBus ifaces 2022-08-24 14:46:14 +02:00			`},`
			`Restriction {`
			`ip: IpAddr::V4(Ipv4Addr::new(1, 0, 0, 3)),`
Finish implementation of gethostbyname 2022-09-05 23:15:29 +02:00			`hostname: "family.cloudflare-dns.com".into(),`
Add TLS support to resolver, implement DBus ifaces 2022-08-24 14:46:14 +02:00			`},`
			`Restriction {`
Finish implementation of gethostbyname 2022-09-05 23:15:29 +02:00			`ip: IpAddr::V6(Ipv6Addr::new(0x2606, 0x4700, 0x4700, 0, 0, 0, 0, 0x1113)),`
			`hostname: "family.cloudflare-dns.com".into(),`
Add TLS support to resolver, implement DBus ifaces 2022-08-24 14:46:14 +02:00			`},`
			`Restriction {`
Finish implementation of gethostbyname 2022-09-05 23:15:29 +02:00			`ip: IpAddr::V6(Ipv6Addr::new(0x2606, 0x4700, 0x4700, 0, 0, 0, 0, 0x1003)),`
			`hostname: "family.cloudflare-dns.com".into(),`
Add TLS support to resolver, implement DBus ifaces 2022-08-24 14:46:14 +02:00			`},`
Move to rust stable, introduce mock for dbus in tests 2022-08-18 13:59:11 +02:00			`]`
			`});`

Finish implementation of gethostbyname 2022-09-05 23:15:29 +02:00			`static NO_RESTRICTIONS: Lazy<Restrictions> = Lazy::new(\|\| vec![]);`

Use an async context for module and refactor 2022-08-21 14:47:37 +02:00			`fork_test! {`
			`#[test]`
			`fn nss_module_is_loaded() -> Result<()> {`
			`common::setup()?;`
Finish implementation of gethostbyname 2022-09-05 23:15:29 +02:00			`tokio::runtime::Runtime::new().unwrap().block_on(async {`
			`let _dbus = common::mock_dbus(HashMap::from([(getuid(), vec![NO_RESTRICTIONS.clone()])])).await?;`
			`common::resolve_with_module(libc::AF_INET, "gnome.org")?;`
			`Ok(())`
			`})`
Use an async context for module and refactor 2022-08-21 14:47:37 +02:00			`}`

			`#[test]`
			`fn application_dns_is_nxdomain() -> Result<()> {`
			`common::setup()?;`
			`tokio::runtime::Runtime::new().unwrap().block_on(async {`
Use unique name for dbus connection during integration testing 2022-08-25 01:00:18 +02:00			`let _dbus = common::mock_dbus(HashMap::from([(`
Use an async context for module and refactor 2022-08-21 14:47:37 +02:00			`getuid(),`
			`vec![CLOUDFLARE_PARENTALCONTROL_ADDRS.clone()],`
Use unique name for dbus connection during integration testing 2022-08-25 01:00:18 +02:00			`)])).await?;`
Use an async context for module and refactor 2022-08-21 14:47:37 +02:00
			`let hostname = std::ffi::CString::new("use-application-dns.net").unwrap();`
			`unsafe {`
			`let mut addr = std::ptr::null_mut();`
			`let getaddrinfo_status = getaddrinfo(`
			`hostname.as_ptr(),`
			`std::ptr::null(),`
			`std::ptr::null(),`
			`&mut addr,`
			`);`

			`let error = std::ffi::CStr::from_ptr(gai_strerror(getaddrinfo_status));`
			`assert_eq!(`
			`getaddrinfo_status,`
			`Eai::NoName.0,`
			`"Should have gotten no hostname (NXDOMAIN), instead got {}",`
			`error.to_str().unwrap()`
			`);`
			`freeaddrinfo(addr);`
			`};`

Use unique name for dbus connection during integration testing 2022-08-25 01:00:18 +02:00			`Ok(())`
Use an async context for module and refactor 2022-08-21 14:47:37 +02:00			`})`
			`}`

Implement hostent handling 2022-08-23 11:07:17 +02:00			`#[test]`
			`fn getaddrinfo_resolution() -> Result<()> {`
			`common::setup()?;`
Add TLS support to resolver, implement DBus ifaces 2022-08-24 14:46:14 +02:00
			`const HOSTNAME: &str = "gnome.org";`

Implement hostent handling 2022-08-23 11:07:17 +02:00			`tokio::runtime::Runtime::new().unwrap().block_on(async {`
Use unique name for dbus connection during integration testing 2022-08-25 01:00:18 +02:00			`let _dbus = common::mock_dbus(HashMap::from([(`
Implement hostent handling 2022-08-23 11:07:17 +02:00			`getuid(),`
			`vec![CLOUDFLARE_PARENTALCONTROL_ADDRS.clone()],`
Use unique name for dbus connection during integration testing 2022-08-25 01:00:18 +02:00			`)])).await?;`
Implement hostent handling 2022-08-23 11:07:17 +02:00
			`unsafe {`
			`let mut addr = std::ptr::null_mut();`
			`let getaddrinfo_status = getaddrinfo(`
Add TLS support to resolver, implement DBus ifaces 2022-08-24 14:46:14 +02:00			`std::ffi::CString::new(HOSTNAME)?.as_ptr(),`
Implement hostent handling 2022-08-23 11:07:17 +02:00			`std::ptr::null(),`
			`std::ptr::null(),`
			`&mut addr,`
			`);`

			`let error = std::ffi::CStr::from_ptr(gai_strerror(getaddrinfo_status));`
			`assert_eq!(`
			`getaddrinfo_status,`
			`Eai::Success.0,`
			`"Should have gotten an hostname, instead got {}",`
			`error.to_str().unwrap()`
			`);`
			`freeaddrinfo(addr);`
			`};`

Use unique name for dbus connection during integration testing 2022-08-25 01:00:18 +02:00			`Ok(())`
Implement hostent handling 2022-08-23 11:07:17 +02:00			`})`
			`}`

Use an async context for module and refactor 2022-08-21 14:47:37 +02:00			`#[test]`
			`fn wikipedia_is_unrestricted() -> Result<()> {`
			`common::setup()?;`

Add TLS support to resolver, implement DBus ifaces 2022-08-24 14:46:14 +02:00			`const HOSTNAME: &str = "wikipedia.org";`
Use an async context for module and refactor 2022-08-21 14:47:37 +02:00
Add TLS support to resolver, implement DBus ifaces 2022-08-24 14:46:14 +02:00			`tokio::runtime::Runtime::new().unwrap().block_on(async {`
Use an async context for module and refactor 2022-08-21 14:47:37 +02:00			`for family in [libc::AF_INET, libc::AF_INET6] {`
Use unique name for dbus connection during integration testing 2022-08-25 01:00:18 +02:00			`let _dbus = common::mock_dbus(HashMap::from([(`
Add TLS support to resolver, implement DBus ifaces 2022-08-24 14:46:14 +02:00			`getuid(),`
			`vec![CLOUDFLARE_PARENTALCONTROL_ADDRS.clone()],`
Use unique name for dbus connection during integration testing 2022-08-25 01:00:18 +02:00			`)])).await?;`
Add TLS support to resolver, implement DBus ifaces 2022-08-24 14:46:14 +02:00
Use an async context for module and refactor 2022-08-21 14:47:37 +02:00			`let system_addr = common::resolve_with_system(family, HOSTNAME)?;`
Finish implementation of gethostbyname 2022-09-05 23:15:29 +02:00			`let our_addrs = common::resolve_with_module(family, HOSTNAME)?;`
			`assert!(our_addrs.contains(&system_addr));`
Add TLS support to resolver, implement DBus ifaces 2022-08-24 14:46:14 +02:00			`}`
Refactor code to reduce duplication among gethostbyname(3\|4)_r 2022-08-22 23:12:34 +02:00			`Ok(())`
Use an async context for module and refactor 2022-08-21 14:47:37 +02:00			`})`
			`}`

			`#[test]`
Add TLS support to resolver, implement DBus ifaces 2022-08-24 14:46:14 +02:00			`fn adultsite_is_restricted_ipv4() -> Result<()> {`
Use an async context for module and refactor 2022-08-21 14:47:37 +02:00			`common::setup()?;`

Add TLS support to resolver, implement DBus ifaces 2022-08-24 14:46:14 +02:00			`const HOSTNAME: &str = "nudity.testcategory.com";`

Use an async context for module and refactor 2022-08-21 14:47:37 +02:00			`tokio::runtime::Runtime::new().unwrap().block_on(async {`
Use unique name for dbus connection during integration testing 2022-08-25 01:00:18 +02:00			`let _dbus = common::mock_dbus(HashMap::from([(`
Use an async context for module and refactor 2022-08-21 14:47:37 +02:00			`getuid(),`
			`vec![CLOUDFLARE_PARENTALCONTROL_ADDRS.clone()],`
Use unique name for dbus connection during integration testing 2022-08-25 01:00:18 +02:00			`)])).await?;`
Use an async context for module and refactor 2022-08-21 14:47:37 +02:00
			`let system_addr = common::resolve_with_system(libc::AF_INET, HOSTNAME)?;`
Finish implementation of gethostbyname 2022-09-05 23:15:29 +02:00			`let our_addrs = common::resolve_with_module(libc::AF_INET, HOSTNAME)?;`
			`assert!(!our_addrs.contains(&system_addr));`
			`assert_eq!(our_addrs, [IpAddr::V4(Ipv4Addr::UNSPECIFIED)]);`
Use unique name for dbus connection during integration testing 2022-08-25 01:00:18 +02:00			`Ok(())`
Add TLS support to resolver, implement DBus ifaces 2022-08-24 14:46:14 +02:00			`})`
			`}`

			`#[test]`
			`fn adultsite_is_restricted_ipv6() -> Result<()> {`
			`common::setup()?;`

			`const HOSTNAME: &str = "nudity.testcategory.com";`

			`tokio::runtime::Runtime::new().unwrap().block_on(async {`
Use unique name for dbus connection during integration testing 2022-08-25 01:00:18 +02:00			`let _dbus = common::mock_dbus(HashMap::from([(`
Add TLS support to resolver, implement DBus ifaces 2022-08-24 14:46:14 +02:00			`getuid(),`
			`vec![CLOUDFLARE_PARENTALCONTROL_ADDRS.clone()],`
Use unique name for dbus connection during integration testing 2022-08-25 01:00:18 +02:00			`)])).await;`
Add TLS support to resolver, implement DBus ifaces 2022-08-24 14:46:14 +02:00
Use an async context for module and refactor 2022-08-21 14:47:37 +02:00			`let system_addr = common::resolve_with_system(libc::AF_INET6, HOSTNAME)?;`
Finish implementation of gethostbyname 2022-09-05 23:15:29 +02:00			`let our_addrs = common::resolve_with_module(libc::AF_INET6, HOSTNAME)?;`
			`assert!(!our_addrs.contains(&system_addr));`
			`assert_eq!(our_addrs, [IpAddr::V6(Ipv6Addr::UNSPECIFIED)]);`
Use unique name for dbus connection during integration testing 2022-08-25 01:00:18 +02:00			`Ok(())`
Use an async context for module and refactor 2022-08-21 14:47:37 +02:00			`})`
			`}`

			`#[test]`
			`fn privileged_user_bypasses_restrictions() -> Result<()> {`
			`common::setup()?;`

Finish implementation of gethostbyname 2022-09-05 23:15:29 +02:00			`const HOSTNAME: &str = "malware.testcategory.com";`
Use an async context for module and refactor 2022-08-21 14:47:37 +02:00
Add TLS support to resolver, implement DBus ifaces 2022-08-24 14:46:14 +02:00			`tokio::runtime::Runtime::new().unwrap().block_on(async {`
Use an async context for module and refactor 2022-08-21 14:47:37 +02:00			`for family in [libc::AF_INET, libc::AF_INET6] {`
Finish implementation of gethostbyname 2022-09-05 23:15:29 +02:00			`let _dbus = common::mock_dbus(HashMap::from([(getuid(), vec![NO_RESTRICTIONS.clone()])])).await?;`
Use an async context for module and refactor 2022-08-21 14:47:37 +02:00			`let system_addr = common::resolve_with_system(family, HOSTNAME)?;`
Finish implementation of gethostbyname 2022-09-05 23:15:29 +02:00			`let our_addrs = common::resolve_with_module(family, HOSTNAME)?;`
			`assert!(our_addrs.contains(&system_addr));`
Use an async context for module and refactor 2022-08-21 14:47:37 +02:00			`}`
Refactor code to reduce duplication among gethostbyname(3\|4)_r 2022-08-22 23:12:34 +02:00			`Ok(())`
Use an async context for module and refactor 2022-08-21 14:47:37 +02:00			`})`
			`}`
Add basic test 2022-08-13 17:04:22 +02:00			`}`