Mirrors/coredns
1
0
Fork 0
mirror of https://github.com/coredns/coredns.git synced 2025-12-20 00:55:11 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
0d8cbb1a6bcb6bc9c1a489865278b8725fa20812
coredns/test/grpc_test.go

201 lines
4.7 KiB
Go
Raw Normal View History

core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We *might* be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC
2017-03-13 20:24:37 +00:00
package test
import (
Extend presubmit to covert test and request (#1846) Fix the casing *and* fix use of context as we were still referencing the non-std lib context - no wondering how this could have worked...
2018-06-01 15:12:49 +01:00
"context"
Merge commit from fork Add configurable resource limits to prevent potential DoS vectors via connection/stream exhaustion on gRPC, HTTPS, and HTTPS/3 servers. New configuration plugins: - grpc_server: configure max_streams, max_connections - https: configure max_connections - https3: configure max_streams Changes: - Use netutil.LimitListener for connection limiting - Use gRPC MaxConcurrentStreams and message size limits - Add QUIC MaxIncomingStreams for HTTPS/3 stream limiting - Set secure defaults: 256 max streams, 200 max connections - Setting any limit to 0 means unbounded/fallback to previous impl Defaults are applied automatically when plugins are omitted from config. Includes tests and integration tests. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
2025-12-18 05:08:59 +02:00
"crypto/tls"
"net"
core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We *might* be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC
2017-03-13 20:24:37 +00:00
"testing"
Merge commit from fork Add configurable resource limits to prevent potential DoS vectors via connection/stream exhaustion on gRPC, HTTPS, and HTTPS/3 servers. New configuration plugins: - grpc_server: configure max_streams, max_connections - https: configure max_connections - https3: configure max_streams Changes: - Use netutil.LimitListener for connection limiting - Use gRPC MaxConcurrentStreams and message size limits - Add QUIC MaxIncomingStreams for HTTPS/3 stream limiting - Set secure defaults: 256 max streams, 200 max connections - Setting any limit to 0 means unbounded/fallback to previous impl Defaults are applied automatically when plugins are omitted from config. Includes tests and integration tests. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
2025-12-18 05:08:59 +02:00
"time"
core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We *might* be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC
2017-03-13 20:24:37 +00:00
presubmit: check import path ordering (#3636) Add a test for this as well as it's annoying to point out in every code review. Fix all the import paths that are flagged by this new test. Fixes: #3634 Signed-off-by: Miek Gieben <miek@miek.nl>
2020-01-30 09:19:26 +00:00
"github.com/coredns/coredns/pb"
core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We *might* be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC
2017-03-13 20:24:37 +00:00
"github.com/miekg/dns"
"google.golang.org/grpc"
Merge commit from fork Add configurable resource limits to prevent potential DoS vectors via connection/stream exhaustion on gRPC, HTTPS, and HTTPS/3 servers. New configuration plugins: - grpc_server: configure max_streams, max_connections - https: configure max_connections - https3: configure max_streams Changes: - Use netutil.LimitListener for connection limiting - Use gRPC MaxConcurrentStreams and message size limits - Add QUIC MaxIncomingStreams for HTTPS/3 stream limiting - Set secure defaults: 256 max streams, 200 max connections - Setting any limit to 0 means unbounded/fallback to previous impl Defaults are applied automatically when plugins are omitted from config. Includes tests and integration tests. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
2025-12-18 05:08:59 +02:00
"google.golang.org/grpc/credentials"
add golangci-lint linter (#5499)
2022-07-10 20:06:33 +02:00
"google.golang.org/grpc/credentials/insecure"
core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We *might* be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC
2017-03-13 20:24:37 +00:00
)
Merge commit from fork Add configurable resource limits to prevent potential DoS vectors via connection/stream exhaustion on gRPC, HTTPS, and HTTPS/3 servers. New configuration plugins: - grpc_server: configure max_streams, max_connections - https: configure max_connections - https3: configure max_streams Changes: - Use netutil.LimitListener for connection limiting - Use gRPC MaxConcurrentStreams and message size limits - Add QUIC MaxIncomingStreams for HTTPS/3 stream limiting - Set secure defaults: 256 max streams, 200 max connections - Setting any limit to 0 means unbounded/fallback to previous impl Defaults are applied automatically when plugins are omitted from config. Includes tests and integration tests. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
2025-12-18 05:08:59 +02:00
var grpcCorefile = `grpc://.:0 {
whoami
}`
var grpcLimitCorefile = `grpc://.:0 {
grpc_server {
max_streams 2
}
whoami
}`
var grpcConnectionLimitCorefile = `grpc://.:0 {
tls ../plugin/tls/test_cert.pem ../plugin/tls/test_key.pem ../plugin/tls/test_ca.pem
grpc_server {
max_connections 2
}
whoami
}`
core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We *might* be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC
2017-03-13 20:24:37 +00:00
func TestGrpc(t *testing.T) {
Merge commit from fork Add configurable resource limits to prevent potential DoS vectors via connection/stream exhaustion on gRPC, HTTPS, and HTTPS/3 servers. New configuration plugins: - grpc_server: configure max_streams, max_connections - https: configure max_connections - https3: configure max_streams Changes: - Use netutil.LimitListener for connection limiting - Use gRPC MaxConcurrentStreams and message size limits - Add QUIC MaxIncomingStreams for HTTPS/3 stream limiting - Set secure defaults: 256 max streams, 200 max connections - Setting any limit to 0 means unbounded/fallback to previous impl Defaults are applied automatically when plugins are omitted from config. Includes tests and integration tests. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
2025-12-18 05:08:59 +02:00
corefile := grpcCorefile
Fix mixed indentation within tests (#3855) Signed-off-by: Ambrose Chua <ambrose@chua.family>
2020-04-25 14:08:36 +08:00
tests: CoreDNSServerAndPorts (#972) * tests: CoreDNSServerAndPorts Copy from kubernetes.go and renamed to fit the style, adapted almost all callers. This is a mechanicl change, no testdata was changed. * typos
2017-08-24 11:35:14 +01:00
g, _, tcp, err := CoreDNSServerAndPorts(corefile)
core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We *might* be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC
2017-03-13 20:24:37 +00:00
if err != nil {
t.Fatalf("Could not get CoreDNS serving instance: %s", err)
}
defer g.Stop()
Fixup grpc test (#6844) Remove deprecated `grpc.WithBlock()`. This option is a noop with `grpc.NewClient()`. Signed-off-by: SuperQ <superq@gmail.com>
2024-08-18 16:18:00 +02:00
conn, err := grpc.NewClient(tcp, grpc.WithTransportCredentials(insecure.NewCredentials()))
core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We *might* be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC
2017-03-13 20:24:37 +00:00
if err != nil {
t.Fatalf("Expected no error but got: %s", err)
}
defer conn.Close()
client := pb.NewDnsServiceClient(conn)
m := new(dns.Msg)
m.SetQuestion("whoami.example.org.", dns.TypeA)
msg, _ := m.Pack()
reply, err := client.Query(context.TODO(), &pb.DnsPacket{Msg: msg})
if err != nil {
t.Errorf("Expected no error but got: %s", err)
}
d := new(dns.Msg)
lint: enable protogetter linter (#7336) Enable protogetter in golangci config and update all protobuf field access to use getter methods instead of direct field access. Getter methods provide safer nil pointer handling and return appropriate default values, following protobuf best practices. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
2025-05-31 01:29:32 +03:00
err = d.Unpack(reply.GetMsg())
core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We *might* be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC
2017-03-13 20:24:37 +00:00
if err != nil {
t.Errorf("Expected no error but got: %s", err)
}
if d.Rcode != dns.RcodeSuccess {
cleanup: go vet and golint run (#736) * cleanup: go vet and golint run Various cleanups trickered by go vet and golint. * Fix tests and lowercase all errors Lowercase all errors, some tests in kubernetes use errors from kubernetes which do start with a capital letter.
2017-06-14 09:37:10 -07:00
t.Errorf("Expected success but got %d", d.Rcode)
core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We *might* be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC
2017-03-13 20:24:37 +00:00
}
if len(d.Extra) != 2 {
cleanup: go vet and golint run (#736) * cleanup: go vet and golint run Various cleanups trickered by go vet and golint. * Fix tests and lowercase all errors Lowercase all errors, some tests in kubernetes use errors from kubernetes which do start with a capital letter.
2017-06-14 09:37:10 -07:00
t.Errorf("Expected 2 RRs in additional section, but got %d", len(d.Extra))
core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We *might* be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC
2017-03-13 20:24:37 +00:00
}
}
Merge commit from fork Add configurable resource limits to prevent potential DoS vectors via connection/stream exhaustion on gRPC, HTTPS, and HTTPS/3 servers. New configuration plugins: - grpc_server: configure max_streams, max_connections - https: configure max_connections - https3: configure max_streams Changes: - Use netutil.LimitListener for connection limiting - Use gRPC MaxConcurrentStreams and message size limits - Add QUIC MaxIncomingStreams for HTTPS/3 stream limiting - Set secure defaults: 256 max streams, 200 max connections - Setting any limit to 0 means unbounded/fallback to previous impl Defaults are applied automatically when plugins are omitted from config. Includes tests and integration tests. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
2025-12-18 05:08:59 +02:00
// TestGRPCWithLimits tests that the server starts and works with configured limits
func TestGRPCWithLimits(t *testing.T) {
g, _, tcp, err := CoreDNSServerAndPorts(grpcLimitCorefile)
if err != nil {
t.Fatalf("Could not get CoreDNS serving instance: %s", err)
}
defer g.Stop()
conn, err := grpc.NewClient(tcp, grpc.WithTransportCredentials(insecure.NewCredentials()))
if err != nil {
t.Fatalf("Expected no error but got: %s", err)
}
defer conn.Close()
client := pb.NewDnsServiceClient(conn)
m := new(dns.Msg)
m.SetQuestion("whoami.example.org.", dns.TypeA)
msg, _ := m.Pack()
reply, err := client.Query(context.Background(), &pb.DnsPacket{Msg: msg})
if err != nil {
t.Fatalf("Query failed: %s", err)
}
d := new(dns.Msg)
if err := d.Unpack(reply.GetMsg()); err != nil {
t.Fatalf("Failed to unpack: %s", err)
}
if d.Rcode != dns.RcodeSuccess {
t.Errorf("Expected success but got %d", d.Rcode)
}
}
// TestGRPCConnectionLimit tests that connection limits are enforced
func TestGRPCConnectionLimit(t *testing.T) {
g, _, tcp, err := CoreDNSServerAndPorts(grpcConnectionLimitCorefile)
if err != nil {
t.Fatalf("Could not get CoreDNS serving instance: %s", err)
}
defer g.Stop()
const maxConns = 2
// Create TLS connections to hold them open
tlsConfig := &tls.Config{InsecureSkipVerify: true}
conns := make([]net.Conn, 0, maxConns+1)
defer func() {
for _, c := range conns {
c.Close()
}
}()
// Open connections up to the limit - these should succeed
for i := range maxConns {
conn, err := tls.Dial("tcp", tcp, tlsConfig)
if err != nil {
t.Fatalf("Connection %d failed (should succeed): %v", i+1, err)
}
conns = append(conns, conn)
}
// Try to open more connections beyond the limit - should timeout
conn, err := tls.DialWithDialer(
&net.Dialer{Timeout: 100 * time.Millisecond},
"tcp", tcp, tlsConfig,
)
if err == nil {
conn.Close()
t.Fatal("Connection beyond limit should have timed out")
}
// Close one connection and verify a new one can be established
conns[0].Close()
conns = conns[1:]
time.Sleep(10 * time.Millisecond)
conn, err = tls.Dial("tcp", tcp, tlsConfig)
if err != nil {
t.Fatalf("Connection after freeing slot failed: %v", err)
}
conns = append(conns, conn)
}
// TestGRPCTLSWithLimits tests that gRPC with TLS starts and works with configured limits
func TestGRPCTLSWithLimits(t *testing.T) {
g, _, tcp, err := CoreDNSServerAndPorts(grpcConnectionLimitCorefile)
if err != nil {
t.Fatalf("Could not get CoreDNS serving instance: %s", err)
}
defer g.Stop()
tlsConfig := &tls.Config{InsecureSkipVerify: true}
creds := credentials.NewTLS(tlsConfig)
conn, err := grpc.NewClient(tcp, grpc.WithTransportCredentials(creds))
if err != nil {
t.Fatalf("Expected no error but got: %s", err)
}
defer conn.Close()
client := pb.NewDnsServiceClient(conn)
m := new(dns.Msg)
m.SetQuestion("whoami.example.org.", dns.TypeA)
msg, _ := m.Pack()
reply, err := client.Query(context.Background(), &pb.DnsPacket{Msg: msg})
if err != nil {
t.Fatalf("Query failed: %s", err)
}
d := new(dns.Msg)
if err := d.Unpack(reply.GetMsg()); err != nil {
t.Fatalf("Failed to unpack: %s", err)
}
if d.Rcode != dns.RcodeSuccess {
t.Errorf("Expected success but got %d", d.Rcode)
}
}
Reference in New Issue Copy Permalink