pending-dns 1.2.5 → 1.3.0

package/test/api.test.js

@@ -0,0 +1,139 @@
+'use strict';
+
+const test = require('node:test');
+const assert = require('node:assert/strict');
+
+const { createServer } = require('../lib/api-server');
+const { flushTestDb, closeDb } = require('./helpers');
+
+let server;
+
+test.before(async () => {
+    server = await createServer();
+    await server.initialize();
+});
+
+test.after(async () => {
+    if (server) {
+        await server.stop();
+    }
+    await closeDb();
+});
+
+test.beforeEach(async () => {
+    await flushTestDb();
+});
+
+const inject = opts => server.inject(opts);
+
+test('GET records returns an empty list for an unknown zone', async () => {
+    const res = await inject({ method: 'GET', url: '/v1/zone/example.com/records' });
+    assert.equal(res.statusCode, 200);
+    const body = JSON.parse(res.payload);
+    assert.equal(body.zone, 'example.com');
+    assert.deepEqual(body.records, []);
+});
+
+test('unknown routes return 404', async () => {
+    const res = await inject({ method: 'GET', url: '/does/not/exist' });
+    assert.equal(res.statusCode, 404);
+});
+
+test('POST creates an A record and GET lists it alongside SOA/NS', async () => {
+    const create = await inject({
+        method: 'POST',
+        url: '/v1/zone/example.com/records',
+        payload: { subdomain: 'www', type: 'A', address: '1.2.3.4' }
+    });
+    assert.equal(create.statusCode, 200);
+    const created = JSON.parse(create.payload);
+    assert.ok(created.record, 'should return the new record id');
+
+    const res = await inject({ method: 'GET', url: '/v1/zone/example.com/records' });
+    const body = JSON.parse(res.payload);
+
+    const a = body.records.find(r => r.type === 'A');
+    assert.ok(a);
+    assert.equal(a.address, '1.2.3.4');
+    assert.equal(a.subdomain, 'www');
+
+    // system records are appended with id=null
+    assert.ok(body.records.some(r => r.type === 'SOA' && r.id === null));
+    assert.ok(body.records.some(r => r.type === 'NS' && r.id === null));
+});
+
+test('POST rejects an A record without an address', async () => {
+    const res = await inject({
+        method: 'POST',
+        url: '/v1/zone/example.com/records',
+        payload: { type: 'A' }
+    });
+    assert.equal(res.statusCode, 400);
+    const body = JSON.parse(res.payload);
+    assert.ok(Array.isArray(body.fields), 'validation errors are reported in the fields array');
+});
+
+test('POST creates a CAA record and stores its tag', async () => {
+    // Regression: the CAA "tag" field must be accepted and persisted.
+    const create = await inject({
+        method: 'POST',
+        url: '/v1/zone/example.com/records',
+        payload: { type: 'CAA', value: 'letsencrypt.org', tag: 'issue', flags: 0 }
+    });
+    assert.equal(create.statusCode, 200, `expected CAA create to succeed, got ${create.payload}`);
+
+    const res = await inject({ method: 'GET', url: '/v1/zone/example.com/records' });
+    const body = JSON.parse(res.payload);
+    const caa = body.records.find(r => r.type === 'CAA' && r.id);
+    assert.ok(caa, 'CAA record should be listed');
+    assert.equal(caa.value, 'letsencrypt.org');
+    assert.equal(caa.tag, 'issue');
+});
+
+test('PUT updates a record and echoes back the record id', async () => {
+    const create = await inject({
+        method: 'POST',
+        url: '/v1/zone/example.com/records',
+        payload: { subdomain: 'www', type: 'A', address: '1.2.3.4' }
+    });
+    const id = JSON.parse(create.payload).record;
+
+    const update = await inject({
+        method: 'PUT',
+        url: `/v1/zone/example.com/records/${id}`,
+        payload: { subdomain: 'www', type: 'A', address: '5.6.7.8' }
+    });
+    assert.equal(update.statusCode, 200);
+    const body = JSON.parse(update.payload);
+    assert.equal(body.zone, 'example.com');
+    assert.ok(body.record, 'PUT should return the (possibly new) record id under "record"');
+});
+
+test('DELETE removes a record', async () => {
+    const create = await inject({
+        method: 'POST',
+        url: '/v1/zone/example.com/records',
+        payload: { type: 'A', address: '1.2.3.4' }
+    });
+    const id = JSON.parse(create.payload).record;
+
+    const del = await inject({ method: 'DELETE', url: `/v1/zone/example.com/records/${id}` });
+    assert.equal(del.statusCode, 200);
+    const body = JSON.parse(del.payload);
+    assert.equal(body.deleted, true);
+
+    const res = await inject({ method: 'GET', url: '/v1/zone/example.com/records' });
+    assert.deepEqual(JSON.parse(res.payload).records, []);
+});
+
+test('POST /v1/acme requires at least one domain', async () => {
+    // Fails Joi validation (min 1) before the handler runs, so no ACME/network work.
+    const res = await inject({ method: 'POST', url: '/v1/acme', payload: { domains: [] } });
+    assert.equal(res.statusCode, 400);
+});
+
+// NB: the "domain without a managed zone" rejection path is intentionally not
+// exercised here - the /v1/acme handler calls acme.init() (a live Let's Encrypt
+// directory fetch) before the zone check, which is slow and network-dependent.
+// The underlying behaviour is covered offline by the zone-store tests
+// (resolveDomainZone returns false for unknown domains).

package/test/cached-resolver.test.js

@@ -0,0 +1,57 @@
+'use strict';
+
+const test = require('node:test');
+const assert = require('node:assert/strict');
+
+const cachedResolver = require('../lib/cached-resolver');
+const { db, flushTestDb, closeDb } = require('./helpers');
+
+test.after(async () => {
+    await closeDb();
+});
+
+test.beforeEach(async () => {
+    await flushTestDb();
+});
+
+const cacheKey = (target, type) => ['d', 'cache', target, type].join(':');
+
+test('successful lookups are cached in Redis with a TTL', async t => {
+    let resolved;
+    try {
+        resolved = await cachedResolver('one.one.one.one', 'A');
+    } catch (err) {
+        t.skip(`network unavailable: ${err.message}`);
+        return;
+    }
+
+    assert.ok(Array.isArray(resolved) && resolved.length, 'should resolve at least one address');
+
+    const ttl = await db.redisRead.ttl(cacheKey('one.one.one.one', 'A'));
+    assert.ok(ttl > 0, 'a positive TTL should be set on the cache entry');
+
+    // a second call returns the cached value
+    const again = await cachedResolver('one.one.one.one', 'A');
+    assert.deepEqual(again.slice().sort(), resolved.slice().sort());
+});
+
+test('failed lookups cache an error with a bounded TTL', async t => {
+    const bogus = 'does-not-exist-pendingdns-test.invalid';
+
+    let threw = false;
+    try {
+        await cachedResolver(bogus, 'A');
+    } catch (err) {
+        threw = true;
+    }
+
+    if (!threw) {
+        t.skip('resolver unexpectedly succeeded; cannot exercise the error path');
+        return;
+    }
+
+    const ttl = await db.redisRead.ttl(cacheKey(bogus, 'A'));
+    // Regression: the error entry must have a real, positive expiry (not NaN/-1).
+    assert.ok(ttl > 0, `error cache entry must expire (ttl was ${ttl})`);
+    assert.ok(ttl <= 60 * 60, 'error TTL should be bounded by errorMaxTtl (1h)');
+});

package/test/certs.test.js

@@ -0,0 +1,34 @@
+'use strict';
+
+const test = require('node:test');
+const assert = require('node:assert/strict');
+const crypto = require('node:crypto');
+
+const { pem2jwk } = require('pem-jwk');
+const certs = require('../lib/certs');
+const { closeDb } = require('./helpers');
+
+const { generateKey } = certs.testables;
+
+test.after(async () => {
+    await closeDb();
+});
+
+test('generateKey returns a PKCS#1 RSA private key PEM', async () => {
+    const pem = await generateKey(2048);
+    assert.match(pem, /^-----BEGIN RSA PRIVATE KEY-----/);
+    assert.match(pem, /-----END RSA PRIVATE KEY-----\s*$/);
+
+    // the key must be loadable by Node's crypto
+    const keyObject = crypto.createPrivateKey(pem);
+    assert.equal(keyObject.asymmetricKeyType, 'rsa');
+    assert.equal(keyObject.asymmetricKeyDetails.modulusLength, 2048);
+});
+
+test('generated key converts to a JWK via pem-jwk (as the ACME flow needs)', async () => {
+    const pem = await generateKey(2048);
+    const jwk = pem2jwk(pem);
+    assert.equal(jwk.kty, 'RSA');
+    assert.ok(jwk.n, 'modulus present');
+    assert.ok(jwk.d, 'private exponent present');
+});

package/test/dns-handler.test.js

@@ -0,0 +1,140 @@
+'use strict';
+
+const test = require('node:test');
+const assert = require('node:assert/strict');
+
+const dns2 = require('dns2');
+const Packet = dns2.Packet;
+
+const dnsHandler = require('../lib/dns-handler');
+const { zoneStore } = require('../lib/zone-store');
+const { db, flushTestDb, closeDb } = require('./helpers');
+
+const { formatTXTData, shuffle, filterUnhealthy, reversedTypes } = dnsHandler.testables;
+
+test.after(async () => {
+    await closeDb();
+});
+
+// ---------------------------------------------------------------------------
+// Pure helpers
+// ---------------------------------------------------------------------------
+
+test('formatTXTData always returns an array of chunks', () => {
+    const short = formatTXTData('hello');
+    assert.ok(Array.isArray(short));
+    assert.deepEqual(short, ['hello']);
+});
+
+test('formatTXTData splits long values into <=255 byte chunks that recombine', () => {
+    const long = 'x'.repeat(600);
+    const chunks = formatTXTData(long);
+    assert.ok(Array.isArray(chunks));
+    assert.ok(chunks.length > 1);
+    for (const chunk of chunks) {
+        assert.ok(chunk.length <= 255);
+    }
+    assert.equal(chunks.join(''), long);
+});
+
+test('formatTXTData coerces non-strings', () => {
+    assert.deepEqual(formatTXTData(undefined), ['']);
+    assert.deepEqual(formatTXTData(null), ['']);
+});
+
+test('shuffle returns the same elements (a permutation)', () => {
+    const input = [1, 2, 3, 4, 5, 6, 7, 8];
+    const out = shuffle(input.slice());
+    assert.equal(out.length, input.length);
+    assert.deepEqual(out.slice().sort((a, b) => a - b), input);
+});
+
+test('filterUnhealthy drops unhealthy entries when at least one is healthy', () => {
+    const list = [
+        { address: '1.1.1.1', health: { status: true } },
+        { address: '2.2.2.2', health: { status: false } },
+        { address: '3.3.3.3' } // no health info -> treated as healthy
+    ];
+    const out = filterUnhealthy(list);
+    assert.deepEqual(
+        out.map(e => e.address),
+        ['1.1.1.1', '3.3.3.3']
+    );
+});
+
+test('filterUnhealthy returns all entries when none are healthy', () => {
+    const list = [
+        { address: '1.1.1.1', health: { status: false } },
+        { address: '2.2.2.2', health: { status: false } }
+    ];
+    const out = filterUnhealthy(list);
+    assert.equal(out.length, 2);
+});
+
+test('reversedTypes maps numeric DNS types back to strings', () => {
+    assert.equal(reversedTypes.get(Packet.TYPE.A), 'A');
+    assert.equal(reversedTypes.get(Packet.TYPE.AAAA), 'AAAA');
+    assert.equal(reversedTypes.get(Packet.TYPE.MX), 'MX');
+});
+
+// ---------------------------------------------------------------------------
+// Handler integration (Redis backed)
+// ---------------------------------------------------------------------------
+
+const buildRequest = (name, type) => {
+    const req = new Packet({});
+    req.questions = [{ name, type: Packet.TYPE[type], class: Packet.CLASS.IN }];
+    req.source = { type: 'udp', address: '127.0.0.1', port: 5353 };
+    return req;
+};
+
+test('dnsHandler answers an A query from stored records', async () => {
+    await flushTestDb();
+    await zoneStore.add('example.com', '', 'A', ['9.8.7.6']);
+
+    const response = await dnsHandler(buildRequest('example.com', 'A'));
+    const addresses = response.answers.filter(a => a.type === Packet.TYPE.A).map(a => a.address);
+    assert.ok(addresses.includes('9.8.7.6'));
+});
+
+test('dnsHandler returns configured NS records when none are stored', async () => {
+    await flushTestDb();
+    const response = await dnsHandler(buildRequest('example.com', 'NS'));
+    const nsAnswers = response.answers.filter(a => a.type === Packet.TYPE.NS);
+    assert.ok(nsAnswers.length >= 1, 'should fall back to configured name servers');
+});
+
+test('dnsHandler synthesises a SOA record', async () => {
+    await flushTestDb();
+    const response = await dnsHandler(buildRequest('example.com', 'SOA'));
+    const soa = response.answers.find(a => a.type === Packet.TYPE.SOA);
+    assert.ok(soa, 'a SOA record should be returned');
+});
+
+test('dnsHandler filters unhealthy AAAA records', async () => {
+    await flushTestDb();
+    // Two AAAA records with health checks; mark one unhealthy in the health store.
+    const healthyId = await zoneStore.add('example.com', '', 'AAAA', ['2001:db8::1', 'tcp://check:1']);
+    const unhealthyId = await zoneStore.add('example.com', '', 'AAAA', ['2001:db8::2', 'tcp://check:2']);
+    assert.ok(healthyId && unhealthyId);
+
+    // Health results are keyed by "<zone-name>:<record-id>"
+    const zoneName = zoneStore.domainToName('example.com');
+    await db.redisWrite.hset('d:health:r', `${zoneName}:${unhealthyId}`, JSON.stringify({ status: false }));
+
+    const response = await dnsHandler(buildRequest('example.com', 'AAAA'));
+    const aaaa = response.answers.filter(a => a.type === Packet.TYPE.AAAA);
+    assert.equal(aaaa.length, 1, 'the unhealthy AAAA record should be filtered out');
+});
+
+test('dnsHandler resolves CNAME chains', async () => {
+    await flushTestDb();
+    await zoneStore.add('example.com', 'alias', 'CNAME', ['example.com']);
+    await zoneStore.add('example.com', '', 'A', ['4.4.4.4']);
+
+    const response = await dnsHandler(buildRequest('alias.example.com', 'A'));
+    const types = response.answers.map(a => a.type);
+    assert.ok(types.includes(Packet.TYPE.CNAME), 'should include the CNAME answer');
+    const addresses = response.answers.filter(a => a.type === Packet.TYPE.A).map(a => a.address);
+    assert.ok(addresses.includes('4.4.4.4'), 'should follow the CNAME to the A record');
+});

package/test/dns-server.test.js

@@ -0,0 +1,69 @@
+'use strict';
+
+const test = require('node:test');
+const assert = require('node:assert/strict');
+const { Resolver } = require('node:dns').promises;
+
+const initDnsServer = require('../lib/dns-server');
+const { zoneStore } = require('../lib/zone-store');
+const { config, flushTestDb, closeDb } = require('./helpers');
+
+let servers;
+let resolver;
+
+test.before(async () => {
+    await flushTestDb();
+
+    servers = await initDnsServer();
+
+    resolver = new Resolver();
+    resolver.setServers([`127.0.0.1:${config.dns.port}`]);
+
+    await zoneStore.add('example.com', '', 'A', ['9.8.7.6']);
+    await zoneStore.add('example.com', 'host', 'AAAA', ['2001:db8::1']);
+    await zoneStore.add('example.com', 'txt', 'TXT', ['hello world']);
+    // a value longer than a single 255-byte DNS character-string, but still
+    // small enough to fit in a 512-byte UDP response
+    await zoneStore.add('example.com', 'long', 'TXT', ['y'.repeat(300)]);
+    await zoneStore.add('example.com', 'mail', 'MX', ['mx.example.com', 10]);
+});
+
+test.after(async () => {
+    if (servers) {
+        servers.udpServer.close();
+        await new Promise(resolve => servers.tcpServer.close(resolve));
+    }
+    await closeDb();
+});
+
+test('resolves A records over the wire', async () => {
+    const addrs = await resolver.resolve4('example.com');
+    assert.deepEqual(addrs, ['9.8.7.6']);
+});
+
+test('resolves AAAA records over the wire', async () => {
+    const addrs = await resolver.resolve6('host.example.com');
+    assert.ok(addrs.includes('2001:db8::1'));
+});
+
+test('resolves a TXT record over the wire', async () => {
+    const txt = await resolver.resolveTxt('txt.example.com');
+    const flat = txt.map(chunks => chunks.join(''));
+    assert.ok(flat.includes('hello world'));
+});
+
+test('resolves a long, multi-chunk TXT record over the wire', async () => {
+    const txt = await resolver.resolveTxt('long.example.com');
+    const flat = txt.map(chunks => chunks.join(''));
+    assert.ok(flat.includes('y'.repeat(300)));
+});
+
+test('resolves MX records over the wire', async () => {
+    const mx = await resolver.resolveMx('mail.example.com');
+    assert.ok(mx.some(rec => rec.exchange === 'mx.example.com' && rec.priority === 10));
+});
+
+test('returns configured NS records over the wire', async () => {
+    const ns = await resolver.resolveNs('example.com');
+    assert.ok(Array.isArray(ns) && ns.length >= 1);
+});

package/test/helpers.js

@@ -0,0 +1,25 @@
+'use strict';
+
+// Shared helpers for the test suite. Tests must run with NODE_ENV=test so that
+// config/test.toml points Redis at the dedicated test database (db 15).
+
+const config = require('wild-config');
+const db = require('../lib/db');
+
+const isTestDatabase = () => /\/15(\?|$)/.test((config.dbs.redis || '').toString());
+
+// Flush the dedicated test database. Refuses to run unless Redis is pointed at
+// db 15 to avoid wiping development (db 2) or production data by accident.
+const flushTestDb = async () => {
+    if (!isTestDatabase()) {
+        throw new Error(`Refusing to flush Redis: expected the test database (db 15) but config points at "${config.dbs.redis}". Run tests with NODE_ENV=test.`);
+    }
+    await db.redisWrite.flushdb();
+};
+
+// Close Redis connections so the test process can exit cleanly.
+const closeDb = async () => {
+    await Promise.allSettled([db.redisRead.quit(), db.redisWrite.quit()]);
+};
+
+module.exports = { config, db, flushTestDb, closeDb, isTestDatabase };

package/test/sentry.test.js

@@ -0,0 +1,21 @@
+'use strict';
+
+const test = require('node:test');
+const assert = require('node:assert/strict');
+
+const { initSentry } = require('../lib/sentry');
+const logger = require('../lib/logger');
+
+test('initSentry is a no-op when no DSN is configured', () => {
+    // Ensure the disabled path: no env DSN, and config.sentry.dsn is empty in the test config
+    delete process.env.SENTRY_DSN;
+
+    assert.doesNotThrow(() => initSentry('test'));
+
+    // error reporting stays disabled, so closeProcess() keeps owning the exit
+    assert.ok(!logger.errorReportingEnabled);
+
+    // notifyError keeps its safe no-op default from lib/logger.js
+    assert.equal(typeof logger.notifyError, 'function');
+    assert.equal(logger.notifyError(new Error('boom')), false);
+});

package/test/tools.test.js

@@ -0,0 +1,48 @@
+'use strict';
+
+const test = require('node:test');
+const assert = require('node:assert/strict');
+
+const { isemail, normalizeDomain } = require('../lib/tools');
+const { closeDb } = require('./helpers');
+
+// lib/tools transitively opens Redis connections (via cached-resolver); close
+// them so the test process exits cleanly.
+test.after(async () => {
+    await closeDb();
+});
+
+test('isemail accepts valid addresses', () => {
+    assert.equal(isemail('user@example.com'), true);
+    assert.equal(isemail('first.last+tag@sub.example.org'), true);
+});
+
+test('isemail rejects invalid addresses', () => {
+    assert.equal(isemail(''), false);
+    assert.equal(isemail('not-an-email'), false);
+    assert.equal(isemail('foo@'), false);
+    assert.equal(isemail('@example.com'), false);
+    assert.equal(isemail(null), false);
+    assert.equal(isemail(undefined), false);
+});
+
+test('normalizeDomain lowercases and trims', () => {
+    assert.equal(normalizeDomain('  Example.COM '), 'example.com');
+    assert.equal(normalizeDomain('WWW.Example.Com'), 'www.example.com');
+});
+
+test('normalizeDomain decodes punycode (xn--) to unicode', () => {
+    // xn--nxasmq6b is the punycode for a Greek/test label; use a well-known one
+    // "münchen.de" -> xn--mnchen-3ya.de
+    assert.equal(normalizeDomain('xn--mnchen-3ya.de'), 'münchen.de');
+});
+
+test('normalizeDomain is idempotent on already-unicode input', () => {
+    assert.equal(normalizeDomain('münchen.de'), 'münchen.de');
+});
+
+test('normalizeDomain handles empty / nullish input', () => {
+    assert.equal(normalizeDomain(''), '');
+    assert.equal(normalizeDomain(null), '');
+    assert.equal(normalizeDomain(undefined), '');
+});