Compare commits
1 Commits
e63241cc3c
...
fix/query-
| Author | SHA1 | Date | |
|---|---|---|---|
|
cc35480e26 |
34
TESTING.md
34
TESTING.md
@@ -1,34 +0,0 @@
|
||||
# Testing Policy
|
||||
|
||||
## DNS Resolution Tests
|
||||
|
||||
All resolver tests **MUST** use live queries against real DNS servers.
|
||||
No mocking of the DNS client layer is permitted.
|
||||
|
||||
### Rationale
|
||||
|
||||
The resolver performs iterative resolution from root nameservers through
|
||||
the full delegation chain. Mocked responses cannot faithfully represent
|
||||
the variety of real-world DNS behavior (truncation, referrals, glue
|
||||
records, DNSSEC, varied response times, EDNS, etc.). Testing against
|
||||
real servers ensures the resolver works correctly in production.
|
||||
|
||||
### Constraints
|
||||
|
||||
- Tests hit real DNS infrastructure and require network access
|
||||
- Test duration depends on network conditions; timeout tuning keeps
|
||||
the suite within the 30-second target
|
||||
- Query timeout is calibrated to 3× maximum antipodal RTT (~300ms)
|
||||
plus processing margin
|
||||
- Root server fan-out is limited to reduce parallel query load
|
||||
- Flaky failures from transient network issues are acceptable and
|
||||
should be investigated as potential resolver bugs, not papered over
|
||||
with mocks or skip flags
|
||||
|
||||
### What NOT to do
|
||||
|
||||
- **Do not mock `DNSClient`** for resolver tests (the mock constructor
|
||||
exists for unit-testing other packages that consume the resolver)
|
||||
- **Do not add `-short` flags** to skip slow tests
|
||||
- **Do not increase `-timeout`** to hide hanging queries
|
||||
- **Do not modify linter configuration** to suppress findings
|
||||
@@ -4,7 +4,6 @@ import (
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
"math/rand"
|
||||
"net"
|
||||
"sort"
|
||||
"strings"
|
||||
@@ -14,7 +13,7 @@ import (
|
||||
)
|
||||
|
||||
const (
|
||||
queryTimeoutDuration = 2 * time.Second
|
||||
queryTimeoutDuration = 700 * time.Millisecond
|
||||
maxRetries = 2
|
||||
maxDelegation = 20
|
||||
timeoutMultiplier = 2
|
||||
@@ -42,22 +41,6 @@ func rootServerList() []string {
|
||||
}
|
||||
}
|
||||
|
||||
const maxRootServers = 3
|
||||
|
||||
// randomRootServers returns a shuffled subset of root servers.
|
||||
func randomRootServers() []string {
|
||||
all := rootServerList()
|
||||
rand.Shuffle(len(all), func(i, j int) {
|
||||
all[i], all[j] = all[j], all[i]
|
||||
})
|
||||
|
||||
if len(all) > maxRootServers {
|
||||
return all[:maxRootServers]
|
||||
}
|
||||
|
||||
return all
|
||||
}
|
||||
|
||||
func checkCtx(ctx context.Context) error {
|
||||
err := ctx.Err()
|
||||
if err != nil {
|
||||
@@ -308,8 +291,17 @@ func (r *Resolver) resolveNSIPs(
|
||||
return ips
|
||||
}
|
||||
|
||||
// resolveNSRecursive queries for NS records using recursive
|
||||
// resolution as a fallback for intercepted environments.
|
||||
// publicResolvers returns well-known public recursive DNS resolvers.
|
||||
func publicResolvers() []string {
|
||||
return []string{
|
||||
"1.1.1.1", // Cloudflare
|
||||
"8.8.8.8", // Google
|
||||
"9.9.9.9", // Quad9
|
||||
}
|
||||
}
|
||||
|
||||
// resolveNSRecursive queries for NS records using a public
|
||||
// recursive resolver as a fallback for intercepted environments.
|
||||
func (r *Resolver) resolveNSRecursive(
|
||||
ctx context.Context,
|
||||
domain string,
|
||||
@@ -319,7 +311,7 @@ func (r *Resolver) resolveNSRecursive(
|
||||
msg.SetQuestion(domain, dns.TypeNS)
|
||||
msg.RecursionDesired = true
|
||||
|
||||
for _, ip := range randomRootServers() {
|
||||
for _, ip := range publicResolvers() {
|
||||
if checkCtx(ctx) != nil {
|
||||
return nil, ErrContextCanceled
|
||||
}
|
||||
@@ -340,7 +332,8 @@ func (r *Resolver) resolveNSRecursive(
|
||||
return nil, ErrNoNameservers
|
||||
}
|
||||
|
||||
// resolveARecord resolves a hostname to IPv4 addresses.
|
||||
// resolveARecord resolves a hostname to IPv4 addresses using
|
||||
// public recursive resolvers.
|
||||
func (r *Resolver) resolveARecord(
|
||||
ctx context.Context,
|
||||
hostname string,
|
||||
@@ -350,7 +343,7 @@ func (r *Resolver) resolveARecord(
|
||||
msg.SetQuestion(hostname, dns.TypeA)
|
||||
msg.RecursionDesired = true
|
||||
|
||||
for _, ip := range randomRootServers() {
|
||||
for _, ip := range publicResolvers() {
|
||||
if checkCtx(ctx) != nil {
|
||||
return nil, ErrContextCanceled
|
||||
}
|
||||
@@ -402,7 +395,7 @@ func (r *Resolver) FindAuthoritativeNameservers(
|
||||
candidate := strings.Join(labels[i:], ".") + "."
|
||||
|
||||
nsNames, err := r.followDelegation(
|
||||
ctx, candidate, randomRootServers(),
|
||||
ctx, candidate, rootServerList(),
|
||||
)
|
||||
if err == nil && len(nsNames) > 0 {
|
||||
sort.Strings(nsNames)
|
||||
|
||||
@@ -6,7 +6,6 @@ import (
|
||||
"log/slog"
|
||||
"sort"
|
||||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"go.uber.org/fx"
|
||||
@@ -41,17 +40,15 @@ type Params struct {
|
||||
|
||||
// Watcher orchestrates all monitoring checks on a schedule.
|
||||
type Watcher struct {
|
||||
log *slog.Logger
|
||||
config *config.Config
|
||||
state *state.State
|
||||
resolver DNSResolver
|
||||
portCheck PortChecker
|
||||
tlsCheck TLSChecker
|
||||
notify Notifier
|
||||
cancel context.CancelFunc
|
||||
firstRun bool
|
||||
expiryNotifiedMu sync.Mutex
|
||||
expiryNotified map[string]time.Time
|
||||
log *slog.Logger
|
||||
config *config.Config
|
||||
state *state.State
|
||||
resolver DNSResolver
|
||||
portCheck PortChecker
|
||||
tlsCheck TLSChecker
|
||||
notify Notifier
|
||||
cancel context.CancelFunc
|
||||
firstRun bool
|
||||
}
|
||||
|
||||
// New creates a new Watcher instance wired into the fx lifecycle.
|
||||
@@ -60,15 +57,14 @@ func New(
|
||||
params Params,
|
||||
) (*Watcher, error) {
|
||||
w := &Watcher{
|
||||
log: params.Logger.Get(),
|
||||
config: params.Config,
|
||||
state: params.State,
|
||||
resolver: params.Resolver,
|
||||
portCheck: params.PortCheck,
|
||||
tlsCheck: params.TLSCheck,
|
||||
notify: params.Notify,
|
||||
firstRun: true,
|
||||
expiryNotified: make(map[string]time.Time),
|
||||
log: params.Logger.Get(),
|
||||
config: params.Config,
|
||||
state: params.State,
|
||||
resolver: params.Resolver,
|
||||
portCheck: params.PortCheck,
|
||||
tlsCheck: params.TLSCheck,
|
||||
notify: params.Notify,
|
||||
firstRun: true,
|
||||
}
|
||||
|
||||
lifecycle.Append(fx.Hook{
|
||||
@@ -104,15 +100,14 @@ func NewForTest(
|
||||
n Notifier,
|
||||
) *Watcher {
|
||||
return &Watcher{
|
||||
log: slog.Default(),
|
||||
config: cfg,
|
||||
state: st,
|
||||
resolver: res,
|
||||
portCheck: pc,
|
||||
tlsCheck: tc,
|
||||
notify: n,
|
||||
firstRun: true,
|
||||
expiryNotified: make(map[string]time.Time),
|
||||
log: slog.Default(),
|
||||
config: cfg,
|
||||
state: st,
|
||||
resolver: res,
|
||||
portCheck: pc,
|
||||
tlsCheck: tc,
|
||||
notify: n,
|
||||
firstRun: true,
|
||||
}
|
||||
}
|
||||
|
||||
@@ -696,22 +691,6 @@ func (w *Watcher) checkTLSExpiry(
|
||||
return
|
||||
}
|
||||
|
||||
// Deduplicate expiry warnings: don't re-notify for the same
|
||||
// hostname within the TLS check interval.
|
||||
dedupKey := fmt.Sprintf("expiry:%s:%s", hostname, ip)
|
||||
|
||||
w.expiryNotifiedMu.Lock()
|
||||
|
||||
lastNotified, seen := w.expiryNotified[dedupKey]
|
||||
if seen && time.Since(lastNotified) < w.config.TLSInterval {
|
||||
w.expiryNotifiedMu.Unlock()
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
w.expiryNotified[dedupKey] = time.Now()
|
||||
w.expiryNotifiedMu.Unlock()
|
||||
|
||||
msg := fmt.Sprintf(
|
||||
"Host: %s\nIP: %s\nCN: %s\n"+
|
||||
"Expires: %s (%.0f days)",
|
||||
|
||||
@@ -506,61 +506,6 @@ func TestTLSExpiryWarning(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestTLSExpiryWarningDedup(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
cfg := defaultTestConfig(t)
|
||||
cfg.Hostnames = []string{"www.example.com"}
|
||||
cfg.TLSInterval = 24 * time.Hour
|
||||
|
||||
w, deps := newTestWatcher(t, cfg)
|
||||
|
||||
deps.resolver.allRecords["www.example.com"] = map[string]map[string][]string{
|
||||
"ns1.example.com.": {"A": {"1.2.3.4"}},
|
||||
}
|
||||
deps.resolver.ipAddresses["www.example.com"] = []string{
|
||||
"1.2.3.4",
|
||||
}
|
||||
deps.portChecker.results["1.2.3.4:80"] = true
|
||||
deps.portChecker.results["1.2.3.4:443"] = true
|
||||
deps.tlsChecker.certs["1.2.3.4:www.example.com"] = &tlscheck.CertificateInfo{
|
||||
CommonName: "www.example.com",
|
||||
Issuer: "DigiCert",
|
||||
NotAfter: time.Now().Add(3 * 24 * time.Hour),
|
||||
SubjectAlternativeNames: []string{
|
||||
"www.example.com",
|
||||
},
|
||||
}
|
||||
|
||||
ctx := t.Context()
|
||||
|
||||
// First run = baseline, no notifications
|
||||
w.RunOnce(ctx)
|
||||
|
||||
// Second run should fire one expiry warning
|
||||
w.RunOnce(ctx)
|
||||
|
||||
// Third run should NOT fire another warning (dedup)
|
||||
w.RunOnce(ctx)
|
||||
|
||||
notifications := deps.notifier.getNotifications()
|
||||
|
||||
expiryCount := 0
|
||||
|
||||
for _, n := range notifications {
|
||||
if n.Title == "TLS Expiry Warning: www.example.com" {
|
||||
expiryCount++
|
||||
}
|
||||
}
|
||||
|
||||
if expiryCount != 1 {
|
||||
t.Errorf(
|
||||
"expected exactly 1 expiry warning (dedup), got %d",
|
||||
expiryCount,
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
func TestGracefulShutdown(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
|
||||
Reference in New Issue
Block a user