Add btest to verify behavior of re-opened MMDBs opened directly via BIFs

The mmdb_open_location_db() and mmdb_open_asn_db() BiFs were untested, and Zeek has a bug that makes any DBs opened that way fall back to looking up DBs via the existing script-level config mechanism (via mmdb_dir), which is at least unexpected and might well be unconfigured if somebody uses the direct BiFs.
ckreibich · Jan 11, 2024 · d79e2c2 · d79e2c2
1 parent 634af46
commit d79e2c2
Show file tree

Hide file tree

Showing 3 changed files with 78 additions and 0 deletions.
diff --git a/testing/btest/Baseline/core.mmdb.explicit-open/out b/testing/btest/Baseline/core.mmdb.explicit-open/out
@@ -0,0 +1,17 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+1299466805.0, 1, 128.3.0.1, asn, [number=16, organization=Lawrence Berkeley National Laboratory]
+1299466805.0, 1, 128.3.0.1, location, [country_code=US, region=<uninitialized>, city=Berkeley, latitude=37.751, longitude=-97.822]
+1299466805.0, 1, 131.243.0.1, asn, [number=16, organization=Lawrence Berkeley National Laboratory]
+1299466805.0, 1, 131.243.0.1, location, [country_code=US, region=<uninitialized>, city=Berkeley, latitude=37.751, longitude=-97.822]
+1299470395.0, 2, 128.3.0.1, asn, [number=16, organization=Lawrence Berkeley National Laboratory]
+1299470395.0, 2, 128.3.0.1, location, [country_code=US, region=<uninitialized>, city=Berkeley, latitude=37.751, longitude=-97.822]
+1299470395.0, 2, 131.243.0.1, asn, [number=16, organization=Lawrence Berkeley National Laboratory]
+1299470395.0, 2, 131.243.0.1, location, [country_code=US, region=<uninitialized>, city=Berkeley, latitude=37.751, longitude=-97.822]
+1299470405.0, 3, 128.3.0.1, asn, [number=16, organization=Lawrence Berkeley National Laboratory]
+1299470405.0, 3, 128.3.0.1, location, [country_code=US, region=<uninitialized>, city=Berkeley, latitude=37.751, longitude=-97.822]
+1299470405.0, 3, 131.243.0.1, asn, [number=16, organization=Lawrence Berkeley National Laboratory]
+1299470405.0, 3, 131.243.0.1, location, [country_code=US, region=<uninitialized>, city=Berkeley, latitude=37.751, longitude=-97.822]
+1299473995.0, 4, 128.3.0.1, asn, [number=16, organization=Lawrence Berkeley National Laboratory]
+1299473995.0, 4, 128.3.0.1, location, [country_code=US, region=<uninitialized>, city=Berkeley, latitude=37.751, longitude=-97.822]
+1299473995.0, 4, 131.243.0.1, asn, [number=16, organization=Lawrence Berkeley National Laboratory]
+1299473995.0, 4, 131.243.0.1, location, [country_code=US, region=<uninitialized>, city=Berkeley, latitude=37.751, longitude=-97.822]
diff --git a/testing/btest/Baseline/core.mmdb.explicit-open/reporter.log b/testing/btest/Baseline/core.mmdb.explicit-open/reporter.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	level	message	location
+1299470395.000000	Reporter::INFO	Modification time change detected for MaxMind DB [.<...>/GeoLite2-ASN.mmdb]	(empty)
+1299470395.000000	Reporter::INFO	Closing stale MaxMind DB [.<...>/GeoLite2-ASN.mmdb]	(empty)
+1299470395.000000	Reporter::INFO	Modification time change detected for MaxMind DB [.<...>/GeoLite2-City.mmdb]	(empty)
+1299470395.000000	Reporter::INFO	Closing stale MaxMind DB [.<...>/GeoLite2-City.mmdb]	(empty)
+1299473995.000000	Reporter::INFO	Modification time change detected for MaxMind DB [.<...>/GeoLite2-ASN.mmdb]	(empty)
+1299473995.000000	Reporter::INFO	Closing stale MaxMind DB [.<...>/GeoLite2-ASN.mmdb]	(empty)
+1299473995.000000	Reporter::INFO	Modification time change detected for MaxMind DB [.<...>/GeoLite2-City.mmdb]	(empty)
+1299473995.000000	Reporter::INFO	Closing stale MaxMind DB [.<...>/GeoLite2-City.mmdb]	(empty)
+1299473995.000000	Reporter::INFO	received termination signal	(empty)
diff --git a/testing/btest/core/mmdb/explicit-open.zeek b/testing/btest/core/mmdb/explicit-open.zeek
@@ -0,0 +1,50 @@
+# @TEST-DOC: verifies that the explicit BiFs for loading MMDBs work, including when re-opening.
+#
+# Like other MMDB tests, this uses a pcap to use each packet as a driver to
+# touch the DBs involved upon each packet, triggering DB reloads.
+#
+# @TEST-REQUIRES: grep -q "#define USE_GEOIP" $BUILD/zeek-config.h
+#
+# @TEST-EXEC: cp -R $FILES/mmdb ./mmdb
+# @TEST-EXEC: zeek -b -r $TRACES/rotation.trace %INPUT >out
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
+# @TEST-EXEC: zeek-cut -m < reporter.log > reporter.log.tmp && mv reporter.log.tmp reporter.log
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff reporter.log
+
+@load base/frameworks/reporter
+
+global pkt = 0;
+global asn_fn = "./mmdb/GeoLite2-ASN.mmdb";
+global city_fn = "./mmdb/GeoLite2-City.mmdb";
+
+function timestamp(n: count): string
+	{
+	assert n <= 60;
+	return fmt("2020-01-01T00:%s:00", n);
+	}
+
+event new_packet(c: connection, p: pkt_hdr)
+	{
+	++pkt;
+
+	print network_time(), pkt, 128.3.0.1, "asn", lookup_autonomous_system(128.3.0.1);
+	print network_time(), pkt, 128.3.0.1, "location", lookup_location(128.3.0.1);
+	print network_time(), pkt, 131.243.0.1, "asn", lookup_autonomous_system(131.243.0.1);
+	print network_time(), pkt, 131.243.0.1, "location", lookup_location(131.243.0.1);
+
+	# Increment MMDBs' modification time, triggering a re-open.
+	if ( ! piped_exec(fmt("touch -d %s %s", timestamp(pkt), safe_shell_quote(asn_fn)), "") )
+		exit(1);
+
+	if ( ! piped_exec(fmt("touch -d %s %s", timestamp(pkt), safe_shell_quote(city_fn)), "") )
+		exit(1);
+
+	if ( pkt == 4 )
+		terminate();
+	}
+
+event zeek_init()
+	{
+	assert mmdb_open_asn_db(asn_fn);
+	assert mmdb_open_location_db(city_fn);
+	}