sys-dns-wildcards: always create apex wildcard (*.apex); use explicit_domains for CURRENT_PLAY_DOMAINS_ALL list; update README and unit tests. Ref: https://chatgpt.com/share/68c37a74-7468-800f-a612-765bbbd442de

2025-09-14 14:26:04 +02:00 · 2025-09-12 03:47:37 +02:00
parent 7e5990aa16
commit ce8958cc01
5 changed files with 90 additions and 39 deletions
--- a/tests/unit/roles/sys-dns-wildcards/filter_plugins/test_wildcard_dns.py
+++ b/tests/unit/roles/sys-dns-wildcards/filter_plugins/test_wildcard_dns.py
@@ -48,7 +48,7 @@ class TestWildcardDNS(unittest.TestCase):
    def setUp(self):
        self.wildcard_records = _get_filter()

-    def test_only_wildcards_no_apex_or_base(self):
+    def test_only_wildcards_including_apex(self):
        apex = "example.com"
        cpda = {
            "svc-a": ["c.wiki.example.com", "a.b.example.com"],
@@ -69,19 +69,24 @@ class TestWildcardDNS(unittest.TestCase):

        got = _as_set(recs)
        expected = {
+            # apex wildcard always
+            ("A", "*", "203.0.113.10", True),
+            ("AAAA", "*", "2606:4700:4700::1111", True),
+
+            # derived parents
            ("A", "*.wiki", "203.0.113.10", True),
            ("AAAA", "*.wiki", "2606:4700:4700::1111", True),
            ("A", "*.b", "203.0.113.10", True),
            ("AAAA", "*.b", "2606:4700:4700::1111", True),
-            # now included because www.a.b.example.com promotes a.b.example.com as a parent
+            # www.a.b.example.com promotes a.b.example.com as a parent
            ("A", "*.a.b", "203.0.113.10", True),
            ("AAAA", "*.a.b", "2606:4700:4700::1111", True),
        }
        self.assertEqual(got, expected)

-    def test_min_child_depth_prevents_apex_wildcard(self):
+    def test_min_child_depth_yields_only_apex(self):
        apex = "example.com"
-        cpda = {"svc": ["x.example.com"]}  # depth = 1
+        cpda = {"svc": ["x.example.com"]}  # depth = 1, below threshold

        recs = self.wildcard_records(
            current_play_domains_all=cpda,
@@ -93,13 +98,18 @@ class TestWildcardDNS(unittest.TestCase):
            min_child_depth=2,  # requires >= 2 → no parent derived
            ipv6_enabled=True,
        )
-        self.assertEqual(recs, [])
+        got = _as_set(recs)
+        expected = {
+            ("A", "*", "198.51.100.42", False),
+            ("AAAA", "*", "2606:4700:4700::1111", False),
+        }
+        self.assertEqual(got, expected)

    def test_ipv6_disabled_and_private_ipv6_filtered(self):
        apex = "example.com"
        cpda = {"svc": ["a.b.example.com"]}

-        # IPv6 disabled → only A record
+        # IPv6 disabled → only A records (apex + parent)
        recs1 = self.wildcard_records(
            current_play_domains_all=cpda,
            apex=apex,
@@ -110,9 +120,15 @@ class TestWildcardDNS(unittest.TestCase):
            min_child_depth=2,
            ipv6_enabled=False,
        )
-        self.assertEqual(_as_set(recs1), {("A", "*.b", "203.0.113.9", False)})
+        self.assertEqual(
+            _as_set(recs1),
+            {
+                ("A", "*", "203.0.113.9", False),
+                ("A", "*.b", "203.0.113.9", False),
+            },
+        )

-        # IPv6 enabled but ULA (not global) → skip AAAA
+        # IPv6 enabled but ULA (not global) → skip AAAA (apex + parent)
        recs2 = self.wildcard_records(
            current_play_domains_all=cpda,
            apex=apex,
@@ -123,7 +139,13 @@ class TestWildcardDNS(unittest.TestCase):
            min_child_depth=2,
            ipv6_enabled=True,
        )
-        self.assertEqual(_as_set(recs2), {("A", "*.b", "203.0.113.9", False)})
+        self.assertEqual(
+            _as_set(recs2),
+            {
+                ("A", "*", "203.0.113.9", False),
+                ("A", "*.b", "203.0.113.9", False),
+            },
+        )

    def test_proxied_flag_true_is_set(self):
        recs = self.wildcard_records(
@@ -137,7 +159,13 @@ class TestWildcardDNS(unittest.TestCase):
            ipv6_enabled=True,
        )
        self.assertTrue(all(r.get("proxied") is True for r in recs))
-        self.assertEqual(_as_set(recs), {("A", "*.b", "203.0.113.7", True)})
+        self.assertEqual(
+            _as_set(recs),
+            {
+                ("A", "*", "203.0.113.7", True),
+                ("A", "*.b", "203.0.113.7", True),
+            },
+        )

    def test_explicit_domains_override_source(self):
        cpda = {"svc": ["ignore.me.example.com", "a.b.example.com"]}
@@ -156,6 +184,11 @@ class TestWildcardDNS(unittest.TestCase):
        self.assertEqual(
            _as_set(recs),
            {
+                # apex wildcard always
+                ("A", "*", "203.0.113.5", False),
+                ("AAAA", "*", "2606:4700:4700::1111", False),
+
+                # derived from explicit domain
                ("A", "*.wiki", "203.0.113.5", False),
                ("AAAA", "*.wiki", "2606:4700:4700::1111", False),
            },
@@ -183,11 +216,16 @@ class TestWildcardDNS(unittest.TestCase):
        )
        got = _as_set(recs)
        expected = {
+            # apex wildcard always
+            ("A", "*", "203.0.113.21", False),
+            ("AAAA", "*", "2606:4700:4700::1111", False),
+
+            # derived parents
            ("A", "*.wiki", "203.0.113.21", False),
            ("AAAA", "*.wiki", "2606:4700:4700::1111", False),
            ("A", "*.b", "203.0.113.21", False),
            ("AAAA", "*.b", "2606:4700:4700::1111", False),
-            # now included because www.a.b.example.com promotes a.b.example.com as a parent
+            # www.a.b.example.com promotes a.b.example.com as a parent
            ("A", "*.a.b", "203.0.113.21", False),
            ("AAAA", "*.a.b", "2606:4700:4700::1111", False),
        }