fix(dns): query _gondulf subdomain for domain verification

The DNS TXT verification was querying the base domain instead of _gondulf.{domain}, causing verification to always fail even when users had correctly configured their DNS records. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-22 17:46:38 -07:00
parent bf69588426
commit 1ef5cd9229
5 changed files with 548 additions and 5 deletions
--- a/tests/unit/test_dns.py
+++ b/tests/unit/test_dns.py
@@ -201,6 +201,114 @@ class TestVerifyTxtRecord:
        assert result is True


+class TestGondulfDomainVerification:
+    """Tests for Gondulf domain verification (queries _gondulf.{domain})."""
+
+    @patch("gondulf.dns.dns.resolver.Resolver.resolve")
+    def test_gondulf_verification_queries_prefixed_subdomain(self, mock_resolve):
+        """
+        Test Gondulf domain verification queries _gondulf.{domain}.
+
+        This is the critical bug fix test - verifies we query the correct
+        subdomain (_gondulf.example.com) not the base domain (example.com).
+        """
+        mock_rdata = MagicMock()
+        mock_rdata.strings = [b"gondulf-verify-domain"]
+        mock_resolve.return_value = [mock_rdata]
+
+        service = DNSService()
+        result = service.verify_txt_record("example.com", "gondulf-verify-domain")
+
+        assert result is True
+        # Critical: verify we queried _gondulf.example.com, not example.com
+        mock_resolve.assert_called_once_with("_gondulf.example.com", "TXT")
+
+    @patch("gondulf.dns.dns.resolver.Resolver.resolve")
+    def test_gondulf_verification_with_missing_txt_record(self, mock_resolve):
+        """Test Gondulf verification fails when no TXT records exist at _gondulf subdomain."""
+        mock_resolve.side_effect = dns.resolver.NoAnswer()
+
+        service = DNSService()
+        result = service.verify_txt_record("example.com", "gondulf-verify-domain")
+
+        assert result is False
+        mock_resolve.assert_called_once_with("_gondulf.example.com", "TXT")
+
+    @patch("gondulf.dns.dns.resolver.Resolver.resolve")
+    def test_gondulf_verification_with_wrong_txt_value(self, mock_resolve):
+        """Test Gondulf verification fails when TXT value doesn't match."""
+        mock_rdata = MagicMock()
+        mock_rdata.strings = [b"wrong-value"]
+        mock_resolve.return_value = [mock_rdata]
+
+        service = DNSService()
+        result = service.verify_txt_record("example.com", "gondulf-verify-domain")
+
+        assert result is False
+        mock_resolve.assert_called_once_with("_gondulf.example.com", "TXT")
+
+    @patch("gondulf.dns.dns.resolver.Resolver.resolve")
+    def test_non_gondulf_verification_queries_base_domain(self, mock_resolve):
+        """
+        Test non-Gondulf TXT verification still queries base domain.
+
+        Ensures backward compatibility - other TXT verification uses
+        should not be affected by the _gondulf prefix fix.
+        """
+        mock_rdata = MagicMock()
+        mock_rdata.strings = [b"some-other-value"]
+        mock_resolve.return_value = [mock_rdata]
+
+        service = DNSService()
+        result = service.verify_txt_record("example.com", "some-other-value")
+
+        assert result is True
+        # Should query example.com directly, not _gondulf.example.com
+        mock_resolve.assert_called_once_with("example.com", "TXT")
+
+    @patch("gondulf.dns.dns.resolver.Resolver.resolve")
+    def test_gondulf_verification_with_nxdomain(self, mock_resolve):
+        """Test Gondulf verification handles NXDOMAIN for _gondulf subdomain."""
+        mock_resolve.side_effect = dns.resolver.NXDOMAIN()
+
+        service = DNSService()
+        result = service.verify_txt_record("example.com", "gondulf-verify-domain")
+
+        assert result is False
+        mock_resolve.assert_called_once_with("_gondulf.example.com", "TXT")
+
+    @patch("gondulf.dns.dns.resolver.Resolver.resolve")
+    def test_gondulf_verification_among_multiple_txt_records(self, mock_resolve):
+        """Test Gondulf verification finds value among multiple TXT records."""
+        mock_rdata1 = MagicMock()
+        mock_rdata1.strings = [b"v=spf1 include:example.com ~all"]
+        mock_rdata2 = MagicMock()
+        mock_rdata2.strings = [b"gondulf-verify-domain"]
+        mock_rdata3 = MagicMock()
+        mock_rdata3.strings = [b"other-record"]
+        mock_resolve.return_value = [mock_rdata1, mock_rdata2, mock_rdata3]
+
+        service = DNSService()
+        result = service.verify_txt_record("example.com", "gondulf-verify-domain")
+
+        assert result is True
+        mock_resolve.assert_called_once_with("_gondulf.example.com", "TXT")
+
+    @patch("gondulf.dns.dns.resolver.Resolver.resolve")
+    def test_gondulf_verification_with_subdomain(self, mock_resolve):
+        """Test Gondulf verification works correctly with subdomains."""
+        mock_rdata = MagicMock()
+        mock_rdata.strings = [b"gondulf-verify-domain"]
+        mock_resolve.return_value = [mock_rdata]
+
+        service = DNSService()
+        result = service.verify_txt_record("blog.example.com", "gondulf-verify-domain")
+
+        assert result is True
+        # Should query _gondulf.blog.example.com
+        mock_resolve.assert_called_once_with("_gondulf.blog.example.com", "TXT")
+
+
 class TestCheckDomainExists:
    """Tests for check_domain_exists method."""