homer.py

#!/usr/bin/env python3

# Homer is a DoH (DNS-over-HTTPS) and DoT (DNS-over-TLS) client. Its
# main purpose is to test DoH and DoT resolvers. Reference site is
# <https://framagit.org/bortzmeyer/homer/> See author, documentation,
# etc, there, or in the README.md included with the distribution.

import sys
import getopt
import urllib.parse
import time
import socket
import os.path

try:
    # http://pycurl.io/docs/latest
    import pycurl

    # http://www.dnspython.org/
    import dns.message

    # Octobre 2019: the Python GnuTLS bindings don't work with Python 3. So we use OpenSSL.
    # https://www.pyopenssl.org/
    # https://pyopenssl.readthedocs.io/
    import OpenSSL
except ImportError as e:
    print("Error: missing module")
    print(e)
    sys.exit(1)

import homer

# Values that can be changed from the command line
class opts:
    dot = False # DoH by default
    verbose = False
    debug = False
    insecure = False
    post = False
    head = False
    dnssec = False
    edns = True
    no_ecs = True
    sni = True
    rtype = 'AAAA'
    vhostname = None
    tests = 1 # Number of repeated tests
    key = None # SPKI
    ifile = None # Input file
    delay = None
    forceIPv4 = False
    forceIPv6 = False
    connectTo = None
    pipelining = False
    max_in_flight = 20
    multistreams = False
    display_results = True
    show_time = False
    check = False
    mandatory_level = None
    check_additional = True
    # Monitoring plugin only:
    host = None
    path = None
    expect = None

# For the monitoring plugin
STATE_OK = 0
STATE_WARNING = 1
STATE_CRITICAL = 2
STATE_UNKNOWN = 3
STATE_DEPENDENT = 4

def error(msg=None, exit=True):
    if msg is None:
        msg = "Unknown error"
    if monitoring:
        print("%s: %s" % (url, msg))
        if exit:
            sys.exit(STATE_CRITICAL)
    else:
        print(msg, file=sys.stderr)
        if opts.check:
            print('KO')
        if exit:
            sys.exit(1)

def usage(msg=None):
    if msg:
        print(msg,file=sys.stderr)
    print("Usage: %s [options] url-or-servername [domain-name [DNS type]]" % sys.argv[0], file=sys.stderr)
    print("""Options
    -t --dot            Use DoT (by default use DoH)
    -k --insecure       Do not check the certificate
    -4 --v4only         Force IPv4 resolution of url-or-servername
    -6 --v6only         Force IPv6 resolution of url-or-servername
    -v --verbose        Make the program more talkative
    --debug             Make the program even more talkative than -v
    -r --repeat <N>     Perform N times the query. If used with -f, read up to
                        <N> lines of the <file>
    -d --delay <T>      Time to wait in seconds between each synchronous
                        request (only with --repeat)
    -f --file <file>    Read domain names from <file>, one per row with an
                        optional DNS type. Read the first line only, use
                        --repeat N to read up to N lines of the file
    --check             Perform a set of predefined tests
    --mandatory-level <level>
                        Define the <level> of test to perform (only with
                        --check)
                        Available <level> : legal, necessary, nicetohave
    --no-display-results
                        Disable output of DNS response
    --dnssec            Request DNSSEC data (signatures)
    --noedns            Disable EDNS, default is to indicate EDNS support
    --ecs               Send ECS to authoritative servers, default is to
                        refuse it
    -V --vhost <vhost>  Use a specific virtual host
    -h --help           Print this message

  DoH only options:
    -P --post --POST    Use HTTP POST method for all the transfers
    -e --head --HEAD    Use HTTP HEAD method for all the transfers
    --multistreams      Use HTTP/2 streams, needs an input file with -f
    --time              Display the time elapsed for the query (only with
                        --multistreams)

  DoT only options:
    --key <key>         Authenticate a DoT resolver with its public <key> in
                        base64
    --nosni             Do not perform SNI
    --pipelining        Pipeline the requests, needs an input file with -f
    --max-in-flight <M> Maximum number of concurrent requests in parallel (only
                        with --pipelining)

    url-or-servername   The URL or domain name of the DoT/DoH server
    domain-name         The domain name to resolve, not required if -f is
                        provided
    DNS type            The DNS record type to resolve, default AAAA
    """, file=sys.stderr)
    print("See the README.md for more details.", file=sys.stderr)

def get_next_domain(input_file):
    name, rtype = 'framagit.org', 'AAAA'
    line = input_file.readline()
    if line[:-1] == "":
        error("Not enough data in %s for the %i tests" % (opts.ifile, opts.tests))
    if line.find(' ') == -1:
        name = line[:-1]
        rtype = 'AAAA'
    else:
        (name, rtype) = line.split()
    return name, rtype

def print_result(connection, request, prefix=None, display_err=True):
    ok = request.ok
    dot = connection.dot
    server = connection.server
    rcode = request.rcode
    msg = request.response
    size = request.response_size
    if (dot and rcode) or (not dot and rcode == 200):
        if not monitoring:
            if not opts.dot and opts.show_time:
                connection.print_time(connection.curl_handle)
            if opts.display_results and (not opts.check or opts.verbose):
                print(msg)
        else:
            if opts.expect is not None and opts.expect not in str(request.response):
                ok = False
                print("%s Cannot find \"%s\" in response" % (server, opts.expect))
                sys.exit(STATE_CRITICAL)
            if ok and size is not None and size > 0:
                print("%s OK - %s" % (server, "No error for %s/%s, %i bytes received" % (name, opts.rtype, size)))
            else:
                print("%s OK - %s" % (server, "No error"))
            sys.exit(STATE_OK)
    else:
        if not monitoring:
            if display_err:
                if opts.check:
                    print(connection.connect_to, end=': ', file=sys.stderr)
                if prefix:
                    print(prefix, end=': ', file=sys.stderr)
                if dot:
                    print("Error: %s" % msg, file=sys.stderr)
                else:
                   try:
                       msg = msg.decode()
                   except (UnicodeDecodeError, AttributeError):
                       pass # Sometimes, msg can be binary, or Latin-1
                   print("HTTP error %i: %s" % (rcode, msg), file=sys.stderr) 
        else:
            if not dot:
                print("%s HTTP error - %i: %s" % (server, rcode, msg))
            else:
                print("%s Error - %i: %s" % (server, rcode, msg))
            sys.exit(STATE_CRITICAL)
        ok = False
    return ok

def run_check_default(connection):
    ok = True
    req_args = { 'qname': name, 'qtype': opts.rtype, 'use_edns': opts.edns, 'want_dnssec': opts.dnssec, 'no_ecs': opts.no_ecs}
    requests = homer.create_requests_list(dot=connection.dot, **req_args)
    for request_pack in requests:
        if connection.dot:
            test_name, request, level = request_pack
        else:
            test_name, request, method, level = request_pack
        if connection.verbose:
            print(test_name)
        if connection.dot:
            bundle = request
        else:
            if method == homer.DOH_POST:
                request.post = True
            elif method == homer.DOH_HEAD:
                request.head = True
            handle = connection.curl_handle
            handle.prepare(handle, connection, request)
            bundle = handle
        try:
            connection.send_and_receive(bundle)
        except (homer.ConnectionException, homer.DOHException) as e:
            # GET and POST are mandatory and therefore if an error is caught
            # here, print it and exit
            if method == homer.DOH_GET or method == homer.DOH_POST:
                error(e)
            else:
                print(e, file=sys.stderr)
                return False
        request.check_response(connection.debug)
        if not print_result(connection, request, prefix=test_name, display_err=False):
            if level >= opts.mandatory_level:
                print_result(connection, request, prefix=test_name, display_err=True)
                ok = False
            if connection.verbose:
                print()
            break
        if connection.verbose:
            print()
    return ok

def run_check_mime(connection, accept="application/dns-message", content_type="application/dns-message"):
    # change the MIME value and see what happens
    # based on the RFC only application/dns-message must be supported, any
    # other MIME type can be also supported, but nothing is said on that
    if connection.dot:
        return True
    ok = True
    header = [f"Accept: {accept}", f"Content-type: {content_type}"]
    if connection.verbose:
        test_name = f'Test mime: {", ".join(h for h in header)}'
        print(test_name)
    req_args = { 'qname': name, 'qtype': opts.rtype, 'use_edns': opts.edns, 'want_dnssec': opts.dnssec, 'no_ecs': opts.no_ecs}
    request = homer.create_request(**req_args)
    handle = connection.curl_handle
    handle.setopt(pycurl.HTTPHEADER, header)
    handle.prepare(handle, connection, request)
    try:
        connection.send_and_receive(handle)
    except (homer.ConnectionException, homer.DOHException) as e:
        print(e, file=sys.stderr)
        return False
    request.check_response(connection.debug)
    if not print_result(connection, request, prefix=f"Test Header {', '.join(header)}"):
        ok = False
    default = "application/dns-message"
    default_header = [f"Accept: {default}", f"Content-type: {default}"]
    handle.setopt(pycurl.HTTPHEADER, default_header)
    if connection.verbose:
        print()
    return ok

def run_check_trunc(connection):
    # send truncated DNS request to the server and expect a HTTP return code
    # either equal to 200 or in the 400 range
    # in case the server answers with 200, look for a FORMERR error in the DNS
    # response
    ok = True
    test_name = 'Test truncated data'
    if opts.verbose:
        print(test_name)
    req_args = { 'qname': name, 'qtype': opts.rtype, 'use_edns': opts.edns, 'want_dnssec': opts.dnssec, 'no_ecs': opts.no_ecs}
    if connection.dot:
        request = homer.create_request(dot=connection.dot, trunc=True, **req_args)
        bundle = request
    else:
        request = homer.create_request(trunc=True, **req_args)
        request.post = True
        handle = connection.curl_handle
        handle.prepare(handle, connection, request)
        bundle = handle
    try:
        # 8.8.8.8 replies FORMERR but most DoT servers violently shut down the connection (which is legal)
        connection.send_and_receive(bundle, dump=connection.debug)
    except OpenSSL.SSL.ZeroReturnError: # This is acceptable
        return ok
    except dns.exception.FormError: # This is also acceptable
        # Some DSN resolvers will echo mangled requests with
        # the RCODE set to FORMERR
        # so response can not be parsed in this case
        return ok
    except homer.DOHException as e:
        print(e, file=sys.stderr)
        return False
    if request.check_response(connection.debug): # FORMERR is expected
        if connection.dot:
            ok = request.rcode == dns.rcode.FORMERR
        else:
            ok = (request.response.rcode() == dns.rcode.FORMERR)
    else:
        if connection.dot:
            ok = False
        else: # only a 400 range HTTP code is acceptable
              # if we send garbage to the server, it seems reasonable that it
              # does not fail, which means we don't accept a 500 range HTTP
              # error code (even so it means the server failed to process the
              # input data)
            ok = (request.rcode >= 400 and request.rcode < 500)
    print_result(connection, request, prefix=test_name, display_err=not ok)
    if connection.verbose:
        print()
    return ok

def run_check_additionals(connection):
    if not run_check_trunc(connection):
        return False
    # The DoH server is right to reject these (Example: 'HTTP
    # error 415: only Content-Type: application/dns-message is
    # supported')
    run_check_mime(connection, accept="text/html")
    run_check_mime(connection, content_type="text/html")
    return True

def run_check(connection):
    if not run_check_default(connection):
        return False
    if opts.check_additional and not run_check_additionals(connection):
        return False
    return True

def resolved_ips(host, port, family, dot=False):
    try:
        addr_list = socket.getaddrinfo(host, port, family)
    except socket.gaierror:
        error("Could not resolve \"%s\"" % host)
    ip_set = { addr[4][0] for addr in addr_list }
    return ip_set

def parse_opts(opts):
    name = None
    rtype = opts.rtype

    try:
        optlist, args = getopt.getopt (sys.argv[1:], "hvPkeV:r:f:d:t46",
                                       ["help", "verbose", "debug", "dot",
                                        "head", "HEAD", "post", "POST",
                                        "insecure", "vhost=", "multistreams",
                                        "pipelining", "max-in-flight=", "key=",
                                        "dnssec", "noedns", "ecs", "nosni",
                                        "no-display-results", "time",
                                        "file=", "repeat=", "delay=",
                                        "v4only", "v6only",
                                        "check", "mandatory-level="])
        for option, value in optlist:
            if option == "--help" or option == "-h":
                usage()
                sys.exit(0)
            elif option == "--dot" or option == "-t":
                opts.dot = True
            elif option == "--verbose" or option == "-v":
                opts.verbose = True
            elif option == "--debug":
                opts.debug = True
                opts.verbose = True
            elif option == "--HEAD" or option == "--head" or option == "-e":
                opts.head = True
            elif option == "--POST" or option == "--post" or option == "-P":
                opts.post = True
            elif option == "--vhost" or option == "-V":
                opts.vhostname = value
            elif option == "--insecure" or option == "-k":
                opts.insecure = True
            elif option == "--multistreams":
                opts.multistreams = True
            elif option == "--no-display-results":
                opts.display_results = False
            elif option == "--time":
                opts.show_time = True
            elif option == "--dnssec":
                opts.dnssec = True
            elif option == "--nosni":
                opts.sni = False
            elif option == "--noedns": # Warning: it will mean the
                                       # resolver may send ECS
                                       # information to the
                                       # authoritative name servers.
                opts.edns = False
            elif option == "--ecs":
                opts.no_ecs = False
            elif option == "--repeat" or option == "-r":
                opts.tests = int(value)
                if opts.tests <= 1:
                    error("--repeat needs a value > 1")
            elif option == "--delay" or option == "-d":
                opts.delay = float(value)
                if delay <= 0:
                    error("--delay needs a value > 0")
            elif option == "--file" or option == "-f":
                opts.ifile = value
            elif option == "--key":
                opts.key = value
            elif option == "-4" or option == "--v4only":
                opts.forceIPv4 = True
            elif option == "-6" or option == "--v6only":
                opts.forceIPv6 = True
            elif option == "--pipelining":
                opts.pipelining = True
            elif option == "--max-in-flight":
                opts.max_in_flight = int(value)
                if max_in_flight <= 0:
                    error("--max_in_flight but be > 0")
                if max_in_flight >= 65536:
                    error("Because of a limit of the DNS protocol (the size of the query ID) --max_in_flight must be < 65 536")
            elif option == "--check":
                opts.check = True
                opts.display_results = False
            elif option == "--mandatory-level":
                opts.mandatory_level = value
            else:
                error("Unknown option %s" % option)
    except (getopt.error, ValueError) as reason:
        error(reason)
        sys.exit(1)

    if opts.delay is not None and opts.multistreams:
        error("--delay makes no sense with multistreams")
    if opts.tests <= 1 and opts.delay is not None:
        error("--delay makes no sense if there is no repetition")
    if not opts.dot and opts.pipelining:
        error("Pipelining is only accepted for DoT")
        sys.exit(1)
    if opts.dot and (opts.post or opts.head):
        error("POST or HEAD makes non sense for DoT")
        sys.exit(1)    
    if opts.post and opts.head:
        error("POST or HEAD but not both")
        sys.exit(1)
    if opts.pipelining and opts.ifile is None:
        error("Pipelining requires an input file")
        sys.exit(1)
    if opts.check and opts.multistreams:
        error("--check and --multistreams are not compatible")
        sys.exit(1)
    if opts.dot and opts.multistreams:
        error("Multi-streams makes no sense for DoT")
        sys.exit(1)
    if opts.multistreams and opts.ifile is None:
        error("Multi-streams requires an input file")
        sys.exit(1)
    if opts.show_time and opts.dot:
        error("--time cannot be used with --dot")
        sys.exit(1)
    if not opts.edns and not opts.no_ecs:
        error("ECS requires EDNS")
        sys.exit(1)
    if opts.mandatory_level is not None and \
       opts.mandatory_level not in homer.mandatory_levels.keys():
        error("Unknown mandatory level \"%s\"" % opts.mandatory_level)
        sys.exit(1)
    if opts.mandatory_level is not None and not opts.check:
        error("--mandatory-level only makes sense with --check")
        sys.exit(1)
    if opts.mandatory_level is None:
        opts.mandatory_level = "necessary"
    opts.mandatory_level = homer.mandatory_levels[opts.mandatory_level]
    if opts.ifile is None and (len(args) != 2 and len(args) != 3):
        error("Wrong number of arguments")
        sys.exit(1)
    if opts.ifile is not None and len(args) != 1:
        error("Wrong number of arguments (if --file is used, do not indicate the domain name)")
        sys.exit(1)
    url = args[0]
    if opts.ifile is None:
        name = args[1]
        if len(args) == 3:
            opts.rtype = args[2]

    return (url, name)

def parse_opts_monitoring(me, opts):
    name = None
    opts.dot = (me == "check_dot")
    rtype = opts.rtype

    try:
        optlist, args = getopt.getopt (sys.argv[1:], "H:n:p:V:t:e:Pih46k:x")
        for option, value in optlist:
            if option == "-H":
                opts.host = value
            elif option == "-V":
                opts.vhostname = value
            elif option == "-n":
                name = value
            elif option == "-t":
                opts.rtype = value
            elif option == "-e":
                opts.expect = value
            elif option == "-p":
                opts.path = value
            elif option == "-P":
                opts.post = True
            elif option == "-h":
                opts.head = True
            elif option == "-i":
                opts.insecure = True
            elif option == "-x":
                opts.sni = False
            elif option == "-4":
                opts.forceIPv4 = True
            elif option == "-6":
                opts.forceIPv6 = True
            elif option == "-k":
                opts.key = value
            else:
                # Should never occur, it is trapped by getopt
                print("Unknown option %s" % option)
                sys.exit(STATE_UNKNOWN)
    except getopt.error as reason:
        print("Option parsing problem %s" % reason)
        sys.exit(STATE_UNKNOWN)

    if len(args) > 0:
        print("Too many arguments (\"%s\")" % args)
        sys.exit(STATE_UNKNOWN)
    if opts.host is None or name is None:
        print("Host (-H) and name to lookup (-n) are necessary")
        sys.exit(STATE_UNKNOWN)
    if opts.post and opts.head:
        print("POST or HEAD but not both")
        sys.exit(STATE_UNKNOWN)
    if opts.dot and (opts.post or opts.head):
        print("POST or HEAD makes no sense for DoT")
        sys.exit(STATE_UNKNOWN)
    if opts.dot and opts.path:
        print("URL path makes no sense for DoT")
        sys.exit(STATE_UNKNOWN)
    if opts.dot:
        url = opts.host
    else:
        if opts.vhostname is None or opts.vhostname == opts.host:
            opts.connectTo = None
            url = "https://%s/" % opts.host
        else:
            opts.connectTo = opts.host
            url = "https://%s/" % opts.vhostname
        if opts.path is not None:
            if opts.path.startswith("/"):
                opts.path = opts.path[1:]
            url += opts.path

    return (url, name)

def run_default(name, connection, opts):
    ok = True
    start = time.time()
    if opts.multistreams:
        connection.init_multi()
    for i in range (0, opts.tests):
        if opts.tests > 1 and (opts.verbose or opts.display_results):
            print("\nTest %i" % i)
        if opts.ifile is not None:
            name, opts.rtype = get_next_domain(input)
        request = homer.create_request(name, qtype=opts.rtype, use_edns=opts.edns,
                     want_dnssec=opts.dnssec, no_ecs=opts.no_ecs, dot=opts.dot)
        request.i = i
        if not opts.dot:
            request.head = opts.head
            request.post = opts.post
        if not opts.pipelining:
            try:
                connection.do_test(request, synchronous = not opts.multistreams)
            except (OpenSSL.SSL.Error, homer.DOHException) as e:
                ok = False
                error(e)
                break
            if not opts.multistreams:
                if not print_result(connection, request):
                    ok = False
            if opts.tests > 1 and i == 0:
                start2 = time.time()
            if opts.delay is not None:
                time.sleep(opts.delay)
        else: # We do pipelining
            connection.pipelining_add_request(request)
    if opts.multistreams:
        connection.perform_multi(opts.show_time, display_results=opts.display_results)
    if opts.dot and opts.pipelining:
        print("")
        done = 0
        current = connection.pipelining_init_pending(opts.max_in_flight)
        while done < opts.tests:
            if time.time() > start + homer.MAX_DURATION: # if we send thousands of requests
                                                   # MAX_DURATION will be reached
                                                   # need to increase MAX_DURATION based
                                                   # on the number of queries
                                                   # or to define a relation such as
                                                   # f(tests) = MAX_DURATION
                print("Elapsed time too long, %i requests never got a reply" % (opts.tests-done))
                ok = False
                break
            id = connection.read_result(connection, connection.pending, display_results=opts.display_results)
            if id is None: # Probably a timeout
                time.sleep(homer.SLEEP_TIMEOUT)
                continue
            done += 1
            over, rank, request = connection.pending[id]
            if not over:
                error("Internal error, request %i should be over" % id)
            if current < len(connection.all_requests):
                connection.pipelining_fill_pending(current)
                current += 1
    stop = time.time()
    if opts.tests > 1 and not opts.pipelining and not opts.multistreams:
        extra = ", %.2f ms/request if we ignore the first one" % ((stop-start2)*1000/(opts.tests-1))
    else:
        extra = ""
    if not monitoring and (not opts.check or opts.verbose):
        time_tot = stop - start
        time_per_request = time_tot / opts.tests * 1000
        print("\nTotal elapsed time: %.2f seconds (%.2f ms/request%s)" % (time_tot, time_per_request, extra))
    if opts.multistreams and opts.verbose:
        for rcode, n in conn.finished['http'].items():
            print("HTTP %d : %d %.2f%%" % (rcode, n, n / opts.tests * 100))
    return ok

# Main program
me = os.path.basename(sys.argv[0])

# Are we using the script as monitor ?
# the monitoring code should move somewhere else
monitoring = (me == "check_doh" or me == "check_dot")

if not monitoring:
    url, name = parse_opts(opts)
else: # Monitoring plugin
    url, name = parse_opts_monitoring(me, opts)

# retrieve all ips when using --check
# not necessary if connectTo is already defined
# as it is the case with --monitoring
if not opts.check or opts.connectTo is not None:
    ip_set = {opts.connectTo, }
else:
    if opts.dot:
        port = homer.PORT_DOT
        if not homer.is_valid_hostname(url):
            error("DoT requires a host name or IP address, not \"%s\"" % url)
        netloc = url
    else:
        port = homer.PORT_DOH
        if not homer.is_valid_url(url):
            error("DoH requires a valid HTTPS URL, not \"%s\"" % url)
        try:
            url_parts = urllib.parse.urlparse(url) # A very poor validation, many
            # errors (for instance whitespaces, IPv6 address litterals without
            # brackets...) are ignored.
        except ValueError:
            error("The provided url \"%s\" could not be parsed" % url)
        netloc = url_parts.netloc
    if opts.forceIPv4:
        family = socket.AF_INET
    elif opts.forceIPv6:
        family = socket.AF_INET6
    else:
        family = 0
    ip_set = resolved_ips(netloc, port, family, opts.dot)

ok = True
for ip in ip_set:
    if opts.dot and opts.vhostname is not None:
        extracheck = opts.vhostname
    else:
        extracheck = None
    if opts.verbose and opts.check and ip:
        print("Checking \"%s\" on %s ..." % (url, ip))
    try:
        if opts.dot:
            conn = homer.ConnectionDOT(url, servername=extracheck, connect_to=ip,
                                 forceIPv4=opts.forceIPv4, forceIPv6=opts.forceIPv6,
                                 insecure=opts.insecure, verbose=opts.verbose, debug=opts.debug,
                                 sni=opts.sni, key=opts.key, pipelining=opts.pipelining)
        else:
            conn = homer.ConnectionDOH(url, servername=extracheck, connect_to=ip,
                                 forceIPv4=opts.forceIPv4, forceIPv6=opts.forceIPv6,
                                 insecure=opts.insecure, verbose=opts.verbose, debug=opts.debug,
                                 multistreams=opts.multistreams)
    except TimeoutError:
        error("timeout")
    except ConnectionRefusedError:
        error("Connection to server refused")
    except ValueError:
        error("\"%s\" not a name or an IP address" % url)
    except socket.gaierror:
        error("Could not resolve \"%s\"" % url)
    except homer.ConnectionDOTException as e:
        if not monitoring:
            print(e, file=sys.stderr)
            err = "Could not connect to \"%s\"" % url
            if opts.connectTo is not None:
                err += " on %s" % opts.connectTo
            error(err)
        else:
            error(e)
    except (homer.ConnectionException, homer.DOHException) as e:
        error(e)
    if conn.dot and not conn.success:
        ok = False
        continue
    if opts.ifile is not None:
        input = open(opts.ifile)
    if not opts.check:
        ok = run_default(name, conn, opts)
    else:
        ok = run_check(conn) and ok # need to run run_check first
    if opts.ifile is not None:
        input.close()
    conn.end()

if ok:
    if opts.check or opts.pipelining:
        print('OK')
    sys.exit(0)
else:
    print('KO')
    sys.exit(1)