Test manual-mode while enabling DNSSEC
authorMatthijs Mekking <matthijs@isc.org>
Thu, 24 Jul 2025 12:57:35 +0000 (14:57 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Thu, 21 Aug 2025 14:09:55 +0000 (16:09 +0200)
Similar to previous commit.

Parametrize each test case and in case of manual-mode, execute
additional checks. First a keymgr run should not change the existing
key state (with the exception of timing events such as moving from
RUMOURED to OMNIPRESENT, and from UNRETENTIVE to HIDDEN). Appropriate
messages must be logged.

After enforcing the next step with 'rndc dnssec -step', the key state
should be the same as if the step were to be taken automatically.

bin/tests/system/rollover-enable-dnssec/tests_rollover_enable_dnssec.py

index 9c4dd31b85cb0853e53cc9997c8b205e950d1b51..2cb805a6741add91684d21dd0ce7ab1c4af22dd2 100644 (file)
 
 # pylint: disable=redefined-outer-name,unused-import
 
+import pytest
+
 import isctest
 from isctest.kasp import Ipub, IpubC, Iret
+from isctest.util import param
 from rollover.common import (
     pytestmark,
     alg,
@@ -44,11 +47,40 @@ OFFSETS["step3"] = -int(IRETZSK.total_seconds())
 OFFSETS["step4"] = -int(IPUBC.total_seconds() + IRETKSK.total_seconds())
 
 
-def test_rollover_enable_dnssec_step1(alg, size, ns3):
-    zone = "step1.enable-dnssec.autosign"
+@pytest.mark.parametrize(
+    "tld",
+    [
+        param("autosign"),
+        param("manual"),
+    ],
+)
+def test_rollover_enable_dnssec_step1(tld, alg, size, ns3):
+    zone = f"step1.enable-dnssec.{tld}"
+    policy = f"{POLICY}-{tld}"
 
     isctest.kasp.wait_keymgr_done(ns3, zone)
 
+    if tld == "manual":
+        # Same as insecure.
+        step = {
+            "zone": zone,
+            "cdss": CDSS,
+            "keyprops": [],
+            "manual-mode": True,
+            "zone-signed": False,
+            "nextev": None,
+        }
+        isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
+
+        # Check logs.
+        msg = f"keymgr-manual-mode: block new key generation for zone {zone} (policy {policy})"
+        ns3.log.expect(msg)
+
+        # Force step.
+        with ns3.watch_log_from_here() as watcher:
+            ns3.rndc(f"dnssec -step {zone}")
+            watcher.wait_for_line(f"keymgr: {zone} done")
+
     step = {
         "zone": zone,
         "cdss": CDSS,
@@ -59,14 +91,24 @@ def test_rollover_enable_dnssec_step1(alg, size, ns3):
         # after the publication interval.
         "nextev": IPUB,
     }
-    isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
+    isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
 
 
-def test_rollover_enable_dnssec_step2(alg, size, ns3):
-    zone = "step2.enable-dnssec.autosign"
+@pytest.mark.parametrize(
+    "tld",
+    [
+        param("autosign"),
+        param("manual"),
+    ],
+)
+def test_rollover_enable_dnssec_step2(tld, alg, size, ns3):
+    zone = f"step2.enable-dnssec.{tld}"
+    policy = f"{POLICY}-{tld}"
 
     isctest.kasp.wait_keymgr_done(ns3, zone)
 
+    # manual-mode: Nothing changing in the zone, no 'dnssec -step' required.
+
     step = {
         "zone": zone,
         "cdss": CDSS,
@@ -81,14 +123,45 @@ def test_rollover_enable_dnssec_step2(alg, size, ns3):
         # Minus the time already elapsed.
         "nextev": IRETZSK - IPUB,
     }
-    isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
+    isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
 
 
-def test_rollover_enable_dnssec_step3(alg, size, ns3):
-    zone = "step3.enable-dnssec.autosign"
+@pytest.mark.parametrize(
+    "tld",
+    [
+        param("autosign"),
+        param("manual"),
+    ],
+)
+def test_rollover_enable_dnssec_step3(tld, alg, size, ns3):
+    zone = f"step3.enable-dnssec.{tld}"
+    policy = f"{POLICY}-{tld}"
 
     isctest.kasp.wait_keymgr_done(ns3, zone)
 
+    if tld == "manual":
+        # Same as step 2, but zone signatures have become OMNIPRESENT.
+        step = {
+            "zone": zone,
+            "cdss": CDSS,
+            "keyprops": [
+                f"csk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:hidden offset:{OFFSETS['step3']}",
+            ],
+            "manual-mode": True,
+            "nextev": None,
+        }
+        keys = isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
+
+        # Check logs.
+        tag = keys[0].key.tag
+        msg = f"keymgr-manual-mode: block transition CSK {zone}/ECDSAP256SHA256/{tag} type DS state HIDDEN to state RUMOURED"
+        ns3.log.expect(msg)
+
+        # Force step.
+        with ns3.watch_log_from_here() as watcher:
+            ns3.rndc(f"dnssec -step {zone}")
+            watcher.wait_for_line(f"keymgr: {zone} done")
+
     step = {
         "zone": zone,
         "cdss": CDSS,
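Review bot: The expected log line `keymgr-manual-mode: block transition CSK {zone}/ECDSAP256SHA256/{tag} ...` hard-codes the algorithm mnemonic, while the `keyprops` entry a few lines above is built from the `alg` and `size` fixtures; if those fixtures ever yield anything other than algorithm 13 the `ns3.log.expect(msg)` check fails for a reason unrelated to manual mode. If the key object behind `keys[0].key` exposes the algorithm name (I cannot tell from this hunk), building the message from it would remove the coupling; otherwise a comment such as `# Log line hard-codes ECDSAP256SHA256; keep in sync with the alg fixture.` makes the assumption visible. `keys[0].key.tag` also presumes `check_rollover_step` returns the single key described in `keyprops`, which seems intended here. The body of test_rollover_enable_dnssec_step3 continues past the end of this hunk.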
@@ -102,14 +175,24 @@ def test_rollover_enable_dnssec_step3(alg, size, ns3):
         # This is after the retire interval.
         "nextev": IRETKSK,
     }
-    isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
+    isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
 
 
-def test_rollover_enable_dnssec_step4(alg, size, ns3):
-    zone = "step4.enable-dnssec.autosign"
+@pytest.mark.parametrize(
+    "tld",
+    [
+        param("autosign"),
+        param("manual"),
+    ],
+)
+def test_rollover_enable_dnssec_step4(tld, alg, size, ns3):
+    zone = f"step4.enable-dnssec.{tld}"
+    policy = f"{POLICY}-{tld}"
 
     isctest.kasp.wait_keymgr_done(ns3, zone)
 
+    # manual-mode: Nothing changing in the zone, no 'dnssec -step' required.
+
     step = {
         "zone": zone,
         "cdss": CDSS,
@@ -122,4 +205,4 @@ def test_rollover_enable_dnssec_step4(alg, size, ns3):
         # established. So we fall back to the default loadkeys interval.
         "nextev": TIMEDELTA["PT1H"],
     }
-    isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
+    isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)