Stop using "tkey-gssapi-credential" in tests

Since the "tkey-gssapi-credential" statement is now deprecated and is
about to be removed, migrate the only system test using it ("nsupdate")
to "tkey-gssapi-keytab".

Currently, the GSS-TSIG parts of the "nsupdate" system test require
properly setting up a combination of:

  - "tkey-gssapi-credential" statements in named.conf files,
  - the KRB5_KTNAME environment variable.

Specifically, this configuration causes named startup to include
acquiring the credential that GSS-API is allowed to match keys against
from a keytab file specified by the KRB5_KTNAME environment variable.

By contrast, the revised configuration uses the "tkey-gssapi-keytab"
statement, which makes GSS-API match keys against any credential present
in the specified keytab file.

Since both keytabs in question (ns9/dns.keytab, ns10/dns.keytab) only
contain a single credential, the two configurations are functionally
equivalent, with the revised one being significantly more readable and
simpler to prepare.

diff --git a/bin/tests/system/isctest/vars/basic.py b/bin/tests/system/isctest/vars/basic.py
index 07709d4ebbf7fc16c7138d5702d3ea0bb19b867e..683bb600b73cdcd8e2adec168e7ee6cca5e9cd52 100644 (file)
--- a/bin/tests/system/isctest/vars/basic.py
+++ b/bin/tests/system/isctest/vars/basic.py
@@ -54,7 +54,6 @@ BASIC_VARS = {
     "PIPEQUERIES": f"{BUILD_VARS['TOP_BUILDDIR']}/pipequeries",
     "TMPDIR": os.getenv("TMPDIR", "/tmp"),
     "KRB5_CONFIG": "/dev/null",  # we don't want a KRB5_CONFIG setting breaking the tests
-    "KRB5_KTNAME": "dns.keytab",  # use local keytab instead of default /etc/krb5.keytab
     "LC_ALL": "C",
     "ANS_LOG_LEVEL": "debug",
     "DYLIB": ("dylib" if os.uname().sysname == "Darwin" else "so"),

diff --git a/bin/tests/system/nsupdate/ns10/named.conf.in b/bin/tests/system/nsupdate/ns10/named.conf.in
index 51a0b4f587373d972a9615687e706f07665c31e6..1ba82fa3d99cff787ba15b704631a553adf77887 100644 (file)
--- a/bin/tests/system/nsupdate/ns10/named.conf.in
+++ b/bin/tests/system/nsupdate/ns10/named.conf.in
@@ -26,7 +26,7 @@ options {
        notify yes;
        minimal-responses no;
        dnssec-validation no;
-       @TKEY_CONFIGURATION@
+       tkey-gssapi-keytab "dns.keytab";
 };
 
 key rndc_key {

diff --git a/bin/tests/system/nsupdate/ns9/named.conf.in b/bin/tests/system/nsupdate/ns9/named.conf.in
index 07e38d2d41a07b2df0bae59e20f2856ea185f696..7c3141ed4b6118e248297bd791d5abf53a5c9ccc 100644 (file)
--- a/bin/tests/system/nsupdate/ns9/named.conf.in
+++ b/bin/tests/system/nsupdate/ns9/named.conf.in
@@ -24,7 +24,7 @@ options {
        notify yes;
        minimal-responses no;
        dnssec-validation no;
-       @TKEY_CONFIGURATION@
+       tkey-gssapi-keytab "dns.keytab";
 };
 
 key rndc_key {

diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
index 38942ba2970ae0c2f13d6f99795455198f19ef09..d42af7f1e3db963b64bc43cca5fb1057858fef91 100644 (file)
--- a/bin/tests/system/nsupdate/setup.sh
+++ b/bin/tests/system/nsupdate/setup.sh
@@ -27,23 +27,8 @@ copy_setports ns5/named.conf.in ns5/named.conf
 copy_setports ns6/named.conf.in ns6/named.conf
 copy_setports ns7/named1.conf.in ns7/named.conf
 copy_setports ns8/named.conf.in ns8/named.conf
-
-# If "tkey-gssapi-credential" is set in the configuration and GSSAPI support is
-# not available, named will refuse to start.  As the test system framework does
-# not support starting named instances conditionally, ensure that
-# "tkey-gssapi-credential" is only present in named.conf if GSSAPI support is
-# available.
-copy_setports ns9/named.conf.in ns9/named.conf.in.tkey
-copy_setports ns10/named.conf.in ns10/named.conf.in.tkey
-if $FEATURETEST --gssapi; then
-  sed 's|@TKEY_CONFIGURATION@|tkey-gssapi-credential "DNS/ns9.example.com@EXAMPLE.COM";|' ns9/named.conf.in.tkey >ns9/named.conf
-  sed 's|@TKEY_CONFIGURATION@|tkey-gssapi-credential "DNS/ns10.example.com@EXAMPLE.COM";|' ns10/named.conf.in.tkey >ns10/named.conf
-else
-  sed 's|@TKEY_CONFIGURATION@||' ns9/named.conf.in.tkey >ns9/named.conf
-  sed 's|@TKEY_CONFIGURATION@||' ns10/named.conf.in.tkey >ns10/named.conf
-fi
-rm -f ns9/named.conf.in.tkey
-rm -f ns10/named.conf.in.tkey
+copy_setports ns9/named.conf.in ns9/named.conf
+copy_setports ns10/named.conf.in ns10/named.conf
 
 copy_setports verylarge.in verylarge