Use new EDE helper in existing system tests

Previously, hasattr("extended_errors") was used as a check to detect a
mimumum required dnspython version in order to only perform the EDE
check if a new-enough dnspython was present. This is now abstracted into
isctest.check.ede().

In order to support dnspython<2.2.0, use isctest.compat.EDECode rather
than using dns.edns.EDECode directly.

diff --git a/bin/tests/system/dnssec/tests_validation.py b/bin/tests/system/dnssec/tests_validation.py
index a27a8999873b7016d2c9b5b27d9e6de4f4a7a6ac..ad298b39e867684db105af045b3026c373af1a94 100644 (file)
--- a/bin/tests/system/dnssec/tests_validation.py
+++ b/bin/tests/system/dnssec/tests_validation.py
@@ -14,11 +14,12 @@ import re
 import shutil
 import time
 
-from dns import edns, flags, name, rdataclass, rdatatype
+from dns import flags, name, rdataclass, rdatatype
 
 import pytest
 
 import isctest
+from isctest.compat import EDECode
 import isctest.mark
 from isctest.util import param
 
@@ -1131,8 +1132,7 @@ def test_expired_signatures(ns4):
     res = isctest.query.tcp(msg, "10.53.0.4")
     isctest.check.servfail(res)
     isctest.check.noadflag(res)
-    if hasattr(res, "extended_errors"):
-        assert res.extended_errors()[0].code == edns.EDECode.SIGNATURE_EXPIRED
+    isctest.check.ede(res, EDECode.SIGNATURE_EXPIRED)
     assert grep_q("expired.example/.*: RRSIG has expired", "ns4/named.run")
 
     # check future signatures do not validate
@@ -1140,8 +1140,7 @@ def test_expired_signatures(ns4):
     res = isctest.query.tcp(msg, "10.53.0.4")
     isctest.check.servfail(res)
     isctest.check.noadflag(res)
-    if hasattr(res, "extended_errors"):
-        assert res.extended_errors()[0].code == edns.EDECode.SIGNATURE_NOT_YET_VALID
+    isctest.check.ede(res, EDECode.SIGNATURE_NOT_YET_VALID)
     assert grep_q(
         "future.example/.*: RRSIG validity period has not begun", "ns4/named.run"
     )
@@ -1301,10 +1300,7 @@ def test_unknown_algorithms():
     res = isctest.query.tcp(msg, "10.53.0.4")
     isctest.check.noerror(res)
     isctest.check.noadflag(res)
-    if hasattr(res, "extended_errors"):
-        assert (
-            res.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM
-        )
+    isctest.check.ede(res, EDECode.UNSUPPORTED_DNSKEY_ALGORITHM)
 
     # check that DNSKEY with an unsupported reserve key validates
     msg = isctest.query.create("dnskey-unsupported-2.example", "DNSKEY")
@@ -1315,18 +1311,14 @@ def test_unknown_algorithms():
     # check EDE code 2 for unsupported DS digest algorithm
     msg = isctest.query.create("a.ds-unsupported.example", "A")
     res = isctest.query.tcp(msg, "10.53.0.4")
-    if hasattr(res, "extended_errors"):
-        assert res.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DS_DIGEST_TYPE
+    isctest.check.ede(res, EDECode.UNSUPPORTED_DS_DIGEST_TYPE)
 
     # check EDE code 1 for bad algorithm mnemonic
     msg = isctest.query.create("badalg.secure.example", "A")
     res = isctest.query.tcp(msg, "10.53.0.4")
     isctest.check.noerror(res)
     isctest.check.noadflag(res)
-    if hasattr(res, "extended_errors"):
-        assert (
-            res.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM
-        )
+    isctest.check.ede(res, EDECode.UNSUPPORTED_DNSKEY_ALGORITHM)
 
     # check that zone contents are still secure despite disable-algorithms
     # on query name (name below zone name).
@@ -1342,10 +1334,7 @@ def test_unknown_algorithms():
     isctest.check.rr_count_eq(res.answer, 2)
     isctest.check.noerror(res)
     isctest.check.noadflag(res)
-    if hasattr(res, "extended_errors"):
-        assert (
-            res.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM
-        )
+    isctest.check.ede(res, EDECode.UNSUPPORTED_DNSKEY_ALGORITHM)
 
     # check that DS records are still treated as secure at the
     # disable-algorithm name
@@ -1360,10 +1349,8 @@ def test_unknown_algorithms():
     msg = isctest.query.create("a.digest-alg-unsupported.example", "A")
     res = isctest.query.tcp(msg, "10.53.0.4")
     isctest.check.noadflag(res)
-    if hasattr(res, "extended_errors"):
-        codes = {ede.code for ede in res.extended_errors()}
-        assert edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM in codes
-        assert edns.EDECode.UNSUPPORTED_DS_DIGEST_TYPE in codes
+    isctest.check.ede(res, EDECode.UNSUPPORTED_DNSKEY_ALGORITHM)
+    isctest.check.ede(res, EDECode.UNSUPPORTED_DS_DIGEST_TYPE)
 
     # check that unknown DNSKEY algorithm + unknown NSEC3 hash algorithm
     # validates as insecure

diff --git a/bin/tests/system/dnssec/tests_validation_many_anchors.py b/bin/tests/system/dnssec/tests_validation_many_anchors.py
index 90b071ec584db69121007f1aff1b770a7539c828..a9865db2dce2037bc955e15afa34c35d1fa061c0 100644 (file)
--- a/bin/tests/system/dnssec/tests_validation_many_anchors.py
+++ b/bin/tests/system/dnssec/tests_validation_many_anchors.py
@@ -9,11 +9,11 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-from dns import edns
 
 import pytest
 
 import isctest
+from isctest.compat import EDECode
 from isctest.util import param
 
 # isctest.asyncserver requires dnspython >= 2.0.0
@@ -60,8 +60,7 @@ def test_trust_anchors():
     isctest.check.noerror(res1)
     isctest.check.noerror(res2)
     isctest.check.adflag(res2)
-    if hasattr(res2, "extended_errors"):
-        assert not res2.extended_errors()
+    isctest.check.noede(res2)
 
     msg = isctest.query.create("a.secure.managed", "A")
     res1 = isctest.query.tcp(msg, "10.53.0.3")
@@ -69,18 +68,14 @@ def test_trust_anchors():
     isctest.check.noerror(res1)
     isctest.check.noerror(res2)
     isctest.check.adflag(res2)
-    if hasattr(res2, "extended_errors"):
-        assert not res2.extended_errors()
+    isctest.check.noede(res2)
 
     # check that an unsupported signing algorithm yields insecure
     msg = isctest.query.create("a.unsupported.trusted", "A")
     res1 = isctest.query.tcp(msg, "10.53.0.3")
     res2 = isctest.query.tcp(msg, "10.53.0.5")
     isctest.check.noerror(res1)
-    if hasattr(res2, "extended_errors"):
-        assert (
-            res2.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM
-        )
+    isctest.check.ede(res2, EDECode.UNSUPPORTED_DNSKEY_ALGORITHM)
     isctest.check.noerror(res2)
     isctest.check.noadflag(res2)
 
@@ -88,10 +83,7 @@ def test_trust_anchors():
     res1 = isctest.query.tcp(msg, "10.53.0.3")
     res2 = isctest.query.tcp(msg, "10.53.0.5")
     isctest.check.noerror(res1)
-    if hasattr(res2, "extended_errors"):
-        assert (
-            res2.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM
-        )
+    isctest.check.ede(res2, EDECode.UNSUPPORTED_DNSKEY_ALGORITHM)
     isctest.check.noerror(res2)
     isctest.check.noadflag(res2)
 

diff --git a/bin/tests/system/ede24/common.py b/bin/tests/system/ede24/common.py
index 89b37b2993c152b8e6fcf11804c450bca06e2d8a..069ddd2ef5971cbd20ae61d2202a13c44bd9b24f 100644 (file)
--- a/bin/tests/system/ede24/common.py
+++ b/bin/tests/system/ede24/common.py
@@ -10,6 +10,7 @@
 # information regarding copyright ownership.
 
 import isctest
+from isctest.compat import EDECode
 
 
 def check_soa_noerror():
@@ -22,13 +23,7 @@ def check_soa_servfail_ede24(edemsg):
     msg = isctest.query.create("foo.fr", "SOA")
     res = isctest.query.udp(msg, "10.53.0.2")
     isctest.check.servfail(res)
-
-    # Few CI machines uses old version of dnspython which doesn't supports
-    # EDNS, so we effectively bypass the check for those one. (It's fine, a
-    # bunch of other CI machines _does_ have recent version of dnspython).
-    if hasattr(res, "extended_errors"):
-        assert len(res.extended_errors()) == 1
-        assert res.extended_errors()[0].to_text() == f"EDE 24 (Invalid Data): {edemsg}"
+    isctest.check.ede(res, EDECode.INVALID_DATA, edemsg)
 
 
 def check_ns2_ready(ns2):