From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Thu, 24 Apr 2025 13:04:35 +0000 (+0200)
Subject: dnsdist: Test that we can iterate on DNSCrypt binds and reload their certificates
X-Git-Tag: dnsdist-2.0.0-alpha2~41^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e2264a1cddae620bcaff5563407252a6e20d9df4;p=thirdparty%2Fpdns.git

dnsdist: Test that we can iterate on DNSCrypt binds and reload their certificates
---

diff --git a/regression-tests.dnsdist/test_DNSCrypt.py b/regression-tests.dnsdist/test_DNSCrypt.py
index 9a9a91b23f..05f96d94e4 100644
--- a/regression-tests.dnsdist/test_DNSCrypt.py
+++ b/regression-tests.dnsdist/test_DNSCrypt.py
@@ -375,45 +375,60 @@ class TestDNSCryptWithCache(DNSCryptTest):
 class TestDNSCryptAutomaticRotation(DNSCryptTest):
     _config_template = """
     setKey("%s")
-    controlSocket("127.0.0.1:%s")
+    controlSocket("127.0.0.1:%d")
     generateDNSCryptCertificate("DNSCryptProviderPrivate.key", "DNSCryptResolver.cert", "DNSCryptResolver.key", %d, %d, %d)
     addDNSCryptBind("127.0.0.1:%d", "%s", "DNSCryptResolver.cert", "DNSCryptResolver.key")
-    newServer{address="127.0.0.1:%s"}
+    addDNSCryptBind("127.0.0.1:%d", "%s", "DNSCryptResolver.cert", "DNSCryptResolver.key")
+    newServer{address="127.0.0.1:%d"}
 
     local last = 0
-    serial = %d
+    local serial = %d
+    dnscrypt_errors = 0
+
     function reloadCallback()
       local now = os.time()
       if ((now - last) > 2) then
         serial = serial + 1
-        getDNSCryptBind(0):generateAndLoadInMemoryCertificate('DNSCryptProviderPrivate.key', serial, now - 60, now + 120)
+        for idx = 0, getDNSCryptBindCount() - 1 do
+          if not getDNSCryptBind(idx):generateAndLoadInMemoryCertificate('DNSCryptProviderPrivate.key', serial, now - 60, now + 120) then
+            dnscrypt_errors = dnscrypt_errors + 1
+            break
+          end
+        end
         last = now
       end
     end
+
     addMaintenanceCallback(reloadCallback)
     """
 
-    _config_params = ['_consoleKeyB64', '_consolePort', '_resolverCertificateSerial', '_resolverCertificateValidFrom', '_resolverCertificateValidUntil', '_dnsDistPortDNSCrypt', '_providerName', '_testServerPort', '_resolverCertificateSerial']
+    _dnsDistPortDNSCrypt2 = pickAvailablePort()
+    _config_params = ['_consoleKeyB64', '_consolePort', '_resolverCertificateSerial', '_resolverCertificateValidFrom', '_resolverCertificateValidUntil', '_dnsDistPortDNSCrypt', '_providerName', '_dnsDistPortDNSCrypt2', '_providerName', '_testServerPort', '_resolverCertificateSerial']
 
     def testCertRotation(self):
         """
         DNSCrypt: automatic certificate rotation
         """
-        client = dnscrypt.DNSCryptClient(self._providerName, self._providerFingerprint, "127.0.0.1", self._dnsDistPortDNSCrypt)
-
-        client.refreshResolverCertificates()
-        cert = client.getResolverCertificate()
-        self.assertTrue(cert)
-        firstSerial = cert.serial
-        self.assertGreaterEqual(cert.serial, self._resolverCertificateSerial)
+        clients = []
+        serials = {}
+        for port in [self._dnsDistPortDNSCrypt, self._dnsDistPortDNSCrypt2]:
+            clients.append(dnscrypt.DNSCryptClient(self._providerName, self._providerFingerprint, "127.0.0.1", port))
+
+        for client in clients:
+            client.refreshResolverCertificates()
+            cert = client.getResolverCertificate()
+            self.assertTrue(cert)
+            serials[client] = cert.serial
+            self.assertGreaterEqual(cert.serial, self._resolverCertificateSerial)
 
         time.sleep(3)
 
-        client.refreshResolverCertificates()
-        cert = client.getResolverCertificate()
-        self.assertTrue(cert)
-        secondSerial = cert.serial
-        self.assertGreater(cert.serial, firstSerial)
+        for client in clients:
+            client.refreshResolverCertificates()
+            cert = client.getResolverCertificate()
+            self.assertTrue(cert)
+            secondSerial = cert.serial
+            self.assertGreater(cert.serial, serials[client])
 
         name = 'automatic-rotation.dnscrypt.tests.powerdns.com.'
         query = dns.message.make_query(name, 'A', 'IN')
@@ -425,5 +440,9 @@ class TestDNSCryptAutomaticRotation(DNSCryptTest):
                                     '192.2.0.1')
         response.answer.append(rrset)
 
-        self.doDNSCryptQuery(client, query, response, False)
-        self.doDNSCryptQuery(client, query, response, True)
+        for client in clients:
+            self.doDNSCryptQuery(client, query, response, False)
+            self.doDNSCryptQuery(client, query, response, True)
+
+        counter = self.sendConsoleCommand("return dnscrypt_errors")
+        self.assertEqual(counter.strip(), "0")