From: Matthijs Mekking Date: Wed, 15 Oct 2025 14:37:15 +0000 (+0200) Subject: Update kasp based system tests to new output X-Git-Tag: v9.21.16~11^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ef332721810e141b3a52a0f7118f2dce108fa6de;p=thirdparty%2Fbind9.git Update kasp based system tests to new output In addition fix some test bugs where we actually were testing against the wrong policy name. --- diff --git a/bin/tests/system/isctest/kasp.py b/bin/tests/system/isctest/kasp.py index 486b2063157..1a657a26dbb 100644 --- a/bin/tests/system/isctest/kasp.py +++ b/bin/tests/system/isctest/kasp.py @@ -486,6 +486,13 @@ class Key: def is_zsk(self) -> bool: return self.get_metadata("ZSK") == "yes" + def role(self) -> str: + if self.is_ksk() and self.is_zsk(): + return "CSK" + if self.is_ksk(): + return "KSK" + return "ZSK" + @property def algorithm(self) -> Algorithm: num = int(self.get_metadata("Algorithm")) 
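Review bot: The new `role()` method falls through to `return "ZSK"` for every key that is not a KSK, so a key whose `ZSK` metadata is not `yes` either would still be labelled a ZSK instead of being flagged. Because this label feeds the status assertion added to `check_dnssecstatus` in this same file, the last branch is better made explicit, for example `assert self.is_zsk(), f"key {self.tag} has neither KSK nor ZSK role"` before the final return, assuming such keys are never expected in these tests. A one-line docstring such as `"""Return "CSK", "KSK" or "ZSK" based on the key file's KSK/ZSK metadata."""` would also help, since `role()` is a plain method while the neighbouring `algorithm` is a property. The `Key` class starts and ends outside the hunk.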
@@ -844,25 +851,31 @@ def check_dnssec_verify(server, zone, tsig=None): assert verified -def check_dnssecstatus(server, zone, keys, policy=None, view=None): +def check_dnssecstatus(server, zone, keys, policy=None, view=None, verbose=False): # Call rndc dnssec -status on 'server' for 'zone'. Expect 'policy' in # the output. This is a loose verification, it just tests if the right # policy name is returned, and if all expected keys are listed. response = "" + + # Verbose output. + v = "" + if verbose: + v = "-v " + if view is None: - response = server.rndc(f"dnssec -status {zone}", log=False) + response = server.rndc(f"dnssec -status {v}{zone}", log=False) else: - response = server.rndc(f"dnssec -status {zone} in {view}", log=False) + response = server.rndc(f"dnssec -status {v}{zone} in {view}", log=False) if policy is None: assert "Zone does not have dnssec-policy" in response return - assert f"dnssec-policy: {policy}" in response + assert f"DNSSEC status for zone '{zone}' using policy '{policy}'" in response for key in keys: if not key.external: - assert f"key: {key.tag}" in response + assert f"{key.role()} {key.tag}" in response def _check_signatures( @@ -1250,6 +1263,7 @@ def check_rollover_step(server, config, policy, step): check_keytimes_flag = step.get("check-keytimes", True) zone_signed = step.get("zone-signed", True) manual_mode = step.get("manual-mode", False) + verbose = step.get("verbose", False) isctest.log.info(f"check rollover step {zone}") @@ -1311,7 +1325,7 @@ def check_rollover_step(server, config, policy, step): if check_keytimes_flag: check_keytimes(keys, expected) - check_dnssecstatus(server, zone, keys, policy=policy) + check_dnssecstatus(server, zone, keys, policy=policy, verbose=verbose) check_apex( server, zone, diff --git a/bin/tests/system/kasp/tests_kasp.py b/bin/tests/system/kasp/tests_kasp.py index c494b7a13cb..2d6aa4b46e8 100644 --- a/bin/tests/system/kasp/tests_kasp.py +++ b/bin/tests/system/kasp/tests_kasp.py 
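Review bot: The new key check in `check_dnssecstatus`, `assert f"{key.role()} {key.tag}" in response`, is an unanchored substring match, so an expected `ZSK 123` is also satisfied by a listed `ZSK 12345` and the test can pass even though the expected key is missing from the status output. The policy assertion is now delimited by quotes, which is presumably what exposed the wrong policy names corrected elsewhere in this commit, but the key assertion keeps the same prefix-match weakness. Anchoring the tag, for example `assert re.search(rf"\b{key.role()} {key.tag}\b", response)`, would close the gap; this assumes the tag is followed by a non-digit in the rndc output and that `re` is imported in kasp.py, neither of which is visible in this hunk. The comment at the top of the function could also state that `verbose=True` adds `-v` to the rndc command so that hidden keys are listed.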
@@ -342,7 +342,7 @@ def cb_remove_keyfiles(params, ksks=None, zsks=None): pytest.param( { "zone": "rsasha1-nsec3.kasp", - "policy": "rsasha1", + "policy": "rsasha1-nsec3", "config": kasp_config, "key-properties": rsa1_properties(7), }, @@ -939,7 +939,7 @@ def test_kasp_dynamic(ns3): # Standard dynamic zone. isctest.log.info("check dynamic zone is updated and signed after update") zone = "dynamic.kasp" - policy = "default" + policy = "default-dynamic" isctest.kasp.wait_keymgr_done(ns3, zone) @@ -1005,6 +1005,7 @@ def test_kasp_dynamic(ns3): # Dynamic, and inline-signing. zone = "dynamic-inline-signing.kasp" + policy = "default" isctest.kasp.wait_keymgr_done(ns3, zone) diff --git a/bin/tests/system/ksr/tests_ksr.py b/bin/tests/system/ksr/tests_ksr.py index 23faab0eae1..374865b042e 100644 --- a/bin/tests/system/ksr/tests_ksr.py +++ b/bin/tests/system/ksr/tests_ksr.py @@ -746,7 +746,9 @@ def test_ksr_common(ns1): # test zone is correctly signed # - check rndc dnssec -status output - isctest.kasp.check_dnssecstatus(ns1, zone, overlapping_zsks, policy=policy) + isctest.kasp.check_dnssecstatus( + ns1, zone, overlapping_zsks, policy=policy, verbose=True + ) # - dnssec_verify isctest.kasp.check_dnssec_verify(ns1, zone) # - check keys @@ -818,7 +820,7 @@ def test_ksr_lastbundle(ns1): # test zone is correctly signed # - check rndc dnssec -status output - isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy) + isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy, verbose=True) # - dnssec_verify isctest.kasp.check_dnssec_verify(ns1, zone) # - check keys @@ -895,7 +897,7 @@ def test_ksr_inthemiddle(ns1): # test zone is correctly signed # - check rndc dnssec -status output - isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy) + isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy, verbose=True) # - dnssec_verify isctest.kasp.check_dnssec_verify(ns1, zone) # - check keys 
@@ -1083,7 +1085,7 @@ def test_ksr_unlimited(ns1): # test zone is correctly signed # - check rndc dnssec -status output - isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy) + isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy, verbose=True) # - dnssec_verify isctest.kasp.check_dnssec_verify(ns1, zone) # - check keys @@ -1192,7 +1194,7 @@ def test_ksr_twotone(ns1): # test zone is correctly signed # - check rndc dnssec -status output - isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy) + isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy, verbose=True) # - dnssec_verify isctest.kasp.check_dnssec_verify(ns1, zone) # - check keys @@ -1269,7 +1271,7 @@ def test_ksr_kskroll(ns1): # test zone is correctly signed # - check rndc dnssec -status output - isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy) + isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy, verbose=True) # - dnssec_verify isctest.kasp.check_dnssec_verify(ns1, zone) # - check keys diff --git a/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_initial.py b/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_initial.py index d8178f623ef..0b96fb73289 100644 --- a/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_initial.py +++ b/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_initial.py @@ -27,7 +27,7 @@ from rollover.common import ( @pytest.mark.parametrize( "tld, policy", [ - param("kasp", "csk-algoroll"), + param("kasp", "csk-algoroll-kasp"), param("manual", "csk-algoroll-manual"), ], ) diff --git a/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_reconfig.py b/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_reconfig.py index 8b152b754fe..2fcbd6290af 100644 --- a/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_reconfig.py +++ b/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_reconfig.py 
@@ -330,5 +330,7 @@ def test_algoroll_csk_reconfig_step6(tld, ns6, alg, size): # keys have an unlimited lifetime. Fallback to the default # loadkeys interval. "nextev": TIMEDELTA["PT1H"], + # Include hidden keys in output. + "verbose": True, } isctest.kasp.check_rollover_step(ns6, CONFIG, policy, step) diff --git a/bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_reconfig.py b/bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_reconfig.py index 9de15ba2f13..590dc4ec3ca 100644 --- a/bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_reconfig.py +++ b/bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_reconfig.py @@ -319,6 +319,8 @@ def test_algoroll_ksk_zsk_reconfig_step5(tld, ns6, alg, size): # platforms by subtracting the number of seconds which passed # between key creation and invoking 'rndc reconfig'. "nextev": ALGOROLL_IRET - ALGOROLL_IRETKSK - ALGOROLL_KEYTTLPROP - TIME_PASSED, + # Include hidden keys in output. + "verbose": True, } isctest.kasp.check_rollover_step(ns6, CONFIG, policy, step) @@ -352,5 +354,7 @@ def test_algoroll_ksk_zsk_reconfig_step6(tld, ns6, alg, size): # keys have an unlimited lifetime. Fallback to the default # loadkeys interval. "nextev": TIMEDELTA["PT1H"], + # Include hidden keys in output. + "verbose": True, } isctest.kasp.check_rollover_step(ns6, CONFIG, policy, step) diff --git a/bin/tests/system/rollover-csk-roll1/tests_rollover_csk_roll1.py b/bin/tests/system/rollover-csk-roll1/tests_rollover_csk_roll1.py index b9c5861d86e..b4b31df6fde 100644 --- a/bin/tests/system/rollover-csk-roll1/tests_rollover_csk_roll1.py +++ b/bin/tests/system/rollover-csk-roll1/tests_rollover_csk_roll1.py 
@@ -404,6 +404,8 @@ def test_csk_roll1_step7(tld, alg, size, ns3): # This is the Lcsk, minus time passed since the key started signing, # minus the prepublication time. "nextev": CSK_LIFETIME - IRETZSK - IPUB - KEYTTLPROP, + # Include hidden keys in output. + "verbose": True, } isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step) diff --git a/bin/tests/system/rollover-csk-roll2/tests_rollover_csk_roll2.py b/bin/tests/system/rollover-csk-roll2/tests_rollover_csk_roll2.py index f63c565fc0b..d18b13fe5d2 100644 --- a/bin/tests/system/rollover-csk-roll2/tests_rollover_csk_roll2.py +++ b/bin/tests/system/rollover-csk-roll2/tests_rollover_csk_roll2.py @@ -376,6 +376,8 @@ def test_csk_roll2_step6(tld, alg, size, ns3): # Next key event is when the new successor needs to be published. # This is the Lcsk, minus time passed since the key was published. "nextev": CSK_LIFETIME - IRET - IPUB - KEYTTLPROP, + # Include hidden keys in output. + "verbose": True, } isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step) @@ -405,5 +407,7 @@ def test_csk_roll2_step7(tld, alg, size, ns3): ], "keyrelationships": [0, 1], "nextev": None, + # Include hidden keys in output. + "verbose": True, } isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step) diff --git a/bin/tests/system/rollover-ksk-doubleksk/tests_rollover_ksk_doubleksk.py b/bin/tests/system/rollover-ksk-doubleksk/tests_rollover_ksk_doubleksk.py index 9f01fdaca94..68dc712b0be 100644 --- a/bin/tests/system/rollover-ksk-doubleksk/tests_rollover_ksk_doubleksk.py +++ b/bin/tests/system/rollover-ksk-doubleksk/tests_rollover_ksk_doubleksk.py @@ -316,6 +316,8 @@ def test_ksk_doubleksk_step5(tld, alg, size, ns3): # Next key event is when the new successor needs to be published. # This is the KSK lifetime minus Ipub minus Iret minus time elapsed. "nextev": KSK_LIFETIME - KSK_IPUB - KSK_IRET - KSK_KEYTTLPROP, + # Include hidden keys in output. + "verbose": True, } isctest.kasp.check_rollover_step(ns3, KSK_CONFIG, policy, step) 
diff --git a/bin/tests/system/rollover-zsk-prepub/tests_rollover_zsk_prepublication.py b/bin/tests/system/rollover-zsk-prepub/tests_rollover_zsk_prepublication.py index 702c0f26ad4..30a5104c8b1 100644 --- a/bin/tests/system/rollover-zsk-prepub/tests_rollover_zsk_prepublication.py +++ b/bin/tests/system/rollover-zsk-prepub/tests_rollover_zsk_prepublication.py @@ -229,7 +229,7 @@ def test_zsk_prepub_step3(tld, alg, size, ns3): step["smooth"] = False step["nextev"] = Iret(CONFIG, smooth=False) - isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step) @pytest.mark.parametrize( @@ -322,6 +322,8 @@ def test_zsk_prepub_step5(tld, alg, size, ns3): # this is the zsk lifetime minus IRET minus IPUB minus time # elapsed. "nextev": ZSK_LIFETIME - IRET - IPUB - KEYTTLPROP, + # Include hidden keys in output. + "verbose": True, } isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)