From: Nicki Křížek Date: Thu, 30 Oct 2025 17:12:25 +0000 (+0100) Subject: Use new EDE helper in existing system tests X-Git-Tag: v9.21.16~55^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f9858e4739ad589f25ae600fb9e336d8930b7352;p=thirdparty%2Fbind9.git Use new EDE helper in existing system tests Previously, hasattr("extended_errors") was used as a check to detect a mimumum required dnspython version in order to only perform the EDE check if a new-enough dnspython was present. This is now abstracted into isctest.check.ede(). In order to support dnspython<2.2.0, use isctest.compat.EDECode rather than using dns.edns.EDECode directly.
---
diff --git a/bin/tests/system/dnssec/tests_validation.py b/bin/tests/system/dnssec/tests_validation.py
index a27a8999873..ad298b39e86 100644
--- a/bin/tests/system/dnssec/tests_validation.py
+++ b/bin/tests/system/dnssec/tests_validation.py
@@ -14,11 +14,12 @@ import re
 import shutil
 import time
-from dns import edns, flags, name, rdataclass, rdatatype
+from dns import flags, name, rdataclass, rdatatype
 import pytest
 import isctest
+from isctest.compat import EDECode
 import isctest.mark
 from isctest.util import param
@@ -1131,8 +1132,7 @@ def test_expired_signatures(ns4):
 res = isctest.query.tcp(msg, "10.53.0.4")
 isctest.check.servfail(res)
 isctest.check.noadflag(res)
- if hasattr(res, "extended_errors"):
- assert res.extended_errors()[0].code == edns.EDECode.SIGNATURE_EXPIRED
+ isctest.check.ede(res, EDECode.SIGNATURE_EXPIRED)
 assert grep_q("expired.example/.*: RRSIG has expired", "ns4/named.run")
 # check future signatures do not validate
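Review bot: The removed assertion in the `@@ -1131` hunk pinned `res.extended_errors()[0].code`, whereas `isctest.check.ede(res, EDECode.SIGNATURE_EXPIRED)` appears to accept the code anywhere in the EDE list. That is inferred from the `@@ -1360` hunk, which calls the helper twice on one response with two different codes; the helper's definition is not part of this diff, so it should be confirmed there. If the reading is right, an unexpected extra EDE ahead of or alongside the expected one no longer fails the test, and the same holds for the `@@ -1140`, `@@ -1301`, `@@ -1315` and `@@ -1342` hunks and for the two UNSUPPORTED_DNSKEY_ALGORITHM checks in tests_validation_many_anchors.py. Where exactly one EDE is expected, a comment at the call such as `# helper checks presence only; additional EDEs are not rejected` would make the weaker guarantee explicit. test_expired_signatures starts and ends outside the hunk.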
@@ -1140,8 +1140,7 @@ def test_expired_signatures(ns4):
 res = isctest.query.tcp(msg, "10.53.0.4")
 isctest.check.servfail(res)
 isctest.check.noadflag(res)
- if hasattr(res, "extended_errors"):
- assert res.extended_errors()[0].code == edns.EDECode.SIGNATURE_NOT_YET_VALID
+ isctest.check.ede(res, EDECode.SIGNATURE_NOT_YET_VALID)
 assert grep_q(
 "future.example/.*: RRSIG validity period has not begun", "ns4/named.run"
 )
@@ -1301,10 +1300,7 @@ def test_unknown_algorithms():
 res = isctest.query.tcp(msg, "10.53.0.4")
 isctest.check.noerror(res)
 isctest.check.noadflag(res)
- if hasattr(res, "extended_errors"):
- assert (
- res.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM
- )
+ isctest.check.ede(res, EDECode.UNSUPPORTED_DNSKEY_ALGORITHM)
 # check that DNSKEY with an unsupported reserve key validates
 msg = isctest.query.create("dnskey-unsupported-2.example", "DNSKEY")
@@ -1315,18 +1311,14 @@ def test_unknown_algorithms():
 # check EDE code 2 for unsupported DS digest algorithm
 msg = isctest.query.create("a.ds-unsupported.example", "A")
 res = isctest.query.tcp(msg, "10.53.0.4")
- if hasattr(res, "extended_errors"):
- assert res.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DS_DIGEST_TYPE
+ isctest.check.ede(res, EDECode.UNSUPPORTED_DS_DIGEST_TYPE)
 # check EDE code 1 for bad algorithm mnemonic
 msg = isctest.query.create("badalg.secure.example", "A")
 res = isctest.query.tcp(msg, "10.53.0.4")
 isctest.check.noerror(res)
 isctest.check.noadflag(res)
- if hasattr(res, "extended_errors"):
- assert (
- res.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM
- )
+ isctest.check.ede(res, EDECode.UNSUPPORTED_DNSKEY_ALGORITHM)
 # check that zone contents are still secure despite disable-algorithms
 # on query name (name below zone name).
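Review bot: In the `@@ -1315` hunk the `a.ds-unsupported.example` query has no rcode or AD-flag assertion, so `isctest.check.ede(res, EDECode.UNSUPPORTED_DS_DIGEST_TYPE)` is the stanza's only check. The commit message says the helper performs the EDE check only when dnspython is new enough, so on older runners this stanza would assert nothing about the response. The neighbouring unsupported-algorithm stanzas call `isctest.check.noerror(res)` and `isctest.check.noadflag(res)` first; adding `isctest.check.noadflag(res)` before the EDE check here would keep a validation-state assertion that does not depend on the dnspython version, assuming this answer is expected to be treated as insecure like the others. test_unknown_algorithms extends beyond the hunk on both sides.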
@@ -1342,10 +1334,7 @@ def test_unknown_algorithms():
 isctest.check.rr_count_eq(res.answer, 2)
 isctest.check.noerror(res)
 isctest.check.noadflag(res)
- if hasattr(res, "extended_errors"):
- assert (
- res.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM
- )
+ isctest.check.ede(res, EDECode.UNSUPPORTED_DNSKEY_ALGORITHM)
 # check that DS records are still treated as secure at the
 # disable-algorithm name
@@ -1360,10 +1349,8 @@ def test_unknown_algorithms():
 msg = isctest.query.create("a.digest-alg-unsupported.example", "A")
 res = isctest.query.tcp(msg, "10.53.0.4")
 isctest.check.noadflag(res)
- if hasattr(res, "extended_errors"):
- codes = {ede.code for ede in res.extended_errors()}
- assert edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM in codes
- assert edns.EDECode.UNSUPPORTED_DS_DIGEST_TYPE in codes
+ isctest.check.ede(res, EDECode.UNSUPPORTED_DNSKEY_ALGORITHM)
+ isctest.check.ede(res, EDECode.UNSUPPORTED_DS_DIGEST_TYPE)
 # check that unknown DNSKEY algorithm + unknown NSEC3 hash algorithm
 # validates as insecure
diff --git a/bin/tests/system/dnssec/tests_validation_many_anchors.py b/bin/tests/system/dnssec/tests_validation_many_anchors.py
index 90b071ec584..a9865db2dce 100644
--- a/bin/tests/system/dnssec/tests_validation_many_anchors.py
+++ b/bin/tests/system/dnssec/tests_validation_many_anchors.py
@@ -9,11 +9,11 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
-from dns import edns
 import pytest
 import isctest
+from isctest.compat import EDECode
 from isctest.util import param
 # isctest.asyncserver requires dnspython >= 2.0.0
@@ -60,8 +60,7 @@ def test_trust_anchors():
 isctest.check.noerror(res1)
 isctest.check.noerror(res2)
 isctest.check.adflag(res2)
- if hasattr(res2, "extended_errors"):
- assert not res2.extended_errors()
+ isctest.check.noede(res2)
 msg = isctest.query.create("a.secure.managed", "A")
 res1 = isctest.query.tcp(msg, "10.53.0.3")
@@ -69,18 +68,14 @@ def test_trust_anchors():
 isctest.check.noerror(res1)
 isctest.check.noerror(res2)
 isctest.check.adflag(res2)
- if hasattr(res2, "extended_errors"):
- assert not res2.extended_errors()
+ isctest.check.noede(res2)
 # check that an unsupported signing algorithm yields insecure
 msg = isctest.query.create("a.unsupported.trusted", "A")
 res1 = isctest.query.tcp(msg, "10.53.0.3")
 res2 = isctest.query.tcp(msg, "10.53.0.5")
 isctest.check.noerror(res1)
- if hasattr(res2, "extended_errors"):
- assert (
- res2.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM
- )
+ isctest.check.ede(res2, EDECode.UNSUPPORTED_DNSKEY_ALGORITHM)
 isctest.check.noerror(res2)
 isctest.check.noadflag(res2)
@@ -88,10 +83,7 @@ def test_trust_anchors():
 res1 = isctest.query.tcp(msg, "10.53.0.3")
 res2 = isctest.query.tcp(msg, "10.53.0.5")
 isctest.check.noerror(res1)
- if hasattr(res2, "extended_errors"):
- assert (
- res2.extended_errors()[0].code == edns.EDECode.UNSUPPORTED_DNSKEY_ALGORITHM
- )
+ isctest.check.ede(res2, EDECode.UNSUPPORTED_DNSKEY_ALGORITHM)
 isctest.check.noerror(res2)
 isctest.check.noadflag(res2)
diff --git a/bin/tests/system/ede24/common.py b/bin/tests/system/ede24/common.py
index 89b37b2993c..069ddd2ef59 100644
--- a/bin/tests/system/ede24/common.py
+++ b/bin/tests/system/ede24/common.py
@@ -10,6 +10,7 @@
 # information regarding copyright ownership.
 import isctest
+from isctest.compat import EDECode
 def check_soa_noerror():
@@ -22,13 +23,7 @@ def check_soa_servfail_ede24(edemsg):
 msg = isctest.query.create("foo.fr", "SOA")
 res = isctest.query.udp(msg, "10.53.0.2")
 isctest.check.servfail(res)
-
- # Few CI machines uses old version of dnspython which doesn't supports
- # EDNS, so we effectively bypass the check for those one. (It's fine, a
- # bunch of other CI machines _does_ have recent version of dnspython).
- if hasattr(res, "extended_errors"):
- assert len(res.extended_errors()) == 1
- assert res.extended_errors()[0].to_text() == f"EDE 24 (Invalid Data): {edemsg}"
+ isctest.check.ede(res, EDECode.INVALID_DATA, edemsg)
 def check_ns2_ready(ns2):
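Review bot: The removed block in check_soa_servfail_ede24 asserted `len(res.extended_errors()) == 1` and an exact `to_text()` match, and it is not visible in this diff whether `isctest.check.ede(res, EDECode.INVALID_DATA, edemsg)` still requires a single EDE and compares `edemsg` exactly rather than as a substring. The removed comment was also the only note at this call site that the check is bypassed on old dnspython, so a reader can no longer tell that a pass may mean the EDE was never inspected. A one-line replacement such as `# EDE is only verified when dnspython supports it; see isctest.check.ede()` would keep that visible, and if the helper is looser about count or text that should be stated there too.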