--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+{% for ta in trust_anchors %}
+ "@ta.domain@" @ta.type@ @ta.contents@;
+{% endfor %}
+};
from typing import Dict, List, Optional, Tuple, Union
import dns
+import dns.dnssec
+from dns.dnssectypes import DSDigest
import dns.rdatatype
import dns.rrset
import dns.tsig
import isctest.query
import isctest.util
from isctest.instance import NamedInstance
+from isctest.template import TrustAnchor
from isctest.vars.algorithms import Algorithm, ALL_ALGORITHMS_BY_NUM
DEFAULT_TTL = 300
), f"DNSKEY not found in {self.keyfile}"
return dnskey_rr
+ def into_ta(self, ta_type: str, dsdigest=DSDigest.SHA256) -> TrustAnchor:
+ dnskey = self.dnskey
+ if ta_type in ["static-ds", "initial-ds"]:
+ ds = dns.dnssec.make_ds(dnskey.name, dnskey[0], dsdigest)
+ parts = str(ds).split()
+ contents = " ".join(parts[:3]) + f' "{parts[3]}"'
+ elif ta_type in ["static-key", "initial-key"]:
+ parts = str(dnskey).split()
+ contents = " ".join(parts[4:7]) + f' "{"".join(parts[7:])}"'
+ else:
+ raise ValueError(f"invalid trust anchor type: {ta_type}")
+ return TrustAnchor(str(dnskey.name), ta_type, contents)
+
def is_ksk(self) -> bool:
return self.get_metadata("KSK") == "yes"
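Review bot: In the DS branch of `into_ta` only `parts[3]` is quoted, so if the text form of the DS record ever splits the digest into several whitespace-separated chunks, the trust anchor would carry a truncated digest without raising any error. The DNSKEY branch already avoids this by joining `parts[7:]`; the DS branch can match it with `contents = " ".join(parts[:3]) + f' "{"".join(parts[3:])}"'`. Both branches also depend on the exact column layout of `str(ds)` and `str(dnskey)`, and `dnskey[0]` picks the first record without complaint if the key file ever yields more than one, so a short docstring stating these assumptions would help. The enclosing class starts outside the hunk.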
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
+from dataclasses import dataclass
from pathlib import Path
from typing import Any, Dict, Optional, Union
]
for template in templates:
self.render(template[:-3], data)
+
+
+@dataclass
+class TrustAnchor:
+ domain: str
+ type: str
+ contents: str
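Review bot: `TrustAnchor` has no docstring, and nothing records that `contents` must already be in named.conf syntax with the key or digest quoted. That matters because the trust-anchors template emits `@ta.type@` and `@ta.contents@` verbatim and quotes only the domain. A docstring such as `"""One trust-anchors entry; type is the anchor keyword and contents is the pre-formatted, already quoted remainder of the statement."""` would make the contract visible to anyone who builds the object by hand instead of through `into_ta`. The class may continue past the visible lines.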