Commit Graph
6287 Commits
Author SHA1 Message Date
Nicki Křížek 80967a2c66 Allow re-run of mkeys system test
On some slow systems, the test might intermittently fail due to inherent
timing issues. In our CI, this most often happens in the
system:gcc:8fips:amd64 jobs.

(cherry picked from commit a299650a6f)
2024-11-25 14:35:54 +00:00
Ondřej Surý 58a15d38c2 Remove redundant parentheses from the return statement
(cherry picked from commit 0258850f20)
2024-11-19 14:26:52 +01:00
Nicki Křížek 9ba60be870 Fix clean.sh removal omissions
- Ensure keyfromlabel token is cleaned up
- Remove forgotten clean.sh file
- Add missing enginepkcs11 test artifact

(cherry picked from commit 7dde34afac)
2024-11-12 11:21:15 +01:00
Nicki Křížek 0b9d3fbfea Ensure pytest runner get proper outcome from flaky reruns
When a test is re-run by the flaky plugin, the TestReport outcomes
collected in the pytest_runtest_makereport() hook should be overriden.
Each of the setup/call/teardown phases is reported again and since we
care about the overall outcome, their respective results should be
overriden so that only the outcome from the final test (re)run gets
reported.

Prior to this change, it lead to a situation where an extra_artifact
generated during the test might be ignored. This was caused because the
check was skipped, since the test was incorrectly considered as "failed"
in the case where the test would fail on the first run, but pass on a
subsequent flaky rerun.

(cherry picked from commit b66fb31dcb)
2024-11-12 10:20:27 +00:00
Nicki Křížek 0ed39d76dc Remove invocations and mentions of clean.sh
(cherry picked from commit f2cb2e5723)
2024-11-08 15:39:50 +01:00
Nicki Křížek c3a0af96ad Replace clean.sh files with extra_artifacts mark
The artifact lists in clean.sh and extra_artifacts might be slightly
different. The list was updated for each test to reflect the current
state.

(cherry picked from commit 7c259fe254)
2024-11-08 15:39:50 +01:00
Michał KępieńandNicki Křížek 95d3bbd5dc Add pytest fixture for checking test artifacts
Prior to introducing the pytest runner, clean.sh files were used as a
list of files that the test is expected to leave around as artifacts and
check that no extra files were created.

With the pytest runner, those scripts are no longer used, but the
ability to detect extraneous files is still useful. Add a new
"extra_artifacts" mark which can be used for the same purpose.

(cherry picked from commit 3a9f4edddc)
2024-11-08 15:39:50 +01:00
Matthijs MekkingandMark Andrews 1fcc346729 Add KSK roll test case
Add a test case for Offline KSK where during the lifespan of the Signed
Key Response a KSK rollover happens. Ensure that the correct DNSKEY,
CDNSKEY, and CDS records are published at the right times.

(cherry picked from commit 8cf5f972f4)
2024-11-04 01:10:34 +00:00
Matthijs MekkingandMark Andrews 2e5a2f4e81 Allow empty CDNSKEY/CDS RRset in ksr system test
When the zone is initially signed, the CDNSKEY/CDS RRset is not
immediately published. The DNSKEY and signatures must propagate first.
Adjust the test to allow for this case.

(cherry picked from commit 708927e03d)
2024-11-04 01:10:34 +00:00
Matthijs MekkingandMark Andrews a92fb659d3 dnssec-ksr keygen -o to create KSKs
Add an option to dnssec-ksr keygen, -o, to create KSKs instead of ZSKs.
This way, we can create a set of KSKS for a given period too.

For KSKs we also need to set timing metadata, including "SyncPublish"
and "SyncDelete". This functionality already exists in keymgr.c so
let's make the function accessible.

Replace dnssec-keygen calls with dnssec-ksr keygen for KSK in the
ksr system test and check keys for created KSKs as well. This requires
a slight modification of the check_keys function to take into account
KSK timings and metadata.

(cherry picked from commit 680aedb595)
2024-11-04 01:10:34 +00:00
Mark Andrews f793b28de4 Add missing $FEATURETEST --have-fips-dh
Notify over TLS only works if FIPS DH is supported.  Skip the system
tests parts that depend on it.

(cherry picked from commit 4f7e3e29a7)
2024-11-02 06:02:51 +00:00
Matthijs Mekking 9621369524 Match algorithms when checking signatures
In the ksr system test, the test_ksr_twotone case may fail if there
are two keys with the same keytag (but different algorithms), because
one key is expected to be signing and the other is not.

Switch to regular expression matching and include the algorithm in the
search string.

(cherry picked from commit 795fcc9f80)
2024-11-01 14:16:38 +00:00
Michal Nowak ba1d4cc4db Rewrite rsabigexponent system test to pytest
(cherry picked from commit cacff68e78)
2024-10-31 18:15:14 +00:00
Nicki Křížek 668544ec74 Support jinja2 templates in pytest runner
Configuration files in system tests which require some variables (e.g.
port numbers) filled in during test setup, can now use jinja2 templates
when `jinja2` python package is available.

Any `*.j2` file found within the system test directory will be
automatically rendered with the environment variables into a file
without the `.j2` extension by the pytest runner. E.g.
`ns1/named.conf.j2` will become `ns1/named.conf` during test setup. To
avoid automatic rendering, use `.j2.manual` extension and render the
files manually at test time.

New `templates` pytest fixture has been added. Its `render()` function
can be used to render a template with custom test variables. This can be
useful to fill in different config options during the test. With
advanced jinja2 template syntax, it can also be used to include/omit
entire sections of the config file rather than using `named1.conf.in`,
`named2.conf.in` etc.

(cherry picked from commit 60e118c4fb)
2024-10-31 09:40:46 +00:00
Matthijs Mekking 5c724d4c25 Fix CID 510858: Null ptr derefs in check_keys
Coverity Scan reported a new issue for the ksr system test. There
is allegedly a null pointer dereference (FORWARD_NULL) in check_keys().

This popped up because previously we set 'retired' to 0 in case of
unlimited lifetime, but we changed it to None.

It is actually a false positive, because if lifetime is unlimited
there will be only one key in 'keys'.

However, the code would be better if we always initialized 'active'
and if it is not the first key and retired is set, set the successor
key's active time to the retire time of the predecessor key.

(cherry picked from commit e777efb576)
2024-10-25 11:22:26 +00:00
Matthijs Mekking 8a598cb3bf Fix intermittent ksr test failure
The test_ksr_twotwone may fail if the key id is shorter than 5 digits.
Add a leading space to the expected strings which start with the key
tag to avoid the issue.

(cherry picked from commit d5f32f6990)
2024-10-25 07:47:01 +00:00
Nicki Křížek 93356d6b3a Add legacy.run.sh to .gitignore
While this file is no longer created / used in the main branch, it may
linger around when switching from maintenance branches.

(cherry picked from commit 6262d002bf)
2024-10-24 11:55:18 +00:00
Nicki Křížek 04200e4025 Make system tests compatible with pytest 8.0.0+
The pytest collection mechanism has been overhauled in pytest 8.0.0,
resulting in a different node tree when collecting the tests. Ensure the
paths / names we're using that are derived from the node tree are
consistent across different pytest versions.

Particularly, this has affected the convenience symlink name (which is
supposed to be in the form of e.g. dns64_sh_dns64 for the dns64 module
and tests_sh_dns64.py module) and the test name that's logged at the
start of the test, which is supposed to include the system test
directory relative to the root system test directory as well as the
module name (e.g. dns64/tests_sh_dns64.py).

Related https://github.com/pytest-dev/pytest/issues/7777

(cherry picked from commit 7118cbed98)
2024-10-24 11:55:18 +00:00
Timo EisenmannandMark Andrews a9faeb86aa Use correct certificates for TLS notify tests
Use tls-forward-secrecy instead of tls-expired for tls-x2 and regenerate
the expired certificate for tls-x6 to reflect the swap of ns2 and ns3.

(cherry picked from commit bbdc6b26aa)
2024-10-24 03:11:50 +00:00
Mark Andrews 08f12c70e6 swap ns2 and ns3 rolls in tls notify tests
Still need to regenerate the expired certificate as it has
the wrong IP address

(cherry picked from commit 87e287c984)
2024-10-24 03:11:50 +00:00
Timo EisenmannandMark Andrews 1b59467e82 Add system tests for notify over TLS
We use ns2 as the primary, and ns3 as the secondary server.

(cherry picked from commit e00beca8c5)
2024-10-24 03:11:50 +00:00
Nicki Křížek 2cdb8c90d1 Use UTC timezone when handling keys in kasp test library
When working with key timestamps, ensure we correctly set the UTC
timezone in order for the tests to work consistently regardless of the
local time setting.

(cherry picked from commit f840deba33)
2024-10-22 10:51:53 +02:00
Nicki Křížek fb9a87e8c5 Disable too-many/too-few pylint checks
Enforcing pylint standards and default for our test code seems
counter-productive. Since most of the newly added code are tests or is
test-related, encountering these checks rarely make us refactor the code
in other ways and we just disable these checks individually. Code that
is too complex or convoluted will be pointed out in reviews anyways.

(cherry picked from commit 7639c58c48)
2024-10-22 09:14:06 +02:00
Matthijs Mekking b46ddad5df Retry dnssec-verify in kasp test code
It is possible that the zone is not yet fully signed because it is
signed in batches. Retry the AXFR and verify command a couple of times.

(cherry picked from commit b8b3df0676)
2024-10-22 06:24:42 +00:00
Nicki KřížekandMatthijs Mekking f1fc2e1db4 Address pylint issues
(cherry picked from commit 3c6124a093)
2024-10-22 06:24:42 +00:00
Nicki KřížekandMatthijs Mekking fafb75ff8e Use difflib rather than diff cmd
(cherry picked from commit b7207fa3e7)
2024-10-22 06:24:42 +00:00
Nicki KřížekandMatthijs Mekking 36ab7489f7 Move algorithm defaults to check_keys()
(cherry picked from commit c9ecd2a618)
2024-10-22 06:24:42 +00:00
Nicki KřížekandMatthijs Mekking ba2fe0a830 Use f-strings
(cherry picked from commit 55ec9f94bc)
2024-10-22 06:24:42 +00:00
Nicki KřížekandMatthijs Mekking 3cffc34551 Simplify command invocation
(cherry picked from commit 732a959d9a)
2024-10-22 06:24:42 +00:00
Nicki KřížekandMatthijs Mekking 00ec96e6e6 Remove unused isctest/kasp code
(cherry picked from commit b5633462bf)
2024-10-22 06:24:42 +00:00
Nicki KřížekandMatthijs Mekking e806d8c6f5 Rename kasp function to check_*
If a function is expected to assert / raise on failure (rather than
return boolean), its name should start with "check_".

(cherry picked from commit 67957d1f54)
2024-10-22 06:24:42 +00:00
Nicki KřížekandMatthijs Mekking f5adeb6800 Use convenience wrappers for kasp key operations
(cherry picked from commit 2b0a8fcfb5)
2024-10-22 06:24:42 +00:00
Matthijs Mekking 288dce213a Convert ksr system test to pytest
Move all test cases from tests.sh to tests_ksr.py. The only test that
is not moved is the check that key id's match expected keys. The
shell-based system test checks two earlier set environment variables
against each other that has become redundant in the pytest variant,
because we now check the signed key response against a list of keys
and for each key we take into account the timing metadata. So we
already ensure that each published key is in the correct key bundle.

(cherry picked from commit a15bf6704b)
2024-10-22 06:24:42 +00:00
Matthijs Mekking 5d0144d006 Introduce pytest kasp library
Write initial pytest kasp library. This contains everything that is
required for testing Offline KSK functionality with pytest.

This includes:
- addtime: adding a value to a timing metadata
- get_timing_metdata: retrieve timing metadata from keyfile
- get_metadata/get_keystate: retrieve metadata from statefile
- get_keytag: retrieve keytag from base keyfile string
- get_keyrole: get key role from statefile
- dnskey_equals: compare DNSKEY record from file against a string
- cds_equals: compare CDS derived from file against a string
- zone_is_signed: wait until a zone is completely signed
- dnssec_verify: verify a DNSSEC signed zone with dnssec-verify
- check_dnssecstatus: check rndc dnssec -status output
- check_signatures: check that signatures for a given RRset are correct
- check_dnskeys: check that the published DNSKEY RRset is correct
- check_cds: check that the published CDS RRset is correct
- check_apex: check SOA, DNSKEY, CDNSKEY, and CDS RRset
- check_subdomain: check an RRset below the apex

(cherry picked from commit a3829990fd)
2024-10-22 06:24:42 +00:00
Matthijs Mekking 761758b0b1 Change dnssec-ksr key sorting
Sort keys on algorithm, then keytag. This is more convenient for
testing.

(cherry picked from commit ea1fc5c47b)
2024-10-22 06:24:42 +00:00
Mark Andrews 7116dd327a Add regression test for [GL #4991]
(cherry picked from commit 5a78f6b21b)
2024-10-22 00:12:32 +00:00
Michal Nowak 771a09ea71 Rewrite verify system test to pytest
(cherry picked from commit 091968f5fa)
2024-10-21 12:01:01 +00:00
Michal Nowak f814095b1a xfail upforwd system test if DNSTAP is enabled
(cherry picked from commit 0579e0a429)
2024-10-21 12:58:19 +02:00
Michal Nowak 02ac58e8ea Add with_dnstap mark
(cherry picked from commit a8b70abca1)
2024-10-21 12:58:17 +02:00
Mark Andrews 10a599d3e8 Add regression test for [GL #4987]
(cherry picked from commit 677abded6b)
2024-10-17 22:05:22 +00:00
Michal Nowak 369bbd9dad Remove unused sbytes, stime, n, response, and rtime variables
(cherry picked from commit 4857da271d)
2024-10-15 18:49:29 +00:00
Michal Nowak b5118a7e70 Rewrite tools system test to pytest
(cherry picked from commit 3f8e59330d)
2024-10-15 17:28:37 +00:00
Nicki Křížek 1dbeee61f8 Support dnspython 2.7.0
CookieOption with new .server/.client attributes (rather than .data) was
added to dnspython. Adjust the code to use the new attributes if
available and fall back to the old code for dnspython<2.7.0
compatibility.

(cherry picked from commit 0d90b13646)
2024-10-15 10:29:57 +00:00
Mark Andrews fd2f1bdf02 Test that the correct NSEC3 closest encloser is returned
(cherry picked from commit b457f64d4a)
2024-10-14 23:55:09 +00:00
Matthijs Mekking 25f39228e0 Test removing DNSKEYs from other providers
In a multi-signer setup, removing DNSKEY records from the zone should
not be treated as a key that previously exists in the keyring, thus
blocking the keymgr. Add a test case to make sure.

(cherry picked from commit 5f552293d7)
2024-10-14 10:03:59 +02:00
Matthijs Mekking 80d5b3877a Add additional test case with purged key
Test that if a key to be purged is in the keyring, it does not
prevent the keymgr from running. Normally a key that is in the keyring
should be available again on the next run, but that is not true for
a key that can be purged.

In addition, fix some wait_for_log calls, by adding the missing
'|| ret=1' parts.

(cherry picked from commit a2317425bc)
2024-10-14 10:03:19 +02:00
Matthijs Mekking 24e8e4294a Fix some system test cases
Some test cases were working but for the wrong reasons. These started
to fail when I implemented the first approach for #4763, where the
existence of a DNSKEY together with an empty keyring is suspicious and
would prevent the keymgr from running.

These are:

1. kasp: The multisigner-model2.kasp zone has ZSKs from other providers
   in the zone, but not yet its own keys. Pregenerate signing keys and
   add them to the unsigned zone as well.

2. kasp: The dynamic-signed-inline-signing.kasp zone has a key generated
   and added in the raw version of the zone. But the key file is stored
   outside the key-directory for the given zone. Add '-K keys' to the
   dnssec-keygen command.

(cherry picked from commit d1e263ef13)
2024-10-14 10:03:12 +02:00
Matthijs Mekking 2494275a8e Verify new key files before running keymgr
Prior to running the keymgr, first make sure that existing keys
are present in the new keylist. If not, treat this as an operational
error where the keys are made offline (temporarily), possibly unwanted.

(cherry picked from commit 5fdad05a8a)
2024-10-14 10:03:00 +02:00
Matthijs Mekking 04ae34cff6 Add test for missing key files, don't roll
In this specific case the key files are temporary unavailable, for
example because of an operator error, or a mount failure). In such
cases, BIND should not try to roll over these keys.

(cherry picked from commit a3afbd9d6f)
2024-10-14 07:19:37 +00:00
Matthijs Mekking d768dd1f5d Revert "fix: chg: Improve performance when looking for the closest encloser when returning NSEC3 proofs"
This reverts merge request !9436

(cherry picked from commit 0396bf98ee)
2024-10-10 09:29:52 +00:00