Convert some special kasp test cases to pytest

This converts a special characters test case, a max-zone-ttl error check, and two cases of insecure zones. We no longer assert for having more than one DNSKEY and/or RRSIG records. If the zone is insecure, this is no longer always true. And we already check for the expected number of records in the check_dnskeys/check_signatures functions.
2025-08-31 06:25:31 +00:00 · 2025-03-14 13:42:30 +01:00
parent 0b41afbd15
commit 07ac0e6036
3 changed files with 50 additions and 64 deletions
--- a/bin/tests/system/isctest/kasp.py
+++ b/bin/tests/system/isctest/kasp.py
@@ -971,16 +971,13 @@ def check_apex(server, zone, ksks, zsks, tsig=None):

    # test dnskey query
    dnskeys, rrsigs = _query_rrset(server, fqdn, dns.rdatatype.DNSKEY, tsig=tsig)
-    assert len(dnskeys) > 0
    check_dnskeys(dnskeys, ksks, zsks)
-    assert len(rrsigs) > 0
    check_signatures(rrsigs, dns.rdatatype.DNSKEY, fqdn, ksks, zsks)

    # test soa query
    soa, rrsigs = _query_rrset(server, fqdn, dns.rdatatype.SOA, tsig=tsig)
    assert len(soa) == 1
    assert f"{zone}. {DEFAULT_TTL} IN SOA" in soa[0].to_text()
-    assert len(rrsigs) > 0
    check_signatures(rrsigs, dns.rdatatype.SOA, fqdn, ksks, zsks)

    # test cdnskey query
@@ -1016,7 +1013,6 @@ def check_subdomain(server, zone, ksks, zsks, tsig=None):
        else:
            assert match in rrset.to_text()

-    assert len(rrsigs) > 0
    check_signatures(rrsigs, qtype, fqdn, ksks, zsks)


--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -85,15 +85,6 @@ retry_quiet 30 _wait_for_done_apexnsec || ret=1
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))

-# Test max-zone-ttl rejects zones with too high TTL.
-n=$((n + 1))
-echo_i "check that max-zone-ttl rejects zones with too high TTL ($n)"
-ret=0
-set_zone "max-zone-ttl.kasp"
-grep "loading from master file ${ZONE}.db failed: out of range" "ns3/named.run" >/dev/null || ret=1
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
 set_keytimes_csk_policy() {
  # The first key is immediately published and activated.
  created=$(key_get KEY1 CREATED)
@@ -119,16 +110,6 @@ set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
 set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
 set_keystate "KEY1" "STATE_DS" "hidden"

-#
-# A zone with special characters.
-#
-set_zone "i-am.\":\;?&[]\@!\$*+,|=\.\(\)special.kasp."
-set_policy "default" "1" "3600"
-set_server "ns3" "10.53.0.3"
-# It is non-trivial to adapt the tests to deal with all possible different
-# escaping characters, so we will just try to verify the zone.
-dnssec_verify
-
 #
 # Zone: checkds-ksk.kasp.
 #
@@ -474,53 +455,16 @@ if [ $RSASHA1_SUPPORTED = 1 ]; then
  dnssec_verify
 fi

-#
-# Zone: unsigned.kasp.
-#
-set_zone "unsigned.kasp"
-set_policy "none" "0" "0"
-set_server "ns3" "10.53.0.3"
-
-key_clear "KEY1"
-key_clear "KEY2"
-key_clear "KEY3"
-key_clear "KEY4"
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-check_apex
-check_subdomain
-# Make sure the zone file is untouched.
-n=$((n + 1))
-echo_i "Make sure the zonefile for zone ${ZONE} is not edited ($n)"
-ret=0
-diff "${DIR}/${ZONE}.db.infile" "${DIR}/${ZONE}.db" || ret=1
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-#
-# Zone: insecure.kasp.
-#
-set_zone "insecure.kasp"
-set_policy "insecure" "0" "0"
-set_server "ns3" "10.53.0.3"
-
-key_clear "KEY1"
-key_clear "KEY2"
-key_clear "KEY3"
-key_clear "KEY4"
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-check_apex
-check_subdomain
-
 #
 # Zone: unlimited.kasp.
 #
 set_zone "unlimited.kasp"
 set_policy "unlimited" "1" "1234"
 set_server "ns3" "10.53.0.3"
+key_clear "KEY1"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
 # Key properties.
 set_keyrole "KEY1" "csk"
 set_keylifetime "KEY1" "0"
--- a/bin/tests/system/kasp/tests_kasp.py
+++ b/bin/tests/system/kasp/tests_kasp.py
@@ -338,6 +338,52 @@ def test_kasp_dynamic(servers):
    assert f"zone_resigninc: zone {zone}/IN (unsigned): enter" not in "ns3/named.run"


+def test_kasp_special_characters(servers):
+    server = servers["ns3"]
+
+    # A zone with special characters.
+    isctest.log.info("check special characters")
+
+    zone = r'i-am.":\;?&[]\@!\$*+,|=\.\(\)special.kasp'
+    # It is non-trivial to adapt the tests to deal with all possible different
+    # escaping characters, so we will just try to verify the zone.
+    isctest.kasp.check_dnssec_verify(server, zone)
+
+
+def test_kasp_insecure(servers):
+    server = servers["ns3"]
+
+    # Insecure zones.
+    isctest.log.info("check insecure zones")
+
+    zone = "insecure.kasp"
+    expected = []
+    keys = isctest.kasp.keydir_to_keylist(zone, "ns3")
+    isctest.kasp.check_keys(zone, keys, expected)
+    isctest.kasp.check_dnssecstatus(server, zone, keys, policy="insecure")
+    isctest.kasp.check_apex(server, zone, keys, [])
+    isctest.kasp.check_subdomain(server, zone, keys, [])
+
+    zone = "unsigned.kasp"
+    expected = []
+    keys = isctest.kasp.keydir_to_keylist(zone, "ns3")
+    isctest.kasp.check_keys(zone, keys, expected)
+    isctest.kasp.check_dnssecstatus(server, zone, keys, policy=None)
+    isctest.kasp.check_apex(server, zone, keys, [])
+    isctest.kasp.check_subdomain(server, zone, keys, [])
+    # Make sure the zone file is untouched.
+    isctest.check.file_contents_equal(f"ns3/{zone}.db.infile", f"ns3/{zone}.db")
+
+
+def test_kasp_bad_maxzonettl(servers):
+    server = servers["ns3"]
+
+    # check that max-zone-ttl rejects zones with too high TTL.
+    isctest.log.info("check max-zone-ttl rejects zones with too high TTL")
+    zone = "max-zone-ttl.kasp"
+    assert f"loading from master file {zone}.db failed: out of range" in server.log
+
+
 def test_kasp_dnssec_keygen():
    def keygen(zone, policy, keydir=None):
        if keydir is None: