From a2317425bcd511477de21140a7182f494b5080e5 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Mon, 19 Aug 2024 09:46:56 +0200
Subject: [PATCH] Add additional test case with purged key

Test that if a key to be purged is in the keyring, it does not prevent the keymgr from running. Normally a key that is in the keyring should be available again on the next run, but that is not true for a key that can be purged.

In addition, fix some wait_for_log calls, by adding the missing '|| ret=1' parts.
---
 bin/tests/system/kasp/ns3/setup.sh | 6 ++++++
 bin/tests/system/kasp/tests.sh | 10 +++++-----
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh
index b136d572d7..85a88f5856 100644
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
@@ -322,6 +322,12 @@ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
 cp $infile $zonefile
 $SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 $SETTIME -s -g HIDDEN "$ZSK" >settime.out.$zone.3 2>&1
+# An old key that is being purged should not prevent keymgr to be run.
+T1="now-1y"
+T2="now-2y"
+oldtimes="-P $T2 -A $T2 -I $T1 -D $T1"
+OLD=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $oldtimes $zone 2>keygen.out.$zone.3)
+$SETTIME -s -g $H -k $H $T1 -z $H $T1 "$OLD" >settime.out.$zone.3 2>&1
 
 #
 # The zones at enable-dnssec.autosign represent the various steps of the
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index 40b971b261..cea5eb42a2 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
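Review bot: The new `$SETTIME -s -g $H -k $H $T1 -z $H $T1 "$OLD" >settime.out.$zone.3 2>&1` writes to the same file as the `$SETTIME -s -g HIDDEN "$ZSK" >settime.out.$zone.3 2>&1` context line directly above it, so the ZSK's settime output is overwritten and is not available when a setup failure has to be diagnosed; use the next free index, `>settime.out.$zone.4 2>&1`, and confirm that `keygen.out.$zone.3` is not already used by an earlier keygen in this zone block (that part of setup.sh is outside the hunk). `$H` is not defined in the hunk; it is presumably the hidden-state shorthand set earlier in the script, but the line above spells out `HIDDEN`, so picking one form keeps the block consistent. The comment would read better as `# An old key that is being purged should not prevent keymgr from running.`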
@@ -318,7 +318,7 @@ state_stat=$(key_get KEY1 STATE_STAT)
 
 nextpart $DIR/named.run >/dev/null
 rndccmd 10.53.0.3 loadkeys "$ZONE" >/dev/null || log_error "rndc loadkeys zone ${ZONE} failed"
-wait_for_log 3 "keymgr: $ZONE done" $DIR/named.run
+wait_for_log 3 "keymgr: $ZONE done" $DIR/named.run || ret=1
 privkey_stat2=$(key_stat "${basefile}.private")
 pubkey_stat2=$(key_stat "${basefile}.key")
 state_stat2=$(key_stat "${basefile}.state")
@@ -334,7 +334,7 @@ ret=0
 
 nextpart $DIR/named.run >/dev/null
 rndccmd 10.53.0.3 loadkeys "$ZONE" >/dev/null || log_error "rndc loadkeys zone ${ZONE} failed"
-wait_for_log 3 "keymgr: $ZONE done" $DIR/named.run
+wait_for_log 3 "keymgr: $ZONE done" $DIR/named.run || ret=1
 privkey_stat2=$(key_stat "${basefile}.private")
 pubkey_stat2=$(key_stat "${basefile}.key")
 state_stat2=$(key_stat "${basefile}.state")
@@ -1651,7 +1651,7 @@ check_rrsig_refresh
 echo_i "load keys for $ZONE, making sure a recently purged key is not an issue when verifying keys ($n)"
 ret=0
 rndccmd 10.53.0.3 loadkeys "$ZONE" >/dev/null || log_error "rndc loadkeys zone ${ZONE} failed"
-wait_for_log 3 "keymgr: $ZONE done" $DIR/named.run
+wait_for_log 3 "keymgr: $ZONE done" $DIR/named.run || ret=1
 grep "zone $ZONE/IN (signed): zone_rekey:zone_verifykeys failed: some key files are missing" $DIR/named.run && ret=1
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
@@ -5270,7 +5270,7 @@ dig_with_opts @10.53.0.6 example SOA >dig.out.ns6.test$n.soa1 || ret=1
 cp ns6/example2.db.in ns6/example.db || ret=1
 nextpart ns6/named.run >/dev/null
 rndccmd 10.53.0.6 reload || ret=1
-wait_for_log 3 "all zones loaded" ns6/named.run
+wait_for_log 3 "all zones loaded" ns6/named.run || ret=1
 # Check that the SOA SERIAL increases and check the TTLs (should be 300 as
 # defined in ns6/example2.db.in).
 retry_quiet 10 _check_soa_ttl 300 300 || ret=1
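Review bot: In the 1651 hunk, `wait_for_log 3 "keymgr: $ZONE done" $DIR/named.run || ret=1` follows the `rndccmd 10.53.0.3 loadkeys` with no `nextpart $DIR/named.run >/dev/null` in front of it, unlike the 318 and 334 hunks, so if wait_for_log searches from the last nextpart position the new `|| ret=1` can be satisfied by a `keymgr: $ZONE done` line left over from an earlier loadkeys rather than by this run. Since this is the test that exercises the purged key, a stale match would mask exactly the regression it is meant to catch. Adding `nextpart $DIR/named.run >/dev/null` before the `rndccmd` line, as the other loadkeys sites do, pins the wait to this reload. I cannot see whether check_rrsig_refresh or the lines above the hunk already advance nextpart, so verify that before changing it.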
@@ -5288,7 +5288,7 @@ cp ns6/example3.db.in ns6/example.db || ret=1
 rm ns6/example.db.jnl
 nextpart ns6/named.run >/dev/null
 start_server --noclean --restart --port ${PORT} ns6
-wait_for_log 3 "all zones loaded" ns6/named.run
+wait_for_log 3 "all zones loaded" ns6/named.run || ret=1
 # Check that the SOA SERIAL increases and check the TTLs (should be changed
 # from 300 to 400 as defined in ns6/example3.db.in).
 retry_quiet 10 _check_soa_ttl 300 400 || ret=1
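Review bot: `start_server --noclean --restart --port ${PORT} ns6` on the line above the changed one still has no status check, while the parallel `rndccmd 10.53.0.6 reload || ret=1` in the 5270 hunk does; if the restart fails the test only learns of it indirectly when `wait_for_log` times out three seconds later. `start_server --noclean --restart --port ${PORT} ns6 || ret=1` would report the failure at its source. The preceding `rm ns6/example.db.jnl` is likewise unchecked; if the journal may legitimately be absent at this point, `rm -f ns6/example.db.jnl` would make that explicit.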