Use common test functions for three-is-a-crowd test

Previously, a lot of the checking was re-implemented and duplicated from check_rollover_step(). Use that function where possible and only override the needed checks.
2025-08-31 06:25:31 +00:00 · 2025-06-10 16:03:26 +02:00
parent bd5a55c5b7
commit d6dffe6603
2 changed files with 37 additions and 36 deletions
--- a/bin/tests/system/isctest/kasp.py
+++ b/bin/tests/system/isctest/kasp.py
@@ -1168,7 +1168,7 @@ def check_subdomain(
 def check_rollover_step(server, config, policy, step):
    zone = step["zone"]
    keyprops = step["keyprops"]
-    nextev = step["nextev"]
+    nextev = step.get("nextev", None)
    cdss = step.get("cdss", None)
    keyrelationships = step.get("keyrelationships", None)
    smooth = step.get("smooth", False)
@@ -1244,7 +1244,8 @@ def check_rollover_step(server, config, policy, step):
    def check_next_key_event():
        return next_key_event_equals(server, zone, nextev)

-    isctest.run.retry_with_timeout(check_next_key_event, timeout=5)
+    if nextev is not None:
+        isctest.run.retry_with_timeout(check_next_key_event, timeout=5)


 def verify_update_is_signed(server, fqdn, qname, qtype, rdata, ksks, zsks, tsig=None):
--- a/bin/tests/system/rollover/tests_rollover.py
+++ b/bin/tests/system/rollover/tests_rollover.py
@@ -564,51 +564,52 @@ def test_rollover_ksk_doubleksk(servers):
    iret = Iret(config, zsk=False, ksk=True)

    # Test #2375: Scheduled rollovers are happening faster than they can finish.
-    zone = "three-is-a-crowd.kasp"
    isctest.log.info(
        "check that fast rollovers do not remove dependent keys from zone (#2375)"
    )
    offset1 = -int(timedelta(days=60).total_seconds())
    offset2 = -int(timedelta(hours=27).total_seconds())
-    isctest.kasp.check_dnssec_verify(server, zone)
-    keyprops = [
-        f"ksk {lifetime_policy} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{offset1}",
-        f"ksk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{offset2}",
-        f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offset1}",
-    ]
-    expected = isctest.kasp.policy_to_properties(ttl, keyprops)
-    keys = isctest.kasp.keydir_to_keylist(zone, server.identifier)
-    ksks = [k for k in keys if k.is_ksk()]
-    zsks = [k for k in keys if not k.is_ksk()]
-    isctest.kasp.check_keys(zone, keys, expected)
-    expected[0].metadata["Successor"] = expected[1].key.tag
-    expected[1].metadata["Predecessor"] = expected[0].key.tag
-    isctest.kasp.check_keyrelationships(keys, expected)
-    for kp in expected:
-        kp.set_expected_keytimes(config, offset=None)
-    isctest.kasp.check_keytimes(keys, expected)
-    isctest.kasp.check_dnssecstatus(server, zone, keys, policy=policy)
-    isctest.kasp.check_apex(server, zone, ksks, zsks, cdss=cdss)
-    isctest.kasp.check_subdomain(server, zone, ksks, zsks)
+    zone = "three-is-a-crowd.kasp"
+    step = {
+        "zone": zone,
+        "cdss": cdss,
+        "keyprops": [
+            f"ksk {lifetime_policy} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{offset1}",
+            f"ksk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{offset2}",
+            f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offset1}",
+        ],
+        "keyrelationships": [0, 1],
+    }
+    isctest.kasp.check_rollover_step(servers["ns3"], config, policy, step)
+
    # Rollover successor KSK (with DS in rumoured state).
+    expected = isctest.kasp.policy_to_properties(ttl, step["keyprops"])
+    keys = isctest.kasp.keydir_to_keylist(zone, server.identifier)
+    isctest.kasp.check_keys(zone, keys, expected)
    key = expected[1].key
    now = KeyTimingMetadata.now()
    with server.watch_log_from_here() as watcher:
        server.rndc(f"dnssec -rollover -key {key.tag} -when {now} {zone}")
        watcher.wait_for_line(f"keymgr: {zone} done")
-    isctest.kasp.check_dnssec_verify(server, zone)
+
    # We now expect four keys (3x KSK, 1x ZSK).
-    keyprops = [
-        f"ksk {lifetime_policy} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{offset1}",
-        f"ksk {lifetime_policy} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{offset2}",
-        f"ksk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden offset:0",
-        f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offset1}",
-    ]
-    expected = isctest.kasp.policy_to_properties(ttl, keyprops)
+    step = {
+        "zone": zone,
+        "cdss": cdss,
+        "keyprops": [
+            f"ksk {lifetime_policy} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{offset1}",
+            f"ksk {lifetime_policy} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{offset2}",
+            f"ksk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden offset:0",
+            f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offset1}",
+        ],
+        "check-keytimes": False,  # checked manually with modified values
+    }
+    isctest.kasp.check_rollover_step(servers["ns3"], config, policy, step)
+
+    expected = isctest.kasp.policy_to_properties(ttl, step["keyprops"])
    keys = isctest.kasp.keydir_to_keylist(zone, server.identifier)
-    ksks = [k for k in keys if k.is_ksk()]
-    zsks = [k for k in keys if not k.is_ksk()]
    isctest.kasp.check_keys(zone, keys, expected)
+
    expected[0].metadata["Successor"] = expected[1].key.tag
    expected[1].metadata["Predecessor"] = expected[0].key.tag
    # Three is a crowd scenario.
@@ -617,10 +618,9 @@ def test_rollover_ksk_doubleksk(servers):
    isctest.kasp.check_keyrelationships(keys, expected)
    for kp in expected:
        kp.set_expected_keytimes(config, offset=None)
+
    # The first successor KSK is already being retired.
    expected[1].timing["Retired"] = now + ipub
    expected[1].timing["Removed"] = now + ipub + iret
+
    isctest.kasp.check_keytimes(keys, expected)
-    isctest.kasp.check_dnssecstatus(server, zone, keys, policy=policy)
-    isctest.kasp.check_apex(server, zone, ksks, zsks, cdss=cdss)
-    isctest.kasp.check_subdomain(server, zone, ksks, zsks)