Convert keystore and rumoured kasp test cases

For 'keystore.kasp', a setting 'key-directories' is used. If set, this will expect a list of two directories, the first one is where the KSKs will be stored, the second in the list is the ZSK key directory. This may be expanded in the future to test more complex key storage cases. The 'rumoured.kasp' zone is weird, the key timings can never match those key states. But it is a regression test for an early day bug, so we convert it, but skip the expected key times check.
2025-09-02 23:55:27 +00:00 · 2025-03-17 15:32:43 +01:00
parent 5f23f750c2
commit ee7120eb34
2 changed files with 42 additions and 120 deletions
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -400,120 +400,6 @@ set_keytimes_algorithm_policy() {
  set_addkeytime "KEY3" "REMOVED" "${retired}" 867900
 }

-#
-# Zone: keystore.kasp.
-#
-set_zone "keystore.kasp"
-set_policy "keystore" "2" "303"
-set_server "ns3" "10.53.0.3"
-# Key properties.
-key_clear "KEY1"
-set_keyrole "KEY1" "ksk"
-set_keylifetime "KEY1" "0"
-set_keydir "KEY1" "ns3/ksk"
-set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "no"
-
-key_clear "KEY2"
-set_keyrole "KEY2" "zsk"
-set_keylifetime "KEY2" "0"
-set_keydir "KEY2" "ns3/zsk"
-set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY2" "no"
-set_zonesigning "KEY2" "yes"
-
-# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
-# ZSK: DNSKEY, RRSIG (zsk) published.
-set_keystate "KEY1" "GOAL" "omnipresent"
-set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "hidden"
-
-set_keystate "KEY2" "GOAL" "omnipresent"
-set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
-# Two keys only.
-key_clear "KEY3"
-key_clear "KEY4"
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# Reuse set_keytimes_csk_policy to set the KEY1 keytimes.
-set_keytimes_csk_policy
-created=$(key_get KEY2 CREATED)
-set_keytime "KEY2" "PUBLISHED" "${created}"
-set_keytime "KEY2" "ACTIVE" "${created}"
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Key properties for tests below.
-key_clear "KEY1"
-set_keyrole "KEY1" "ksk"
-set_keylifetime "KEY1" "315360000"
-set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "no"
-
-key_clear "KEY2"
-set_keyrole "KEY2" "zsk"
-set_keylifetime "KEY2" "157680000"
-set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
-set_keysigning "KEY2" "no"
-set_zonesigning "KEY2" "yes"
-
-key_clear "KEY3"
-set_keyrole "KEY3" "zsk"
-set_keylifetime "KEY3" "31536000"
-set_keyalgorithm "KEY3" "8" "RSASHA256" "3072"
-set_keysigning "KEY3" "no"
-set_zonesigning "KEY3" "yes"
-# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
-# ZSK: DNSKEY, RRSIG (zsk) published.
-set_keystate "KEY1" "GOAL" "omnipresent"
-set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "hidden"
-
-set_keystate "KEY2" "GOAL" "omnipresent"
-set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
-
-set_keystate "KEY3" "GOAL" "omnipresent"
-set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
-# Three keys only.
-key_clear "KEY4"
-
-#
-# Zone: rumoured.kasp.
-#
-# There are three keys in rumoured state.
-set_zone "rumoured.kasp"
-set_policy "rsasha256" "3" "1234"
-set_server "ns3" "10.53.0.3"
-# Key properties, timings and states same as above.
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_algorithm_policy
-# Activation date is a day later.
-set_addkeytime "KEY1" "ACTIVE" $(key_get KEY1 ACTIVE) 86400
-set_addkeytime "KEY1" "RETIRED" $(key_get KEY1 RETIRED) 86400
-set_addkeytime "KEY1" "REMOVED" $(key_get KEY1 REMOVED) 86400
-set_addkeytime "KEY2" "ACTIVE" $(key_get KEY2 ACTIVE) 86400
-set_addkeytime "KEY2" "RETIRED" $(key_get KEY2 RETIRED) 86400
-set_addkeytime "KEY2" "REMOVED" $(key_get KEY2 REMOVED) 86400
-set_addkeytime "KEY3" "ACTIVE" $(key_get KEY3 ACTIVE) 86400
-set_addkeytime "KEY3" "RETIRED" $(key_get KEY3 RETIRED) 86400
-set_addkeytime "KEY3" "REMOVED" $(key_get KEY3 REMOVED) 86400
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
 # TODO: we might want to test:
 # - configuring a zone with too many active keys (should trigger retire).
 # - configuring a zone with keys not matching the policy.
--- a/bin/tests/system/kasp/tests_kasp.py
+++ b/bin/tests/system/kasp/tests_kasp.py
@@ -310,6 +310,13 @@ def test_kasp_cases(servers):
            ttl=ttl, keys=test["key-properties"]
        )
        # Key files.
+        if "key-directories" in test:
+            kdir = test["key-directories"][0]
+            ksks = isctest.kasp.keydir_to_keylist(zone, kdir, in_use=pregenerated)
+            kdir = test["key-directories"][1]
+            zsks = isctest.kasp.keydir_to_keylist(zone, kdir, in_use=pregenerated)
+            keys = ksks + zsks
+        else:
            keys = isctest.kasp.keydir_to_keylist(
                zone, test["config"]["key-directory"], in_use=pregenerated
            )
@@ -326,6 +333,7 @@ def test_kasp_cases(servers):
                test["config"], offset=offset, pregenerated=pregenerated
            )

+        if "rumoured" not in test:
            isctest.kasp.check_keytimes(keys, expected)

        check_all(server, zone, policy, ksks, zsks, zsk_missing=zsk_missing)
@@ -458,6 +466,27 @@ def test_kasp_cases(servers):
            "config": kasp_config,
            "key-properties": fips_properties(8),
        },
+        {
+            "zone": "keystore.kasp",
+            "policy": "keystore",
+            "config": {
+                "dnskey-ttl": timedelta(seconds=303),
+                "ds-ttl": timedelta(days=1),
+                "key-directory": keydir,
+                "max-zone-ttl": timedelta(days=1),
+                "parent-propagation-delay": timedelta(hours=1),
+                "publish-safety": timedelta(hours=1),
+                "retire-safety": timedelta(hours=1),
+                "signatures-refresh": timedelta(days=5),
+                "signatures-validity": timedelta(days=14),
+                "zone-propagation-delay": timedelta(minutes=5),
+            },
+            "key-directories": [f"{keydir}/ksk", f"{keydir}/zsk"],
+            "key-properties": [
+                f"ksk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
+                f"zsk unlimited {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
+            ],
+        },
        {
            "zone": "legacy-keys.kasp",
            "policy": "migrate-to-dnssec-policy",
@@ -493,6 +522,13 @@ def test_kasp_cases(servers):
            "config": kasp_config,
            "key-properties": fips_properties(10),
        },
+        {
+            "zone": "rumoured.kasp",
+            "policy": "rsasha256",
+            "config": kasp_config,
+            "rumoured": True,
+            "key-properties": fips_properties(8),
+        },
        {
            "zone": "secondary.kasp",
            "policy": "rsasha256",