rollover-ksk-3crowd: From setup.sh to pytest bootstrap

Similar to rollover-ksk-doubleksk. (cherry picked from commit 4ed35f02b1)
2026-05-27 12:13:20 -04:00 · 2025-11-28 11:49:59 +01:00 · 2025-11-28 11:49:59 +01:00 · 7b92adde63
commit 7b92adde63
parent f8ce10ea24
8 changed files with 88 additions and 83 deletions
--- a/bin/tests/system/rollover-ksk-3crowd/ns1
+++ b/bin/tests/system/rollover-ksk-3crowd/ns1
@ -0,0 +1 @@
+../rollover/ns1
--- a/bin/tests/system/rollover-ksk-3crowd/ns2
+++ b/bin/tests/system/rollover-ksk-3crowd/ns2
@ -0,0 +1 @@
+../rollover/ns2
--- a/bin/tests/system/rollover-ksk-3crowd/ns3/kasp.conf
+++ b/bin/tests/system/rollover-ksk-3crowd/ns3/kasp.conf
@ -1 +1 @@
-../../rollover-ksk-doubleksk/ns3/kasp.conf.j2
+../../rollover-ksk-doubleksk/ns3/kasp.conf
--- a/bin/tests/system/rollover-ksk-3crowd/ns3/template.db.j2.manual
+++ b/bin/tests/system/rollover-ksk-3crowd/ns3/template.db.j2.manual
@ -0,0 +1 @@
+../../rollover/ns3/template.db.j2.manual
--- a/bin/tests/system/rollover-ksk-3crowd/ns3/trusted.conf.j2
+++ b/bin/tests/system/rollover-ksk-3crowd/ns3/trusted.conf.j2
@ -0,0 +1 @@
+../../_common/trusted.conf.j2
--- a/bin/tests/system/rollover-ksk-3crowd/setup.sh
+++ b/bin/tests/system/rollover-ksk-3crowd/setup.sh
@ -1,82 +0,0 @@
-#!/bin/sh -e
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0.  If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-# shellcheck source=conf.sh
-. ../conf.sh
-
-cd "ns3"
-
-setup() {
-  zone="$1"
-  echo_i "setting up zone: $zone"
-  zonefile="${zone}.db"
-  infile="${zone}.db.infile"
-  echo "$zone" >>zones
-}
-
-# Set in the key state files the Predecessor/Successor fields.
-# Key $1 is the predecessor of key $2.
-key_successor() {
-  id1=$(keyfile_to_key_id "$1")
-  id2=$(keyfile_to_key_id "$2")
-  echo "Predecessor: ${id1}" >>"${2}.state"
-  echo "Successor: ${id2}" >>"${1}.state"
-}
-
-# Make lines shorter by storing key states in environment variables.
-H="HIDDEN"
-R="RUMOURED"
-O="OMNIPRESENT"
-U="UNRETENTIVE"
-
-# Test #2375, the "three is a crowd" bug, where a new key is introduced but the
-# previous rollover has not finished yet. In other words, we have a key KEY2
-# that is the successor of key KEY1, and we introduce a new key KEY3 that is
-# the successor of key KEY2:
-#
-#     KEY1 < KEY2 < KEY3.
-#
-# The expected behavior is that all three keys remain in the zone, and not
-# the bug behavior where KEY2 is removed and immediately replaced with KEY3.
-#
-# Set up a zone that has a KSK (KEY1) and have the successor key (KEY2)
-# published as well.
-setup three-is-a-crowd.kasp
-# These times are the same as step3.ksk-doubleksk.autosign.
-TpubN="now-60d"
-TactN="now-1413h"
-TretN="now"
-TremN="now+50h"
-TpubN1="now-27h"
-TsbmN1="now"
-TactN1="${TretN}"
-TretN1="now+60d"
-TremN1="now+1490h"
-ksktimes="-P ${TpubN}  -A ${TpubN}  -P sync ${TactN}  -I ${TretN}  -D ${TremN} -D sync ${TactN1}"
-newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
-zsktimes="-P ${TpubN}  -A ${TpubN}"
-KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1
-# Set key rollover relationship.
-key_successor $KSK1 $KSK2
-# Sign zone.
-cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
--- a/bin/tests/system/rollover-ksk-3crowd/tests_rollover_three_is_a_crowd.py
+++ b/bin/tests/system/rollover-ksk-3crowd/tests_rollover_three_is_a_crowd.py
@ -24,6 +24,11 @@ from rollover.common import (
    KSK_IPUB,
    KSK_IRET,
 )
+from rollover.setup import (
+    configure_root,
+    configure_tld,
+    configure_ksk_3crowd,
+)


 CDSS = ["CDS (SHA-256)"]
@ -33,6 +38,23 @@ OFFSET2 = -int(timedelta(hours=27).total_seconds())
 TTL = int(KSK_CONFIG["dnskey-ttl"].total_seconds())


+def bootstrap():
+    data = {
+        "tlds": [],
+        "trust_anchors": [],
+    }
+
+    tlds = []
+    tld_name = "kasp"
+    delegations = configure_ksk_3crowd(tld_name)
+    tld = configure_tld(tld_name, delegations)
+    tlds.append(tld)
+    data["tlds"].append(tld_name)
+    ta = configure_root(tlds)
+    data["trust_anchors"].append(ta)
+    return data
+
+
 def test_rollover_ksk_three_is_a_crowd(alg, size, ns3):
    """Test #2375: Scheduled rollovers are happening faster than they can finish."""
    zone = "three-is-a-crowd.kasp"
--- a/bin/tests/system/rollover/setup.py
+++ b/bin/tests/system/rollover/setup.py
@ -1620,3 +1620,64 @@ def configure_ksk_doubleksk(tld: str) -> List[Zone]:
    )

    return zones
+
+
+def configure_ksk_3crowd(tld: str) -> List[Zone]:
+    # Test #2375, the "three is a crowd" bug, where a new key is introduced but the
+    # previous rollover has not finished yet. In other words, we have a key KEY2
+    # that is the successor of key KEY1, and we introduce a new key KEY3 that is
+    # the successor of key KEY2:
+    #
+    #     KEY1 < KEY2 < KEY3.
+    #
+    # The expected behavior is that all three keys remain in the zone, and not
+    # the bug behavior where KEY2 is removed and immediately replaced with KEY3.
+    #
+    zones = []
+    cds = "cds:sha-256"
+    keygen = CmdHelper("KEYGEN", "-a ECDSAP256SHA256 -L 7200")
+    settime = CmdHelper("SETTIME", "-s")
+
+    # Set up a zone that has a KSK (KEY1) and have the successor key (KEY2)
+    # published as well.
+    zonename = f"three-is-a-crowd.{tld}"
+    zones.append(Zone(zonename, f"{zonename}.db", Nameserver("ns3", "10.53.0.3")))
+    isctest.log.info(f"setup {zonename}")
+    # These times are the same as step3.ksk-doubleksk.autosign.
+    TpubN = "now-60d"
+    TactN = "now-1413h"
+    TretN = "now"
+    TremN = "now+50h"
+    TpubN1 = "now-27h"
+    TactN1 = TretN
+    TretN1 = "now+60d"
+    TremN1 = "now+1490h"
+    ksktimes = (
+        f"-P {TpubN} -A {TpubN} -P sync {TactN} -I {TretN} -D {TremN} -D sync {TactN1}"
+    )
+    newtimes = f"-P {TpubN1} -A {TactN1} -P sync {TactN1} -I {TretN1} -D {TremN1}"
+    zsktimes = f"-P {TpubN}  -A {TpubN}"
+    # Key generation.
+    ksk1_name = keygen(f"-f KSK {ksktimes} {zonename}", cwd="ns3").strip()
+    ksk2_name = keygen(f"-f KSK {newtimes} {zonename}", cwd="ns3").strip()
+    zsk_name = keygen(f"{zsktimes} {zonename}", cwd="ns3").strip()
+    settime(
+        f"-g HIDDEN -k OMNIPRESENT {TactN} -r OMNIPRESENT {TactN} -d OMNIPRESENT {TactN} {ksk1_name}",
+        cwd="ns3",
+    )
+    settime(
+        f"-g OMNIPRESENT -k RUMOURED {TpubN1} -r RUMOURED {TpubN1} -d HIDDEN {TpubN1} {ksk2_name}",
+        cwd="ns3",
+    )
+    settime(
+        f"-g OMNIPRESENT -k OMNIPRESENT {TpubN} -z OMNIPRESENT {TpubN} {zsk_name}",
+        cwd="ns3",
+    )
+    # Set key rollover relationship.
+    set_key_relationship(ksk1_name, ksk2_name)
+    # Signing.
+    render_and_sign_zone(
+        zonename, [ksk1_name, ksk2_name, zsk_name], extra_options=f"-G {cds}"
+    )
+
+    return zones