rollover-multisigner: Update templates

This test does not require a trust chain. However, it does have a setup script. Rewrite the setup shell script to a pytest bootstrap method.
2026-06-09 04:02:04 -04:00 · 2025-11-28 11:59:00 +01:00 · 2025-11-28 11:59:00 +01:00 · b6c091d113
commit b6c091d113
parent 4ed35f02b1
8 changed files with 96 additions and 71 deletions
--- a/bin/tests/system/rollover-lifetime/ns3/limit-lifetime.db
+++ b/bin/tests/system/rollover-lifetime/ns3/limit-lifetime.db
@ -1 +1 @@
-../../rollover/ns3/template.db.in
+template.db.in
--- a/bin/tests/system/rollover-lifetime/ns3/longer-lifetime.db
+++ b/bin/tests/system/rollover-lifetime/ns3/longer-lifetime.db
@ -1 +1 @@
-../../rollover/ns3/template.db.in
+template.db.in
--- a/bin/tests/system/rollover-lifetime/ns3/shorter-lifetime.db
+++ b/bin/tests/system/rollover-lifetime/ns3/shorter-lifetime.db
@ -1 +1 @@
-../../rollover/ns3/template.db.in
+template.db.in
--- a/bin/tests/system/rollover-lifetime/ns3/template.db.in
+++ b/bin/tests/system/rollover-lifetime/ns3/template.db.in
@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		IN	SOA  mname1. . (
+			1       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns3
+ns3			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+c			A	10.0.0.3
+
--- a/bin/tests/system/rollover-lifetime/ns3/unlimit-lifetime.db
+++ b/bin/tests/system/rollover-lifetime/ns3/unlimit-lifetime.db
@ -1 +1 @@
-../../rollover/ns3/template.db.in
+template.db.in
--- a/bin/tests/system/rollover-multisigner/ns3/template.db.j2.manual
+++ b/bin/tests/system/rollover-multisigner/ns3/template.db.j2.manual
@ -0,0 +1 @@
+../../rollover/ns3/template.db.j2.manual
--- a/bin/tests/system/rollover-multisigner/setup.sh
+++ b/bin/tests/system/rollover-multisigner/setup.sh
@ -1,67 +0,0 @@
-#!/bin/sh -e
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0.  If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-# shellcheck source=conf.sh
-. ../conf.sh
-
-cd "ns3"
-
-setup() {
-  zone="$1"
-  echo_i "setting up zone: $zone"
-  zonefile="${zone}.db"
-  infile="${zone}.db.infile"
-  echo "$zone" >>zones
-}
-
-# Set in the key state files the Predecessor/Successor fields.
-# Key $1 is the predecessor of key $2.
-key_successor() {
-  id1=$(keyfile_to_key_id "$1")
-  id2=$(keyfile_to_key_id "$2")
-  echo "Predecessor: ${id1}" >>"${2}.state"
-  echo "Successor: ${id2}" >>"${1}.state"
-}
-
-# Make lines shorter by storing key states in environment variables.
-H="HIDDEN"
-R="RUMOURED"
-O="OMNIPRESENT"
-U="UNRETENTIVE"
-
-# Multi-signer zones.
-setup "multisigner-model2.kasp"
-cp template.db.in "$zonefile"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -f KSK -L 3600 -M 32768:65535 $zone 2>keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -M 32768:65535 $zone 2>keygen.out.$zone.2)
-cat "${KSK}.key" | grep -v ";.*" >>"${zone}.db"
-cat "${ZSK}.key" | grep -v ";.*" >>"${zone}.db"
-# Import a ZSK of another provider into the DNSKEY RRset.
-ZSK1=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 -M 0:32767 $zone 2>keygen.out.$zone.3)
-cat "../${ZSK1}.key" | grep -v ";.*" >>"${zone}.db"
-
-# We are changing an existing single-signed zone to multi-signed
-# zone where the key tags do not match the dnssec-policy key tag range
-setup single-to-multisigner.kasp
-T="now-7d"
-S="now-8635mi" # T - 1d5m
-keytimes="-P $T -A $T"
-cdstimes="-P sync $S"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -M 0:32767 -L 3600 -f KSK $keytimes $cdstimes $zone 2>keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -M 0:32767 -L 3600 $keytimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
-$SIGNER -PS -z -x -s now-2w -e now-1mi -o $zone -f "${zonefile}" $infile >signer.out.$zone.1 2>&1
-echo "Lifetime: 0" >>"${KSK}".state
-echo "Lifetime: 0" >>"${ZSK}".state
--- a/bin/tests/system/rollover-multisigner/tests_rollover_multisigner.py
+++ b/bin/tests/system/rollover-multisigner/tests_rollover_multisigner.py
@ -26,6 +26,70 @@ from rollover.common import (
    alg,
    size,
 )
+from rollover.setup import CmdHelper, fake_lifetime, render_and_sign_zone
+
+
+def bootstrap():
+    templates = isctest.template.TemplateEngine(".")
+
+    # Multi-signer zones.
+    keygen = CmdHelper("KEYGEN", "-a ECDSA256 -L 3600")
+    settime = CmdHelper("SETTIME", "-s")
+
+    # Model 2.
+    zonename = "multisigner-model2.kasp"
+    isctest.log.info(f"setup {zonename}")
+    # Key generation.
+    ksk_name = keygen(f"-M 32768:65535 -f KSK {zonename}", cwd="ns3").strip()
+    zsk_name = keygen(f"-M 32768:65535 {zonename}", cwd="ns3").strip()
+    # Signing.
+    dnskeys = []
+    for key_name in [ksk_name, zsk_name]:
+        key = isctest.kasp.Key(key_name, keydir="ns3")
+        dnskeys.append(key.dnskey)
+    # Import a ZSK of another provider into the DNSKEY RRset.
+    zsk_extra = keygen(f"-M 0:32767 {zonename}").strip()
+    key = isctest.kasp.Key(zsk_extra)
+    dnskeys.append(key.dnskey)
+    # Render zone file.
+    outfile = f"{zonename}.db"
+    templates = isctest.template.TemplateEngine(".")
+    template = "template.db.j2.manual"
+    tdata = {
+        "fqdn": f"{zonename}.",
+        "dnskeys": dnskeys,
+        "privaterrs": [],
+    }
+    templates.render(f"ns3/{outfile}", tdata, template=f"ns3/{template}")
+
+    # We are changing an existing single-signed zone to multi-signed
+    # zone where the key tags do not match the dnssec-policy key tag range
+    zonename = "single-to-multisigner.kasp"
+    isctest.log.info(f"setup {zonename}")
+    # Timing metadata.
+    TpubN = "now-7d"
+    TsbmN = "now-8635mi"  # T - 1d5m
+    keytimes = f"-P {TpubN} -A {TpubN}"
+    cdstimes = f"-P sync {TsbmN}"
+    # Key generation.
+    ksk_name = keygen(
+        f"-M 0:32767 -f KSK {keytimes} {cdstimes} {zonename}", cwd="ns3"
+    ).strip()
+    zsk_name = keygen(f"-M 0:32767 {keytimes} {zonename}", cwd="ns3").strip()
+    settime(
+        f"-g OMNIPRESENT -d OMNIPRESENT {TpubN} -k OMNIPRESENT {TpubN} -r OMNIPRESENT {TpubN} {ksk_name}",
+        cwd="ns3",
+    )
+    settime(
+        f"-g OMNIPRESENT -k OMNIPRESENT {TpubN} -z OMNIPRESENT {TpubN} {zsk_name}",
+        cwd="ns3",
+    )
+    # Signing.
+    fake_lifetime(ksk_name, 0)
+    fake_lifetime(zsk_name, 0)
+    render_and_sign_zone(zonename, [ksk_name, zsk_name])
+
+    return {}


 def test_rollover_multisigner(ns3, alg, size):