Update kasp based system tests to new output

In addition fix some test bugs where we actually were testing against
the wrong policy name.

bin/tests/system/isctest/kasp.py

@@ -486,6 +486,13 @@ class Key:
     def is_zsk(self) -> bool:
         return self.get_metadata("ZSK") == "yes"
 
+    def role(self) -> str:
+        if self.is_ksk() and self.is_zsk():
+            return "CSK"
+        if self.is_ksk():
+            return "KSK"
+        return "ZSK"
+
     @property
     def algorithm(self) -> Algorithm:
         num = int(self.get_metadata("Algorithm"))
@@ -844,25 +851,31 @@ def check_dnssec_verify(server, zone, tsig=None):
     assert verified
 
 
-def check_dnssecstatus(server, zone, keys, policy=None, view=None):
+def check_dnssecstatus(server, zone, keys, policy=None, view=None, verbose=False):
     # Call rndc dnssec -status on 'server' for 'zone'. Expect 'policy' in
     # the output. This is a loose verification, it just tests if the right
     # policy name is returned, and if all expected keys are listed.
     response = ""
+
+    # Verbose output.
+    v = ""
+    if verbose:
+        v = "-v "
+
     if view is None:
-        response = server.rndc(f"dnssec -status {zone}", log=False)
+        response = server.rndc(f"dnssec -status {v}{zone}", log=False)
     else:
-        response = server.rndc(f"dnssec -status {zone} in {view}", log=False)
+        response = server.rndc(f"dnssec -status {v}{zone} in {view}", log=False)
 
     if policy is None:
         assert "Zone does not have dnssec-policy" in response
         return
 
-    assert f"dnssec-policy: {policy}" in response
+    assert f"DNSSEC status for zone '{zone}' using policy '{policy}'" in response
 
     for key in keys:
         if not key.external:
-            assert f"key: {key.tag}" in response
+            assert f"{key.role()} {key.tag}" in response
 
 
 def _check_signatures(
@@ -1250,6 +1263,7 @@ def check_rollover_step(server, config, policy, step):
     check_keytimes_flag = step.get("check-keytimes", True)
     zone_signed = step.get("zone-signed", True)
     manual_mode = step.get("manual-mode", False)
+    verbose = step.get("verbose", False)
 
     isctest.log.info(f"check rollover step {zone}")
 
@@ -1311,7 +1325,7 @@ def check_rollover_step(server, config, policy, step):
     if check_keytimes_flag:
         check_keytimes(keys, expected)
 
-    check_dnssecstatus(server, zone, keys, policy=policy)
+    check_dnssecstatus(server, zone, keys, policy=policy, verbose=verbose)
     check_apex(
         server,
         zone,

bin/tests/system/kasp/tests_kasp.py

@@ -342,7 +342,7 @@ def cb_remove_keyfiles(params, ksks=None, zsks=None):
         pytest.param(
             {
                 "zone": "rsasha1-nsec3.kasp",
-                "policy": "rsasha1",
+                "policy": "rsasha1-nsec3",
                 "config": kasp_config,
                 "key-properties": rsa1_properties(7),
             },
@@ -939,7 +939,7 @@ def test_kasp_dynamic(ns3):
     # Standard dynamic zone.
     isctest.log.info("check dynamic zone is updated and signed after update")
     zone = "dynamic.kasp"
-    policy = "default"
+    policy = "default-dynamic"
 
     isctest.kasp.wait_keymgr_done(ns3, zone)
 
@@ -1005,6 +1005,7 @@ def test_kasp_dynamic(ns3):
 
     # Dynamic, and inline-signing.
     zone = "dynamic-inline-signing.kasp"
+    policy = "default"
 
     isctest.kasp.wait_keymgr_done(ns3, zone)
 

bin/tests/system/ksr/tests_ksr.py

@@ -746,7 +746,9 @@ def test_ksr_common(ns1):
 
     # test zone is correctly signed
     # - check rndc dnssec -status output
-    isctest.kasp.check_dnssecstatus(ns1, zone, overlapping_zsks, policy=policy)
+    isctest.kasp.check_dnssecstatus(
+        ns1, zone, overlapping_zsks, policy=policy, verbose=True
+    )
     # - dnssec_verify
     isctest.kasp.check_dnssec_verify(ns1, zone)
     # - check keys
@@ -818,7 +820,7 @@ def test_ksr_lastbundle(ns1):
 
     # test zone is correctly signed
     # - check rndc dnssec -status output
-    isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy)
+    isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy, verbose=True)
     # - dnssec_verify
     isctest.kasp.check_dnssec_verify(ns1, zone)
     # - check keys
@@ -895,7 +897,7 @@ def test_ksr_inthemiddle(ns1):
 
     # test zone is correctly signed
     # - check rndc dnssec -status output
-    isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy)
+    isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy, verbose=True)
     # - dnssec_verify
     isctest.kasp.check_dnssec_verify(ns1, zone)
     # - check keys
@@ -1083,7 +1085,7 @@ def test_ksr_unlimited(ns1):
 
     # test zone is correctly signed
     # - check rndc dnssec -status output
-    isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy)
+    isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy, verbose=True)
     # - dnssec_verify
     isctest.kasp.check_dnssec_verify(ns1, zone)
     # - check keys
@@ -1192,7 +1194,7 @@ def test_ksr_twotone(ns1):
 
     # test zone is correctly signed
     # - check rndc dnssec -status output
-    isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy)
+    isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy, verbose=True)
     # - dnssec_verify
     isctest.kasp.check_dnssec_verify(ns1, zone)
     # - check keys
@@ -1269,7 +1271,7 @@ def test_ksr_kskroll(ns1):
 
     # test zone is correctly signed
     # - check rndc dnssec -status output
-    isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy)
+    isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy, verbose=True)
     # - dnssec_verify
     isctest.kasp.check_dnssec_verify(ns1, zone)
     # - check keys

bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_initial.py

@@ -27,7 +27,7 @@ from rollover.common import (
 @pytest.mark.parametrize(
     "tld, policy",
     [
-        param("kasp", "csk-algoroll"),
+        param("kasp", "csk-algoroll-kasp"),
         param("manual", "csk-algoroll-manual"),
     ],
 )

bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_reconfig.py

@@ -330,5 +330,7 @@ def test_algoroll_csk_reconfig_step6(tld, ns6, alg, size):
         # keys have an unlimited lifetime.  Fallback to the default
         # loadkeys interval.
         "nextev": TIMEDELTA["PT1H"],
+        # Include hidden keys in output.
+        "verbose": True,
     }
     isctest.kasp.check_rollover_step(ns6, CONFIG, policy, step)

bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_reconfig.py

@@ -319,6 +319,8 @@ def test_algoroll_ksk_zsk_reconfig_step5(tld, ns6, alg, size):
         # platforms by subtracting the number of seconds which passed
         # between key creation and invoking 'rndc reconfig'.
         "nextev": ALGOROLL_IRET - ALGOROLL_IRETKSK - ALGOROLL_KEYTTLPROP - TIME_PASSED,
+        # Include hidden keys in output.
+        "verbose": True,
     }
     isctest.kasp.check_rollover_step(ns6, CONFIG, policy, step)
 
@@ -352,5 +354,7 @@ def test_algoroll_ksk_zsk_reconfig_step6(tld, ns6, alg, size):
         # keys have an unlimited lifetime.  Fallback to the default
         # loadkeys interval.
         "nextev": TIMEDELTA["PT1H"],
+        # Include hidden keys in output.
+        "verbose": True,
     }
     isctest.kasp.check_rollover_step(ns6, CONFIG, policy, step)

bin/tests/system/rollover-csk-roll1/tests_rollover_csk_roll1.py

@@ -404,6 +404,8 @@ def test_csk_roll1_step7(tld, alg, size, ns3):
         # This is the Lcsk, minus time passed since the key started signing,
         # minus the prepublication time.
         "nextev": CSK_LIFETIME - IRETZSK - IPUB - KEYTTLPROP,
+        # Include hidden keys in output.
+        "verbose": True,
     }
     isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
 

bin/tests/system/rollover-csk-roll2/tests_rollover_csk_roll2.py

@@ -376,6 +376,8 @@ def test_csk_roll2_step6(tld, alg, size, ns3):
         # Next key event is when the new successor needs to be published.
         # This is the Lcsk, minus time passed since the key was published.
         "nextev": CSK_LIFETIME - IRET - IPUB - KEYTTLPROP,
+        # Include hidden keys in output.
+        "verbose": True,
     }
     isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
 
@@ -405,5 +407,7 @@ def test_csk_roll2_step7(tld, alg, size, ns3):
         ],
         "keyrelationships": [0, 1],
         "nextev": None,
+        # Include hidden keys in output.
+        "verbose": True,
     }
     isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)

bin/tests/system/rollover-ksk-doubleksk/tests_rollover_ksk_doubleksk.py

@@ -316,6 +316,8 @@ def test_ksk_doubleksk_step5(tld, alg, size, ns3):
         # Next key event is when the new successor needs to be published.
         # This is the KSK lifetime minus Ipub minus Iret minus time elapsed.
         "nextev": KSK_LIFETIME - KSK_IPUB - KSK_IRET - KSK_KEYTTLPROP,
+        # Include hidden keys in output.
+        "verbose": True,
     }
     isctest.kasp.check_rollover_step(ns3, KSK_CONFIG, policy, step)
 

bin/tests/system/rollover-zsk-prepub/tests_rollover_zsk_prepublication.py

@@ -229,7 +229,7 @@ def test_zsk_prepub_step3(tld, alg, size, ns3):
 
     step["smooth"] = False
     step["nextev"] = Iret(CONFIG, smooth=False)
-    isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
+    isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
 
 
 @pytest.mark.parametrize(
@@ -322,6 +322,8 @@ def test_zsk_prepub_step5(tld, alg, size, ns3):
         # this is the zsk lifetime minus IRET minus IPUB minus time
         # elapsed.
         "nextev": ZSK_LIFETIME - IRET - IPUB - KEYTTLPROP,
+        # Include hidden keys in output.
+        "verbose": True,
     }
     isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)