From 6700f89cffc41310fb9b5e0ecd8dcd0102a91143 Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Aug 09 2018 10:36:42 +0000 Subject: test_dnssec: re-add named-pkcs11 workarounds DNSSEC tests starrted to fail again, probably due to a bug in some underlaying component. This reverts commit 8bc677512296a7e94c29edd0c1a96aa7273f352a and makes the xfail test check less strict - it will no longer mark the test suite red if it passes. Run DNSSEC tests on PR-CI Co-authored-by: Felipe Barreto Related https://pagure.io/freeipa/issue/5348 Reviewed-By: Alexander Bokovoy Reviewed-By: Tibor Dudlak --- diff --git a/ipatests/test_integration/test_dnssec.py b/ipatests/test_integration/test_dnssec.py index 0ce7071..984e124 100644 --- a/ipatests/test_integration/test_dnssec.py +++ b/ipatests/test_integration/test_dnssec.py @@ -6,6 +6,7 @@ import dns.dnssec import dns.resolver import dns.name import time +import pytest from ipatests.test_integration.base import IntegrationTest from ipatests.pytest_plugins.integration import tasks @@ -56,7 +57,6 @@ def wait_until_record_is_signed(nameserver, record, log, rtype="SOA", Returns True if record is signed, or False on timeout :param nameserver: nameserver to query :param record: query - :param log: logger :param rtype: record type :param timeout: :return: True if records is signed, False if timeout @@ -105,6 +105,7 @@ class TestInstallDNSSECLast(IntegrationTest): ] self.master.run_command(args) + tasks.restart_named(self.master, self.replicas[0]) # test master assert wait_until_record_is_signed( self.master.ip, test_zone, self.log, timeout=100 @@ -125,6 +126,7 @@ class TestInstallDNSSECLast(IntegrationTest): ] self.replicas[0].run_command(args) + tasks.restart_named(self.replicas[0]) # test replica assert wait_until_record_is_signed( self.replicas[0].ip, test_zone_repl, self.log, timeout=300 @@ -170,6 +172,7 @@ class TestInstallDNSSECLast(IntegrationTest): ] self.master.run_command(args) + tasks.restart_named(self.master) # test master assert wait_until_record_is_signed( self.master.ip, test_zone, self.log, timeout=100 @@ -217,6 +220,8 @@ class TestInstallDNSSECLast(IntegrationTest): ] self.master.run_command(args) + tasks.restart_named(self.master, self.replicas[0]) + # test master assert wait_until_record_is_signed( self.master.ip, test_zone_repl, self.log, timeout=100 @@ -232,6 +237,75 @@ class TestInstallDNSSECLast(IntegrationTest): assert dnskey_old != dnskey_new, "DNSKEY should be different" +class TestZoneSigningWithoutNamedRestart(IntegrationTest): + """Test if https://pagure.io/freeipa/issue/5348 is already fixed. + """ + num_replicas = 1 + topology = 'star' + + @classmethod + def install(cls, mh): + tasks.install_master(cls.master, setup_dns=False) + args = [ + "ipa-dns-install", + "--dnssec-master", + "--forwarder", cls.master.config.dns_forwarder, + "-U", + ] + cls.master.run_command(args) + + tasks.install_replica(cls.master, cls.replicas[0], setup_dns=True) + + # backup trusted key + tasks.backup_file(cls.master, paths.DNSSEC_TRUSTED_KEY) + tasks.backup_file(cls.replicas[0], paths.DNSSEC_TRUSTED_KEY) + + @classmethod + def uninstall(cls, mh): + # restore trusted key + tasks.restore_files(cls.master) + tasks.restore_files(cls.replicas[0]) + + super(TestZoneSigningWithoutNamedRestart, cls).uninstall(mh) + + def test_sign_root_zone_no_named_restart(self): + args = [ + "ipa", "dnszone-add", root_zone, "--dnssec", "true", + "--skip-overlap-check", + ] + self.master.run_command(args) + + # make BIND happy: add the glue record and delegate zone + args = [ + "ipa", "dnsrecord-add", root_zone, self.master.hostname, + "--a-rec=" + self.master.ip + ] + self.master.run_command(args) + args = [ + "ipa", "dnsrecord-add", root_zone, self.replicas[0].hostname, + "--a-rec=" + self.replicas[0].ip + ] + self.master.run_command(args) + + # sleep a bit until data are provided by bind-dyndb-ldap + time.sleep(10) + + args = [ + "ipa", "dnsrecord-add", root_zone, self.master.domain.name, + "--ns-rec=" + self.master.hostname + ] + self.master.run_command(args) + # test master + assert wait_until_record_is_signed( + self.master.ip, root_zone, timeout=100 + ), "Zone %s is not signed (master)" % root_zone + + # test replica + assert wait_until_record_is_signed( + self.replicas[0].ip, root_zone, timeout=300 + ), "Zone %s is not signed (replica)" % root_zone + + class TestInstallDNSSECFirst(IntegrationTest): """Simple DNSSEC test @@ -290,6 +364,7 @@ class TestInstallDNSSECFirst(IntegrationTest): "--ns-rec=" + self.master.hostname ] self.master.run_command(args) + tasks.restart_named(self.master, self.replicas[0]) # test master assert wait_until_record_is_signed( self.master.ip, root_zone, self.log, timeout=100 @@ -320,6 +395,7 @@ class TestInstallDNSSECFirst(IntegrationTest): "--ns-rec=" + self.master.hostname ] self.master.run_command(args) + tasks.restart_named(self.master, self.replicas[0]) # wait until zone is signed assert wait_until_record_is_signed( self.master.ip, example_test_zone, self.log, timeout=100 @@ -457,6 +533,7 @@ class TestMigrateDNSSECMaster(IntegrationTest): self.master.run_command(args) + tasks.restart_named(self.master, self.replicas[0]) # wait until zone is signed assert wait_until_record_is_signed( self.master.ip, example_test_zone, self.log, timeout=100 @@ -513,6 +590,7 @@ class TestMigrateDNSSECMaster(IntegrationTest): "--skip-overlap-check", ] self.replicas[0].run_command(args) + tasks.restart_named(self.master, self.replicas[0]) # wait until zone is signed assert wait_until_record_is_signed( self.replicas[0].ip, example2_test_zone, self.log, timeout=100 @@ -545,6 +623,7 @@ class TestMigrateDNSSECMaster(IntegrationTest): "--skip-overlap-check", ] self.replicas[1].run_command(args) + tasks.restart_named(self.replicas[0], self.replicas[1]) # wait until zone is signed assert wait_until_record_is_signed( self.replicas[1].ip, example3_test_zone, self.log, timeout=200