author | Oleg Fayans <ofayans@redhat.com> | 2016-05-11 12:08:38 +0200 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2016-05-11 13:16:43 +0200 |
commit | 5567dff4b46cc05bf0ea44dd03afdd12645143a5 (patch) | |
tree | 5853b22f2a8cf3428e9fd844f38039f18f546b9a /ipatests/test_integration | |
parent | ea794f3dec52694c58689c6dac267a42b71e5af9 (diff) | |
A workaround for ticket N 5348
A freshly created dnssec-enabled zone does not always display the signature
until you restart named-pkcs11. Added restarting of this service after each
dnssec-enabled zone.
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'ipatests/test_integration')
-rw-r--r-- | ipatests/test_integration/test_dnssec.py | 97 |
1 files changed, 90 insertions, 7 deletions
diff --git a/ipatests/test_integration/test_dnssec.py b/ipatests/test_integration/test_dnssec.py index e90fb1f47..35cf8636d 100644 --- a/ipatests/test_integration/test_dnssec.py +++ b/ipatests/test_integration/test_dnssec.py @@ -6,6 +6,7 @@ import dns.dnssec import dns.resolver import dns.name import time +import pytest from ipatests.test_integration.base import IntegrationTest from ipatests.test_integration import tasks @@ -71,6 +72,14 @@ def wait_until_record_is_signed(nameserver, record, log, rtype="SOA", return False +def restart_named(*args): + # A workaround for ticket N 5348 + time.sleep(20) # wait till dnssec key is exported to named + for host in args: + host.run_command(["systemctl", "restart", + "named-pkcs11.service"]) + + class TestInstallDNSSECLast(IntegrationTest): """Simple DNSSEC test @@ -105,6 +114,7 @@ class TestInstallDNSSECLast(IntegrationTest): ] self.master.run_command(args) + restart_named(self.master, self.replicas[0]) # test master assert wait_until_record_is_signed( self.master.ip, test_zone, self.log, timeout=100 @@ -125,6 +135,7 @@ class TestInstallDNSSECLast(IntegrationTest): ] self.replicas[0].run_command(args) + restart_named(self.replicas[0]) # test replica assert wait_until_record_is_signed( self.replicas[0].ip, test_zone_repl, self.log, timeout=300 @@ -170,8 +181,7 @@ class TestInstallDNSSECLast(IntegrationTest): ] self.master.run_command(args) - time.sleep(20) # sleep a bit until LDAP changes are applied to DNS - + restart_named(self.master) # test master assert wait_until_record_is_signed( self.master.ip, test_zone, self.log, timeout=100 @@ -219,7 +229,7 @@ class TestInstallDNSSECLast(IntegrationTest): ] self.master.run_command(args) - time.sleep(20) # sleep a bit until LDAP changes are applied to DNS + restart_named(self.master, self.replicas[0]) # test master assert wait_until_record_is_signed( 
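Review bot: `restart_named` has no docstring, and its only comment, `# A workaround for ticket N 5348`, does not say what is being worked around or that every call blocks for 20 seconds before restarting anything. The fixed `time.sleep(20)` is a guess at when the DNSSEC key has been exported. If the export takes longer, the restart comes too early and the failure only shows up later as a timeout in `wait_until_record_is_signed`, so that assumption belongs in the comment. I would rename `*args` to `*hosts` and add a docstring such as `"""Wait 20 s for key export, then restart named-pkcs11 on each host (workaround for https://fedorahosted.org/freeipa/ticket/5348)."""`.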
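Review bot: The set of hosts passed to `restart_named` differs between call sites without explanation. The hunk at `-125,6 +135,7` restarts only `self.replicas[0]` and the one at `-170,8 +181,7` only `self.master`, while the hunks at `-105,6 +114,7` and `-219,7 +229,7` restart both, and the last hunk of the file restarts `self.replicas[0]` and `self.replicas[1]` but not the master. These test bodies continue outside the hunks. If they also assert signing on a server that was not restarted, that assertion depends on exactly the behaviour ticket 5348 reports as unreliable. Either pass every server that is checked afterwards, or add a one-line comment at the single-host calls such as `# only this server is queried below`.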
@@ -235,6 +245,78 @@ class TestInstallDNSSECLast(IntegrationTest): self.log, rtype="DNSKEY").rrset assert dnskey_old != dnskey_new, "DNSKEY should be different" + +class TestZoneSigningWithoutNamedRestart(IntegrationTest): + """Test whether https://fedorahosted.org/freeipa/ticket/5348 is already + fixed. If the issue is not fixed, the test will expectedly fail. When + fixed, it will pass, which will cause the whole run to become "red" + """ + num_replicas = 1 + topology = 'star' + + @classmethod + def install(cls, mh): + tasks.install_master(cls.master, setup_dns=False) + args = [ + "ipa-dns-install", + "--dnssec-master", + "--forwarder", cls.master.config.dns_forwarder, + "-U", + ] + cls.master.run_command(args) + + tasks.install_replica(cls.master, cls.replicas[0], setup_dns=True) + + # backup trusted key + tasks.backup_file(cls.master, paths.DNSSEC_TRUSTED_KEY) + tasks.backup_file(cls.replicas[0], paths.DNSSEC_TRUSTED_KEY) + + @classmethod + def uninstall(cls, mh): + # restore trusted key + tasks.restore_files(cls.master) + tasks.restore_files(cls.replicas[0]) + + super(TestZoneSigningWithoutNamedRestart, cls).uninstall(mh) + + @pytest.mark.xfail(strict=True) + def test_sign_root_zone_no_named_restart(self): + args = [ + "ipa", "dnszone-add", root_zone, "--dnssec", "true", + "--skip-overlap-check", + ] + self.master.run_command(args) + + # make BIND happy: add the glue record and delegate zone + args = [ + "ipa", "dnsrecord-add", root_zone, self.master.hostname, + "--a-rec=" + self.master.ip + ] + self.master.run_command(args) + args = [ + "ipa", "dnsrecord-add", root_zone, self.replicas[0].hostname, + "--a-rec=" + self.replicas[0].ip + ] + self.master.run_command(args) + + time.sleep(10) # sleep a bit until data are provided by bind-dyndb-ldap + + args = [ + "ipa", "dnsrecord-add", root_zone, self.master.domain.name, + "--ns-rec=" + self.master.hostname + ] + self.master.run_command(args) + # test master + assert wait_until_record_is_signed( + self.master.ip, 
root_zone, self.log, timeout=100 + ), "Zone %s is not signed (master)" % root_zone + + # test replica + assert wait_until_record_is_signed( + self.replicas[0].ip, root_zone, self.log, timeout=300 + ), "Zone %s is not signed (replica)" % root_zone + + class TestInstallDNSSECFirst(IntegrationTest): """Simple DNSSEC test @@ -288,7 +370,7 @@ class TestInstallDNSSECFirst(IntegrationTest): "--ns-rec=" + self.master.hostname ] self.master.run_command(args) - + restart_named(self.master, self.replicas[0]) # test master assert wait_until_record_is_signed( self.master.ip, root_zone, self.log, timeout=100 @@ -319,7 +401,7 @@ class TestInstallDNSSECFirst(IntegrationTest): "--ns-rec=" + self.master.hostname ] self.master.run_command(args) - + restart_named(self.master, self.replicas[0]) # wait until zone is signed assert wait_until_record_is_signed( self.master.ip, example_test_zone, self.log, timeout=100 @@ -457,6 +539,7 @@ class TestMigrateDNSSECMaster(IntegrationTest): self.master.run_command(args) + restart_named(self.master, self.replicas[0]) # wait until zone is signed assert wait_until_record_is_signed( self.master.ip, example_test_zone, self.log, timeout=100 @@ -513,7 +596,7 @@ class TestMigrateDNSSECMaster(IntegrationTest): "--skip-overlap-check", ] self.replicas[0].run_command(args) - + restart_named(self.master, self.replicas[0]) # wait until zone is signed assert wait_until_record_is_signed( self.replicas[0].ip, example2_test_zone, self.log, timeout=100 @@ -546,7 +629,7 @@ class TestMigrateDNSSECMaster(IntegrationTest): "--skip-overlap-check", ] self.replicas[1].run_command(args) - + restart_named(self.replicas[0], self.replicas[1]) # wait until zone is signed assert wait_until_record_is_signed( self.replicas[1].ip, example3_test_zone, self.log, timeout=200 |
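Review bot: The `@pytest.mark.xfail(strict=True)` on `test_sign_root_zone_no_named_restart` accepts any failure as the expected one, so a failing `ipa dnszone-add` or `ipa dnsrecord-add` command would be recorded as xfail just like an unsigned zone. Assuming `run_command` raises something other than `AssertionError` on a non-zero exit, narrowing the marker keeps setup breakage visible: `@pytest.mark.xfail(raises=AssertionError, strict=True, reason="https://fedorahosted.org/freeipa/ticket/5348")`. The class docstring could also state the intent more directly: the test is expected to fail until the ticket is fixed, and the strict xfail turns an unexpected pass into a red run so that the `restart_named` workaround gets removed.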