From e2a51d3ee31e4d1a0e2a9c565bb1bc744d75d34d Mon Sep 17 00:00:00 2001 From: halderen Date: Tue, 28 Jun 2016 10:16:36 +0200 Subject: [PATCH] Repair change ttl test - removed ununsed purgekeys, sharekeys, hsm capacity from configuration - automatickeygeneration period set to actual period tested. - rewrote test from time leap attach style to time leap based on expected time to pass, which is less dependent on implementation. No knowledge of number of leaps is required, the time to leap is actually derived from the settings of the kasp (which is part of the test). - proper test that the keys do not go omnipresent before the 3600 seconds period. --- .../enforcer.policy.ttl_change/conf.xml | 7 ++- .../enforcer.policy.ttl_change/kasp.xml | 8 +--- .../enforcer.policy.ttl_change/test.sh | 44 +++++++------------ 3 files changed, 20 insertions(+), 39 deletions(-) diff --git a/testing/test-cases.d/enforcer.policy.ttl_change/conf.xml b/testing/test-cases.d/enforcer.policy.ttl_change/conf.xml index 6d54e62bb6..c41d30c6b0 100644 --- a/testing/test-cases.d/enforcer.policy.ttl_change/conf.xml +++ b/testing/test-cases.d/enforcer.policy.ttl_change/conf.xml @@ -6,7 +6,6 @@ @SOFTHSM_MODULE@ OpenDNSSEC 1234 - 10000 @@ -19,11 +18,11 @@ @INSTALL_ROOT@/var/opendnssec/kasp.db - PT1M - 0 + P1Y + 1 @INSTALL_ROOT@/var/opendnssec/signer - 4 + 1 diff --git a/testing/test-cases.d/enforcer.policy.ttl_change/kasp.xml b/testing/test-cases.d/enforcer.policy.ttl_change/kasp.xml index b8dcf658d3..8a79ed781c 100644 --- a/testing/test-cases.d/enforcer.policy.ttl_change/kasp.xml +++ b/testing/test-cases.d/enforcer.policy.ttl_change/kasp.xml @@ -25,20 +25,14 @@ PT1H PT0S PT0S - - P5M - 5 - P5M - + P1Y SoftHSM - 5 P5M - SoftHSM diff --git a/testing/test-cases.d/enforcer.policy.ttl_change/test.sh b/testing/test-cases.d/enforcer.policy.ttl_change/test.sh index b614146799..dd279cefa0 100644 --- a/testing/test-cases.d/enforcer.policy.ttl_change/test.sh 
+++ b/testing/test-cases.d/enforcer.policy.ttl_change/test.sh 
@@ -17,41 +17,31 @@ fi &&
 ods_reset_env -i &&
 ods_start_enforcer &&
-echo "################## ZONE ADD 1 ###########################" &&
+echo "################## ZONE ADD 1" &&
 echo -n "LINE: ${LINENO} " && ods-enforcer zone add --zone ods1 &&
+ods_enforcer_idle &&
+ods-enforcer zone list &&
-echo "################## LEAP TO OMNIPRESENT ZSK DNSKEY ###########################" &&
-echo -n "LINE: ${LINENO} " && ods-enforcer time leap --attach &&
-echo -n "LINE: ${LINENO} " && ods-enforcer time leap --attach &&
-echo -n "LINE: ${LINENO} " && ods-enforcer time leap --attach &&
+echo "################## LEAP TO OMNIPRESENT ZSK DNSKEY" &&
+echo -n "LINE: ${LINENO} " && ods_enforcer_leap_over 120 &&
-echo "################## LOWER TTL AND RESTART ###########################" &&
-ods_stop_enforcer &&
+echo "################## LOWER TTL AND RESTART" &&
 echo -n "LINE: ${LINENO} " && cp kasp-short-ttl.xml "$INSTALL_ROOT/etc/opendnssec/kasp.xml" &&
-ods_start_enforcer &&
 echo -n "LINE: ${LINENO} " && ods-enforcer policy import &&
-echo -n "LINE: ${LINENO} " && ods-enforcer time leap --attach &&
-echo "################## START ZSK ROLL ##########################" &&
+echo "################## START ZSK ROLL" &&
 echo -n "LINE: ${LINENO} " && ods-enforcer key rollover -t ZSK -z ods1 &&
-echo -n "LINE: ${LINENO} " && ods-enforcer time leap --attach &&
-
-echo "################## RECORD T_0 #########################" &&
-echo -n "LINE: ${LINENO} " && T0=`ods-enforcer queue | grep "It is now" |
- sed -r "s/^.*\(([0-9]+) .*$/\1/"` &&
-
-echo "################## LEAP TO OMNIPRESENT ########################" &&
-echo -n "LINE: ${LINENO} " && ods-enforcer time leap --attach &&
-echo "################## MUST HAVE 2 OMNIPRESENT ZSKS ######################" &&
+echo "################## TESTING 2ND ZSK IS NOT ACTIVE FOR ENOUGH TIME" &&
+echo -n "LINE: ${LINENO} " && ods_enforcer_leap_to 3600 &&
+ods-enforcer key list -d -p | grep ZSK &&
+COUNT=`ods-enforcer key list -d -p |grep ZSK|cut -f 4 -d ";" |grep -c omnipresent` &&
+[ $COUNT -eq 1 ] &&
+echo "################## BUT A MOMENT LATER IT IS" &&
+echo -n "LINE: ${LINENO} " && ods-enforcer time leap &&
 COUNT=`ods-enforcer key list -d -p |grep ZSK|cut -f 4 -d ";" |grep -c omnipresent` &&
 [ $COUNT -eq 2 ] &&
-echo "################## RECORD T_1 #########################" &&
-echo -n "LINE: ${LINENO} " && T1=`ods-enforcer queue | grep "It is now" |
- sed -r "s/^.*\(([0-9]+) .*$/\1/"` &&
-
-echo "################## DID ENOUGH TIME PASS? ########################" &&
 ###############################################################################
 ## NOTICE: we would expect roughly an hour + a minute here. (Old TTL + margins)
 ## If we would botch it up we expect a minute + a minute. (New TTL + margin)
@@ -61,15 +51,13 @@ echo "################## DID ENOUGH TIME PASS? ########################" &&
 ## so it will still succeed if we once fix that bug. (i.e. anything more than
 ## an hour is okay)
 ###############################################################################
-echo "T1 - T0 = $T1 - $T0 = $((T1 - T0))" &&
-[ $((T1 - T0)) -gt 3600 ] &&
-echo "################## TEST TEARDOWN ###########################" &&
+echo "################## TEST TEARDOWN" &&
 echo -n "LINE: ${LINENO} " && ods_stop_enforcer &&
 exit 0
-echo "################## ERROR: CURRENT STATE ###########################"
+echo "################## ERROR: CURRENT STATE" &&
 echo "DEBUG: " && ods-enforcer key list -d -p
 echo "DEBUG: " && ods-enforcer key list -v
 echo "DEBUG: " && ods-enforcer queue
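Review bot: In the "BUT A MOMENT LATER IT IS" step the key list is read straight after `ods-enforcer time leap`, with no wait for the enforcer to finish the leap. The old code used `--attach` on every leap, and this hunk adds `ods_enforcer_idle` after the zone add, so the leap presumably can return before the key states are updated, which would make the `-eq 2` check intermittent. I would write `echo -n "LINE: ${LINENO} " && ods-enforcer time leap && ods_enforcer_idle &&`. I would also quote the counter in both tests, `[ "$COUNT" -eq 1 ] &&` and `[ "$COUNT" -eq 2 ] &&`, so an empty value fails as a clean comparison instead of a `[` syntax error. This pair of checks guards against the new ZSK going omnipresent before the old DNSKEY TTL has expired from resolver caches, a premature roll that can leave validators unable to verify the zone, so a racy result here can hide a real regression.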
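Review bot: The banner comment kept as context around this hunk ("NOTICE: we would expect roughly an hour + a minute here") still describes the `T1 - T0` measurement that this commit removes. It now sits above the teardown and explains an assertion that no longer exists. I would replace it with a description of the new checks and move it above the `ods_enforcer_leap_to 3600` step, for example `## Old TTL is 3600s: at the 3600s mark only one ZSK may be omnipresent; after the next leap both must be.` Part of the comment block (the lines between the two hunks) and the end of the error path are outside the hunks, so it is worth confirming that the script still exits non-zero after the DEBUG output.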