URL: https://github.com/freeipa/freeipa/pull/1559
Author: tiran
 Title: #1559: test_dnssec: re-add named-pkcs11 workarounds
Action: opened

PR body:
"""
DNSSEC tests starrted to fail again, probably due to a bug in
some underlaying component.

This reverts commit 8bc677512296a7e94c29edd0c1a96aa7273f352a
and makes the xfail test check less strict - it will no longer
mark the test suite red if it passes.

Related https://pagure.io/freeipa/issue/5348

Clone of @tomaskrizek PR #973 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1559/head:pr1559
git checkout pr1559
From 2a5b9fe693e92b2ac344b677169ab1f436a548f0 Mon Sep 17 00:00:00 2001
From: Tomas Krizek <tkri...@redhat.com>
Date: Tue, 15 Aug 2017 10:27:03 +0200
Subject: [PATCH] test_dnssec: re-add named-pkcs11 workarounds

DNSSEC tests starrted to fail again, probably due to a bug in
some underlaying component.

This reverts commit 8bc677512296a7e94c29edd0c1a96aa7273f352a
and makes the xfail test check less strict - it will no longer
mark the test suite red if it passes.

Related https://pagure.io/freeipa/issue/5348
---
 ipatests/test_integration/test_dnssec.py | 84 +++++++++++++++++++++++++++++++-
 1 file changed, 83 insertions(+), 1 deletion(-)

diff --git a/ipatests/test_integration/test_dnssec.py b/ipatests/test_integration/test_dnssec.py
index 11c76e48b2..7ac5cb0345 100644
--- a/ipatests/test_integration/test_dnssec.py
+++ b/ipatests/test_integration/test_dnssec.py
@@ -8,6 +8,7 @@
 import dns.resolver
 import dns.name
 import time
+import pytest
 
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.pytest_plugins.integration import tasks
@@ -61,7 +62,6 @@ def wait_until_record_is_signed(nameserver, record, rtype="SOA",
     Returns True if record is signed, or False on timeout
     :param nameserver: nameserver to query
     :param record: query
-    :param log: logger
     :param rtype: record type
     :param timeout:
     :return: True if records is signed, False if timeout
@@ -110,6 +110,7 @@ def test_if_zone_is_signed_master(self):
         ]
         self.master.run_command(args)
 
+        tasks.restart_named(self.master, self.replicas[0])
         # test master
         assert wait_until_record_is_signed(
             self.master.ip, test_zone, timeout=100
@@ -130,6 +131,7 @@ def test_if_zone_is_signed_replica(self):
         ]
         self.replicas[0].run_command(args)
 
+        tasks.restart_named(self.replicas[0])
         # test replica
         assert wait_until_record_is_signed(
             self.replicas[0].ip, test_zone_repl, timeout=300
@@ -175,6 +177,7 @@ def test_disable_reenable_signing_master(self):
         ]
         self.master.run_command(args)
 
+        tasks.restart_named(self.master)
         # test master
         assert wait_until_record_is_signed(
             self.master.ip, test_zone, timeout=100
@@ -222,6 +225,8 @@ def test_disable_reenable_signing_replica(self):
         ]
         self.master.run_command(args)
 
+        tasks.restart_named(self.master, self.replicas[0])
+
         # test master
         assert wait_until_record_is_signed(
             self.master.ip, test_zone_repl, timeout=100
@@ -237,6 +242,78 @@ def test_disable_reenable_signing_replica(self):
         assert dnskey_old != dnskey_new, "DNSKEY should be different"
 
 
+class TestZoneSigningWithoutNamedRestart(IntegrationTest):
+    """Test whether https://fedorahosted.org/freeipa/ticket/5348 is already
+    fixed. If the issue is not fixed, the test will expectedly fail. When
+    fixed, it will pass
+    """
+    num_replicas = 1
+    topology = 'star'
+
+    @classmethod
+    def install(cls, mh):
+        tasks.install_master(cls.master, setup_dns=False)
+        args = [
+            "ipa-dns-install",
+            "--dnssec-master",
+            "--forwarder", cls.master.config.dns_forwarder,
+            "-U",
+        ]
+        cls.master.run_command(args)
+
+        tasks.install_replica(cls.master, cls.replicas[0], setup_dns=True)
+
+        # backup trusted key
+        tasks.backup_file(cls.master, paths.DNSSEC_TRUSTED_KEY)
+        tasks.backup_file(cls.replicas[0], paths.DNSSEC_TRUSTED_KEY)
+
+    @classmethod
+    def uninstall(cls, mh):
+        # restore trusted key
+        tasks.restore_files(cls.master)
+        tasks.restore_files(cls.replicas[0])
+
+        super(TestZoneSigningWithoutNamedRestart, cls).uninstall(mh)
+
+    @pytest.mark.xfail()
+    def test_sign_root_zone_no_named_restart(self):
+        args = [
+            "ipa", "dnszone-add", root_zone, "--dnssec", "true",
+            "--skip-overlap-check",
+        ]
+        self.master.run_command(args)
+
+        # make BIND happy: add the glue record and delegate zone
+        args = [
+            "ipa", "dnsrecord-add", root_zone, self.master.hostname,
+            "--a-rec=" + self.master.ip
+        ]
+        self.master.run_command(args)
+        args = [
+            "ipa", "dnsrecord-add", root_zone, self.replicas[0].hostname,
+            "--a-rec=" + self.replicas[0].ip
+        ]
+        self.master.run_command(args)
+
+        # sleep a bit until data are provided by bind-dyndb-ldap
+        time.sleep(10)
+
+        args = [
+            "ipa", "dnsrecord-add", root_zone, self.master.domain.name,
+            "--ns-rec=" + self.master.hostname
+        ]
+        self.master.run_command(args)
+        # test master
+        assert wait_until_record_is_signed(
+            self.master.ip, root_zone, timeout=100
+        ), "Zone %s is not signed (master)" % root_zone
+
+        # test replica
+        assert wait_until_record_is_signed(
+            self.replicas[0].ip, root_zone, timeout=300
+        ), "Zone %s is not signed (replica)" % root_zone
+
+
 class TestInstallDNSSECFirst(IntegrationTest):
     """Simple DNSSEC test
 
@@ -295,6 +372,7 @@ def test_sign_root_zone(self):
             "--ns-rec=" + self.master.hostname
         ]
         self.master.run_command(args)
+        tasks.restart_named(self.master, self.replicas[0])
         # test master
         assert wait_until_record_is_signed(
             self.master.ip, root_zone, timeout=100
@@ -325,6 +403,7 @@ def test_chain_of_trust(self):
             "--ns-rec=" + self.master.hostname
         ]
         self.master.run_command(args)
+        tasks.restart_named(self.master, self.replicas[0])
         # wait until zone is signed
         assert wait_until_record_is_signed(
             self.master.ip, example_test_zone, timeout=100
@@ -462,6 +541,7 @@ def test_migrate_dnssec_master(self):
 
         self.master.run_command(args)
 
+        tasks.restart_named(self.master, self.replicas[0])
         # wait until zone is signed
         assert wait_until_record_is_signed(
             self.master.ip, example_test_zone, timeout=100
@@ -518,6 +598,7 @@ def test_migrate_dnssec_master(self):
             "--skip-overlap-check",
         ]
         self.replicas[0].run_command(args)
+        tasks.restart_named(self.master, self.replicas[0])
         # wait until zone is signed
         assert wait_until_record_is_signed(
             self.replicas[0].ip, example2_test_zone, timeout=100
@@ -550,6 +631,7 @@ def test_migrate_dnssec_master(self):
             "--skip-overlap-check",
         ]
         self.replicas[1].run_command(args)
+        tasks.restart_named(self.replicas[0], self.replicas[1])
         # wait until zone is signed
         assert wait_until_record_is_signed(
             self.replicas[1].ip, example3_test_zone, timeout=200
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

Reply via email to