tests(refactor): open_dkim.bats (#3060)

* tests(refactor): Make test cases for opendkim keysizes DRY

- These all do roughly the same logic that can be split into two separate methods.
- `_should_generate_dkim_key()` covers a bit more logic as it can be leveraged to handle other test cases that also perform the same logic.
- The `config/opendkim/` doesn't seem necessary for tests. Only the first few test cases here are testing against it, so we can conditionally make that available. `process_check_restart.bats` also depended on it to run OpenDKIM successfully, but this was due to the `setup-stack.sh` config defaults failing to find an "empty" file forcing `supervisord` to constantly restart the process..
- With this, there we inverse the default opendkim config, so we don't have to mount unique / empty subfolders for each test case, followed by copying over the two extra configs.

* tests(refactor): DRY up more test cases

All the remaining test cases but the last one were refactored here for a clean commit diff. The last test case will be refactored in the following commit.

Plenty of repeated logic spread across these test cases, now condensed into shared methods.

* tests(refactor): Make final test case DRY

* chore: Migrate to new testing helpers

* chore: Revise test case descriptions

* tests(refactor): Improve and simplify assertions

* tests(refactor): Use common container setup instead of `docker run`

- As the majority of test cases are only running `open-dkim` helper, we don't actually have to wait for a full container setup. So an alternative container start is called.
- Also improves assertions a bit more instead of just counting lines.
- Some test cases don't bind mount all of `/tmp/docker-mailserver` contents, thus don't raise permission errors on subsequent test runs.
- Instead of `rm -f` on some config files, have opted to mount them read-only instead, or alternatively mount an anonymous empty volume instead.
- Collapsed the first three test cases into one, thus no `setup_file()` necessary.
- Shift the `_wait_for_finished_setup_in_container()` method into `_common_container_setup()` instead since nothing else is using `_common_container_start()` yet, this allows for avoiding the wait.

* tests(refactor): Collapse dkim key size test cases into single test case

This makes these tests a bit more DRY, and enhances the raised quality issue with these tests. Now not only is the domain checked in the generated DNS dkim record, but we also verify the key size is corrected in the public and private keys via openssl.

* chore: Revise container names

* chore: Swap order of test case 1 and 2

* tests(refactor): Assert generated log output

- `__should_have_tables_trustedhosts_for_domain` shifted in each test case to just after generating the domains keys.
- Asserts `open-dkim` logs instead of just counting them.
- Added checks for domains that should not be present in a test case.
- Additional coverage and notes about the alias from vhost `@localdomain.com`
- Single assert statement with switch statement as all are using common args.

* chore: Minor changes

* tests(refactor):  Share `find` logic in helpers and tests

* tests(fix): Listing file content does not need to match line order

The order printed from local system vs CI differed causing the CI to fail. The order of lines is irrelevant so `--index` is not required.

Additionally correct the prefix of the called method to be only one `_` now that it's a `common.bash` helper method.

* chore: Collapse custom DKIM selector test into custom DKIM domain test

These cover the same test logic for the most part, the first domain could also be testing the custom selector.

`special_use_folders.bats` + `mailbox_format_dbox` can assert lines instead, removing the need for `--partial`.

* Apply suggestions from code review

Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>

* chore: Split switch statement method into wrapper methods

---------

Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>

target/scripts/startup/setup-stack.sh

@@ -646,7 +646,9 @@ function _setup_dkim_dmarc
 
   _log 'debug' 'Setting up DKIM'
 
-  mkdir -p /etc/opendkim/keys/ && touch /etc/opendkim/SigningTable
+  mkdir -p /etc/opendkim/keys/
+  touch /etc/opendkim/SigningTable
+  touch /etc/opendkim/TrustedHosts
 
   _log 'trace' "Adding OpenDKIM to Postfix's milters"
   # shellcheck disable=SC2016

test/helper/common.bash

@@ -405,22 +405,27 @@ function _container_is_running() {
 #
 # @param ${1} = directory
 # @param ${2} = number of files that should be in ${1}
-# @param ${3} = container name [OPTIONAL]
 function _count_files_in_directory_in_container()
 {
   local DIRECTORY=${1:?No directory provided}
   local NUMBER_OF_LINES=${2:?No line count provided}
-  local CONTAINER_NAME=$(__handle_container_name "${3:-}")
-
-  _run_in_container_bash "[[ -d ${DIRECTORY} ]]"
-  assert_success
-
-  _run_in_container_bash "find ${DIRECTORY} -maxdepth 1 -type f"
-  assert_success
 
+  _should_have_content_in_directory "${DIRECTORY}" '-type f'
   _should_output_number_of_lines "${NUMBER_OF_LINES}"
 }
 
+# Checks if the directory exists and then list the top-level content.
+#
+# @param ${1} = directory
+# @param ${2} = Additional options to `find`
+function _should_have_content_in_directory() {
+  local DIRECTORY=${1:?No directory provided}
+  local FIND_OPTIONS=${2:-}
+
+  _run_in_container_bash "[[ -d ${DIRECTORY} ]] && find ${DIRECTORY} -mindepth 1 -maxdepth 1 ${FIND_OPTIONS} -printf '%f\n'"
+  assert_success
+}
+
 # Filters a service's logs (under `/var/log/supervisor/<SERVICE>.log`) given
 # a specific string.
 #

test/helper/setup.bash

@@ -183,8 +183,6 @@ function _common_container_create() {
 function _common_container_start() {
   run docker start "${CONTAINER_NAME:?Container name must be set}"
   assert_success
-
-  _wait_for_finished_setup_in_container "${CONTAINER_NAME}"
 }
 
 # Using `create` and `start` instead of only `run` allows to modify
@@ -196,6 +194,8 @@ function _common_container_start() {
 function _common_container_setup() {
   _common_container_create "${@}"
   _common_container_start
+
+  _wait_for_finished_setup_in_container "${CONTAINER_NAME}"
 }
 
 # Can be used in BATS' `teardown_file` function as a default value.

test/tests/parallel/set1/dovecot/mailbox_format_dbox.bats

@@ -30,11 +30,10 @@ function teardown() { _default_teardown ; }
   _wait_for_empty_mail_queue_in_container
 
   # Mail received should be stored as `u.1` (one file per message)
-  local MAILBOX_STORAGE='/var/mail/localhost.localdomain/user1/mailboxes/INBOX/dbox-Mails'
+  _count_files_in_directory_in_container '/var/mail/localhost.localdomain/user1/mailboxes/INBOX/dbox-Mails' 3
-  _count_files_in_directory_in_container "${MAILBOX_STORAGE}" 3
+  assert_line 'dovecot.index.log'
-  assert_output --partial "${MAILBOX_STORAGE}/dovecot.index.log"
+  assert_line 'u.1'
-  assert_output --partial "${MAILBOX_STORAGE}/u.1"
+  assert_line 'dovecot.index.cache'
-  assert_output --partial "${MAILBOX_STORAGE}/dovecot.index.cache"
 }
 
 @test "(ENV DOVECOT_MAILBOX_FORMAT=mdbox) should store received mail at expected location" {
@@ -52,8 +51,7 @@ function teardown() { _default_teardown ; }
   _wait_for_empty_mail_queue_in_container
 
   # Mail received should be stored in `m.1` (1 or more messages)
-  local MAILBOX_STORAGE='/var/mail/localhost.localdomain/user1/storage'
+  _count_files_in_directory_in_container '/var/mail/localhost.localdomain/user1/storage' 2
-  _count_files_in_directory_in_container "${MAILBOX_STORAGE}" 2
+  assert_line 'dovecot.map.index.log'
-  assert_output --partial "${MAILBOX_STORAGE}/dovecot.map.index.log"
+  assert_line 'm.1'
-  assert_output --partial "${MAILBOX_STORAGE}/m.1"
 }

test/tests/parallel/set1/dovecot/special_use_folders.bats

@@ -21,11 +21,10 @@ function teardown_file() { _default_teardown ; }
 }
 
 @test "(IMAP) special-use folders should not exist yet" {
-  _run_in_container find /var/mail/localhost.localdomain/user1 -maxdepth 1 -type d
+  _should_have_content_in_directory '/var/mail/localhost.localdomain/user1'
-  assert_success
+  refute_line '.Drafts'
-  refute_output --partial '.Drafts'
+  refute_line '.Sent'
-  refute_output --partial '.Sent'
+  refute_line '.Trash'
-  refute_output --partial '.Trash'
 }
 
 @test "(IMAP) special-use folders should be created when necessary" {

test/tests/parallel/set3/mta/account_management.bats

@@ -58,8 +58,7 @@ function teardown_file() { _default_teardown ; }
 }
 
 @test "should not accidentally parse comments in 'postfix-accounts.cf' as accounts" {
-  _run_in_container find /var/mail -maxdepth 1
+  _should_have_content_in_directory '/var/mail'
-  assert_success
   refute_output --partial 'comment'
 }
 

test/tests/serial/open_dkim.bats

@@ -1,465 +1,279 @@
-load "${REPOSITORY_ROOT}/test/test_helper/common"
+load "${REPOSITORY_ROOT}/test/helper/common"
+load "${REPOSITORY_ROOT}/test/helper/setup"
 
-export IMAGE_NAME CONTAINER_NAME TEST_FILE
+BATS_TEST_NAME_PREFIX='[OpenDKIM] '
+CONTAINER1_NAME='dms-test_opendkim_key-sizes'
+CONTAINER2_NAME='dms-test_opendkim_with-config-volume'
+CONTAINER3_NAME='dms-test_opendkim_without-config-volume'
+CONTAINER4_NAME='dms-test_opendkim_without-accounts'
+CONTAINER5_NAME='dms-test_opendkim_without-virtual'
+CONTAINER6_NAME='dms-test_opendkim_with-args'
 
-IMAGE_NAME="${NAME:?Image name must be set}"
+function teardown() { _default_teardown ; }
-CONTAINER_NAME='open-dkim'
-TEST_FILE='checking OpenDKIM: '
 
-# WHY IS THIS CONTAINER EVEN CREATED WHEN MOST TESTS DO NOT USE IT?
+# TODO: Neither of these are too important, but might be worth covering:
-function setup_file
+# - May want to also add test cases for log: 'No entries found, no keys to make'
-{
+# - May want to also do a redundant 2nd run for matching no log output? (Bad UX?)
-  local PRIVATE_CONFIG
-  PRIVATE_CONFIG=$(duplicate_config_for_container . "${CONTAINER_NAME}")
 
-  docker run -d \
+@test "should support creating keys of different sizes" {
-    --name "${CONTAINER_NAME}" \
+  export CONTAINER_NAME=${CONTAINER2_NAME}
-    -v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
-    -v "${PWD}/test/test-files":/tmp/docker-mailserver-test:ro \
-    -e DEFAULT_RELAY_HOST=default.relay.host.invalid:25 \
-    -e PERMIT_DOCKER=host \
-    -e LOG_LEVEL='trace' \
-    -h mail.my-domain.com \
-    -t "${IMAGE_NAME}"
 
-  wait_for_finished_setup_in_container "${CONTAINER_NAME}"
+  __init_container_without_waiting
+
+  # The default size created should be 4096-bit:
+  __should_support_creating_key_of_size
+  # Explicit sizes:
+  __should_support_creating_key_of_size '4096'
+  __should_support_creating_key_of_size '2048'
+  __should_support_creating_key_of_size '1024'
 }
 
-function teardown_file
+# NOTE: This pre-generated opendkim config was before the alias `localdomain2.com`
-{
+# was present or supported by open-dkim? (when sourcing domains from generated vhost entries)
-  docker rm -f "${CONTAINER_NAME}"
+@test "providing config volume should setup /etc/opendkim" {
-}
+  export CONTAINER_NAME=${CONTAINER1_NAME}
 
-# -----------------------------------------------
+  _init_with_defaults
-# --- Actual Tests ------------------------------
+  mv "${TEST_TMP_CONFIG}/example-opendkim/" "${TEST_TMP_CONFIG}/opendkim/"
-# -----------------------------------------------
+  _common_container_setup
 
-@test "${TEST_FILE}/etc/opendkim/KeyTable should contain 2 entries" {
+  _run_in_container cat '/etc/opendkim/KeyTable'
-  run docker exec "${CONTAINER_NAME}" /bin/bash -c "cat /etc/opendkim/KeyTable | wc -l"
   assert_success
-  assert_output 2
+  __assert_has_entry_in_keytable 'localhost.localdomain'
-}
+  __assert_has_entry_in_keytable 'otherdomain.tld'
+  _should_output_number_of_lines 2
 
-# TODO piping ls into grep ...
+  _should_have_content_in_directory '/etc/opendkim/keys/'
-@test "${TEST_FILE}/etc/opendkim/keys/ should contain 2 entries" {
+  assert_output --partial 'localhost.localdomain'
-  run docker exec "${CONTAINER_NAME}" /bin/bash -c "ls -l /etc/opendkim/keys/ | grep '^d' | wc -l"
+  assert_output --partial 'otherdomain.tld'
-  assert_success
+  _should_output_number_of_lines 2
-  assert_output 2
-}
 
-@test "${TEST_FILE}/etc/opendkim.conf contains nameservers copied from /etc/resolv.conf" {
+  # /etc/opendkim.conf should contain nameservers copied from /etc/resolv.conf
-  run docker exec "${CONTAINER_NAME}" /bin/bash -c \
+  _run_in_container grep -E \
-    "grep -E '^Nameservers ((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)' \
+    '^Nameservers ((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)' \
-    /etc/opendkim.conf"
+    /etc/opendkim.conf
   assert_success
 }
 
-# this set of tests is of low quality.                                                       WHAT? <- DELETE AFTER REWRITE
+# No default config supplied to /tmp/docker-mailserver/opendkim
-# It does not test the RSA-Key size properly via openssl or similar                          WHAT??? <- DELETE AFTER REWRITE
+# Generating key should create keys and tables + TrustedHosts files:
-# Instead it tests the file-size (here 861) - which may differ with a different domain names WWHHHHHHAAAT??? <- DELETE AFTER REWRITE
+@test "should create keys and config files (with defaults)" {
+  export CONTAINER_NAME=${CONTAINER3_NAME}
 
-# TODO Needs complete re-write
+  __init_container_without_waiting
-@test "${TEST_FILE}generator creates default keys size" {
-  local PRIVATE_CONFIG
-  PRIVATE_CONFIG=$(duplicate_config_for_container . mail_default_key_size)
 
-  # Prepare default key size 4096
+  __should_generate_dkim_key 6
-  rm -rf "${PRIVATE_CONFIG}/keyDefault"
+  __assert_outputs_common_dkim_logs
-  mkdir -p "${PRIVATE_CONFIG}/keyDefault"
 
-  run docker run --rm \
+  __should_have_tables_trustedhosts_for_domain
-    -e LOG_LEVEL='trace' \
-    -v "${PRIVATE_CONFIG}/keyDefault/":/tmp/docker-mailserver/ \
-    -v "${PRIVATE_CONFIG}/postfix-accounts.cf":/tmp/docker-mailserver/postfix-accounts.cf \
-    -v "${PRIVATE_CONFIG}/postfix-virtual.cf":/tmp/docker-mailserver/postfix-virtual.cf \
-    "${IMAGE_NAME}" /bin/bash -c 'open-dkim | wc -l'
 
-  assert_success
+  __should_have_key_for_domain 'localhost.localdomain'
-  assert_output 6
+  __should_have_key_for_domain 'localdomain2.com'
-
+  __should_have_key_for_domain 'otherdomain.tld'
-  run docker run --rm \
-    -v "${PRIVATE_CONFIG}/keyDefault/opendkim":/etc/opendkim \
-    "${IMAGE_NAME}" \
-    /bin/bash -c 'stat -c%s /etc/opendkim/keys/localhost.localdomain/mail.txt'
-
-  assert_success
-  assert_output 861
 }
 
-# this set of tests is of low quality. It does not test the RSA-Key size properly via openssl or similar <- DELETE AFTER REWRITE
+@test "should create keys and config files (without postfix-accounts.cf)" {
-# Instead it tests the file-size (here 861) - which may differ with a different domain names <- DELETE AFTER REWRITE
+  export CONTAINER_NAME=${CONTAINER4_NAME}
 
-# TODO Needs complete re-write
+  # Only mount single config file (postfix-virtual.cf):
-@test "${TEST_FILE}generator creates key size 4096" {
+  __init_container_without_waiting "${PWD}/test/config/postfix-virtual.cf:/tmp/docker-mailserver/postfix-virtual.cf:ro"
-  local PRIVATE_CONFIG
-  PRIVATE_CONFIG=$(duplicate_config_for_container . mail_key_size_4096)
 
-  rm -rf "${PRIVATE_CONFIG}/key4096"
+  __should_generate_dkim_key 5
-  mkdir -p "${PRIVATE_CONFIG}/config/key4096"
+  __assert_outputs_common_dkim_logs
 
-  run docker run --rm \
+  __should_have_tables_trustedhosts_for_domain
-    -e LOG_LEVEL='trace' \
-    -v "${PRIVATE_CONFIG}/key2048/":/tmp/docker-mailserver/ \
-    -v "${PRIVATE_CONFIG}/postfix-accounts.cf":/tmp/docker-mailserver/postfix-accounts.cf \
-    -v "${PRIVATE_CONFIG}/postfix-virtual.cf":/tmp/docker-mailserver/postfix-virtual.cf \
-    "${IMAGE_NAME}" /bin/bash -c 'open-dkim keysize 4096 | wc -l'
 
-  assert_success
+  __should_have_key_for_domain 'localhost.localdomain'
-  assert_output 6
+  __should_have_key_for_domain 'localdomain2.com'
-
+  # NOTE: This would only be present if supplying the default postfix-accounts.cf:
-  run docker run --rm \
+  __should_not_have_key_for_domain 'otherdomain.tld'
-    -v "${PRIVATE_CONFIG}/key2048/opendkim":/etc/opendkim \
-    "${IMAGE_NAME}" \
-    /bin/bash -c 'stat -c%s /etc/opendkim/keys/localhost.localdomain/mail.txt'
-
-  assert_success
-  assert_output 861
 }
 
-# Instead it tests the file-size (here 511) - which may differ with a different domain names <- DELETE AFTER REWRITE
+@test "should create keys and config files (without postfix-virtual.cf)" {
-# This test may be re-used as a global test to provide better test coverage. <- DELETE AFTER REWRITE
+  export CONTAINER_NAME=${CONTAINER5_NAME}
 
-# TODO Needs complete re-write
+  # Only mount single config file (postfix-accounts.cf):
-@test "${TEST_FILE}generator creates key size 2048" {
+  __init_container_without_waiting "${PWD}/test/config/postfix-accounts.cf:/tmp/docker-mailserver/postfix-accounts.cf:ro"
-  local PRIVATE_CONFIG
-  PRIVATE_CONFIG=$(duplicate_config_for_container . mail_key_size_2048)
 
-  rm -rf "${PRIVATE_CONFIG}/key2048"
+  __should_generate_dkim_key 5
-  mkdir -p "${PRIVATE_CONFIG}/config/key2048"
+  __assert_outputs_common_dkim_logs
 
-  run docker run --rm \
+  __should_have_tables_trustedhosts_for_domain
-    -e LOG_LEVEL='trace' \
-    -v "${PRIVATE_CONFIG}/key2048/":/tmp/docker-mailserver/ \
-    -v "${PRIVATE_CONFIG}/postfix-accounts.cf":/tmp/docker-mailserver/postfix-accounts.cf \
-    -v "${PRIVATE_CONFIG}/postfix-virtual.cf":/tmp/docker-mailserver/postfix-virtual.cf \
-    "${IMAGE_NAME}" /bin/bash -c 'open-dkim keysize 2048 | wc -l'
 
-  assert_success
+  __should_have_key_for_domain 'localhost.localdomain'
-  assert_output 6
+  __should_have_key_for_domain 'otherdomain.tld'
-
+  # NOTE: This would only be present if supplying the default postfix-virtual.cf:
-  run docker run --rm \
+  __should_not_have_key_for_domain 'localdomain2.com'
-    -v "${PRIVATE_CONFIG}/key2048/opendkim":/etc/opendkim \
-    "${IMAGE_NAME}" \
-    /bin/bash -c 'stat -c%s /etc/opendkim/keys/localhost.localdomain/mail.txt'
-
-  assert_success
-  assert_output 511
 }
 
-# this set of tests is of low quality. It does not test the RSA-Key size properly via openssl or similar <- DELETE AFTER REWRITE
+@test "should create keys and config files (with custom domains and selector)" {
-# Instead it tests the file-size (here 329) - which may differ with a different domain names <- DELETE AFTER REWRITE
+  export CONTAINER_NAME=${CONTAINER6_NAME}
 
-# TODO Needs complete re-write
+  # Create without config volume (creates an empty anonymous volume instead):
-@test "${TEST_FILE}generator creates key size 1024" {
+  __init_container_without_waiting '/tmp/docker-mailserver'
-  local PRIVATE_CONFIG
-  PRIVATE_CONFIG=$(duplicate_config_for_container . mail_key_size_1024)
-
-  rm -rf "${PRIVATE_CONFIG}/key1024"
-  mkdir -p "${PRIVATE_CONFIG}/key1024"
-
-  run docker run --rm \
-    -e LOG_LEVEL='trace' \
-    -v "${PRIVATE_CONFIG}/key1024/":/tmp/docker-mailserver/ \
-    -v "${PRIVATE_CONFIG}/postfix-accounts.cf":/tmp/docker-mailserver/postfix-accounts.cf \
-    -v "${PRIVATE_CONFIG}/postfix-virtual.cf":/tmp/docker-mailserver/postfix-virtual.cf \
-    "${IMAGE_NAME}" /bin/bash -c 'open-dkim keysize 1024 | wc -l'
-
-  assert_success
-  assert_output 6
-
-  run docker run --rm \
-    -v "${PRIVATE_CONFIG}/key1024/opendkim":/etc/opendkim \
-    "${IMAGE_NAME}" \
-    /bin/bash -c 'stat -c%s /etc/opendkim/keys/localhost.localdomain/mail.txt'
-
-  assert_success
-  assert_output 329
-}
-
-@test "${TEST_FILE}generator creates keys, tables and TrustedHosts" {
-  local PRIVATE_CONFIG
-  PRIVATE_CONFIG=$(duplicate_config_for_container . mail_dkim_generator_creates_keys_tables_TrustedHosts)
-
-  rm -rf "${PRIVATE_CONFIG}/empty"
-  mkdir -p "${PRIVATE_CONFIG}/empty"
-
-  run docker run --rm \
-    -e LOG_LEVEL='trace' \
-    -v "${PRIVATE_CONFIG}/empty/":/tmp/docker-mailserver/ \
-    -v "${PRIVATE_CONFIG}/postfix-accounts.cf":/tmp/docker-mailserver/postfix-accounts.cf \
-    -v "${PRIVATE_CONFIG}/postfix-virtual.cf":/tmp/docker-mailserver/postfix-virtual.cf \
-    "${IMAGE_NAME}" /bin/bash -c 'open-dkim | wc -l'
-
-  assert_success
-  assert_output 6
-
-  # check keys for localhost.localdomain
-  run docker run --rm \
-    -v "${PRIVATE_CONFIG}/empty/opendkim":/etc/opendkim \
-    "${IMAGE_NAME}" /bin/bash -c 'ls -1 /etc/opendkim/keys/localhost.localdomain/ | wc -l'
-
-  assert_success
-  assert_output 2
-
-  # check keys for otherdomain.tld
-  run docker run --rm \
-    -v "${PRIVATE_CONFIG}/empty/opendkim":/etc/opendkim \
-    "${IMAGE_NAME}" /bin/bash -c 'ls -1 /etc/opendkim/keys/otherdomain.tld | wc -l'
-
-  assert_success
-  assert_output 2
-
-  # check presence of tables and TrustedHosts
-  run docker run --rm \
-    -v "${PRIVATE_CONFIG}/empty/opendkim":/etc/opendkim \
-    "${IMAGE_NAME}" /bin/bash -c "ls -1 /etc/opendkim | grep -E 'KeyTable|SigningTable|TrustedHosts|keys'|wc -l"
-
-  assert_success
-  assert_output 4
-}
-
-@test "${TEST_FILE}generator creates keys, tables and TrustedHosts without postfix-accounts.cf" {
-  local PRIVATE_CONFIG
-  PRIVATE_CONFIG=$(duplicate_config_for_container . )
-
-  rm -rf "${PRIVATE_CONFIG}/without-accounts"
-  mkdir -p "${PRIVATE_CONFIG}/without-accounts"
-
-  run docker run --rm \
-    -e LOG_LEVEL='trace' \
-    -v "${PRIVATE_CONFIG}/without-accounts/":/tmp/docker-mailserver/ \
-    -v "${PRIVATE_CONFIG}/postfix-virtual.cf":/tmp/docker-mailserver/postfix-virtual.cf \
-    "${IMAGE_NAME}" /bin/bash -c 'open-dkim | wc -l'
-
-  assert_success
-  assert_output 5
-
-  # check keys for localhost.localdomain
-  run docker run --rm \
-    -e LOG_LEVEL='trace' \
-    -v "${PRIVATE_CONFIG}/without-accounts/opendkim":/etc/opendkim \
-    "${IMAGE_NAME}" /bin/bash -c 'ls -1 /etc/opendkim/keys/localhost.localdomain/ | wc -l'
-
-  assert_success
-  assert_output 2
-
-  # check keys for otherdomain.tld
-  # run docker run --rm \
-  #   -v "${PRIVATE_CONFIG}/without-accounts/opendkim":/etc/opendkim \
-  #   "${IMAGE_NAME}" /bin/bash -c 'ls -1 /etc/opendkim/keys/otherdomain.tld | wc -l'
-  # assert_success
-  # [ "${output}" -eq 0 ]
-
-  # check presence of tables and TrustedHosts
-  run docker run --rm \
-    -e LOG_LEVEL='trace' \
-    -v "${PRIVATE_CONFIG}/without-accounts/opendkim":/etc/opendkim \
-    "${IMAGE_NAME}" /bin/bash -c "ls -1 /etc/opendkim | grep -E 'KeyTable|SigningTable|TrustedHosts|keys'|wc -l"
-
-  assert_success
-  assert_output 4
-}
-
-@test "${TEST_FILE}generator creates keys, tables and TrustedHosts without postfix-virtual.cf" {
-  local PRIVATE_CONFIG
-  PRIVATE_CONFIG=$(duplicate_config_for_container . "${BATS_TEST_NAME}")
-
-  rm -rf "${PRIVATE_CONFIG}/without-virtual"
-  mkdir -p "${PRIVATE_CONFIG}/without-virtual"
-
-  run docker run --rm \
-    -e LOG_LEVEL='trace' \
-    -v "${PRIVATE_CONFIG}/without-virtual/":/tmp/docker-mailserver/ \
-    -v "${PRIVATE_CONFIG}/postfix-accounts.cf":/tmp/docker-mailserver/postfix-accounts.cf \
-    "${IMAGE_NAME}" /bin/bash -c 'open-dkim | wc -l'
-
-  assert_success
-  assert_output 5
-
-  # check keys for localhost.localdomain
-  run docker run --rm \
-    -e LOG_LEVEL='trace' \
-    -v "${PRIVATE_CONFIG}/without-virtual/opendkim":/etc/opendkim \
-    "${IMAGE_NAME}" /bin/bash -c 'ls -1 /etc/opendkim/keys/localhost.localdomain/ | wc -l'
-
-  assert_success
-  assert_output 2
-
-  # check keys for otherdomain.tld
-  run docker run --rm \
-    -e LOG_LEVEL='trace' \
-    -v "${PRIVATE_CONFIG}/without-virtual/opendkim":/etc/opendkim \
-    "${IMAGE_NAME}" /bin/bash -c 'ls -1 /etc/opendkim/keys/otherdomain.tld | wc -l'
-
-  assert_success
-  assert_output 2
-
-  # check presence of tables and TrustedHosts
-  run docker run --rm \
-    -e LOG_LEVEL='trace' \
-    -v "${PRIVATE_CONFIG}/without-virtual/opendkim":/etc/opendkim \
-    "${IMAGE_NAME}" /bin/bash -c "ls -1 /etc/opendkim | grep -E 'KeyTable|SigningTable|TrustedHosts|keys'|wc -l"
-
-  assert_success
-  assert_output 4
-}
-
-@test "${TEST_FILE}generator creates keys, tables and TrustedHosts using manual provided domain name" {
-  local PRIVATE_CONFIG
-  PRIVATE_CONFIG=$(duplicate_config_for_container . "${BATS_TEST_NAME}")
-  rm -rf "${PRIVATE_CONFIG}/with-domain" && mkdir -p "${PRIVATE_CONFIG}/with-domain"
-
-  # generate first key
-  run docker run --rm \
-    -e LOG_LEVEL='trace' \
-    -v "${PRIVATE_CONFIG}/with-domain/":/tmp/docker-mailserver/ \
-    "${IMAGE_NAME}" /bin/bash -c 'open-dkim keysize 2048 domain domain1.tld | wc -l'
-
-  assert_success
-  assert_output 4
 
+  # generate first key (with a custom selector)
+  __should_generate_dkim_key 4 '2048' 'domain1.tld' 'mailer'
+  __assert_outputs_common_dkim_logs
   # generate two additional keys different to the previous one
-  run docker run --rm \
+  __should_generate_dkim_key 2 '2048' 'domain2.tld,domain3.tld'
-    -e LOG_LEVEL='trace' \
+  __assert_logged_dkim_creation 'domain2.tld'
-    -v "${PRIVATE_CONFIG}/with-domain/":/tmp/docker-mailserver/ \
+  __assert_logged_dkim_creation 'domain3.tld'
-    "${IMAGE_NAME}" /bin/bash -c 'open-dkim keysize 2048 domain "domain2.tld,domain3.tld" | wc -l'
-
-  assert_success
-  assert_output 2
-
   # generate an additional key whilst providing already existing domains
-  run docker run --rm \
+  __should_generate_dkim_key 1 '2048' 'domain3.tld,domain4.tld'
-    -e LOG_LEVEL='trace' \
+  __assert_logged_dkim_creation 'domain4.tld'
-    -v "${PRIVATE_CONFIG}/with-domain/":/tmp/docker-mailserver/ \
-    "${IMAGE_NAME}" /bin/bash -c 'open-dkim keysize 2048 domain "domain3.tld,domain4.tld" | wc -l'
 
-  assert_success
+  __should_have_tables_trustedhosts_for_domain
-  assert_output 1
 
-  # check keys for domain1.tld
+  __should_have_key_for_domain 'domain1.tld' 'mailer'
-  run docker run --rm \
+  __should_have_key_for_domain 'domain2.tld'
-    -e LOG_LEVEL='trace' \
+  __should_have_key_for_domain 'domain3.tld'
-    -v "${PRIVATE_CONFIG}/with-domain/opendkim":/etc/opendkim \
+  __should_have_key_for_domain 'domain4.tld'
-    "${IMAGE_NAME}" /bin/bash -c 'ls -1 /etc/opendkim/keys/domain1.tld/ | wc -l'
+  # This would be created by default (from vhost) if no domain was given to open-dkim:
+  __should_not_have_key_for_domain 'localhost.localdomain'
+  # Without the default account configs, neither of these should be present:
+  __should_not_have_key_for_domain 'otherdomain.tld'
+  __should_not_have_key_for_domain 'localdomain2.com'
 
-  assert_success
+  _run_in_container cat "/tmp/docker-mailserver/opendkim/KeyTable"
-  assert_output 2
+  __assert_has_entry_in_keytable 'domain1.tld' 'mailer'
+  __assert_has_entry_in_keytable 'domain2.tld'
+  __assert_has_entry_in_keytable 'domain3.tld'
+  __assert_has_entry_in_keytable 'domain4.tld'
+  _should_output_number_of_lines 4
 
-  # check keys for domain2.tld
+  _run_in_container cat "/tmp/docker-mailserver/opendkim/SigningTable"
-  run docker run --rm \
+  __assert_has_entry_in_signingtable 'domain1.tld' 'mailer'
-    -e LOG_LEVEL='trace' \
+  __assert_has_entry_in_signingtable 'domain2.tld'
-    -v "${PRIVATE_CONFIG}/with-domain/opendkim":/etc/opendkim \
+  __assert_has_entry_in_signingtable 'domain3.tld'
-    "${IMAGE_NAME}" /bin/bash -c 'ls -1 /etc/opendkim/keys/domain2.tld | wc -l'
+  __assert_has_entry_in_signingtable 'domain4.tld'
-
+  _should_output_number_of_lines 4
-  assert_success
-  assert_output 2
-
-  # check keys for domain3.tld
-  run docker run --rm \
-    -e LOG_LEVEL='trace' \
-    -v "${PRIVATE_CONFIG}/with-domain/opendkim":/etc/opendkim \
-    "${IMAGE_NAME}" /bin/bash -c 'ls -1 /etc/opendkim/keys/domain3.tld | wc -l'
-
-  assert_success
-  assert_output 2
-
-  # check keys for domain4.tld
-  run docker run --rm \
-    -e LOG_LEVEL='trace' \
-    -v "${PRIVATE_CONFIG}/with-domain/opendkim":/etc/opendkim \
-    "${IMAGE_NAME}" /bin/bash -c 'ls -1 /etc/opendkim/keys/domain4.tld | wc -l'
-
-  assert_success
-  assert_output 2
-
-  # check presence of tables and TrustedHosts
-  run docker run --rm \
-    -e LOG_LEVEL='trace' \
-    -v "${PRIVATE_CONFIG}/with-domain/opendkim":/etc/opendkim \
-    "${IMAGE_NAME}" /bin/bash -c "ls -1 /etc/opendkim | grep -E 'KeyTable|SigningTable|TrustedHosts|keys' | wc -l"
-
-  assert_success
-  assert_output 4
-
-  # check valid entries actually present in KeyTable
-  run docker run --rm \
-    -e LOG_LEVEL='trace' \
-    -v "${PRIVATE_CONFIG}/with-domain/opendkim":/etc/opendkim \
-    "${IMAGE_NAME}" /bin/bash -c \
-    "egrep 'domain1.tld|domain2.tld|domain3.tld|domain4.tld' /etc/opendkim/KeyTable | wc -l"
-
-  assert_success
-  assert_output 4
-
-  # check valid entries actually present in SigningTable
-  run docker run --rm \
-    -e LOG_LEVEL='trace' \
-    -v "${PRIVATE_CONFIG}/with-domain/opendkim":/etc/opendkim \
-    "${IMAGE_NAME}" /bin/bash -c \
-    "egrep 'domain1.tld|domain2.tld|domain3.tld|domain4.tld' /etc/opendkim/SigningTable | wc -l"
-
-  assert_success
-  assert_output 4
 }
 
-@test "${TEST_FILE}generator creates keys, tables and TrustedHosts using manual provided selector name" {
+function __init_container_without_waiting {
-  local PRIVATE_CONFIG
+  _init_with_defaults
-  PRIVATE_CONFIG=$(duplicate_config_for_container . "${BATS_TEST_NAME}")
+  # Override the default config volume:
-  rm -rf "${PRIVATE_CONFIG}/with-selector" && mkdir -p "${PRIVATE_CONFIG}/with-selector"
+  [[ -n ${1} ]] && TEST_CONFIG_VOLUME="${1}"
-
+  _common_container_create
-  # Generate first key
+  _common_container_start
-  run docker run --rm \
+}
-    -e LOG_LEVEL='trace' \
+
-    -v "${PRIVATE_CONFIG}/with-selector/":/tmp/docker-mailserver/ \
+function __assert_has_entry_in_keytable() {
-    "${IMAGE_NAME:?}" /bin/sh -c "open-dkim keysize 2048 domain 'domain1.tld' selector mailer| wc -l"
+  local EXPECTED_DOMAIN=${1}
-
+  local EXPECTED_SELECTOR=${2:-mail}
-  assert_success
+
-  assert_output 4
+  # EXAMPLE: mail._domainkey.domain1.tld domain1.tld:mail:/etc/opendkim/keys/domain1.tld/mail.private
-
+  assert_output --partial "${EXPECTED_SELECTOR}._domainkey.${EXPECTED_DOMAIN} ${EXPECTED_DOMAIN}:${EXPECTED_SELECTOR}:/etc/opendkim/keys/${EXPECTED_DOMAIN}/${EXPECTED_SELECTOR}.private"
-  # Check keys for domain1.tld
+}
-  run docker run --rm \
+
-    -e LOG_LEVEL='trace' \
+function __assert_has_entry_in_signingtable() {
-    -v "${PRIVATE_CONFIG}/with-selector/opendkim":/etc/opendkim \
+  local EXPECTED_DOMAIN=${1}
-    "${IMAGE_NAME:?}" /bin/sh -c 'ls -1 /etc/opendkim/keys/domain1.tld/ | wc -l'
+  local EXPECTED_SELECTOR=${2:-mail}
-
+
-  assert_success
+  # EXAMPLE: *@domain1.tld mail._domainkey.domain1.tld
-  assert_output 2
+  assert_output --partial "*@${EXPECTED_DOMAIN} ${EXPECTED_SELECTOR}._domainkey.${EXPECTED_DOMAIN}"
-
+}
-  # Check key names with selector for domain1.tld
+
-  run docker run --rm \
+function __assert_logged_dkim_creation() {
-    -e LOG_LEVEL='trace' \
+  local EXPECTED_DOMAIN=${1}
-    -v "${PRIVATE_CONFIG}/with-selector/opendkim":/etc/opendkim \
+  local EXPECTED_SELECTOR=${2:-mail}
-    "${IMAGE_NAME:?}" /bin/sh -c "ls -1 /etc/opendkim/keys/domain1.tld | grep -E 'mailer.private|mailer.txt' | wc -l"
+
-
+  assert_output --partial "Creating DKIM private key '/tmp/docker-mailserver/opendkim/keys/${EXPECTED_DOMAIN}/${EXPECTED_SELECTOR}.private'"
-  assert_success
+}
-  assert_output 2
+
-
+function __assert_outputs_common_dkim_logs() {
-  # Check presence of tables and TrustedHosts
+  refute_output --partial 'No entries found, no keys to make'
-  run docker run --rm \
+  assert_output --partial 'Creating DKIM KeyTable'
-    -e LOG_LEVEL='trace' \
+  assert_output --partial 'Creating DKIM SigningTable'
-    -v "${PRIVATE_CONFIG}/with-selector/opendkim":/etc/opendkim \
+  assert_output --partial 'Creating DKIM TrustedHosts'
-    "${IMAGE_NAME:?}" /bin/sh -c "ls -1 /etc/opendkim | grep -E 'KeyTable|SigningTable|TrustedHosts|keys' | wc -l"
+}
-
+
-  assert_success
+function __should_support_creating_key_of_size() {
-  assert_output 4
+  local EXPECTED_KEYSIZE=${1:-}
-
+
-  # Check valid entries actually present in KeyTable
+  __should_generate_dkim_key 6 "${EXPECTED_KEYSIZE}"
-  run docker run --rm \
+  __assert_outputs_common_dkim_logs
-    -e LOG_LEVEL='trace' \
+  __assert_logged_dkim_creation 'localdomain2.com'
-    -v "${PRIVATE_CONFIG}/with-selector/opendkim":/etc/opendkim \
+  __assert_logged_dkim_creation 'localhost.localdomain'
-    "${IMAGE_NAME:?}" /bin/sh -c \
+  __assert_logged_dkim_creation 'otherdomain.tld'
-    "grep 'domain1.tld' /etc/opendkim/KeyTable | wc -l"
+
-
+  __should_have_expected_files "${EXPECTED_KEYSIZE:-4096}"
-  assert_success
+  _run_in_container rm -r /tmp/docker-mailserver/opendkim
-  assert_output 1
+}
-
+
-  # Check valid entries actually present in SigningTable
+function __should_generate_dkim_key() {
-  run docker run --rm \
+  local EXPECTED_LINES=${1}
-    -e LOG_LEVEL='trace' \
+  local ARG_KEYSIZE=${2:-}
-    -v "${PRIVATE_CONFIG}/with-selector/opendkim":/etc/opendkim \
+  local ARG_DOMAINS=${3:-}
-    "${IMAGE_NAME:?}" /bin/sh -c \
+  local ARG_SELECTOR=${4:-}
-    "grep 'domain1.tld' /etc/opendkim/SigningTable | wc -l"
+
-
+  local DKIM_CMD='open-dkim'
-  assert_success
+  [[ -n ${ARG_KEYSIZE}  ]] && DKIM_CMD+=" keysize ${ARG_KEYSIZE}"
-  assert_output 1
+  [[ -n ${ARG_DOMAINS}  ]] && DKIM_CMD+=" domain '${ARG_DOMAINS}'"
+  [[ -n ${ARG_SELECTOR} ]] && DKIM_CMD+=" selector '${ARG_SELECTOR}'"
+
+  _run_in_container_bash "${DKIM_CMD}"
+
+  assert_success
+  _should_output_number_of_lines "${EXPECTED_LINES}"
+}
+
+function __should_have_expected_files() {
+  local EXPECTED_KEYSIZE=${1:?Keysize must be provided}
+  local DKIM_DOMAIN='localhost.localdomain'
+  local TARGET_DIR="/tmp/docker-mailserver/opendkim/keys/${DKIM_DOMAIN}"
+
+  # DKIM private key for signing, parse it to verify private key size is correct:
+  _run_in_container_bash "openssl rsa -in '${TARGET_DIR}/mail.private' -noout -text"
+  assert_success
+  assert_line --index 0 "RSA Private-Key: (${EXPECTED_KEYSIZE} bit, 2 primes)"
+
+  # DKIM record, extract public key (base64 encoded, potentially multi-line)
+  # - tail to exclude first line,
+  # - then sed to extract values within quoted lines, then remove `p=` from the start,
+  # - and finally echo to concatenate all lines into single string
+  # Next decode and parse it with openssl to verify public-key key size is correct:
+  _run_in_container_bash "echo \$( \
+    tail -n +2 '${TARGET_DIR}/mail.txt' \
+    | sed -nE -e 's/.*\"(.*)\".*/\1/p' \
+    | sed -e 's/^p=//' \
+  ) | openssl enc -base64 -d | openssl pkey -inform DER -pubin -noout -text
+  "
+  assert_success
+  assert_line --index 0 "RSA Public-Key: (${EXPECTED_KEYSIZE} bit)"
+
+  # Contents is for expected DKIM_DOMAIN and selector (mail):
+  _run_in_container cat "${TARGET_DIR}/mail.txt"
+  assert_output --regexp "; ----- DKIM key mail for ${DKIM_DOMAIN}$"
+}
+
+function __should_have_key_for_domain() {
+  local KEY_DOMAIN=${1}
+  local KEY_SELECTOR=${2:-mail}
+
+  _should_have_content_in_directory "/tmp/docker-mailserver/opendkim/keys/${KEY_DOMAIN}"
+
+  assert_success
+  assert_line "${KEY_SELECTOR}.private"
+  assert_line "${KEY_SELECTOR}.txt"
+  _should_output_number_of_lines 2
+}
+
+function __should_not_have_key_for_domain() {
+  local KEY_DOMAIN=${1:?Domain must be provided}
+  local KEY_SELECTOR=${2:-mail}
+  local TARGET_DIR="/tmp/docker-mailserver/opendkim/keys/${KEY_DOMAIN}"
+
+  _run_in_container_bash "[[ -d ${TARGET_DIR} ]]"
+  assert_failure
+}
+
+function __should_have_tables_trustedhosts_for_domain() {
+  _should_have_content_in_directory '/tmp/docker-mailserver/opendkim'
+
+  assert_success
+  assert_line 'keys'
+  assert_line 'KeyTable'
+  assert_line 'SigningTable'
+  assert_line 'TrustedHosts'
 }