From 0310794243b1b64c7afcdbd4419b7d72e80a2706 Mon Sep 17 00:00:00 2001 From: Marco Fargetta Date: Mon, 9 Sep 2024 19:03:06 +0200 Subject: [PATCH] Add EST pkispawn intallation test --- .github/workflows/est-default-realm-test.yml | 358 +++++++++++++++++++ .github/workflows/est-tests.yml | 5 + 2 files changed, 363 insertions(+) create mode 100644 .github/workflows/est-default-realm-test.yml diff --git a/.github/workflows/est-default-realm-test.yml b/.github/workflows/est-default-realm-test.yml new file mode 100644 index 00000000000..443b2563dc4 --- /dev/null +++ b/.github/workflows/est-default-realm-test.yml @@ -0,0 +1,358 @@ +name: EST with default realm + +on: workflow_call + +env: + DB_IMAGE: ${{ vars.DB_IMAGE || 'quay.io/389ds/dirsrv' }} + +jobs: + # docs/installation/ca/Installing_CA.md + test: + name: Test + runs-on: ubuntu-latest + env: + SHARED: /tmp/workdir/pki + steps: + - name: Clone repository + uses: actions/checkout@v4 + + - name: Retrieve PKI images + uses: actions/cache@v4 + with: + key: pki-images-${{ github.sha }} + path: pki-images.tar + + - name: Load PKI images + run: docker load --input pki-images.tar + + - name: Create network + run: docker network create example + + - name: Set up DS container + run: | + tests/bin/ds-create.sh \ + --image=${{ env.DB_IMAGE }} \ + --hostname=ds.example.com \ + --password=Secret.123 \ + ds + + - name: Connect DS container to network + run: docker network connect example ds --alias ds.example.com + + - name: Set up PKI container + run: | + tests/bin/runner-init.sh pki + env: + HOSTNAME: pki.example.com + + - name: Connect PKI container to network + run: docker network connect example pki --alias pki.example.com + + - name: Install CA + run: | + docker exec pki pkispawn \ + -f /usr/share/pki/server/examples/installation/ca.cfg \ + -s CA \ + -D pki_ds_url=ldap://ds.example.com:3389 \ + -v + + - name: Initialize PKI client + run: | + docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt + + docker exec pki pki nss-cert-import \ + --cert ca_signing.crt \ + --trust CT,C,C \ + ca_signing + + docker exec pki pki pkcs12-import \ + --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \ + --pkcs12-password Secret.123 + + docker exec pki pki info + + - name: Add est user + run: | + docker exec pki pki -n caadmin ca-group-add "EST RA Agents" + + docker exec pki pki -n caadmin ca-user-add \ + est-ra-1 --fullName "EST RA 1" --password Secret.123 + + docker exec pki pki -n caadmin ca-group-member-add "EST RA Agents" est-ra-1 + + - name: Configure est profile + run: | + docker exec pki pki -n caadmin -n caadmin \ + ca-profile-add --raw /usr/share/pki/ca/profiles/ca/estServiceCert.cfg + + docker exec pki pki -n caadmin ca-profile-enable estServiceCert + docker exec pki pki-server restart --wait + + - name: Install EST + run: | + docker exec pki pkispawn \ + -f /usr/share/pki/server/examples/installation/est.cfg \ + -s EST \ + -D pki_ds_url=ldap://ds.example.com:3389 \ + -D pki_est_ca_user=est-ra-1 -D pki_est_ca_password=Secret.123 \ + -D pki_est_ca_certificate= \ + -v + + - name: Create EST users + run: | + docker exec -i pki ldapadd -x -H ldap://ds.example.com:3389 \ + -D "cn=Directory Manager" -w Secret.123 << EOF + dn: dc=est,dc=pki,dc=example,dc=com + objectClass: domain + dc: est + + dn: ou=people,dc=est,dc=pki,dc=example,dc=com + ou: people + objectClass: top + objectClass: organizationalUnit + + dn: ou=groups,dc=est,dc=pki,dc=example,dc=com + ou: groups + objectClass: top + objectClass: organizationalUnit + + dn: uid=est-test-user,ou=people,dc=est,dc=pki,dc=example,dc=com + objectClass: top + objectClass: person + objectClass: organizationalPerson + objectClass: inetOrgPerson + objectClass: cmsuser + uid: est-test-user + sn: EST TEST USER + cn: EST TEST USER + usertype: undefined + userPassword: Secret.123 + + dn: cn=estclient,ou=groups,dc=est,dc=pki,dc=example,dc=com + objectClass: top + objectClass: groupOfUniqueNames + cn: estclient + uniqueMember: uid=est-test-user,ou=People,dc=est,dc=pki,dc=example,dc=com + EOF + + + - name: Check PKI server base dir after installation + run: | + # check file types, owners, and permissions + docker exec pki ls -l /var/lib/pki/pki-tomcat \ + | sed \ + -e '/^total/d' \ + -e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \ + | tee output + + # TODO: review permissions + cat > expected << EOF + lrwxrwxrwx pkiuser pkiuser alias -> /var/lib/pki/pki-tomcat/conf/alias + lrwxrwxrwx pkiuser pkiuser bin -> /usr/share/tomcat/bin + drwxrwx--- pkiuser pkiuser ca + drwxrwx--- pkiuser pkiuser common + lrwxrwxrwx pkiuser pkiuser conf -> /etc/pki/pki-tomcat + drwxrwx--- pkiuser pkiuser est + lrwxrwxrwx pkiuser pkiuser lib -> /usr/share/pki/server/lib + lrwxrwxrwx pkiuser pkiuser logs -> /var/log/pki/pki-tomcat + drwxrwx--- pkiuser pkiuser temp + drwxr-xr-x pkiuser pkiuser webapps + drwxrwx--- pkiuser pkiuser work + EOF + + diff expected output + + + - name: Check EST conf dir + run: | + # check file types, owners, and permissions + docker exec pki ls -l /var/lib/pki/pki-tomcat/conf/est \ + | sed \ + -e '/^total/d' \ + -e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \ + -e '/^.* CS\.cfg\..*$/d' \ + | tee output + + # TODO: review permissions + cat > expected << EOF + -rw-rw-r-- pkiuser pkiuser CS.cfg + -rw-rw---- pkiuser pkiuser authorizer.conf + -rw-rw---- pkiuser pkiuser backend.conf + -rw-rw---- pkiuser pkiuser realm.conf + -rw-rw-r-- pkiuser pkiuser registry.cfg + EOF + + diff expected output + + diff expected actual + + - name: Check webapps + run: | + docker exec pki pki-server webapp-find | tee output + + # CA instance should have ROOT, ca, and pki webapps + echo "ROOT" > expected + echo "ca" >> expected + echo "esst" >> expected + echo "pki" >> expected + sed -n 's/^ *Webapp ID: *\(.*\)$/\1/p' output > actual + diff expected actual + + docker exec pki pki-server webapp-show ROOT + docker exec pki pki-server webapp-show ca + docker exec pki pki-server webapp-show est + docker exec pki pki-server webapp-show pki + + - name: Check est subsystem + run: | + docker exec pki pki-server subsystem-show est | tee output + + # CA instance should have CA subsystem + echo "est" > expected + sed -n 's/^ *Subsystem ID: *\(.*\)$/\1/p' output > actual + diff expected actual + + echo "True" > expected + sed -n 's/^ *Enabled: *\(.*\)$/\1/p' output > actual + diff expected actual + + - name: Test CA certs + run: | + docker exec pki curl -o cacert.p7 -k https://pki.example.com:8443/.well-known/est/cacerts + docker exec openssl base64 -d --in cacert.p7 --out cacert.p7.der + docker exec openssl pkcs7 --in cacert.p7.der -inform DER -print_certs -out cacert.pem + docker exec openssl x509 -in cacert.pem -text -noout | tee actual + docker exec openssl x509 -in ca_signing.crt -text -noout | tee exected + diff expected actual + + - name: Install est client + run: | + docker exec pki dnf copr enable -y @pki/libest + docker exec pki dnf install -y libest + + - name: Enroll certificate + run: | + docker exec -e EST_OPENSSL_CACERT=cacert.pem pki estclient -e -s pki.example.com -p 8443 \ + --common-name test.example.com -o . -u est-test-user -h Secret.123 + + docker exec pki openssl base64 -d --in cert-0-0.pkcs7 --out cert-0-0.pkcs7.der + docker exec pki openssl pkcs7 -in cert-0-0.pkcs7.der -inform DER -print_certs -out cert.pem + docker exec pki openssl x509 -in cert.pem -subject -noout | tee actual + echo "subject=CN=test.example.com" > exptected + diff expected actual + + - name: Remove EST + run: docker exec pki pkidestroy -i pki-tomcat -s EST -v + + - name: Remove CA + run: docker exec pki pkidestroy -i pki-tomcat -s CA -v + + - name: Check PKI server base dir after removal + run: | + # check file types, owners, and permissions + docker exec pki ls -l /var/lib/pki/pki-tomcat \ + | sed \ + -e '/^total/d' \ + -e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \ + | tee output + + # TODO: review permissions + cat > expected << EOF + lrwxrwxrwx pkiuser pkiuser conf -> /etc/pki/pki-tomcat + lrwxrwxrwx pkiuser pkiuser logs -> /var/log/pki/pki-tomcat + EOF + + diff expected output + + - name: Check PKI server conf dir after removal + run: | + # check file types, owners, and permissions + docker exec pki ls -l /etc/pki/pki-tomcat \ + | sed \ + -e '/^total/d' \ + -e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \ + | tee output + + # TODO: review permissions + cat > expected << EOF + drwxrwx--- pkiuser pkiuser Catalina + drwxrwx--- pkiuser pkiuser alias + drwxrwx--- pkiuser pkiuser ca + -rw-r--r-- pkiuser pkiuser catalina.policy + lrwxrwxrwx pkiuser pkiuser catalina.properties -> /usr/share/pki/server/conf/catalina.properties + drwxrwx--- pkiuser pkiuser certs + lrwxrwxrwx pkiuser pkiuser context.xml -> /etc/tomcat/context.xml + lrwxrwxrwx pkiuser pkiuser logging.properties -> /usr/share/pki/server/conf/logging.properties + -rw-rw---- pkiuser pkiuser password.conf + -rw-rw---- pkiuser pkiuser server.xml + -rw-rw---- pkiuser pkiuser serverCertNick.conf + -rw-rw---- pkiuser pkiuser tomcat.conf + lrwxrwxrwx pkiuser pkiuser web.xml -> /etc/tomcat/web.xml + EOF + + diff expected output + + - name: Check PKI server logs dir after removal + run: | + # check file types, owners, and permissions + docker exec pki ls -l /var/log/pki/pki-tomcat \ + | sed \ + -e '/^total/d' \ + -e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \ + | tee output + + DATE=$(date +'%Y-%m-%d') + + # TODO: review permissions + cat > expected << EOF + drwxr-x--- pkiuser pkiuser backup + drwxrwx--- pkiuser pkiuser ca + -rw-rw-r-- pkiuser pkiuser catalina.$DATE.log + drwxrwx--- pkiuser pkiuser est + -rw-rw-r-- pkiuser pkiuser host-manager.$DATE.log + -rw-rw-r-- pkiuser pkiuser localhost.$DATE.log + -rw-r--r-- pkiuser pkiuser localhost_access_log.$DATE.txt + -rw-rw-r-- pkiuser pkiuser manager.$DATE.log + drwxr-xr-x pkiuser pkiuser pki + EOF + + diff expected output + + - name: Check DS server systemd journal + if: always() + run: | + docker exec ds journalctl -x --no-pager -u dirsrv@localhost.service + + - name: Check DS container logs + if: always() + run: | + docker logs ds + + - name: Check PKI server systemd journal + if: always() + run: | + docker exec pki journalctl -x --no-pager -u pki-tomcatd@pki-tomcat.service + + - name: Check CA debug log + if: always() + run: | + docker exec pki find /var/lib/pki/pki-tomcat/logs/ca -name "debug.*" -exec cat {} \; + + - name: Check EST debug log + if: always() + run: | + docker exec pki find /var/lib/pki/pki-tomcat/logs/est -name "debug.*" -exec cat {} \; + + - name: Gather artifacts + if: always() + run: | + tests/bin/ds-artifacts-save.sh ds + tests/bin/pki-artifacts-save.sh pki + continue-on-error: true + + - name: Upload artifacts + if: always() + uses: actions/upload-artifact@v4 + with: + name: ca-basic + path: /tmp/artifacts diff --git a/.github/workflows/est-tests.yml b/.github/workflows/est-tests.yml index 0f195a24a61..98fa4e8d017 100644 --- a/.github/workflows/est-tests.yml +++ b/.github/workflows/est-tests.yml @@ -40,3 +40,8 @@ jobs: ansible-playbook -e 'pki_subsystem="est"' tests/ansible/pki-playbook.yml env: ANSIBLE_CONFIG: ${{ github.workspace }}/tests/ansible/ansible.cfg + + est-default-realm-test: + name: EST with default realm + needs: build + uses: ./.github/workflows/est-default-realm-test.yml