Skip to content

Commit

Permalink
Modify pkispawn to deploy EST
Browse files Browse the repository at this point in the history
EST deployment is included in pkispwn. The installation does not perform
all the steps done for CA and other subsystems so there is no security
domain management and user administration. During the installation there
is no DS or other DBs connection which has to be performed by the user
before or after the installation.
  • Loading branch information
fmarco76 committed Sep 17, 2024
1 parent 0ff1fc4 commit 073547d
Show file tree
Hide file tree
Showing 20 changed files with 726 additions and 11 deletions.
322 changes: 322 additions & 0 deletions .github/workflows/est-ds-realm-test.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,322 @@
name: EST with ds realm

on: workflow_call

env:
DB_IMAGE: ${{ vars.DB_IMAGE || 'quay.io/389ds/dirsrv' }}

jobs:
# docs/installation/ca/Installing_CA.md
test:
name: Test
runs-on: ubuntu-latest
env:
SHARED: /tmp/workdir/pki
steps:
- name: Clone repository
uses: actions/checkout@v4

- name: Retrieve PKI images
uses: actions/cache@v4
with:
key: pki-images-${{ github.sha }}
path: pki-images.tar

- name: Load PKI images
run: docker load --input pki-images.tar

- name: Create network
run: docker network create example

- name: Set up DS container
run: |
tests/bin/ds-create.sh \
--image=${{ env.DB_IMAGE }} \
--hostname=ds.example.com \
--password=Secret.123 \
ds
- name: Connect DS container to network
run: docker network connect example ds --alias ds.example.com

- name: Set up PKI container
run: |
tests/bin/runner-init.sh pki
env:
HOSTNAME: pki.example.com

- name: Connect PKI container to network
run: docker network connect example pki --alias pki.example.com

- name: Install CA
run: |
docker exec pki pkispawn \
-f /usr/share/pki/server/examples/installation/ca.cfg \
-s CA \
-D pki_ds_url=ldap://ds.example.com:3389 \
-v
- name: Initialize PKI client
run: |
docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
docker exec pki pki nss-cert-import \
--cert ca_signing.crt \
--trust CT,C,C \
ca_signing
docker exec pki pki pkcs12-import \
--pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
--pkcs12-password Secret.123
docker exec pki pki info
- name: Add CA EST user
run: |
docker exec pki pki -n caadmin ca-group-add "EST RA Agents"
docker exec pki pki -n caadmin ca-user-add \
est-ra-1 --fullName "EST RA 1" --password Secret.est
docker exec pki pki -n caadmin ca-group-member-add "EST RA Agents" est-ra-1
- name: Configure CA est profile
run: |
docker exec pki cp /usr/share/pki/ca/profiles/ca/estServiceCert.cfg estServiceCert.cfg
docker exec pki sed -i 's/EST RA Agents/Subsystem Group/' estServiceCert.cfg
docker exec pki pki -n caadmin ca-profile-add \
--raw ./estServiceCert.cfg
docker exec pki pki -n caadmin ca-profile-enable estServiceCert
docker exec pki pki-server restart --wait
- name: Install EST
run: |
docker exec pki pkispawn \
-f /usr/share/pki/server/examples/installation/est.cfg \
-s EST \
-D est_realm_url=ldap://ds.example.com:3389 \
-v
- name: Check EST backend config
if: always()
run: |
docker exec pki cat /etc/pki/pki-tomcat/est/backend.conf
- name: Check EST authorizer config
if: always()
run: |
docker exec pki cat /etc/pki/pki-tomcat/est/authorizer.conf
- name: Check EST realm config
if: always()
run: |
docker exec pki cat /etc/pki/pki-tomcat/est/realm.conf
- name: Check webapps
run: |
docker exec pki pki-server webapp-find | tee output
# CA instance should have ROOT, ca, and pki webapps
echo "ROOT" > expected
echo "ca" >> expected
echo "est" >> expected
echo "pki" >> expected
sed -n 's/^ *Webapp ID: *\(.*\)$/\1/p' output > actual
diff expected actual
docker exec pki pki-server webapp-show ROOT
docker exec pki pki-server webapp-show ca
docker exec pki pki-server webapp-show est
docker exec pki pki-server webapp-show pki
- name: Create EST users
run: |
docker exec -i pki ldapadd -x -H ldap://ds.example.com:3389 \
-D "cn=Directory Manager" -w Secret.123 << EOF
dn: dc=est,dc=pki,dc=example,dc=com
objectClass: domain
dc: est
dn: ou=people,dc=est,dc=pki,dc=example,dc=com
ou: people
objectClass: top
objectClass: organizationalUnit
dn: ou=groups,dc=est,dc=pki,dc=example,dc=com
ou: groups
objectClass: top
objectClass: organizationalUnit
dn: uid=est-test-user,ou=people,dc=est,dc=pki,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
uid: est-test-user
sn: EST TEST USER
cn: EST TEST USER
usertype: undefined
userPassword: Secret.123
dn: cn=estclient,ou=groups,dc=est,dc=pki,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: estclient
uniqueMember: uid=est-test-user,ou=People,dc=est,dc=pki,dc=example,dc=com
EOF
- name: Check EST subsystem
run: |
docker exec pki pki-server subsystem-show est | tee output
# CA instance should have CA subsystem
echo "est" > expected
sed -n 's/^ *Subsystem ID: *\(.*\)$/\1/p' output > actual
diff expected actual
echo "True" > expected
sed -n 's/^ *Enabled: *\(.*\)$/\1/p' output > actual
diff expected actual
- name: Test CA certs
run: |
docker exec pki curl -o cacert.p7 -k https://pki.example.com:8443/.well-known/est/cacerts
docker exec pki openssl base64 -d --in cacert.p7 --out cacert.p7.der
docker exec pki openssl pkcs7 --in cacert.p7.der -inform DER -print_certs -out cacert.pem
docker exec pki openssl x509 -in cacert.pem -text -noout | tee actual
docker exec pki openssl x509 -in ca_signing.crt -text -noout | tee expected
diff expected actual
- name: Install est client
run: |
docker exec pki dnf copr enable -y @pki/libest
docker exec pki dnf install -y libest
- name: Enroll certificate
run: |
docker exec -e EST_OPENSSL_CACERT=cacert.pem pki estclient -e -s pki.example.com -p 8443 \
--common-name test.example.com -o . -u est-test-user -h Secret.123
docker exec pki openssl base64 -d --in cert-0-0.pkcs7 --out cert-0-0.pkcs7.der
docker exec pki openssl pkcs7 -in cert-0-0.pkcs7.der -inform DER -print_certs -out cert.pem
docker exec pki openssl x509 -in cert.pem -subject -noout | tee actual
echo "subject=CN=test.example.com" > expected
diff expected actual
- name: Remove EST
run: |
docker exec pki pki-server est-undeploy --wait
docker exec pki pki-server est-remove
- name: Remove CA
run: docker exec pki pkidestroy -i pki-tomcat -s CA -v

- name: Check PKI server base dir after removal
run: |
# check file types, owners, and permissions
docker exec pki ls -l /var/lib/pki/pki-tomcat \
| sed \
-e '/^total/d' \
-e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
| tee output
# TODO: review permissions
cat > expected << EOF
lrwxrwxrwx pkiuser pkiuser conf -> /etc/pki/pki-tomcat
lrwxrwxrwx pkiuser pkiuser logs -> /var/log/pki/pki-tomcat
EOF
diff expected output
- name: Check PKI server conf dir after removal
run: |
# check file types, owners, and permissions
docker exec pki ls -l /etc/pki/pki-tomcat \
| sed \
-e '/^total/d' \
-e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
| tee output
# TODO: review permissions
cat > expected << EOF
drwxrwx--- pkiuser pkiuser Catalina
drwxrwx--- pkiuser pkiuser alias
drwxrwx--- pkiuser pkiuser ca
-rw-r--r-- pkiuser pkiuser catalina.policy
lrwxrwxrwx pkiuser pkiuser catalina.properties -> /usr/share/pki/server/conf/catalina.properties
drwxrwx--- pkiuser pkiuser certs
lrwxrwxrwx pkiuser pkiuser context.xml -> /etc/tomcat/context.xml
drwxrwx--- pkiuser pkiuser est
lrwxrwxrwx pkiuser pkiuser logging.properties -> /usr/share/pki/server/conf/logging.properties
-rw-rw---- pkiuser pkiuser password.conf
-rw-rw---- pkiuser pkiuser server.xml
-rw-rw---- pkiuser pkiuser serverCertNick.conf
-rw-rw---- pkiuser pkiuser tomcat.conf
lrwxrwxrwx pkiuser pkiuser web.xml -> /etc/tomcat/web.xml
EOF
diff expected output
- name: Check PKI server logs dir after removal
run: |
# check file types, owners, and permissions
docker exec pki ls -l /var/log/pki/pki-tomcat \
| sed \
-e '/^total/d' \
-e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
| tee output
DATE=$(date +'%Y-%m-%d')
# TODO: review permissions
cat > expected << EOF
drwxr-x--- pkiuser pkiuser backup
drwxrwx--- pkiuser pkiuser ca
-rw-rw-r-- pkiuser pkiuser catalina.$DATE.log
drwxrwx--- pkiuser pkiuser est
-rw-rw-r-- pkiuser pkiuser host-manager.$DATE.log
-rw-rw-r-- pkiuser pkiuser localhost.$DATE.log
-rw-r--r-- pkiuser pkiuser localhost_access_log.$DATE.txt
-rw-rw-r-- pkiuser pkiuser manager.$DATE.log
drwxr-xr-x pkiuser pkiuser pki
EOF
diff expected output
- name: Check DS server systemd journal
if: always()
run: |
docker exec ds journalctl -x --no-pager -u [email protected]
- name: Check DS container logs
if: always()
run: |
docker logs ds
- name: Check PKI server systemd journal
if: always()
run: |
docker exec pki journalctl -x --no-pager -u [email protected]
- name: Check CA debug log
if: always()
run: |
docker exec pki find /var/lib/pki/pki-tomcat/logs/ca -name "debug.*" -exec cat {} \;
- name: Check EST debug log
if: always()
run: |
docker exec pki find /var/lib/pki/pki-tomcat/logs/est -name "debug.*" -exec cat {} \;
- name: Gather artifacts
if: always()
run: |
tests/bin/ds-artifacts-save.sh ds
tests/bin/pki-artifacts-save.sh pki
continue-on-error: true

- name: Upload artifacts
if: always()
uses: actions/upload-artifact@v4
with:
name: ca-basic
path: /tmp/artifacts
6 changes: 6 additions & 0 deletions .github/workflows/est-tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -40,3 +40,9 @@ jobs:
ansible-playbook -e 'pki_subsystem="est"' tests/ansible/pki-playbook.yml
env:
ANSIBLE_CONFIG: ${{ github.workspace }}/tests/ansible/ansible.cfg


est-ds-realm-test:
name: EST with ds realm
needs: build
uses: ./.github/workflows/est-ds-realm-test.yml
21 changes: 21 additions & 0 deletions base/est/CMakeLists.txt
Original file line number Diff line number Diff line change
Expand Up @@ -96,3 +96,24 @@ install(
DESTINATION
${DATA_INSTALL_DIR}/est/webapps/est/WEB-INF/lib
)

install(
DIRECTORY
shared/
DESTINATION
${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf/
PATTERN
"CMakeLists.txt" EXCLUDE
)

install(
FILES
${CMAKE_CURRENT_SOURCE_DIR}/bin/estauthz
DESTINATION
${LIBEXEC_INSTALL_DIR}
PERMISSIONS
OWNER_EXECUTE OWNER_WRITE OWNER_READ
GROUP_EXECUTE GROUP_READ
WORLD_EXECUTE WORLD_READ

)
7 changes: 7 additions & 0 deletions base/est/bin/estauthz
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
#!/usr/bin/python3
import json, sys
ALLOWED_ROLE = 'estclient'
obj = json.loads(sys.stdin.read())
if not ALLOWED_ROLE in obj['authzData']['principal']['roles']:
print(f'Principal does not have required role {ALLOWED_ROLE!r}')
sys.exit(1)
1 change: 0 additions & 1 deletion base/est/conf/realm.conf

This file was deleted.

2 changes: 2 additions & 0 deletions base/est/shared/authorizer.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
class=org.dogtagpki.est.ExternalProcessRequestAuthorizer
executable=/usr/local/libexec/estauthz
5 changes: 5 additions & 0 deletions base/est/shared/backend.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
class=org.dogtagpki.est.DogtagRABackend
url=https://fedora:8443
profile=estServiceCert
username=est-ra-1
password=est4ever
7 changes: 7 additions & 0 deletions base/est/shared/realm/ds.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
class=com.netscape.cms.realm.PKILDAPRealm
url=ldap://localhost.localdomain:389
authType=BasicAuth
bindDN=cn=Directory Manager
bindPassword=Secret.123
usersDN=ou=people,dc=est,dc=pki,dc=example,dc=com
groupsDN=ou=groups,dc=est,dc=pki,dc=example,dc=com
4 changes: 4 additions & 0 deletions base/est/shared/realm/in-memory.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
class=com.netscape.cms.realm.PKIInMemoryRealm
username=admin
password=Secret.123
roles=estclient
5 changes: 5 additions & 0 deletions base/est/shared/realm/postgresql.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
class=com.netscape.cms.realm.PKIPostgreSQLRealm
url=jdbc:postgresql://localhost.localdomain:5432/est
user=est
password=Secret.123
statements=/usr/share/pki/est/conf/realm/statements.conf
Loading

0 comments on commit 073547d

Please sign in to comment.