PKI EST CI using subsystem certificate

.github/workflows/ca-admin-user-test.yml

@@ -191,6 +191,7 @@ jobs:
           echo "Administrators" > expected
           echo "Certificate Manager Agents" >> expected
           echo "Enterprise CA Administrators" >> expected
+          echo "Enterprise EST Administrators" >> expected
           echo "Enterprise KRA Administrators" >> expected
           echo "Enterprise OCSP Administrators" >> expected
           echo "Enterprise RA Administrators" >> expected

.github/workflows/est-default-realm-test.yml

@@ -71,31 +71,12 @@ jobs:
 
           docker exec pki pki info
 
-      - name: Add est user
-        run: |
-          docker exec pki pki -n caadmin ca-group-add "EST RA Agents"
-
-          docker exec pki pki -n caadmin ca-user-add \
-              est-ra-1 --fullName "EST RA 1" --password Secret.123
-
-          docker exec pki pki -n caadmin ca-group-member-add "EST RA Agents" est-ra-1
-
-      - name: Configure est profile
-        run: |
-          docker exec pki pki -n caadmin -n caadmin \
-              ca-profile-add --raw /usr/share/pki/ca/profiles/ca/estServiceCert.cfg
-
-          docker exec pki pki -n caadmin ca-profile-enable estServiceCert
-          docker exec pki pki-server restart --wait
-
       - name: Install EST
         run: |
           docker exec pki pkispawn \
               -f /usr/share/pki/server/examples/installation/est.cfg \
               -s EST \
               -D pki_ds_url=ldap://ds.example.com:3389 \
-              -D pki_est_ca_user=est-ra-1 -D pki_est_ca_password=Secret.123 \
-              -D pki_est_ca_certificate= \
               -v
 
       - name: Create EST users
@@ -184,16 +165,14 @@ jobs:
 
           diff expected output
 
-          diff expected actual
-
       - name: Check webapps
         run: |
           docker exec pki pki-server webapp-find | tee output
 
           # CA instance should have ROOT, ca, and pki webapps
           echo "ROOT" > expected
           echo "ca" >> expected
-          echo "esst" >> expected
+          echo "est" >> expected
           echo "pki" >> expected
           sed -n 's/^ *Webapp ID: *\(.*\)$/\1/p' output > actual
           diff expected actual
@@ -203,7 +182,16 @@ jobs:
           docker exec pki pki-server webapp-show est
           docker exec pki pki-server webapp-show pki
 
-      - name: Check est subsystem
+      - name: Configure CA est profile
+        run: |
+          docker exec pki cp /usr/share/pki/ca/profiles/ca/estServiceCert.cfg estServiceCert.cfg
+          docker exec pki sed -i 's/EST RA Agents/Subsystem Group/' estServiceCert.cfg
+          docker exec pki pki -n caadmin ca-profile-add \
+              --raw ./estServiceCert.cfg
+          docker exec pki pki -n caadmin ca-profile-enable estServiceCert
+          docker exec pki pki-server restart --wait
+
+      - name: Check EST subsystem
         run: |
           docker exec pki pki-server subsystem-show est | tee output
 
@@ -219,10 +207,10 @@ jobs:
       - name: Test CA certs
         run: |
           docker exec pki curl -o cacert.p7 -k https://pki.example.com:8443/.well-known/est/cacerts
-          docker exec openssl base64 -d --in cacert.p7 --out cacert.p7.der
-          docker exec openssl pkcs7 --in cacert.p7.der -inform DER -print_certs -out cacert.pem
-          docker exec openssl x509 -in cacert.pem -text -noout | tee actual
-          docker exec openssl x509 -in ca_signing.crt -text -noout | tee exected
+          docker exec pki openssl base64 -d --in cacert.p7 --out cacert.p7.der
+          docker exec pki openssl pkcs7 --in cacert.p7.der -inform DER -print_certs -out cacert.pem
+          docker exec pki openssl x509 -in cacert.pem -text -noout | tee actual
+          docker exec pki openssl x509 -in ca_signing.crt -text -noout | tee expected
           diff expected actual
 
       - name: Install est client
@@ -238,7 +226,7 @@ jobs:
           docker exec pki openssl base64 -d --in cert-0-0.pkcs7 --out cert-0-0.pkcs7.der
           docker exec pki openssl pkcs7 -in cert-0-0.pkcs7.der -inform DER -print_certs -out cert.pem
           docker exec pki openssl x509 -in cert.pem -subject -noout | tee actual
-          echo "subject=CN=test.example.com" > exptected
+          echo "subject=CN=test.example.com" > expected
           diff expected actual
 
       - name: Remove EST
@@ -282,6 +270,7 @@ jobs:
           lrwxrwxrwx pkiuser pkiuser catalina.properties -> /usr/share/pki/server/conf/catalina.properties
           drwxrwx--- pkiuser pkiuser certs
           lrwxrwxrwx pkiuser pkiuser context.xml -> /etc/tomcat/context.xml
+          drwxrwx--- pkiuser pkiuser est
           lrwxrwxrwx pkiuser pkiuser logging.properties -> /usr/share/pki/server/conf/logging.properties
           -rw-rw---- pkiuser pkiuser password.conf
           -rw-rw---- pkiuser pkiuser server.xml

base/server/python/pki/server/deployment/__init__.py

@@ -5006,7 +5006,7 @@ def finalize_est(self, subsystem):
 if not ALLOWED_ROLE in obj['authzData']['principal']['roles']:
     print(f'Principal does not have required role {ALLOWED_ROLE!r}')
     sys.exit(1)'''
-        with open('/usr/local/libexec/estauthz', 'w', ) as auth_exec:
+        with open('/usr/local/libexec/estauthz', 'w', encoding='utf-8') as auth_exec:
             auth_exec.write(est_auth_exec)
         os.chmod("/usr/local/libexec/estauthz", 0o755)
         authorizer_config = {

base/server/python/pki/server/pkispawn.py

@@ -691,6 +691,7 @@ def validate_user_deployment_cfg(user_deployment_cfg):
         line = line.strip()
         if not line.startswith('['):
             continue
+
         if line not in [
                 '[DEFAULT]',
                 '[Tomcat]',
@@ -925,13 +926,19 @@ def print_tps_step_one_information(mdict, instance):
     print(log.PKI_RUN_INSTALLATION_STEP_TWO)
     print(log.PKI_SPAWN_INFORMATION_FOOTER)
 
-def print_tps_step_one_information(mdict, instance):
+
+def print_est_step_one_information(mdict, instance):
 
     print(log.PKI_SPAWN_INFORMATION_HEADER)
-    print("TO BE COMPLETED")
+    print("      The %s subsystem of the '%s' instance is still incomplete." %
+          (deployer.subsystem_type, instance.name))
+    print()
+    print("      NSS database: %s" % instance.nssdb_dir)
+    print()
     print(log.PKI_RUN_INSTALLATION_STEP_TWO)
     print(log.PKI_SPAWN_INFORMATION_FOOTER)
 
+
 def print_skip_configuration_information(mdict, instance):
 
     print(log.PKI_SPAWN_INFORMATION_HEADER)

base/server/python/pki/server/subsystem.py

@@ -2682,6 +2682,7 @@ class KRASubsystem(PKISubsystem):
     def __init__(self, instance):
         super().__init__(instance, 'kra')
 
+
 class OCSPSubsystem(PKISubsystem):
 
     def __init__(self, instance):
@@ -2864,23 +2865,23 @@ def __init__(self, instance):
     def add_realm(self, params):
         realm_conf = os.path.join(self.conf_dir, 'realm.conf')
         self.instance.touch(realm_conf)
-        with open(realm_conf, 'w') as realm:
+        with open(realm_conf, 'w', encoding='utf-8') as realm:
             for key, value in params.items():
                 if value:
                     realm.write('{}={}\n'.format(key, value))
 
     def add_authorizer(self, params):
         authorizer_conf = os.path.join(self.conf_dir, 'authorizer.conf')
         self.instance.touch(authorizer_conf)
-        with open(authorizer_conf, 'w') as authorizer:
+        with open(authorizer_conf, 'w', encoding='utf-8') as authorizer:
             for key, value in params.items():
                 if value:
                     authorizer.write('{}={}\n'.format(key, value))
 
     def add_backend(self, params):
         backend_conf = os.path.join(self.conf_dir, 'backend.conf')
         self.instance.touch(backend_conf)
-        with open(backend_conf, 'w') as backend:
+        with open(backend_conf, 'w', encoding='utf-8') as backend:
             for key, value in params.items():
                 if value:
                     backend.write('{}={}\n'.format(key, value))