From e0d2186a8002080e5699d27d58c9101bec83b188 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Fri, 6 Sep 2024 10:43:29 -0500
Subject: [PATCH] Replace ds-container-certs-import.sh with ds-certs-import.sh
---
 .github/workflows/ca-clone-secure-ds-test.yml | 24 ++-
 .github/workflows/ca-secure-ds-test.yml | 13 +-
 tests/bin/ds-certs-import.sh | 165 ++++++++++++++++++
 tests/bin/ds-container-certs-import.sh | 97 ----------
 4 files changed, 193 insertions(+), 106 deletions(-)
 create mode 100755 tests/bin/ds-certs-import.sh
 delete mode 100755 tests/bin/ds-container-certs-import.sh
diff --git a/.github/workflows/ca-clone-secure-ds-test.yml b/.github/workflows/ca-clone-secure-ds-test.yml
index 2c97c35ff05..b08c969284a 100644
--- a/.github/workflows/ca-clone-secure-ds-test.yml
+++ b/.github/workflows/ca-clone-secure-ds-test.yml
@@ -91,11 +91,17 @@ jobs: run: | docker exec primary pk12util \ -d /root/.dogtag/nssdb \ - -o ds_server.p12 \ + -o $SHARED/primaryds_server.p12 \ -W Secret.123 \ -n Server-Cert - docker cp primary:ds_server.p12 primaryds_server.p12 - tests/bin/ds-container-certs-import.sh primaryds primaryds_server.p12 + + sudo chmod go+r primaryds_server.p12 + + tests/bin/ds-certs-import.sh \ + --image=pki-runner \ + --input=primaryds_server.p12 \ + --password=Secret.123 \ + primaryds tests/bin/ds-stop.sh \ --image=pki-runner \
@@ -203,11 +209,17 @@ jobs: run: | docker exec secondary pk12util \ -d /root/.dogtag/nssdb \ - -o ds_server.p12 \ + -o $SHARED/secondaryds_server.p12 \ -W Secret.123 \ -n Server-Cert - docker cp secondary:ds_server.p12 secondaryds_server.p12 - tests/bin/ds-container-certs-import.sh secondaryds secondaryds_server.p12 + + sudo chmod go+r secondaryds_server.p12 + + tests/bin/ds-certs-import.sh \ + --image=pki-runner \ + --input=secondaryds_server.p12 \ + --password=Secret.123 \ + secondaryds tests/bin/ds-stop.sh \ --image=pki-runner \
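Review bot: `sudo chmod go+r primaryds_server.p12` makes a PKCS #12 file that carries the DS server's private key (exported from the NSS db with `pk12util -n Server-Cert`) readable by every account on the runner, and the second hunk does the same for `secondaryds_server.p12`. After that the only protection on the key is the PKCS #12 password, which is also passed on the command line (`-W Secret.123`, `--password=Secret.123`) and so lands in the job log. If the chmod exists because pk12util inside the container created the file as root, handing the file to the runner user is the narrower fix: `sudo chown "$(id -u):$(id -g)" primaryds_server.p12` followed by `chmod 600 primaryds_server.p12`, which is enough for `docker cp` to read it. Separately, pk12util writes to `$SHARED/primaryds_server.p12` while the chmod and `--input=` use the bare name, which only resolves if `$SHARED` is the job's working directory on the host; a comment such as `# $SHARED is the workspace dir, mounted into the container at the same path` would make that assumption explicit.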
diff --git a/.github/workflows/ca-secure-ds-test.yml b/.github/workflows/ca-secure-ds-test.yml
index 89eb2172097..669c85bb04b 100644
--- a/.github/workflows/ca-secure-ds-test.yml
+++ b/.github/workflows/ca-secure-ds-test.yml
@@ -90,11 +90,18 @@ jobs: run: | docker exec pki pk12util \ -d /root/.dogtag/nssdb \ - -o ds_server.p12 \ + -o $SHARED/ds_server.p12 \ -W Secret.123 \ -n Server-Cert - docker cp pki:ds_server.p12 ds_server.p12 - tests/bin/ds-container-certs-import.sh ds ds_server.p12 + + sudo chmod go+r ds_server.p12 + + tests/bin/ds-certs-import.sh \ + --image=pki-runner \ + --input=ds_server.p12 \ + --password=Secret.123 \ + --debug \ + ds tests/bin/ds-stop.sh \ --image=pki-runner \
diff --git a/tests/bin/ds-certs-import.sh b/tests/bin/ds-certs-import.sh
new file mode 100755
index 00000000000..e808adc7bd6
--- /dev/null
+++ b/tests/bin/ds-certs-import.sh
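Review bot: `--debug` is passed to `tests/bin/ds-certs-import.sh` in this step, but in the script added by this patch the flag only assigns `DEBUG=true` (and `VERBOSE=true`) and neither variable is read anywhere in the script, so the option changes nothing; either drop `--debug \` here or make the script honor it. If the script is later taught to `set -x` on `--debug`, keep in mind that every `docker exec … -W $PASSWORD` / `-passin pass:$PASSWORD` line would then be echoed with the password into the job log. The `sudo chmod go+r ds_server.p12` line has the same problem as in the clone workflow: it makes the file holding the server key world-readable on the runner, where `sudo chown "$(id -u):$(id -g)" ds_server.p12` would be enough for `docker cp` to read it.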
@@ -0,0 +1,165 @@
+#!/bin/bash -e
+
+# https://fy.blackhats.net.au/blog/html/2020/03/28/389ds_in_containers.html
+SCRIPT_PATH=$(readlink -f "$0")
+SCRIPT_NAME=$(basename "$SCRIPT_PATH")
+SCRIPT_DIR=$(dirname "$SCRIPT_PATH")
+
+VERBOSE=
+DEBUG=
+
+usage() {
+ echo "Usage: $SCRIPT_NAME [OPTIONS] "
+ echo
+ echo "Options:"
+ echo " --image= Container image (default: quay.io/389ds/dirsrv)"
+ echo " --input= PKCS #12 file"
+ echo " --password= PKCS #12 password"
+ echo " -v,--verbose Run in verbose mode."
+ echo " --debug Run in debug mode."
+ echo " --help Show help message."
+}
+
+while getopts v-: arg ; do
+ case $arg in
+ v)
+ VERBOSE=true
+ ;;
+ -)
+ LONG_OPTARG="${OPTARG#*=}"
+
+ case $OPTARG in
+ image=?*)
+ IMAGE="$LONG_OPTARG"
+ ;;
+ input=?*)
+ INPUT="$LONG_OPTARG"
+ ;;
+ password=?*)
+ PASSWORD="$LONG_OPTARG"
+ ;;
+ verbose)
+ VERBOSE=true
+ ;;
+ debug)
+ VERBOSE=true
+ DEBUG=true
+ ;;
+ help)
+ usage
+ exit
+ ;;
+ '')
+ break # "--" terminates argument processing
+ ;;
+ image* | input* | password*)
+ echo "ERROR: Missing argument for --$OPTARG option" >&2
+ exit 1
+ ;;
+ *)
+ echo "ERROR: Illegal option --$OPTARG" >&2
+ exit 1
+ ;;
+ esac
+ ;;
+ \?)
+ exit 1 # getopts already reported the illegal option
+ ;;
+ esac
+done
+
+# remove parsed options and args from $@ list
+shift $((OPTIND-1))
+
+NAME=$1
+
+if [ "$NAME" == "" ]
+then
+ echo "ERROR: Missing container name"
+ exit 1
+fi
+
+if [ "$INPUT" == "" ]
+then
+ echo "ERROR: Missing PKCS #12 file"
+ exit 1
+fi
+
+if [ "$PASSWORD" == "" ]
+then
+ echo "ERROR: Missing PKCS #12 password"
+fi
+
+if [ "$IMAGE" = "" ]
+then
+ IMAGE=quay.io/389ds/dirsrv
+fi
+
+import_certs_into_server() {
+
+ echo "Importing DS certs into server"
+
+ docker cp $INPUT $NAME:certs.p12
+
+ docker exec $NAME pk12util \
+ -d /etc/dirsrv/slapd-localhost \
+ -k /etc/dirsrv/slapd-localhost/pwdfile.txt \
+ -i certs.p12 \
+ -W $PASSWORD
+
+ echo "Configuring trust flags"
+
+ docker exec $NAME certutil -M \
+ -d /etc/dirsrv/slapd-localhost \
+ -f /etc/dirsrv/slapd-localhost/pwdfile.txt \
+ -n Self-Signed-CA \
+ -t CT,C,C
+
+ echo "Enabling SSL connection"
+
+ docker exec $NAME dsconf localhost config replace nsslapd-security=on
+}
+
+import_certs_into_container() {
+
+ echo "Importing DS certs into container"
+
+ docker cp $INPUT $NAME:/tmp/certs.p12
+
+ echo "Exporting server cert into /data/tls/server.crt"
+
+ docker exec $NAME openssl pkcs12 \
+ -in /tmp/certs.p12 \
+ -passin pass:$PASSWORD \
+ -out /data/tls/server.crt \
+ -clcerts \
+ -nokeys
+
+ echo "Exporting server key into /data/tls/server.key"
+
+ docker exec $NAME openssl pkcs12 \
+ -in /tmp/certs.p12 \
+ -passin pass:$PASSWORD \
+ -out /data/tls/server.key \
+ -nodes \
+ -nocerts
+
+ echo "Exporting CA cert into /data/tls/ca/ca.crt"
+
+ docker exec $NAME openssl pkcs12 \
+ -in /tmp/certs.p12 \
+ -passin pass:$PASSWORD \
+ -out /data/tls/ca/ca.crt \
+ -cacerts \
+ -nokeys
+}
+
+if [ "$IMAGE" == "pki-runner" ]
+then
+ import_certs_into_server
+else
+ import_certs_into_container
+fi
+
+echo "DS certs imported"
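Review bot: The `if [ "$PASSWORD" == "" ]` check prints `ERROR: Missing PKCS #12 password` but, unlike the NAME and INPUT checks right above it, has no `exit 1`, so the script carries on and runs `pk12util … -W` / `openssl pkcs12 -passin pass:` with an empty password; add `exit 1` after the echo and send the message to stderr with `>&2` as the option-parsing errors already do. `$INPUT`, `$NAME` and `$PASSWORD` are expanded unquoted in every `docker cp` / `docker exec` line, so a path with spaces or a password containing whitespace or `*` breaks the commands — quote them (`"$INPUT"`, `"$NAME:certs.p12"`, `pass:"$PASSWORD"`). The password is handed to the container on argv (`-W $PASSWORD`, `-passin pass:$PASSWORD`), where it is visible to `ps` and would be echoed by any `set -x`; for a test helper that may be acceptable, but it deserves a comment such as `# test-only: the PKCS #12 password is visible on the command line`. `DEBUG=true` is assigned by `--debug` and never read, and `#!/bin/bash -e` loses its `-e` when the script is invoked as `bash ds-certs-import.sh`, so prefer `set -e` in the body. Both code paths leave the PKCS #12 copy inside the container (`certs.p12`, `/tmp/certs.p12`) and the container path writes the unencrypted (`-nodes`) key to `/data/tls/server.key` with whatever mode the container's umask gives; a closing `docker exec $NAME rm -f /tmp/certs.p12` and `docker exec $NAME chmod 600 /data/tls/server.key` would limit that exposure.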
diff --git a/tests/bin/ds-container-certs-import.sh b/tests/bin/ds-container-certs-import.sh
deleted file mode 100755
index 6d57f6fffe2..00000000000
--- a/tests/bin/ds-container-certs-import.sh
+++ /dev/null
@@ -1,97 +0,0 @@
-#!/bin/bash -e
-
-# https://fy.blackhats.net.au/blog/html/2020/03/28/389ds_in_containers.html
-
-NAME=$1
-
-if [ "$NAME" == "" ]
-then
- echo "Usage: ds-container-certs-import.sh "
- exit 1
-fi
-
-INPUT=$2
-
-if [ "$INPUT" == "" ]
-then
- echo "Usage: ds-container-certs-import.sh "
- exit 1
-fi
-
-if [ "$PASSWORD" == "" ]
-then
- PASSWORD=Secret.123
-fi
-
-import_certs_into_server() {
-
- echo "Importing DS certs into server"
-
- docker cp $INPUT $NAME:certs.p12
-
- docker exec $NAME pki \
- -d /etc/dirsrv/slapd-localhost \
- -C /etc/dirsrv/slapd-localhost/pwdfile.txt \
- pkcs12-import \
- --pkcs12 certs.p12 \
- --pkcs12-password Secret.123
-
- echo "Configuring trust flags"
-
- docker exec $NAME certutil -M \
- -d /etc/dirsrv/slapd-localhost \
- -f /etc/dirsrv/slapd-localhost/pwdfile.txt \
- -n Self-Signed-CA \
- -t CT,C,C
-
- echo "Enabling SSL connection"
-
- docker exec $NAME dsconf localhost config replace nsslapd-security=on
-}
-
-import_certs_into_container() {
-
- echo "Importing DS certs into container"
-
- docker cp $INPUT $NAME:/tmp/certs.p12
-
- echo "Fixing file ownership"
-
- docker exec -u 0 $NAME chown dirsrv.dirsrv /tmp/certs.p12
-
- echo "Exporting server cert into /data/tls/server.crt"
-
- docker exec $NAME openssl pkcs12 \
- -in /tmp/certs.p12 \
- -passin pass:$PASSWORD \
- -out /data/tls/server.crt \
- -clcerts \
- -nokeys
-
- echo "Exporting server key into /data/tls/server.key"
-
- docker exec $NAME openssl pkcs12 \
- -in /tmp/certs.p12 \
- -passin pass:$PASSWORD \
- -out /data/tls/server.key \
- -nodes \
- -nocerts
-
- echo "Exporting CA cert into /data/tls/ca/ca.crt"
-
- docker exec $NAME openssl pkcs12 \
- -in /tmp/certs.p12 \
- -passin pass:$PASSWORD \
- -out /data/tls/ca/ca.crt \
- -cacerts \
- -nokeys
-}
-
-if [ "$IMAGE" == "" ]
-then
- import_certs_into_server
-else
- import_certs_into_container
-fi
-
-echo "DS certs imported"