Add basic CA container test
A new test has been added that creates a basic CA container with
minimal setup, so that the container generates new certs on startup.

The current CA container test has been converted into a test
for CA container with existing certs.

The container startup scripts have been modified to suppress
error messages when checking whether the certs already exist.
edewata committed Jun 4, 2024
1 parent 2d158c6 commit db7c5a7
Showing 5 changed files with 414 additions and 15 deletions.
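--- /dev/null
+++ b/.github/workflows/ca-container-basic-test.yml
@@ -0,0 +1,382 @@
+name: Basic CA container
+
+on: workflow_call
+
+env:
+DB_IMAGE: ${{ vars.DB_IMAGE || 'quay.io/389ds/dirsrv' }}
+
+jobs:
+# https://github.com/dogtagpki/pki/wiki/Deploying-CA-Container
+test:
+name: Test
+runs-on: ubuntu-latest
+env:
+SHARED: /tmp/workdir/pki
+steps:
+- name: Install dependencies
+run: |
+sudo apt-get update
+# replace docker with podman
+sudo apt-get -y purge --auto-remove docker-ce-cli
+sudo apt-get -y install podman-docker
+- name: Clone repository
+uses: actions/checkout@v4
+
+- name: Retrieve PKI images
+uses: actions/cache@v4
+with:
+key: pki-images-${{ github.sha }}
+path: pki-images.tar
+
+- name: Load PKI images
+run: docker load --input pki-images.tar
+
+- name: Create network
+run: docker network create example
+
+- name: Create shared folders
+run: |
+mkdir certs
+mkdir conf
+mkdir logs
+- name: Set up client container
+run: |
+tests/bin/runner-init.sh \
+--hostname=client.example.com \
+--network=example \
+client
+- name: Set up CA container
+run: |
+docker run \
+--name ca \
+--hostname ca.example.com \
+--network example \
+--network-alias ca.example.com \
+-v $PWD/certs:/certs \
+-v $PWD/conf:/conf \
+-v $PWD/logs:/logs \
+-e PKI_DS_URL=ldap://ds.example.com:3389 \
+-e PKI_DS_PASSWORD=Secret.123 \
+--detach \
+pki-ca
+# wait for CA to start
+docker exec client curl \
+--retry 180 \
+--retry-delay 0 \
+--retry-connrefused \
+-s \
+-k \
+-o /dev/null \
+https://ca.example.com:8443
+- name: Check conf dir
+if: always()
+run: |
+ls -l conf \
+| sed \
+-e '/^total/d' \
+-e 's/^\(\S*\) *\S* *\S* *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3/' \
+| tee output
+# everything should be owned by docker group
+# TODO: review owners/permissions
+cat > expected << EOF
+drwxrwxrwx docker Catalina
+drwxrwxrwx docker alias
+drwxrwxrwx docker ca
+-rw-rw-rw- docker catalina.policy
+lrwxrwxrwx docker catalina.properties -> /usr/share/pki/server/conf/catalina.properties
+drwxrwxrwx docker certs
+lrwxrwxrwx docker context.xml -> /etc/tomcat/context.xml
+-rw-rw-rw- docker jss.conf
+lrwxrwxrwx docker logging.properties -> /usr/share/pki/server/conf/logging.properties
+-rw-rw-rw- docker password.conf
+-rw-rw-rw- docker server.xml
+-rw-rw-rw- docker serverCertNick.conf
+-rw-rw-rw- docker tomcat.conf
+lrwxrwxrwx docker web.xml -> /etc/tomcat/web.xml
+EOF
+diff expected output
+- name: Check conf/ca dir
+if: always()
+run: |
+ls -l conf/ca \
+| sed \
+-e '/^total/d' \
+-e 's/^\(\S*\) *\S* *\S* *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3/' \
+-e '/^\S* *\S* *\S* *CS.cfg.bak /d' \
+| tee output
+# everything should be owned by docker group
+# TODO: review owners/permissions
+cat > expected << EOF
+-rw-rw-rw- docker CS.cfg
+-rw-rw-rw- docker adminCert.profile
+drwxrwxrwx docker archives
+-rw-rw-rw- docker caAuditSigningCert.profile
+-rw-rw-rw- docker caCert.profile
+-rw-rw-rw- docker caOCSPCert.profile
+drwxrwxrwx docker emails
+-rw-rw-rw- docker flatfile.txt
+drwxrwxrwx docker profiles
+-rw-rw-rw- docker proxy.conf
+-rw-rw-rw- docker registry.cfg
+-rw-rw-rw- docker serverCert.profile
+-rw-rw-rw- docker subsystemCert.profile
+EOF
+diff expected output
+- name: Check logs dir
+if: always()
+run: |
+ls -l logs \
+| sed \
+-e '/^total/d' \
+-e 's/^\(\S*\) *\S* *\S* *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3/' \
+| tee output
+DATE=$(date +'%Y-%m-%d')
+# everything should be owned by docker group
+# TODO: review owners/permissions
+cat > expected << EOF
+drwxrwx--- docker backup
+drwxrwxrwx docker ca
+-rw-rw-rw- docker catalina.$DATE.log
+-rw-rw-rw- docker host-manager.$DATE.log
+-rw-rw-rw- docker localhost.$DATE.log
+-rw-rw-rw- docker localhost_access_log.$DATE.txt
+-rw-rw-rw- docker manager.$DATE.log
+drwxrwxrwx docker pki
+EOF
+diff expected output
+- name: Check CA info
+run: |
+docker exec client pki nss-cert-import \
+--cert $SHARED/certs/ca_signing.crt \
+--trust CT,C,C \
+ca_signing
+docker exec client pki \
+-U https://ca.example.com:8443 \
+info
+- name: Set up DS container
+run: |
+tests/bin/ds-container-create.sh \
+--image=${{ env.DB_IMAGE }} \
+--hostname=ds.example.com \
+--network=example \
+--network-alias=ds.example.com \
+--password=Secret.123 \
+ds
+# https://github.com/dogtagpki/pki/wiki/Setting-up-CA-Database
+- name: Initialize CA database
+run: |
+docker exec ca pki-server ca-db-init -v
+docker exec ca pki-server ca-db-index-add -v
+docker exec ca pki-server ca-db-index-rebuild -v
+docker exec ca pki-server ca-db-vlv-add -v
+docker exec ca pki-server ca-db-vlv-reindex -v
+- name: Import CA signing cert into CA database
+run: |
+docker exec ca pki-server ca-cert-request-import \
+--csr /certs/ca_signing.csr \
+--profile /usr/share/pki/ca/conf/caCert.profile | tee output
+REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
+docker exec ca pki-server ca-cert-import \
+--cert /certs/ca_signing.crt \
+--profile /usr/share/pki/ca/conf/caCert.profile \
+--request $REQUEST_ID
+- name: Import CA OCSP signing cert into CA database
+run: |
+docker exec ca pki-server ca-cert-request-import \
+--csr /certs/ocsp_signing.csr \
+--profile /usr/share/pki/ca/conf/caOCSPCert.profile | tee output
+REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
+docker exec ca pki-server ca-cert-import \
+--cert /certs/ocsp_signing.crt \
+--profile /usr/share/pki/ca/conf/caOCSPCert.profile \
+--request $REQUEST_ID
+- name: Import CA audit signing cert into CA database
+run: |
+docker exec ca pki-server ca-cert-request-import \
+--csr /certs/audit_signing.csr \
+--profile /usr/share/pki/ca/conf/caAuditSigningCert.profile | tee output
+REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
+docker exec ca pki-server ca-cert-import \
+--cert /certs/audit_signing.crt \
+--profile /usr/share/pki/ca/conf/caAuditSigningCert.profile \
+--request $REQUEST_ID
+- name: Import subsystem cert into CA database
+run: |
+docker exec ca pki-server ca-cert-request-import \
+--csr /certs/subsystem.csr \
+--profile /usr/share/pki/ca/conf/rsaSubsystemCert.profile | tee output
+REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
+docker exec ca pki-server ca-cert-import \
+--cert /certs/subsystem.crt \
+--profile /usr/share/pki/ca/conf/rsaSubsystemCert.profile \
+--request $REQUEST_ID
+- name: Import SSL server cert into CA database
+run: |
+docker exec ca pki-server ca-cert-request-import \
+--csr /certs/sslserver.csr \
+--profile /usr/share/pki/ca/conf/rsaServerCert.profile | tee output
+REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
+docker exec ca pki-server ca-cert-import \
+--cert /certs/sslserver.crt \
+--profile /usr/share/pki/ca/conf/rsaServerCert.profile \
+--request $REQUEST_ID
+- name: Import admin cert into CA database
+run: |
+docker exec ca pki-server ca-cert-request-import \
+--csr /certs/admin.csr \
+--profile /usr/share/pki/ca/conf/rsaAdminCert.profile | tee output
+REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
+docker exec ca pki-server ca-cert-import \
+--cert /certs/admin.crt \
+--profile /usr/share/pki/ca/conf/rsaAdminCert.profile \
+--request $REQUEST_ID
+- name: Check CA certs
+run: |
+docker exec client pki \
+-U https://ca.example.com:8443 \
+ca-cert-find
+# https://github.com/dogtagpki/pki/wiki/Setting-up-CA-Admin-User
+- name: Add CA admin user
+run: |
+# create CA admin user
+docker exec ca pki-server ca-user-add \
+--full-name Administrator \
+--type adminType \
+admin
+# assign admin cert to CA admin user
+docker exec ca pki-server ca-user-cert-add \
+--cert /certs/admin.crt \
+admin
+# add CA admin user into CA groups
+docker exec ca pki-server ca-user-role-add admin "Administrators"
+docker exec ca pki-server ca-user-role-add admin "Certificate Manager Agents"
+- name: Check CA admin user
+run: |
+docker exec client pki pkcs12-import \
+--pkcs12 $SHARED/certs/admin.p12 \
+--pkcs12-password Secret.123
+docker exec client pki \
+-U https://ca.example.com:8443 \
+-n admin \
+ca-user-show \
+admin
+- name: Check cert enrollment
+run: |
+# create cert request
+docker exec client pki \
+-U https://ca.example.com:8443 \
+client-cert-request \
+uid=testuser | tee output
+REQUEST_ID=$(sed -n -e 's/^ *Request ID: *\(.*\)$/\1/p' output)
+echo "REQUEST_ID: $REQUEST_ID"
+# issue cert
+docker exec client pki \
+-U https://ca.example.com:8443 \
+-n admin \
+ca-cert-request-approve \
+$REQUEST_ID \
+--force
+- name: Restart CA
+run: |
+docker restart ca
+# wait for CA to restart
+docker exec client curl \
+--retry 180 \
+--retry-delay 0 \
+--retry-connrefused \
+-s \
+-k \
+-o /dev/null \
+https://ca.example.com:8443
+- name: Check CA admin user again
+run: |
+docker exec client pki \
+-U https://ca.example.com:8443 \
+-n admin \
+ca-user-show \
+admin
+- name: Check DS server systemd journal
+if: always()
+run: |
+docker exec ds journalctl -x --no-pager -u [email protected]
+- name: Check DS container logs
+if: always()
+run: |
+docker logs ds
+- name: Check CA container logs
+if: always()
+run: |
+docker logs ca 2>&1
+- name: Check CA debug logs
+if: always()
+run: |
+docker exec ca find /var/lib/pki/pki-tomcat/logs/ca -name "debug.*" -exec cat {} \;
+- name: Gather artifacts
+if: always()
+run: |
+tests/bin/ds-artifacts-save.sh ds
+mkdir -p /tmp/artifacts/ca
+cp -r certs /tmp/artifacts/ca
+cp -r conf /tmp/artifacts/ca
+cp -r logs /tmp/artifacts/ca
+docker logs ca > /tmp/artifacts/ca/container.out 2> /tmp/artifacts/ca/container.err
+mkdir -p /tmp/artifacts/client
+docker logs client > /tmp/artifacts/client/container.out 2> /tmp/artifacts/client/container.err
+- name: Upload artifacts
+if: always()
+uses: actions/upload-artifact@v4
+with:
+name: ca-container-basic
+path: /tmp/artifacts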
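Review bot: The expected listings in the "Check conf dir" and "Check conf/ca dir" steps pin `password.conf`, `CS.cfg` and `server.xml` at `-rw-rw-rw-` and the `alias`/`certs` directories at `drwxrwxrwx`, so the test now asserts world-writable modes on the files that hold the server's credentials and key material as the correct state; the `# TODO: review owners/permissions` comment acknowledges this, but a `diff expected output` that fails the moment the container image tightens these modes pushes the next fix into the test instead of the image. Consider asserting only the name and group columns for now, or marking the expectation as known-bad, e.g. `# FIXME: password.conf holds the DS/NSS credentials and should not be 0666 — tighten in the image, then update this expectation`. Separately, the `REQUEST_ID=$(sed ...)` lines in the import steps read an `output` file written through `| tee`, and since no `shell:` is set these steps appear to run without pipefail, so a failed `ca-cert-request-import` leaves REQUEST_ID empty and the following `ca-cert-import --request` fails with an unrelated error; adding `set -o pipefail` at the top of those steps (or `shell: bash`) would surface the real failure.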
@@ -1,4 +1,4 @@
name: CA container
name: CA container with existing certs

on: workflow_call

Expand Down Expand Up @@ -568,5 +568,5 @@ jobs:
if: always()
uses: actions/upload-artifact@v4
with:
name: ca-container
name: ca-container-existing-certs
path: /tmp/artifacts
