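# Third-party connection test: a plain-Java client and a JSS-backed client each
# connect to a TLS-enabled PostgreSQL container and must produce identical
# output (JSS "CryptoManager" lines aside).
#
# Review notes (security):
# - GITHUB_TOKEN is handed to a third-party action (lewagon/wait-on-check-action),
#   so `permissions` is restricted to read-only scopes below.
# - Every action is referenced by a mutable tag (v4, v5, v1.3.1). For
#   supply-chain hardening pin each `uses:` to a full commit SHA with the tag in
#   a trailing comment; not changed here because the SHAs are not known from
#   this file.
# - The quay.io dist images and the `postgres` base image are pulled as
#   `:latest` (unpinned), and the RPMs copied out of them are installed with
#   `dnf localinstall`, which does not GPG-verify local packages. Acceptable for
#   a floating third-party integration test; not acceptable for anything that
#   builds a shippable artifact.
# - All passwords in this file (myPassword, mysecretpassword, m1oZilla) are
#   throwaway fixtures for ephemeral containers on the runner, not credentials.
#   The unencrypted server key and cert are baked into a local-only image that
#   is never pushed.
name: Third party Tests

on: [push, pull_request]

# Least privilege: reduce the default-scope GITHUB_TOKEN to read-only. The build
# job re-declares its own set below because job-level permissions replace, not
# extend, the workflow-level block.
permissions:
  contents: read

env:
  NAMESPACE: ${{ vars.REGISTRY_NAMESPACE || 'dogtagpki' }}

jobs:
  build:
    name: Waiting for build
    runs-on: ubuntu-latest
    # wait-on-check-action lists check runs for the ref via the Checks API.
    # NOTE(review): `checks: read` is what that endpoint is documented to need
    # with a scoped GITHUB_TOKEN — confirm on the first run after this change.
    permissions:
      contents: read
      checks: read
    steps:
      # `check-name` must match the job name in the "Building JSS" workflow
      # byte-for-byte; it is the only link between the two workflows.
      - name: Wait for build
        uses: lewagon/[email protected]
        with:
          ref: ${{ github.ref }}
          check-name: 'Building JSS'
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          wait-interval: 30
        if: github.event_name == 'push'

      # On pull_request `github.ref` is the merge ref, so wait on the PR head
      # commit instead — that is the commit the build workflow checked.
      - name: Wait for build
        uses: lewagon/[email protected]
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          check-name: 'Building JSS'
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          wait-interval: 30
        if: github.event_name == 'pull_request'

  postgresql-test:
    name: Testing connection to postgresql
    needs: build
    runs-on: ubuntu-latest
    env:
      SHARED: /tmp/workdir/jss
    steps:
      - name: Clone repository
        uses: actions/checkout@v4

      # The image tarball is produced by the build workflow for this exact
      # commit. Fail here with a clear message instead of letting `docker load`
      # trip over a missing file one step later.
      - name: Retrieve JSS images
        uses: actions/cache@v4
        with:
          key: jss-images-${{ github.sha }}
          path: jss-images.tar
          fail-on-cache-miss: true

      - name: Load JSS images
        run: docker load --input jss-images.tar

      - name: Create network
        run: docker network create example

      - name: Set up JSS container
        run: |
          tests/bin/runner-init.sh \
            --image=jss-builder \
            --hostname=jss.example.com \
            --network=example \
            --network-alias=jss.example.com \
            jss

      - name: Set up jss and database drivers
        run: |
          docker exec jss dnf install -y postgresql-jdbc
          docker exec -t jss sh -c 'dnf install -y /root/jss/build/RPMS/*.rpm'

      # Unpinned `:latest` pulls from quay.io (see header note). $NAMESPACE is a
      # shell variable here, not a workflow-expression splice, so a hostile
      # repository variable cannot rewrite the command text.
      - name: Import LDAP SDK packages
        run: |
          docker create --name=ldapjdk-dist quay.io/$NAMESPACE/ldapjdk-dist:latest
          docker cp ldapjdk-dist:/root/RPMS/. /tmp/RPMS/
          docker rm -f ldapjdk-dist

      - name: Import PKI packages
        run: |
          docker create --name=pki-dist quay.io/$NAMESPACE/pki-dist:latest
          docker cp pki-dist:/root/RPMS/. /tmp/RPMS/
          docker rm -f pki-dist

      # `dnf localinstall` does not GPG-verify local RPMs (see header note).
      - name: Install packages
        run: |
          docker cp /tmp/RPMS/. jss:/root/RPMS/
          docker exec jss bash -c "dnf localinstall -y /root/RPMS/*"

      # A self-signed server certificate for postgresql.example.com is minted
      # inside the JSS container's NSS DB and imported there with CA trust
      # ("TC,C,C"), so the JSS client can later do sslmode=verify-full against
      # it. The key + cert are then exported (PKCS#12) and unwrapped to PEM for
      # the PostgreSQL image. `-noenc` leaves the key unencrypted on purpose:
      # PostgreSQL needs a passphrase-less key file.
      - name: Create postgresql certificates
        run: |
          docker exec jss pki nss-cert-request \
            --subject "CN=postgresql.example.com" \
            --csr /root/sslserver.csr \
            --ext /usr/share/pki/server/certs/sslserver.conf
          docker exec jss openssl req -text -noout -in /root/sslserver.csr
          docker exec jss pki nss-cert-issue \
            --csr /root/sslserver.csr \
            --ext /usr/share/pki/server/certs/sslserver.conf \
            --cert /root/sslserver.crt
          docker exec jss openssl x509 -text -noout -in /root/sslserver.crt
          docker exec jss pki nss-cert-import --cert /root/sslserver.crt --trust "TC,C,C" postgres
          docker exec jss pk12util -o /root/ssl.p12 -n postgres -d /root/.dogtag/nssdb/ -W myPassword
          docker cp jss:/root/ssl.p12 ssl.p12
          openssl pkcs12 -in ssl.p12 -nokeys -out sslserver.crt -password pass:myPassword
          openssl pkcs12 -in ssl.p12 -nocerts -noenc -out sslserver.key -password pass:myPassword

      # Quoted heredoc delimiter: nothing in the Dockerfile should be subject to
      # shell expansion. `FROM postgres` is an unpinned base image (header note).
      # PostgreSQL refuses to start with a key readable by group/other, hence the
      # chown + chmod 600.
      - name: Create postgresql Docker file
        run: |
          cat > Dockerfile-Postgresql <<'EOF'
          FROM postgres AS postgres-ssl
          # Copy certificates
          COPY sslserver.key /var/lib/postgresql/server.key
          COPY sslserver.crt /var/lib/postgresql/server.crt
          RUN chown postgres:postgres /var/lib/postgresql/server.crt && \
              chown postgres:postgres /var/lib/postgresql/server.key && \
              chmod 600 /var/lib/postgresql/server.key
          EOF

      # Local build only: no `push:` input, so the image (which carries the
      # private key in a layer) never leaves the runner.
      - name: Build postgresql image with certificates
        uses: docker/build-push-action@v5
        with:
          context: .
          tags: postgres-ssl
          target: postgres-ssl
          file: Dockerfile-Postgresql

      - name: Deploy postgresql
        run: |
          docker run -d --name postgresql \
            --hostname postgresql.example.com \
            --network example \
            --network-alias postgresql.example.com \
            -e POSTGRES_PASSWORD=mysecretpassword \
            -e POSTGRES_USER=jss \
            postgres-ssl -c ssl=on \
            -c ssl_cert_file=/var/lib/postgresql/server.crt \
            -c ssl_key_file=/var/lib/postgresql/server.key

      - name: Build the tests
        run: docker exec jss ./build.sh --work-dir=./build

      # Baseline run with the stock JDK providers. pgjdbc's verify-full reads the
      # trust anchor from ~/.postgresql/root.crt, which is the self-signed server
      # cert itself. The classpath entry for jss.jar was previously the relative
      # path `usr/lib/java/jss.jar` (silently ignored); it now matches the JSS
      # run below. The JSS provider is still not active here because no
      # java.security override is passed.
      - name: Test connection with java
        run: |
          docker exec jss mkdir /root/.postgresql
          docker exec jss cp /root/sslserver.crt /root/.postgresql/root.crt
          docker exec -t jss sh -c 'java -cp \
            "/usr/share/java/*:/usr/share/java/ongres-stringprep/*:/usr/share/java/ongres-scram/*:/usr/lib/java/jss.jar:/usr/share/java/slf4j/*:/root/jss/build/classes/tests" \
            org.mozilla.jss.tests.JSSConnectionPostgres jss mysecretpassword \
            '"'"'jdbc:postgresql://postgresql.example.com:5432/jss?ssl=true&sslmode=verify-full'"'" | tee output-java
          grep "Connection DONE" output-java

      # java.security places JSSProvider first so JSSE/JCE calls route through
      # NSS. The NSS DB password is a test fixture (see header note); it is
      # written both into jss.cfg and a password_file because JSS reads the
      # former and the test's NSS tooling the latter.
      - name: Create JSS DB and configuration files
        run: |
          cat > java.security <<'EOF'
          security.provider.1=org.mozilla.jss.JSSProvider /root/jss/jss.cfg
          security.provider.2=sun.security.provider.Sun
          security.provider.3=sun.security.ssl.SunJSSE
          security.provider.4=sun.security.rsa.SunRsaSign
          security.provider.5=sun.security.ec.SunEC
          security.provider.6=com.sun.net.ssl.internal.ssl.Provider
          security.provider.7=com.sun.crypto.provider.SunJCE
          security.provider.8=sun.security.jgss.SunProvider
          security.provider.9=com.sun.security.sasl.Provider
          security.provider.10=org.jcp.xml.dsig.internal.dom.XMLDSigRI
          security.provider.11=sun.security.smartcardio.SunPCSC
          EOF
          cat java.security
          docker cp java.security jss:/root/jss/java.security
          cat > jss.cfg <<'EOF'
          nss.config_dir=/root/.dogtag/nssdb
          jss.password=m1oZilla
          jss.experimental.sslengine=true
          EOF
          cat jss.cfg
          docker cp jss.cfg jss:/root/jss/jss.cfg
          echo "m1oZilla" > password_file
          docker cp password_file jss:/root/jss

      # The double `==` in -Djava.security.properties==FILE *replaces* the JDK's
      # java.security instead of appending to it, which is what makes the
      # provider order above authoritative. The grep proves the JSS provider
      # actually initialised rather than silently falling back to SunJSSE.
      - name: Test connection with JSS
        run: |
          docker exec -t jss sh -c 'java -cp \
            "/usr/share/java/*:/usr/share/java/ongres-stringprep/*:/usr/share/java/ongres-scram/*:/usr/lib/java/jss.jar:/usr/share/java/slf4j/slf4j-api.jar:/usr/share/java/slf4j/slf4j-jdk14.jar:/root/jss/build/classes/tests" \
            -Djava.security.properties==/root/jss/java.security \
            org.mozilla.jss.tests.JSSConnectionPostgres jss mysecretpassword \
            '"'"'jdbc:postgresql://postgresql.example.com:5432/jss?ssl=true&sslmode=verify-full'"'" | tee output-jss
          grep "JSS CryptoManager" output-jss

      # Both clients must behave identically apart from the JSS provider's own
      # CryptoManager log lines.
      - name: Verify the output match
        run: |
          grep -v "CryptoManager" output-jss > output-jss-clean
          diff output-jss-clean output-java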