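---
# TPS Tests
#
# Builds nothing itself: it waits for the "Building PKI" check, loads the
# cached pki-runner image, and exercises the TPS subsystem in three layouts:
#   - tps-test:          DS, CA, KRA, TKS and TPS in one container
#   - tps-separate-test: one subsystem per container on a shared docker network
#   - tps-clone-test:    full stack in a primary container, cloned into a secondary
#
# Review notes (security / supply chain):
#   - Every third-party action is referenced by a mutable tag (`@v3`, ...),
#     not a commit SHA, so whatever the tag points at on the day of the run
#     is what executes with this job's token.
#   - `secrets: inherit` passes every secret of the calling repository to
#     the reusable init.yml workflow.
#   - No `permissions:` block is declared, so each job's GITHUB_TOKEN gets
#     the repository's default permissions.
#   - The passwords that appear on command lines below (Secret.123) are fixed
#     test fixtures for throwaway CI containers and are visible in the job log.
name: TPS Tests
on: [push, pull_request]  # yamllint disable-line rule:truthy
jobs:
  init:
    name: Initialization
    uses: ./.github/workflows/init.yml
    # hands the reusable workflow all of this repository's secrets
    secrets: inherit

  build:
    name: Waiting for build
    needs: init
    runs-on: ubuntu-latest
    # Blocks until the "Building PKI" check of the same commit finishes.
    # The ref differs between push (github.ref) and pull_request (head sha),
    # hence the two otherwise identical steps.
    steps:
      # NOTE(review): the `uses:` value on the next two steps reads like an
      # obfuscated e-mail address, i.e. the page that rendered this file
      # mangled it; it is presumably a pinned ref of
      # lewagon/wait-on-check-action — confirm against the repository.
      - name: Wait for build
        if: github.event_name == 'push'
        uses: lewagon/[email protected]
        with:
          ref: ${{ github.ref }}
          check-name: 'Building PKI'
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          wait-interval: 30
      - name: Wait for build
        if: github.event_name == 'pull_request'
        uses: lewagon/[email protected]
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          check-name: 'Building PKI'
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          wait-interval: 30

  # docs/installation/tps/Installing_TPS.md
  tps-test:
    name: Testing TPS
    needs: [init, build]
    runs-on: ubuntu-latest
    env:
      # path of the repository checkout as seen from inside the container;
      # assumed to be the runner workspace mounted by runner-init.sh — confirm
      PKIDIR: /tmp/workdir/pki
    steps:
      - name: Clone repository
        uses: actions/checkout@v3
      # The image is produced by the build workflow and shared through the
      # actions cache, keyed on the commit SHA. On a cache miss the tarball
      # is absent and the next step fails at `docker load`.
      - name: Retrieve pki-runner image
        uses: actions/cache@v3
        with:
          key: pki-runner-${{ github.sha }}
          path: pki-runner.tar
      - name: Load runner image
        run: docker load --input pki-runner.tar
      - name: Run container
        run: |
          IMAGE=pki-runner \
          NAME=pki \
          HOSTNAME=pki.example.com \
          tests/bin/runner-init.sh
      - name: Install dependencies
        run: docker exec pki dnf install -y 389-ds-base
      - name: Install DS
        run: docker exec pki ${PKIDIR}/tests/bin/ds-create.sh
      - name: Install CA
        run: docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v
      - name: Install KRA
        run: docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/kra.cfg -s KRA -v
      - name: Install TKS
        run: docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/tks.cfg -s TKS -v
      - name: Install TPS
        run: docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/tps.cfg -s TPS -v
      - name: Run PKI healthcheck
        run: docker exec pki pki-healthcheck --failures-only
      # Imports the CA signing cert and the generated CA admin PKCS#12 into
      # the client NSS database, then proves the admin can reach TPS.
      - name: Verify TPS admin
        run: |
          docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
          docker exec pki pki client-cert-import ca_signing --ca-cert ca_signing.crt
          docker exec pki pki client-cert-import \
              --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
              --pkcs12-password-file /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
          docker exec pki pki -n caadmin tps-user-show tpsadmin
      # Loads the sample TPS users into DS as Directory Manager (the fixed
      # test password is passed with -w and therefore logged), then points
      # the TPS LDAP auth instance at them and redeploys TPS.
      - name: Set up TPS authentication
        run: |
          #
          # import sample TPS users
          #
          docker exec pki ldapadd -h pki.example.com -p 389 \
              -D "cn=Directory Manager" \
              -w Secret.123 \
              -f /usr/share/pki/tps/auth/ds/create.ldif
          docker exec pki ldapadd -h pki.example.com -p 389 \
              -D "cn=Directory Manager" \
              -w Secret.123 \
              -f /usr/share/pki/tps/auth/ds/example.ldif
          #
          # configure TPS to use the sample TPS users
          #
          docker exec pki pki-server tps-config-set \
              auths.instance.ldap1.ldap.basedn \
              ou=people,dc=example,dc=com
          docker exec pki pki-server tps-undeploy --wait
          docker exec pki pki-server tps-deploy --wait
      # Walks a token through UNFORMATTED -> FORMATTED -> ACTIVE. The CUID is
      # 10 random bytes rendered as 20 hex digits, generated on the runner.
      # `expected` is written on the runner and `actual` inside the container
      # under ${PKIDIR}; the final `diff` only works if ${PKIDIR} is the
      # runner workspace mounted into the container — confirm in runner-init.sh.
      - name: Verify TPS client
        run: |
          #
          # add unformatted token with random CUID
          #
          CUID=$(hexdump -v -n "10" -e '1/1 "%02x"' /dev/urandom)
          echo "UNFORMATTED" > expected
          docker exec pki bash -c "pki -n caadmin tps-token-add $CUID | sed -n 's/\s*Status:\s\+\(\S\+\)\s*/\1/p' > ${PKIDIR}/actual"
          diff expected actual
          #
          # format the token
          #
          docker exec pki /usr/share/pki/tps/bin/pki-tps-format \
              --user=testuser \
              --password=Secret.123 \
              $CUID
          echo "FORMATTED" > expected
          docker exec pki bash -c "pki -n caadmin tps-token-show $CUID | sed -n 's/\s*Status:\s\+\(\S\+\)\s*/\1/p' > ${PKIDIR}/actual"
          diff expected actual
          #
          # enroll the token
          #
          docker exec pki /usr/share/pki/tps/bin/pki-tps-enroll \
              --user=testuser \
              --password=Secret.123 \
              $CUID
          echo "ACTIVE" > expected
          docker exec pki bash -c "pki -n caadmin tps-token-show $CUID | sed -n 's/\s*Status:\s\+\(\S\+\)\s*/\1/p' > ${PKIDIR}/actual"
          diff expected actual
      # Artifact collection runs even after a failed step; the teardown steps
      # below do not, so a failed run leaves the container for the artifacts.
      - name: Gather artifacts
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh pki
          tests/bin/pki-artifacts-save.sh pki
      - name: Remove TPS
        run: docker exec pki pkidestroy -i pki-tomcat -s TPS -v
      - name: Remove TKS
        run: docker exec pki pkidestroy -i pki-tomcat -s TKS -v
      - name: Remove KRA
        run: docker exec pki pkidestroy -i pki-tomcat -s KRA -v
      - name: Remove CA
        run: docker exec pki pkidestroy -i pki-tomcat -s CA -v
      - name: Remove DS
        run: docker exec pki ${PKIDIR}/tests/bin/ds-remove.sh
      - name: Upload artifacts
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: tps
          path: |
            /tmp/artifacts/pki

  # One container per subsystem (ca, kra, tks, tps), all joined to the
  # `example` docker network. Certificates needed by the dependent
  # subsystems are exchanged through the shared ${PKIDIR} directory.
  tps-separate-test:
    name: Testing TPS on separate instance
    needs: [init, build]
    runs-on: ubuntu-latest
    env:
      PKIDIR: /tmp/workdir/pki
    steps:
      - name: Clone repository
        uses: actions/checkout@v3
      - name: Retrieve pki-runner image
        uses: actions/cache@v3
        with:
          key: pki-runner-${{ github.sha }}
          path: pki-runner.tar
      - name: Load runner image
        run: docker load --input pki-runner.tar
      - name: Create network
        run: docker network create example
      - name: Setup CA container
        run: |
          IMAGE=pki-runner \
          NAME=ca \
          HOSTNAME=ca.example.com \
          tests/bin/runner-init.sh
      - name: Connect CA container to network
        run: docker network connect example ca --alias ca.example.com
      - name: Install dependencies in CA container
        run: docker exec ca dnf install -y 389-ds-base
      - name: Install DS in CA container
        run: docker exec ca ${PKIDIR}/tests/bin/ds-create.sh
      - name: Install CA in CA container
        run: docker exec ca pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v
      # The banner is installed on every instance so that the later
      # `--ignore-banner` client call is actually exercised.
      - name: Install banner in CA container
        run: docker exec ca cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat
      - name: Setup KRA container
        run: |
          IMAGE=pki-runner \
          NAME=kra \
          HOSTNAME=kra.example.com \
          tests/bin/runner-init.sh
      - name: Connect KRA container to network
        run: docker network connect example kra --alias kra.example.com
      - name: Install dependencies in KRA container
        run: docker exec kra dnf install -y 389-ds-base
      - name: Install DS in KRA container
        run: docker exec kra ${PKIDIR}/tests/bin/ds-create.sh
      # Exports the CA signing cert and the CA admin cert from the CA
      # container into ${PKIDIR}, which the other containers read from;
      # TKS and TPS below rely on these two files already being there.
      - name: Install KRA in KRA container
        run: |
          docker exec ca pki-server cert-export ca_signing --cert-file ${PKIDIR}/ca_signing.crt
          docker exec ca cp /root/.dogtag/pki-tomcat/ca_admin.cert ${PKIDIR}/ca_admin.cert
          docker exec kra cp ${PKIDIR}/ca_signing.crt .
          docker exec kra cp ${PKIDIR}/ca_admin.cert .
          docker exec kra pkispawn -f /usr/share/pki/server/examples/installation/kra-separate.cfg -s KRA -v
      - name: Install banner in KRA container
        run: docker exec kra cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat
      - name: Setup TKS container
        run: |
          IMAGE=pki-runner \
          NAME=tks \
          HOSTNAME=tks.example.com \
          tests/bin/runner-init.sh
      - name: Connect TKS container to network
        run: docker network connect example tks --alias tks.example.com
      - name: Install dependencies in TKS container
        run: docker exec tks dnf install -y 389-ds-base
      - name: Install DS in TKS container
        run: docker exec tks ${PKIDIR}/tests/bin/ds-create.sh
      - name: Install TKS in TKS container
        run: |
          docker exec tks cp ${PKIDIR}/ca_signing.crt .
          docker exec tks cp ${PKIDIR}/ca_admin.cert .
          docker exec tks pkispawn -f /usr/share/pki/server/examples/installation/tks-separate.cfg -s TKS -v
      - name: Install banner in TKS container
        run: docker exec tks cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat
      - name: Setup TPS container
        run: |
          IMAGE=pki-runner \
          NAME=tps \
          HOSTNAME=tps.example.com \
          tests/bin/runner-init.sh
      - name: Connect TPS container to network
        run: docker network connect example tps --alias tps.example.com
      - name: Install dependencies in TPS container
        run: docker exec tps dnf install -y 389-ds-base
      - name: Install DS in TPS container
        run: docker exec tps ${PKIDIR}/tests/bin/ds-create.sh
      - name: Install TPS in TPS container
        run: |
          docker exec tps cp ${PKIDIR}/ca_signing.crt .
          docker exec tps cp ${PKIDIR}/ca_admin.cert .
          docker exec tps pkispawn -f /usr/share/pki/server/examples/installation/tps-separate.cfg -s TPS -v
      - name: Install banner in TPS container
        run: docker exec tps cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat
      # NOTE(review): this job runs the healthcheck with --debug whereas the
      # single-instance job uses --failures-only; presumably intentional
      # for the multi-container layout — confirm.
      - name: Run PKI healthcheck
        run: docker exec tps pki-healthcheck --debug
      # The CA admin PKCS#12 and its password file are copied through the
      # shared ${PKIDIR}; `--ignore-banner` is needed because a banner was
      # installed on the TPS instance above.
      - name: Verify TPS admin
        run: |
          docker exec ca cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 ${PKIDIR}/ca_admin_cert.p12
          docker exec ca cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ${PKIDIR}/pkcs12_password.conf
          docker exec tps pki client-cert-import ca_signing --ca-cert ca_signing.crt
          docker exec tps pki client-cert-import \
              --pkcs12 ${PKIDIR}/ca_admin_cert.p12 \
              --pkcs12-password-file ${PKIDIR}/pkcs12_password.conf
          docker exec tps pki -n caadmin --ignore-banner tps-user-show tpsadmin
      - name: Gather artifacts from CA container
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh ca
          tests/bin/pki-artifacts-save.sh ca
      - name: Gather artifacts from KRA container
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh kra
          tests/bin/pki-artifacts-save.sh kra
      - name: Gather artifacts from TKS container
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh tks
          tests/bin/pki-artifacts-save.sh tks
      - name: Gather artifacts from TPS container
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh tps
          tests/bin/pki-artifacts-save.sh tps
      # Teardown in reverse dependency order: TPS, TKS, KRA, CA.
      - name: Remove TPS from TPS container
        run: docker exec tps pkidestroy -i pki-tomcat -s TPS -v
      - name: Remove DS from TPS container
        run: docker exec tps ${PKIDIR}/tests/bin/ds-remove.sh
      - name: Disconnect TPS container from network
        run: docker network disconnect example tps
      - name: Remove TKS from TKS container
        run: docker exec tks pkidestroy -i pki-tomcat -s TKS -v
      - name: Remove DS from TKS container
        run: docker exec tks ${PKIDIR}/tests/bin/ds-remove.sh
      - name: Disconnect TKS container from network
        run: docker network disconnect example tks
      - name: Remove KRA from KRA container
        run: docker exec kra pkidestroy -i pki-tomcat -s KRA -v
      - name: Remove DS from KRA container
        run: docker exec kra ${PKIDIR}/tests/bin/ds-remove.sh
      - name: Disconnect KRA container from network
        run: docker network disconnect example kra
      - name: Remove CA from CA container
        run: docker exec ca pkidestroy -i pki-tomcat -s CA -v
      - name: Remove DS from CA container
        run: docker exec ca ${PKIDIR}/tests/bin/ds-remove.sh
      - name: Disconnect CA container from network
        run: docker network disconnect example ca
      - name: Remove network
        run: docker network rm example
      - name: Upload artifacts from CA container
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: tps-separate-ca
          path: |
            /tmp/artifacts/ca
      - name: Upload artifacts from KRA container
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: tps-separate-kra
          path: |
            /tmp/artifacts/kra
      - name: Upload artifacts from TKS container
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: tps-separate-tks
          path: |
            /tmp/artifacts/tks
      - name: Upload artifacts from TPS container
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: tps-separate-tps
          path: |
            /tmp/artifacts/tps

  # docs/installation/tps/Installing_TPS_Clone.md
  # This test installs DS, CA, KRA, TKS, and TPS in the primary container,
  # then installs DS clone, CA clone, KRA clone, TKS clone, and TPS clone in the secondary container.
  tps-clone-test:
    name: Testing TPS clone
    needs: [init, build]
    runs-on: ubuntu-latest
    env:
      PKIDIR: /tmp/workdir/pki
    steps:
      - name: Clone repository
        uses: actions/checkout@v3
      - name: Retrieve pki-runner image
        uses: actions/cache@v3
        with:
          key: pki-runner-${{ github.sha }}
          path: pki-runner.tar
      - name: Load runner image
        run: docker load --input pki-runner.tar
      - name: Create network
        run: docker network create example
      - name: Run primary container
        run: |
          IMAGE=pki-runner \
          NAME=primary \
          HOSTNAME=primary.example.com \
          tests/bin/runner-init.sh
      - name: Connect primary container to network
        run: docker network connect example primary --alias primary.example.com
      - name: Install dependencies in primary container
        run: docker exec primary dnf install -y 389-ds-base
      - name: Install DS in primary container
        run: docker exec primary ${PKIDIR}/tests/bin/ds-create.sh
      - name: Install CA in primary container
        run: docker exec primary pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v
      - name: Install KRA in primary container
        run: docker exec primary pkispawn -f /usr/share/pki/server/examples/installation/kra.cfg -s KRA -v
      - name: Install TKS in primary container
        run: docker exec primary pkispawn -f /usr/share/pki/server/examples/installation/tks.cfg -s TKS -v
      - name: Install TPS in primary container
        run: docker exec primary pkispawn -f /usr/share/pki/server/examples/installation/tps.cfg -s TPS -v
      - name: Setup secondary container
        run: |
          IMAGE=pki-runner \
          NAME=secondary \
          HOSTNAME=secondary.example.com \
          tests/bin/runner-init.sh
      - name: Connect secondary container to network
        run: docker network connect example secondary --alias secondary.example.com
      - name: Install dependencies in secondary container
        run: docker exec secondary dnf install -y 389-ds-base
      - name: Install DS in secondary container
        run: docker exec secondary ${PKIDIR}/tests/bin/ds-create.sh
      # Each *-clone-prepare call exports that subsystem's system certificates
      # and keys into a PKCS#12 in the shared ${PKIDIR} with a fixed test
      # password given on the command line (logged); the secondary container
      # copies the file and installs the clone from it.
      - name: Install CA in secondary container
        run: |
          docker exec primary pki-server cert-export ca_signing --cert-file ${PKIDIR}/ca_signing.crt
          docker exec primary pki-server ca-clone-prepare --pkcs12-file ${PKIDIR}/ca-certs.p12 --pkcs12-password Secret.123
          docker exec secondary cp ${PKIDIR}/ca_signing.crt .
          docker exec secondary cp ${PKIDIR}/ca-certs.p12 .
          docker exec secondary pkispawn -f /usr/share/pki/server/examples/installation/ca-clone.cfg -s CA -v
      - name: Install KRA in secondary container
        run: |
          docker exec primary pki-server kra-clone-prepare --pkcs12-file ${PKIDIR}/kra-certs.p12 --pkcs12-password Secret.123
          docker exec secondary cp ${PKIDIR}/kra-certs.p12 .
          docker exec secondary pkispawn -f /usr/share/pki/server/examples/installation/kra-clone.cfg -s KRA -v
      - name: Install TKS in secondary container
        run: |
          docker exec primary pki-server tks-clone-prepare --pkcs12-file ${PKIDIR}/tks-certs.p12 --pkcs12-password Secret.123
          docker exec secondary cp ${PKIDIR}/tks-certs.p12 .
          docker exec secondary pkispawn -f /usr/share/pki/server/examples/installation/tks-clone.cfg -s TKS -v
      - name: Install TPS in secondary container
        run: |
          docker exec primary pki-server tps-clone-prepare --pkcs12-file ${PKIDIR}/tps-certs.p12 --pkcs12-password Secret.123
          docker exec secondary cp ${PKIDIR}/tps-certs.p12 .
          docker exec secondary pkispawn -f /usr/share/pki/server/examples/installation/tps-clone.cfg -s TPS -v
      # The admin identity was created on the primary; importing it on the
      # secondary and querying the TPS admin user proves the clone serves
      # the same data.
      - name: Verify admin user
        run: |
          docker exec primary cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 ${PKIDIR}/ca_admin_cert.p12
          docker exec primary cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ${PKIDIR}/pkcs12_password.conf
          docker exec secondary pki client-cert-import ca_signing --ca-cert ca_signing.crt
          docker exec secondary pki client-cert-import \
              --pkcs12 ${PKIDIR}/ca_admin_cert.p12 \
              --pkcs12-password-file ${PKIDIR}/pkcs12_password.conf
          docker exec secondary pki -n caadmin tps-user-show tpsadmin
      - name: Gather artifacts from primary container
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh primary
          tests/bin/pki-artifacts-save.sh primary
      - name: Gather artifacts from secondary container
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh secondary
          tests/bin/pki-artifacts-save.sh secondary
      # Clones are removed before the primary so that the primary is still
      # reachable while each clone deregisters.
      - name: Remove TPS from secondary container
        run: docker exec secondary pkidestroy -i pki-tomcat -s TPS -v
      - name: Remove TKS from secondary container
        run: docker exec secondary pkidestroy -i pki-tomcat -s TKS -v
      - name: Remove KRA from secondary container
        run: docker exec secondary pkidestroy -i pki-tomcat -s KRA -v
      - name: Remove CA from secondary container
        run: docker exec secondary pkidestroy -i pki-tomcat -s CA -v
      - name: Remove DS from secondary container
        run: docker exec secondary ${PKIDIR}/tests/bin/ds-remove.sh
      - name: Disconnect secondary container from network
        run: docker network disconnect example secondary
      - name: Remove TPS from primary container
        run: docker exec primary pkidestroy -i pki-tomcat -s TPS -v
      - name: Remove TKS from primary container
        run: docker exec primary pkidestroy -i pki-tomcat -s TKS -v
      - name: Remove KRA from primary container
        run: docker exec primary pkidestroy -i pki-tomcat -s KRA -v
      - name: Remove CA from primary container
        run: docker exec primary pkidestroy -i pki-tomcat -s CA -v
      - name: Remove DS from primary container
        run: docker exec primary ${PKIDIR}/tests/bin/ds-remove.sh
      - name: Disconnect primary container from network
        run: docker network disconnect example primary
      - name: Remove network
        run: docker network rm example
      - name: Upload artifacts from primary container
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: tps-clone-primary
          path: |
            /tmp/artifacts/primary
      - name: Upload artifacts from secondary container
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: tps-clone-secondary
          path: |
            /tmp/artifacts/secondary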