ca-container-user-service-test.yml
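# Reusable GitHub Actions workflow (invoked via workflow_call) that runs the
# PKI CA container as a rootless Podman/Quadlet user service inside a test
# container, then checks the generated files, the CA admin user and a cert
# enrollment. Everything below runs against throw-away test containers on a
# private Docker network named "example".
name: CA container user service

# `on` is a YAML 1.1 boolean for generic parsers; GitHub's loader reads it as the key.
on: workflow_call

env:
  # DS image can be overridden by a repository/org variable; the 389ds image is the default
  DS_IMAGE: ${{ vars.DS_IMAGE || 'quay.io/389ds/dirsrv' }}

jobs:
  test:
    name: Test
    runs-on: ubuntu-latest
    env:
      # NOTE(review): SHARED is not referenced by any step in this workflow;
      # presumably consumed by the tests/bin helper scripts — confirm.
      SHARED: /tmp/workdir/pki
    steps:
      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get -y install jq

      - name: Clone repository
        uses: actions/checkout@v4

      - name: Retrieve PKI images
        uses: actions/cache@v4
        with:
          key: pki-images-${{ github.sha }}
          path: pki-images.tar

      - name: Load PKI images
        run: docker load --input pki-images.tar

      - name: Create network
        run: docker network create example

      - name: Set up DS container
        run: |
          # test-only DS password; the same value is handed to the CA container
          # below as PKI_DS_PASSWORD and the two must stay in sync
          tests/bin/ds-create.sh \
            --image=${{ env.DS_IMAGE }} \
            --hostname=ds.example.com \
            --network=example \
            --network-alias=ds.example.com \
            --password=Secret.123 \
            ds

      - name: Set up PKI container
        run: |
          tests/bin/runner-init.sh \
            --hostname=ca.example.com \
            --network=example \
            pki

      - name: Install Podman
        run: |
          docker exec pki dnf install -y podman fuse-overlayfs
          # dump the storage config from each lookup location for debugging
          echo "cat /usr/containers/storage.conf"
          docker exec pki cat /usr/containers/storage.conf
          echo "cat /etc/containers/storage.conf"
          docker exec pki cat /etc/containers/storage.conf
          echo "cat /root/.config/containers/storage.conf"
          docker exec pki cat /root/.config/containers/storage.conf
          docker exec pki podman info

      - name: Configure rootless container
        run: |
          # enable SETUID and SETGID capabilities
          # https://github.com/containers/podman/discussions/21739
          docker exec pki setcap cap_setuid+ep /usr/bin/newuidmap
          docker exec pki setcap cap_setgid+ep /usr/bin/newgidmap

          # enable login shell
          docker exec pki usermod -s /bin/bash pkiuser

          # enable access to systemd journal
          docker exec pki usermod -a -G systemd-journal pkiuser

          # add subordinate UID and GID ranges
          # https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md
          docker exec pki usermod --add-subuids 100000-165535 --add-subgids 100000-165535 pkiuser

          # enable systemd linger
          # https://blog.christophersmart.com/2021/02/20/rootless-podman-containers-under-system-accounts-managed-and-enabled-at-boot-with-systemd/
          docker exec pki loginctl enable-linger pkiuser

          # use fuse-overlayfs
          # https://github.com/containers/podman/issues/8705#issuecomment-744357805
          docker exec -u pkiuser pki mkdir -p /home/pkiuser/.config/containers
          docker exec -i -u pkiuser pki tee /home/pkiuser/.config/containers/storage.conf << EOF
          [storage]
          driver = "overlay"
          [storage.options.overlay]
          mount_program = "/usr/bin/fuse-overlayfs"
          EOF

          # NOTE(review): without pipefail the step's status is tee's; a podman
          # failure here only surfaces through the diff below
          docker exec -u pkiuser pki podman system info --format=json | tee output

          # rootless should be enabled
          echo "true" > expected
          jq -r '.host.security.rootless' output > actual
          diff expected actual

      - name: Load PKI images into PKI user's space
        run: |
          docker cp pki-images.tar pki:/home/pkiuser
          docker exec pki chown pkiuser /home/pkiuser/pki-images.tar
          docker exec -u pkiuser pki podman load --input /home/pkiuser/pki-images.tar
          docker exec -u pkiuser pki podman images

      - name: Create shared folders in PKI user's home directory
        run: |
          # create folders with default owner and permissions
          docker exec -u pkiuser pki mkdir -p /home/pkiuser/.dogtag/pki-ca/conf
          docker exec -u pkiuser pki mkdir -p /home/pkiuser/.dogtag/pki-ca/logs
          docker exec pki ls -laR /home/pkiuser

      - name: Create CA user service
        run: |
          # create container unit file
          # https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html
          docker exec -u pkiuser pki mkdir -p /home/pkiuser/.config/containers/systemd
          docker exec -i -u pkiuser pki tee /home/pkiuser/.config/containers/systemd/pki-ca.container << EOF
          [Unit]
          Description=PKI CA
          [Container]
          Image=pki-ca
          Network=host
          # run container as PKI user
          User=pkiuser
          Group=pkiuser
          UserNS=keep-id
          # use shared folders in home directory
          Volume=/home/pkiuser/.dogtag/pki-ca/conf:/conf
          Volume=/home/pkiuser/.dogtag/pki-ca/logs:/logs
          # configure DS connection
          # plain ldap:// on the private test network; test-only password that
          # must match the --password passed to ds-create.sh above
          Environment=PKI_DS_URL=ldap://ds.example.com:3389
          Environment=PKI_DS_PASSWORD=Secret.123
          [Install]
          # NOTE(review): user units are usually wanted by default.target; the
          # service is started explicitly below, so this target is not exercised here
          WantedBy=multi-user.target
          EOF

          # check service unit file generated by Quadlet
          docker exec -u pkiuser pki /usr/libexec/podman/quadlet -dryrun -user

          # reload service unit files using login shell
          docker exec pki sudo -i -u pkiuser systemctl --user daemon-reload

      - name: Run CA user service
        run: |
          # start service using login shell
          docker exec pki sudo -i -u pkiuser systemctl --user start pki-ca.service
          docker exec -u pkiuser pki podman ps

          # wait for CA to start
          # -k skips certificate verification for this readiness probe only;
          # the CA signing cert is exported and trusted explicitly in "Check CA info"
          docker exec -u pkiuser pki curl \
            --retry 180 \
            --retry-delay 0 \
            --retry-connrefused \
            -s \
            -k \
            -o /dev/null \
            https://ca.example.com:8443

      - name: Check conf dir
        if: always()
        run: |
          # reduce `ls -l` to "<mode> <group> <name>" (fields 1, 4 and the name)
          docker exec -u pkiuser pki ls -l /home/pkiuser/.dogtag/pki-ca/conf \
            | sed \
              -e '/^total/d' \
              -e 's/^\(\S*\) *\S* *\S* *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3/' \
            | tee output

          # everything should be owned by pkiuser group
          # TODO: review owners/permissions
          # NOTE(review): the expected modes below are world-writable, including
          # password.conf; the TODO above is security-relevant
          cat > expected << EOF
          drwxrwxrwx pkiuser Catalina
          drwxrwxrwx pkiuser alias
          drwxrwxrwx pkiuser ca
          -rw-rw-rw- pkiuser catalina.policy
          lrwxrwxrwx pkiuser catalina.properties -> /usr/share/pki/server/conf/catalina.properties
          drwxrwxrwx pkiuser certs
          lrwxrwxrwx pkiuser context.xml -> /etc/tomcat/context.xml
          -rw-rw-rw- pkiuser jss.conf
          lrwxrwxrwx pkiuser logging.properties -> /usr/share/pki/server/conf/logging.properties
          -rw-rw-rw- pkiuser password.conf
          -rw-rw-rw- pkiuser server.xml
          -rw-rw-rw- pkiuser serverCertNick.conf
          -rw-rw-rw- pkiuser tomcat.conf
          lrwxrwxrwx pkiuser web.xml -> /etc/tomcat/web.xml
          EOF

          diff expected output

      - name: Check conf/alias dir
        if: always()
        run: |
          docker exec -u pkiuser pki ls -l /home/pkiuser/.dogtag/pki-ca/conf/alias \
            | sed \
              -e '/^total/d' \
              -e 's/^\(\S*\) *\S* *\S* *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3/' \
            | tee output

          # everything should be owned by pkiuser group
          # TODO: review owners/permissions
          # NOTE(review): key4.db (NSS key store) is expected world-writable here
          cat > expected << EOF
          -rw-rw-rw- pkiuser ca.crt
          -rw-rw-rw- pkiuser cert9.db
          -rw-rw-rw- pkiuser key4.db
          -rw-rw-rw- pkiuser pkcs11.txt
          EOF

          diff expected output

      - name: Check conf/ca dir
        if: always()
        run: |
          # CS.cfg.bak is dropped from the listing since its presence varies
          docker exec -u pkiuser pki ls -l /home/pkiuser/.dogtag/pki-ca/conf/ca \
            | sed \
              -e '/^total/d' \
              -e 's/^\(\S*\) *\S* *\S* *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3/' \
              -e '/^\S* *\S* *\S* *CS.cfg.bak /d' \
            | tee output

          # everything should be owned by pkiuser group
          # TODO: review owners/permissions
          cat > expected << EOF
          -rw-rw-rw- pkiuser CS.cfg
          -rw-rw-rw- pkiuser adminCert.profile
          drwxrwxrwx pkiuser archives
          -rw-rw-rw- pkiuser caAuditSigningCert.profile
          -rw-rw-rw- pkiuser caCert.profile
          -rw-rw-rw- pkiuser caOCSPCert.profile
          drwxrwxrwx pkiuser emails
          -rw-rw-rw- pkiuser flatfile.txt
          drwxrwxrwx pkiuser profiles
          -rw-rw-rw- pkiuser proxy.conf
          -rw-rw-rw- pkiuser registry.cfg
          -rw-rw-rw- pkiuser serverCert.profile
          -rw-rw-rw- pkiuser subsystemCert.profile
          EOF

          diff expected output

      - name: Check logs dir
        if: always()
        run: |
          docker exec -u pkiuser pki ls -l /home/pkiuser/.dogtag/pki-ca/logs \
            | sed \
              -e '/^total/d' \
              -e 's/^\(\S*\) *\S* *\S* *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3/' \
            | tee output

          # runner-side date used to build the expected log file names; a run
          # that crosses midnight between CA start and this check may mismatch
          DATE=$(date +'%Y-%m-%d')

          # everything should be owned by pkiuser group
          # TODO: review owners/permissions
          cat > expected << EOF
          drwxrwx--- pkiuser backup
          drwxrwxrwx pkiuser ca
          -rw-rw-rw- pkiuser catalina.$DATE.log
          -rw-rw-rw- pkiuser host-manager.$DATE.log
          -rw-rw-rw- pkiuser localhost.$DATE.log
          -rw-rw-rw- pkiuser localhost_access_log.$DATE.txt
          -rw-rw-rw- pkiuser manager.$DATE.log
          drwxrwxrwx pkiuser pki
          EOF

          diff expected output

      - name: Check CA info
        run: |
          # export the CA signing cert into /conf/certs inside the CA container;
          # /conf is the bind mount of /home/pkiuser/.dogtag/pki-ca/conf
          docker exec -u pkiuser pki podman exec systemd-pki-ca \
            pki-server cert-export \
            --cert-file /conf/certs/ca_signing.crt \
            ca_signing

          # trust it as a CA in the pkiuser NSS database so later pki calls verify TLS
          docker exec -u pkiuser pki pki nss-cert-import \
            --cert /home/pkiuser/.dogtag/pki-ca/conf/certs/ca_signing.crt \
            --trust CT,C,C \
            ca_signing

          docker exec -u pkiuser pki pki info

      # https://github.com/dogtagpki/pki/wiki/Setting-up-CA-Database
      - name: Initialize CA database
        run: |
          docker exec -u pkiuser pki podman exec systemd-pki-ca \
            pki-server ca-db-init -v

          docker exec -u pkiuser pki podman exec systemd-pki-ca \
            pki-server ca-db-index-add -v

          docker exec -u pkiuser pki podman exec systemd-pki-ca \
            pki-server ca-db-index-rebuild -v

          docker exec -u pkiuser pki podman exec systemd-pki-ca \
            pki-server ca-db-vlv-add -v

          docker exec -u pkiuser pki podman exec systemd-pki-ca \
            pki-server ca-db-vlv-reindex -v

      - name: Create admin cert
        run: |
          # create cert request
          docker exec -u pkiuser pki pki nss-cert-request \
            --subject "CN=Administrator" \
            --ext /usr/share/pki/server/certs/admin.conf \
            --csr /home/pkiuser/admin.csr

          docker exec -u pkiuser pki podman cp /home/pkiuser/admin.csr systemd-pki-ca:/home/pkiuser

          # issue cert
          docker exec -u pkiuser pki podman exec systemd-pki-ca pki-server ca-cert-create \
            --csr /home/pkiuser/admin.csr \
            --profile /usr/share/pki/ca/conf/rsaAdminCert.profile \
            --cert /home/pkiuser/admin.crt \
            --import-cert

          docker exec -u pkiuser pki podman cp systemd-pki-ca:/home/pkiuser/admin.crt /home/pkiuser

          # import cert
          docker exec -u pkiuser pki pki nss-cert-import \
            --cert /home/pkiuser/admin.crt \
            admin

      # https://github.com/dogtagpki/pki/wiki/Setting-up-CA-Admin-User
      - name: Add CA admin user
        run: |
          # create CA admin user
          docker exec -u pkiuser pki podman exec systemd-pki-ca \
            pki-server ca-user-add \
            --full-name Administrator \
            --type adminType \
            --cert /home/pkiuser/admin.crt \
            admin

          # add CA admin user into CA groups
          docker exec -u pkiuser pki podman exec systemd-pki-ca \
            pki-server ca-user-role-add admin "Administrators"

          docker exec -u pkiuser pki podman exec systemd-pki-ca \
            pki-server ca-user-role-add admin "Certificate Manager Agents"

      - name: Check CA admin user
        run: |
          docker exec -u pkiuser pki pki \
            -n admin \
            ca-user-show \
            admin

      - name: Check cert enrollment
        run: |
          docker exec -u pkiuser pki pki \
            client-cert-request \
            uid=testuser | tee output

          REQUEST_ID=$(sed -n -e 's/^ *Request ID: *\(.*\)$/\1/p' output)
          echo "REQUEST_ID: $REQUEST_ID"

          # fail with a clear message instead of passing an empty argument to approve
          [ -n "$REQUEST_ID" ] || { echo "no request ID found in output"; exit 1; }

          docker exec -u pkiuser pki pki \
            -n admin \
            ca-cert-request-approve \
            "$REQUEST_ID" \
            --force

      - name: Check DS server systemd journal
        if: always()
        run: |
          # NOTE(review): the unit name below looks garbled (email-style
          # obfuscation); 389-ds instance units are named dirsrv@<instance>.service — restore before use
          docker exec ds journalctl -x --no-pager -u [email protected]

      - name: Check DS container logs
        if: always()
        run: |
          docker logs ds

      - name: Check CA container systemd journal
        if: always()
        run: |
          docker exec -u pkiuser pki journalctl --user -x --no-pager -u pki-ca.service

      - name: Check CA container logs
        if: always()
        run: |
          docker exec -u pkiuser pki podman logs systemd-pki-ca 2>&1

      - name: Check CA debug logs
        if: always()
        run: |
          docker exec -u pkiuser pki find /home/pkiuser/.dogtag/pki-ca/logs/ca -name "debug.*" -exec cat {} \;

      - name: Gather artifacts
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh ds
          tests/bin/pki-artifacts-save.sh pki
          # the copied tree includes conf/password.conf and conf/alias (NSS key DB)
          # from the listings above; these hold test-only material
          docker cp pki:/home/pkiuser/.dogtag/pki-ca /tmp/artifacts/ca
          docker exec -u pkiuser pki podman logs systemd-pki-ca > /tmp/artifacts/ca/container.out 2> /tmp/artifacts/ca/container.err

      - name: Upload artifacts
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: ca-container-user-service
          path: /tmp/artifacts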