Update security domain tests
Some KRA/OCSP tests have been updated to check the security
domain configuration after installation.
edewata committed Dec 1, 2023
1 parent eb5db84 commit 1c63133
Showing 4 changed files with 117 additions and 4 deletions.
19 changes: 17 additions & 2 deletions .github/workflows/kra-basic-test.yml
Expand Up @@ -58,9 +58,9 @@ jobs:
docker exec pki pki-server cert-find
- name: Check CA security domain
- name: Check security domain config in CA
run: |
# security domain should be enabled (i.e. securitydomain.select=new)
# CA should run security domain service
cat > expected << EOF
securitydomain.checkIP=false
securitydomain.checkinterval=300000
Expand All @@ -72,6 +72,7 @@ jobs:
securitydomain.select=new
securitydomain.source=ldap
EOF
docker exec pki pki-server ca-config-find | grep ^securitydomain. | sort | tee actual
diff expected actual
Expand Down Expand Up @@ -102,6 +103,20 @@ jobs:
-D pki_ds_url=ldap://ds.example.com:3389 \
-v
- name: Check security domain config in KRA
run: |
# KRA should join security domain in CA
cat > expected << EOF
securitydomain.host=pki.example.com
securitydomain.httpport=8080
securitydomain.httpsadminport=8443
securitydomain.name=EXAMPLE
securitydomain.select=existing
EOF
docker exec pki pki-server kra-config-find | grep ^securitydomain. | sort | tee actual
diff expected actual
- name: Check KRA storage cert
run: |
docker exec pki pki-server cert-export kra_storage \
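Review bot: The filter `grep ^securitydomain.` in both new check steps uses an unquoted regex where `.` matches any character, so the pattern is looser than the literal prefix it is meant to express; write it as `grep '^securitydomain\.'` so the dot is literal and the shell cannot glob the argument. The same pattern appears in every new check step of kra-separate-test.yml, ocsp-basic-test.yml and ocsp-separate-test.yml, so the change applies there as well. The `docker exec ... | grep ... | sort | tee actual` pipeline also ends in `tee`, whose success masks a failing `kra-config-find` unless the job shell sets `pipefail`; the following `diff expected actual` does still catch an empty result, so this is a clarity rather than a correctness issue.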
51 changes: 51 additions & 0 deletions .github/workflows/kra-separate-test.yml
Expand Up @@ -56,6 +56,24 @@ jobs:
-D pki_ds_url=ldap://rootcads.example.com:3389 \
-v
- name: Check security domain config in root CA
run: |
# root CA should run security domain service
cat > expected << EOF
securitydomain.checkIP=false
securitydomain.checkinterval=300000
securitydomain.flushinterval=86400000
securitydomain.host=rootca.example.com
securitydomain.httpport=8080
securitydomain.httpsadminport=8443
securitydomain.name=EXAMPLE
securitydomain.select=new
securitydomain.source=ldap
EOF
docker exec rootca pki-server ca-config-find | grep ^securitydomain. | sort | tee actual
diff expected actual
- name: Check root CA certs
if: always()
run: |
Expand Down Expand Up @@ -101,6 +119,7 @@ jobs:
-D pki_ds_url=ldap://subcads.example.com:3389 \
-D pki_security_domain_uri=https://rootca.example.com:8443 \
-D pki_subordinate_create_new_security_domain=True \
-D pki_subordinate_security_domain_name=SUBORDINATE \
-D pki_issuing_ca_uri=https://rootca.example.com:8443 \
-v
Expand All @@ -120,6 +139,24 @@ jobs:
docker exec subca pki-server ca-user-show caadmin
docker exec subca pki-server ca-user-role-find caadmin
- name: Check security domain config in sub CA
run: |
# sub CA should run security domain service
cat > expected << EOF
securitydomain.checkIP=false
securitydomain.checkinterval=300000
securitydomain.flushinterval=86400000
securitydomain.host=subca.example.com
securitydomain.httpport=8080
securitydomain.httpsadminport=8443
securitydomain.name=SUBORDINATE
securitydomain.select=new
securitydomain.source=ldap
EOF
docker exec subca pki-server ca-config-find | grep ^securitydomain. | sort | tee actual
diff expected actual
- name: Export subordinate CA cert bundle
run: |
cat root-ca_signing.crt > cert_chain.crt
Expand Down Expand Up @@ -182,6 +219,20 @@ jobs:
-D pki_ds_url=ldap://krads.example.com:3389 \
-v
- name: Check security domain config in KRA
run: |
# KRA should join existing security domain in sub CA
cat > expected << EOF
securitydomain.host=subca.example.com
securitydomain.httpport=8080
securitydomain.httpsadminport=8443
securitydomain.name=SUBORDINATE
securitydomain.select=existing
EOF
docker exec kra pki-server kra-config-find | grep ^securitydomain. | sort | tee actual
diff expected actual
- name: Check KRA certs
if: always()
run: |
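Review bot: The new "Check security domain config in KRA" step only asserts the KRA's own `securitydomain.select=existing` and host/port entries, which shows the KRA was configured to join the SUBORDINATE domain but not that the sub CA actually registered it; a subsystem can carry this local config while the domain on the CA side is missing its entry. A follow-up assertion against the sub CA's security domain listing (for example via the `pki securitydomain-show` client command, if this workflow already provisions a client) would make the test verify both sides of the join. The same one-sided check is used in the KRA step of kra-basic-test.yml and the OCSP steps of ocsp-basic-test.yml and ocsp-separate-test.yml.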
19 changes: 17 additions & 2 deletions .github/workflows/ocsp-basic-test.yml
Expand Up @@ -58,9 +58,9 @@ jobs:
docker exec pki pki-server cert-find
- name: Check CA security domain
- name: Check security domain config in CA
run: |
# security domain should be enabled (i.e. securitydomain.select=new)
# CA should run security domain service
cat > expected << EOF
securitydomain.checkIP=false
securitydomain.checkinterval=300000
Expand All @@ -72,6 +72,7 @@ jobs:
securitydomain.select=new
securitydomain.source=ldap
EOF
docker exec pki pki-server ca-config-find | grep ^securitydomain. | sort | tee actual
diff expected actual
Expand Down Expand Up @@ -102,6 +103,20 @@ jobs:
-D pki_ds_url=ldap://ds.example.com:3389 \
-v
- name: Check security domain config in OCSP
run: |
# OCSP should join security domain in CA
cat > expected << EOF
securitydomain.host=pki.example.com
securitydomain.httpport=8080
securitydomain.httpsadminport=8443
securitydomain.name=EXAMPLE
securitydomain.select=existing
EOF
docker exec pki pki-server ocsp-config-find | grep ^securitydomain. | sort | tee actual
diff expected actual
- name: Check OCSP signing cert
run: |
docker exec pki pki-server cert-export ocsp_signing \
32 changes: 32 additions & 0 deletions .github/workflows/ocsp-separate-test.yml
Expand Up @@ -57,6 +57,24 @@ jobs:
docker exec ca pki-server cert-find
- name: Check security domain config in CA
run: |
# CA should run security domain service
cat > expected << EOF
securitydomain.checkIP=false
securitydomain.checkinterval=300000
securitydomain.flushinterval=86400000
securitydomain.host=ca.example.com
securitydomain.httpport=8080
securitydomain.httpsadminport=8443
securitydomain.name=EXAMPLE
securitydomain.select=new
securitydomain.source=ldap
EOF
docker exec ca pki-server ca-config-find | grep ^securitydomain. | sort | tee actual
diff expected actual
- name: Install banner in CA container
run: docker exec ca cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat

Expand Down Expand Up @@ -96,6 +114,20 @@ jobs:
docker exec ocsp pki-server cert-find
- name: Check security domain config in OCSP
run: |
# OCSP should join security domain in CA
cat > expected << EOF
securitydomain.host=ca.example.com
securitydomain.httpport=8080
securitydomain.httpsadminport=8443
securitydomain.name=EXAMPLE
securitydomain.select=existing
EOF
docker exec ocsp pki-server ocsp-config-find | grep ^securitydomain. | sort | tee actual
diff expected actual
- name: Install banner in OCSP container
run: docker exec ocsp cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat

