From 1c6313313631961d3d2d7f628b9526df03b58679 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Thu, 30 Nov 2023 13:36:49 +0700
Subject: [PATCH] Update security domain tests

Some KRA/OCSP tests have been updated to check the security domain configuration after installation.
---
 .github/workflows/kra-basic-test.yml | 19 ++++++++-
 .github/workflows/kra-separate-test.yml | 51 ++++++++++++++++++++++++
 .github/workflows/ocsp-basic-test.yml | 19 ++++++++-
 .github/workflows/ocsp-separate-test.yml | 32 +++++++++++++++
 4 files changed, 117 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/kra-basic-test.yml b/.github/workflows/kra-basic-test.yml
index 31389cd3aba..bad8c34b4e4 100644
--- a/.github/workflows/kra-basic-test.yml
+++ b/.github/workflows/kra-basic-test.yml
@@ -58,9 +58,9 @@ jobs:
 docker exec pki pki-server cert-find
- - name: Check CA security domain
+ - name: Check security domain config in CA
 run: |
- # security domain should be enabled (i.e. securitydomain.select=new)
+ # CA should run security domain service
 cat > expected << EOF
 securitydomain.checkIP=false
 securitydomain.checkinterval=300000
@@ -72,6 +72,7 @@ jobs:
 securitydomain.select=new
 securitydomain.source=ldap
 EOF
+
 docker exec pki pki-server ca-config-find | grep ^securitydomain. | sort | tee actual
 diff expected actual
@@ -102,6 +103,20 @@ jobs:
 -D pki_ds_url=ldap://ds.example.com:3389 \
 -v
+ - name: Check security domain config in KRA
+ run: |
+ # KRA should join security domain in CA
+ cat > expected << EOF
+ securitydomain.host=pki.example.com
+ securitydomain.httpport=8080
+ securitydomain.httpsadminport=8443
+ securitydomain.name=EXAMPLE
+ securitydomain.select=existing
+ EOF
+
+ docker exec pki pki-server kra-config-find | grep ^securitydomain. | sort | tee actual
+ diff expected actual
+
 - name: Check KRA storage cert
 run: |
 docker exec pki pki-server cert-export kra_storage \
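Review bot: The `grep ^securitydomain.` filter in the new "Check security domain config in KRA" step uses an unescaped `.`, which matches any character, so a key named e.g. `securitydomainfoo=...` (constructed example) would also be captured and make the `diff` fail for a reason unrelated to the security domain; quoting the pattern and escaping the dot makes the filter exact: `docker exec pki pki-server kra-config-find | grep '^securitydomain\.' | sort | tee actual`. The same filter is copied into the new steps in kra-separate-test.yml (root CA, sub CA, KRA), ocsp-basic-test.yml (OCSP) and ocsp-separate-test.yml (CA, OCSP), and the pre-existing CA check in this file has it too. Note that a failed `docker exec` or an empty `grep` result is still caught, because `diff expected actual` then fails on the empty file, so no `pipefail` change is needed. The enclosing `jobs:` steps list starts and ends outside the hunk.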
diff --git a/.github/workflows/kra-separate-test.yml b/.github/workflows/kra-separate-test.yml
index dabffe07222..8b10b6ca92f 100644
--- a/.github/workflows/kra-separate-test.yml
+++ b/.github/workflows/kra-separate-test.yml
@@ -56,6 +56,24 @@ jobs:
 -D pki_ds_url=ldap://rootcads.example.com:3389 \
 -v
+ - name: Check security domain config in root CA
+ run: |
+ # root CA should run security domain service
+ cat > expected << EOF
+ securitydomain.checkIP=false
+ securitydomain.checkinterval=300000
+ securitydomain.flushinterval=86400000
+ securitydomain.host=rootca.example.com
+ securitydomain.httpport=8080
+ securitydomain.httpsadminport=8443
+ securitydomain.name=EXAMPLE
+ securitydomain.select=new
+ securitydomain.source=ldap
+ EOF
+
+ docker exec rootca pki-server ca-config-find | grep ^securitydomain. | sort | tee actual
+ diff expected actual
+
 - name: Check root CA certs
 if: always()
 run: |
@@ -101,6 +119,7 @@ jobs:
 -D pki_ds_url=ldap://subcads.example.com:3389 \
 -D pki_security_domain_uri=https://rootca.example.com:8443 \
 -D pki_subordinate_create_new_security_domain=True \
+ -D pki_subordinate_security_domain_name=SUBORDINATE \
 -D pki_issuing_ca_uri=https://rootca.example.com:8443 \
 -v
@@ -120,6 +139,24 @@ jobs:
 docker exec subca pki-server ca-user-show caadmin
 docker exec subca pki-server ca-user-role-find caadmin
+ - name: Check security domain config in sub CA
+ run: |
+ # sub CA should run security domain service
+ cat > expected << EOF
+ securitydomain.checkIP=false
+ securitydomain.checkinterval=300000
+ securitydomain.flushinterval=86400000
+ securitydomain.host=subca.example.com
+ securitydomain.httpport=8080
+ securitydomain.httpsadminport=8443
+ securitydomain.name=SUBORDINATE
+ securitydomain.select=new
+ securitydomain.source=ldap
+ EOF
+
+ docker exec subca pki-server ca-config-find | grep ^securitydomain. | sort | tee actual
+ diff expected actual
+
 - name: Export subordinate CA cert bundle
 run: |
 cat root-ca_signing.crt > cert_chain.crt
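Review bot: The root CA check's expected file depends on `sort` placing `securitydomain.checkIP` before `securitydomain.checkinterval`, which only holds under byte-order collation (C or C.UTF-8); under a case-folding locale such as glibc's en_US.UTF-8, `sort` compares `checkinterval` against `checkip` first and puts `checkinterval` ahead, so the `diff` fails for a reason unrelated to the security domain. Since `sort` runs on the runner's shell, not inside the container, the runner's locale decides the outcome; pinning it removes the dependency: `docker exec rootca pki-server ca-config-find | grep ^securitydomain. | LC_ALL=C sort | tee actual`. The sub CA check later in this file and the CA check in ocsp-separate-test.yml hard-code the same order, as do the pre-existing CA checks in the basic tests. The step list containing these hunks starts and ends outside them.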
@@ -182,6 +219,20 @@ jobs:
 -D pki_ds_url=ldap://krads.example.com:3389 \
 -v
+ - name: Check security domain config in KRA
+ run: |
+ # KRA should join existing security domain in sub CA
+ cat > expected << EOF
+ securitydomain.host=subca.example.com
+ securitydomain.httpport=8080
+ securitydomain.httpsadminport=8443
+ securitydomain.name=SUBORDINATE
+ securitydomain.select=existing
+ EOF
+
+ docker exec kra pki-server kra-config-find | grep ^securitydomain. | sort | tee actual
+ diff expected actual
+
 - name: Check KRA certs
 if: always()
 run: |
diff --git a/.github/workflows/ocsp-basic-test.yml b/.github/workflows/ocsp-basic-test.yml
index 58834e58af4..8e1beabb177 100644
--- a/.github/workflows/ocsp-basic-test.yml
+++ b/.github/workflows/ocsp-basic-test.yml
@@ -58,9 +58,9 @@ jobs:
 docker exec pki pki-server cert-find
- - name: Check CA security domain
+ - name: Check security domain config in CA
 run: |
- # security domain should be enabled (i.e. securitydomain.select=new)
+ # CA should run security domain service
 cat > expected << EOF
 securitydomain.checkIP=false
 securitydomain.checkinterval=300000
@@ -72,6 +72,7 @@ jobs:
 securitydomain.select=new
 securitydomain.source=ldap
 EOF
+
 docker exec pki pki-server ca-config-find | grep ^securitydomain. | sort | tee actual
 diff expected actual
@@ -102,6 +103,20 @@ jobs:
 -D pki_ds_url=ldap://ds.example.com:3389 \
 -v
+ - name: Check security domain config in OCSP
+ run: |
+ # OCSP should join security domain in CA
+ cat > expected << EOF
+ securitydomain.host=pki.example.com
+ securitydomain.httpport=8080
+ securitydomain.httpsadminport=8443
+ securitydomain.name=EXAMPLE
+ securitydomain.select=existing
+ EOF
+
+ docker exec pki pki-server ocsp-config-find | grep ^securitydomain. | sort | tee actual
+ diff expected actual
+
 - name: Check OCSP signing cert
 run: |
 docker exec pki pki-server cert-export ocsp_signing \
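Review bot: The new KRA check in kra-separate-test.yml only proves what the KRA itself was configured with (`securitydomain.select=existing` and `securitydomain.host=subca.example.com`), not that the sub CA's SUBORDINATE domain actually registered the KRA, so a subsystem whose domain registration failed or was later removed would still pass as long as its own config carries those keys. A CA-side assertion that the sub CA's domain lists the KRA (the `pki securitydomain-show` output, if that command is available in this image) would close the gap; the same applies to the OCSP check added to ocsp-basic-test.yml below. Given `pki_subordinate_create_new_security_domain=True`, it would presumably also be worth asserting that the root CA's EXAMPLE domain does not list the KRA, since the separation between the two domains is what this scenario exercises. The comment line could say so explicitly: `# KRA should join existing security domain in sub CA (SUBORDINATE), not the root CA domain (EXAMPLE)`. The enclosing steps list continues outside the hunk.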
diff --git a/.github/workflows/ocsp-separate-test.yml b/.github/workflows/ocsp-separate-test.yml
index d6c82b19102..d72a6c952fb 100644
--- a/.github/workflows/ocsp-separate-test.yml
+++ b/.github/workflows/ocsp-separate-test.yml
@@ -57,6 +57,24 @@ jobs:
 docker exec ca pki-server cert-find
+ - name: Check security domain config in CA
+ run: |
+ # CA should run security domain service
+ cat > expected << EOF
+ securitydomain.checkIP=false
+ securitydomain.checkinterval=300000
+ securitydomain.flushinterval=86400000
+ securitydomain.host=ca.example.com
+ securitydomain.httpport=8080
+ securitydomain.httpsadminport=8443
+ securitydomain.name=EXAMPLE
+ securitydomain.select=new
+ securitydomain.source=ldap
+ EOF
+
+ docker exec ca pki-server ca-config-find | grep ^securitydomain. | sort | tee actual
+ diff expected actual
+
 - name: Install banner in CA container
 run: docker exec ca cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat
@@ -96,6 +114,20 @@ jobs:
 docker exec ocsp pki-server cert-find
+ - name: Check security domain config in OCSP
+ run: |
+ # OCSP should join security domain in CA
+ cat > expected << EOF
+ securitydomain.host=ca.example.com
+ securitydomain.httpport=8080
+ securitydomain.httpsadminport=8443
+ securitydomain.name=EXAMPLE
+ securitydomain.select=existing
+ EOF
+
+ docker exec ocsp pki-server ocsp-config-find | grep ^securitydomain. | sort | tee actual
+ diff expected actual
+
 - name: Install banner in OCSP container
 run: docker exec ocsp cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat