Add test for KRA clone with shared DS
A new CI test has been added to verify installing KRA with a DS
instance, then cloning the KRA using the same DS instance. The
test will also check the system certs and the CS.cfg in both
instances.
edewata committed Oct 10, 2023
1 parent e865fe7 commit 64548e5
Showing 2 changed files with 279 additions and 0 deletions.
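--- /dev/null
+++ b/.github/workflows/kra-clone-shared-ds-test.yml
@@ -0,0 +1,272 @@
+name: KRA clone with shared DS
+
+on:
+workflow_call:
+inputs:
+db-image:
+required: false
+type: string
+
+jobs:
+test:
+name: Test
+runs-on: ubuntu-latest
+env:
+SHARED: /tmp/workdir/pki
+steps:
+- name: Clone repository
+uses: actions/checkout@v3
+
+- name: Retrieve PKI images
+uses: actions/cache@v3
+with:
+key: pki-images-${{ github.sha }}
+path: pki-images.tar
+
+- name: Load PKI images
+run: docker load --input pki-images.tar
+
+- name: Create network
+run: docker network create example
+
+- name: Set up primary DS container
+run: |
+tests/bin/ds-container-create.sh ds
+env:
+IMAGE: ${{ inputs.db-image }}
+HOSTNAME: ds.example.com
+PASSWORD: Secret.123
+
+- name: Connect DS container to network
+run: docker network connect example ds --alias ds.example.com
+
+- name: Set up primary PKI container
+run: |
+tests/bin/runner-init.sh primary
+env:
+HOSTNAME: primary.example.com
+
+- name: Connect primary PKI container to network
+run: docker network connect example primary --alias primary.example.com
+
+- name: Install CA in primary PKI container
+run: |
+docker exec primary pkispawn \
+-f /usr/share/pki/server/examples/installation/ca.cfg \
+-s CA \
+-D pki_ds_url=ldap://ds.example.com:3389 \
+-D pki_cert_id_generator=random \
+-D pki_request_id_generator=random \
+-v
+- name: Install KRA in primary PKI container
+run: |
+docker exec primary pkispawn \
+-f /usr/share/pki/server/examples/installation/kra.cfg \
+-s KRA \
+-D pki_ds_url=ldap://ds.example.com:3389 \
+-D pki_key_id_generator=random \
+-D pki_request_id_generator=random \
+-v
+- name: Install admin cert in primary PKI container
+run: |
+# install CA signing cert
+docker exec primary pki-server cert-export ca_signing \
+--cert-file ${SHARED}/ca_signing.crt
+docker exec primary pki client-cert-import ca_signing \
+--ca-cert ${SHARED}/ca_signing.crt
+# install admin cert
+docker exec primary cp \
+/root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
+${SHARED}/ca_admin_cert.p12
+docker exec primary pki pkcs12-import \
+--pkcs12 ${SHARED}/ca_admin_cert.p12 \
+--pkcs12-password Secret.123
+- name: Export certs and keys from primary PKI container
+run: |
+docker exec primary pki-server ca-clone-prepare \
+--pkcs12-file ${SHARED}/ca-certs.p12 \
+--pkcs12-password Secret.123
+docker exec primary pki-server kra-clone-prepare \
+--pkcs12-file ${SHARED}/kra-certs.p12 \
+--pkcs12-password Secret.123
+- name: Set up secondary PKI container
+run: |
+tests/bin/runner-init.sh secondary
+env:
+HOSTNAME: secondary.example.com
+
+- name: Connect secondary PKI container to network
+run: docker network connect example secondary --alias secondary.example.com
+
+- name: Install CA in secondary PKI container
+run: |
+docker exec secondary pkispawn \
+-f /usr/share/pki/server/examples/installation/ca-clone.cfg \
+-s CA \
+-D pki_cert_chain_path=${SHARED}/ca_signing.crt \
+-D pki_clone_pkcs12_path=${SHARED}/ca-certs.p12 \
+-D pki_clone_pkcs12_password=Secret.123 \
+-D pki_ds_url=ldap://ds.example.com:3389 \
+-D pki_ds_setup=False \
+-D pki_cert_id_generator=random \
+-D pki_request_id_generator=random \
+-v
+- name: Install KRA in secondary PKI container
+run: |
+# get CS.cfg from primary KRA before cloning
+docker cp primary:/etc/pki/pki-tomcat/kra/CS.cfg CS.cfg.primary
+docker exec secondary pkispawn \
+-f /usr/share/pki/server/examples/installation/kra-clone.cfg \
+-s KRA \
+-D pki_cert_chain_path=${SHARED}/ca_signing.crt \
+-D pki_clone_pkcs12_path=${SHARED}/kra-certs.p12 \
+-D pki_clone_pkcs12_password=Secret.123 \
+-D pki_ds_url=ldap://ds.example.com:3389 \
+-D pki_ds_setup=False \
+-D pki_key_id_generator=random \
+-D pki_request_id_generator=random \
+-v
+- name: Check system certs in primary KRA and secondary KRA
+run: |
+# get system certs from primary KRA (except sslserver)
+docker exec primary pki-server cert-show kra_storage > system-certs.primary
+echo >> system-certs.primary
+docker exec primary pki-server cert-show kra_transport >> system-certs.primary
+echo >> system-certs.primary
+docker exec primary pki-server cert-show kra_audit_signing >> system-certs.primary
+echo >> system-certs.primary
+docker exec primary pki-server cert-show subsystem >> system-certs.primary
+# get system certs from secondary KRA (except sslserver)
+docker exec secondary pki-server cert-show kra_storage > system-certs.secondary
+echo >> system-certs.secondary
+docker exec secondary pki-server cert-show kra_transport >> system-certs.secondary
+echo >> system-certs.secondary
+docker exec secondary pki-server cert-show kra_audit_signing >> system-certs.secondary
+echo >> system-certs.secondary
+docker exec secondary pki-server cert-show subsystem >> system-certs.secondary
+cat system-certs.primary
+diff system-certs.primary system-certs.secondary
+- name: Check CS.cfg in primary KRA after cloning
+run: |
+# get CS.cfg from primary KRA after cloning
+docker cp primary:/etc/pki/pki-tomcat/kra/CS.cfg CS.cfg.primary.after
+# normalize expected result:
+# - remove params that cannot be compared
+sed -e '/^dbs.beginReplicaNumber=/d' \
+-e '/^dbs.endReplicaNumber=/d' \
+-e '/^dbs.nextBeginReplicaNumber=/d' \
+-e '/^dbs.nextEndReplicaNumber=/d' \
+CS.cfg.primary \
+| sort > expected
+# normalize actual result:
+# - remove params that cannot be compared
+sed -e '/^dbs.beginReplicaNumber=/d' \
+-e '/^dbs.endReplicaNumber=/d' \
+-e '/^dbs.nextBeginReplicaNumber=/d' \
+-e '/^dbs.nextEndReplicaNumber=/d' \
+CS.cfg.primary.after \
+| sort > actual
+diff expected actual
+- name: Check CS.cfg in secondary KRA
+run: |
+# get CS.cfg from secondary KRA
+docker cp secondary:/etc/pki/pki-tomcat/kra/CS.cfg CS.cfg.secondary
+# normalize expected result:
+# - remove params that cannot be compared
+# - replace primary.example.com with secondary.example.com
+# - set securitydomain.host to primary.example.com
+sed -e '/^installDate=/d' \
+-e '/^dbs.beginReplicaNumber=/d' \
+-e '/^dbs.endReplicaNumber=/d' \
+-e '/^dbs.nextBeginReplicaNumber=/d' \
+-e '/^dbs.nextEndReplicaNumber=/d' \
+-e '/^kra.sslserver.cert=/d' \
+-e '/^kra.sslserver.certreq=/d' \
+-e 's/primary.example.com/secondary.example.com/' \
+-e 's/^\(securitydomain.host\)=.*$/\1=primary.example.com/' \
+CS.cfg.primary.after \
+| sort > expected
+# normalize actual result:
+# - remove params that cannot be compared
+sed -e '/^installDate=/d' \
+-e '/^dbs.beginReplicaNumber=/d' \
+-e '/^dbs.endReplicaNumber=/d' \
+-e '/^dbs.nextBeginReplicaNumber=/d' \
+-e '/^dbs.nextEndReplicaNumber=/d' \
+-e '/^kra.sslserver.cert=/d' \
+-e '/^kra.sslserver.certreq=/d' \
+CS.cfg.secondary \
+| sort > actual
+diff expected actual
+- name: Install admin cert in secondary PKI container
+run: |
+# install CA signing cert
+docker exec secondary pki client-cert-import ca_signing \
+--ca-cert ${SHARED}/ca_signing.crt
+# install admin cert
+docker exec secondary pki pkcs12-import \
+--pkcs12 ${SHARED}/ca_admin_cert.p12 \
+--pkcs12-password Secret.123
+- name: Check users in primary KRA and secondary KRA
+run: |
+docker exec primary pki -n caadmin kra-user-find | tee kra-users.primary
+docker exec secondary pki -n caadmin kra-user-find > kra-users.secondary
+diff kra-users.primary kra-users.secondary
+- name: Run PKI healthcheck in primary container
+run: docker exec primary pki-healthcheck --failures-only
+
+- name: Run PKI healthcheck in secondary container
+run: docker exec secondary pki-healthcheck --failures-only
+
+- name: Gather artifacts
+if: always()
+run: |
+tests/bin/ds-artifacts-save.sh ds
+tests/bin/pki-artifacts-save.sh primary
+tests/bin/pki-artifacts-save.sh secondary
+continue-on-error: true
+
+- name: Remove KRA from secondary PKI container
+run: docker exec secondary pkidestroy -i pki-tomcat -s KRA -v
+
+- name: Remove CA from secondary PKI container
+run: docker exec secondary pkidestroy -i pki-tomcat -s CA -v
+
+- name: Remove KRA from primary PKI container
+run: docker exec primary pkidestroy -i pki-tomcat -s KRA -v
+
+- name: Remove CA from primary PKI container
+run: docker exec primary pkidestroy -i pki-tomcat -s CA -v
+
+- name: Upload artifacts
+if: always()
+uses: actions/upload-artifact@v3
+with:
+name: kra-clone-shared-ds
+path: |
+/tmp/artifacts/ds
+/tmp/artifacts/primary
+/tmp/artifacts/secondary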
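Review bot: The clone-prepare step writes the CA and KRA private keys to `${SHARED}` as `ca-certs.p12` and `kra-certs.p12` under the fixed password `Secret.123`, which also protects the DS instance and the admin PKCS12; that is fine for a throwaway runner, but `tests/bin/pki-artifacts-save.sh` is not visible here, so it is worth confirming it does not copy `${SHARED}` into `/tmp/artifacts/*`, which the `if: always()` upload step then publishes as a workflow artifact on every run. A smaller correctness point in the "Check CS.cfg in secondary KRA" step: `-e 's/primary.example.com/secondary.example.com/'` rewrites only the first occurrence per line and leaves the dots unescaped, so `-e 's/primary\.example\.com/secondary\.example\.com/g'` would be the safer normalization if any parameter ever carries the host name twice. The actions (`actions/checkout@v3`, `actions/cache@v3`, `actions/upload-artifact@v3`) are referenced by major tag rather than commit SHA, which presumably mirrors the sibling workflows, so pinning is a repository-wide decision rather than one for this file. A short comment above `name:` summarizing the scenario (primary CA+KRA, secondary clone sharing the same DS, then cert and CS.cfg comparison) would save readers from reconstructing it from the step names.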
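--- a/.github/workflows/kra-tests.yml
+++ b/.github/workflows/kra-tests.yml
@@ -63,6 +63,13 @@ jobs:
 with:
 db-image: ${{ needs.init.outputs.db-image }}
 
+kra-clone-shared-ds-test:
+name: KRA clone with shared DS
+needs: [init, build]
+uses: ./.github/workflows/kra-clone-shared-ds-test.yml
+with:
+db-image: ${{ needs.init.outputs.db-image }}
+
 kra-standalone-test:
 name: Standalone KRA
 needs: [init, build]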
