From d94adb419dde888a276df84572c506a7c4042e4e Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Thu, 24 Oct 2024 17:11:38 -0500
Subject: [PATCH] Add tests for SSNv2
New tests have been added to verify a single CA and CA clones with SSNv2. New test scripts for SSNv2 have also been added to make it easier to change the location of the range objects and nextRange attributes later. The test for CA with Nuxwdog has been relocated due to GitHub workflow limit.
---
 .github/workflows/ca-clone-ssnv2-test.yml | 1286 ++++++++++++++++
 .github/workflows/ca-clone-tests.yml | 5 +
 .github/workflows/ca-ssnv2-test.yml | 1326 +++++++++++++++++
 .github/workflows/ca-tests.yml | 10 +-
 .github/workflows/ca-tests2.yml | 5 +
 tests/ca/bin/ca-cert-next-range-ssnv2.sh | 13 +
 tests/ca/bin/ca-cert-range-objects-ssnv2.sh | 34 +
 tests/ca/bin/ca-request-next-range-ssnv2.sh | 13 +
 .../ca/bin/ca-request-range-objects-ssnv2.sh | 34 +
 9 files changed, 2721 insertions(+), 5 deletions(-)
 create mode 100644 .github/workflows/ca-clone-ssnv2-test.yml
 create mode 100644 .github/workflows/ca-ssnv2-test.yml
 create mode 100755 tests/ca/bin/ca-cert-next-range-ssnv2.sh
 create mode 100755 tests/ca/bin/ca-cert-range-objects-ssnv2.sh
 create mode 100755 tests/ca/bin/ca-request-next-range-ssnv2.sh
 create mode 100755 tests/ca/bin/ca-request-range-objects-ssnv2.sh
diff --git a/.github/workflows/ca-clone-ssnv2-test.yml b/.github/workflows/ca-clone-ssnv2-test.yml
new file mode 100644
index 00000000000..57a2a7002e2
--- /dev/null
+++ b/.github/workflows/ca-clone-ssnv2-test.yml
@@ -0,0 +1,1286 @@
+name: CA clone with SSNv2
+#
+# This test creates a CA subsystem and its clone with SSNv2 for certs and requests,
+# performs enrollments, and verifies that the ranges are maintained properly in
+# CS.cfg and DS.
+
+on: workflow_call
+
+env:
+ DS_IMAGE: ${{ vars.DS_IMAGE || 'quay.io/389ds/dirsrv' }}
+
+jobs:
+ test:
+ name: Test
+ runs-on: ubuntu-latest
+ env:
+ SHARED: /tmp/workdir/pki
+ steps:
+ - name: Clone repository
+ uses: actions/checkout@v4
+
+ - name: Retrieve PKI images
+ uses: actions/cache@v4
+ with:
+ key: pki-images-${{ github.sha }}
+ path: pki-images.tar
+
+ - name: Load PKI images
+ run: docker load --input pki-images.tar
+
+ - name: Create network
+ run: docker network create example
+
+ ####################################################################################################
+ # Create primary CA with SSNv2
+ #
+ # request range:
+ # - initial range: 1 - 10
+ # - initial size: 10
+ # - increment: 10
+ # - minimum: 5
+ #
+ # cert range:
+ # - initial range: 0x9 - 0x18
+ # - initial size: 0x10
+ # - increment: 0x12
+ # - minimum: 0x9
+
+ - name: Set up primary DS container
+ run: |
+ tests/bin/ds-create.sh \
+ --image=${{ env.DS_IMAGE }} \
+ --hostname=primaryds.example.com \
+ --network=example \
+ --network-alias=primaryds.example.com \
+ --password=Secret.123 \
+ primaryds
+
+ - name: Set up primary PKI container
+ run: |
+ tests/bin/runner-init.sh \
+ --hostname=primary.example.com \
+ --network=example \
+ --network-alias=primary.example.com \
+ primary
+
+ - name: Create primary CA
+ run: |
+ docker exec primary pkispawn \
+ -f /usr/share/pki/server/examples/installation/ca.cfg \
+ -s CA \
+ -D pki_ds_url=ldap://primaryds.example.com:3389 \
+ -D pki_request_id_generator=legacy2 \
+ -D pki_request_number_range_start=1 \
+ -D pki_request_number_range_end=10 \
+ -D pki_request_number_range_increment=10 \
+ -D pki_request_number_range_minimum=5 \
+ -D pki_request_number_range_transfer=5 \
+ -D pki_cert_id_generator=legacy2 \
+ -D pki_serial_number_range_start=0x9 \
+ -D pki_serial_number_range_end=0x18 \
+ -D pki_serial_number_range_increment=0x12 \
+ -D pki_serial_number_range_minimum=0x9 \
+ -D pki_serial_number_range_transfer=0x9 \
+ -v
+
+ - name: Enable serial number management in primary CA
+ run: |
+ docker exec primary pki-server ca-config-set dbs.enableSerialManagement true
+
+ # disable serial number update background task
+ docker exec primary pki-server ca-config-set ca.serialNumberUpdateInterval 0
+
+ # enable serial number update manual job
+ docker exec primary pki-server ca-config-set jobsScheduler.enabled true
+ docker exec primary pki-server ca-config-set jobsScheduler.job.serialNumberUpdate.enabled true
+
+ # restart primary CA
+ docker exec primary pki-server ca-redeploy --wait
+
+ - name: Install admin cert in primary CA
+ run: |
+ docker exec primary pki-server cert-export \
+ --cert-file $SHARED/ca_signing.crt \
+ ca_signing
+
+ docker exec primary pki nss-cert-import \
+ --cert $SHARED/ca_signing.crt \
+ --trust CT,C,C \
+ ca_signing
+
+ docker exec primary pki pkcs12-import \
+ --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
+ --pkcs12-password Secret.123
+
+ - name: Check requests
+ if: always()
+ run: |
+ docker exec primary pki-server ca-cert-request-find | tee output
+ sed -n "s/^ *Request ID: *\(.*\)$/\1/p" output > actual
+
+ # there should be 6 requests
+ seq 1 6 > expected
+
+ diff expected actual
+
+ - name: Check certs
+ if: always()
+ run: |
+ docker exec primary pki-server ca-cert-find | tee output
+ sed -n "s/^ *Serial Number: *\(.*\)$/\1/p" output > actual
+
+ # there should be 6 certs
+ printf "0x%x\n" {9..14} > expected
+
+ diff expected actual
+
+ - name: Check request range config in primary CA
+ if: always()
+ run: |
+ tests/ca/bin/ca-request-range-config.sh primary | tee output
+
+ # current range should be 1 - 10 (size: 10, remaining: 4)
+ cat > expected << EOF
+ dbs.beginRequestNumber=1
+ dbs.endRequestNumber=10
+ dbs.nextBeginRequestNumber=11
+ dbs.nextEndRequestNumber=20
+ dbs.requestCloneTransferNumber=5
+ dbs.requestIncrement=10
+ dbs.requestLowWaterMark=5
+ EOF
+
+ diff expected output
+
+ - name: Check cert range config in primary CA
+ if: always()
+ run: |
+ tests/ca/bin/ca-cert-range-config.sh primary | tee output
+
+ # current range should be 0x9 - 0x18 (size: 0x10, remaining: 0xa)
+ cat > expected << EOF
+ dbs.beginSerialNumber=0x9
+ dbs.endSerialNumber=0x18
+ dbs.serialCloneTransferNumber=0x9
+ dbs.serialIncrement=0x12
+ dbs.serialLowWaterMark=0x9
+ EOF
+
+ diff expected output
+
+ - name: Check request range objects
+ if: always()
+ run: |
+ tests/ca/bin/ca-request-range-objects-ssnv2.sh primaryds | tee output
+
+ # new range should be 11 - 20 (size: 10)
+ cat > expected << EOF
+ SecurePort: 8443
+ beginRange: 11
+ endRange: 20
+ host: primary.example.com
+
+ EOF
+
+ diff expected output
+
+ - name: Check cert range objects
+ if: always()
+ run: |
+ tests/ca/bin/ca-cert-range-objects-ssnv2.sh primaryds | tee output
+
+ # there should be no new range
+ diff /dev/null output
+
+ - name: Check request next range
+ if: always()
+ run: |
+ tests/ca/bin/ca-request-next-range-ssnv2.sh primaryds | tee output
+
+ # nextRange should be endRange + 1 = 11
+ cat > expected << EOF
+ nextRange: 21
+ EOF
+
+ diff expected output
+
+ - name: Check cert next range
+ if: always()
+ run: |
+ tests/ca/bin/ca-cert-next-range-ssnv2.sh primaryds | tee output
+
+ # nextRange should be dbs.endSerialNumber + 1 = 0x19 or 25
+ cat > expected << EOF
+ nextRange: 25
+ EOF
+
+ diff expected output
+
+ ####################################################################################################
+ # Create secondary CA with SSNv2
+
+ - name: Set up secondary DS container
+ run: |
+ tests/bin/ds-create.sh \
+ --image=${{ env.DS_IMAGE }} \
+ --hostname=secondaryds.example.com \
+ --network=example \
+ --network-alias=secondaryds.example.com \
+ --password=Secret.123 \
+ secondaryds
+
+ - name: Set up secondary PKI container
+ run: |
+ tests/bin/runner-init.sh \
+ --hostname=secondary.example.com \
+ --network=example \
+ --network-alias=secondary.example.com \
+ secondary
+
+ - name: Create secondary CA
+ run: |
+ docker exec primary pki-server ca-clone-prepare \
+ --pkcs12-file $SHARED/ca-certs.p12 \
+ --pkcs12-password Secret.123
+
+ docker exec secondary pkispawn \
+ -f /usr/share/pki/server/examples/installation/ca-clone.cfg \
+ -s CA \
+ -D pki_cert_chain_path=$SHARED/ca_signing.crt \
+ -D pki_clone_pkcs12_path=$SHARED/ca-certs.p12 \
+ -D pki_clone_pkcs12_password=Secret.123 \
+ -D pki_ds_url=ldap://secondaryds.example.com:3389 \
+ -D pki_request_id_generator=legacy2 \
+ -D pki_request_number_range_increment=10 \
+ -D pki_request_number_range_minimum=5 \
+ -D pki_request_number_range_transfer=5 \
+ -D pki_cert_id_generator=legacy2 \
+ -D pki_serial_number_range_increment=0x12 \
+ -D pki_serial_number_range_minimum=0x9 \
+ -D pki_serial_number_range_transfer=0x9 \
+ -v
+
+ - name: Enable serial number management in secondary CA
+ run: |
+ docker exec secondary pki-server ca-config-set dbs.enableSerialManagement true
+
+ # disable serial number update background task
+ docker exec secondary pki-server ca-config-set ca.serialNumberUpdateInterval 0
+
+ # enable serial number update manual job
+ docker exec secondary pki-server ca-config-set jobsScheduler.enabled true
+ docker exec secondary pki-server ca-config-set jobsScheduler.job.serialNumberUpdate.enabled true
+
+ # restart secondary CA
+ docker exec secondary pki-server ca-redeploy --wait
+
+ - name: Install admin cert in secondary CA
+ run: |
+ docker exec secondary pki nss-cert-import \
+ --cert $SHARED/ca_signing.crt \
+ --trust CT,C,C \
+ ca_signing
+
+ docker exec primary cp \
+ /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
+ $SHARED/ca_admin_cert.p12
+
+ docker exec secondary pki pkcs12-import \
+ --pkcs12 $SHARED/ca_admin_cert.p12 \
+ --pkcs12-password Secret.123
+
+ - name: Check requests
+ if: always()
+ run: |
+ docker exec secondary pki-server ca-cert-request-find | tee output
+ sed -n "s/^ *Request ID: *\(.*\)$/\1/p" output > actual
+
+ # there should be 7 requests
+ seq 1 7 > expected
+
+ diff expected actual
+
+ - name: Check certs
+ if: always()
+ run: |
+ docker exec secondary pki-server ca-cert-find | tee output
+ sed -n "s/^ *Serial Number: *\(.*\)$/\1/p" output > actual
+
+ # there should be 7 certs
+ printf "0x%x\n" {9..15} > expected
+
+ diff expected actual
+
+ - name: Check request range config in primary CA
+ if: always()
+ run: |
+ tests/ca/bin/ca-request-range-config.sh primary | tee output
+
+ # current range should be 1 - 10 (size: 10, remaining: 3)
+ # next range should be 11 - 15 (size: 5, remaining: 5)
+ cat > expected << EOF
+ dbs.beginRequestNumber=1
+ dbs.endRequestNumber=10
+ dbs.nextBeginRequestNumber=11
+ dbs.nextEndRequestNumber=15
+ dbs.requestCloneTransferNumber=5
+ dbs.requestIncrement=10
+ dbs.requestLowWaterMark=5
+ EOF
+
+ diff expected output
+
+ - name: Check request range config in secondary CA
+ if: always()
+ run: |
+ tests/ca/bin/ca-request-range-config.sh secondary | tee output
+
+ # current range should be 16 - 20 (size: 5, remaining: 5)
+ # it was taken from the primary CA's allocated range
+ # NOTE: should it be taken from the primary CA's current range instead?
+ cat > expected << EOF
+ dbs.beginRequestNumber=16
+ dbs.endRequestNumber=20
+ dbs.requestCloneTransferNumber=5
+ dbs.requestIncrement=10
+ dbs.requestLowWaterMark=5
+ EOF
+
+ diff expected output
+
+ - name: Check cert range config in primary CA
+ if: always()
+ run: |
+ tests/ca/bin/ca-cert-range-config.sh primary | tee output
+
+ # current range should be reduced into 0x9 - 0xf (size: 0x7, remaining: 0x0)
+ # part of it was transferred to the secondary CA
+ cat > expected << EOF
+ dbs.beginSerialNumber=0x9
+ dbs.endSerialNumber=0xf
+ dbs.serialCloneTransferNumber=0x9
+ dbs.serialIncrement=0x12
+ dbs.serialLowWaterMark=0x9
+ EOF
+
+ diff expected output
+
+ - name: Check cert range config in secondary CA
+ if: always()
+ run: |
+ tests/ca/bin/ca-cert-range-config.sh secondary | tee output
+
+ # current range should be 0x10 - 0x18 (size: 0x9, remaining: 0x9)
+ # it was taken from the primary CA's current range
+ cat > expected << EOF
+ dbs.beginSerialNumber=0x10
+ dbs.endSerialNumber=0x18
+ dbs.serialCloneTransferNumber=0x9
+ dbs.serialIncrement=0x12
+ dbs.serialLowWaterMark=0x9
+ EOF
+
+ diff expected output
+
+ - name: Check request range objects
+ if: always()
+ run: |
+ tests/ca/bin/ca-request-range-objects-ssnv2.sh secondaryds | tee output
+
+ # there should be no new range
+ # NOTE: there's no indication that part of is has
+ # been transfered to the secondary CA
+ cat > expected << EOF
+ SecurePort: 8443
+ beginRange: 11
+ endRange: 20
+ host: primary.example.com
+
+ EOF
+
+ diff expected output
+
+ - name: Check cert range objects
+ if: always()
+ run: |
+ tests/ca/bin/ca-cert-range-objects-ssnv2.sh secondaryds | tee output
+
+ # there should be no new range
+ diff /dev/null output
+
+ - name: Check request next range
+ if: always()
+ run: |
+ tests/ca/bin/ca-request-next-range-ssnv2.sh secondaryds | tee output
+
+ # nextRange should be the same
+ cat > expected << EOF
+ nextRange: 21
+ EOF
+
+ diff expected output
+
+ - name: Check cert next range
+ if: always()
+ run: |
+ tests/ca/bin/ca-cert-next-range-ssnv2.sh secondaryds | tee output
+
+ # nextRange should be the same
+ cat > expected << EOF
+ nextRange: 25
+ EOF
+
+ diff expected output
+
+ ####################################################################################################
+ # Enroll certs to exhaust request and cert ranges
+ #
+ # This will create 5 requests and 5 certs in the secondary CA,
+ # so there's no remaining requests in the current range.
+ #
+ # The cert range in the primary CA is already exhausted.
+
+ - name: Enroll 5 certs in secondary CA
+ if: always()
+ run: |
+ docker exec secondary pki \
+ nss-cert-request \
+ --subject "uid=testuser" \
+ --ext /usr/share/pki/tools/examples/certs/testuser.conf \
+ --csr testuser.csr
+
+ for i in $(seq 1 5); do
+ docker exec secondary pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caUserCert \
+ --csr-file testuser.csr \
+ --output-file testuser.crt
+
+ docker exec secondary openssl x509 -in testuser.crt -serial -noout
+ done
+
+ - name: Check requests
+ if: always()
+ run: |
+ docker exec primary pki-server ca-cert-request-find | tee output
+ sed -n "s/^ *Request ID: *\(.*\)$/\1/p" output > actual
+
+ # there should be 12 requests
+ seq 1 7 > expected
+ seq 16 20 >> expected
+
+ diff expected actual
+
+ - name: Check certs
+ if: always()
+ run: |
+ docker exec primary pki-server ca-cert-find | tee output
+ sed -n "s/^ *Serial Number: *\(.*\)$/\1/p" output > actual
+
+ # there should be 12 certs
+ printf "0x%x\n" {9..15} > expected # primary CA
+ printf "0x%x\n" {16..20} >> expected # secondary CA
+
+ diff expected actual
+
+ - name: Check request range config in primary CA
+ if: always()
+ run: |
+ tests/ca/bin/ca-request-range-config.sh primary | tee output
+
+ # current range should be 1 - 10 (size: 10, remaining: 3)
+ # next range should be 11 - 15 (size: 5, remaining: 5)
+ cat > expected << EOF
+ dbs.beginRequestNumber=1
+ dbs.endRequestNumber=10
+ dbs.nextBeginRequestNumber=11
+ dbs.nextEndRequestNumber=15
+ dbs.requestCloneTransferNumber=5
+ dbs.requestIncrement=10
+ dbs.requestLowWaterMark=5
+ EOF
+
+ diff expected output
+
+ - name: Check request range config in secondary CA
+ if: always()
+ run: |
+ tests/ca/bin/ca-request-range-config.sh secondary | tee output
+
+ # current range should be 16 - 20 (size: 5, remaining: 0)
+ cat > expected << EOF
+ dbs.beginRequestNumber=16
+ dbs.endRequestNumber=20
+ dbs.requestCloneTransferNumber=5
+ dbs.requestIncrement=10
+ dbs.requestLowWaterMark=5
+ EOF
+
+ diff expected output
+
+ - name: Check cert range config in primary CA
+ if: always()
+ run: |
+ tests/ca/bin/ca-cert-range-config.sh primary | tee output
+
+ # current range should be 0x9 - 0xf (size: 0x7, remaining: 0x0)
+ cat > expected << EOF
+ dbs.beginSerialNumber=0x9
+ dbs.endSerialNumber=0xf
+ dbs.serialCloneTransferNumber=0x9
+ dbs.serialIncrement=0x12
+ dbs.serialLowWaterMark=0x9
+ EOF
+
+ diff expected output
+
+ - name: Check cert range config in secondary CA
+ if: always()
+ run: |
+ tests/ca/bin/ca-cert-range-config.sh secondary | tee output
+
+ # current range should be 0x10 - 0x18 (size: 0x9, remaining: 0x4)
+ cat > expected << EOF
+ dbs.beginSerialNumber=0x10
+ dbs.endSerialNumber=0x18
+ dbs.serialCloneTransferNumber=0x9
+ dbs.serialIncrement=0x12
+ dbs.serialLowWaterMark=0x9
+ EOF
+
+ diff expected output
+
+ - name: Check request range objects
+ if: always()
+ run: |
+ tests/ca/bin/ca-request-range-objects-ssnv2.sh primaryds | tee output
+
+ # there should be no new range
+ cat > expected << EOF
+ SecurePort: 8443
+ beginRange: 11
+ endRange: 20
+ host: primary.example.com
+
+ EOF
+
+ diff expected output
+
+ - name: Check cert range objects
+ if: always()
+ run: |
+ tests/ca/bin/ca-cert-range-objects-ssnv2.sh primaryds | tee output
+
+ # there should be no new range
+ diff /dev/null output
+
+ - name: Check request next range
+ if: always()
+ run: |
+ tests/ca/bin/ca-request-next-range-ssnv2.sh primaryds | tee output
+
+ # nextRange should be the same
+ cat > expected << EOF
+ nextRange: 21
+ EOF
+
+ diff expected output
+
+ - name: Check cert next range
+ if: always()
+ run: |
+ tests/ca/bin/ca-cert-next-range-ssnv2.sh primaryds | tee output
+
+ # nextRange should be the same
+ cat > expected << EOF
+ nextRange: 25
+ EOF
+
+ diff expected output
+
+ ####################################################################################################
+ # Enroll certs when ranges are exhausted
+ #
+ # On primary CA this will fail due to exhausted cert range, but
+ # it will still create a new request.
+ #
+ # On secondary CA this will fail due to exhausted request range,
+ # so it will not create a new request.
+
+ - name: Enroll a cert when cert range is exhausted in primary CA
+ if: always()
+ run: |
+ docker exec primary pki \
+ nss-cert-request \
+ --subject "uid=testuser" \
+ --ext /usr/share/pki/tools/examples/certs/testuser.conf \
+ --csr testuser.csr
+
+ docker exec primary pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caUserCert \
+ --csr-file testuser.csr \
+ --output-file testuser.crt \
+ > >(tee stdout) 2> >(tee stderr >&2) || true
+
+ # TODO: fix missing request ID and typo
+ cat > expected << EOF
+ PKIException: Server Internal Error: Request was completed with errors.
+ CA has exausted all available serial numbers
+ EOF
+
+ diff expected stderr
+
+ - name: Enroll a cert when request range is exhausted in secondary CA
+ if: always()
+ run: |
+ docker exec secondary pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caUserCert \
+ --csr-file testuser.csr \
+ --output-file testuser.crt \
+ > >(tee stdout) 2> >(tee stderr >&2) || true
+
+ cat > expected << EOF
+ PKIException: Unable to create enrollment request: Unable to create enrollment request: All serial numbers are used. The max serial number is 0x21
+ EOF
+
+ diff expected stderr
+
+ - name: Check requests
+ if: always()
+ run: |
+ docker exec secondary pki-server ca-cert-request-find | tee output
+ sed -n "s/^ *Request ID: *\(.*\)$/\1/p" output > actual
+
+ # there should be 13 requests
+ seq 1 7 > expected # primary CA
+ seq 16 20 >> expected # secondary CA
+ echo 8 >> expected # primary CA
+
+ diff expected actual
+
+ - name: Check certs
+ if: always()
+ run: |
+ docker exec primary pki-server ca-cert-find | tee output
+ sed -n "s/^ *Serial Number: *\(.*\)$/\1/p" output > actual
+
+ # there should be 12 certs
+ printf "0x%x\n" {9..15} > expected # primary CA
+ printf "0x%x\n" {16..20} >> expected # secondary CA
+
+ diff expected actual
+
+ - name: Check request range config in primary CA
+ if: always()
+ run: |
+ tests/ca/bin/ca-request-range-config.sh primary | tee output
+
+ # current range should be 1 - 10 (size: 10, remaining: 2)
+ # next range should be 11 - 15 (size: 5, remaining: 5)
+ cat > expected << EOF
+ dbs.beginRequestNumber=1
+ dbs.endRequestNumber=10
+ dbs.nextBeginRequestNumber=11
+ dbs.nextEndRequestNumber=15
+ dbs.requestCloneTransferNumber=5
+ dbs.requestIncrement=10
+ dbs.requestLowWaterMark=5
+ EOF
+
+ diff expected output
+
+ - name: Check request range config in secondary CA
+ if: always()
+ run: |
+ tests/ca/bin/ca-request-range-config.sh secondary | tee output
+
+ # current range should be 16 - 20 (size: 5, remaining: 0)
+ cat > expected << EOF
+ dbs.beginRequestNumber=16
+ dbs.endRequestNumber=20
+ dbs.requestCloneTransferNumber=5
+ dbs.requestIncrement=10
+ dbs.requestLowWaterMark=5
+ EOF
+
+ diff expected output
+
+ - name: Check cert range config in primary CA
+ if: always()
+ run: |
+ tests/ca/bin/ca-cert-range-config.sh primary | tee output
+
+ # current range should be 0x9 - 0xf (size: 0x7, remaining: 0x0)
+ cat > expected << EOF
+ dbs.beginSerialNumber=0x9
+ dbs.endSerialNumber=0xf
+ dbs.serialCloneTransferNumber=0x9
+ dbs.serialIncrement=0x12
+ dbs.serialLowWaterMark=0x9
+ EOF
+
+ diff expected output
+
+ - name: Check cert range config in secondary CA
+ if: always()
+ run: |
+ tests/ca/bin/ca-cert-range-config.sh secondary | tee output
+
+ # current range should be 0x10 - 0x18 (size: 0x9, remaining: 0x4)
+ cat > expected << EOF
+ dbs.beginSerialNumber=0x10
+ dbs.endSerialNumber=0x18
+ dbs.serialCloneTransferNumber=0x9
+ dbs.serialIncrement=0x12
+ dbs.serialLowWaterMark=0x9
+ EOF
+
+ diff expected output
+
+ ####################################################################################################
+ # Allocate new ranges
+ #
+ # This will create new request and cert ranges in primary CA and secondary CA.
+
+ - name: Allocate new ranges
+ if: always()
+ run: |
+ docker exec primary pki \
+ -n caadmin \
+ ca-job-start \
+ serialNumberUpdate
+
+ docker exec secondary pki \
+ -n caadmin \
+ ca-job-start \
+ serialNumberUpdate
+
+ # wait for DS replication
+ sleep 5
+
+ - name: Check request range config in primary CA
+ if: always()
+ run: |
+ tests/ca/bin/ca-request-range-config.sh primary | tee output
+
+ # current range should be 1 - 10 (size: 10, remaining: 2)
+ # next range should be 11 - 15 (size: 5, remaining: 5)
+ cat > expected << EOF
+ dbs.beginRequestNumber=1
+ dbs.endRequestNumber=10
+ dbs.nextBeginRequestNumber=11
+ dbs.nextEndRequestNumber=15
+ dbs.requestCloneTransferNumber=5
+ dbs.requestIncrement=10
+ dbs.requestLowWaterMark=5
+ EOF
+
+ diff expected output
+
+ - name: Check request range config in secondary CA
+ if: always()
+ run: |
+ tests/ca/bin/ca-request-range-config.sh secondary | tee output
+
+ # current range should be 16 - 20 (size: 5, remaining: 0)
+ # next range should be 21 - 30 (size: 10, remaining: 10)
+ cat > expected << EOF
+ dbs.beginRequestNumber=16
+ dbs.endRequestNumber=20
+ dbs.nextBeginRequestNumber=21
+ dbs.nextEndRequestNumber=30
+ dbs.requestCloneTransferNumber=5
+ dbs.requestIncrement=10
+ dbs.requestLowWaterMark=5
+ EOF
+
+ diff expected output
+
+ - name: Check cert range config in primary CA
+ if: always()
+ run: |
+ tests/ca/bin/ca-cert-range-config.sh primary | tee output
+
+ # current range should be 0x9 - 0xf (size: 0x7, remaining: 0x0)
+ # next range should be 0x19 - 0x2a (size: 0x12, remaining: 0x12)
+ cat > expected << EOF
+ dbs.beginSerialNumber=0x9
+ dbs.endSerialNumber=0xf
+ dbs.nextBeginSerialNumber=0x19
+ dbs.nextEndSerialNumber=0x2a
+ dbs.serialCloneTransferNumber=0x9
+ dbs.serialIncrement=0x12
+ dbs.serialLowWaterMark=0x9
+ EOF
+
+ diff expected output
+
+ - name: Check cert range config in secondary CA
+ if: always()
+ run: |
+ tests/ca/bin/ca-cert-range-config.sh secondary | tee output
+
+ # current range should be 0x10 - 0x18 (size: 0x9, remaining: 0x4)
+ # next range should be 0x2b - 0x3c (size: 0x12, remaining: 0x12)
+ cat > expected << EOF
+ dbs.beginSerialNumber=0x10
+ dbs.endSerialNumber=0x18
+ dbs.nextBeginSerialNumber=0x2b
+ dbs.nextEndSerialNumber=0x3c
+ dbs.serialCloneTransferNumber=0x9
+ dbs.serialIncrement=0x12
+ dbs.serialLowWaterMark=0x9
+ EOF
+
+ diff expected output
+
+ - name: Check request range objects
+ if: always()
+ run: |
+ tests/ca/bin/ca-request-range-objects-ssnv2.sh primaryds | tee output
+
+ # new range should be 21 - 30 (size: 10)
+ cat > expected << EOF
+ SecurePort: 8443
+ beginRange: 11
+ endRange: 20
+ host: primary.example.com
+
+ SecurePort: 8443
+ beginRange: 21
+ endRange: 30
+ host: secondary.example.com
+
+ EOF
+
+ diff expected output
+
+ - name: Check cert range objects
+ if: always()
+ run: |
+ tests/ca/bin/ca-cert-range-objects-ssnv2.sh primaryds | tee output
+
+ # new range should be 0x2b - 0x3c or 43 - 60 (size: 0x12)
+ cat > expected << EOF
+ SecurePort: 8443
+ beginRange: 25
+ endRange: 42
+ host: primary.example.com
+
+ SecurePort: 8443
+ beginRange: 43
+ endRange: 60
+ host: secondary.example.com
+
+ EOF
+
+ diff expected output
+
+ - name: Check request next range
+ if: always()
+ run: |
+ tests/ca/bin/ca-request-next-range-ssnv2.sh primaryds | tee output
+
+ # nextRange should be endRange + 1 = 31
+ cat > expected << EOF
+ nextRange: 31
+ EOF
+
+ diff expected output
+
+ - name: Check cert next range
+ if: always()
+ run: |
+ tests/ca/bin/ca-cert-next-range-ssnv2.sh primaryds | tee output
+
+ # nextRange should be endRange + 1 = 61 or 0x3d
+ cat > expected << EOF
+ nextRange: 61
+ EOF
+
+ diff expected output
+
+ ####################################################################################################
+ # Enroll certs to exhaust the ranges again
+ #
+ # This will create 7 requests and 7 certs in primary CA
+ # and 10 requests and 10 certs in secondary CA.
+
+ - name: Enroll 7 certs in primary CA
+ if: always()
+ run: |
+ for i in $(seq 1 7); do
+ docker exec primary pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caUserCert \
+ --csr-file testuser.csr \
+ --output-file testuser.crt
+
+ docker exec primary openssl x509 -in testuser.crt -serial -noout
+ done
+
+ - name: Enroll 10 certs in secondary CA
+ if: always()
+ run: |
+ for i in $(seq 1 10); do
+ docker exec secondary pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caUserCert \
+ --csr-file testuser.csr \
+ --output-file testuser.crt
+
+ docker exec secondary openssl x509 -in testuser.crt -serial -noout
+ done
+
+ - name: Check requests
+ if: always()
+ run: |
+ docker exec secondary pki-server ca-cert-request-find | tee output
+ sed -n "s/^ *Request ID: *\(.*\)$/\1/p" output > actual
+
+ # there should be 30 requests
+ seq 1 7 > expected # primary CA
+ seq 16 20 >> expected # secondary CA
+ seq 8 15 >> expected # primary CA
+ seq 21 30 >> expected # secondary CA
+
+ diff expected actual
+
+ - name: Check certs
+ if: always()
+ run: |
+ docker exec primary pki-server ca-cert-find | tee output
+ sed -n "s/^ *Serial Number: *\(.*\)$/\1/p" output > actual
+
+ # there should be 29 certs. since the certs were issued by
+ # different CAs with different ranges, it's normal to have
+ # a gap temporarily, and the gap should disappear when the
+ # ranges are exhausted.
+
+ printf "0x%x\n" {9..15} > expected # primary CA
+ printf "0x%x\n" {16..24} >> expected # secondary CA
+ printf "0x%x\n" {25..31} >> expected # primary CA
+ printf "0x%x\n" {43..48} >> expected # secondary CA
+
+ diff expected actual
+
+ - name: Check request range config in primary CA
+ if: always()
+ run: |
+ tests/ca/bin/ca-request-range-config.sh primary | tee output
+
+ # current range should be 11 - 15 (size: 5, remaining: 0)
+ cat > expected << EOF
+ dbs.beginRequestNumber=11
+ dbs.endRequestNumber=15
+ dbs.requestCloneTransferNumber=5
+ dbs.requestIncrement=10
+ dbs.requestLowWaterMark=5
+ EOF
+
+ diff expected output
+
+ - name: Check request range config in secondary CA
+ if: always()
+ run: |
+ tests/ca/bin/ca-request-range-config.sh secondary | tee output
+
+ # current range should be 21 - 30 (size: 10, remaining: 0)
+ cat > expected << EOF
+ dbs.beginRequestNumber=21
+ dbs.endRequestNumber=30
+ dbs.requestCloneTransferNumber=5
+ dbs.requestIncrement=10
+ dbs.requestLowWaterMark=5
+ EOF
+
+ diff expected output
+
+ - name: Check cert range config in primary CA
+ if: always()
+ run: |
+ tests/ca/bin/ca-cert-range-config.sh primary | tee output
+
+ # current range should be 0x19 - 0x2a (size: 0x12, remaining: 0xb)
+ cat > expected << EOF
+ dbs.beginSerialNumber=0x19
+ dbs.endSerialNumber=0x2a
+ dbs.serialCloneTransferNumber=0x9
+ dbs.serialIncrement=0x12
+ dbs.serialLowWaterMark=0x9
+ EOF
+
+ diff expected output
+
+ - name: Check cert range config in secondary CA
+ if: always()
+ run: |
+ tests/ca/bin/ca-cert-range-config.sh secondary | tee output
+
+ # current range should be 0x2b - 0x3c (size: 0x12, remaining: 0xc)
+ cat > expected << EOF
+ dbs.beginSerialNumber=0x2b
+ dbs.endSerialNumber=0x3c
+ dbs.serialCloneTransferNumber=0x9
+ dbs.serialIncrement=0x12
+ dbs.serialLowWaterMark=0x9
+ EOF
+
+ diff expected output
+
+ - name: Check request range objects
+ if: always()
+ run: |
+ tests/ca/bin/ca-request-range-objects-ssnv2.sh primaryds | tee output
+
+ # there should be no new range
+ cat > expected << EOF
+ SecurePort: 8443
+ beginRange: 11
+ endRange: 20
+ host: primary.example.com
+
+ SecurePort: 8443
+ beginRange: 21
+ endRange: 30
+ host: secondary.example.com
+
+ EOF
+
+ diff expected output
+
+ - name: Check cert range objects
+ if: always()
+ run: |
+ tests/ca/bin/ca-cert-range-objects-ssnv2.sh primaryds | tee output
+
+ # there should be no new range
+ cat > expected << EOF
+ SecurePort: 8443
+ beginRange: 25
+ endRange: 42
+ host: primary.example.com
+
+ SecurePort: 8443
+ beginRange: 43
+ endRange: 60
+ host: secondary.example.com
+
+ EOF
+
+ diff expected output
+
+ - name: Check request next range
+ if: always()
+ run: |
+ tests/ca/bin/ca-request-next-range-ssnv2.sh primaryds | tee output
+
+ # nextRange should be the same
+ cat > expected << EOF
+ nextRange: 31
+ EOF
+
+ diff expected output
+
+ - name: Check cert next range
+ if: always()
+ run: |
+ tests/ca/bin/ca-cert-next-range-ssnv2.sh primaryds | tee output
+
+ # nextRange should be the same
+ cat > expected << EOF
+ nextRange: 61
+ EOF
+
+ diff expected output
+
+ ####################################################################################################
+ # Allocate new request range for primary CA
+
+ - name: Allocate new request range for primary CA
+ if: always()
+ run: |
+ docker exec primary pki \
+ -n caadmin \
+ ca-job-start \
+ serialNumberUpdate
+
+ # wait for DS replication
+ sleep 5
+
+ ####################################################################################################
+ # Enroll 10 certs in primary CA
+ #
+ # This will create 10 requests and 10 certs in primary CA.
+
+ - name: Enroll 10 certs in primary CA
+ if: always()
+ run: |
+ for i in $(seq 1 10); do
+ docker exec primary pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caUserCert \
+ --csr-file testuser.csr \
+ --output-file testuser.crt
+
+ docker exec primary openssl x509 -in testuser.crt -serial -noout
+ done
+
+ - name: Check requests
+ if: always()
+ run: |
+ docker exec secondary pki-server ca-cert-request-find | tee output
+ sed -n "s/^ *Request ID: *\(.*\)$/\1/p" output > actual
+
+ # there should be 40 requests
+ seq 1 7 > expected # primary CA
+ seq 16 20 >> expected # secondary CA
+ seq 8 15 >> expected # primary CA
+ seq 21 30 >> expected # secondary CA
+ seq 31 40 >> expected # primary CA
+
+ diff expected actual
+
+ - name: Check certs
+ if: always()
+ run: |
+ docker exec primary pki-server ca-cert-find | tee output
+ sed -n "s/^ *Serial Number: *\(.*\)$/\1/p" output > actual
+
+ # there should be 39 certs
+ printf "0x%x\n" {9..15} > expected # primary CA
+ printf "0x%x\n" {16..24} >> expected # secondary CA
+ printf "0x%x\n" {25..41} >> expected # primary CA
+ printf "0x%x\n" {43..48} >> expected # secondary CA
+
+ diff expected actual
+
+ ####################################################################################################
+ # Allocate new request range for primary CA again
+
+ - name: Allocate new request range for primary CA again
+ if: always()
+ run: |
+ docker exec primary pki \
+ -n caadmin \
+ ca-job-start \
+ serialNumberUpdate
+
+ # wait for DS replication
+ sleep 5
+
+ ####################################################################################################
+ # Enroll 1 cert in primary CA to close the gap
+ #
+ # This will create 1 request and 1 cert in primary CA.
+
+ - name: Enroll 1 cert in primary CA
+ if: always()
+ run: |
+ docker exec primary pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caUserCert \
+ --csr-file testuser.csr \
+ --output-file testuser.crt
+
+ docker exec primary openssl x509 -in testuser.crt -serial -noout
+
+ - name: Check requests
+ if: always()
+ run: |
+ docker exec secondary pki-server ca-cert-request-find | tee output
+ sed -n "s/^ *Request ID: *\(.*\)$/\1/p" output > actual
+
+ # there should be 41 requests
+ seq 1 7 > expected # primary CA
+ seq 16 20 >> expected # secondary CA
+ seq 8 15 >> expected # primary CA
+ seq 21 30 >> expected # secondary CA
+ seq 31 41 >> expected # primary CA
+
+ diff expected actual
+
+ - name: Check certs
+ if: always()
+ run: |
+ docker exec primary pki-server ca-cert-find | tee output
+ sed -n "s/^ *Serial Number: *\(.*\)$/\1/p" output > actual
+
+ # there should be 40 certs without any gap
+ printf "0x%x\n" {9..15} > expected # primary CA
+ printf "0x%x\n" {16..24} >> expected # secondary CA
+ printf "0x%x\n" {25..42} >> expected # primary CA
+ printf "0x%x\n" {43..48} >> expected # secondary CA
+
+ diff expected actual
+
+ ####################################################################################################
+ # Cleanup
+
+ - name: Remove secondary CA
+ run: |
+ docker exec secondary pkidestroy -s CA -v
+
+ - name: Remove primary CA
+ run: |
+ docker exec primary pkidestroy -s CA -v
+
+ - name: Check primary DS server systemd journal
+ if: always()
+ run: |
+ docker exec primaryds journalctl -x --no-pager -u dirsrv@localhost.service
+
+ - name: Check primary DS container logs
+ if: always()
+ run: |
+ docker logs primaryds
+
+ - name: Check primary PKI server systemd journal
+ if: always()
+ run: |
+ docker exec primary journalctl -x --no-pager -u pki-tomcatd@pki-tomcat.service
+
+ - name: Check primary PKI server access log
+ if: always()
+ run: |
+ docker exec primary find /var/log/pki/pki-tomcat -name "localhost_access_log.*" -exec cat {} \;
+
+ - name: Check primary CA debug log
+ if: always()
+ run: |
+ docker exec primary find /var/lib/pki/pki-tomcat/logs/ca -name "debug.*" -exec cat {} \;
+
+ - name: Check secondary DS server systemd journal
+ if: always()
+ run: |
+ docker exec secondaryds journalctl -x --no-pager -u dirsrv@localhost.service
+
+ - name: Check secondary DS container logs
+ if: always()
+ run: |
+ docker logs secondaryds
+
+ - name: Check secondary PKI server systemd journal
+ if: always()
+ run: |
+ docker exec secondary journalctl -x --no-pager -u pki-tomcatd@pki-tomcat.service
+
+ - name: Check secondary PKI server access log
+ if: always()
+ run: |
+ docker exec secondary find /var/log/pki/pki-tomcat -name "localhost_access_log.*" -exec cat {} \;
+
+ - name: Check secondary CA debug log
+ if: always()
+ run: |
+ docker exec secondary find /var/lib/pki/pki-tomcat/logs/ca -name "debug.*" -exec cat {} \;
diff --git a/.github/workflows/ca-clone-tests.yml b/.github/workflows/ca-clone-tests.yml
index c3d731a37ea..7a52e40a47f 100644
--- a/.github/workflows/ca-clone-tests.yml
+++ b/.github/workflows/ca-clone-tests.yml
@@ -37,3 +37,8 @@ jobs:
 name: CA clone with SSNv1
 needs: build
 uses: ./.github/workflows/ca-clone-ssnv1-test.yml
+
+ ca-clone-ssnv2-test:
+ name: CA clone with SSNv2
+ needs: build
+ uses: ./.github/workflows/ca-clone-ssnv2-test.yml
diff --git a/.github/workflows/ca-ssnv2-test.yml b/.github/workflows/ca-ssnv2-test.yml
new file mode 100644
index 00000000000..0fe1280f034
--- /dev/null
+++ b/.github/workflows/ca-ssnv2-test.yml
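Review bot: The comment in the primary CA's first "Check request next range" step disagrees with the value the step actually checks: `# nextRange should be endRange + 1 = 11` is immediately followed by `nextRange: 21`, and since the range object verified just above ends at 20, the expected value is right and the comment should read `# nextRange should be endRange + 1 = 21`. The NOTE in the post-clone "Check request range objects" step has two typos, `part of is has` and `transfered`, which should read `# NOTE: there's no indication that part of it has` / `# been transferred to the secondary CA`. The `sleep 5` after each `ca-job-start serialNumberUpdate` is a fixed wait for DS replication, so the range-config checks that follow it may fail intermittently on a slow runner; polling the range config until the expected `dbs.nextBeginRequestNumber` value appears (with a bounded retry count) would make those steps deterministic.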
@@ -0,0 +1,1326 @@ +name: CA with SSNv2 +# +# This test creates a CA subsystem with SSNv2 for certs and requests, +# performs enrollments, and verifies that the ranges are maintained +# properly in CS.cfg and DS. + +on: workflow_call + +env: + DS_IMAGE: ${{ vars.DS_IMAGE || 'quay.io/389ds/dirsrv' }} + +jobs: + test: + name: Test + runs-on: ubuntu-latest + env: + SHARED: /tmp/workdir/pki + steps: + - name: Clone repository + uses: actions/checkout@v4 + + - name: Retrieve PKI images + uses: actions/cache@v4 + with: + key: pki-images-${{ github.sha }} + path: pki-images.tar + + - name: Load PKI images + run: docker load --input pki-images.tar + + - name: Create network + run: docker network create example + + #################################################################################################### + # Create CA with Sequential Serial Numbers + # + # requests: + # - initial range: 1 - 10 + # - initial size: 10 + # - increment: 10 + # - minimum: 5 + # + # certs: + # - initial range: 0x9 - 0x18 + # - initial size: 0x10 + # - increment: 0x12 + # - minimum: 0x9 + + - name: Set up DS container + run: | + tests/bin/ds-create.sh \ + --image=${{ env.DS_IMAGE }} \ + --hostname=ds.example.com \ + --network=example \ + --network-alias=ds.example.com \ + --password=Secret.123 \ + ds + + - name: Set up PKI container + run: | + tests/bin/runner-init.sh \ + --hostname=pki.example.com \ + --network=example \ + --network-alias=pki.example.com \ + pki + + - name: Create CA + run: | + docker exec pki pkispawn \ + -f /usr/share/pki/server/examples/installation/ca.cfg \ + -s CA \ + -D pki_ds_url=ldap://ds.example.com:3389 \ + -D pki_request_id_generator=legacy2 \ + -D pki_request_number_range_start=1 \ + -D pki_request_number_range_end=10 \ + -D pki_request_number_range_increment=10 \ + -D pki_request_number_range_minimum=5 \ + -D pki_request_number_range_transfer=5 \ + -D pki_cert_id_generator=legacy2 \ + -D pki_serial_number_range_start=0x9 \ + -D 
pki_serial_number_range_end=0x18 \ + -D pki_serial_number_range_increment=0x12 \ + -D pki_serial_number_range_minimum=0x9 \ + -D pki_serial_number_range_transfer=0x9 \ + -v + + - name: Install admin cert + run: | + docker exec pki pki-server cert-export \ + --cert-file ca_signing.crt \ + ca_signing + + docker exec pki pki nss-cert-import \ + --cert ca_signing.crt \ + --trust CT,C,C \ + ca_signing + + docker exec pki pki pkcs12-import \ + --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \ + --pkcs12-password Secret.123 + + - name: Check requests + if: always() + run: | + docker exec pki pki-server ca-cert-request-find | tee output + sed -n "s/^ *Request ID: *\(.*\)$/\1/p" output > actual + + # there should be 6 requests + seq 1 6 > expected + + diff expected actual + + - name: Check certs + if: always() + run: | + docker exec pki pki-server ca-cert-find | tee output + sed -n "s/^ *Serial Number: *\(.*\)$/\1/p" output > actual + + # there should be 6 certs + printf "0x%x\n" {9..14} > expected + + diff expected actual + + - name: Check request range config + if: always() + run: | + tests/ca/bin/ca-request-range-config.sh pki | tee output + + # current range should be 1 - 10 (size: 10, remaining: 4) + cat > expected << EOF + dbs.beginRequestNumber=1 + dbs.endRequestNumber=10 + dbs.requestCloneTransferNumber=5 + dbs.requestIncrement=10 + dbs.requestLowWaterMark=5 + EOF + + diff expected output + + - name: Check cert range config + if: always() + run: | + tests/ca/bin/ca-cert-range-config.sh pki | tee output + + # current range should be 0x9 - 0x18 (size: 0x10, remaining: 0xa) + cat > expected << EOF + dbs.beginSerialNumber=0x9 + dbs.endSerialNumber=0x18 + dbs.serialCloneTransferNumber=0x9 + dbs.serialIncrement=0x12 + dbs.serialLowWaterMark=0x9 + EOF + + diff expected output + + - name: Check request range objects + if: always() + run: | + tests/ca/bin/ca-request-range-objects-ssnv2.sh ds | tee output + + # there should be no new range + diff /dev/null output + + - 
name: Check cert range objects + if: always() + run: | + tests/ca/bin/ca-cert-range-objects-ssnv2.sh ds | tee output + + # there should be no new range + diff /dev/null output + + - name: Check request next range + if: always() + run: | + tests/ca/bin/ca-request-next-range-ssnv2.sh ds | tee output + + # request nextRange should be dbs.endRequestNumber + 1 = 11 + cat > expected << EOF + nextRange: 11 + EOF + + diff expected output + + - name: Check cert next range + if: always() + run: | + tests/ca/bin/ca-cert-next-range-ssnv2.sh ds | tee output + + # cert nextRange should be dbs.endSerialNumber + 1 = 0x19 or 25 + cat > expected << EOF + nextRange: 25 + EOF + + diff expected output + + #################################################################################################### + # Enable serial number management + # + # Restarting CA with serial management enabled will trigger a new + # range allocation for requests since the remaining numbers in + # the current range (i.e. 4) is below the minimum (i.e. 5). + # + # For certs there is no new allocation since the remaining numbers + # in the current range (i.e. 10) is still above the minimum (i.e. 9). 
+ + - name: Enable serial number management + if: always() + run: | + docker exec pki pki-server ca-config-set dbs.enableSerialManagement true + + # disable serial number update background task + docker exec pki pki-server ca-config-set ca.serialNumberUpdateInterval 0 + + # enable serial number update manual job + docker exec pki pki-server ca-config-set jobsScheduler.enabled true + docker exec pki pki-server ca-config-set jobsScheduler.job.serialNumberUpdate.enabled true + + # restart CA subsystem + docker exec pki pki-server ca-redeploy --wait + + - name: Check request range config + if: always() + run: | + tests/ca/bin/ca-request-range-config.sh pki | tee output + + # current range should be 1 - 10 (size: 10, remaining: 4) + # new range should be 11 - 20 (size: 10, remaining: 10) + cat > expected << EOF + dbs.beginRequestNumber=1 + dbs.endRequestNumber=10 + dbs.nextBeginRequestNumber=11 + dbs.nextEndRequestNumber=20 + dbs.requestCloneTransferNumber=5 + dbs.requestIncrement=10 + dbs.requestLowWaterMark=5 + EOF + + diff expected output + + - name: Check cert range config + if: always() + run: | + tests/ca/bin/ca-cert-range-config.sh pki | tee output + + # current range should be 0x9 - 0x18 (size: 0x10, remaining: 0xa) + cat > expected << EOF + dbs.beginSerialNumber=0x9 + dbs.endSerialNumber=0x18 + dbs.serialCloneTransferNumber=0x9 + dbs.serialIncrement=0x12 + dbs.serialLowWaterMark=0x9 + EOF + + diff expected output + + - name: Check request range objects + if: always() + run: | + tests/ca/bin/ca-request-range-objects-ssnv2.sh ds | tee output + + # new range should be 11 - 20 (size: 10) + cat > expected << EOF + SecurePort: 8443 + beginRange: 11 + endRange: 20 + host: pki.example.com + + EOF + + diff expected output + + - name: Check cert range objects + if: always() + run: | + tests/ca/bin/ca-cert-range-objects-ssnv2.sh ds | tee output + + # there should be no new range + diff /dev/null output + + - name: Check request next range + if: always() + run: | + 
tests/ca/bin/ca-request-next-range-ssnv2.sh ds | tee output + + # nextRange should be endRange + 1 = 21 + cat > expected << EOF + nextRange: 21 + EOF + + diff expected output + + - name: Check cert next range + if: always() + run: | + tests/ca/bin/ca-cert-next-range-ssnv2.sh ds | tee output + + # nextRange should be the same + cat > expected << EOF + nextRange: 25 + EOF + + diff expected output + + #################################################################################################### + # Enroll certs to exhaust cert range + # + # This will create 10 requests and 10 certs. For requests, since + # the remaining numbers in the current range is below the minimum + # and already has allocated new range, it will automatically + # switch to the new range. + # + # For certs, it will exhaust the current range but not switch to a + # new range. + + - name: Enroll 10 certs + if: always() + run: | + docker exec pki pki \ + nss-cert-request \ + --subject "uid=testuser" \ + --ext /usr/share/pki/tools/examples/certs/testuser.conf \ + --csr testuser.csr + + for i in $(seq 1 10); do + docker exec pki pki \ + -n caadmin \ + ca-cert-issue \ + --profile caUserCert \ + --csr-file testuser.csr \ + --output-file testuser.crt + + docker exec pki openssl x509 -in testuser.crt -serial -noout + done + + - name: Check requests + if: always() + run: | + docker exec pki pki-server ca-cert-request-find | tee output + + sed -n "s/^ *Request ID: *\(.*\)$/\1/p" output > actual + + # there should be 16 requests + seq 1 16 > expected + + diff expected actual + + - name: Check certs + if: always() + run: | + docker exec pki pki-server ca-cert-find | tee output + + sed -n "s/^ *Serial Number: *\(.*\)$/\1/p" output > actual + + # there should be 16 certs + printf "0x%x\n" {9..24} > expected + + diff expected actual + + - name: Check request range config + if: always() + run: | + tests/ca/bin/ca-request-range-config.sh pki | tee output + + # current range should be 11 - 20 (size: 10, 
remaining: 4) + cat > expected << EOF + dbs.beginRequestNumber=11 + dbs.endRequestNumber=20 + dbs.requestCloneTransferNumber=5 + dbs.requestIncrement=10 + dbs.requestLowWaterMark=5 + EOF + + diff expected output + + - name: Check cert range config + if: always() + run: | + tests/ca/bin/ca-cert-range-config.sh pki | tee output + + # current range should be 0x9 - 0x18 (size: 0x10, remaining: 0x0) + cat > expected << EOF + dbs.beginSerialNumber=0x9 + dbs.endSerialNumber=0x18 + dbs.serialCloneTransferNumber=0x9 + dbs.serialIncrement=0x12 + dbs.serialLowWaterMark=0x9 + EOF + + diff expected output + + - name: Check request range objects + if: always() + run: | + tests/ca/bin/ca-request-range-objects-ssnv2.sh ds | tee output + + # there should be no new range + cat > expected << EOF + SecurePort: 8443 + beginRange: 11 + endRange: 20 + host: pki.example.com + + EOF + + diff expected output + + - name: Check cert range objects + if: always() + run: | + tests/ca/bin/ca-cert-range-objects-ssnv2.sh ds | tee output + + # there should be no new range + diff /dev/null output + + - name: Check request next range + if: always() + run: | + tests/ca/bin/ca-request-next-range-ssnv2.sh ds | tee output + + # nextRange should be the same + cat > expected << EOF + nextRange: 21 + EOF + + diff expected output + + - name: Check cert next range + if: always() + run: | + tests/ca/bin/ca-cert-next-range-ssnv2.sh ds | tee output + + # nextRange should be the same + cat > expected << EOF + nextRange: 25 + EOF + + diff expected output + + #################################################################################################### + # Enroll a cert when cert range is exhausted + # + # This will create a request but fail to create a cert. 
+ + - name: Enroll a cert when cert range is exhausted + if: always() + run: | + docker exec pki pki \ + -n caadmin \ + ca-cert-issue \ + --profile caUserCert \ + --csr-file testuser.csr \ + --output-file testuser.crt \ + > >(tee stdout) 2> >(tee stderr >&2) || true + + # TODO: fix missing request ID and typo + cat > expected << EOF + PKIException: Server Internal Error: Request was completed with errors. + CA has exausted all available serial numbers + EOF + + diff expected stderr + + - name: Check requests + if: always() + run: | + docker exec pki pki-server ca-cert-request-find | tee output + + sed -n "s/^ *Request ID: *\(.*\)$/\1/p" output > actual + + # there should be 17 requests + seq 1 17 > expected + + diff expected actual + + - name: Check certs + if: always() + run: | + docker exec pki pki-server ca-cert-find | tee output + + sed -n "s/^ *Serial Number: *\(.*\)$/\1/p" output > actual + + # there should be 16 certs + printf "0x%x\n" {9..24} > expected + + diff expected actual + + - name: Check request range config + if: always() + run: | + tests/ca/bin/ca-request-range-config.sh pki | tee output + + # current range should be 11 - 20 (size: 10, remaining: 3) + cat > expected << EOF + dbs.beginRequestNumber=11 + dbs.endRequestNumber=20 + dbs.requestCloneTransferNumber=5 + dbs.requestIncrement=10 + dbs.requestLowWaterMark=5 + EOF + + diff expected output + + - name: Check cert range config + if: always() + run: | + tests/ca/bin/ca-cert-range-config.sh pki | tee output + + # current range should be 0x9 - 0x18 (size: 0x10, remaining: 0x0) + cat > expected << EOF + dbs.beginSerialNumber=0x9 + dbs.endSerialNumber=0x18 + dbs.serialCloneTransferNumber=0x9 + dbs.serialIncrement=0x12 + dbs.serialLowWaterMark=0x9 + EOF + + diff expected output + + - name: Check request range objects + if: always() + run: | + tests/ca/bin/ca-request-range-objects-ssnv2.sh ds | tee output + + # there should be no new range + cat > expected << EOF + SecurePort: 8443 + beginRange: 11 + 
endRange: 20 + host: pki.example.com + + EOF + + diff expected output + + - name: Check cert range objects + if: always() + run: | + tests/ca/bin/ca-cert-range-objects-ssnv2.sh ds | tee output + + # there should be no new range + diff /dev/null output + + - name: Check request next range + if: always() + run: | + tests/ca/bin/ca-request-next-range-ssnv2.sh ds | tee output + + # request nextRange should be the same + cat > expected << EOF + nextRange: 21 + EOF + + diff expected output + + - name: Check cert next range + if: always() + run: | + tests/ca/bin/ca-cert-next-range-ssnv2.sh ds | tee output + + # cert nextRange should be the same + cat > expected << EOF + nextRange: 25 + EOF + + diff expected output + + #################################################################################################### + # Allocate new ranges + # + # This will allocate new ranges for requests and certs since + # the remaining numbers in their ranges are below the minimum. + + - name: Allocate new ranges + if: always() + run: | + docker exec pki pki -n caadmin ca-job-start serialNumberUpdate + + - name: Check request range config + if: always() + run: | + tests/ca/bin/ca-request-range-config.sh pki | tee output + + # current range should be 11 - 20 (size: 10, remaining: 3) + # new range should be 21 - 30 (size: 10, remaining: 10) + cat > expected << EOF + dbs.beginRequestNumber=11 + dbs.endRequestNumber=20 + dbs.nextBeginRequestNumber=21 + dbs.nextEndRequestNumber=30 + dbs.requestCloneTransferNumber=5 + dbs.requestIncrement=10 + dbs.requestLowWaterMark=5 + EOF + + diff expected output + + - name: Check cert range config + if: always() + run: | + tests/ca/bin/ca-cert-range-config.sh pki | tee output + + # current range should be 0x9 - 0x18 (size: 0x10, remaining: 0x0) + # new range should be 0x19 - 0x2a (size: 0x12, remaining: 0x12) + cat > expected << EOF + dbs.beginSerialNumber=0x9 + dbs.endSerialNumber=0x18 + dbs.nextBeginSerialNumber=0x19 + dbs.nextEndSerialNumber=0x2a + 
dbs.serialCloneTransferNumber=0x9 + dbs.serialIncrement=0x12 + dbs.serialLowWaterMark=0x9 + EOF + + diff expected output + + - name: Check request range objects + if: always() + run: | + tests/ca/bin/ca-request-range-objects-ssnv2.sh ds | tee output + + # new request range should be 21 - 30 (size: 10) + cat > expected << EOF + SecurePort: 8443 + beginRange: 11 + endRange: 20 + host: pki.example.com + + SecurePort: 8443 + beginRange: 21 + endRange: 30 + host: pki.example.com + + EOF + + diff expected output + + - name: Check cert range objects + if: always() + run: | + tests/ca/bin/ca-cert-range-objects-ssnv2.sh ds | tee output + + # new cert range should be 0x19 - 0x2a or 25 - 42 (size: 0x12) + cat > expected << EOF + SecurePort: 8443 + beginRange: 25 + endRange: 42 + host: pki.example.com + + EOF + + diff expected output + + - name: Check request next range + if: always() + run: | + tests/ca/bin/ca-request-next-range-ssnv2.sh ds | tee output + + # request nextRange should be incremented by 10 to 31 + cat > expected << EOF + nextRange: 31 + EOF + + diff expected output + + - name: Check cert next range + if: always() + run: | + tests/ca/bin/ca-cert-next-range-ssnv2.sh ds | tee output + + # cert nextRequest should incremented by 0x12 to 0x2b or 43 + cat > expected << EOF + nextRange: 43 + EOF + + diff expected output + + #################################################################################################### + # Enroll certs to exhaust request range + # + # This will create 13 requests and 13 certs. Both requests and certs + # will switch to the new ranges allocated earlier. 
+ + - name: Enroll 13 additional certs + if: always() + run: | + for i in $(seq 1 13); do + docker exec pki pki \ + -n caadmin \ + ca-cert-issue \ + --profile caUserCert \ + --csr-file testuser.csr \ + --output-file testuser.crt + + docker exec pki openssl x509 -in testuser.crt -serial -noout + done + + - name: Check requests + if: always() + run: | + docker exec pki pki-server ca-cert-request-find | tee output + + sed -n "s/^ *Request ID: *\(.*\)$/\1/p" output > actual + + # there should be 30 requests (17 existing + 13 new) + seq 1 30 > expected + + diff expected actual + + - name: Check certs + if: always() + run: | + docker exec pki pki-server ca-cert-find | tee output + + sed -n "s/^ *Serial Number: *\(.*\)$/\1/p" output > actual + + # there should be 29 certs (16 existing + 13 new) + printf "0x%x\n" {9..37} > expected + + diff expected actual + + - name: Check request range config + if: always() + run: | + tests/ca/bin/ca-request-range-config.sh pki | tee output + + # current range should be 21 - 30 (size: 10, remaining: 0) + cat > expected << EOF + dbs.beginRequestNumber=21 + dbs.endRequestNumber=30 + dbs.requestCloneTransferNumber=5 + dbs.requestIncrement=10 + dbs.requestLowWaterMark=5 + EOF + + diff expected output + + - name: Check cert range config + if: always() + run: | + tests/ca/bin/ca-cert-range-config.sh pki | tee output + + # current range should be 0x19 - 0x2a (size: 0x12, remaining: 0x5) + cat > expected << EOF + dbs.beginSerialNumber=0x19 + dbs.endSerialNumber=0x2a + dbs.serialCloneTransferNumber=0x9 + dbs.serialIncrement=0x12 + dbs.serialLowWaterMark=0x9 + EOF + + diff expected output + + - name: Check request range objects + if: always() + run: | + tests/ca/bin/ca-request-range-objects-ssnv2.sh ds | tee output + + # request range objects should be the same + cat > expected << EOF + SecurePort: 8443 + beginRange: 11 + endRange: 20 + host: pki.example.com + + SecurePort: 8443 + beginRange: 21 + endRange: 30 + host: pki.example.com + + EOF + + 
diff expected output + + - name: Check cert range objects + if: always() + run: | + tests/ca/bin/ca-cert-range-objects-ssnv2.sh ds | tee output + + # cert range objects should be the same + cat > expected << EOF + SecurePort: 8443 + beginRange: 25 + endRange: 42 + host: pki.example.com + + EOF + + diff expected output + + - name: Check request next range + if: always() + run: | + tests/ca/bin/ca-request-next-range-ssnv2.sh ds | tee output + + # request nextRange should be the same + cat > expected << EOF + nextRange: 31 + EOF + + diff expected output + + - name: Check cert next range + if: always() + run: | + tests/ca/bin/ca-cert-next-range-ssnv2.sh ds | tee output + + # cert nextRange should be the same + cat > expected << EOF + nextRange: 43 + EOF + + diff expected output + + #################################################################################################### + # Enroll a cert when request range is exhausted + # + # This will fail to create a request so no cert will be created either. + + - name: Enroll a cert when request range is exhausted + if: always() + run: | + docker exec pki pki \ + -n caadmin \ + ca-cert-issue \ + --profile caUserCert \ + --csr-file testuser.csr \ + --output-file testuser.crt \ + > >(tee stdout) 2> >(tee stderr >&2) || true + + cat > expected << EOF + PKIException: Unable to create enrollment request: Unable to create enrollment request: All serial numbers are used. 
The max serial number is 0x31 + EOF + + diff expected stderr + + - name: Check requests + if: always() + run: | + docker exec pki pki-server ca-cert-request-find | tee output + + sed -n "s/^ *Request ID: *\(.*\)$/\1/p" output > actual + + # requests should be the same + seq 1 30 > expected + + diff expected actual + + - name: Check certs + if: always() + run: | + docker exec pki pki-server ca-cert-find | tee output + + sed -n "s/^ *Serial Number: *\(.*\)$/\1/p" output > actual + + # certs should be the same + printf "0x%x\n" {9..37} > expected + + diff expected actual + + - name: Check request range config + if: always() + run: | + tests/ca/bin/ca-request-range-config.sh pki | tee output + + # current range should be 21 - 30 (size: 10, remaining: 0) + cat > expected << EOF + dbs.beginRequestNumber=21 + dbs.endRequestNumber=30 + dbs.requestCloneTransferNumber=5 + dbs.requestIncrement=10 + dbs.requestLowWaterMark=5 + EOF + + diff expected output + + - name: Check cert range config + if: always() + run: | + tests/ca/bin/ca-cert-range-config.sh pki | tee output + + # current range should be 0x19 - 0x2a (size: 0x12, remaining: 0x5) + cat > expected << EOF + dbs.beginSerialNumber=0x19 + dbs.endSerialNumber=0x2a + dbs.serialCloneTransferNumber=0x9 + dbs.serialIncrement=0x12 + dbs.serialLowWaterMark=0x9 + EOF + + diff expected output + + - name: Check request range objects + if: always() + run: | + tests/ca/bin/ca-request-range-objects-ssnv2.sh ds | tee output + + # request range objects should be the same + cat > expected << EOF + SecurePort: 8443 + beginRange: 11 + endRange: 20 + host: pki.example.com + + SecurePort: 8443 + beginRange: 21 + endRange: 30 + host: pki.example.com + + EOF + + diff expected output + + - name: Check cert range objects + if: always() + run: | + tests/ca/bin/ca-cert-range-objects-ssnv2.sh ds | tee output + + # cert range objects should be the same + cat > expected << EOF + SecurePort: 8443 + beginRange: 25 + endRange: 42 + host: pki.example.com 
+ + EOF + + diff expected output + + - name: Check request next range + if: always() + run: | + tests/ca/bin/ca-request-next-range-ssnv2.sh ds | tee output + + # request nextRange should be the same + cat > expected << EOF + nextRange: 31 + EOF + + diff expected output + + - name: Check cert next range + if: always() + run: | + tests/ca/bin/ca-cert-next-range-ssnv2.sh ds | tee output + + # cert nextRange should be the same + cat > expected << EOF + nextRange: 43 + EOF + + diff expected output + + #################################################################################################### + # Allocate new ranges again + # + # This will allocate new ranges for requests and certs since + # the remaining numbers in their ranges are below the minimum. + + - name: Allocate new ranges again + if: always() + run: | + docker exec pki pki -n caadmin ca-job-start serialNumberUpdate + + - name: Check request range config + if: always() + run: | + tests/ca/bin/ca-request-range-config.sh pki | tee output + + # current range should be 21 - 30 (size: 10, remaining: 0) + # next range should be 31 - 40 (size: 10, remaining: 0) + cat > expected << EOF + dbs.beginRequestNumber=21 + dbs.endRequestNumber=30 + dbs.nextBeginRequestNumber=31 + dbs.nextEndRequestNumber=40 + dbs.requestCloneTransferNumber=5 + dbs.requestIncrement=10 + dbs.requestLowWaterMark=5 + EOF + + diff expected output + + - name: Check cert range config + if: always() + run: | + tests/ca/bin/ca-cert-range-config.sh pki | tee output + + # current range should be 0x19 - 0x2a (size: 0x12, remaining: 0x5) + # next range should be 0x2b - 0x3c (size: 0x12, remaining: 0x12) + cat > expected << EOF + dbs.beginSerialNumber=0x19 + dbs.endSerialNumber=0x2a + dbs.nextBeginSerialNumber=0x2b + dbs.nextEndSerialNumber=0x3c + dbs.serialCloneTransferNumber=0x9 + dbs.serialIncrement=0x12 + dbs.serialLowWaterMark=0x9 + EOF + + diff expected output + + - name: Check request range objects + if: always() + run: | + 
tests/ca/bin/ca-request-range-objects-ssnv2.sh ds | tee output + + # new range should be 31 - 40 (size: 10) + cat > expected << EOF + SecurePort: 8443 + beginRange: 11 + endRange: 20 + host: pki.example.com + + SecurePort: 8443 + beginRange: 21 + endRange: 30 + host: pki.example.com + + SecurePort: 8443 + beginRange: 31 + endRange: 40 + host: pki.example.com + + EOF + + diff expected output + + - name: Check cert range objects + if: always() + run: | + tests/ca/bin/ca-cert-range-objects-ssnv2.sh ds | tee output + + # new range should be 0x2b - 0x3c or 43 - 60 (size: 0x12) + cat > expected << EOF + SecurePort: 8443 + beginRange: 25 + endRange: 42 + host: pki.example.com + + SecurePort: 8443 + beginRange: 43 + endRange: 60 + host: pki.example.com + + EOF + + diff expected output + + - name: Check request next range + if: always() + run: | + tests/ca/bin/ca-request-next-range-ssnv2.sh ds | tee output + + # request nextRange should be incremented by 10 to 41 + cat > expected << EOF + nextRange: 41 + EOF + + diff expected output + + - name: Check cert next range + if: always() + run: | + tests/ca/bin/ca-cert-next-range-ssnv2.sh ds | tee output + + # cert nextRange should be incremented by 0x12 to 0x47 or 61 + cat > expected << EOF + nextRange: 61 + EOF + + diff expected output + + #################################################################################################### + # Enroll 10 additional certs + # + # This will create 10 requests and 10 certs. + # Both requests and certs will switch to new ranges. 
+ + - name: Enroll 10 additional certs + if: always() + run: | + for i in $(seq 1 10); do + docker exec pki pki \ + -n caadmin \ + ca-cert-issue \ + --profile caUserCert \ + --csr-file testuser.csr \ + --output-file testuser.crt + + docker exec pki openssl x509 -in testuser.crt -serial -noout + done + + - name: Check requests + if: always() + run: | + docker exec pki pki-server ca-cert-request-find | tee output + + sed -n "s/^ *Request ID: *\(.*\)$/\1/p" output > actual + + # there should be 40 requests (30 existing + 10 new) + seq 1 40 > expected + + diff expected actual + + - name: Check certs + if: always() + run: | + docker exec pki pki-server ca-cert-find | tee output + + sed -n "s/^ *Serial Number: *\(.*\)$/\1/p" output > actual + + # there should be 39 certs (29 existing + 10 new) + printf "0x%x\n" {9..47} > expected + + diff expected actual + + - name: Check request range config + if: always() + run: | + tests/ca/bin/ca-request-range-config.sh pki | tee output + + # request range should be 31 - 40 (size: 10, remaining: 0) + cat > expected << EOF + dbs.beginRequestNumber=31 + dbs.endRequestNumber=40 + dbs.requestCloneTransferNumber=5 + dbs.requestIncrement=10 + dbs.requestLowWaterMark=5 + EOF + + diff expected output + + - name: Check cert range config + if: always() + run: | + tests/ca/bin/ca-cert-range-config.sh pki | tee output + + # current range should be 0x2b - 0x3c (size: 0x12, remaining: 0xd) + cat > expected << EOF + dbs.beginSerialNumber=0x2b + dbs.endSerialNumber=0x3c + dbs.serialCloneTransferNumber=0x9 + dbs.serialIncrement=0x12 + dbs.serialLowWaterMark=0x9 + EOF + + diff expected output + + - name: Check request range objects + if: always() + run: | + tests/ca/bin/ca-request-range-objects-ssnv2.sh ds | tee output + + # request range objects should be the same + cat > expected << EOF + SecurePort: 8443 + beginRange: 11 + endRange: 20 + host: pki.example.com + + SecurePort: 8443 + beginRange: 21 + endRange: 30 + host: pki.example.com + + 
SecurePort: 8443 + beginRange: 31 + endRange: 40 + host: pki.example.com + + EOF + + diff expected output + + - name: Check cert range objects + if: always() + run: | + tests/ca/bin/ca-cert-range-objects-ssnv2.sh ds | tee output + + # cert range objects should be the same + cat > expected << EOF + SecurePort: 8443 + beginRange: 25 + endRange: 42 + host: pki.example.com + + SecurePort: 8443 + beginRange: 43 + endRange: 60 + host: pki.example.com + + EOF + + diff expected output + + - name: Check request next range + if: always() + run: | + tests/ca/bin/ca-request-next-range-ssnv2.sh ds | tee output + + # request nextRange should be the same + cat > expected << EOF + nextRange: 41 + EOF + + diff expected output + + - name: Check cert next range + if: always() + run: | + tests/ca/bin/ca-cert-next-range-ssnv2.sh ds | tee output + + # cert nextRange should be the same + cat > expected << EOF + nextRange: 61 + EOF + + diff expected output + + #################################################################################################### + # Enroll a cert with RSNv3 + # + # This should create a request and a cert. The cert + # should be issued with a non-sequential serial number. 
+ + - name: Switch to RSNv3 + if: always() + run: | + # switch cert request ID generator to RSNv3 + docker exec pki pki-server ca-config-unset dbs.beginRequestNumber + docker exec pki pki-server ca-config-unset dbs.endRequestNumber + docker exec pki pki-server ca-config-unset dbs.requestIncrement + docker exec pki pki-server ca-config-unset dbs.requestLowWaterMark + docker exec pki pki-server ca-config-unset dbs.requestCloneTransferNumber + docker exec pki pki-server ca-config-unset dbs.requestRangeDN + + docker exec pki pki-server ca-config-set dbs.request.id.generator random + + # switch cert ID generator to RSNv3 + docker exec pki pki-server ca-config-unset dbs.beginSerialNumber + docker exec pki pki-server ca-config-unset dbs.endSerialNumber + docker exec pki pki-server ca-config-unset dbs.serialIncrement + docker exec pki pki-server ca-config-unset dbs.serialLowWaterMark + docker exec pki pki-server ca-config-unset dbs.serialCloneTransferNumber + docker exec pki pki-server ca-config-unset dbs.serialRangeDN + + docker exec pki pki-server ca-config-set dbs.cert.id.generator random + + # restart CA subsystem + docker exec pki pki-server ca-redeploy --wait + + - name: Enroll a cert with RSNv3 + if: always() + run: | + docker exec pki pki \ + -n caadmin \ + ca-cert-issue \ + --profile caUserCert \ + --csr-file testuser.csr \ + --output-file testuser.crt + + docker exec pki openssl x509 -in testuser.crt -serial -noout + + - name: Check requests + if: always() + run: | + docker exec pki pki-server ca-cert-request-find | tee output + sed -n "s/^ *Request ID: *\(.*\)$/\1/p" output > list + + # there should be 40 requests with sequential request ID + + seq 1 40 > expected + head -n 40 list > actual + diff expected actual + + # there should be one request with random request ID (longer than 2 chars) + REQUEST_ID=$(tail -n 1 list) + [ ${#REQUEST_ID} -gt 2 ] + + - name: Check certs + if: always() + run: | + docker exec pki pki-server ca-cert-find | tee output + sed -n "s/^ 
*Serial Number: *\(.*\)$/\1/p" output > list + + # there should be 39 certs with sequential serial numbers + + printf "0x%x\n" {9..47} > expected + head -n 39 list > actual + diff expected actual + + # there should be one cert with random serial number (longer than 4 chars) + + SERIAL_NUMBER=$(tail -n 1 list) + [ ${#SERIAL_NUMBER} -gt 4 ] + + #################################################################################################### + # Cleanup + + - name: Remove CA + run: docker exec pki pkidestroy -s CA -v + + - name: Check DS server systemd journal + if: always() + run: | + docker exec ds journalctl -x --no-pager -u dirsrv@localhost.service + + - name: Check DS container logs + if: always() + run: | + docker logs ds + + - name: Check PKI server systemd journal + if: always() + run: | + docker exec pki journalctl -x --no-pager -u pki-tomcatd@pki-tomcat.service + + - name: Check PKI server access log + if: always() + run: | + docker exec pki find /var/log/pki/pki-tomcat -name "localhost_access_log.*" -exec cat {} \; + + - name: Check CA debug log + if: always() + run: | + docker exec pki find /var/lib/pki/pki-tomcat/logs/ca -name "debug.*" -exec cat {} \; diff --git a/.github/workflows/ca-tests.yml b/.github/workflows/ca-tests.yml index 5f7f7586ea7..98df7d9ccf9 100644 --- a/.github/workflows/ca-tests.yml +++ b/.github/workflows/ca-tests.yml @@ -63,11 +63,6 @@ jobs: needs: build uses: ./.github/workflows/ca-hsm-test.yml - ca-nuxwdog-test: - name: CA with Nuxwdog - needs: build - uses: ./.github/workflows/ca-nuxwdog-test.yml - ca-ds-connection-test: name: CA connection with DS needs: build @@ -83,6 +78,11 @@ jobs: needs: build uses: ./.github/workflows/ca-ssnv1-test.yml + ca-ssnv2-test: + name: CA with SSNv2 + needs: build + uses: ./.github/workflows/ca-ssnv2-test.yml + ca-pruning-test: name: CA database pruning needs: build diff --git a/.github/workflows/ca-tests2.yml b/.github/workflows/ca-tests2.yml index 16f71398a41..633a318134f 100644 
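Review bot: The comment on the request range config check after `Allocate new ranges again` reads `# next range should be 31 - 40 (size: 10, remaining: 0)`, but a freshly allocated range still has all 10 numbers, as the earlier `# new range should be 21 - 30 (size: 10, remaining: 10)` comment puts it; change it to `remaining: 10`. Two more comments in the same file need fixing: `# cert nextRequest should incremented by 0x12 to 0x2b or 43` should be `# cert nextRange should be incremented by 0x12 to 0x2b or 43`, and `# switch cert request ID generator to RSNv3` in the `Switch to RSNv3` step describes the request ID generator, not the cert one. The request-exhaustion step pins `The max serial number is 0x31` although the exhausted request range ends at 30 (`dbs.endRequestNumber=30`); if that `0x` prefix on a decimal request number is a server-side formatting quirk, a TODO like the one on the cert-exhaustion step would record that the test pins a known-wrong message. Both exhaustion steps capture stderr via `2> >(tee stderr >&2)` and run `diff expected stderr` right after; bash does not wait for process substitutions, so the diff may occasionally run before `tee` has written the file, and redirecting with `2> stderr` directly and printing the file afterwards avoids the race.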
--- a/.github/workflows/ca-tests2.yml
+++ b/.github/workflows/ca-tests2.yml
@@ -78,6 +78,11 @@ jobs: needs: build uses: ./.github/workflows/ca-hsm-operation-test.yml + ca-nuxwdog-test: + name: CA with Nuxwdog + needs: build + uses: ./.github/workflows/ca-nuxwdog-test.yml + scep-test: name: SCEP responder needs: build
diff --git a/tests/ca/bin/ca-cert-next-range-ssnv2.sh b/tests/ca/bin/ca-cert-next-range-ssnv2.sh
new file mode 100755
index 00000000000..59796e57cab
--- /dev/null
+++ b/tests/ca/bin/ca-cert-next-range-ssnv2.sh
@@ -0,0 +1,13 @@
+#!/bin/bash -e
+
+NAME=$1
+
+docker exec $NAME ldapsearch \
+ -H ldap://$NAME.example.com:3389 \
+ -D "cn=Directory Manager" \
+ -w Secret.123 \
+ -b ou=certificateRepository,ou=ca,dc=ca,dc=pki,dc=example,dc=com \
+ -s base \
+ -o ldif_wrap=no \
+ -LLL \
+ | grep nextRange:
diff --git a/tests/ca/bin/ca-cert-range-objects-ssnv2.sh b/tests/ca/bin/ca-cert-range-objects-ssnv2.sh
new file mode 100755
index 00000000000..6524da82127
--- /dev/null
+++ b/tests/ca/bin/ca-cert-range-objects-ssnv2.sh
@@ -0,0 +1,34 @@
+#!/bin/bash -e
+
+NAME=$1
+
+LIST=$(docker exec $NAME ldapsearch \
+ -H ldap://$NAME.example.com:3389 \
+ -D "cn=Directory Manager" \
+ -w Secret.123 \
+ -b ou=certificateRepository,ou=ranges,dc=ca,dc=pki,dc=example,dc=com \
+ -s one \
+ -o ldif_wrap=no \
+ -LLL \
+ dn \
+ | sed -n 's/^dn: *\(.*\)$/\1/p')
+
+for DN in $LIST
+do
+ docker exec $NAME ldapsearch \
+ -H ldap://$NAME.example.com:3389 \
+ -D "cn=Directory Manager" \
+ -w Secret.123 \
+ -b $DN \
+ -s base \
+ -o ldif_wrap=no \
+ -LLL \
+ | grep \
+ -e SecurePort: \
+ -e beginRange: \
+ -e endRange: \
+ -e host: \
+ | sort
+
+ echo
+done
diff --git a/tests/ca/bin/ca-request-next-range-ssnv2.sh b/tests/ca/bin/ca-request-next-range-ssnv2.sh
new file mode 100755
index 00000000000..3bf262d8a8c
--- /dev/null
+++ b/tests/ca/bin/ca-request-next-range-ssnv2.sh
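Review bot: In ca-cert-range-objects-ssnv2.sh the `LIST=$(docker exec $NAME ldapsearch ... | sed -n ...)` pipeline hides a failed search: `#!/bin/bash -e` only sees sed's exit status, so if ldapsearch fails (bind error, DS unreachable) LIST is empty, the loop never runs, the script exits 0, and the workflow's `diff /dev/null output` check for "no new range" passes vacuously. Replacing the shebang with `#!/bin/bash` followed by `set -eo pipefail` makes a failed ldapsearch fail the script instead; the per-DN pipeline ending in `| sort` has the same gap. The same applies to ca-request-range-objects-ssnv2.sh. `for DN in $LIST` and the unquoted `-b $DN` also rely on the returned DNs containing no whitespace; if that holds for the range entries a comment saying so would help, otherwise read them with `while IFS= read -r DN` and pass `-b "$DN"`.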
@@ -0,0 +1,13 @@
+#!/bin/bash -e
+
+NAME=$1
+
+docker exec $NAME ldapsearch \
+ -H ldap://$NAME.example.com:3389 \
+ -D "cn=Directory Manager" \
+ -w Secret.123 \
+ -b ou=ca,ou=requests,dc=ca,dc=pki,dc=example,dc=com \
+ -s base \
+ -o ldif_wrap=no \
+ -LLL \
+ | grep nextRange:
diff --git a/tests/ca/bin/ca-request-range-objects-ssnv2.sh b/tests/ca/bin/ca-request-range-objects-ssnv2.sh
new file mode 100755
index 00000000000..c17a316bfbd
--- /dev/null
+++ b/tests/ca/bin/ca-request-range-objects-ssnv2.sh
@@ -0,0 +1,34 @@
+#!/bin/bash -e
+
+NAME=$1
+
+LIST=$(docker exec $NAME ldapsearch \
+ -H ldap://$NAME.example.com:3389 \
+ -D "cn=Directory Manager" \
+ -w Secret.123 \
+ -b ou=requests,ou=ranges,dc=ca,dc=pki,dc=example,dc=com \
+ -s one \
+ -o ldif_wrap=no \
+ -LLL \
+ dn \
+ | sed -n 's/^dn: *\(.*\)$/\1/p')
+
+for DN in $LIST
+do
+ docker exec $NAME ldapsearch \
+ -H ldap://$NAME.example.com:3389 \
+ -D "cn=Directory Manager" \
+ -w Secret.123 \
+ -b $DN \
+ -s base \
+ -o ldif_wrap=no \
+ -LLL \
+ | grep \
+ -e SecurePort: \
+ -e beginRange: \
+ -e endRange: \
+ -e host: \
+ | sort
+
+ echo
+done