Update KRA and OCSP tests #4602

Merged
merged 1 commit into from
Nov 7, 2023
Merged
54 changes: 53 additions & 1 deletion .github/workflows/kra-basic-test.yml
Expand Up @@ -60,6 +60,42 @@ jobs:

docker exec pki pki-server cert-find

- name: Check CA security domain
run: |
# security domain should be enabled (i.e. securitydomain.select=new)
cat > expected << EOF
securitydomain.checkIP=false
securitydomain.checkinterval=300000
securitydomain.flushinterval=86400000
securitydomain.host=pki.example.com
securitydomain.httpport=8080
securitydomain.httpsadminport=8443
securitydomain.name=EXAMPLE
securitydomain.select=new
securitydomain.source=ldap
EOF
docker exec pki pki-server ca-config-find | grep ^securitydomain. | sort | tee actual
diff expected actual

docker exec pki pki-server cert-export ca_signing --cert-file ${SHARED}/ca_signing.crt
docker exec pki pki client-cert-import ca_signing --ca-cert ${SHARED}/ca_signing.crt

# REST API should return security domain info
cat > expected << EOF
Domain: EXAMPLE

CA Subsystem:

Host ID: CA pki.example.com 8443
Hostname: pki.example.com
Port: 8080
Secure Port: 8443
Domain Manager: TRUE

EOF
docker exec pki pki securitydomain-show | tee output
diff expected output

- name: Install KRA
run: |
docker exec pki pkispawn \
Expand Down Expand Up @@ -126,8 +162,24 @@ jobs:
--pkcs12-password Secret.123
docker exec pki pki -n caadmin kra-user-show kraadmin

- name: Verify KRA connector in CA
- name: Check KRA connector in CA
run: |
docker exec pki pki-server ca-config-find | grep ^ca.connector.KRA. | sort | tee output
See above


# KRA connector should be configured
cat > expected << EOF
ca.connector.KRA.enable=true
ca.connector.KRA.host=pki.example.com
ca.connector.KRA.local=false
ca.connector.KRA.nickName=subsystem
ca.connector.KRA.port=8443
ca.connector.KRA.timeout=30
ca.connector.KRA.uri=/kra/agent/kra/connector
EOF
sed -e '/^ca.connector.KRA.transportCert=/d' output > actual
diff expected actual

# REST API should return KRA connector info
docker exec pki pki -n caadmin ca-kraconnector-show | tee output
sed -n 's/\s*Host:\s\+\(\S\+\):.*/\1/p' output > actual
echo pki.example.com > expected
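Review bot: The new "Check KRA connector in CA" step deletes `ca.connector.KRA.transportCert=` from the output before diffing, so the test never confirms the CA actually holds a transport certificate for the connector — presumably the key material the CA wraps archived keys to, and the one value an operator most needs to see set. Keep the sed, but assert the line exists and is non-empty first, e.g. `grep -q '^ca\.connector\.KRA\.transportCert=.\+' output`, and ideally compare it against the KRA transport cert exported from the same container (the exact nickname is not visible in this hunk). The `.` in `grep ^ca.connector.KRA.` and `grep ^securitydomain.` is an unescaped regex metacharacter; `grep '^ca\.connector\.KRA\.'` is the tighter form.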
243 changes: 169 additions & 74 deletions .github/workflows/kra-standalone-test.yml
Expand Up @@ -38,138 +38,233 @@ jobs:
- name: Connect DS container to network
run: docker network connect example ds --alias ds.example.com

- name: Set up PKI container
- name: Set up CA container
run: |
tests/bin/runner-init.sh pki
tests/bin/runner-init.sh ca
env:
HOSTNAME: pki.example.com
HOSTNAME: ca.example.com

- name: Connect PKI container to network
run: docker network connect example pki --alias pki.example.com
- name: Connect CA container to network
run: docker network connect example ca --alias ca.example.com

- name: Create CA signing cert
- name: Install standalone CA
run: |
docker exec pki pki -d nssdb nss-cert-request \
--subject "CN=CA Signing Certificate" \
--ext /usr/share/pki/server/certs/ca_signing.conf \
--csr ca_signing.csr
docker exec pki pki -d nssdb nss-cert-issue \
--csr ca_signing.csr \
--ext /usr/share/pki/server/certs/ca_signing.conf \
--cert ca_signing.crt
docker exec pki pki -d nssdb nss-cert-import \
--cert ca_signing.crt \
--trust CT,C,C \
ca_signing
docker exec ca pkispawn \
-f /usr/share/pki/server/examples/installation/ca.cfg \
-s CA \
-D pki_ds_url=ldap://ds.example.com:3389 \
-D pki_cert_id_generator=random \
-D pki_request_id_generator=random \
-D pki_security_domain_setup=False \
-v

docker exec ca pki-server cert-find

- name: Check CA security domain
run: |
# security domain should be disabled (i.e. no securitydomain.select=new)
cat > expected << EOF
securitydomain.checkIP=false
securitydomain.checkinterval=300000
securitydomain.flushinterval=86400000
securitydomain.source=ldap
EOF
docker exec ca pki-server ca-config-find | grep ^securitydomain. | sort | tee actual
diff expected actual

docker exec ca pki-server cert-export ca_signing --cert-file ${SHARED}/ca_signing.crt
docker exec ca pki client-cert-import ca_signing --ca-cert ${SHARED}/ca_signing.crt

- name: Install KRA (step 1)
docker exec ca pki securitydomain-show \
> >(tee stdout) 2> >(tee stderr >&2) || true

# REST API should not return security domain info
echo "PKIException: Not Found" > expected
diff expected stderr

- name: Check CA admin
run: |
docker exec pki pkispawn \
docker exec ca pki pkcs12-import \
--pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
--pkcs12-password Secret.123
docker exec ca pki -n caadmin ca-user-show caadmin

- name: Set up KRA container
run: |
tests/bin/runner-init.sh kra
env:
HOSTNAME: kra.example.com

- name: Connect KRA container to network
run: docker network connect example kra --alias kra.example.com

- name: Install standalone KRA (step 1)
run: |
docker exec kra pkispawn \
-f /usr/share/pki/server/examples/installation/kra-standalone-step1.cfg \
-s KRA \
-D pki_cert_chain_path=${SHARED}/ca_signing.crt \
-D pki_ds_url=ldap://ds.example.com:3389 \
-D pki_storage_csr_path=${SHARED}/kra_storage.csr \
-D pki_transport_csr_path=${SHARED}/kra_transport.csr \
-D pki_subsystem_csr_path=${SHARED}/subsystem.csr \
-D pki_sslserver_csr_path=${SHARED}/sslserver.csr \
-D pki_audit_signing_csr_path=${SHARED}/kra_audit_signing.csr \
-D pki_admin_csr_path=${SHARED}/kra_admin.csr \
-D pki_key_id_generator=random \
-D pki_request_id_generator=random \
-v

- name: Issue KRA storage cert
run: |
docker exec pki openssl req -text -noout -in kra_storage.csr
docker exec pki pki -d nssdb nss-cert-issue \
--issuer ca_signing \
--csr kra_storage.csr \
--ext /usr/share/pki/server/certs/kra_storage.conf \
--cert kra_storage.crt
docker exec pki openssl x509 -text -noout -in kra_storage.crt
docker exec ca openssl req -text -noout -in ${SHARED}/kra_storage.csr
docker exec ca pki ca-cert-request-submit --profile caStorageCert --csr-file ${SHARED}/kra_storage.csr | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/kra_storage.crt
docker exec ca openssl x509 -text -noout -in ${SHARED}/kra_storage.crt

- name: Issue KRA transport cert
run: |
docker exec pki openssl req -text -noout -in kra_transport.csr
docker exec pki pki -d nssdb nss-cert-issue \
--issuer ca_signing \
--csr kra_transport.csr \
--ext /usr/share/pki/server/certs/kra_transport.conf \
--cert kra_transport.crt
docker exec pki openssl x509 -text -noout -in kra_transport.crt
docker exec ca openssl req -text -noout -in ${SHARED}/kra_transport.csr
docker exec ca pki ca-cert-request-submit --profile caTransportCert --csr-file ${SHARED}/kra_transport.csr | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/kra_transport.crt
docker exec ca openssl x509 -text -noout -in ${SHARED}/kra_transport.crt

- name: Issue subsystem cert
run: |
docker exec pki openssl req -text -noout -in subsystem.csr
docker exec pki pki -d nssdb nss-cert-issue \
--issuer ca_signing \
--csr subsystem.csr \
--ext /usr/share/pki/server/certs/subsystem.conf \
--cert subsystem.crt
docker exec pki openssl x509 -text -noout -in subsystem.crt
docker exec ca openssl req -text -noout -in ${SHARED}/subsystem.csr
docker exec ca pki ca-cert-request-submit --profile caSubsystemCert --csr-file ${SHARED}/subsystem.csr | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/subsystem.crt
docker exec ca openssl x509 -text -noout -in ${SHARED}/subsystem.crt

- name: Issue SSL server cert
run: |
docker exec pki openssl req -text -noout -in sslserver.csr
docker exec pki pki -d nssdb nss-cert-issue \
--issuer ca_signing \
--csr sslserver.csr \
--ext /usr/share/pki/server/certs/sslserver.conf \
--cert sslserver.crt
docker exec pki openssl x509 -text -noout -in sslserver.crt
docker exec ca openssl req -text -noout -in ${SHARED}/sslserver.csr
docker exec ca pki ca-cert-request-submit --profile caServerCert --csr-file ${SHARED}/sslserver.csr | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/sslserver.crt
docker exec ca openssl x509 -text -noout -in ${SHARED}/sslserver.crt

- name: Issue KRA audit signing cert
run: |
docker exec pki openssl req -text -noout -in kra_audit_signing.csr
docker exec pki pki -d nssdb nss-cert-issue \
--issuer ca_signing \
--csr kra_audit_signing.csr \
--ext /usr/share/pki/server/certs/audit_signing.conf \
--cert kra_audit_signing.crt
docker exec pki openssl x509 -text -noout -in kra_audit_signing.crt
docker exec ca openssl req -text -noout -in ${SHARED}/kra_audit_signing.csr
docker exec ca pki ca-cert-request-submit --profile caAuditSigningCert --csr-file ${SHARED}/kra_audit_signing.csr | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/kra_audit_signing.crt
docker exec ca openssl x509 -text -noout -in ${SHARED}/kra_audit_signing.crt

- name: Issue KRA admin cert
run: |
docker exec pki openssl req -text -noout -in kra_admin.csr
docker exec pki pki -d nssdb nss-cert-issue \
--issuer ca_signing \
--csr kra_admin.csr \
--ext /usr/share/pki/server/certs/admin.conf \
--cert kra_admin.crt
docker exec pki openssl x509 -text -noout -in kra_admin.crt
docker exec ca openssl req -text -noout -in ${SHARED}/kra_admin.csr
docker exec ca pki ca-cert-request-submit --profile AdminCert --csr-file ${SHARED}/kra_admin.csr | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/kra_admin.crt
docker exec ca openssl x509 -text -noout -in ${SHARED}/kra_admin.crt

- name: Install KRA (step 2)
- name: Install standalone KRA (step 2)
run: |
docker exec pki pkispawn \
docker exec kra pkispawn \
-f /usr/share/pki/server/examples/installation/kra-standalone-step2.cfg \
-s KRA \
-D pki_cert_chain_path=${SHARED}/ca_signing.crt \
-D pki_ds_url=ldap://ds.example.com:3389 \
-D pki_storage_csr_path=${SHARED}/kra_storage.csr \
-D pki_transport_csr_path=${SHARED}/kra_transport.csr \
-D pki_subsystem_csr_path=${SHARED}/subsystem.csr \
-D pki_sslserver_csr_path=${SHARED}/sslserver.csr \
-D pki_audit_signing_csr_path=${SHARED}/kra_audit_signing.csr \
-D pki_admin_csr_path=${SHARED}/kra_admin.csr \
-D pki_storage_cert_path=${SHARED}/kra_storage.crt \
-D pki_transport_cert_path=${SHARED}/kra_transport.crt \
-D pki_subsystem_cert_path=${SHARED}/subsystem.crt \
-D pki_sslserver_cert_path=${SHARED}/sslserver.crt \
-D pki_audit_signing_cert_path=${SHARED}/kra_audit_signing.crt \
-D pki_admin_cert_path=${SHARED}/kra_admin.crt \
-D pki_key_id_generator=random \
-D pki_request_id_generator=random \
-v

docker exec pki pki-server cert-find
docker exec kra pki-server cert-find

# TODO: Fix DogtagKRAConnectivityCheck to work without CA
# - name: Run PKI healthcheck
# run: docker exec pki pki-healthcheck --failures-only
# run: docker exec kra pki-healthcheck --failures-only

- name: Verify admin user
- name: Check KRA security domain
run: |
docker exec pki pki client-cert-import ca_signing --ca-cert ca_signing.crt
docker exec pki pki pkcs12-import \
docker exec kra pki client-cert-import ca_signing --ca-cert ${SHARED}/ca_signing.crt
docker exec kra pki securitydomain-show \
> >(tee stdout) 2> >(tee stderr >&2) || true

# standalone KRA should not return security domain info
echo "PKIException: Not Found" > expected
diff expected stderr

- name: Check KRA admin
run: |
docker exec kra pki pkcs12-import \
--pkcs12 /root/.dogtag/pki-tomcat/kra_admin_cert.p12 \
--pkcs12-password Secret.123
docker exec pki pki -n kraadmin kra-user-show kraadmin
docker exec kra pki -n kraadmin kra-user-show kraadmin

- name: Check KRA users
run: |
docker exec kra pki -n kraadmin kra-user-find

docker exec kra pki -n kraadmin kra-user-show CA-ca.example.com-8443 \
> >(tee stdout) 2> >(tee stderr >&2) || true

# standalone KRA should not have CA user
echo "UserNotFoundException: User CA-ca.example.com-8443 not found" > expected
diff expected stderr

- name: Check KRA connector in CA
run: |
# KRA connector should not be configured
echo -n > expected
docker exec ca pki-server ca-config-find | grep ^ca.connector.KRA. | tee actual
diff expected actual

# REST API should not return KRA connector info
echo "ForbiddenException: Authorization Error" > expected
docker exec ca pki -n caadmin ca-kraconnector-show \
> >(tee stdout) 2> >(tee stderr >&2) || true
diff expected stderr

- name: Gather artifacts
if: always()
run: |
tests/bin/ds-artifacts-save.sh --output=/tmp/artifacts/pki ds
tests/bin/pki-artifacts-save.sh pki
tests/bin/ds-artifacts-save.sh ds
tests/bin/pki-artifacts-save.sh ca
tests/bin/pki-artifacts-save.sh kra
continue-on-error: true

- name: Remove KRA
run: docker exec pki pkidestroy -i pki-tomcat -s KRA -v
run: docker exec kra pkidestroy -i pki-tomcat -s KRA -v

- name: Remove CA
run: docker exec ca pkidestroy -i pki-tomcat -s CA -v

- name: Upload artifacts
if: always()
uses: actions/upload-artifact@v3
with:
name: kra-standalone
path: |
/tmp/artifacts/pki
/tmp/artifacts/ds
/tmp/artifacts/ca
/tmp/artifacts/kra
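Review bot: The negative checks (CA and KRA `securitydomain-show`, `kra-user-show CA-ca.example.com-8443`, `ca-kraconnector-show`) capture stderr through `2> >(tee stderr >&2) || true` and then immediately `diff expected stderr`; bash does not wait for a process substitution to finish, so `stderr` can still be empty or partial when diff runs, giving an intermittent false failure or, worse, an empty file that matches nothing the test intended. Redirect to files directly and echo afterwards, e.g. `docker exec ca pki securitydomain-show > stdout 2> stderr || true` followed by `cat stderr >&2`, so the comparison reads a fully written file. Also note `|| true` discards the exit code, so only the stderr text guards these assertions; add `test ! -s stdout` (or equivalent) so unexpected success output is also caught. The approval loop's `$REQUEST_ID`/`$CERT_ID` are unquoted and unchecked; `[ -n "$REQUEST_ID" ]` before `ca-cert-request-approve` makes a failed sed match fail loudly instead of running the command with no argument.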