Update security domain tests #4630

Merged
merged 1 commit into from
Dec 1, 2023
Merged
19 changes: 17 additions & 2 deletions .github/workflows/kra-basic-test.yml
Expand Up @@ -58,9 +58,9 @@ jobs:

docker exec pki pki-server cert-find

- name: Check CA security domain
- name: Check security domain config in CA
run: |
# security domain should be enabled (i.e. securitydomain.select=new)
# CA should run security domain service
cat > expected << EOF
securitydomain.checkIP=false
securitydomain.checkinterval=300000
Expand All @@ -72,6 +72,7 @@ jobs:
securitydomain.select=new
securitydomain.source=ldap
EOF

docker exec pki pki-server ca-config-find | grep ^securitydomain. | sort | tee actual
diff expected actual

Expand Down Expand Up @@ -102,6 +103,20 @@ jobs:
-D pki_ds_url=ldap://ds.example.com:3389 \
-v

- name: Check security domain config in KRA
run: |
# KRA should join security domain in CA
cat > expected << EOF
securitydomain.host=pki.example.com
securitydomain.httpport=8080
securitydomain.httpsadminport=8443
securitydomain.name=EXAMPLE
securitydomain.select=existing
EOF

docker exec pki pki-server kra-config-find | grep ^securitydomain. | sort | tee actual
diff expected actual

- name: Check KRA storage cert
run: |
docker exec pki pki-server cert-export kra_storage \
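Review bot: The new "Check security domain config in KRA" step filters with an unquoted, unescaped pattern, `grep ^securitydomain.`, in which the dot matches any character, and it relies on the final `diff` to notice a failed `docker exec`. Writing it as `grep '^securitydomain\.'` keeps the filter exact. Unless this workflow already runs its steps with `shell: bash` (which turns pipefail on), putting `set -o pipefail` at the top of the `run:` block would make a failing `pki-server kra-config-find` fail the step directly rather than show up as a diff against an empty `actual` file. The same pipeline appears in the security-domain steps of kra-separate-test.yml, ocsp-basic-test.yml and ocsp-separate-test.yml.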
51 changes: 51 additions & 0 deletions .github/workflows/kra-separate-test.yml
Expand Up @@ -56,6 +56,24 @@ jobs:
-D pki_ds_url=ldap://rootcads.example.com:3389 \
-v

- name: Check security domain config in root CA
run: |
# root CA should run security domain service
cat > expected << EOF
securitydomain.checkIP=false
securitydomain.checkinterval=300000
securitydomain.flushinterval=86400000
securitydomain.host=rootca.example.com
securitydomain.httpport=8080
securitydomain.httpsadminport=8443
securitydomain.name=EXAMPLE
securitydomain.select=new
securitydomain.source=ldap
EOF

docker exec rootca pki-server ca-config-find | grep ^securitydomain. | sort | tee actual
diff expected actual

- name: Check root CA certs
if: always()
run: |
Expand Down Expand Up @@ -101,6 +119,7 @@ jobs:
-D pki_ds_url=ldap://subcads.example.com:3389 \
-D pki_security_domain_uri=https://rootca.example.com:8443 \
-D pki_subordinate_create_new_security_domain=True \
-D pki_subordinate_security_domain_name=SUBORDINATE \
-D pki_issuing_ca_uri=https://rootca.example.com:8443 \
-v

Expand All @@ -120,6 +139,24 @@ jobs:
docker exec subca pki-server ca-user-show caadmin
docker exec subca pki-server ca-user-role-find caadmin

- name: Check security domain config in sub CA
run: |
# sub CA should run security domain service
cat > expected << EOF
securitydomain.checkIP=false
securitydomain.checkinterval=300000
securitydomain.flushinterval=86400000
securitydomain.host=subca.example.com
securitydomain.httpport=8080
securitydomain.httpsadminport=8443
securitydomain.name=SUBORDINATE
securitydomain.select=new
securitydomain.source=ldap
EOF

docker exec subca pki-server ca-config-find | grep ^securitydomain. | sort | tee actual
diff expected actual

- name: Export subordinate CA cert bundle
run: |
cat root-ca_signing.crt > cert_chain.crt
Expand Down Expand Up @@ -182,6 +219,20 @@ jobs:
-D pki_ds_url=ldap://krads.example.com:3389 \
-v

- name: Check security domain config in KRA
run: |
# KRA should join existing security domain in sub CA
cat > expected << EOF
securitydomain.host=subca.example.com
securitydomain.httpport=8080
securitydomain.httpsadminport=8443
securitydomain.name=SUBORDINATE
securitydomain.select=existing
EOF

docker exec kra pki-server kra-config-find | grep ^securitydomain. | sort | tee actual
diff expected actual

- name: Check KRA certs
if: always()
run: |
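Review bot: The "Check security domain config in KRA" step reads only the KRA's own `securitydomain.*` settings, so it shows which domain the KRA is configured to use but not that the sub CA's SUBORDINATE domain actually registered it. This workflow now has two domains (EXAMPLE on the root CA, SUBORDINATE on the sub CA), so a follow-up step that lists the subsystems known to the domain on `subca` and asserts the KRA is among them would presumably catch a KRA that joined the wrong domain or whose registration failed. A matching check against `rootca` that the KRA is absent from EXAMPLE would close the other side. The rest of the job lies outside the visible hunks, so such a step may already exist further down.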
19 changes: 17 additions & 2 deletions .github/workflows/ocsp-basic-test.yml
Expand Up @@ -58,9 +58,9 @@ jobs:

docker exec pki pki-server cert-find

- name: Check CA security domain
- name: Check security domain config in CA
run: |
# security domain should be enabled (i.e. securitydomain.select=new)
# CA should run security domain service
cat > expected << EOF
securitydomain.checkIP=false
securitydomain.checkinterval=300000
Expand All @@ -72,6 +72,7 @@ jobs:
securitydomain.select=new
securitydomain.source=ldap
EOF

docker exec pki pki-server ca-config-find | grep ^securitydomain. | sort | tee actual
diff expected actual

Expand Down Expand Up @@ -102,6 +103,20 @@ jobs:
-D pki_ds_url=ldap://ds.example.com:3389 \
-v

- name: Check security domain config in OCSP
run: |
# OCSP should join security domain in CA
cat > expected << EOF
securitydomain.host=pki.example.com
securitydomain.httpport=8080
securitydomain.httpsadminport=8443
securitydomain.name=EXAMPLE
securitydomain.select=existing
EOF

docker exec pki pki-server ocsp-config-find | grep ^securitydomain. | sort | tee actual
diff expected actual

- name: Check OCSP signing cert
run: |
docker exec pki pki-server cert-export ocsp_signing \
32 changes: 32 additions & 0 deletions .github/workflows/ocsp-separate-test.yml
Expand Up @@ -57,6 +57,24 @@ jobs:

docker exec ca pki-server cert-find

- name: Check security domain config in CA
run: |
# CA should run security domain service
cat > expected << EOF
securitydomain.checkIP=false
securitydomain.checkinterval=300000
securitydomain.flushinterval=86400000
securitydomain.host=ca.example.com
securitydomain.httpport=8080
securitydomain.httpsadminport=8443
securitydomain.name=EXAMPLE
securitydomain.select=new
securitydomain.source=ldap
EOF

docker exec ca pki-server ca-config-find | grep ^securitydomain. | sort | tee actual
diff expected actual

- name: Install banner in CA container
run: docker exec ca cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat

Expand Down Expand Up @@ -96,6 +114,20 @@ jobs:

docker exec ocsp pki-server cert-find

- name: Check security domain config in OCSP
run: |
# OCSP should join security domain in CA
cat > expected << EOF
securitydomain.host=ca.example.com
securitydomain.httpport=8080
securitydomain.httpsadminport=8443
securitydomain.name=EXAMPLE
securitydomain.select=existing
EOF

docker exec ocsp pki-server ocsp-config-find | grep ^securitydomain. | sort | tee actual
diff expected actual

- name: Install banner in OCSP container
run: docker exec ocsp cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat
