From 1aa259fcc6d56eca275e27c2a093610a0ea4d6ea Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Thu, 20 Jun 2024 14:46:12 -0500
Subject: [PATCH] Update container tests to check server info
---
 .github/workflows/acme-container-test.yml | 43 +++++++++++++------
 .../ca-container-existing-certs-test.yml | 28 +++++-------
 .../ca-container-existing-config-test.yml | 32 ++++++++------
 .../workflows/ca-container-migration-test.yml | 17 +++++---
 .github/workflows/kra-container-test.yml | 25 ++++++++---
 .github/workflows/ocsp-container-test.yml | 25 ++++++++---
 .github/workflows/server-container-test.yml | 16 +++---
 .github/workflows/tks-container-test.yml | 19 +++++++-
 .github/workflows/tps-container-test.yml | 18 ++++++--
 9 files changed, 146 insertions(+), 77 deletions(-)
diff --git a/.github/workflows/acme-container-test.yml b/.github/workflows/acme-container-test.yml
index 1d3f7b22e2e..58a374bf9a5 100644
--- a/.github/workflows/acme-container-test.yml
+++ b/.github/workflows/acme-container-test.yml
@@ -177,40 +177,59 @@ jobs:
 -U https://acme.example.com:8443 \
 acme-info
- - name: Verify certbot in client container
+ - name: Register ACME account
 run: |
 docker exec client certbot register \
 --server http://acme.example.com:8080/acme/directory \
 --email user1@example.com \
 --agree-tos \
 --non-interactive
+
+ - name: Enroll client cert
+ run: |
 docker exec client certbot certonly \
 --server http://acme.example.com:8080/acme/directory \
 -d client.example.com \
 --key-type rsa \
 --standalone \
 --non-interactive
- docker exec client openssl x509 -text -noout -in /etc/letsencrypt/live/client.example.com/fullchain.pem
+
+ - name: Check client cert
+ run: |
+ docker exec client openssl x509 \
+ -text \
+ -noout \
+ -in /etc/letsencrypt/live/client.example.com/fullchain.pem
+
+ - name: Renew client cert
+ run: |
 docker exec client certbot renew \
 --server http://acme.example.com:8080/acme/directory \
 --cert-name client.example.com \
 --force-renewal \
 --no-random-sleep-on-renew \
 --non-interactive
- #
- # By default the pki-acme container uses NSS issuer (instead of
- # PKI issuer) which does not support cert revocation, so the
- # revocation test is disabled.
- #
- # docker exec client certbot revoke \
- # --server http://acme.example.com:8080/acme/directory \
- # --cert-name client.example.com \
- # --non-interactive
- #
+
+ # - name: Revoke client cert
+ # run: |
+ # By default the pki-acme container uses NSS issuer (instead of
+ # PKI issuer) which does not support cert revocation, so the
+ # revocation test is disabled.
+ #
+ # docker exec client certbot revoke \
+ # --server http://acme.example.com:8080/acme/directory \
+ # --cert-name client.example.com \
+ # --non-interactive
+
+ - name: Update ACME account
+ run: |
 docker exec client certbot update_account \
 --server http://acme.example.com:8080/acme/directory \
 --email user2@example.com \
 --non-interactive
+
+ - name: Remove ACME account
+ run: |
 docker exec client certbot unregister \
 --server http://acme.example.com:8080/acme/directory \
 --non-interactive
diff --git a/.github/workflows/ca-container-existing-certs-test.yml b/.github/workflows/ca-container-existing-certs-test.yml
index dc4ad2e1b98..6d22fabcfd7 100644
--- a/.github/workflows/ca-container-existing-certs-test.yml
+++ b/.github/workflows/ca-container-existing-certs-test.yml
@@ -321,13 +321,19 @@ jobs:
 diff expected output
- - name: Check basic operations from CA container
+ - name: Check CA info
 run: |
- # check PKI server info
- docker exec ca pki info
+ docker exec ca pki-server cert-export \
+ --cert-file ca_signing.crt \
+ ca_signing
+
+ docker cp ca:ca_signing.crt .
+
+ docker exec client pki nss-cert-import \
+ --cert $SHARED/ca_signing.crt \
+ --trust CT,C,C \
+ ca_signing
- - name: Check basic operations from client container
- run: |
 # check PKI server info
 docker exec client pki \
 -U https://ca.example.com:8443 \
@@ -347,21 +353,9 @@ jobs:
 - name: Initialize CA database
 run: |
 docker exec ca pki-server ca-db-init -v
-
- - name: Add CA search indexes
- run: |
 docker exec ca pki-server ca-db-index-add -v
-
- - name: Rebuild CA search indexes
- run: |
 docker exec ca pki-server ca-db-index-rebuild -v
-
- - name: Add CA VLV indexes
- run: |
 docker exec ca pki-server ca-db-vlv-add -v
-
- - name: Rebuild CA VLV indexes
- run: |
 docker exec ca pki-server ca-db-vlv-reindex -v
 - name: Import CA signing cert into CA database
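Review bot: The new `Check client cert` step only prints the certificate, so nothing in it fails the job if certbot obtained a certificate for the wrong name or from an unexpected issuer. Now that the step stands on its own it could assert the subjectAltName, e.g. `docker exec client openssl x509 -noout -text -in /etc/letsencrypt/live/client.example.com/fullchain.pem | grep -q 'DNS:client.example.com'`, and the `Renew client cert` step could record the serial before and after `--force-renewal` and fail if it is unchanged. The directory URL remains plain `http://` on port 8080, which is fine for a harness but deserves a one-line comment stating why (presumably because certbot does not trust the test CA; not visible here). The revoke step stays commented out, so revocation is still untested in this workflow.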
diff --git a/.github/workflows/ca-container-existing-config-test.yml b/.github/workflows/ca-container-existing-config-test.yml
index dfebdb4420e..3ed8a86d4a7 100644
--- a/.github/workflows/ca-container-existing-config-test.yml
+++ b/.github/workflows/ca-container-existing-config-test.yml
@@ -71,26 +71,29 @@ jobs:
 --network-alias=client.example.com \
 client
- - name: Check admin user
+ - name: Check CA info
 run: |
- mkdir certs
-
- # install CA signing cert
 docker exec pki pki-server cert-export \
- --cert-file $SHARED/certs/ca_signing.crt \
+ --cert-file ca_signing.crt \
 ca_signing
+ docker cp pki:ca_signing.crt .
+
 docker exec client pki nss-cert-import \
- --cert $SHARED/certs/ca_signing.crt \
+ --cert $SHARED/ca_signing.crt \
 --trust CT,C,C \
 ca_signing
- # install admin cert
- docker exec pki cp \
- /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
- $SHARED/certs/admin.p12
+ docker exec client pki \
+ -U https://ca.example.com:8443 \
+ info
+
+ - name: Check CA admin user
+ run: |
+ docker cp pki:/root/.dogtag/pki-tomcat/ca_admin_cert.p12 .
+
 docker exec client pki pkcs12-import \
- --pkcs12 $SHARED/certs/admin.p12 \
+ --pkcs12 $SHARED/ca_admin_cert.p12 \
 --password Secret.123
 docker exec client pki \
@@ -106,6 +109,8 @@ jobs:
 - name: Export certs
 run: |
+ mkdir certs
+
 # export system certs and keys
 docker exec pki pki \
 -v \
@@ -144,6 +149,9 @@ jobs:
 /var/lib/pki/pki-tomcat/conf/certs/ca_admin.csr \
 $SHARED/certs/admin.csr
+ # export admin cert and key
+ docker cp pki:/root/.dogtag/pki-tomcat/ca_admin_cert.p12 certs/admin.p12
+
 docker exec pki pki pkcs12-cert-find \
 --pkcs12 $SHARED/certs/admin.p12 \
 --password Secret.123
@@ -278,7 +286,7 @@ jobs:
 diff expected output
- - name: Check admin user again
+ - name: Check CA admin user again
 run: |
 docker exec client pki \
 -U https://ca.example.com:8443 \
diff --git a/.github/workflows/ca-container-migration-test.yml b/.github/workflows/ca-container-migration-test.yml
index b9d8f6b78aa..ef52e0e25bf 100644
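Review bot: The `Export certs` hunk copies the admin PKCS#12 out of the container a second time (`docker cp pki:/root/.dogtag/pki-tomcat/ca_admin_cert.p12 certs/admin.p12`) even though the `Check CA admin user` step earlier in this file already placed the same file at `./ca_admin_cert.p12`; reusing it, `cp ca_admin_cert.p12 certs/admin.p12`, avoids a second export of the admin private key and keeps the two steps in sync if the in-container path changes. Both copies contain the admin private key protected only by the fixed password `Secret.123`, which is fine for a throwaway CI instance but worth a comment such as `# test-only admin key; never upload the workspace as an artifact` if any later step archives the workspace (not visible in this hunk). The enclosing `Export certs` step starts at the `@@ -106` hunk and its remainder lies outside these hunks.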
--- a/.github/workflows/ca-container-migration-test.yml
+++ b/.github/workflows/ca-container-migration-test.yml
@@ -62,9 +62,8 @@ jobs:
 --network-alias=client.example.com \
 client
- - name: Check admin user
+ - name: Check CA info
 run: |
- # install CA signing cert
 docker exec pki pki-server cert-export \
 --cert-file $SHARED/ca_signing.crt \
 ca_signing
@@ -74,12 +73,16 @@ jobs:
 --trust CT,C,C \
 ca_signing
- # install admin cert
- docker exec pki cp \
- /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
- $SHARED/admin.p12
+ docker exec client pki \
+ -U https://pki.example.com:8443 \
+ info
+
+ - name: Check CA admin user
+ run: |
+ docker cp pki:/root/.dogtag/pki-tomcat/ca_admin_cert.p12 .
+
 docker exec client pki pkcs12-import \
- --pkcs12 $SHARED/admin.p12 \
+ --pkcs12 $SHARED/ca_admin_cert.p12 \
 --password Secret.123
 docker exec client pki \
diff --git a/.github/workflows/kra-container-test.yml b/.github/workflows/kra-container-test.yml
index 032e7e995d5..353e50f4116 100644
--- a/.github/workflows/kra-container-test.yml
+++ b/.github/workflows/kra-container-test.yml
@@ -77,6 +77,23 @@ jobs:
 -o /dev/null \
 https://ca.example.com:8443
+ - name: Check CA info
+ run: |
+ docker exec ca pki-server cert-export \
+ --cert-file ca_signing.crt \
+ ca_signing
+
+ docker cp ca:ca_signing.crt .
+
+ docker exec client pki nss-cert-import \
+ --cert $SHARED/ca_signing.crt \
+ --trust CT,C,C \
+ ca_signing
+
+ docker exec client pki \
+ -U https://ca.example.com:8443 \
+ info
+
 - name: Set up CA DS container
 run: |
 tests/bin/ds-container-create.sh \
@@ -426,14 +443,8 @@ jobs:
 diff expected output
- - name: Check basic operations from KRA container
- run: |
- # check PKI server info
- docker exec kra pki info
-
- - name: Check basic operations from client container
+ - name: Check KRA info
 run: |
- # check PKI server info
 docker exec client pki \
 -U https://kra.example.com:8443 \
 info
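Review bot: The `Check CA info` step added at `@@ -77,6 +77,23 @@` is a verbatim copy of the block added to the ocsp, tks, tps and ca-container-existing-certs workflows in this same patch (cert-export, `docker cp`, `nss-cert-import`, `pki info`), so any later change, such as a different export path or trust flags, has to be made in five places. The repository already keeps shared steps as scripts (`tests/bin/ds-container-create.sh` appears in the context lines), and a `tests/bin/ca-cert-import.sh <ca-container> <client-container>` following that pattern would keep the workflows in step. As a least-privilege nit, `--trust CT,C,C` also marks the test CA as trusted for email and object signing, whereas validating the server's TLS certificate only needs `CT,,`; the `C,C` appears to follow the existing convention in this repository, so this is optional. The relative `docker cp ca:ca_signing.crt .` resolves against the container root, so it only matches where `pki-server cert-export` wrote the file if the container's working directory is `/`, which is not visible in this hunk.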
diff --git a/.github/workflows/ocsp-container-test.yml b/.github/workflows/ocsp-container-test.yml
index dae09203eea..a9323241224 100644
--- a/.github/workflows/ocsp-container-test.yml
+++ b/.github/workflows/ocsp-container-test.yml
@@ -78,6 +78,23 @@ jobs:
 -o /dev/null \
 https://ca.example.com:8443
+ - name: Check CA info
+ run: |
+ docker exec ca pki-server cert-export \
+ --cert-file ca_signing.crt \
+ ca_signing
+
+ docker cp ca:ca_signing.crt .
+
+ docker exec client pki nss-cert-import \
+ --cert $SHARED/ca_signing.crt \
+ --trust CT,C,C \
+ ca_signing
+
+ docker exec client pki \
+ -U https://ca.example.com:8443 \
+ info
+
 - name: Set up CA DS container
 run: |
 tests/bin/ds-container-create.sh \
@@ -406,14 +423,8 @@ jobs:
 diff expected output
- - name: Check basic operations from OCSP container
- run: |
- # check PKI server info
- docker exec ocsp pki info
-
- - name: Check basic operations from client container
+ - name: Check OCSP info
 run: |
- # check PKI server info
 docker exec client pki \
 -U https://ocsp.example.com:8443 \
 info
diff --git a/.github/workflows/server-container-test.yml b/.github/workflows/server-container-test.yml
index 897ed456b10..004cced5a32 100644
--- a/.github/workflows/server-container-test.yml
+++ b/.github/workflows/server-container-test.yml
@@ -125,26 +125,22 @@ jobs:
 diff expected output
- - name: Check server info locally
- run: |
- docker exec server pki info
-
- - name: Install CA signing cert
+ - name: Check server info
 run: |
 docker exec server pki \
 -d /conf/alias \
 -f /conf/password.conf \
 nss-cert-export \
- --output-file /conf/certs/ca_signing.crt \
+ --output-file ca_signing.crt \
 ca_signing
+ docker cp server:ca_signing.crt .
+
 docker exec client pki nss-cert-import \
- --cert $SHARED/conf/certs/ca_signing.crt \
+ --cert $SHARED/ca_signing.crt \
 --trust CT,C,C \
 ca_signing
- - name: Check server info remotely
- run: |
 docker exec client pki \
 -U https://pki.example.com:8443 \
 info
@@ -164,7 +160,7 @@ jobs:
 -o /dev/null \
 https://pki.example.com:8443
- - name: Check server info remotely again
+ - name: Check server info again
 run: |
 docker exec client pki \
 -U https://pki.example.com:8443 \
diff --git a/.github/workflows/tks-container-test.yml b/.github/workflows/tks-container-test.yml
index 011d46b90d2..31c750e43d7 100644
--- a/.github/workflows/tks-container-test.yml
+++ b/.github/workflows/tks-container-test.yml
@@ -78,6 +78,23 @@ jobs:
 -o /dev/null \
 https://ca.example.com:8443
+ - name: Check CA info
+ run: |
+ docker exec ca pki-server cert-export \
+ --cert-file ca_signing.crt \
+ ca_signing
+
+ docker cp ca:ca_signing.crt .
+
+ docker exec client pki nss-cert-import \
+ --cert $SHARED/ca_signing.crt \
+ --trust CT,C,C \
+ ca_signing
+
+ docker exec client pki \
+ -U https://ca.example.com:8443 \
+ info
+
 - name: Set up CA DS container
 run: |
 tests/bin/ds-container-create.sh \
@@ -388,7 +405,7 @@ jobs:
 diff expected output
- - name: Check TKS server info
+ - name: Check TKS info
 run: |
 docker exec client pki \
 -U https://tks.example.com:8443 \
diff --git a/.github/workflows/tps-container-test.yml b/.github/workflows/tps-container-test.yml
index e81a2a425b1..bc71c473c66 100644
--- a/.github/workflows/tps-container-test.yml
+++ b/.github/workflows/tps-container-test.yml
@@ -73,8 +73,7 @@ jobs:
 --detach \
 pki-ca
- - name: Wait for CA to start
- run: |
+ # wait for CA to start
 docker exec client curl \
 --retry 180 \
 --retry-delay 0 \
@@ -84,18 +83,23 @@ jobs:
 -o /dev/null \
 https://ca.example.com:8443
+ - name: Check CA info
+ run: |
 docker exec ca pki-server cert-export \
 --cert-file ca_signing.crt \
 ca_signing
 docker cp ca:ca_signing.crt .
- docker exec client pki \
- nss-cert-import \
+ docker exec client pki nss-cert-import \
 --cert $SHARED/ca_signing.crt \
 --trust CT,C,C \
 ca_signing
+ docker exec client pki \
+ -U https://ca.example.com:8443 \
+ info
+
 - name: Set up CA DS container
 run: |
 tests/bin/ds-container-create.sh \
@@ -800,6 +804,12 @@ jobs:
 diff expected output
+ - name: Check TPS info
+ run: |
+ docker exec client pki \
+ -U https://tps.example.com:8443 \
+ info
+
 - name: Set up TPS DS container
 run: |
 tests/bin/ds-container-create.sh \
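Review bot: The new `Check TPS info` step only verifies that `pki info` exits successfully; its output is not compared with anything, unlike the neighbouring step that ends with `diff expected output`. If the info output is stable across runs (not visible here), capturing it with `docker exec client pki -U https://tps.example.com:8443 info > output` and diffing it against an expected file would let the step catch a wrong subsystem or version string rather than only a connection failure; the same applies to the `Check CA info`, `Check KRA info`, `Check OCSP info` and `Check TKS info` steps added elsewhere in this patch. The HTTPS call succeeds only if the client's NSS database trusts the issuer of the TPS server certificate, which this patch establishes in the earlier `Check CA info` step, so a comment such as `# relies on the CA signing cert imported in "Check CA info"` would make that ordering dependency explicit.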