Add test for CA password policy enforcement

.github/workflows/ca-password-enforcement-test.yml

@@ -0,0 +1,152 @@
+name: CA password enforcement
+
+on: workflow_call
+
+env:
+  DS_IMAGE: ${{ vars.DS_IMAGE || 'quay.io/389ds/dirsrv' }}
+
+jobs:
+  # docs/installation/kra/Installing_KRA.md
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    env:
+      SHARED: /tmp/workdir/pki
+    steps:
+      - name: Clone repository
+        uses: actions/checkout@v4
+
+      - name: Retrieve PKI images
+        uses: actions/cache@v4
+        with:
+          key: pki-images-${{ github.sha }}
+          path: pki-images.tar
+
+      - name: Load PKI images
+        run: docker load --input pki-images.tar
+
+      - name: Create network
+        run: docker network create example
+
+      - name: Set up DS container
+        run: |
+          tests/bin/ds-create.sh \
+              --image=${{ env.DS_IMAGE }} \
+              --hostname=ds.example.com \
+              --password=Secret.123 \
+              ds
+
+      - name: Connect DS container to network
+        run: docker network connect example ds --alias ds.example.com
+
+      - name: Set up PKI container
+        run: |
+          tests/bin/runner-init.sh pki
+        env:
+          HOSTNAME: pki.example.com
+
+      - name: Connect PKI container to network
+        run: docker network connect example pki --alias pki.example.com
+
+      - name: Install CA
+        run: |
+          docker exec pki pkispawn \
+              -f /usr/share/pki/server/examples/installation/ca.cfg \
+              -s CA \
+              -D pki_ds_url=ldap://ds.example.com:3389 \
+              -v
+
+          docker exec pki pki-server cert-find
+
+      - name: Install KRA
+        run: |
+          docker exec pki pkispawn \
+              -f /usr/share/pki/server/examples/installation/kra.cfg \
+              -s KRA \
+              -D pki_ds_url=ldap://ds.example.com:3389 \
+              -v
+
+      - name: Configure CA admin cert
+        run: |
+          docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
+
+          docker exec pki pki nss-cert-import \
+              --cert ca_signing.crt \
+              --trust CT,C,C \
+              ca_signing
+
+          docker exec pki pki pkcs12-import \
+              --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
+              --pkcs12-password Secret.123
+          docker exec pki pki -n caadmin ca-user-show caadmin
+
+      - name: Request profile
+        run: |
+          docker exec pki dnf install -y jq
+          docker exec pki curl --cacert ca_signing.crt -o req-tmp.json https://pki.example.com:8443/ca/rest/certrequests/profiles/caServerKeygen_UserCert
+          docker exec pki jq '.Input[0].Attribute[1].Value|="RSA" | .Input[0].Attribute[2].Value|="2048" | .Input[1].Attribute[0].Value|="test1"' req.json >req.json
+          
+      - name: Submit request with good password
+        run: |
+          jq '.Input[0].Attribute[0].Value|="k342r09cmIJmklOLIJ,lwerkln234lik-[df"' req.json | \
+             docker exec -i pki curl --cacert ca_signing.crt --json @- -o output https://pki.example.com:8443/ca/rest/certrequests
+
+          echo '"pending"' > expected
+          docker exec pki jq '.entries[0].requestStatus' output > actual
+          diff expected actual
+
+      - name: Submit request with short password
+        run: |
+          jq '.Input[0].Attribute[0].Value|="k342r0"' req.json | \
+             docker exec -i pki curl --cacert ca_signing.crt --json @- -o output https://pki.example.com:8443/ca/rest/certrequests
+
+          cat > expected <<EOF
+          "rejected"
+          "The password must be at least 20 characters"
+          EOF
+          docker exec pki jq '.entries[0].requestStatus, .entries[0].errorMessage' output > actual
+          diff expected actual
+
+      - name: Submit request with numberic password
+        run: |
+          jq '.Input[0].Attribute[0].Value|="1234567890246801357938"' req.json | \
+             docker exec -i pki curl --cacert ca_signing.crt --json @- -o output https://pki.example.com:8443/ca/rest/certrequests
+
+          cat > expected <<EOF
+          "rejected"
+          "The password requires at least 2 upper case letter(s)"
+          EOF
+          docker exec pki jq '.entries[0].requestStatus, .entries[0].errorMessage' output > actual
+          diff expected actual
+
+      - name: Disable password policy
+        run: |
+          docker exec pki sed -i \
+              's/^policyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9,11/policyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9/' \
+              /etc/pki/pki-tomcat/ca/profiles/ca/caServerKeygen_UserCert.cfg
+          docker exec pki-server ca redeploy --wait
+
+      - name: Submit request with minimal password
+        run: |
+          jq '.Input[0].Attribute[0].Value|="1"' req.json | \
+              docker exec -i pki curl --cacert ca_signing.crt --json @- -o output https://pki.example.com:8443/ca/rest/certrequests
+
+          echo '"pending"' > expected
+          docker exec pki jq '.entries[0].requestStatus' output > actual
+          diff expected actual
+
+      - name: Remove KRA
+        run: docker exec pki pkidestroy -s KRA -v
+
+      - name: Remove CA
+        run: docker exec pki pkidestroy -s CA -v
+
+      - name: Check CA debug log
+        if: always()
+        run: |
+          docker exec pki find /var/lib/pki/pki-tomcat/logs/ca -name "debug.*" -exec cat {} \;
+
+      - name: Check KRA debug log
+        if: always()
+        run: |
+          docker exec pki find /var/lib/pki/pki-tomcat/logs/kra -name "debug.*" -exec cat {} \;

.github/workflows/ca-tests2.yml

@@ -83,6 +83,11 @@ jobs:
     needs: build
     uses: ./.github/workflows/ca-nuxwdog-test.yml
 
+  ca-password-enforcment-test:
+    name: CA password enforcement
+    needs: build
+    uses: ./.github/workflows/ca-password-enforcement-test.yml
+
   scep-test:
     name: SCEP responder
     needs: build

base/server/src/main/resources/UserMessages.properties

@@ -577,9 +577,9 @@ CMS_PASSWORD_INVALID_LEN=The password must be at least {0} characters
 CMS_PASSWORD_INVALID_LEN_1=The password must be at least {0} characters
 CMS_PASSWORD_NON_ALPHANUMERIC=The password contains non-alphanumeric characters
 CMS_PASSWORD_MISSING_PUNCTUATION=The password requires at least {0} punctuation symbol(s)
-CMS_PASSWORD_MISSING_NUMERIC=The password requires at least {0} numeric digit(s), excluding digits in the final position
+CMS_PASSWORD_MISSING_NUMERIC=The password requires at least {0} numeric digit(s)
 CMS_PASSWORD_MISSING_NUMERIC_1=The password requires at least {0} numeric digit(s)
-CMS_PASSWORD_MISSING_UPPER_CASE=The password requires at least {0} upper case letter(s), excluding capitals in the initial position
+CMS_PASSWORD_MISSING_UPPER_CASE=The password requires at least {0} upper case letter(s)
 CMS_PASSWORD_MISSING_UPPER_CASE_1=The password requires at least {0} upper case letter(s)
 CMS_PASSWORD_MISSING_LOWER_CASE=The password requires at least {0} lower case letter(s)
 CMS_PASSWORD_MISSING_LOWER_CASE_1=The password requires at least {0} lower case letter(s)