Est doc update

.github/workflows/est-ds-realm-separate-test.yml

@@ -93,41 +93,6 @@ jobs:
               --network-alias=estds.example.com \
               estds
 
-      - name: Create EST users
-        run: |
-          docker exec -i estds ldapadd -x -H ldap://estds.example.com:3389 \
-              -D "cn=Directory Manager"  -w Secret.123 << EOF
-          dn: dc=est,dc=pki,dc=example,dc=com
-          objectClass: domain
-          dc: est 
-
-          dn: ou=people,dc=est,dc=pki,dc=example,dc=com
-          ou: people
-          objectClass: top
-          objectClass: organizationalUnit
-
-          dn: ou=groups,dc=est,dc=pki,dc=example,dc=com
-          ou: groups
-          objectClass: top
-          objectClass: organizationalUnit
-
-          dn: uid=est-test-user,ou=people,dc=est,dc=pki,dc=example,dc=com
-          objectClass: top
-          objectClass: person
-          objectClass: organizationalPerson
-          objectClass: inetOrgPerson
-          uid: est-test-user
-          sn: EST TEST USER
-          cn: EST TEST USER
-          userPassword: Secret.123
-
-          dn: cn=estclient,ou=groups,dc=est,dc=pki,dc=example,dc=com
-          objectClass: top
-          objectClass: groupOfUniqueNames
-          cn: estclient
-          uniqueMember: uid=est-test-user,ou=People,dc=est,dc=pki,dc=example,dc=com
-          EOF
-
       - name: Set up EST container
         run: |
           tests/bin/runner-init.sh \
@@ -136,6 +101,12 @@ jobs:
           --network-alias=est.example.com \
           est
 
+      - name: Set up EST user DB
+        run: |
+          docker exec -i est ldapadd -x -H ldap://estds.example.com:3389 \
+              -D "cn=Directory Manager"  -w Secret.123 \
+              -f /usr/share/pki/est/conf/realm/ds/create.ldif
+
       - name: Install EST
         run: |
           docker exec est pkispawn \
@@ -255,6 +226,31 @@ jobs:
           docker exec est openssl x509 -in $SHARED/ca_signing.crt -text -noout | tee expected
           diff expected actual
 
+      - name: Add EST user
+        run: |
+          docker exec -i est ldapadd -x -H ldap://estds.example.com:3389 \
+              -D "cn=Directory Manager"  -w Secret.123 <<EOF
+          dn: uid=est-test-user,ou=people,dc=est,dc=pki,dc=example,dc=com
+          objectClass: top
+          objectClass: person
+          objectClass: organizationalPerson
+          objectClass: inetOrgPerson
+          uid: est-test-user
+          sn: EST TEST USER
+          cn: EST TEST USER
+          userPassword: Secret.123
+          EOF
+
+      - name: Add EST user to EST Users group
+        run: |
+          docker exec -i est ldapmodify -x -H ldap://estds.example.com:3389 \
+              -D "cn=Directory Manager"  -w Secret.123 <<EOF
+          dn: cn=EST Users,ou=groups,dc=est,dc=pki,dc=example,dc=com
+          changetype: modify
+          add: uniqueMember
+          uniqueMember: uid=est-test-user,ou=People,dc=est,dc=pki,dc=example,dc=com
+          EOF
+
       - name: Install est client
         run: |
           docker exec est dnf copr enable -y @pki/libest 
@@ -378,19 +374,3 @@ jobs:
         if: always()
         run: |
           docker exec est find /var/lib/pki/pki-tomcat/logs/est -name "debug.*" -exec cat {} \;
-
-      - name: Gather artifacts
-        if: always()
-        run: |
-          tests/bin/ds-artifacts-save.sh cads
-          tests/bin/ds-artifacts-save.sh estds
-          tests/bin/pki-artifacts-save.sh ca
-          tests/bin/pki-artifacts-save.sh est
-        continue-on-error: true
-
-      - name: Upload artifacts
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: est-ds-separate
-          path: /tmp/artifacts

.github/workflows/est-ds-realm-test.yml

@@ -83,6 +83,12 @@ jobs:
           docker exec pki pki -n caadmin ca-profile-enable estServiceCert
           docker exec pki pki-server restart --wait
 
+      - name: Set up EST user DB
+        run: |
+          docker exec -i pki ldapadd -x -H ldap://ds.example.com:3389 \
+              -D "cn=Directory Manager"  -w Secret.123 \
+              -f /usr/share/pki/est/conf/realm/ds/create.ldif
+
       - name: Install EST
         run: |
           docker exec pki pkispawn \
@@ -225,24 +231,10 @@ jobs:
           diff expected output
 
 
-      - name: Create EST users
+      - name: Create EST user
         run: |
           docker exec -i pki ldapadd -x -H ldap://ds.example.com:3389 \
               -D "cn=Directory Manager"  -w Secret.123 << EOF
-          dn: dc=est,dc=pki,dc=example,dc=com
-          objectClass: domain
-          dc: est 
-
-          dn: ou=people,dc=est,dc=pki,dc=example,dc=com
-          ou: people
-          objectClass: top
-          objectClass: organizationalUnit
-
-          dn: ou=groups,dc=est,dc=pki,dc=example,dc=com
-          ou: groups
-          objectClass: top
-          objectClass: organizationalUnit
-
           dn: uid=est-test-user,ou=people,dc=est,dc=pki,dc=example,dc=com
           objectClass: top
           objectClass: person
@@ -254,11 +246,15 @@ jobs:
           cn: EST TEST USER
           usertype: undefined
           userPassword: Secret.123
+          EOF
 
-          dn: cn=estclient,ou=groups,dc=est,dc=pki,dc=example,dc=com
-          objectClass: top
-          objectClass: groupOfUniqueNames
-          cn: estclient
+      - name: Add EST user to EST Users group
+        run: |
+          docker exec -i pki ldapmodify -x -H ldap://ds.example.com:3389 \
+              -D "cn=Directory Manager"  -w Secret.123 << EOF
+          dn: cn=EST Users,ou=groups,dc=est,dc=pki,dc=example,dc=com
+          changetype: modify
+          add: uniqueMember
           uniqueMember: uid=est-test-user,ou=People,dc=est,dc=pki,dc=example,dc=com
           EOF
 
@@ -438,17 +434,3 @@ jobs:
         if: always()
         run: |
           docker exec pki find /var/lib/pki/pki-tomcat/logs/est -name "debug.*" -exec cat {} \;
-
-      - name: Gather artifacts
-        if: always()
-        run: |
-          tests/bin/ds-artifacts-save.sh ds
-          tests/bin/pki-artifacts-save.sh pki
-        continue-on-error: true
-
-      - name: Upload artifacts
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: est-ds-basic
-          path: /tmp/artifacts

.github/workflows/est-postgresql-realm-test.yml

@@ -152,15 +152,10 @@ jobs:
           docker exec pki ln -s /usr/share/java/ongres-stringprep/stringprep.jar /usr/share/pki/server/common/lib/
           docker exec pki pki-server restart --wait
 
-      - name: Add EST user
+      - name: Set up EST user DB
         run: |
           docker cp ./base/est/shared/realm/postgresql/create.sql postgresql:/tmp/create.sql
           docker exec postgresql psql -U est -t -A -f /tmp/create.sql  est
-          DIGEST=$(docker exec pki tomcat-digest Secret.123 | sed 's/.*://')
-
-          docker exec postgresql psql -U est -t -A -c "INSERT INTO users VALUES ('est-test-user', 'EST TEST USER', '$DIGEST');"  est 
-          docker exec postgresql psql -U est -t -A -c "INSERT INTO groups VALUES ('estclient', 'EST TEST USERS');"  est 
-          docker exec postgresql psql -U est -t -A -c "INSERT INTO group_members VALUES ('estclient', 'est-test-user');"  est 
 
       - name: Install EST
         run: |
@@ -316,6 +311,13 @@ jobs:
           docker exec pki openssl x509 -in ca_signing.crt -text -noout | tee expected
           diff expected actual
 
+      - name: Add EST user
+        run: |
+          DIGEST=$(docker exec pki tomcat-digest Secret.123 | sed 's/.*://')
+
+          docker exec postgresql psql -U est -t -A -c "INSERT INTO users VALUES ('est-test-user', 'EST TEST USER', '$DIGEST');"  est 
+          docker exec postgresql psql -U est -t -A -c "INSERT INTO group_members VALUES ('EST Users', 'est-test-user');"  est 
+
       - name: Install est client
         run: |
           docker exec pki dnf copr enable -y @pki/libest 
@@ -479,17 +481,3 @@ jobs:
         if: always()
         run: |
           docker exec pki find /var/lib/pki/pki-tomcat/logs/est -name "debug.*" -exec cat {} \;
-
-      - name: Gather artifacts
-        if: always()
-        run: |
-          tests/bin/ds-artifacts-save.sh ds
-          tests/bin/pki-artifacts-save.sh pki
-        continue-on-error: true
-
-      - name: Upload artifacts
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: est-postgresql-basic
-          path: /tmp/artifacts

.github/workflows/est-separate-provided-certs-test.yml

@@ -127,41 +127,6 @@ jobs:
               --network-alias=estds.example.com \
               estds
 
-      - name: Create EST users
-        run: |
-          docker exec -i estds ldapadd -x -H ldap://estds.example.com:3389 \
-              -D "cn=Directory Manager"  -w Secret.123 << EOF
-          dn: dc=est,dc=pki,dc=example,dc=com
-          objectClass: domain
-          dc: est 
-
-          dn: ou=people,dc=est,dc=pki,dc=example,dc=com
-          ou: people
-          objectClass: top
-          objectClass: organizationalUnit
-
-          dn: ou=groups,dc=est,dc=pki,dc=example,dc=com
-          ou: groups
-          objectClass: top
-          objectClass: organizationalUnit
-
-          dn: uid=est-test-user,ou=people,dc=est,dc=pki,dc=example,dc=com
-          objectClass: top
-          objectClass: person
-          objectClass: organizationalPerson
-          objectClass: inetOrgPerson
-          uid: est-test-user
-          sn: EST TEST USER
-          cn: EST TEST USER
-          userPassword: Secret.123
-
-          dn: cn=estclient,ou=groups,dc=est,dc=pki,dc=example,dc=com
-          objectClass: top
-          objectClass: groupOfUniqueNames
-          cn: estclient
-          uniqueMember: uid=est-test-user,ou=People,dc=est,dc=pki,dc=example,dc=com
-          EOF
-
       - name: Set up EST container
         run: |
           tests/bin/runner-init.sh \
@@ -170,6 +135,12 @@ jobs:
           --network-alias=est.example.com \
           est
 
+      - name: Set up EST user DB
+        run: |
+          docker exec -i est ldapadd -x -H ldap://estds.example.com:3389 \
+              -D "cn=Directory Manager"  -w Secret.123 \
+              -f /usr/share/pki/est/conf/realm/ds/create.ldif
+
       - name: Install EST
         run: |
           docker exec est pkispawn \
@@ -291,6 +262,31 @@ jobs:
           docker exec est openssl x509 -in $SHARED/ca_signing.crt -text -noout | tee expected
           diff expected actual
 
+      - name: Create EST user
+        run: |
+          docker exec -i est ldapadd -x -H ldap://estds.example.com:3389 \
+              -D "cn=Directory Manager"  -w Secret.123 << EOF
+          dn: uid=est-test-user,ou=people,dc=est,dc=pki,dc=example,dc=com
+          objectClass: top
+          objectClass: person
+          objectClass: organizationalPerson
+          objectClass: inetOrgPerson
+          uid: est-test-user
+          sn: EST TEST USER
+          cn: EST TEST USER
+          userPassword: Secret.123
+          EOF
+
+      - name: Add EST user to EST Users group
+        run: |
+          docker exec -i est ldapmodify -x -H ldap://estds.example.com:3389 \
+              -D "cn=Directory Manager"  -w Secret.123 << EOF
+          dn: cn=EST Users,ou=groups,dc=est,dc=pki,dc=example,dc=com
+          changetype: modify
+          add: uniqueMember
+          uniqueMember: uid=est-test-user,ou=People,dc=est,dc=pki,dc=example,dc=com
+          EOF
+
       - name: Install est client
         run: |
           docker exec est dnf copr enable -y @pki/libest 
@@ -414,19 +410,3 @@ jobs:
         if: always()
         run: |
           docker exec est find /var/lib/pki/pki-tomcat/logs/est -name "debug.*" -exec cat {} \;
-
-      - name: Gather artifacts
-        if: always()
-        run: |
-          tests/bin/ds-artifacts-save.sh cads
-          tests/bin/ds-artifacts-save.sh estds
-          tests/bin/pki-artifacts-save.sh ca
-          tests/bin/pki-artifacts-save.sh est
-        continue-on-error: true
-
-      - name: Upload artifacts
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: est-separate-provided-certs
-          path: /tmp/artifacts

base/est/bin/estauthz

@@ -1,6 +1,6 @@
 #!/usr/bin/python3
 import json, sys
-ALLOWED_ROLE = 'estclient'
+ALLOWED_ROLE = 'EST Users'
 obj = json.loads(sys.stdin.read())
 if not ALLOWED_ROLE in obj['authzData']['principal']['roles']:
     print(f'Principal does not have required role {ALLOWED_ROLE!r}')

base/est/shared/realm/ds/create.ldif

@@ -0,0 +1,20 @@
+dn: dc=est,dc=pki,dc=example,dc=com
+objectClass: domain
+dc: est
+
+dn: ou=people,dc=est,dc=pki,dc=example,dc=com
+ou: people
+objectClass: top
+objectClass: organizationalUnit
+
+dn: ou=groups,dc=est,dc=pki,dc=example,dc=com
+ou: groups
+objectClass: top
+objectClass: organizationalUnit
+
+dn: cn=EST Users,ou=groups,dc=est,dc=pki,dc=example,dc=com
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: EST Users
+description: Users enabled to enroll certificate
+

base/est/shared/realm/postgresql/create.sql

@@ -21,3 +21,5 @@ CREATE TABLE "group_members" (
     "user_id"          VARCHAR NOT NULL,
     PRIMARY KEY ("group_id", "user_id")
 );
+
+INSERT INTO groups VALUES ('EST Users', 'Users enabled to enroll certificates');

base/server/python/pki/server/subsystem.py

@@ -3010,7 +3010,7 @@ def get_realm_config(self, realm_type=None):
 
         if realm_type:
             # if realm type is specified, load the realm.conf template
-            realm_conf = os.path.join(template_dir, '%s.conf' % realm_type)
+            realm_conf = os.path.join(template_dir, realm_type, '%s.conf' % realm_type)
         else:
             # otherwise, load the current realm.conf in the instance
             realm_conf = self.realm_conf