From d0f53fffccbca521388742f55a818163919a7c6f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=98yvind=20Hagberg?= Date: Fri, 11 Oct 2024 15:20:48 +0200 Subject: [PATCH] Fix various things so the test scripts pass (#197) * Ser om dette virker * Change container names because of new docker compose * Add a default server.conf to the container * Fix openssl version (regression) * Create the upload directory * Modify test so it doesn't rely on cgi script file * Make postArchive.go not care about content type * Fix the cfengine test * hostname without domain is no show stopper * Fix a test that didn't use the correct content-type * Bump version * Remove unnecessary config from test_cfengine.sh --- .github/workflows/ci.yaml | 28 +++---- VERSION | 2 +- ci/docker/Dockerfile | 3 +- ci/docker/api_Dockerfile | 9 ++- client/nivlheim_client | 2 +- client/windows/nivlheim_client.ps1 | 2 +- debian/changelog | 6 ++ server/entrypoint.sh | 2 +- server/server.conf | 12 +-- server/service/postArchive.go | 121 +++++++++++------------------ server/service/processarchive.go | 28 ++++--- tests/test_cert_handling.sh | 23 +++--- tests/test_cfengine.sh | 17 ++-- tests/test_change_ca.sh | 18 ++--- tests/test_client_timing.sh | 8 +- tests/test_clones.sh | 14 ++-- tests/test_powershell.sh | 2 +- 17 files changed, 137 insertions(+), 160 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 9f926ee7..601bbf4b 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -8,7 +8,7 @@ name: CI jobs: build: name: Build server image - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest services: postgres: image: postgres:15 
@@ -43,7 +43,7 @@ jobs: VERSION="$VERSION-$GITHUB_REF_NAME" fi echo "version=$VERSION" - docker build --file ci/docker/api_Dockerfile --tag nivlheim:latest --build-arg version=$VERSION server/service + docker build --file ci/docker/api_Dockerfile --tag nivlheim:latest --build-arg version=$VERSION . - name: Docker save run: docker save nivlheim | gzip > nivlheim-image.tar.gz - name: Upload artifact @@ -54,7 +54,7 @@ jobs: buildwww: name: Build httpd+cgi image - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 @@ -73,7 +73,7 @@ jobs: buildclient: name: Build client image - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 @@ -93,7 +93,7 @@ jobs: test-scripts: name: Run test scripts needs: [build, buildwww, buildclient] - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest strategy: matrix: test: @@ -115,7 +115,7 @@ jobs: docker load --input nivlheim-image.tar.gz/nivlheim-image.tar.gz docker load --input nivlheim-client.tar.gz/nivlheim-client.tar.gz - name: Start containers - run: docker-compose -f "ci/docker/docker-compose.yml" up -d + run: docker compose -f "ci/docker/docker-compose.yml" up -d - name: SSL handshake run: openssl s_client -connect localhost:443 -prexit continue-on-error: true 
@@ -125,25 +125,25 @@ jobs: run: tests/test_${{ matrix.test }} - name: Retrieve logs from Docker if: always() - run: docker-compose -f "ci/docker/docker-compose.yml" logs + run: docker compose -f "ci/docker/docker-compose.yml" logs - name: Retrieve server logs if: always() run: | echo "------- access_log -------------------------------" - docker exec docker_nivlheimweb_1 grep -v 127.0.0.1 /var/log/httpd/access_log || true + docker exec docker-nivlheimweb-1 grep -v 127.0.0.1 /var/log/httpd/access_log || true echo "------- error_log --------------------------------" - docker exec docker_nivlheimweb_1 cat /var/log/httpd/error_log || true + docker exec docker-nivlheimweb-1 cat /var/log/httpd/error_log || true echo "------- system.log--------------------------------" - docker exec docker_nivlheimweb_1 cat /var/log/nivlheim/system.log || true + docker exec docker-nivlheimweb-1 cat /var/log/nivlheim/system.log || true - name: Stop containers if: always() - run: docker-compose -f "ci/docker/docker-compose.yml" down + run: docker compose -f "ci/docker/docker-compose.yml" down publish: if: ${{ github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/') }} name: Publish server image needs: [test-scripts] - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest permissions: packages: write contents: read @@ -173,7 +173,7 @@ jobs: if: ${{ github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/') }} name: Publish httpd+cgi image needs: [test-scripts] - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest permissions: packages: write contents: read @@ -212,7 +212,7 @@ jobs: if: ${{ github.ref == 'refs/heads/master' }} name: Tag and release needs: [test-scripts] - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: diff --git a/VERSION b/VERSION index 64b869a4..44960c7e 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.7.23 +2.7.24 diff --git a/ci/docker/Dockerfile b/ci/docker/Dockerfile index c44516aa..603f9e44 100644 
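Review bot: The "Retrieve server logs" step still addresses the container by its generated name (`docker-nivlheimweb-1`), and every such command ends in `|| true`, so when the name does not match the step succeeds and simply prints no logs. That is the same failure this hunk is repairing after the Compose upgrade, and it returns whenever the project name or naming scheme changes. Addressing the service through Compose avoids the dependency: `docker compose -f "ci/docker/docker-compose.yml" exec -T nivlheimweb cat /var/log/httpd/error_log || true` (the service name is inferred from the container name, so confirm it against docker-compose.yml). The tests/*.sh hunks in this commit hard-code the same names and would benefit from a single variable or an explicit Compose project name.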
--- a/ci/docker/Dockerfile +++ b/ci/docker/Dockerfile @@ -4,8 +4,9 @@ LABEL no.uio.contact=usit-gid@usit.uio.no LABEL description="Web server for Nivlheim" ARG BRANCH="" -RUN dnf install -y httpd mod_ssl openssl procps-ng \ +RUN dnf install -y httpd mod_ssl procps-ng \ unzip file bind-utils npm \ + && dnf install -y --releasever=39 openssl \ && dnf clean all \ && rm -rf /var/cache/yum \ && npm install -g handlebars diff --git a/ci/docker/api_Dockerfile b/ci/docker/api_Dockerfile index 61cf040c..fdafe38a 100644 --- a/ci/docker/api_Dockerfile +++ b/ci/docker/api_Dockerfile @@ -4,12 +4,12 @@ ARG version WORKDIR /app -COPY go.mod go.sum ./ +COPY server/service/go.mod server/service/go.sum ./ RUN go mod download -COPY *.go ./ -COPY ./database ./database -COPY ./utility ./utility +COPY server/service/*.go ./ +COPY server/service/database ./database +COPY server/service/utility ./utility RUN go build -o /nivlheim -ldflags "-X main.version=${version:-UNDEFINED}" @@ -25,5 +25,6 @@ WORKDIR / RUN apt-get update -qq && apt-get install -yqq ca-certificates COPY --from=build /nivlheim /nivlheim +COPY server/server.conf /etc/nivlheim/server.conf ENTRYPOINT ["/nivlheim"] diff --git a/client/nivlheim_client b/client/nivlheim_client index e1e54b59..9c0fbee1 100755 --- a/client/nivlheim_client +++ b/client/nivlheim_client @@ -67,7 +67,7 @@ my $NAME = 'nivlheim_client'; my $AUTHOR = 'Øyvind Hagberg'; my $CONTACT = 'oyvind.hagberg@usit.uio.no'; my $RIGHTS = 'USIT/IT-DRIFT/GD/GID, University of Oslo, Norway'; -my $VERSION = '2.7.23'; +my $VERSION = '2.7.24'; # Usage text my $USAGE = <<"END_USAGE"; diff --git a/client/windows/nivlheim_client.ps1 b/client/windows/nivlheim_client.ps1 index 74ca1b26..a067eeda 100644 --- a/client/windows/nivlheim_client.ps1 +++ b/client/windows/nivlheim_client.ps1 
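Review bot: The added `dnf install -y --releasever=39 openssl` takes OpenSSL from a fixed Fedora release while the other packages follow the base image (the FROM line is outside the hunk, so the base release is not visible here). Mixing releases this way pins the web server's TLS library to whatever that release ships, and it stops receiving security updates once the release is end-of-life. Nothing in the file records why the pin exists or when it can go. I would add a comment above the line such as `# openssl pinned to the Fedora 39 build: <describe the regression / link the issue>; remove once the scripts work with the base image's OpenSSL`.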
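Review bot: `COPY server/server.conf /etc/nivlheim/server.conf` bakes the repository's config file into the published image, and that file carries the `PGpassword=` and `CAKeyFile=` keys (visible in this commit's server.conf hunks). They hold no secret today, but any value later committed there would ship in every image layer. I would document the intent next to the COPY, for example `# Defaults only; credentials must be supplied at deploy time, never committed to server/server.conf`, and repeat the warning at the top of server.conf.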
@@ -31,7 +31,7 @@ param( [bool]$nosleep = $false ) -Set-Variable version -option Constant -value "2.7.23" +Set-Variable version -option Constant -value "2.7.24" Set-Variable useragent -option Constant -value "NivlheimPowershellClient/$version" Set-PSDebug -strict Set-StrictMode -version "Latest" # http://technet.microsoft.com/en-us/library/hh849692.aspx diff --git a/debian/changelog b/debian/changelog index 2397b601..6f59b688 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +nivlheim (2.7.24-1) buster; urgency=low + + * Changes in the server code (cgi scripts rewritten in Go) + + -- Øyvind Hagberg Thu, 10 Oct 2024 09:30:00 +0200 + nivlheim (2.7.23-1) buster; urgency=low * Changes in the server code (Dependabot patches) diff --git a/server/entrypoint.sh b/server/entrypoint.sh index a5757916..a822cac3 100755 --- a/server/entrypoint.sh +++ b/server/entrypoint.sh @@ -7,7 +7,7 @@ if [ `whoami` != "root" ]; then fi # make dirs -mkdir -p /var/www/nivlheim/{db,certs,CA,queue} +mkdir -p /var/www/nivlheim/{db,certs,CA,queue,upload} mkdir -p /var/log/nivlheim mkdir -p /var/log/httpd diff --git a/server/server.conf b/server/server.conf index 3e21af49..c821c9d9 100644 --- a/server/server.conf +++ b/server/server.conf @@ -16,7 +16,7 @@ LDAPprimaryAttr= LDAPadminGroup= AllAccessGroups= HostOwnerPluginURL= -CFEngineKeyDir= +CFEngineKeyDir=/var/cfekeys PGhost= PGport= PGdatabase= @@ -24,8 +24,8 @@ PGuser= PGpassword= PGsslmode= HTTPListenAddress= -CACertFile= -CAKeyFile= -ConfDir= -QueueDir= -UploadDir= +CACertFile=CA/nivlheimca.crt +CAKeyFile=CA/nivlheimca.key +ConfDir=/var/www/nivlheim +QueueDir=/var/www/nivlheim/queue +UploadDir=/var/www/nivlheim/upload diff --git a/server/service/postArchive.go b/server/service/postArchive.go index 45670171..c9bc0cad 100644 --- a/server/service/postArchive.go +++ b/server/service/postArchive.go 
@@ -116,7 +116,7 @@ func (vars *apiMethodPostArchive) ServeHTTP(w http.ResponseWriter, req *http.Req osHostName = strings.ToLower(osHostName) shortHost := osHostName - match = regexp.MustCompile(`^(\S+?)\.`) + match = regexp.MustCompile(`^(\S+?)\..*$`) shortHost2 := match.ReplaceAll([]byte(shortHost), []byte("$1")) clientVersion := req.FormValue("version") 
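Review bot: `regexp.MustCompile` is still called inside ServeHTTP, so the pattern is recompiled on every upload request. A package-level `var shortHostRe = regexp.MustCompile(...)` with the same pattern would compile it once. Since the expression only keeps the text before the first dot, `shortHost, _, _ := strings.Cut(osHostName, ".")` gives the same result for well-formed hostnames without a regex; edge cases such as a leading dot or embedded whitespace differ and should be checked first. ServeHTTP starts and ends outside the hunk.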
@@ -149,48 +149,32 @@ func (vars *apiMethodPostArchive) ServeHTTP(w http.ResponseWriter, req *http.Req defer dst.Close() - if strings.HasPrefix(contentType, "multipart/form-data") { - if _, ok := req.MultipartForm.File["archive"]; ok { - rFile := "archive" - file, _, err := req.FormFile(rFile) - - if err != nil { - http.Error(w, err.Error(), http.StatusBadRequest) - return - } - - defer file.Close() - - _, err = io.Copy(dst, file) - - if err != nil { - log.Printf("Could not write archive file: %s", err.Error()) - http.Error(w, err.Error(), http.StatusInternalServerError) - return - } - - } else { - log.Printf("missing file upload parameter 'archive' (%s)", fingerprint) - http.Error(w, "File missing", http.StatusBadRequest) + if _, ok := req.MultipartForm.File["archive"]; ok { + rFile := "archive" + file, _, err := req.FormFile(rFile) + if err != nil { + http.Error(w, err.Error(), http.StatusBadRequest) return } - } else if strings.HasPrefix(contentType, "application/x-www-form-urlencoded") { - rFile := "archive_base64" - file := req.FormValue(rFile) - if file != "" { - decoder := base64.NewDecoder(base64.StdEncoding, strings.NewReader(file)) - _, err = io.Copy(dst, decoder) - if err != nil { - log.Printf("Could not write archive file: %s", err.Error()) - http.Error(w, err.Error(), http.StatusInternalServerError) - return - } - - } else { - log.Printf("missing file upload parameter 'archive_base64' (%s)", fingerprint) - http.Error(w, "File missing", http.StatusBadRequest) + defer file.Close() + _, err = io.Copy(dst, file) + if err != nil { + log.Printf("Could not write archive file: %s", err.Error()) + http.Error(w, err.Error(), http.StatusInternalServerError) return } + } else if file := req.FormValue("archive_base64"); file != "" { + decoder := base64.NewDecoder(base64.StdEncoding, strings.NewReader(file)) + _, err = io.Copy(dst, decoder) + if err != nil { + log.Printf("Could not write archive file: %s", err.Error()) + http.Error(w, err.Error(), 
http.StatusInternalServerError) + return + } + } else { + log.Printf("missing file upload parameter (%s)", fingerprint) + http.Error(w, "File missing", http.StatusBadRequest) + return } defer func() { 
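Review bot: With the Content-Type check removed, `req.MultipartForm.File["archive"]` is evaluated for every request, but net/http leaves `req.MultipartForm` nil when the body is not multipart. Unless code above the hunk guarantees a parsed multipart form, an `application/x-www-form-urlencoded` upload would panic on the nil dereference before the `archive_base64` branch is reached. The client would then see a dropped connection instead of a 400. A guard keeps both paths reachable: `if req.MultipartForm != nil && len(req.MultipartForm.File["archive"]) > 0 {`. The signature hunk at `@@ -300,47 +284,32 @@` has the same pattern with `File["signature"]`.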
@@ -300,47 +284,32 @@ func (vars *apiMethodPostArchive) ServeHTTP(w http.ResponseWriter, req *http.Req defer dst.Close() - if strings.HasPrefix(contentType, "multipart/form-data") { - if _, ok := req.MultipartForm.File["signature"]; ok { - rFile := "signature" - file, _, err := req.FormFile(rFile) - - if err != nil { - http.Error(w, err.Error(), http.StatusBadRequest) - return - } - - defer file.Close() - - _, err = io.Copy(dst, file) - - if err != nil { - log.Printf("Could not write archive file: %s", err.Error()) - http.Error(w, err.Error(), http.StatusInternalServerError) - return - } - - } else { - log.Printf("missing file upload parameter 'signature' (%s)", fingerprint) - http.Error(w, "File missing", http.StatusBadRequest) + if _, ok := req.MultipartForm.File["signature"]; ok { + rFile := "signature" + file, _, err := req.FormFile(rFile) + if err != nil { + http.Error(w, err.Error(), http.StatusBadRequest) return } - } else if strings.HasPrefix(contentType, "application/x-www-form-urlencoded") { - rFile := "signature_base64" - file := req.FormValue(rFile) - if file != "" { - decoder := base64.NewDecoder(base64.StdEncoding, strings.NewReader(file)) - _, err = io.Copy(dst, decoder) - if err != nil { - log.Printf("Could not write signature file (%s): %s", fingerprint, err.Error()) - http.Error(w, err.Error(), http.StatusInternalServerError) - return - } - } else { - log.Printf("missing file upload parameter 'signature_base64' (%s)", fingerprint) - http.Error(w, "File missing", http.StatusBadRequest) + defer file.Close() + _, err = io.Copy(dst, file) + if err != nil { + log.Printf("Could not write archive file: %s", err.Error()) + http.Error(w, err.Error(), http.StatusInternalServerError) return } + } else if file := req.FormValue("signature_base64"); file != "" { + decoder := base64.NewDecoder(base64.StdEncoding, strings.NewReader(file)) + _, err = io.Copy(dst, decoder) + if err != nil { + log.Printf("Could not write signature file (%s): %s", fingerprint, 
err.Error()) + http.Error(w, err.Error(), http.StatusInternalServerError) + return + } + } else { + log.Printf("missing file upload parameter signature (%s)", fingerprint) + http.Error(w, "File missing", http.StatusBadRequest) + return } dstInfo, err = dst.Stat() diff --git a/server/service/processarchive.go b/server/service/processarchive.go index c98384d9..82987ddc 100644 --- a/server/service/processarchive.go +++ b/server/service/processarchive.go @@ -101,23 +101,21 @@ func processArchive(url string, db *sql.DB) (err error) { / There's a bug in the Windows client, in some cases it gives the hostname without the domain. / See: https://github.com/unioslo/nivlheim/issues/138 */ if !strings.Contains(metaData["os_hostname"], ".") { + // The file might not exist. In that case, do nothing. file, err := os.Open(tempDir + "/commands/DomainName") - if err != nil { - log.Printf("Could not open file %s: %s", tempDir+"/commands/DomainName", err) - return nil - } - defer file.Close() - scanner := bufio.NewScanner(file) - // first line is the command itself - scanner.Scan() - // second line is the output - scanner.Scan() - if err := scanner.Err(); err != nil { - return err + if err == nil { + defer file.Close() + scanner := bufio.NewScanner(file) + // first line is the command itself + scanner.Scan() + // second line is the output + scanner.Scan() + if err := scanner.Err(); err != nil { + return err + } + fqdn := metaData["hostname"] + "." + scanner.Text() + metaData["hostname"] = fqdn } - - fqdn := metaData["hostname"] + "." + scanner.Text() - metaData["hostname"] = fqdn } curFiles := make(map[string]int64) diff --git a/tests/test_cert_handling.sh b/tests/test_cert_handling.sh index bd72acff..06f9bd09 100755 --- a/tests/test_cert_handling.sh +++ b/tests/test_cert_handling.sh 
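Review bot: In the multipart branch for the signature, the copy failure is logged as `Could not write archive file` and without the fingerprint, so a failed signature write cannot be told apart from a failed archive write or tied to a client. The base64 branch just below already has the right form, `log.Printf("Could not write signature file (%s): %s", fingerprint, err.Error())`, and the multipart branch should use it too. Both branches also send `err.Error()` to the client in the 500 response, which can expose server-side paths. A fixed message such as `http.Error(w, "Could not store signature", http.StatusInternalServerError)` keeps the detail in the log only. The enclosing ServeHTTP continues outside the hunk.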
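Review bot: In the new `if err == nil` branch the result of the second `scanner.Scan()` is not checked and the text is appended unconditionally, so an empty or one-line `commands/DomainName` turns the hostname into `name.` with a trailing dot. The file presumably comes out of the uploaded archive, so its content is client-controlled and should be trimmed and checked before it becomes part of the stored hostname, e.g. `if d := strings.TrimSpace(scanner.Text()); d != "" { metaData["hostname"] += "." + d }`. Separately, every `os.Open` failure is now silent, not only a missing file. Adding `else if !os.IsNotExist(err) { log.Printf("Could not open %s: %s", tempDir+"/commands/DomainName", err) }` would keep permission and I/O problems visible. processArchive starts and ends outside the hunk.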
@@ -34,7 +34,7 @@ curl -sS -X POST 'http://localhost:4040/api/v2/settings/ipranges' -d 'ipRange=10 docker volume rm clientvar -f > /dev/null # Remove any previous cert files on the server -docker exec docker_nivlheimweb_1 sh -c 'rm -f /var/www/nivlheim/certs/*' +docker exec docker-nivlheimweb-1 sh -c 'rm -f /var/www/nivlheim/certs/*' # Run the client. This will call reqcert and post echo "Running the client" @@ -43,14 +43,14 @@ if ! docker run --rm --network host -v clientvar:/var nivlheimclient --debug >$t echo "--------------------------------------------" cat $tempdir/output echo "access_log: --------------------------------" - docker exec docker_nivlheimweb_1 cat /var/log/httpd/access_log + docker exec docker-nivlheimweb-1 cat /var/log/httpd/access_log echo "error_log: ---------------------------------" - docker exec docker_nivlheimweb_1 cat /var/log/httpd/error_log + docker exec docker-nivlheimweb-1 cat /var/log/httpd/error_log exit 1 fi # Verify that reqcert didn't leave any files -OUTPUT=$(docker exec -t docker_nivlheimweb_1 ls -1 /var/www/nivlheim/certs) +OUTPUT=$(docker exec -t docker-nivlheimweb-1 ls -1 /var/www/nivlheim/certs) if [[ "$OUTPUT" != "" ]]; then echo "Certificate files are left after reqcert:" echo $OUTPUT @@ -145,7 +145,7 @@ if [[ "$chain" != "$expect" ]]; then echo "Details:" $PSQL -c "SELECT certid,issued,first,previous,fingerprint FROM certificates ORDER BY certid" echo "================= httpd access log: ==================" - docker exec docker_nivlheimweb_1 tail -20 /var/log/httpd/access_log + docker exec docker-nivlheimweb-1 tail -20 /var/log/httpd/access_log echo "================= client output (1st time): ===========" cat $tempdir/first echo "================= client output (2nd time): ===========" 
@@ -175,7 +175,7 @@ if ! grep -q 'ghijkl' $tempdir/grepout; then fi # Verify that renewcert didn't leave any files -OUTPUT=$(docker exec -t docker_nivlheimweb_1 ls -1 /var/www/nivlheim/certs) +OUTPUT=$(docker exec -t docker-nivlheimweb-1 ls -1 /var/www/nivlheim/certs) if [[ "$OUTPUT" != "" ]]; then echo "Certificate files are left after renewcert:" echo $OUTPUT @@ -192,9 +192,12 @@ if docker run --rm -v clientvar:/var --network host --entrypoint curl nivlheimcl fi # Test post (it will get a 403 anyway, because the nonce is missing) docker run --rm -v clientvar:/var --network host --entrypoint curl nivlheimclient -sk --cert /var/nivlheim/my.crt --key /var/nivlheim/my.key \ + -H 'Content-Type: application/x-www-form-urlencoded' \ https://localhost/cgi-bin/secure/post > $tempdir/postresult || true if ! grep -qi "revoked" $tempdir/postresult; then echo "Post worked even though cert was blacklisted." + echo "---------- response: -----------------" + cat $tempdir/postresult exit 1 fi # Test renew @@ -202,6 +205,8 @@ docker run --rm -v clientvar:/var --network host --entrypoint curl nivlheimclien https://localhost/cgi-bin/secure/renewcert > $tempdir/renewresult || true if ! grep -qi "revoked" $tempdir/renewresult; then echo "Renewcert worked even though cert was blacklisted." + echo "---------- response: -----------------" + cat $tempdir/renewresult exit 1 fi 
@@ -223,13 +228,13 @@ if [ ! -f $tempdir/foo/a.crt ] || [ ! -f $tempdir/foo/a.key ] || [ ! -f $tempdi fi # Check logs for errors -if docker exec -t docker_nivlheimweb_1 grep -A1 "ERROR" /var/log/nivlheim/system.log; then +if docker exec -t docker-nivlheimweb-1 grep -A1 "ERROR" /var/log/nivlheim/system.log; then exit 1 fi -if docker logs docker_nivlheimapi_1 2>&1 | grep -i error; then +if docker logs docker-nivlheimapi-1 2>&1 | grep -i error; then exit 1 fi -if docker exec -t docker_nivlheimweb_1 grep "cgi:error" /var/log/httpd/error_log | grep -v 'random state'; then +if docker exec -t docker-nivlheimweb-1 grep "cgi:error" /var/log/httpd/error_log | grep -v 'random state'; then exit 1 fi diff --git a/tests/test_cfengine.sh b/tests/test_cfengine.sh index 994b1843..7012a97d 100755 --- a/tests/test_cfengine.sh +++ b/tests/test_cfengine.sh @@ -5,9 +5,6 @@ set -e cd `dirname $0` PSQL=../ci/docker/psql.sh -# Configure where reqcert will look for CFEngine keys -docker exec docker_nivlheimweb_1 sh -c 'echo "CFEngineKeyDir=/var/cfekeys" >> /etc/nivlheim/server.conf' - # Try to run the client without CFEngine signature or any form of pre-approval. # Should result in it being put on the waiting list. echo "Running the client without any trust" 
@@ -31,20 +28,20 @@ trap finish EXIT docker cp cfengine.priv banana:/var/cfengine/ppkeys/localhost.priv docker cp cfengine.pub banana:/var/cfengine/ppkeys/localhost.pub # and the public key will also be used by the server -docker exec docker_nivlheimweb_1 mkdir -p /var/cfekeys -docker cp cfengine.pub docker_nivlheimweb_1:/var/cfekeys/root-MD5=01234567890123456789012345678932.pub # default value for a machine without cf-key +docker exec docker-nivlheimapi-1 mkdir -p /var/cfekeys +docker cp cfengine.pub docker-nivlheimapi-1:/var/cfekeys/root-MD5=01234567890123456789012345678932.pub # default value for a machine without cf-key # Ensure the httpd process will have read access -docker exec docker_nivlheimweb_1 chmod -R go+r /var/cfekeys +docker exec docker-nivlheimapi-1 chmod -R go+r /var/cfekeys function printlogs() { echo "------- access_log -------------------------------" - docker exec docker_nivlheimweb_1 grep -v 127.0.0.1 /var/log/httpd/access_log || true + docker exec docker-nivlheimweb-1 grep -v 127.0.0.1 /var/log/httpd/access_log || true echo "------- error_log --------------------------------" - docker exec docker_nivlheimweb_1 grep "cgi:error" /var/log/httpd/error_log || true + docker exec docker-nivlheimweb-1 grep "cgi:error" /var/log/httpd/error_log || true echo "------- system.log--------------------------------" - docker exec docker_nivlheimweb_1 cat /var/log/nivlheim/system.log || true + docker exec docker-nivlheimweb-1 cat /var/log/nivlheim/system.log || true echo "------- docker logs ------------------------------" - docker logs docker_nivlheimapi_1 || true + docker logs docker-nivlheimapi-1 || true } # Run the client. This will call reqcert and post. diff --git a/tests/test_change_ca.sh b/tests/test_change_ca.sh index 872e6567..dc08a4c5 100755 --- a/tests/test_change_ca.sh +++ b/tests/test_change_ca.sh 
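Review bot: The comment `# Ensure the httpd process will have read access` is stale now that the key directory is created in `docker-nivlheimapi-1`, not the web container. It should read something like `# Ensure the API server process has read access to the CFEngine public keys`. It would also help to say here that `/var/cfekeys` must match `CFEngineKeyDir` in the server.conf baked into the API image, since the test no longer sets that value itself.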
@@ -6,13 +6,13 @@ cd `dirname $0` function printlogs() { echo "------- access_log -------------------------------" - docker exec docker_nivlheimweb_1 grep -v 127.0.0.1 /var/log/httpd/access_log || true + docker exec docker-nivlheimweb-1 grep -v 127.0.0.1 /var/log/httpd/access_log || true echo "------- error_log --------------------------------" - docker exec docker_nivlheimweb_1 grep "cgi:error" /var/log/httpd/error_log || true + docker exec docker-nivlheimweb-1 grep "cgi:error" /var/log/httpd/error_log || true echo "------- system.log--------------------------------" - docker exec docker_nivlheimweb_1 cat /var/log/nivlheim/system.log || true + docker exec docker-nivlheimweb-1 cat /var/log/nivlheim/system.log || true echo "------- docker logs ------------------------------" - docker logs docker_nivlheimapi_1 || true + docker logs docker-nivlheimapi-1 || true } # Whitelist the private network address ranges @@ -35,7 +35,7 @@ fi # Create a new CA certificate echo "Attempting to create a new CA certificate..." -docker exec docker_nivlheimweb_1 /usr/bin/client_CA_cert.sh --force-create --verbose +docker exec docker-nivlheimweb-1 /usr/bin/client_CA_cert.sh --force-create --verbose # Start a container that has the clientvar volume mounted, for easier access docker run -d --rm --name easyvar -v clientvar:/var --network host --entrypoint sh nivlheimclient -c 'tail -f /dev/null' 
@@ -79,12 +79,12 @@ if [[ "$A" != "$B" ]]; then fi # Activate the new CA certificate -docker exec docker_nivlheimweb_1 /usr/bin/client_CA_cert.sh --force-activate --verbose +docker exec docker-nivlheimweb-1 /usr/bin/client_CA_cert.sh --force-activate --verbose # Verify that the old client certificate still works -docker exec docker_nivlheimweb_1 cp -a /var/www/cgi-bin/ping /var/www/cgi-bin/secure/foo -if ! docker exec easyvar curl -sSkf --cert /var/nivlheim/my.crt --key /var/nivlheim/my.key \ - https://localhost/cgi-bin/secure/foo; then +echo "Expecting http status 400 if it works, 403 if it doesn't" +if ! docker exec easyvar curl -sSkfI --cert /var/nivlheim/my.crt --key /var/nivlheim/my.key \ + https://localhost/cgi-bin/secure/ping | grep "HTTP/1.1 400 Bad Request"; then echo "The client cert didn't work after a new CA was activated." printlogs exit 1 diff --git a/tests/test_client_timing.sh b/tests/test_client_timing.sh index 63437b2d..31feffa4 100755 --- a/tests/test_client_timing.sh +++ b/tests/test_client_timing.sh @@ -6,13 +6,13 @@ cd `dirname $0` function printlogs() { echo "------- access_log -------------------------------" - docker exec docker_nivlheimweb_1 grep -v 127.0.0.1 /var/log/httpd/access_log || true + docker exec docker-nivlheimweb-1 grep -v 127.0.0.1 /var/log/httpd/access_log || true echo "------- error_log --------------------------------" - docker exec docker_nivlheimweb_1 grep "cgi:error" /var/log/httpd/error_log || true + docker exec docker-nivlheimweb-1 grep "cgi:error" /var/log/httpd/error_log || true echo "------- system.log--------------------------------" - docker exec docker_nivlheimweb_1 cat /var/log/nivlheim/system.log || true + docker exec docker-nivlheimweb-1 cat /var/log/nivlheim/system.log || true echo "------- docker logs ------------------------------" - docker logs docker_nivlheimapi_1 || true + docker logs docker-nivlheimapi-1 || true } # tempdir 
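Review bot: The new check passes only if the response contains the literal `HTTP/1.1 400 Bad Request`, which ties a certificate-acceptance test to the negotiated protocol version and the reason phrase; over HTTP/2, for instance, the status line would have no reason phrase. Because the result comes from `grep` at the end of the pipeline, curl's own exit status is ignored and a connection failure looks the same as a rejected certificate. Comparing the numeric code is sturdier: capture it with `curl -sSk -o /dev/null -w '%{http_code}'` plus the existing `--cert`/`--key` arguments, and test `[[ "$status" == 400 ]]`. A comment explaining why 400 means the certificate was accepted (presumably the handler rejects the empty request only after TLS client authentication has succeeded) would make the expectation reviewable.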
diff --git a/tests/test_clones.sh b/tests/test_clones.sh index f84fe150..6755d8c6 100755 --- a/tests/test_clones.sh +++ b/tests/test_clones.sh @@ -13,13 +13,13 @@ PSQL=../ci/docker/psql.sh function printlogs() { echo "------- access_log -------------------------------" - docker exec docker_nivlheimweb_1 grep -v 127.0.0.1 /var/log/httpd/access_log || true + docker exec docker-nivlheimweb-1 grep -v 127.0.0.1 /var/log/httpd/access_log || true echo "------- error_log --------------------------------" - docker exec docker_nivlheimweb_1 grep "cgi:error" /var/log/httpd/error_log || true + docker exec docker-nivlheimweb-1 grep "cgi:error" /var/log/httpd/error_log || true echo "------- system.log--------------------------------" - docker exec docker_nivlheimweb_1 cat /var/log/nivlheim/system.log || true + docker exec docker-nivlheimweb-1 cat /var/log/nivlheim/system.log || true echo "------- docker logs ------------------------------" - docker logs docker_nivlheimapi_1 || true + docker logs docker-nivlheimapi-1 || true } # tempdir @@ -86,13 +86,13 @@ then fi # Check for errors -if docker exec docker_nivlheimweb_1 grep -A1 "ERROR" /var/log/nivlheim/system.log; then +if docker exec docker-nivlheimweb-1 grep -A1 "ERROR" /var/log/nivlheim/system.log; then exit 1 fi -if docker logs docker_nivlheimapi_1 2>&1 | grep -i error; then +if docker logs docker-nivlheimapi-1 2>&1 | grep -i error; then exit 1 fi -if docker exec docker_nivlheimweb_1 grep "cgi:error" /var/log/httpd/error_log | grep -v 'random state'; then +if docker exec docker-nivlheimweb-1 grep "cgi:error" /var/log/httpd/error_log | grep -v 'random state'; then exit 1 fi diff --git a/tests/test_powershell.sh b/tests/test_powershell.sh index 863c14d7..2c82b0a5 100755 --- a/tests/test_powershell.sh +++ b/tests/test_powershell.sh 
@@ -33,7 +33,7 @@ curl -sS -X POST 'http://localhost:4040/api/v2/settings/ipranges' -d 'ipRange=10 # Fetch the CA certificate from the Nivlheim web server container. # It was used to sign the web server ssl certificate. -docker cp docker_nivlheimweb_1:/var/www/nivlheim/CA/nivlheimca.crt /tmp +docker cp docker-nivlheimweb-1:/var/www/nivlheim/CA/nivlheimca.crt /tmp # Update the CA certificates in the Powershell container so the Nivlheim CA is trusted. # If not, web requests to the nivlheim server won't work.