Add CI test for OCSP self crl check

When LDAP store is used the OCSP can be configured to check certificate
using the stored CRL. This is implemented in PR #4545.

.github/workflows/ocsp-tests.yml

@@ -76,3 +76,36 @@ jobs:
     uses: ./.github/workflows/ocsp-hsm-test.yml
     with:
       db-image: ${{ needs.init.outputs.db-image }}
+
+  ocsp-crl-ldap-self-verification-test:
+    name: OCSP with self certificate verification test
+    needs: [init, build]
+    runs-on: ubuntu-latest
+    steps:
+    - name: Clone repository
+      uses: actions/checkout@v3
+
+    - name: Retrieve PKI images
+      uses: actions/cache@v3
+      with:
+        key: pki-images-${{ github.sha }}
+        path: pki-images.tar
+
+    - name: Load PKI images
+      run: docker load --input pki-images.tar
+
+    - name: Set up Python 3.9
+      uses: actions/setup-python@v4
+      with:
+        python-version: 3.9
+
+    - name: Install ansible
+      run: |
+        python -m pip install --upgrade pip
+        pip install --user -r tests/ansible/requirements.txt
+
+    - name: Execute est playbook
+      run: |
+        ansible-playbook  -e 'pki_subsystem="ocsp"' tests/ansible/pki-playbook.yml 
+      env:
+        ANSIBLE_CONFIG: ${{ github.workspace }}/tests/ansible/ansible.cfg

tests/ansible/ca_signing.crt

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEfTCCAuWgAwIBAgIQavVXHCitBbcwDsABcEu5fjANBgkqhkiG9w0BAQsFADBI
+MRAwDgYDVQQKDAdFWEFNUExFMRMwEQYDVQQLDApwa2ktdG9tY2F0MR8wHQYDVQQD
+DBZDQSBTaWduaW5nIENlcnRpZmljYXRlMB4XDTIzMDgyMzEwMDYxNVoXDTQzMDgy
+MzEwMDYxNVowSDEQMA4GA1UECgwHRVhBTVBMRTETMBEGA1UECwwKcGtpLXRvbWNh
+dDEfMB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0aWZpY2F0ZTCCAaIwDQYJKoZIhvcN
+AQEBBQADggGPADCCAYoCggGBAK9kHDM3KmcSAQz/u6iM79ejge9pxwoZupshlm/I
+5u7caLaOak5kcBKlMzcsGCZiDgtf7SLhm2BWn1IO/MGllYnlZk7+OcXiPM6RZzBN
+IvcOaoPj5Ki2+JLx3+rvDLkZfvirEP+dSQi8B/dxVY9vaXXg0yVhL21BDPS7CBEg
+O1PVLpV83JzFTfKiRQPzE6LYfaO3brjODVEwDwcy0Iw5cLOEXncudOjWCCfPJQjn
+fEIhadRGOXkJ/pMtMVDE42QSZZJ+W+AfpB67sS9guq4sUCLcUjPmensIi0cWU9es
+o9ahJsTWrNuMwOAjVl70Ykeir0OXZLIV2c3nVj0dVNKud14+QY34sfi/jfZunyzd
+U3D1O11g0U8hOSA/Zp7CgptKK2HLLbBVAJ3aELfKxYU00lAVRTZbOEMQMrw3Zr4S
+QwajtwhMeYMgliTf2wBg0Ixz02DjtKUBduP/K4VqRpZEAAvVdiY2NJPxTHWqfKk8
+Fa2sxyAcrW0mMzPePm6Xaqm6tQIDAQABo2MwYTAfBgNVHSMEGDAWgBQ9O6szYpko
+vvmbVOwy7vXZS2vXpzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjAd
+BgNVHQ4EFgQUPTurM2KZKL75m1TsMu712Utr16cwDQYJKoZIhvcNAQELBQADggGB
+AJ2S1bNnsmQ76vCswTtCaNFlGFWqULmljr3MEci2evR8sHNhiF+Held5SPCsHUam
+R2RwzmyLDQUnJ4BZC7wHI6qkHIPvc6oBMsxzWyHiYHY4YU1cKBCrBmruYMzm02Nh
+s0ZxTlXurpeHC6cFyw1I2UBFk16grYEB+sfdAbmljxxIKelhOlBm4nlnqMaZpLQR
+KJb2+e9bDbl40Cy0pmquzb39eglkdCdvu7MGyjt8FRXtJdDLILziQN1woMbhusvI
+WQVw+omrqPu+9bDr1++J6C6BUlNGlvG9mFE0bVs1heA8hWUgLExFtYZI1kEn7lO9
+XctQ6feHpIfj5semI8o6cDUEm8NurG60QH67bLZPsrsL09YXNCppDms2y223DDiJ
+Fbz4nw5DmzJPYLI4ASPyOrKKaRIv5kjd2VFaQJSJ432wA8AdKbjwhmQxx22g71At
+q60YXW0PxYegDiqHqlgyjBCR88JperwCmXkyl2WwE6xMFvkWvBRY4QQKe+jSDBOO
+Tw==
+-----END CERTIFICATE-----

tests/ansible/est/defaults/main.yml

@@ -2,7 +2,7 @@
 # defaults file for est
 
 shared_workspace: /tmp/workdir/pki
-github_workspace: ./
+github_workspace: ../../
 
 #DS
 ds_container: ds

tests/ansible/ocsp/README.md

@@ -0,0 +1,37 @@
+OCSP
+=========
+
+OCSP tests for CI
+
+Requirements
+------------
+
+The only requirement is the `community.docker` module
+
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - ocsp
+
+License
+-------
+
+GPL-2-and-later
+
+Author Information
+------------------
+
+Marco Fargetta (mfargett@redhat.com)
+

tests/ansible/ocsp/defaults/main.yml

@@ -0,0 +1,33 @@
+---
+# defaults file for ocsp
+
+shared_workspace: /tmp/workdir/pki
+github_workspace: ../../
+
+#CA-DS
+cads_container: cads
+cads_image: pki-runner 
+cads_hostname: cads.example.com
+cads_password: Secret.123
+
+#CA
+ca_container: ca
+ca_image: pki-runner
+ca_hostname: ca.example.com
+
+#OCSP-DS
+ocspds_container: ocspds
+ocspds_image: pki-runner 
+ocspds_hostname: ocspds.example.com
+ocspds_password: Secret.123
+
+#OCSP
+ocsp_container: ocsp
+ocsp_image: pki-runner
+ocsp_hostname: ocsp.example.com
+
+
+#Client
+client_container: client
+client_image: quay.io/dogtagpki/libest
+client_hostname: client.example.com

tests/ansible/ocsp/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for ocsp

tests/ansible/ocsp/meta/main.yml

@@ -0,0 +1,24 @@
+galaxy_info:
+  author: Marco Fargetta (mfargett@redhat.com)
+  description: OCSP tests for CI
+  company: Red Hat
+
+
+  license: GPL-2.0-or-later
+
+  min_ansible_version: 2.1
+
+
+  platforms:
+  - name: Fedora
+    versions:
+    - all
+  - name: Ubuntu
+    versions:
+    - 22.04
+
+  galaxy_tags:
+  - dogtag
+  - pki
+
+dependencies: []