Bug 2246422 ServerSideKeygen static SKID #101
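name: TPS Tests

# CI for the Dogtag TPS subsystem. Three independent test jobs each restore a
# pre-built "pki-runner" image from the Actions cache, bring up DS/CA/KRA/TKS/TPS
# in throwaway containers and verify the TPS admin/client paths.
#
# GITHUB_TOKEN permissions are declared per job (least privilege). The `init`
# job is a reusable-workflow call whose requirements live in
# ./.github/workflows/init.yml (not visible here), so it keeps the repository
# default; a caller-level `permissions:` block would cap it and is deliberately
# not added.
#
# NOTE(review): all `uses:` references are mutable tags (v3, v1.2.0). Pinning
# them to full commit SHAs removes the tag-retargeting supply-chain risk; SHAs
# are not substituted here because they must be taken from the upstream repos.
on: [push, pull_request]

jobs:
  init:
    name: Initialization
    uses: ./.github/workflows/init.yml
    secrets: inherit

  # Blocks until the "Building PKI" check has completed for the commit under
  # test. The test jobs below then restore the image it is presumed to produce
  # from the exact cache key pki-runner-<sha>.
  build:
    name: Waiting for build
    needs: init
    runs-on: ubuntu-latest
    # The only GitHub API use in this job is listing check runs for a ref,
    # which needs nothing beyond checks: read.
    permissions:
      checks: read
    steps:
      - name: Wait for build
        uses: lewagon/wait-on-check-action@v1.2.0
        with:
          ref: ${{ github.ref }}
          check-name: 'Building PKI'
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          wait-interval: 30
        if: github.event_name == 'push'
      - name: Wait for build
        uses: lewagon/wait-on-check-action@v1.2.0
        with:
          # On pull_request, github.ref is the synthetic merge ref; the build
          # check is attached to the PR head commit, so wait on that SHA.
          ref: ${{ github.event.pull_request.head.sha }}
          check-name: 'Building PKI'
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          wait-interval: 30
        if: github.event_name == 'pull_request'

  # docs/installation/tps/Installing_TPS.md
  # All five services (DS, CA, KRA, TKS, TPS) share one container "pki".
  tps-test:
    name: Testing TPS
    needs: [init, build]
    runs-on: ubuntu-latest
    # actions/checkout needs contents: read; cache and artifact upload use the
    # runtime token, not GITHUB_TOKEN, so nothing else is granted.
    permissions:
      contents: read
    env:
      # Path at which the checkout is visible inside the containers; files
      # written under ${PKIDIR} in a container are read back from the
      # runner's working directory below (see "Verify TPS client").
      PKIDIR: /tmp/workdir/pki
    steps:
      - name: Clone repository
        uses: actions/checkout@v3
      - name: Retrieve pki-runner image
        uses: actions/cache@v3
        with:
          # Exact key and no restore-keys: never fall back to an image built
          # from a different commit. A miss surfaces as a failure of the
          # following `docker load`.
          key: pki-runner-${{ github.sha }}
          path: pki-runner.tar
      - name: Load runner image
        run: docker load --input pki-runner.tar
      - name: Run container
        run: |
          IMAGE=pki-runner \
          NAME=pki \
          HOSTNAME=pki.example.com \
          tests/bin/runner-init.sh
      - name: Install dependencies
        run: docker exec pki dnf install -y 389-ds-base
      - name: Install DS
        run: docker exec pki ${PKIDIR}/tests/bin/ds-create.sh
      - name: Install CA
        run: docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v
      - name: Install KRA
        run: docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/kra.cfg -s KRA -v
      - name: Install TKS
        run: docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/tks.cfg -s TKS -v
      - name: Install TPS
        run: docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/tps.cfg -s TPS -v
      - name: Run PKI healthcheck
        run: docker exec pki pki-healthcheck --failures-only
      # Imports the CA signing cert and the CA admin's client cert into the
      # default client NSS database, then exercises a TPS admin REST call.
      - name: Verify TPS admin
        run: |
          docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
          docker exec pki pki client-cert-import ca_signing --ca-cert ca_signing.crt
          docker exec pki pki client-cert-import \
              --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
              --pkcs12-password-file /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
          docker exec pki pki -n caadmin tps-user-show tpsadmin
      - name: Set up TPS authentication
        run: |
          #
          # import sample TPS users
          #
          # "Secret.123" is the fixture Directory Manager password of the
          # ephemeral test DS (see tests/bin/ds-create.sh, not shown). It is
          # passed on the command line and therefore visible in the job log
          # and process list; acceptable only because the container is
          # discarded with the job — never reuse this pattern for real creds.
          docker exec pki ldapadd -h pki.example.com -p 389 \
              -D "cn=Directory Manager" \
              -w Secret.123 \
              -f /usr/share/pki/tps/auth/ds/create.ldif
          docker exec pki ldapadd -h pki.example.com -p 389 \
              -D "cn=Directory Manager" \
              -w Secret.123 \
              -f /usr/share/pki/tps/auth/ds/example.ldif
          #
          # configure TPS to use the sample TPS users
          #
          docker exec pki pki-server tps-config-set \
              auths.instance.ldap1.ldap.basedn \
              ou=people,dc=example,dc=com
          # Config change is picked up on redeploy.
          docker exec pki pki-server tps-undeploy --wait
          docker exec pki pki-server tps-deploy --wait
      # Walks a token through UNFORMATTED -> FORMATTED -> ACTIVE and checks
      # the Status field reported by the TPS at each stage.
      - name: Verify TPS client
        run: |
          #
          # add unformatted token with random CUID
          #
          # 10 random bytes rendered as 20 lowercase hex digits.
          CUID=$(hexdump -v -n "10" -e '1/1 "%02x"' /dev/urandom)
          echo "UNFORMATTED" > expected
          # ${PKIDIR} is expanded by the runner shell; the file lands in the
          # mounted checkout, so the runner-side `diff` reads it as ./actual.
          docker exec pki bash -c "pki -n caadmin tps-token-add $CUID | sed -n 's/\s*Status:\s\+\(\S\+\)\s*/\1/p' > ${PKIDIR}/actual"
          diff expected actual
          #
          # format the token
          #
          docker exec pki /usr/share/pki/tps/bin/pki-tps-format \
              --user=testuser \
              --password=Secret.123 \
              $CUID
          echo "FORMATTED" > expected
          docker exec pki bash -c "pki -n caadmin tps-token-show $CUID | sed -n 's/\s*Status:\s\+\(\S\+\)\s*/\1/p' > ${PKIDIR}/actual"
          diff expected actual
          #
          # enroll the token
          #
          docker exec pki /usr/share/pki/tps/bin/pki-tps-enroll \
              --user=testuser \
              --password=Secret.123 \
              $CUID
          echo "ACTIVE" > expected
          docker exec pki bash -c "pki -n caadmin tps-token-show $CUID | sed -n 's/\s*Status:\s\+\(\S\+\)\s*/\1/p' > ${PKIDIR}/actual"
          diff expected actual
      # Runs even on failure so logs are available; the Remove* steps below
      # are intentionally skipped on failure (no `if: always()`) so the
      # artifacts reflect the failed state.
      - name: Gather artifacts
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh pki
          tests/bin/pki-artifacts-save.sh pki
      - name: Remove TPS
        run: docker exec pki pkidestroy -i pki-tomcat -s TPS -v
      - name: Remove TKS
        run: docker exec pki pkidestroy -i pki-tomcat -s TKS -v
      - name: Remove KRA
        run: docker exec pki pkidestroy -i pki-tomcat -s KRA -v
      - name: Remove CA
        run: docker exec pki pkidestroy -i pki-tomcat -s CA -v
      - name: Remove DS
        run: docker exec pki ${PKIDIR}/tests/bin/ds-remove.sh
      # Artifacts are downloadable by anyone with read access to the run.
      # NOTE(review): confirm the *-artifacts-save.sh scripts do not capture
      # private keys or password files from the instance directories.
      - name: Upload artifacts
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: tps
          path: |
            /tmp/artifacts/pki

  # Each subsystem runs in its own container on a shared docker network; the
  # checkout (${PKIDIR}) is visible to every container and is used to hand
  # certificates between them.
  tps-separate-test:
    name: Testing TPS on separate instance
    needs: [init, build]
    runs-on: ubuntu-latest
    permissions:
      contents: read
    env:
      PKIDIR: /tmp/workdir/pki
    steps:
      - name: Clone repository
        uses: actions/checkout@v3
      - name: Retrieve pki-runner image
        uses: actions/cache@v3
        with:
          key: pki-runner-${{ github.sha }}
          path: pki-runner.tar
      - name: Load runner image
        run: docker load --input pki-runner.tar
      - name: Create network
        run: docker network create example
      - name: Setup CA container
        run: |
          IMAGE=pki-runner \
          NAME=ca \
          HOSTNAME=ca.example.com \
          tests/bin/runner-init.sh
      - name: Connect CA container to network
        run: docker network connect example ca --alias ca.example.com
      - name: Install dependencies in CA container
        run: docker exec ca dnf install -y 389-ds-base
      - name: Install DS in CA container
        run: docker exec ca ${PKIDIR}/tests/bin/ds-create.sh
      - name: Install CA in CA container
        run: docker exec ca pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v
      # The banner forces clients to acknowledge it; the final verification
      # step passes --ignore-banner for that reason.
      - name: Install banner in CA container
        run: docker exec ca cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat
      - name: Setup KRA container
        run: |
          IMAGE=pki-runner \
          NAME=kra \
          HOSTNAME=kra.example.com \
          tests/bin/runner-init.sh
      - name: Connect KRA container to network
        run: docker network connect example kra --alias kra.example.com
      - name: Install dependencies in KRA container
        run: docker exec kra dnf install -y 389-ds-base
      - name: Install DS in KRA container
        run: docker exec kra ${PKIDIR}/tests/bin/ds-create.sh
      # Only public material (CA signing cert, CA admin cert) crosses the
      # shared directory here; the KRA obtains its own certs from the CA.
      - name: Install KRA in KRA container
        run: |
          docker exec ca pki-server cert-export ca_signing --cert-file ${PKIDIR}/ca_signing.crt
          docker exec ca cp /root/.dogtag/pki-tomcat/ca_admin.cert ${PKIDIR}/ca_admin.cert
          docker exec kra cp ${PKIDIR}/ca_signing.crt .
          docker exec kra cp ${PKIDIR}/ca_admin.cert .
          docker exec kra pkispawn -f /usr/share/pki/server/examples/installation/kra-separate.cfg -s KRA -v
      - name: Install banner in KRA container
        run: docker exec kra cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat
      - name: Setup TKS container
        run: |
          IMAGE=pki-runner \
          NAME=tks \
          HOSTNAME=tks.example.com \
          tests/bin/runner-init.sh
      - name: Connect TKS container to network
        run: docker network connect example tks --alias tks.example.com
      - name: Install dependencies in TKS container
        run: docker exec tks dnf install -y 389-ds-base
      - name: Install DS in TKS container
        run: docker exec tks ${PKIDIR}/tests/bin/ds-create.sh
      - name: Install TKS in TKS container
        run: |
          docker exec tks cp ${PKIDIR}/ca_signing.crt .
          docker exec tks cp ${PKIDIR}/ca_admin.cert .
          docker exec tks pkispawn -f /usr/share/pki/server/examples/installation/tks-separate.cfg -s TKS -v
      - name: Install banner in TKS container
        run: docker exec tks cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat
      - name: Setup TPS container
        run: |
          IMAGE=pki-runner \
          NAME=tps \
          HOSTNAME=tps.example.com \
          tests/bin/runner-init.sh
      - name: Connect TPS container to network
        run: docker network connect example tps --alias tps.example.com
      - name: Install dependencies in TPS container
        run: docker exec tps dnf install -y 389-ds-base
      - name: Install DS in TPS container
        run: docker exec tps ${PKIDIR}/tests/bin/ds-create.sh
      - name: Install TPS in TPS container
        run: |
          docker exec tps cp ${PKIDIR}/ca_signing.crt .
          docker exec tps cp ${PKIDIR}/ca_admin.cert .
          docker exec tps pkispawn -f /usr/share/pki/server/examples/installation/tps-separate.cfg -s TPS -v
      - name: Install banner in TPS container
        run: docker exec tps cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat
      - name: Run PKI healthcheck
        run: docker exec tps pki-healthcheck --debug
      # The CA admin's private key (PKCS#12) and its password file are copied
      # into ${PKIDIR}, which every container on the network can read.
      # Acceptable for a throwaway fixture; NOTE(review): make sure the
      # artifact-save scripts below do not sweep ${PKIDIR}/*.p12 or
      # pkcs12_password.conf into the uploaded artifacts.
      - name: Verify TPS admin
        run: |
          docker exec ca cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 ${PKIDIR}/ca_admin_cert.p12
          docker exec ca cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ${PKIDIR}/pkcs12_password.conf
          docker exec tps pki client-cert-import ca_signing --ca-cert ca_signing.crt
          docker exec tps pki client-cert-import \
              --pkcs12 ${PKIDIR}/ca_admin_cert.p12 \
              --pkcs12-password-file ${PKIDIR}/pkcs12_password.conf
          docker exec tps pki -n caadmin --ignore-banner tps-user-show tpsadmin
      - name: Gather artifacts from CA container
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh ca
          tests/bin/pki-artifacts-save.sh ca
      - name: Gather artifacts from KRA container
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh kra
          tests/bin/pki-artifacts-save.sh kra
      - name: Gather artifacts from TKS container
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh tks
          tests/bin/pki-artifacts-save.sh tks
      - name: Gather artifacts from TPS container
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh tps
          tests/bin/pki-artifacts-save.sh tps
      # Teardown in reverse dependency order (TPS, TKS, KRA, CA); skipped on
      # failure so the artifacts above reflect the failed state.
      - name: Remove TPS from TPS container
        run: docker exec tps pkidestroy -i pki-tomcat -s TPS -v
      - name: Remove DS from TPS container
        run: docker exec tps ${PKIDIR}/tests/bin/ds-remove.sh
      - name: Disconnect TPS container from network
        run: docker network disconnect example tps
      - name: Remove TKS from TKS container
        run: docker exec tks pkidestroy -i pki-tomcat -s TKS -v
      - name: Remove DS from TKS container
        run: docker exec tks ${PKIDIR}/tests/bin/ds-remove.sh
      - name: Disconnect TKS container from network
        run: docker network disconnect example tks
      - name: Remove KRA from KRA container
        run: docker exec kra pkidestroy -i pki-tomcat -s KRA -v
      - name: Remove DS from KRA container
        run: docker exec kra ${PKIDIR}/tests/bin/ds-remove.sh
      - name: Disconnect KRA container from network
        run: docker network disconnect example kra
      - name: Remove CA from CA container
        run: docker exec ca pkidestroy -i pki-tomcat -s CA -v
      - name: Remove DS from CA container
        run: docker exec ca ${PKIDIR}/tests/bin/ds-remove.sh
      - name: Disconnect CA container from network
        run: docker network disconnect example ca
      - name: Remove network
        run: docker network rm example
      - name: Upload artifacts from CA container
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: tps-separate-ca
          path: |
            /tmp/artifacts/ca
      - name: Upload artifacts from KRA container
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: tps-separate-kra
          path: |
            /tmp/artifacts/kra
      - name: Upload artifacts from TKS container
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: tps-separate-tks
          path: |
            /tmp/artifacts/tks
      - name: Upload artifacts from TPS container
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: tps-separate-tps
          path: |
            /tmp/artifacts/tps

  # docs/installation/tps/Installing_TPS_Clone.md
  # This test installs DS, CA, KRA, TKS, and TPS in the primary container,
  # then installs DS clone, CA clone, KRA clone, TKS clone, and TPS clone in the secondary container.
  tps-clone-test:
    name: Testing TPS clone
    needs: [init, build]
    runs-on: ubuntu-latest
    permissions:
      contents: read
    env:
      PKIDIR: /tmp/workdir/pki
    steps:
      - name: Clone repository
        uses: actions/checkout@v3
      - name: Retrieve pki-runner image
        uses: actions/cache@v3
        with:
          key: pki-runner-${{ github.sha }}
          path: pki-runner.tar
      - name: Load runner image
        run: docker load --input pki-runner.tar
      - name: Create network
        run: docker network create example
      - name: Run primary container
        run: |
          IMAGE=pki-runner \
          NAME=primary \
          HOSTNAME=primary.example.com \
          tests/bin/runner-init.sh
      - name: Connect primary container to network
        run: docker network connect example primary --alias primary.example.com
      - name: Install dependencies in primary container
        run: docker exec primary dnf install -y 389-ds-base
      - name: Install DS in primary container
        run: docker exec primary ${PKIDIR}/tests/bin/ds-create.sh
      - name: Install CA in primary container
        run: docker exec primary pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v
      - name: Install KRA in primary container
        run: docker exec primary pkispawn -f /usr/share/pki/server/examples/installation/kra.cfg -s KRA -v
      - name: Install TKS in primary container
        run: docker exec primary pkispawn -f /usr/share/pki/server/examples/installation/tks.cfg -s TKS -v
      - name: Install TPS in primary container
        run: docker exec primary pkispawn -f /usr/share/pki/server/examples/installation/tps.cfg -s TPS -v
      - name: Setup secondary container
        run: |
          IMAGE=pki-runner \
          NAME=secondary \
          HOSTNAME=secondary.example.com \
          tests/bin/runner-init.sh
      - name: Connect secondary container to network
        run: docker network connect example secondary --alias secondary.example.com
      - name: Install dependencies in secondary container
        run: docker exec secondary dnf install -y 389-ds-base
      - name: Install DS in secondary container
        run: docker exec secondary ${PKIDIR}/tests/bin/ds-create.sh
      # Cloning exports each subsystem's system certificates *with private
      # keys* (including the CA signing key) into a PKCS#12 under the shared
      # ${PKIDIR}, protected only by the fixture password given on the command
      # line. Fine for an ephemeral CI fixture; outside CI the password must
      # come from a file and the export must be removed after use.
      - name: Install CA in secondary container
        run: |
          docker exec primary pki-server cert-export ca_signing --cert-file ${PKIDIR}/ca_signing.crt
          docker exec primary pki-server ca-clone-prepare --pkcs12-file ${PKIDIR}/ca-certs.p12 --pkcs12-password Secret.123
          docker exec secondary cp ${PKIDIR}/ca_signing.crt .
          docker exec secondary cp ${PKIDIR}/ca-certs.p12 .
          docker exec secondary pkispawn -f /usr/share/pki/server/examples/installation/ca-clone.cfg -s CA -v
      - name: Install KRA in secondary container
        run: |
          docker exec primary pki-server kra-clone-prepare --pkcs12-file ${PKIDIR}/kra-certs.p12 --pkcs12-password Secret.123
          docker exec secondary cp ${PKIDIR}/kra-certs.p12 .
          docker exec secondary pkispawn -f /usr/share/pki/server/examples/installation/kra-clone.cfg -s KRA -v
      - name: Install TKS in secondary container
        run: |
          docker exec primary pki-server tks-clone-prepare --pkcs12-file ${PKIDIR}/tks-certs.p12 --pkcs12-password Secret.123
          docker exec secondary cp ${PKIDIR}/tks-certs.p12 .
          docker exec secondary pkispawn -f /usr/share/pki/server/examples/installation/tks-clone.cfg -s TKS -v
      - name: Install TPS in secondary container
        run: |
          docker exec primary pki-server tps-clone-prepare --pkcs12-file ${PKIDIR}/tps-certs.p12 --pkcs12-password Secret.123
          docker exec secondary cp ${PKIDIR}/tps-certs.p12 .
          docker exec secondary pkispawn -f /usr/share/pki/server/examples/installation/tps-clone.cfg -s TPS -v
      # No banner is installed in this job, so --ignore-banner is not needed.
      # NOTE(review): as in the separate-instance job, confirm the artifact
      # scripts do not upload the *.p12 files and pkcs12_password.conf left in
      # ${PKIDIR}.
      - name: Verify admin user
        run: |
          docker exec primary cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 ${PKIDIR}/ca_admin_cert.p12
          docker exec primary cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ${PKIDIR}/pkcs12_password.conf
          docker exec secondary pki client-cert-import ca_signing --ca-cert ca_signing.crt
          docker exec secondary pki client-cert-import \
              --pkcs12 ${PKIDIR}/ca_admin_cert.p12 \
              --pkcs12-password-file ${PKIDIR}/pkcs12_password.conf
          docker exec secondary pki -n caadmin tps-user-show tpsadmin
      - name: Gather artifacts from primary container
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh primary
          tests/bin/pki-artifacts-save.sh primary
      - name: Gather artifacts from secondary container
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh secondary
          tests/bin/pki-artifacts-save.sh secondary
      # Clones are removed before the primaries they replicate from.
      - name: Remove TPS from secondary container
        run: docker exec secondary pkidestroy -i pki-tomcat -s TPS -v
      - name: Remove TKS from secondary container
        run: docker exec secondary pkidestroy -i pki-tomcat -s TKS -v
      - name: Remove KRA from secondary container
        run: docker exec secondary pkidestroy -i pki-tomcat -s KRA -v
      - name: Remove CA from secondary container
        run: docker exec secondary pkidestroy -i pki-tomcat -s CA -v
      - name: Remove DS from secondary container
        run: docker exec secondary ${PKIDIR}/tests/bin/ds-remove.sh
      - name: Disconnect secondary container from network
        run: docker network disconnect example secondary
      - name: Remove TPS from primary container
        run: docker exec primary pkidestroy -i pki-tomcat -s TPS -v
      - name: Remove TKS from primary container
        run: docker exec primary pkidestroy -i pki-tomcat -s TKS -v
      - name: Remove KRA from primary container
        run: docker exec primary pkidestroy -i pki-tomcat -s KRA -v
      - name: Remove CA from primary container
        run: docker exec primary pkidestroy -i pki-tomcat -s CA -v
      - name: Remove DS from primary container
        run: docker exec primary ${PKIDIR}/tests/bin/ds-remove.sh
      - name: Disconnect primary container from network
        run: docker network disconnect example primary
      - name: Remove network
        run: docker network rm example
      - name: Upload artifacts from primary container
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: tps-clone-primary
          path: |
            /tmp/artifacts/primary
      - name: Upload artifacts from secondary container
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: tps-clone-secondary
          path: |
            /tmp/artifacts/secondary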