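name: Sub-CA clone

# Installs a sub-CA whose signing certificate is issued by an external root CA,
# then clones that sub-CA onto a second host and checks both instances agree.
# Procedure followed:
#   docs/installation/ca/Installing_CA_with_External_CA_Signing_Certificate.md
#   https://github.com/dogtagpki/pki/blob/master/docs/installation/ca/Installing_CA_Clone.md
#
# Security note for readers: every password in this file (Secret.123) is a
# throwaway CI fixture. It is passed on command lines, echoed by `pkispawn -v`
# and therefore lands in the job log; none of it may be reused anywhere else.
# The containers only talk to each other on the private `example` docker
# network, which is why plaintext ldap:// to the DS instances is tolerated.

on: workflow_call

env:
  DB_IMAGE: ${{ vars.DB_IMAGE || 'quay.io/389ds/dirsrv' }}

jobs:
  test:
    name: Test
    runs-on: ubuntu-latest
    env:
      # Directory shared by all containers; CSRs, certs and PKCS#12 bundles
      # (including the sub-CA clone bundle) are exchanged through it.
      SHARED: /tmp/workdir/pki
    defaults:
      run:
        # An explicit `bash` makes GitHub run each step with `-eo pipefail`,
        # so a failing `docker exec ... | tee` or `sed ... | sort` pipeline
        # fails the step instead of being masked by the last command.
        shell: bash
    steps:
      # NOTE(review): actions are referenced by floating major tags. Pinning
      # each `uses:` to a full commit SHA (keeping the tag in a trailing
      # comment) guards against a tag being moved to different content.
      - name: Clone repository
        uses: actions/checkout@v4

      - name: Retrieve PKI images
        uses: actions/cache@v4
        with:
          key: pki-images-${{ github.sha }}
          path: pki-images.tar
          # Fail with a clear message here rather than at `docker load`.
          fail-on-cache-miss: true

      - name: Load PKI images
        run: docker load --input pki-images.tar

      - name: Create network
        run: docker network create example

      - name: Set up root CA container
        run: |
          tests/bin/runner-init.sh root-ca
        env:
          HOSTNAME: root-ca.example.com

      - name: Connect root CA container to network
        run: docker network connect example root-ca --alias root-ca.example.com

      # The root CA is a plain NSS database: self-sign a CA certificate and
      # trust it as a CA (CT,C,C) so it can issue the sub-CA signing cert.
      - name: Create root CA in NSS database
        run: |
          docker exec root-ca pki nss-cert-request \
              --subject "CN=Root CA Signing Certificate" \
              --ext /usr/share/pki/server/certs/ca_signing.conf \
              --csr $SHARED/root-ca_signing.csr
          docker exec root-ca pki nss-cert-issue \
              --csr $SHARED/root-ca_signing.csr \
              --ext /usr/share/pki/server/certs/ca_signing.conf \
              --cert $SHARED/root-ca_signing.crt
          docker exec root-ca pki nss-cert-import \
              --cert $SHARED/root-ca_signing.crt \
              --trust CT,C,C \
              root-ca_signing

      - name: Set up primary DS container
        run: |
          tests/bin/ds-container-create.sh primary-ds
        env:
          IMAGE: ${{ env.DB_IMAGE }}
          HOSTNAME: primary-ds.example.com
          PASSWORD: Secret.123

      - name: Connect primary DS container to network
        run: docker network connect example primary-ds --alias primary-ds.example.com

      - name: Set up primary sub-CA container
        run: |
          tests/bin/runner-init.sh primary-subca
        env:
          HOSTNAME: primary-subca.example.com

      - name: Connect primary sub-CA container to network
        run: docker network connect example primary-subca --alias primary-subca.example.com

      # Step 1 generates the sub-CA signing CSR and stops; the CSR is handed
      # to the root CA out of band via $SHARED.
      - name: Install primary sub-CA (step 1)
        run: |
          docker exec primary-subca pkispawn \
              -f /usr/share/pki/server/examples/installation/ca-external-cert-step1.cfg \
              -s CA \
              -D pki_ds_url=ldap://primary-ds.example.com:3389 \
              -D pki_ca_signing_csr_path=$SHARED/subca_signing.csr \
              -D pki_client_admin_cert_p12=$SHARED/caadmin.p12 \
              -v

      - name: Issue primary sub-CA signing cert
        run: |
          docker exec root-ca pki nss-cert-issue \
              --issuer root-ca_signing \
              --csr $SHARED/subca_signing.csr \
              --ext /usr/share/pki/server/certs/subca_signing.conf \
              --cert $SHARED/subca_signing.crt

      # Step 2 resumes with the externally issued cert and the root chain.
      - name: Install primary sub-CA (step 2)
        run: |
          docker exec primary-subca pkispawn \
              -f /usr/share/pki/server/examples/installation/ca-external-cert-step2.cfg \
              -s CA \
              -D pki_ds_url=ldap://primary-ds.example.com:3389 \
              -D pki_cert_chain_path=$SHARED/root-ca_signing.crt \
              -D pki_ca_signing_csr_path=$SHARED/subca_signing.csr \
              -D pki_ca_signing_cert_path=$SHARED/subca_signing.crt \
              -D pki_client_admin_cert_p12=$SHARED/caadmin.p12 \
              -v

          docker exec primary-subca pki-server cert-find

      - name: Run PKI healthcheck
        run: docker exec primary-subca pki-healthcheck --failures-only

      # Trust the root, import the admin PKCS#12 and prove the admin cert
      # authenticates against the primary sub-CA.
      - name: Check primary sub-CA admin
        run: |
          docker exec primary-subca pki client-cert-import \
              --ca-cert $SHARED/root-ca_signing.crt \
              root-ca_signing

          docker exec primary-subca pki pkcs12-import \
              --pkcs12 $SHARED/caadmin.p12 \
              --pkcs12-password Secret.123

          docker exec primary-subca pki -n caadmin ca-user-show caadmin

      # The clone bundle presumably carries the sub-CA system certs together
      # with their private keys (that is what the clone imports) — treat
      # $SHARED/subca-certs.p12 as key material even though this is a test.
      - name: Export primary sub-CA certs
        run: |
          docker exec primary-subca pki-server ca-clone-prepare \
              --pkcs12-file $SHARED/subca-certs.p12 \
              --pkcs12-password Secret.123

      - name: Set up secondary DS container
        run: |
          tests/bin/ds-container-create.sh secondary-ds
        env:
          IMAGE: ${{ env.DB_IMAGE }}
          HOSTNAME: secondary-ds.example.com
          PASSWORD: Secret.123

      - name: Connect secondary DS container to network
        run: docker network connect example secondary-ds --alias secondary-ds.example.com

      - name: Set up secondary sub-CA container
        run: |
          tests/bin/runner-init.sh secondary-subca
        env:
          HOSTNAME: secondary-subca.example.com

      - name: Connect secondary sub-CA container to network
        run: docker network connect example secondary-subca --alias secondary-subca.example.com

      # The clone joins the security domain hosted by the primary and imports
      # the bundle exported above. The PKCS#12 password is deliberately passed
      # on the command line here: it is a fixture, and `-v` logs it anyway.
      - name: Install secondary sub-CA
        run: |
          # get CS.cfg from primary sub-CA before cloning
          docker cp primary-subca:/var/lib/pki/pki-tomcat/conf/ca/CS.cfg CS.cfg.primary

          docker exec secondary-subca pkispawn \
              -f /usr/share/pki/server/examples/installation/ca-clone.cfg \
              -s CA \
              -D pki_cert_chain_path=$SHARED/root-ca_signing.crt \
              -D pki_security_domain_hostname=primary-subca.example.com \
              -D pki_clone_pkcs12_path=$SHARED/subca-certs.p12 \
              -D pki_clone_pkcs12_password=Secret.123 \
              -D pki_ds_url=ldap://secondary-ds.example.com:3389 \
              -D pki_clone_uri=https://primary-subca.example.com:8443 \
              -v

          docker exec secondary-subca pki-server cert-find

      # Cloning must not change the primary's CS.cfg beyond the replica-range
      # parameters and enabling serial management.
      - name: Check CS.cfg in primary sub-CA after cloning
        run: |
          # get CS.cfg from primary sub-CA after cloning
          docker cp primary-subca:/var/lib/pki/pki-tomcat/conf/ca/CS.cfg CS.cfg.primary.after

          # normalize expected result:
          # - remove params that cannot be compared
          # - set dbs.enableSerialManagement to true (automatically enabled when cloned)
          sed -e '/^dbs.beginReplicaNumber=/d' \
              -e '/^dbs.endReplicaNumber=/d' \
              -e '/^dbs.nextBeginReplicaNumber=/d' \
              -e '/^dbs.nextEndReplicaNumber=/d' \
              -e 's/^\(dbs.enableSerialManagement\)=.*$/\1=true/' \
              CS.cfg.primary \
              | sort > expected

          # normalize actual result:
          # - remove params that cannot be compared
          sed -e '/^dbs.beginReplicaNumber=/d' \
              -e '/^dbs.endReplicaNumber=/d' \
              -e '/^dbs.nextBeginReplicaNumber=/d' \
              -e '/^dbs.nextEndReplicaNumber=/d' \
              CS.cfg.primary.after \
              | sort > actual

          diff expected actual

      # The clone's CS.cfg is derived from the primary's: same content except
      # host-specific values, CRL generation disabled and the clone-only keys.
      - name: Check CS.cfg in secondary sub-CA
        run: |
          # get CS.cfg from secondary sub-CA
          docker cp secondary-subca:/var/lib/pki/pki-tomcat/conf/ca/CS.cfg CS.cfg.secondary

          # normalize expected result:
          # - remove params that cannot be compared
          # - replace primary-subca.example.com with secondary-subca.example.com
          # - replace primary-ds.example.com with secondary-ds.example.com
          # - set ca.crl.MasterCRL.enableCRLCache to false (automatically disabled in the clone)
          # - set ca.crl.MasterCRL.enableCRLUpdates to false (automatically disabled in the clone)
          # - add params for the clone
          sed -e '/^installDate=/d' \
              -e '/^dbs.beginReplicaNumber=/d' \
              -e '/^dbs.endReplicaNumber=/d' \
              -e '/^dbs.nextBeginReplicaNumber=/d' \
              -e '/^dbs.nextEndReplicaNumber=/d' \
              -e '/^ca.sslserver.cert=/d' \
              -e '/^ca.sslserver.certreq=/d' \
              -e 's/primary-subca.example.com/secondary-subca.example.com/' \
              -e 's/primary-ds.example.com/secondary-ds.example.com/' \
              -e 's/^\(ca.crl.MasterCRL.enableCRLCache\)=.*$/\1=false/' \
              -e 's/^\(ca.crl.MasterCRL.enableCRLUpdates\)=.*$/\1=false/' \
              -e '$ a ca.certStatusUpdateInterval=0' \
              -e '$ a ca.listenToCloneModifications=false' \
              -e '$ a master.ca.agent.host=primary-subca.example.com' \
              -e '$ a master.ca.agent.port=8443' \
              CS.cfg.primary.after \
              | sort > expected

          # normalize actual result:
          # - remove params that cannot be compared
          sed -e '/^installDate=/d' \
              -e '/^dbs.beginReplicaNumber=/d' \
              -e '/^dbs.endReplicaNumber=/d' \
              -e '/^dbs.nextBeginReplicaNumber=/d' \
              -e '/^dbs.nextEndReplicaNumber=/d' \
              -e '/^ca.sslserver.cert=/d' \
              -e '/^ca.sslserver.certreq=/d' \
              CS.cfg.secondary \
              | sort > actual

          diff expected actual

      - name: Run PKI healthcheck
        run: docker exec secondary-subca pki-healthcheck --failures-only

      # The same admin PKCS#12 must work against the clone (shared user DB).
      - name: Check secondary sub-CA admin
        run: |
          docker exec secondary-subca pki client-cert-import \
              --ca-cert $SHARED/root-ca_signing.crt \
              root-ca_signing

          docker exec secondary-subca pki pkcs12-import \
              --pkcs12 $SHARED/caadmin.p12 \
              --pkcs12-password Secret.123

          docker exec secondary-subca pki -n caadmin ca-user-show caadmin

      # With pipefail enabled (see defaults.run.shell) a failing `pki` call is
      # no longer hidden behind the `tee`.
      - name: Check users in primary sub-CA and secondary sub-CA
        run: |
          docker exec primary-subca pki -n caadmin ca-user-find | tee subca-users.primary
          docker exec secondary-subca pki -n caadmin ca-user-find > subca-users.secondary
          diff subca-users.primary subca-users.secondary

      - name: Check certs in primary sub-CA and secondary sub-CA
        run: |
          docker exec primary-subca pki ca-cert-find | tee subca-certs.primary
          docker exec secondary-subca pki ca-cert-find > subca-certs.secondary
          diff subca-certs.primary subca-certs.secondary

      # Artifact collection runs even on failure and must not itself fail
      # the job; what the save scripts collect is defined outside this file —
      # verify they do not sweep up the PKCS#12 bundles from $SHARED before
      # pointing this workflow at anything but fixture keys.
      - name: Gather artifacts from primary sub-CA
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh --output=/tmp/artifacts/pki primary-ds
          tests/bin/pki-artifacts-save.sh primary-subca
        continue-on-error: true

      - name: Gather artifacts from secondary sub-CA
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh --output=/tmp/artifacts/pki secondary-ds
          tests/bin/pki-artifacts-save.sh secondary-subca
        continue-on-error: true

      # Tear down the clone first so the primary is still reachable for the
      # security-domain updates pkidestroy performs.
      - name: Remove secondary sub-CA
        run: docker exec secondary-subca pkidestroy -i pki-tomcat -s CA -v

      - name: Remove primary sub-CA
        run: docker exec primary-subca pkidestroy -i pki-tomcat -s CA -v

      - name: Upload artifacts from primary sub-CA
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: subca-clone-primary
          path: |
            /tmp/artifacts/primary-subca

      - name: Upload artifacts from secondary sub-CA
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: subca-clone-secondary
          path: |
            /tmp/artifacts/secondary-subca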