Skip to content

Commit

Permalink
Modify pkispawn to deploy EST
Browse files Browse the repository at this point in the history
EST deployment is included in pkispwn. The installation does not perform
all the steps done for CA and other subsystems so there is no security
domain management and user administration. During the installation there
is no DS or other DBs connection which has to be performed by the user
before or after the installation.
  • Loading branch information
fmarco76 committed Sep 18, 2024
1 parent 0ff1fc4 commit 3c77764
Show file tree
Hide file tree
Showing 19 changed files with 640 additions and 12 deletions.
233 changes: 233 additions & 0 deletions .github/workflows/est-ds-realm-test.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,233 @@
name: EST with ds realm

on: workflow_call

env:
DB_IMAGE: ${{ vars.DB_IMAGE || 'quay.io/389ds/dirsrv' }}

jobs:
# docs/installation/ca/Installing_CA.md
test:
name: Test
runs-on: ubuntu-latest
env:
SHARED: /tmp/workdir/pki
steps:
- name: Clone repository
uses: actions/checkout@v4

- name: Retrieve PKI images
uses: actions/cache@v4
with:
key: pki-images-${{ github.sha }}
path: pki-images.tar

- name: Load PKI images
run: docker load --input pki-images.tar

- name: Create network
run: docker network create example

- name: Set up DS container
run: |
tests/bin/ds-create.sh \
--image=${{ env.DB_IMAGE }} \
--hostname=ds.example.com \
--password=Secret.123 \
--network=example \
--network-alias=ds.example.com \
ds
- name: Set up PKI container
run: |
tests/bin/runner-init.sh \
--hostname=pki.example.com \
--network=example \
--network-alias=ca.example.com \
pki
- name: Install CA
run: |
docker exec pki pkispawn \
-f /usr/share/pki/server/examples/installation/ca.cfg \
-s CA \
-D pki_ds_url=ldap://ds.example.com:3389 \
-v
- name: Initialize PKI client
run: |
docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
docker exec pki pki nss-cert-import \
--cert ca_signing.crt \
--trust CT,C,C \
ca_signing
docker exec pki pki pkcs12-import \
--pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
--pkcs12-password Secret.123
docker exec pki pki info
- name: Add CA EST user
run: |
docker exec pki pki -n caadmin ca-group-add "EST RA Agents"
docker exec pki pki -n caadmin ca-user-add \
est-ra-1 --fullName "EST RA 1" --password Secret.est
docker exec pki pki -n caadmin ca-group-member-add "EST RA Agents" est-ra-1
- name: Configure CA est profile
run: |
docker exec pki pki -n caadmin ca-profile-add \
--raw /usr/share/pki/ca/profiles/ca/estServiceCert.cfg
docker exec pki pki -n caadmin ca-profile-enable estServiceCert
docker exec pki pki-server restart --wait
- name: Install EST
run: |
docker exec pki pkispawn \
-f /usr/share/pki/server/examples/installation/est.cfg \
-s EST \
-D est_realm_url=ldap://ds.example.com:3389 \
-v
- name: Check EST backend config
if: always()
run: |
docker exec pki cat /etc/pki/pki-tomcat/est/backend.conf
- name: Check EST authorizer config
if: always()
run: |
docker exec pki cat /etc/pki/pki-tomcat/est/authorizer.conf
- name: Check EST realm config
if: always()
run: |
docker exec pki cat /etc/pki/pki-tomcat/est/realm.conf
- name: Check webapps
run: |
docker exec pki pki-server webapp-find | tee output
# CA instance should have ROOT, ca, and pki webapps
echo "ROOT" > expected
echo "ca" >> expected
echo "est" >> expected
echo "pki" >> expected
sed -n 's/^ *Webapp ID: *\(.*\)$/\1/p' output > actual
diff expected actual
docker exec pki pki-server webapp-show ROOT
docker exec pki pki-server webapp-show ca
docker exec pki pki-server webapp-show est
docker exec pki pki-server webapp-show pki
- name: Create EST users
run: |
docker exec -i pki ldapadd -x -H ldap://ds.example.com:3389 \
-D "cn=Directory Manager" -w Secret.123 << EOF
dn: dc=est,dc=pki,dc=example,dc=com
objectClass: domain
dc: est
dn: ou=people,dc=est,dc=pki,dc=example,dc=com
ou: people
objectClass: top
objectClass: organizationalUnit
dn: ou=groups,dc=est,dc=pki,dc=example,dc=com
ou: groups
objectClass: top
objectClass: organizationalUnit
dn: uid=est-test-user,ou=people,dc=est,dc=pki,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
uid: est-test-user
sn: EST TEST USER
cn: EST TEST USER
usertype: undefined
userPassword: Secret.123
dn: cn=estclient,ou=groups,dc=est,dc=pki,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: estclient
uniqueMember: uid=est-test-user,ou=People,dc=est,dc=pki,dc=example,dc=com
EOF
- name: Test CA certs
run: |
docker exec pki curl -o cacert.p7 -k https://pki.example.com:8443/.well-known/est/cacerts
docker exec pki openssl base64 -d --in cacert.p7 --out cacert.p7.der
docker exec pki openssl pkcs7 --in cacert.p7.der -inform DER -print_certs -out cacert.pem
docker exec pki openssl x509 -in cacert.pem -text -noout | tee actual
docker exec pki openssl x509 -in ca_signing.crt -text -noout | tee expected
diff expected actual
- name: Install est client
run: |
docker exec pki dnf copr enable -y @pki/libest
docker exec pki dnf install -y libest
- name: Enroll certificate
run: |
docker exec -e EST_OPENSSL_CACERT=cacert.pem pki estclient -e -s pki.example.com -p 8443 \
--common-name test.example.com -o . -u est-test-user -h Secret.123
docker exec pki openssl base64 -d --in cert-0-0.pkcs7 --out cert-0-0.pkcs7.der
docker exec pki openssl pkcs7 -in cert-0-0.pkcs7.der -inform DER -print_certs -out cert.pem
docker exec pki openssl x509 -in cert.pem -subject -noout | tee actual
echo "subject=CN=test.example.com" > expected
diff expected actual
- name: Remove EST
run: |
docker exec pki pki-server est-undeploy --wait
docker exec pki pki-server est-remove
- name: Remove CA
run: docker exec pki pkidestroy -i pki-tomcat -s CA -v

- name: Check DS server systemd journal
if: always()
run: |
docker exec ds journalctl -x --no-pager -u [email protected]
- name: Check DS container logs
if: always()
run: |
docker logs ds
- name: Check PKI server systemd journal
if: always()
run: |
docker exec pki journalctl -x --no-pager -u [email protected]
- name: Check CA debug log
if: always()
run: |
docker exec pki find /var/lib/pki/pki-tomcat/logs/ca -name "debug.*" -exec cat {} \;
- name: Check EST debug log
if: always()
run: |
docker exec pki find /var/lib/pki/pki-tomcat/logs/est -name "debug.*" -exec cat {} \;
- name: Gather artifacts
if: always()
run: |
tests/bin/ds-artifacts-save.sh ds
tests/bin/pki-artifacts-save.sh pki
continue-on-error: true

- name: Upload artifacts
if: always()
uses: actions/upload-artifact@v4
with:
name: est-ds-basic
path: /tmp/artifacts
6 changes: 6 additions & 0 deletions .github/workflows/est-tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -40,3 +40,9 @@ jobs:
ansible-playbook -e 'pki_subsystem="est"' tests/ansible/pki-playbook.yml
env:
ANSIBLE_CONFIG: ${{ github.workspace }}/tests/ansible/ansible.cfg


est-ds-realm-test:
name: EST with ds realm
needs: build
uses: ./.github/workflows/est-ds-realm-test.yml
18 changes: 18 additions & 0 deletions base/est/CMakeLists.txt
Original file line number Diff line number Diff line change
Expand Up @@ -96,3 +96,21 @@ install(
DESTINATION
${DATA_INSTALL_DIR}/est/webapps/est/WEB-INF/lib
)

install(
DIRECTORY
shared/
DESTINATION
${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf/
PATTERN
"CMakeLists.txt" EXCLUDE
)

install(
DIRECTORY
bin
DESTINATION
${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/
PATTERN
"CMakeLists.txt" EXCLUDE
)
7 changes: 7 additions & 0 deletions base/est/bin/estauthz
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
#!/usr/bin/python3
import json, sys
ALLOWED_ROLE = 'estclient'
obj = json.loads(sys.stdin.read())
if not ALLOWED_ROLE in obj['authzData']['principal']['roles']:
print(f'Principal does not have required role {ALLOWED_ROLE!r}')
sys.exit(1)
1 change: 0 additions & 1 deletion base/est/conf/realm.conf

This file was deleted.

2 changes: 2 additions & 0 deletions base/est/shared/authorizer.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
class=org.dogtagpki.est.ExternalProcessRequestAuthorizer
executable=/usr/share/pki/est/bin/estauthz
5 changes: 5 additions & 0 deletions base/est/shared/backend.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
class=org.dogtagpki.est.DogtagRABackend
url=https://fedora:8443
profile=estServiceCert
username=est-ra-1
password=est4ever
7 changes: 7 additions & 0 deletions base/est/shared/realm/ds.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
class=com.netscape.cms.realm.PKILDAPRealm
url=ldap://localhost.localdomain:389
authType=BasicAuth
bindDN=cn=Directory Manager
bindPassword=Secret.123
usersDN=ou=people,dc=est,dc=pki,dc=example,dc=com
groupsDN=ou=groups,dc=est,dc=pki,dc=example,dc=com
4 changes: 4 additions & 0 deletions base/est/shared/realm/in-memory.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
class=com.netscape.cms.realm.PKIInMemoryRealm
username=admin
password=Secret.123
roles=estclient
5 changes: 5 additions & 0 deletions base/est/shared/realm/postgresql.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
class=com.netscape.cms.realm.PKIPostgreSQLRealm
url=jdbc:postgresql://localhost.localdomain:5432/est
user=est
password=Secret.123
statements=/usr/share/pki/est/conf/realm/statements.conf
31 changes: 31 additions & 0 deletions base/est/shared/realm/statements.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
getUserByID=\
SELECT \
"id", "full_name", "password" \
FROM \
"users" \
WHERE \
"id" = ?

getUserByCertID=\
SELECT \
u."id", u."full_name", u."password" \
FROM \
"users" u, "user_certs" uc \
WHERE \
u."id" = uc."user_id" AND uc."cert_id" = ?

getUserCerts=\
SELECT \
"data" \
FROM \
"user_certs" \
WHERE \
"user_id" = ?

getUserRoles=\
SELECT \
"group_id" \
FROM \
"group_members" \
WHERE \
"user_id" = ?
25 changes: 25 additions & 0 deletions base/est/webapps/est/index.jsp
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
<!-- --- BEGIN COPYRIGHT BLOCK ---
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 of the License.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Copyright (C) 2013 Red Hat, Inc.
All rights reserved.
--- END COPYRIGHT BLOCK --- -->
<html>
<head>
<title>Enrollment over Secure Transport</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body>
</body>
</html>
Loading

0 comments on commit 3c77764

Please sign in to comment.