-
Notifications
You must be signed in to change notification settings - Fork 138
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
EST deployment is included in pkispwn. The installation does not perform all the steps done for CA and other subsystems so there is no security domain management and user administration. During the installation there is no DS or other DBs connection which has to be performed by the user before or after the installation.
- Loading branch information
Showing
24 changed files
with
7,043 additions
and
11 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,322 @@ | ||
name: EST with ds realm | ||
|
||
on: workflow_call | ||
|
||
env: | ||
DB_IMAGE: ${{ vars.DB_IMAGE || 'quay.io/389ds/dirsrv' }} | ||
|
||
jobs: | ||
# docs/installation/ca/Installing_CA.md | ||
test: | ||
name: Test | ||
runs-on: ubuntu-latest | ||
env: | ||
SHARED: /tmp/workdir/pki | ||
steps: | ||
- name: Clone repository | ||
uses: actions/checkout@v4 | ||
|
||
- name: Retrieve PKI images | ||
uses: actions/cache@v4 | ||
with: | ||
key: pki-images-${{ github.sha }} | ||
path: pki-images.tar | ||
|
||
- name: Load PKI images | ||
run: docker load --input pki-images.tar | ||
|
||
- name: Create network | ||
run: docker network create example | ||
|
||
- name: Set up DS container | ||
run: | | ||
tests/bin/ds-create.sh \ | ||
--image=${{ env.DB_IMAGE }} \ | ||
--hostname=ds.example.com \ | ||
--password=Secret.123 \ | ||
ds | ||
- name: Connect DS container to network | ||
run: docker network connect example ds --alias ds.example.com | ||
|
||
- name: Set up PKI container | ||
run: | | ||
tests/bin/runner-init.sh pki | ||
env: | ||
HOSTNAME: pki.example.com | ||
|
||
- name: Connect PKI container to network | ||
run: docker network connect example pki --alias pki.example.com | ||
|
||
- name: Install CA | ||
run: | | ||
docker exec pki pkispawn \ | ||
-f /usr/share/pki/server/examples/installation/ca.cfg \ | ||
-s CA \ | ||
-D pki_ds_url=ldap://ds.example.com:3389 \ | ||
-v | ||
- name: Initialize PKI client | ||
run: | | ||
docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt | ||
docker exec pki pki nss-cert-import \ | ||
--cert ca_signing.crt \ | ||
--trust CT,C,C \ | ||
ca_signing | ||
docker exec pki pki pkcs12-import \ | ||
--pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \ | ||
--pkcs12-password Secret.123 | ||
docker exec pki pki info | ||
- name: Add CA EST user | ||
run: | | ||
docker exec pki pki -n caadmin ca-group-add "EST RA Agents" | ||
docker exec pki pki -n caadmin ca-user-add \ | ||
est-ra-1 --fullName "EST RA 1" --password Secret.est | ||
docker exec pki pki -n caadmin ca-group-member-add "EST RA Agents" est-ra-1 | ||
- name: Configure CA est profile | ||
run: | | ||
docker exec pki cp /usr/share/pki/ca/profiles/ca/estServiceCert.cfg estServiceCert.cfg | ||
docker exec pki sed -i 's/EST RA Agents/Subsystem Group/' estServiceCert.cfg | ||
docker exec pki pki -n caadmin ca-profile-add \ | ||
--raw ./estServiceCert.cfg | ||
docker exec pki pki -n caadmin ca-profile-enable estServiceCert | ||
docker exec pki pki-server restart --wait | ||
- name: Install EST | ||
run: | | ||
docker exec pki pkispawn \ | ||
-f /usr/share/pki/server/examples/installation/est.cfg \ | ||
-s EST \ | ||
-D est_realm_url=ldap://ds.example.com:3389 \ | ||
-v | ||
- name: Check EST backend config | ||
if: always() | ||
run: | | ||
docker exec pki cat /etc/pki/pki-tomcat/est/backend.conf | ||
- name: Check EST authorizer config | ||
if: always() | ||
run: | | ||
docker exec pki cat /etc/pki/pki-tomcat/est/authorizer.conf | ||
- name: Check EST realm config | ||
if: always() | ||
run: | | ||
docker exec pki cat /etc/pki/pki-tomcat/est/realm.conf | ||
- name: Check webapps | ||
run: | | ||
docker exec pki pki-server webapp-find | tee output | ||
# CA instance should have ROOT, ca, and pki webapps | ||
echo "ROOT" > expected | ||
echo "ca" >> expected | ||
echo "est" >> expected | ||
echo "pki" >> expected | ||
sed -n 's/^ *Webapp ID: *\(.*\)$/\1/p' output > actual | ||
diff expected actual | ||
docker exec pki pki-server webapp-show ROOT | ||
docker exec pki pki-server webapp-show ca | ||
docker exec pki pki-server webapp-show est | ||
docker exec pki pki-server webapp-show pki | ||
- name: Create EST users | ||
run: | | ||
docker exec -i pki ldapadd -x -H ldap://ds.example.com:3389 \ | ||
-D "cn=Directory Manager" -w Secret.123 << EOF | ||
dn: dc=est,dc=pki,dc=example,dc=com | ||
objectClass: domain | ||
dc: est | ||
dn: ou=people,dc=est,dc=pki,dc=example,dc=com | ||
ou: people | ||
objectClass: top | ||
objectClass: organizationalUnit | ||
dn: ou=groups,dc=est,dc=pki,dc=example,dc=com | ||
ou: groups | ||
objectClass: top | ||
objectClass: organizationalUnit | ||
dn: uid=est-test-user,ou=people,dc=est,dc=pki,dc=example,dc=com | ||
objectClass: top | ||
objectClass: person | ||
objectClass: organizationalPerson | ||
objectClass: inetOrgPerson | ||
objectClass: cmsuser | ||
uid: est-test-user | ||
sn: EST TEST USER | ||
cn: EST TEST USER | ||
usertype: undefined | ||
userPassword: Secret.123 | ||
dn: cn=estclient,ou=groups,dc=est,dc=pki,dc=example,dc=com | ||
objectClass: top | ||
objectClass: groupOfUniqueNames | ||
cn: estclient | ||
uniqueMember: uid=est-test-user,ou=People,dc=est,dc=pki,dc=example,dc=com | ||
EOF | ||
- name: Check EST subsystem | ||
run: | | ||
docker exec pki pki-server subsystem-show est | tee output | ||
# CA instance should have CA subsystem | ||
echo "est" > expected | ||
sed -n 's/^ *Subsystem ID: *\(.*\)$/\1/p' output > actual | ||
diff expected actual | ||
echo "True" > expected | ||
sed -n 's/^ *Enabled: *\(.*\)$/\1/p' output > actual | ||
diff expected actual | ||
- name: Test CA certs | ||
run: | | ||
docker exec pki curl -o cacert.p7 -k https://pki.example.com:8443/.well-known/est/cacerts | ||
docker exec pki openssl base64 -d --in cacert.p7 --out cacert.p7.der | ||
docker exec pki openssl pkcs7 --in cacert.p7.der -inform DER -print_certs -out cacert.pem | ||
docker exec pki openssl x509 -in cacert.pem -text -noout | tee actual | ||
docker exec pki openssl x509 -in ca_signing.crt -text -noout | tee expected | ||
diff expected actual | ||
- name: Install est client | ||
run: | | ||
docker exec pki dnf copr enable -y @pki/libest | ||
docker exec pki dnf install -y libest | ||
- name: Enroll certificate | ||
run: | | ||
docker exec -e EST_OPENSSL_CACERT=cacert.pem pki estclient -e -s pki.example.com -p 8443 \ | ||
--common-name test.example.com -o . -u est-test-user -h Secret.123 | ||
docker exec pki openssl base64 -d --in cert-0-0.pkcs7 --out cert-0-0.pkcs7.der | ||
docker exec pki openssl pkcs7 -in cert-0-0.pkcs7.der -inform DER -print_certs -out cert.pem | ||
docker exec pki openssl x509 -in cert.pem -subject -noout | tee actual | ||
echo "subject=CN=test.example.com" > expected | ||
diff expected actual | ||
- name: Remove EST | ||
run: | | ||
docker exec pki pki-server est-undeploy --wait | ||
docker exec pki pki-server est-remove | ||
- name: Remove CA | ||
run: docker exec pki pkidestroy -i pki-tomcat -s CA -v | ||
|
||
- name: Check PKI server base dir after removal | ||
run: | | ||
# check file types, owners, and permissions | ||
docker exec pki ls -l /var/lib/pki/pki-tomcat \ | ||
| sed \ | ||
-e '/^total/d' \ | ||
-e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \ | ||
| tee output | ||
# TODO: review permissions | ||
cat > expected << EOF | ||
lrwxrwxrwx pkiuser pkiuser conf -> /etc/pki/pki-tomcat | ||
lrwxrwxrwx pkiuser pkiuser logs -> /var/log/pki/pki-tomcat | ||
EOF | ||
diff expected output | ||
- name: Check PKI server conf dir after removal | ||
run: | | ||
# check file types, owners, and permissions | ||
docker exec pki ls -l /etc/pki/pki-tomcat \ | ||
| sed \ | ||
-e '/^total/d' \ | ||
-e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \ | ||
| tee output | ||
# TODO: review permissions | ||
cat > expected << EOF | ||
drwxrwx--- pkiuser pkiuser Catalina | ||
drwxrwx--- pkiuser pkiuser alias | ||
drwxrwx--- pkiuser pkiuser ca | ||
-rw-r--r-- pkiuser pkiuser catalina.policy | ||
lrwxrwxrwx pkiuser pkiuser catalina.properties -> /usr/share/pki/server/conf/catalina.properties | ||
drwxrwx--- pkiuser pkiuser certs | ||
lrwxrwxrwx pkiuser pkiuser context.xml -> /etc/tomcat/context.xml | ||
drwxrwx--- pkiuser pkiuser est | ||
lrwxrwxrwx pkiuser pkiuser logging.properties -> /usr/share/pki/server/conf/logging.properties | ||
-rw-rw---- pkiuser pkiuser password.conf | ||
-rw-rw---- pkiuser pkiuser server.xml | ||
-rw-rw---- pkiuser pkiuser serverCertNick.conf | ||
-rw-rw---- pkiuser pkiuser tomcat.conf | ||
lrwxrwxrwx pkiuser pkiuser web.xml -> /etc/tomcat/web.xml | ||
EOF | ||
diff expected output | ||
- name: Check PKI server logs dir after removal | ||
run: | | ||
# check file types, owners, and permissions | ||
docker exec pki ls -l /var/log/pki/pki-tomcat \ | ||
| sed \ | ||
-e '/^total/d' \ | ||
-e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \ | ||
| tee output | ||
DATE=$(date +'%Y-%m-%d') | ||
# TODO: review permissions | ||
cat > expected << EOF | ||
drwxr-x--- pkiuser pkiuser backup | ||
drwxrwx--- pkiuser pkiuser ca | ||
-rw-rw-r-- pkiuser pkiuser catalina.$DATE.log | ||
drwxrwx--- pkiuser pkiuser est | ||
-rw-rw-r-- pkiuser pkiuser host-manager.$DATE.log | ||
-rw-rw-r-- pkiuser pkiuser localhost.$DATE.log | ||
-rw-r--r-- pkiuser pkiuser localhost_access_log.$DATE.txt | ||
-rw-rw-r-- pkiuser pkiuser manager.$DATE.log | ||
drwxr-xr-x pkiuser pkiuser pki | ||
EOF | ||
diff expected output | ||
- name: Check DS server systemd journal | ||
if: always() | ||
run: | | ||
docker exec ds journalctl -x --no-pager -u [email protected] | ||
- name: Check DS container logs | ||
if: always() | ||
run: | | ||
docker logs ds | ||
- name: Check PKI server systemd journal | ||
if: always() | ||
run: | | ||
docker exec pki journalctl -x --no-pager -u [email protected] | ||
- name: Check CA debug log | ||
if: always() | ||
run: | | ||
docker exec pki find /var/lib/pki/pki-tomcat/logs/ca -name "debug.*" -exec cat {} \; | ||
- name: Check EST debug log | ||
if: always() | ||
run: | | ||
docker exec pki find /var/lib/pki/pki-tomcat/logs/est -name "debug.*" -exec cat {} \; | ||
- name: Gather artifacts | ||
if: always() | ||
run: | | ||
tests/bin/ds-artifacts-save.sh ds | ||
tests/bin/pki-artifacts-save.sh pki | ||
continue-on-error: true | ||
|
||
- name: Upload artifacts | ||
if: always() | ||
uses: actions/upload-artifact@v4 | ||
with: | ||
name: ca-basic | ||
path: /tmp/artifacts |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
#!/usr/bin/python3 | ||
import json, sys | ||
ALLOWED_ROLE = 'estclient' | ||
obj = json.loads(sys.stdin.read()) | ||
if not ALLOWED_ROLE in obj['authzData']['principal']['roles']: | ||
print(f'Principal does not have required role {ALLOWED_ROLE!r}') | ||
sys.exit(1) |
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
class=org.dogtagpki.est.ExternalProcessRequestAuthorizer | ||
executable=/usr/local/libexec/estauthz |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
class=org.dogtagpki.est.DogtagRABackend | ||
url=https://fedora:8443 | ||
profile=estServiceCert | ||
username=est-ra-1 | ||
password=est4ever |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
class=com.netscape.cms.realm.PKILDAPRealm | ||
url=ldap://localhost.localdomain:389 | ||
authType=BasicAuth | ||
bindDN=cn=Directory Manager | ||
bindPassword=Secret.123 | ||
usersDN=ou=people,dc=est,dc=pki,dc=example,dc=com | ||
groupsDN=ou=groups,dc=est,dc=pki,dc=example,dc=com |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
class=com.netscape.cms.realm.PKIInMemoryRealm | ||
username=admin | ||
password=Secret.123 | ||
roles=estclient |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
class=com.netscape.cms.realm.PKIPostgreSQLRealm | ||
url=jdbc:postgresql://localhost.localdomain:5432/est | ||
user=est | ||
password=Secret.123 | ||
statements=/usr/share/pki/est/conf/realm/statements.conf |
Oops, something went wrong.