CVE-2023-4727 Fix token authentication bypass vulnerability #5590
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: KRA Tests | |
| on: [push, pull_request] | |
| jobs: | |
| init: | |
| name: Initialization | |
| uses: ./.github/workflows/init.yml | |
| secrets: inherit | |
| build: | |
| name: Waiting for build | |
| needs: init | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Wait for build | |
| uses: lewagon/[email protected] | |
| with: | |
| ref: ${{ github.ref }} | |
| check-name: 'Building PKI' | |
| repo-token: ${{ secrets.GITHUB_TOKEN }} | |
| wait-interval: 30 | |
| if: github.event_name == 'push' | |
| - name: Wait for build | |
| uses: lewagon/[email protected] | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| check-name: 'Building PKI' | |
| repo-token: ${{ secrets.GITHUB_TOKEN }} | |
| wait-interval: 30 | |
| if: github.event_name == 'pull_request' | |
| # docs/installation/kra/Installing_KRA.md | |
| kra-test: | |
| name: Testing KRA | |
| needs: [init, build] | |
| runs-on: ubuntu-latest | |
| env: | |
| PKIDIR: /tmp/workdir/pki | |
| steps: | |
| - name: Clone repository | |
| uses: actions/checkout@v3 | |
| - name: Retrieve pki-runner image | |
| uses: actions/cache@v3 | |
| with: | |
| key: pki-runner-${{ github.sha }} | |
| path: pki-runner.tar | |
| - name: Load runner image | |
| run: docker load --input pki-runner.tar | |
| - name: Run container | |
| run: | | |
| IMAGE=pki-runner \ | |
| NAME=pki \ | |
| HOSTNAME=pki.example.com \ | |
| tests/bin/runner-init.sh | |
| - name: Install dependencies | |
| run: docker exec pki dnf install -y 389-ds-base | |
| - name: Install DS | |
| run: docker exec pki ${PKIDIR}/tests/bin/ds-create.sh | |
| - name: Install CA | |
| run: docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v | |
| - name: Install KRA | |
| run: docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/kra.cfg -s KRA -v | |
| - name: Run PKI healthcheck | |
| run: docker exec pki pki-healthcheck --failures-only | |
| - name: Verify KRA admin | |
| run: | | |
| docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt | |
| docker exec pki pki client-cert-import ca_signing --ca-cert ca_signing.crt | |
| docker exec pki pki client-cert-import \ | |
| --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \ | |
| --pkcs12-password-file /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf | |
| docker exec pki pki -n caadmin kra-user-show kraadmin | |
| - name: Verify KRA connector in CA | |
| run: | | |
| docker exec pki bash -c "pki -n caadmin ca-kraconnector-show | sed -n 's/\s*Host:\s\+\(\S\+\):.*/\1/p' > ${PKIDIR}/kraconnector.host" | |
| echo pki.example.com > kra.hostname | |
| diff kra.hostname kraconnector.host | |
| - name: Gather artifacts | |
| if: always() | |
| run: | | |
| tests/bin/ds-artifacts-save.sh pki | |
| tests/bin/pki-artifacts-save.sh pki | |
| - name: Remove KRA | |
| run: docker exec pki pkidestroy -i pki-tomcat -s KRA -v | |
| - name: Remove CA | |
| run: docker exec pki pkidestroy -i pki-tomcat -s CA -v | |
| - name: Remove DS | |
| run: docker exec pki ${PKIDIR}/tests/bin/ds-remove.sh | |
| - name: Upload artifacts | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: kra | |
| path: | | |
| /tmp/artifacts/pki | |
| # docs/installation/kra/Installing_KRA_on_Separate_Instance.md | |
| kra-separate-test: | |
| name: Testing KRA on separate instance | |
| needs: [init, build] | |
| runs-on: ubuntu-latest | |
| env: | |
| PKIDIR: /tmp/workdir/pki | |
| steps: | |
| - name: Clone repository | |
| uses: actions/checkout@v3 | |
| - name: Retrieve pki-runner image | |
| uses: actions/cache@v3 | |
| with: | |
| key: pki-runner-${{ github.sha }} | |
| path: pki-runner.tar | |
| - name: Load runner image | |
| run: docker load --input pki-runner.tar | |
| - name: Create network | |
| run: docker network create example | |
| - name: Setup CA container | |
| run: | | |
| IMAGE=pki-runner \ | |
| NAME=ca \ | |
| HOSTNAME=ca.example.com \ | |
| tests/bin/runner-init.sh | |
| - name: Connect CA container to network | |
| run: docker network connect example ca --alias ca.example.com | |
| - name: Install dependencies in CA container | |
| run: docker exec ca dnf install -y 389-ds-base | |
| - name: Install DS in CA container | |
| run: docker exec ca ${PKIDIR}/tests/bin/ds-create.sh | |
| - name: Install CA in CA container | |
| run: docker exec ca pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v | |
| - name: Install banner in CA container | |
| run: docker exec ca cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat | |
| - name: Setup KRA container | |
| run: | | |
| IMAGE=pki-runner \ | |
| NAME=kra \ | |
| HOSTNAME=kra.example.com \ | |
| tests/bin/runner-init.sh | |
| - name: Connect KRA container to network | |
| run: docker network connect example kra --alias kra.example.com | |
| - name: Install dependencies in KRA container | |
| run: docker exec kra dnf install -y 389-ds-base | |
| - name: Install DS in KRA container | |
| run: docker exec kra ${PKIDIR}/tests/bin/ds-create.sh | |
| - name: Install KRA in KRA container | |
| run: | | |
| docker exec ca pki-server cert-export ca_signing --cert-file ${PKIDIR}/ca_signing.crt | |
| docker exec ca cp /root/.dogtag/pki-tomcat/ca_admin.cert ${PKIDIR}/ca_admin.cert | |
| docker exec kra cp ${PKIDIR}/ca_signing.crt . | |
| docker exec kra cp ${PKIDIR}/ca_admin.cert . | |
| docker exec kra pkispawn -f /usr/share/pki/server/examples/installation/kra-separate.cfg -s KRA -v | |
| - name: Install banner in KRA container | |
| run: docker exec kra cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat | |
| # TODO: Fix DogtagKRAConnectivityCheck to work without CA | |
| # - name: Run PKI healthcheck | |
| # run: docker exec kra pki-healthcheck --failures-only | |
| - name: Verify KRA admin | |
| run: | | |
| docker exec ca cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 ${PKIDIR}/ca_admin_cert.p12 | |
| docker exec ca cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ${PKIDIR}/pkcs12_password.conf | |
| docker exec kra pki client-cert-import ca_signing --ca-cert ca_signing.crt | |
| docker exec kra pki client-cert-import \ | |
| --pkcs12 ${PKIDIR}/ca_admin_cert.p12 \ | |
| --pkcs12-password-file ${PKIDIR}/pkcs12_password.conf | |
| docker exec kra pki -n caadmin --ignore-banner kra-user-show kraadmin | |
| - name: Verify KRA connector in CA | |
| run: | | |
| docker exec ca pki client-cert-import ca_signing --ca-cert ${PKIDIR}/ca_signing.crt | |
| docker exec ca pki client-cert-import \ | |
| --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \ | |
| --pkcs12-password-file /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf | |
| docker exec ca bash pki -n caadmin --ignore-banner ca-kraconnector-show | tee output | |
| sed -n 's/\s*Host:\s\+\(\S\+\):.*/\1/p' output > actual | |
| echo kra.example.com > expected | |
| diff expected actual | |
| - name: Gather artifacts from CA container | |
| if: always() | |
| run: | | |
| tests/bin/ds-artifacts-save.sh ca | |
| tests/bin/pki-artifacts-save.sh ca | |
| - name: Gather artifacts from KRA container | |
| if: always() | |
| run: | | |
| tests/bin/ds-artifacts-save.sh kra | |
| tests/bin/pki-artifacts-save.sh kra | |
| - name: Remove KRA from KRA container | |
| run: docker exec kra pkidestroy -i pki-tomcat -s KRA -v | |
| - name: Remove DS from KRA container | |
| run: docker exec kra ${PKIDIR}/tests/bin/ds-remove.sh | |
| - name: Disconnect KRA container from network | |
| run: docker network disconnect example kra | |
| - name: Remove CA from CA container | |
| run: docker exec ca pkidestroy -i pki-tomcat -s CA -v | |
| - name: Remove DS from CA container | |
| run: docker exec ca ${PKIDIR}/tests/bin/ds-remove.sh | |
| - name: Disconnect CA container from network | |
| run: docker network disconnect example ca | |
| - name: Remove network | |
| run: docker network rm example | |
| - name: Upload artifacts from CA container | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: kra-separate-ca | |
| path: | | |
| /tmp/artifacts/ca | |
| - name: Upload artifacts from KRA container | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: kra-separate-kra | |
| path: | | |
| /tmp/artifacts/kra | |
| # docs/installation/kra/Installing_KRA_with_External_Certificates.md | |
| kra-external-certs-test: | |
| name: Testing KRA with external certificates | |
| needs: [init, build] | |
| runs-on: ubuntu-latest | |
| env: | |
| PKIDIR: /tmp/workdir/pki | |
| steps: | |
| - name: Clone repository | |
| uses: actions/checkout@v3 | |
| - name: Retrieve pki-runner image | |
| uses: actions/cache@v3 | |
| with: | |
| key: pki-runner-${{ github.sha }} | |
| path: pki-runner.tar | |
| - name: Load runner image | |
| run: docker load --input pki-runner.tar | |
| - name: Create network | |
| run: docker network create example | |
| - name: Setup CA container | |
| run: | | |
| IMAGE=pki-runner \ | |
| NAME=ca \ | |
| HOSTNAME=ca.example.com \ | |
| tests/bin/runner-init.sh | |
| - name: Connect CA container to network | |
| run: docker network connect example ca --alias ca.example.com | |
| - name: Install dependencies in CA container | |
| run: docker exec ca dnf install -y 389-ds-base | |
| - name: Install DS in CA container | |
| run: docker exec ca ${PKIDIR}/tests/bin/ds-create.sh | |
| - name: Install CA in CA container | |
| run: docker exec ca pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v | |
| - name: Initialize CA admin in CA container | |
| run: | | |
| docker exec ca pki-server cert-export ca_signing --cert-file ${PKIDIR}/ca_signing.crt | |
| docker exec ca pki client-cert-import ca_signing --ca-cert ${PKIDIR}/ca_signing.crt | |
| docker exec ca pki client-cert-import \ | |
| --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \ | |
| --pkcs12-password-file /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf | |
| - name: Setup KRA container | |
| run: | | |
| IMAGE=pki-runner \ | |
| NAME=kra \ | |
| HOSTNAME=kra.example.com \ | |
| tests/bin/runner-init.sh | |
| - name: Connect KRA container to network | |
| run: docker network connect example kra --alias kra.example.com | |
| - name: Install dependencies in KRA container | |
| run: docker exec kra dnf install -y 389-ds-base | |
| - name: Install DS in KRA container | |
| run: docker exec kra ${PKIDIR}/tests/bin/ds-create.sh | |
| - name: Install KRA in KRA container (step 1) | |
| run: | | |
| docker exec kra cp ${PKIDIR}/ca_signing.crt . | |
| docker exec kra pkispawn -f /usr/share/pki/server/examples/installation/kra-external-certs-step1.cfg -s KRA -v | |
| - name: Issue KRA storage cert | |
| run: | | |
| docker exec kra cp kra_storage.csr ${PKIDIR}/kra_storage.csr | |
| docker exec ca bash -c "pki ca-cert-request-submit --profile caStorageCert --csr-file ${PKIDIR}/kra_storage.csr | sed -n 's/Request ID: *\(.*\)/\1/p' > ${PKIDIR}/kra_storage.reqid" | |
| docker exec ca bash -c "pki -n caadmin ca-cert-request-approve `cat kra_storage.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > ${PKIDIR}/kra_storage.certid" | |
| docker exec ca bash -c "pki ca-cert-export `cat kra_storage.certid` --output-file ${PKIDIR}/kra_storage.crt" | |
| docker exec kra cp ${PKIDIR}/kra_storage.crt kra_storage.crt | |
| - name: Issue KRA transport cert | |
| run: | | |
| docker exec kra cp kra_transport.csr ${PKIDIR}/kra_transport.csr | |
| docker exec ca bash -c "pki ca-cert-request-submit --profile caTransportCert --csr-file ${PKIDIR}/kra_transport.csr | sed -n 's/Request ID: *\(.*\)/\1/p' > ${PKIDIR}/kra_transport.reqid" | |
| docker exec ca bash -c "pki -n caadmin ca-cert-request-approve `cat kra_transport.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > ${PKIDIR}/kra_transport.certid" | |
| docker exec ca bash -c "pki ca-cert-export `cat kra_transport.certid` --output-file ${PKIDIR}/kra_transport.crt" | |
| docker exec kra cp ${PKIDIR}/kra_transport.crt kra_transport.crt | |
| - name: Issue subsystem cert | |
| run: | | |
| docker exec kra cp subsystem.csr ${PKIDIR}/subsystem.csr | |
| docker exec ca bash -c "pki ca-cert-request-submit --profile caSubsystemCert --csr-file ${PKIDIR}/subsystem.csr | sed -n 's/Request ID: *\(.*\)/\1/p' > ${PKIDIR}/subsystem.reqid" | |
| docker exec ca bash -c "pki -n caadmin ca-cert-request-approve `cat subsystem.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > ${PKIDIR}/subsystem.certid" | |
| docker exec ca bash -c "pki ca-cert-export `cat subsystem.certid` --output-file ${PKIDIR}/subsystem.crt" | |
| docker exec kra cp ${PKIDIR}/subsystem.crt subsystem.crt | |
| - name: Issue SSL server cert | |
| run: | | |
| docker exec kra cp sslserver.csr ${PKIDIR}/sslserver.csr | |
| docker exec ca bash -c "pki ca-cert-request-submit --profile caServerCert --csr-file ${PKIDIR}/sslserver.csr | sed -n 's/Request ID: *\(.*\)/\1/p' > ${PKIDIR}/sslserver.reqid" | |
| docker exec ca bash -c "pki -n caadmin ca-cert-request-approve `cat sslserver.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > ${PKIDIR}/sslserver.certid" | |
| docker exec ca bash -c "pki ca-cert-export `cat sslserver.certid` --output-file ${PKIDIR}/sslserver.crt" | |
| docker exec kra cp ${PKIDIR}/sslserver.crt sslserver.crt | |
| - name: Issue KRA audit signing cert | |
| run: | | |
| docker exec kra cp kra_audit_signing.csr ${PKIDIR}/kra_audit_signing.csr | |
| docker exec ca bash -c "pki ca-cert-request-submit --profile caAuditSigningCert --csr-file ${PKIDIR}/kra_audit_signing.csr | sed -n 's/Request ID: *\(.*\)/\1/p' > ${PKIDIR}/kra_audit_signing.reqid" | |
| docker exec ca bash -c "pki -n caadmin ca-cert-request-approve `cat kra_audit_signing.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > ${PKIDIR}/kra_audit_signing.certid" | |
| docker exec ca bash -c "pki ca-cert-export `cat kra_audit_signing.certid` --output-file ${PKIDIR}/kra_audit_signing.crt" | |
| docker exec kra cp ${PKIDIR}/kra_audit_signing.crt kra_audit_signing.crt | |
| - name: Issue KRA admin cert | |
| run: | | |
| docker exec kra cp kra_admin.csr ${PKIDIR}/kra_admin.csr | |
| docker exec ca bash -c "pki ca-cert-request-submit --profile caUserCert --csr-file ${PKIDIR}/kra_admin.csr --subject uid=kraadmin | sed -n 's/Request ID: *\(.*\)/\1/p' > ${PKIDIR}/kra_admin.reqid" | |
| docker exec ca bash -c "pki -n caadmin ca-cert-request-approve `cat kra_admin.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > ${PKIDIR}/kra_admin.certid" | |
| docker exec ca bash -c "pki ca-cert-export `cat kra_admin.certid` --output-file ${PKIDIR}/kra_admin.crt" | |
| docker exec kra cp ${PKIDIR}/kra_admin.crt kra_admin.crt | |
| - name: Install KRA in KRA container (step 2) | |
| run: | | |
| docker exec kra pkispawn -f /usr/share/pki/server/examples/installation/kra-external-certs-step2.cfg -s KRA -v | |
| # TODO: Fix DogtagKRAConnectivityCheck to work without CA | |
| # - name: Run PKI healthcheck | |
| # run: docker exec kra pki-healthcheck --failures-only | |
| - name: Verify KRA admin | |
| run: | | |
| docker exec kra pki client-cert-import ca_signing --ca-cert ca_signing.crt | |
| docker exec kra pki client-cert-import \ | |
| --pkcs12 /root/.dogtag/pki-tomcat/kra_admin_cert.p12 \ | |
| --pkcs12-password-file /root/.dogtag/pki-tomcat/kra/pkcs12_password.conf | |
| docker exec kra pki -n kraadmin kra-user-show kraadmin | |
| - name: Verify KRA connector in CA | |
| run: | | |
| docker exec ca bash -c "pki -n caadmin ca-kraconnector-show | sed -n 's/\s*Host:\s\+\(\S\+\):.*/\1/p' > ${PKIDIR}/kraconnector.host" | |
| echo kra.example.com > kra.hostname | |
| diff kra.hostname kraconnector.host | |
| - name: Gather artifacts from CA container | |
| if: always() | |
| run: | | |
| tests/bin/ds-artifacts-save.sh ca | |
| tests/bin/pki-artifacts-save.sh ca | |
| - name: Gather artifacts from KRA container | |
| if: always() | |
| run: | | |
| tests/bin/ds-artifacts-save.sh kra | |
| tests/bin/pki-artifacts-save.sh kra | |
| - name: Remove KRA from KRA container | |
| run: docker exec kra pkidestroy -i pki-tomcat -s KRA -v | |
| - name: Remove DS from KRA container | |
| run: docker exec kra ${PKIDIR}/tests/bin/ds-remove.sh | |
| - name: Disconnect KRA container from network | |
| run: docker network disconnect example kra | |
| - name: Remove CA from CA container | |
| run: docker exec ca pkidestroy -i pki-tomcat -s CA -v | |
| - name: Remove DS from CA container | |
| run: docker exec ca ${PKIDIR}/tests/bin/ds-remove.sh | |
| - name: Disconnect CA container from network | |
| run: docker network disconnect example ca | |
| - name: Remove network | |
| run: docker network rm example | |
| - name: Upload artifacts from CA container | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: kra-external-certs-ca | |
| path: | | |
| /tmp/artifacts/ca | |
| - name: Upload artifacts from KRA container | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: kra-external-certs-kra | |
| path: | | |
| /tmp/artifacts/kra | |
| # docs/installation/kra/Installing_KRA_Clone.md | |
| kra-clone-test: | |
| name: Testing KRA clone | |
| needs: [init, build] | |
| runs-on: ubuntu-latest | |
| env: | |
| PKIDIR: /tmp/workdir/pki | |
| steps: | |
| - name: Clone repository | |
| uses: actions/checkout@v3 | |
| - name: Retrieve pki-runner image | |
| uses: actions/cache@v3 | |
| with: | |
| key: pki-runner-${{ github.sha }} | |
| path: pki-runner.tar | |
| - name: Load runner image | |
| run: docker load --input pki-runner.tar | |
| - name: Create network | |
| run: docker network create example | |
| - name: Run primary container | |
| run: | | |
| IMAGE=pki-runner \ | |
| NAME=primary \ | |
| HOSTNAME=primary.example.com \ | |
| tests/bin/runner-init.sh | |
| - name: Connect primary container to network | |
| run: docker network connect example primary --alias primary.example.com | |
| - name: Install dependencies in primary container | |
| run: docker exec primary dnf install -y 389-ds-base | |
| - name: Install DS in primary container | |
| run: docker exec primary ${PKIDIR}/tests/bin/ds-create.sh | |
| - name: Install primary CA in primary container | |
| run: docker exec primary pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v | |
| - name: Install primary KRA in primary container | |
| run: docker exec primary pkispawn -f /usr/share/pki/server/examples/installation/kra.cfg -s KRA -v | |
| - name: Setup secondary container | |
| run: | | |
| IMAGE=pki-runner \ | |
| NAME=secondary \ | |
| HOSTNAME=secondary.example.com \ | |
| tests/bin/runner-init.sh | |
| - name: Connect secondary container to network | |
| run: docker network connect example secondary --alias secondary.example.com | |
| - name: Install dependencies in secondary container | |
| run: docker exec secondary dnf install -y 389-ds-base | |
| - name: Install DS in secondary container | |
| run: docker exec secondary ${PKIDIR}/tests/bin/ds-create.sh | |
| - name: Install CA in secondary container | |
| run: | | |
| docker exec primary pki-server cert-export ca_signing --cert-file ${PKIDIR}/ca_signing.crt | |
| docker exec primary pki-server ca-clone-prepare --pkcs12-file ${PKIDIR}/ca-certs.p12 --pkcs12-password Secret.123 | |
| docker exec secondary cp ${PKIDIR}/ca_signing.crt . | |
| docker exec secondary cp ${PKIDIR}/ca-certs.p12 . | |
| docker exec secondary pkispawn -f /usr/share/pki/server/examples/installation/ca-clone.cfg -s CA -v | |
| - name: Install KRA in secondary container | |
| run: | | |
| docker exec primary pki-server kra-clone-prepare --pkcs12-file ${PKIDIR}/kra-certs.p12 --pkcs12-password Secret.123 | |
| docker exec secondary cp ${PKIDIR}/kra-certs.p12 . | |
| docker exec secondary pkispawn -f /usr/share/pki/server/examples/installation/kra-clone.cfg -s KRA -v | |
| - name: Verify KRA admin in secondary container | |
| run: | | |
| docker exec primary cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 ${PKIDIR}/ca_admin_cert.p12 | |
| docker exec primary cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ${PKIDIR}/pkcs12_password.conf | |
| docker exec secondary pki client-cert-import ca_signing --ca-cert ca_signing.crt | |
| docker exec secondary pki client-cert-import \ | |
| --pkcs12 ${PKIDIR}/ca_admin_cert.p12 \ | |
| --pkcs12-password-file ${PKIDIR}/pkcs12_password.conf | |
| docker exec secondary pki -n caadmin kra-user-show kraadmin | |
| - name: Setup tertiary container | |
| run: | | |
| IMAGE=pki-runner \ | |
| NAME=tertiary \ | |
| HOSTNAME=tertiary.example.com \ | |
| tests/bin/runner-init.sh | |
| - name: Connect tertiary container to network | |
| run: docker network connect example tertiary --alias tertiary.example.com | |
| - name: Install dependencies in tertiary container | |
| run: docker exec tertiary dnf install -y 389-ds-base | |
| - name: Install DS in tertiary container | |
| run: docker exec tertiary ${PKIDIR}/tests/bin/ds-create.sh | |
| - name: Install CA in tertiary container | |
| run: | | |
| docker exec secondary pki-server cert-export ca_signing --cert-file ${PKIDIR}/ca_signing.crt | |
| docker exec secondary pki-server ca-clone-prepare --pkcs12-file ${PKIDIR}/ca-certs.p12 --pkcs12-password Secret.123 | |
| docker exec tertiary cp ${PKIDIR}/ca_signing.crt . | |
| docker exec tertiary cp ${PKIDIR}/ca-certs.p12 . | |
| docker exec tertiary pkispawn -f /usr/share/pki/server/examples/installation/ca-clone-of-clone.cfg -s CA -v | |
| - name: Install KRA in tertiary container | |
| run: | | |
| docker exec secondary pki-server kra-clone-prepare --pkcs12-file ${PKIDIR}/kra-certs.p12 --pkcs12-password Secret.123 | |
| docker exec tertiary cp ${PKIDIR}/kra-certs.p12 . | |
| docker exec tertiary pkispawn -f /usr/share/pki/server/examples/installation/kra-clone-of-clone.cfg -s KRA -v | |
| - name: Run PKI healthcheck in primary container | |
| run: docker exec primary pki-healthcheck --failures-only | |
| - name: Run PKI healthcheck in secondary container | |
| run: docker exec secondary pki-healthcheck --failures-only | |
| - name: Run PKI healthcheck in tertiary container | |
| run: docker exec tertiary pki-healthcheck --failures-only | |
| - name: Verify KRA admin in tertiary container | |
| run: | | |
| docker exec tertiary pki client-cert-import ca_signing --ca-cert ca_signing.crt | |
| docker exec tertiary pki client-cert-import \ | |
| --pkcs12 ${PKIDIR}/ca_admin_cert.p12 \ | |
| --pkcs12-password-file ${PKIDIR}/pkcs12_password.conf | |
| docker exec tertiary pki -n caadmin kra-user-show kraadmin | |
| - name: Gather artifacts from primary container | |
| if: always() | |
| run: | | |
| tests/bin/ds-artifacts-save.sh primary | |
| tests/bin/pki-artifacts-save.sh primary | |
| - name: Gather artifacts from secondary container | |
| if: always() | |
| run: | | |
| tests/bin/ds-artifacts-save.sh secondary | |
| tests/bin/pki-artifacts-save.sh secondary | |
| - name: Gather artifacts from tertiary container | |
| if: always() | |
| run: | | |
| tests/bin/ds-artifacts-save.sh tertiary | |
| tests/bin/pki-artifacts-save.sh tertiary | |
| - name: Remove KRA from tertiary container | |
| run: docker exec tertiary pkidestroy -i pki-tomcat -s KRA -v | |
| - name: Remove CA from tertiary container | |
| run: docker exec tertiary pkidestroy -i pki-tomcat -s CA -v | |
| - name: Remove DS from tertiary container | |
| run: docker exec tertiary ${PKIDIR}/tests/bin/ds-remove.sh | |
| - name: Disconnect tertiary container from network | |
| run: docker network disconnect example tertiary | |
| - name: Remove KRA from secondary container | |
| run: docker exec secondary pkidestroy -i pki-tomcat -s KRA -v | |
| - name: Remove CA from secondary container | |
| run: docker exec secondary pkidestroy -i pki-tomcat -s CA -v | |
| - name: Remove DS from secondary container | |
| run: docker exec secondary ${PKIDIR}/tests/bin/ds-remove.sh | |
| - name: Disconnect secondary container from network | |
| run: docker network disconnect example secondary | |
| - name: Remove KRA from primary container | |
| run: docker exec primary pkidestroy -i pki-tomcat -s KRA -v | |
| - name: Remove CA from primary container | |
| run: docker exec primary pkidestroy -i pki-tomcat -s CA -v | |
| - name: Remove DS from primary container | |
| run: docker exec primary ${PKIDIR}/tests/bin/ds-remove.sh | |
| - name: Disconnect primary container from network | |
| run: docker network disconnect example primary | |
| - name: Remove network | |
| run: docker network rm example | |
| - name: Upload artifacts from primary container | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: kra-clone-primary | |
| path: | | |
| /tmp/artifacts/primary | |
| - name: Upload artifacts from secondary container | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: kra-clone-secondary | |
| path: | | |
| /tmp/artifacts/secondary | |
| - name: Upload artifacts from tertiary container | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: kra-clone-tertiary | |
| path: | | |
| /tmp/artifacts/tertiary | |
| kra-standalone-test: | |
| name: Testing standalone KRA | |
| needs: [init, build] | |
| runs-on: ubuntu-latest | |
| env: | |
| PKIDIR: /tmp/workdir/pki | |
| steps: | |
| - name: Clone repository | |
| uses: actions/checkout@v3 | |
| - name: Retrieve pki-runner image | |
| uses: actions/cache@v3 | |
| with: | |
| key: pki-runner-${{ github.sha }} | |
| path: pki-runner.tar | |
| - name: Load runner image | |
| run: docker load --input pki-runner.tar | |
| - name: Run container | |
| run: | | |
| IMAGE=pki-runner \ | |
| NAME=pki \ | |
| HOSTNAME=pki.example.com \ | |
| tests/bin/runner-init.sh | |
| - name: Install dependencies | |
| run: docker exec pki dnf install -y 389-ds-base | |
| - name: Install DS | |
| run: docker exec pki ${PKIDIR}/tests/bin/ds-create.sh | |
| - name: Create CA signing cert | |
| run: | | |
| docker exec pki pki -d nssdb nss-cert-request \ | |
| --subject "CN=CA Signing Certificate" \ | |
| --ext /usr/share/pki/server/certs/ca_signing.conf \ | |
| --csr ca_signing.csr | |
| docker exec pki pki -d nssdb nss-cert-issue \ | |
| --csr ca_signing.csr \ | |
| --ext /usr/share/pki/server/certs/ca_signing.conf \ | |
| --serial 1 \ | |
| --cert ca_signing.crt | |
| docker exec pki pki -d nssdb nss-cert-import \ | |
| --cert ca_signing.crt \ | |
| --trust CT,C,C \ | |
| ca_signing | |
| - name: Install KRA (step 1) | |
| run: | | |
| docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/kra-standalone-step1.cfg -s KRA -v | |
| - name: Issue KRA storage cert | |
| run: | | |
| docker exec pki pki -d nssdb nss-cert-issue \ | |
| --issuer ca_signing \ | |
| --csr kra_storage.csr \ | |
| --ext /usr/share/pki/server/certs/kra_storage.conf \ | |
| --serial 2 \ | |
| --cert kra_storage.crt | |
| - name: Issue KRA transport cert | |
| run: | | |
| docker exec pki pki -d nssdb nss-cert-issue \ | |
| --issuer ca_signing \ | |
| --csr kra_transport.csr \ | |
| --ext /usr/share/pki/server/certs/kra_transport.conf \ | |
| --serial 3 \ | |
| --cert kra_transport.crt | |
| - name: Issue subsystem cert | |
| run: | | |
| docker exec pki pki -d nssdb nss-cert-issue \ | |
| --issuer ca_signing \ | |
| --csr subsystem.csr \ | |
| --ext /usr/share/pki/server/certs/subsystem.conf \ | |
| --serial 4 \ | |
| --cert subsystem.crt | |
| - name: Issue SSL server cert | |
| run: | | |
| docker exec pki pki -d nssdb nss-cert-issue \ | |
| --issuer ca_signing \ | |
| --csr sslserver.csr \ | |
| --ext /usr/share/pki/server/certs/sslserver.conf \ | |
| --serial 5 \ | |
| --cert sslserver.crt | |
| - name: Issue KRA audit signing cert | |
| run: | | |
| docker exec pki pki -d nssdb nss-cert-issue \ | |
| --issuer ca_signing \ | |
| --csr kra_audit_signing.csr \ | |
| --ext /usr/share/pki/server/certs/audit_signing.conf \ | |
| --serial 6 \ | |
| --cert kra_audit_signing.crt | |
| - name: Issue KRA admin cert | |
| run: | | |
| docker exec pki pki -d nssdb nss-cert-issue \ | |
| --issuer ca_signing \ | |
| --csr kra_admin.csr \ | |
| --ext /usr/share/pki/server/certs/admin.conf \ | |
| --serial 7 \ | |
| --cert kra_admin.crt | |
| - name: Install KRA (step 2) | |
| run: | | |
| docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/kra-standalone-step2.cfg -s KRA -v | |
| # TODO: Fix DogtagKRAConnectivityCheck to work without CA | |
| # - name: Run PKI healthcheck | |
| # run: docker exec pki pki-healthcheck --failures-only | |
| - name: Verify admin user | |
| run: | | |
| docker exec pki pki client-cert-import ca_signing --ca-cert ca_signing.crt | |
| docker exec pki pki client-cert-import \ | |
| --pkcs12 /root/.dogtag/pki-tomcat/kra_admin_cert.p12 \ | |
| --pkcs12-password-file /root/.dogtag/pki-tomcat/kra/pkcs12_password.conf | |
| docker exec pki pki -n kraadmin kra-user-show kraadmin | |
| - name: Gather artifacts | |
| if: always() | |
| run: | | |
| tests/bin/ds-artifacts-save.sh pki | |
| tests/bin/pki-artifacts-save.sh pki | |
| - name: Remove KRA | |
| run: docker exec pki pkidestroy -i pki-tomcat -s KRA -v | |
| - name: Remove DS | |
| run: docker exec pki ${PKIDIR}/tests/bin/ds-remove.sh | |
| - name: Upload artifacts | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: kra-standalone | |
| path: | | |
| /tmp/artifacts/pki |