
name: CA handler tests - MicrosoftCA
on:
  push:
  pull_request:
    branches:
      - devel
  schedule:
    # "*" is a YAML indicator, so the cron expression must stay quoted
    - cron: "0 2 * * 6"
jobs:
container_build:
name: "container_build"
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
websrv: ['apache2', 'nginx']
dbhandler: ['wsgi', 'django']
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "Build container"
uses: ./.github/actions/container_build_upload
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
mscertsrv_handler_tests:
name: "mscertsrv_handler_tests"
runs-on: ubuntu-latest
needs: container_build
strategy:
fail-fast: false
# max-parallel: 1
matrix:
websrv: ['apache2', 'nginx']
dbhandler: ['wsgi', 'django']
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "Download container"
uses: actions/download-artifact@v4
with:
name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
path: /tmp
- name: "Import container"
run: |
sudo apt-get install -y docker-compose
gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar
docker images
- name: "Prepare container environment"
uses: ./.github/actions/container_prep
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
CONTAINER_BUILD: false
NAME_SPACE: local
- name: "Get runner ip"
run: |
echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
- run: echo "runner IP is ${{ env.RUNNER_IP }}"
- name: "Setup tunnel"
uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup
with:
WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
WCCE_HOST: ${{ secrets.WCCE_HOST }}
WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }}
WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
NAME_SPACE: local
- name: "KRB - Setup a2c with mscertsrv_ca_handler using kerberos"
run: |
sudo touch examples/Docker/data/ca_certs.pem
sudo chmod 777 examples/Docker/data/ca_certs.pem
sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
sudo touch examples/Docker/data/acme_srv.cfg
sudo chmod 777 examples/Docker/data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/mscertsrv_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "host: $WCCE_FQDN" >> examples/Docker/data/acme_srv.cfg
sudo echo "user: $WES_USER" >> examples/Docker/data/acme_srv.cfg
sudo echo "password: $WES_PASSWORD" >> examples/Docker/data/acme_srv.cfg
sudo echo "auth_method: gssapi" >> examples/Docker/data/acme_srv.cfg
sudo echo "template: $WES_TEMPLATE" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_bundle: /var/www/acme2certifier/volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg
sudo echo "krb5_config: /var/www/acme2certifier/volume/krb5.conf" >> examples/Docker/data/acme_srv.cfg
sudo echo "verify: False" >> examples/Docker/data/acme_srv.cfg
sudo echo "request_timeout: 30" >> examples/Docker/data/acme_srv.cfg
sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg
sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg
sudo touch examples/Docker/data/krb5.conf
sudo chmod 777 examples/Docker/data/krb5.conf
cat <<EOF > examples/Docker/data/krb5.conf
$WES_KRB5_CONF
EOF
env:
WES_HOST: ${{ secrets.WES_HOST }}
WES_USER: ${{ secrets.WES_USER }}
WES_PASSWORD: ${{ secrets.WES_PASSWORD }}
WES_TEMPLATE: ${{ secrets.WES_TEMPLATE }}
WES_AUTHMETHOD: ${{ secrets.WES_AUTHMETHOD }}
WCCE_HOST: ${{ secrets.WCCE_HOST }}
WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
WES_KRB5_CONF: ${{ secrets.WES_KRB5_CONF }}
WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }}
- name: "Bring up a2c container"
uses: ./.github/actions/container_up
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
NAME_SPACE: local
- name: "Sleep for 10s"
uses: juliangruber/sleep-action@v2.0.3
with:
time: 10s
- name: "KRB - enrollment mit default profile and headerinfo"
uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo
with:
NAME_SPACE: local
- name: "NTLM - Setup a2c with mscertsrv_ca_handler using ntlm"
run: |
sudo touch examples/Docker/data/acme_srv.cfg
sudo chmod 777 examples/Docker/data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/mscertsrv_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "host: $WCCE_FQDN" >> examples/Docker/data/acme_srv.cfg
sudo echo "user: $WES_USER" >> examples/Docker/data/acme_srv.cfg
sudo echo "password: $WES_PASSWORD" >> examples/Docker/data/acme_srv.cfg
sudo echo "auth_method: ntlm" >> examples/Docker/data/acme_srv.cfg
sudo echo "template: $WES_TEMPLATE" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_bundle: /var/www/acme2certifier/volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg
sudo echo "verify: False" >> examples/Docker/data/acme_srv.cfg
sudo echo "request_timeout: 30" >> examples/Docker/data/acme_srv.cfg
sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg
sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg
env:
WES_HOST: ${{ secrets.WES_HOST }}
WES_USER: ${{ secrets.WES_USER }}
WES_PASSWORD: ${{ secrets.WES_PASSWORD }}
WES_TEMPLATE: ${{ secrets.WES_TEMPLATE }}
WES_AUTHMETHOD: ${{ secrets.WES_AUTHMETHOD }}
WCCE_HOST: ${{ secrets.WCCE_HOST }}
WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
WES_KRB5_CONF: ${{ secrets.WES_KRB5_CONF }}
WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }}
- name: "NTLM - enrollment mit default profile and headerinfo"
uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo
with:
NAME_SPACE: local
- name: "NTLM - Setup a2c with mscertsrv_ca_handler with allowed_domainlist configuration"
run: |
sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" examples/Docker/data/acme_srv.cfg
sudo echo "allowed_domainlist: [\"*.acme\", \"foo1.bar\", \"*.bar.local\"]" >> examples/Docker/data/acme_srv.cfg
cd examples/Docker/
docker-compose restart
- name: "NTLM - enrollment allowed domainlist"
uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_allowed_domain_list
with:
NAME_SPACE: local
- name: "Verify allowed_domainlist error"
run: |
cd examples/Docker
docker-compose logs | grep "allowed_domainlist" | grep -i "either CN or SANs are not allowed by configuration"
- name: "Check container configuration"
uses: ./.github/actions/container_check
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
- name: "[ * ] collecting test logs"
if: ${{ failure() }}
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
sudo cp /etc/hosts ${{ github.workspace }}/artifact/data/
sudo cp /etc/resolv.conf ${{ github.workspace }}/artifact/data/
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/
sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
cd examples/Docker
docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego dnsmasq
- name: "[ * ] uploading artificates"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: mscertsrv_handler_tests-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
path: ${{ github.workspace }}/artifact/upload/
mscertsrv_handler_eab_profiling_tests:
name: "mscertsrv_handler_eab_profiling_tests"
runs-on: ubuntu-latest
needs: container_build
strategy:
fail-fast: false
# max-parallel: 1
matrix:
websrv: ['apache2', 'nginx']
dbhandler: ['wsgi', 'django']
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "create folders and networks"
run: |
mkdir lego
mkdir acme-sh
mkdir certbot
- name: "Download container"
uses: actions/download-artifact@v4
with:
name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
path: /tmp
- name: "Import container"
run: |
sudo apt-get install -y docker-compose
gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar
docker images
- name: "Prepare container environment"
uses: ./.github/actions/container_prep
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
CONTAINER_BUILD: false
NAME_SPACE: local
- name: "Get runner ip"
run: |
echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
- run: echo "runner IP is ${{ env.RUNNER_IP }}"
- name: "Setup tunnel"
uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup
with:
WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
WCCE_HOST: ${{ secrets.WCCE_HOST }}
WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }}
WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
NAME_SPACE: local
- name: "EAB with headerinfo - Setup a2c with mscertsrv_ca_handler using kerberos"
run: |
sudo touch examples/Docker/data/ca_certs.pem
sudo chmod 777 examples/Docker/data/ca_certs.pem
sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
sudo touch examples/Docker/data/acme_srv.cfg
sudo chmod 777 examples/Docker/data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/mscertsrv_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "host: $WCCE_FQDN" >> examples/Docker/data/acme_srv.cfg
sudo echo "user: $WES_USER" >> examples/Docker/data/acme_srv.cfg
sudo echo "password: $WES_PASSWORD" >> examples/Docker/data/acme_srv.cfg
sudo echo "auth_method: gssapi" >> examples/Docker/data/acme_srv.cfg
sudo echo "template: $WES_TEMPLATE" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_bundle: /var/www/acme2certifier/volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg
sudo echo "krb5_config: /var/www/acme2certifier/volume/krb5.conf" >> examples/Docker/data/acme_srv.cfg
sudo echo "verify: False" >> examples/Docker/data/acme_srv.cfg
sudo echo "request_timeout: 30" >> examples/Docker/data/acme_srv.cfg
sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg
sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg
sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg
sudo echo -e "\n\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg
sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg
sudo touch examples/Docker/data/krb5.conf
sudo chmod 777 examples/Docker/data/krb5.conf
cat <<EOF > examples/Docker/data/krb5.conf
$WES_KRB5_CONF
EOF
sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json
sudo chmod 777 examples/eab_handler/kid_profiles.json
sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"template\"\: \[\"WebServerModified\"\, \"WebServer\"]/g" examples/Docker/data/kid_profiles.json
sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"template\"\: \"WebServerModified\"/g" examples/Docker/data/kid_profiles.json
sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json
sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json
sudo sed -i "s/example.net/local/g" examples/Docker/data/kid_profiles.json
sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json
sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json
env:
WES_HOST: ${{ secrets.WES_HOST }}
WES_USER: ${{ secrets.WES_USER }}
WES_PASSWORD: ${{ secrets.WES_PASSWORD }}
WES_TEMPLATE: ${{ secrets.WES_TEMPLATE }}
WES_AUTHMETHOD: ${{ secrets.WES_AUTHMETHOD }}
WCCE_HOST: ${{ secrets.WCCE_HOST }}
WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
WES_KRB5_CONF: ${{ secrets.WES_KRB5_CONF }}
WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }}
- name: "Bring up a2c container"
uses: ./.github/actions/container_up
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
NAME_SPACE: local
- name: "EAB with headerinfo - enrollment"
uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_eab
with:
NAME_SPACE: local
- name: "Check container configuration"
uses: ./.github/actions/container_check
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
- name: "[ * ] collecting test logs"
if: ${{ failure() }}
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
sudo cp /etc/hosts ${{ github.workspace }}/artifact/data/
sudo cp /etc/resolv.conf ${{ github.workspace }}/artifact/data/
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/
sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
cd examples/Docker
docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego dnsmasq
- name: "[ * ] uploading artificates"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: mscertsrv_handler_profiling_tests-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
path: ${{ github.workspace }}/artifact/upload/
mswcce_handler_tests:
name: "mswcce_handler_tests"
runs-on: ubuntu-latest
needs: container_build
strategy:
fail-fast: false
# max-parallel: 1
matrix:
websrv: ['apache2', 'nginx']
dbhandler: ['wsgi', 'django']
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "create folders"
run: |
mkdir lego
mkdir acme-sh
mkdir certbot
- name: "Download container"
uses: actions/download-artifact@v4
with:
name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
path: /tmp
- name: "Import container"
run: |
sudo apt-get install -y docker-compose
gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar
docker images
- name: "Prepare container environment"
uses: ./.github/actions/container_prep
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
CONTAINER_BUILD: false
- name: "[ PREPARE ] get runner ip"
run: |
echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
- run: echo "runner IP is ${{ env.RUNNER_IP }}"
- name: "Install dnsmasq"
run: |
sudo apt-get update
sudo apt-get install -y dnsmasq
sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved
sudo mkdir -p dnsmasq
sudo cp .github/dnsmasq.conf dnsmasq/
sudo chmod -R 777 dnsmasq/dnsmasq.conf
sudo sed -i "s/RUNNER_IP/$RUNNER_IP/g" dnsmasq/dnsmasq.conf
sudo echo "address=/$WCCE_FQDN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf
sudo echo "address=/$WCCE_ADS_DOMAIN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf
sudo echo "address=/$WES_HOST/$RUNNER_IP" >> dnsmasq/dnsmasq.conf
cat dnsmasq/dnsmasq.conf
sudo cp dnsmasq/dnsmasq.conf /etc/
sudo systemctl enable dnsmasq
sudo systemctl start dnsmasq
env:
RUNNER_IP: ${{ env.RUNNER_IP }}
WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
WES_HOST: ${{ secrets.WES_HOST }}
- name: "[ PREPARE ] test dns resulution"
run: |
host $WCCE_ADS_DOMAIN 127.0.0.1
host $WCCE_FQDN 127.0.0.1
host $WES_HOST 127.0.0.1
env:
WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
WES_HOST: ${{ secrets.WES_HOST }}
- name: "Setup tunnel"
uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup
with:
WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
WCCE_HOST: ${{ secrets.WCCE_HOST }}
WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }}
WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
- name: "NTLM - Setup a2c with ms_wcce_ca_handler (ntlm)"
run: |
sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem
sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem
sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem
sudo cp .github/django_settings.py examples/Docker/data/settings.py
sudo touch examples/Docker/data/ca_certs.pem
sudo chmod 777 examples/Docker/data/ca_certs.pem
sudo echo "$WCCE_CA_BUNDLE" > examples/Docker/data/ca_certs.pem
sudo touch examples/Docker/data/acme_srv.cfg
sudo chmod 777 examples/Docker/data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/mswcce_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "host: $RUNNER_IP" >> examples/Docker/data/acme_srv.cfg
sudo echo "user: $WCCE_USER" >> examples/Docker/data/acme_srv.cfg
sudo echo "password: $WCCE_PASSWORD" >> examples/Docker/data/acme_srv.cfg
sudo echo "template: $WCCE_TEMPLATE" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_name: $WCCE_CA_NAME" >> examples/Docker/data/acme_srv.cfg
sudo echo "target_domain: $WCCE_ADS_DOMAIN" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_bundle: volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg
sudo echo "timeout: 20" >> examples/Docker/data/acme_srv.cfg
sudo echo "ssh_host: $SSH_HOST:$SSH_PORT" >> examples/Docker/data/acme_srv.cfg
sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg
sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg
env:
RUNNER_IP: ${{ env.RUNNER_IP }}
WCCE_USER: ${{ secrets.WCCE_USER }}
WCCE_PASSWORD: ${{ secrets.WCCE_PASSWORD }}
WCCE_TEMPLATE: ${{ secrets.WCCE_TEMPLATE }}
WCCE_CA_NAME: ${{ secrets.WCCE_CA_NAME }}
WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
WCCE_CA_BUNDLE: ${{ secrets.WCCE_CA_BUNDLE }}
WCCE_HOST: ${{ secrets.WCCE_HOST }}
SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
- name: "Bring up a2c container"
uses: ./.github/actions/container_up
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
- name: "NTLM - enrollment mit default profile and headerinfo"
uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo
- name: "KRB - Setup a2c with ms_wcce_ca_handler (Kerboros)"
run: |
sudo touch examples/Docker/data/ca_certs.pem
sudo chmod 777 examples/Docker/data/ca_certs.pem
sudo echo "$WCCE_CA_BUNDLE" > examples/Docker/data/ca_certs.pem
sudo touch examples/Docker/data/acme_srv.cfg
sudo chmod 777 examples/Docker/data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/mswcce_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "host: $WCCE_FQDN" >> examples/Docker/data/acme_srv.cfg
sudo echo "user: $WCCE_USER" >> examples/Docker/data/acme_srv.cfg
sudo echo "password: $WCCE_PASSWORD" >> examples/Docker/data/acme_srv.cfg
sudo echo "template: $WCCE_TEMPLATE" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_name: $WCCE_CA_NAME" >> examples/Docker/data/acme_srv.cfg
sudo echo "target_domain: $WCCE_ADS_DOMAIN" >> examples/Docker/data/acme_srv.cfg
sudo echo "domain_controller: $RUNNER_IP" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_bundle: volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg
sudo echo "timeout: 20" >> examples/Docker/data/acme_srv.cfg
sudo echo "use_kerberos: True" >> examples/Docker/data/acme_srv.cfg
sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg
sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg
cd examples/Docker/
docker-compose restart
env:
RUNNER_IP: ${{ env.RUNNER_IP }}
DNSMASQ_IP: ${{ env.DNSMASQ_IP }}
WCCE_USER: ${{ secrets.WCCE_USER }}
WCCE_PASSWORD: ${{ secrets.WCCE_PASSWORD }}
WCCE_TEMPLATE: ${{ secrets.WCCE_TEMPLATE }}
WCCE_CA_NAME: ${{ secrets.WCCE_CA_NAME }}
WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
WCCE_CA_BUNDLE: ${{ secrets.WCCE_CA_BUNDLE }}
WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
- name: "KRB - Sleep for 10s"
uses: juliangruber/sleep-action@v2.0.3
with:
time: 10s
- name: "KRB - enrollment mit default profile and headerinfo"
uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo
- name: "KRB - Setup a2c with mswcce_ca_handler with allowed_domainlist configuration"
run: |
sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" examples/Docker/data/acme_srv.cfg
sudo echo "allowed_domainlist: [\"*.acme\", \"foo1.bar\", \"*.bar.local\"]" >> examples/Docker/data/acme_srv.cfg
cd examples/Docker/
docker-compose restart
- name: "KRB - enrollment allowed domainlist"
uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_allowed_domain_list
- name: "Verify allowed_domainlist error"
run: |
cd examples/Docker
docker-compose logs | grep "allowed_domainlist" | grep -i "either CN or SANs are not allowed by configuration"
- name: "Check container configuration"
uses: ./.github/actions/container_check
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
- name: "[ * ] collecting test logs"
if: ${{ failure() }}
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/
sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
sudo cp -rp dnsmasq/ ${{ github.workspace }}/artifact/dnsmasq/
cd examples/Docker
docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data dnsmasq
- name: "[ * ] uploading artificates"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: mswcce_handler_tests-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
path: ${{ github.workspace }}/artifact/upload/
mswcce_handler_eab_profiling_tests:
name: "mswcce_handler_eab_profiling_tests"
runs-on: ubuntu-latest
needs: container_build
strategy:
fail-fast: false
# max-parallel: 2
matrix:
websrv: ['apache2', 'nginx']
dbhandler: ['wsgi', 'django']
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "create folders"
run: |
mkdir lego
mkdir acme-sh
mkdir certbot
- name: "[ PREPARE ] get runner ip"
run: |
echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
- run: echo "runner IP is ${{ env.RUNNER_IP }}"
- name: "Install dnsmasq"
run: |
sudo apt-get update
sudo apt-get install -y dnsmasq
sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved
sudo mkdir -p dnsmasq
sudo cp .github/dnsmasq.conf dnsmasq/
sudo chmod -R 777 dnsmasq/dnsmasq.conf
sudo sed -i "s/RUNNER_IP/$RUNNER_IP/g" dnsmasq/dnsmasq.conf
sudo echo "address=/$WCCE_FQDN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf
sudo echo "address=/$WCCE_ADS_DOMAIN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf
sudo echo "address=/$WES_HOST/$RUNNER_IP" >> dnsmasq/dnsmasq.conf
cat dnsmasq/dnsmasq.conf
sudo cp dnsmasq/dnsmasq.conf /etc/
sudo systemctl enable dnsmasq
sudo systemctl start dnsmasq
env:
RUNNER_IP: ${{ env.RUNNER_IP }}
WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
WES_HOST: ${{ secrets.WES_HOST }}
- name: "[ PREPARE ] test dns resulution"
run: |
host $WCCE_ADS_DOMAIN 127.0.0.1
host $WCCE_FQDN 127.0.0.1
host $WES_HOST 127.0.0.1
env:
WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
WES_HOST: ${{ secrets.WES_HOST }}
- name: "Download container"
uses: actions/download-artifact@v4
with:
name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
path: /tmp
- name: "Import container"
run: |
sudo apt-get install -y docker-compose
gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar
docker images
- name: "Prepare container environment"
uses: ./.github/actions/container_prep
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
CONTAINER_BUILD: false
- name: "Setup tunnel"
uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup
with:
WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
WCCE_HOST: ${{ secrets.WCCE_HOST }}
WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }}
WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
- name: "EAB with headerinfo - Setup a2c with ms_wcce_ca_handler (Kerboros)"
run: |
sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem
sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem
sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem
sudo cp .github/django_settings.py examples/Docker/data/settings.py
sudo touch examples/Docker/data/ca_certs.pem
sudo chmod 777 examples/Docker/data/ca_certs.pem
sudo echo "$WCCE_CA_BUNDLE" > examples/Docker/data/ca_certs.pem
sudo touch examples/Docker/data/acme_srv.cfg
sudo chmod 777 examples/Docker/data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/mswcce_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "host: $WCCE_FQDN" >> examples/Docker/data/acme_srv.cfg
sudo echo "user: $WCCE_USER" >> examples/Docker/data/acme_srv.cfg
sudo echo "password: $WCCE_PASSWORD" >> examples/Docker/data/acme_srv.cfg
sudo echo "template: $WCCE_TEMPLATE" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_name: $WCCE_CA_NAME" >> examples/Docker/data/acme_srv.cfg
sudo echo "target_domain: $WCCE_ADS_DOMAIN" >> examples/Docker/data/acme_srv.cfg
sudo echo "domain_controller: $RUNNER_IP" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_bundle: volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg
sudo echo "timeout: 20" >> examples/Docker/data/acme_srv.cfg
sudo echo "use_kerberos: True" >> examples/Docker/data/acme_srv.cfg
sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg
sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg
sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg
sudo echo -e "\n\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg
sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg
sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json
sudo chmod 777 examples/eab_handler/kid_profiles.json
sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"template\"\: \[\"WebServerModified\"\, \"WebServer\"]/g" examples/Docker/data/kid_profiles.json
sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"template\"\: \"WebServerModified\"/g" examples/Docker/data/kid_profiles.json
sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json
sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json
sudo sed -i "s/example.net/acme/g" examples/Docker/data/kid_profiles.json
sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json
sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json
env:
RUNNER_IP: ${{ env.RUNNER_IP }}
DNSMASQ_IP: ${{ env.DNSMASQ_IP }}
WCCE_USER: ${{ secrets.WCCE_USER }}
WCCE_PASSWORD: ${{ secrets.WCCE_PASSWORD }}
WCCE_TEMPLATE: ${{ secrets.WCCE_TEMPLATE }}
WCCE_CA_NAME: ${{ secrets.WCCE_CA_NAME }}
WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
WCCE_CA_BUNDLE: ${{ secrets.WCCE_CA_BUNDLE }}
WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
- name: "Bring up a2c container"
uses: ./.github/actions/container_up
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
- name: "EAB with headerinfo - enrollment"
uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_eab
- name: "Check container configuration"
uses: ./.github/actions/container_check
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
- name: "[ * ] collecting test logs"
if: ${{ failure() }}
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/
sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
sudo cp -rp dnsmasq/ ${{ github.workspace }}/artifact/dnsmasq/
cd examples/Docker
docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego dnsmasq
- name: "[ * ] uploading artificates"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: mswcce_handler_profiling_tests-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
path: ${{ github.workspace }}/artifact/upload/
cleanup:
name: "cleanup"
runs-on: ubuntu-latest
needs: [mscertsrv_handler_tests, mswcce_handler_tests, mswcce_handler_eab_profiling_tests, mscertsrv_handler_eab_profiling_tests ]
strategy:
fail-fast: false
matrix:
websrv: ['apache2', 'nginx']
dbhandler: ['wsgi', 'django']
steps:
- uses: geekyeggo/delete-artifact@v5
with:
name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
# Builds the acme2certifier RPM once and publishes it as a run artifact that the
# *_rpm test jobs download.
rpm_build_and_upload:
  runs-on: ubuntu-latest
  name: 'rpm_build_and_upload'
  steps:
    - uses: actions/checkout@v4
      name: 'checkout GIT'
    - uses: ./.github/actions/rpm_build_upload
      id: rpm_build
      name: 'Build rpm package'
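mscertsrv_handler_tests_rpm:
  # RPM-based test of mscertsrv_ca_handler against the SSH-tunnelled MS CA:
  # Kerberos (gssapi) first, then NTLM, then NTLM with an allowed_domainlist.
  name: "mscertsrv_handler_tests_rpm"
  runs-on: ubuntu-latest
  needs: rpm_build_and_upload
  strategy:
    # max-parallel: 1
    fail-fast: false
    matrix:
      rhversion: [8, 9]
  steps:
    - name: "checkout GIT"
      uses: actions/checkout@v4
    - name: "Prepare Alma environment"
      uses: ./.github/actions/rpm_prep
      with:
        GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
        GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
        RH_VERSION: ${{ matrix.rhversion }}
        RPM_BUILD: false
        NAME_SPACE: "local"
    - name: Download rpm package
      uses: actions/download-artifact@v4
      with:
        name: acme2certifier-${{ github.run_id }}.noarch.rpm
        path: data/
    - name: "Get runner ip"
      run: |
        echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
        echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
    - run: echo "runner IP is ${{ env.RUNNER_IP }}"
    - name: "Setup tunnel"
      uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup
      with:
        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
        WCCE_HOST: ${{ secrets.WCCE_HOST }}
        WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
        NAME_SPACE: local
    - name: "KRB - Setup a2c with mscertsrv_ca_handler using kerberos"
      run: |
        mkdir -p data/acme_ca
        sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
        sudo touch data/acme_srv.cfg
        # 777: presumably so the container process (UID unknown here) can read the
        # file. It will hold the CA account password, so this is acceptable only on
        # an ephemeral runner -- do not copy this pattern into a deployment.
        sudo chmod 777 data/acme_srv.cfg
        # NOTE: the '>' / '>>' redirections below are performed by the runner user,
        # not by sudo; 'sudo echo' is effectively a plain echo (the file is 777).
        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
        sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/mscertsrv_ca_handler.py" >> data/acme_srv.cfg
        sudo echo "host: $WCCE_FQDN" >> data/acme_srv.cfg
        sudo echo "user: $WES_USER" >> data/acme_srv.cfg
        sudo echo "password: $WES_PASSWORD" >> data/acme_srv.cfg
        sudo echo "auth_method: gssapi" >> data/acme_srv.cfg
        sudo echo "template: $WES_TEMPLATE" >> data/acme_srv.cfg
        sudo echo "ca_bundle: volume/acme_ca/ca_certs.pem" >> data/acme_srv.cfg
        sudo echo "krb5_config: volume/acme_ca/krb5.conf" >> data/acme_srv.cfg
        # TLS verification is switched off for the tunnelled lab CA only; never
        # carry 'verify: False' into a real deployment.
        sudo echo "verify: False" >> data/acme_srv.cfg
        sudo echo "request_timeout: 30" >> data/acme_srv.cfg
        sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg
        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" data/acme_srv.cfg
        sudo touch data/acme_ca/krb5.conf
        sudo chmod 777 data/acme_ca/krb5.conf
        # krb5.conf comes from a secret; it is mounted at
        # /opt/acme2certifier/volume/acme_ca inside the container.
        cat <<EOF > data/acme_ca/krb5.conf
        $WES_KRB5_CONF
        EOF
      env:
        WES_HOST: ${{ secrets.WES_HOST }}
        WES_USER: ${{ secrets.WES_USER }}
        WES_PASSWORD: ${{ secrets.WES_PASSWORD }}
        WES_AUTHMETHOD: ${{ secrets.WES_AUTHMETHOD }}
        WES_TEMPLATE: ${{ secrets.WES_TEMPLATE }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
        WES_KRB5_CONF: ${{ secrets.WES_KRB5_CONF }}
    - name: "KRB - Execute install scipt"
      run: |
        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
        docker exec acme-srv yum install -y krb5-libs
    - name: "KRB - enrollment mit default profile and headerinfo"
      uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo
      with:
        NAME_SPACE: local
    - name: "NTLM - Setup a2c with mscertsrv_ca_handler"
      run: |
        # Rewrites data/acme_srv.cfg from scratch; auth_method now comes from the
        # WES_AUTHMETHOD secret instead of the hard-coded gssapi above.
        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
        sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/mscertsrv_ca_handler.py" >> data/acme_srv.cfg
        sudo echo "host: $WCCE_FQDN" >> data/acme_srv.cfg
        sudo echo "user: $WES_USER" >> data/acme_srv.cfg
        sudo echo "password: $WES_PASSWORD" >> data/acme_srv.cfg
        sudo echo "auth_method: $WES_AUTHMETHOD" >> data/acme_srv.cfg
        sudo echo "template: $WES_TEMPLATE" >> data/acme_srv.cfg
        sudo echo "ca_bundle: volume/acme_ca/ca_certs.pem" >> data/acme_srv.cfg
        # Test-only: TLS verification disabled for the tunnelled lab CA.
        sudo echo "verify: False" >> data/acme_srv.cfg
        sudo echo "request_timeout: 30" >> data/acme_srv.cfg
        sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg
        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" data/acme_srv.cfg
      env:
        WES_HOST: ${{ secrets.WES_HOST }}
        WES_USER: ${{ secrets.WES_USER }}
        WES_PASSWORD: ${{ secrets.WES_PASSWORD }}
        WES_AUTHMETHOD: ${{ secrets.WES_AUTHMETHOD }}
        WES_TEMPLATE: ${{ secrets.WES_TEMPLATE }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
    - name: "NTLM - Reconfigure a2c "
      run: |
        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
    - name: "NTLM - enrollment mit default profile and headerinfo"
      uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo
      with:
        NAME_SPACE: local
    - name: "NTLM - Setup a2c with mscertsrv_ca_handler with allowed_domainlist configuration"
      run: |
        # Challenge validation is disabled so the name filter, not the ACME
        # challenge, decides the outcome of the next enrollment.
        sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" data/acme_srv.cfg
        sudo echo "allowed_domainlist: [\"*.acme\", \"foo1.bar\", \"*.bar.local\"]" >> data/acme_srv.cfg
    - name: "NTLM - Reconfigure a2c "
      run: |
        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
    - name: "NTLM - enrollment allowed domainlist"
      uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_allowed_domain_list
      with:
        NAME_SPACE: local
    - name: "Verify allowed_domainlist error"
      run: |
        # Fails the job (grep exit 1) if the rejection was never logged.
        docker exec acme-srv grep -i "either CN or SANs are not allowed by configuration" /var/log/messages
    - name: "[ * ] collecting test logs"
      if: ${{ failure() }}
      run: |
        mkdir -p ${{ github.workspace }}/artifact/upload
        # Failure artifacts are downloadable by anyone who can read the repository.
        # /opt/acme2certifier/volume is the mounted data/acme_ca (see the
        # krb5_config / ca_bundle paths above), so keep the Kerberos config and any
        # installed copy of acme_srv.cfg (CA account password) out of the dump.
        docker exec acme-srv tar --exclude='acme_srv.cfg' --exclude='krb5.conf' -cvzf /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
        sudo rm -rf data/*.rpm
        sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
        # Redact the CA account credentials and drop the Kerberos config from the
        # host-side copy before it is packed.
        if [ -f ${{ github.workspace }}/artifact/data/acme_srv.cfg ]; then
          sudo sed -i -E 's/^(user|password):.*/\1: <redacted>/' ${{ github.workspace }}/artifact/data/acme_srv.cfg
        fi
        sudo rm -f ${{ github.workspace }}/artifact/data/acme_ca/krb5.conf
        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
        docker exec acme-srv ls -la /tmp > ${{ github.workspace }}/artifact/data/tmp_list
        docker exec acme-srv ls -la /tmp
        docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh
    - name: "[ * ] uploading artificates"
      uses: actions/upload-artifact@v4
      if: ${{ failure() }}
      with:
        name: mscertsrv_handler_tests_rpm-rh${{ matrix.rhversion }}.tar.gz
        path: ${{ github.workspace }}/artifact/upload/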
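mscertsrv_handler_eab_profile_tests_rpm:
  # RPM-based test of mscertsrv_ca_handler (Kerberos) with EAB profiling: the
  # example kid_profiles.json is rewritten so profiles select MS CA templates.
  name: "mscertsrv_handler_eab_profile_tests_rpm"
  runs-on: ubuntu-latest
  needs: mscertsrv_handler_tests_rpm
  strategy:
    # max-parallel: 1
    fail-fast: false
    matrix:
      rhversion: [8, 9]
  steps:
    - name: "checkout GIT"
      uses: actions/checkout@v4
    - name: "Prepare Alma environment"
      uses: ./.github/actions/rpm_prep
      with:
        GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
        GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
        RH_VERSION: ${{ matrix.rhversion }}
        RPM_BUILD: false
        NAME_SPACE: "local"
    - name: Download rpm package
      uses: actions/download-artifact@v4
      with:
        name: acme2certifier-${{ github.run_id }}.noarch.rpm
        path: data/
    - name: "Get runner ip"
      run: |
        echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
        echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
    - run: echo "runner IP is ${{ env.RUNNER_IP }}"
    - name: "Setup tunnel"
      uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup
      with:
        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
        WCCE_HOST: ${{ secrets.WCCE_HOST }}
        WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
        NAME_SPACE: local
    - name: "EAB with headerinfo - Setup a2c with mscertsrv_ca_handler using kerberos"
      run: |
        mkdir -p data/acme_ca
        sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
        sudo touch data/acme_srv.cfg
        # 777: presumably so the container process (UID unknown here) can read the
        # file. It will hold the CA account password -- ephemeral-runner only.
        sudo chmod 777 data/acme_srv.cfg
        # NOTE: the redirections below run as the runner user; 'sudo echo' is
        # effectively a plain echo (the file is 777).
        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
        sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/mscertsrv_ca_handler.py" >> data/acme_srv.cfg
        sudo echo "host: $WCCE_FQDN" >> data/acme_srv.cfg
        sudo echo "user: $WES_USER" >> data/acme_srv.cfg
        sudo echo "password: $WES_PASSWORD" >> data/acme_srv.cfg
        sudo echo "auth_method: gssapi" >> data/acme_srv.cfg
        sudo echo "template: $WES_TEMPLATE" >> data/acme_srv.cfg
        sudo echo "ca_bundle: volume/acme_ca/ca_certs.pem" >> data/acme_srv.cfg
        sudo echo "krb5_config: volume/acme_ca/krb5.conf" >> data/acme_srv.cfg
        # Test-only: TLS verification disabled for the tunnelled lab CA.
        sudo echo "verify: False" >> data/acme_srv.cfg
        sudo echo "request_timeout: 30" >> data/acme_srv.cfg
        sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg
        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" data/acme_srv.cfg
        sudo echo "eab_profiling: True" >> data/acme_srv.cfg
        sudo echo -e "\n[EABhandler]" >> data/acme_srv.cfg
        sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg
        sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg
        # Turn the repository's example profile file into one keyed on MS CA
        # templates; "unknown_key" checks that unsupported keys are tolerated.
        sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json
        sudo chmod 777 data/acme_ca/kid_profiles.json
        sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"template\"\: \[\"WebServerModified\"\, \"WebServer\"]/g" data/acme_ca/kid_profiles.json
        sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"template\"\: \"WebServerModified\"/g" data/acme_ca/kid_profiles.json
        sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json
        sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json
        sudo sed -i "s/example.net/local/g" data/acme_ca/kid_profiles.json
        # Line-number based deletions: they silently break if the example file
        # changes shape.
        sudo sed -i '18,19d' data/acme_ca/kid_profiles.json
        sudo sed -i '8,9d' data/acme_ca/kid_profiles.json
        sudo touch data/acme_ca/krb5.conf
        sudo chmod 777 data/acme_ca/krb5.conf
        cat <<EOF > data/acme_ca/krb5.conf
        $WES_KRB5_CONF
        EOF
      env:
        WES_HOST: ${{ secrets.WES_HOST }}
        WES_USER: ${{ secrets.WES_USER }}
        WES_PASSWORD: ${{ secrets.WES_PASSWORD }}
        WES_AUTHMETHOD: ${{ secrets.WES_AUTHMETHOD }}
        WES_TEMPLATE: ${{ secrets.WES_TEMPLATE }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
        WES_KRB5_CONF: ${{ secrets.WES_KRB5_CONF }}
    - name: "KRB - Execute install scipt"
      run: |
        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
        docker exec acme-srv yum install -y krb5-libs
    - name: "EAB with headerinfo - enrollment"
      uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_eab
      with:
        NAME_SPACE: local
    - name: "[ * ] collecting test logs"
      if: ${{ failure() }}
      run: |
        mkdir -p ${{ github.workspace }}/artifact/upload
        # Failure artifacts are downloadable by anyone who can read the repository.
        # /opt/acme2certifier/volume is the mounted data/acme_ca (see the key_file /
        # krb5_config paths above), so keep the Kerberos config and any installed
        # copy of acme_srv.cfg (CA account password) out of the dump.
        docker exec acme-srv tar --exclude='acme_srv.cfg' --exclude='krb5.conf' -cvzf /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
        sudo rm -rf data/*.rpm
        sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
        # Redact the CA account credentials and drop the Kerberos config from the
        # host-side copy before it is packed.
        if [ -f ${{ github.workspace }}/artifact/data/acme_srv.cfg ]; then
          sudo sed -i -E 's/^(user|password):.*/\1: <redacted>/' ${{ github.workspace }}/artifact/data/acme_srv.cfg
        fi
        sudo rm -f ${{ github.workspace }}/artifact/data/acme_ca/krb5.conf
        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
        docker exec acme-srv ls -la /tmp > ${{ github.workspace }}/artifact/data/tmp_list
        docker exec acme-srv ls -la /tmp
        docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh
    - name: "[ * ] uploading artificates"
      uses: actions/upload-artifact@v4
      if: ${{ failure() }}
      with:
        name: mscertsrv_handler_profile_tests_rpm-rh${{ matrix.rhversion }}.tar.gz
        path: ${{ github.workspace }}/artifact/upload/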
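mswcce_handler_tests_rpm:
  # RPM-based test of mswcce_ca_handler (WCCE/DCOM) against the tunnelled MS CA.
  # A local dnsmasq resolves the CA / AD names to the runner so the tunnel is
  # reachable under the real hostnames. NTLM first, then Kerberos, then Kerberos
  # with an allowed_domainlist.
  name: "mswcce_handler_tests_rpm"
  runs-on: ubuntu-latest
  needs: mscertsrv_handler_tests_rpm
  strategy:
    # max-parallel: 1
    fail-fast: false
    matrix:
      rhversion: [8, 9]
  steps:
    - name: "checkout GIT"
      uses: actions/checkout@v4
    - name: "Prepare Alma environment"
      uses: ./.github/actions/rpm_prep
      with:
        GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
        GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
        RH_VERSION: ${{ matrix.rhversion }}
        DJANGO_DB: psql
        RPM_BUILD: false
    - name: Download rpm package
      uses: actions/download-artifact@v4
      with:
        name: acme2certifier-${{ github.run_id }}.noarch.rpm
        path: data/
    - name: "Get runner ip"
      run: |
        echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
        echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
    - run: echo "runner IP is ${{ env.RUNNER_IP }}"
    - name: "Install dnsmasq"
      run: |
        sudo apt-get update
        sudo apt-get install -y dnsmasq
        sudo systemctl disable systemd-resolved
        sudo systemctl stop systemd-resolved
        # sudo chmod -R 777 /etc/resolv.conf
        # sudo echo "nameserver 8.8.8.8" > /etc/resolv.conf
        sudo mkdir -p dnsmasq
        sudo cp .github/dnsmasq.conf dnsmasq/
        sudo chmod -R 777 dnsmasq/dnsmasq.conf
        sudo sed -i "s/RUNNER_IP/$RUNNER_IP/g" dnsmasq/dnsmasq.conf
        # The hostnames come from secrets; the runner masks them in the step log
        # (cat below), but not inside files collected into a failure artifact.
        sudo echo "address=/$WCCE_FQDN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf
        sudo echo "address=/$WCCE_ADS_DOMAIN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf
        sudo echo "address=/$WES_HOST/$RUNNER_IP" >> dnsmasq/dnsmasq.conf
        cat dnsmasq/dnsmasq.conf
        sudo cp dnsmasq/dnsmasq.conf /etc/
        sudo sed -i "s/ --local-service/ /g" /etc/init.d/dnsmasq
        sudo systemctl enable dnsmasq
        sudo systemctl start dnsmasq
      env:
        RUNNER_IP: ${{ env.RUNNER_IP }}
        WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
        WES_HOST: ${{ secrets.WES_HOST }}
    - name: "Test dns resulution"
      run: |
        # Each lookup must succeed (bash -e), proving dnsmasq answers for the names.
        host $WCCE_ADS_DOMAIN ${{ env.RUNNER_IP }}
        host $WCCE_FQDN ${{ env.RUNNER_IP }}
        host $WES_HOST 127.0.0.1
      env:
        WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
        WES_HOST: ${{ secrets.WES_HOST }}
    - name: "Create letsencrypt and lego folder"
      run: |
        mkdir certbot
        mkdir lego
        mkdir acme-sh
    - name: "Setup tunnel"
      uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup
      with:
        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
        WCCE_HOST: ${{ secrets.WCCE_HOST }}
        WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
    - name: "NTLM - Prepare acme_srv.cfg with ms_wcce_ca_handler"
      run: |
        mkdir -p data/acme_ca
        sudo touch data/acme_ca/ca_certs.pem
        sudo chmod 777 data/acme_ca/ca_certs.pem
        sudo echo "$WCCE_CA_BUNDLE" > data/acme_ca/ca_certs.pem
        # NOTE(review): data/acme_ca/acme_srv.cfg is created here but the
        # configuration is written to data/acme_srv.cfg below -- looks like a
        # leftover; confirm nothing reads it before removing.
        sudo touch data/acme_ca/acme_srv.cfg
        sudo chmod 777 data/acme_ca/acme_srv.cfg
        # The redirections below run as the runner user; 'sudo echo' is
        # effectively a plain echo. The file will hold the CA account password.
        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
        sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/mswcce_ca_handler.py" >> data/acme_srv.cfg
        # The tunnel endpoint on the runner stands in for the CA host.
        sudo echo "host: $RUNNER_IP" >> data/acme_srv.cfg
        sudo echo "user: $WCCE_USER" >> data/acme_srv.cfg
        sudo echo "password: $WCCE_PASSWORD" >> data/acme_srv.cfg
        sudo echo "template: $WCCE_TEMPLATE" >> data/acme_srv.cfg
        sudo echo "ca_name: $WCCE_CA_NAME" >> data/acme_srv.cfg
        sudo echo "target_domain: $WCCE_ADS_DOMAIN" >> data/acme_srv.cfg
        sudo echo "ca_bundle: /opt/acme2certifier/volume/acme_ca/ca_certs.pem" >> data/acme_srv.cfg
        sudo echo "timeout: 20" >> data/acme_srv.cfg
        sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg
        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" data/acme_srv.cfg
      env:
        RUNNER_IP: ${{ env.RUNNER_IP }}
        WCCE_USER: ${{ secrets.WCCE_USER }}
        WCCE_PASSWORD: ${{ secrets.WCCE_PASSWORD }}
        WCCE_TEMPLATE: ${{ secrets.WCCE_TEMPLATE }}
        WCCE_CA_NAME: ${{ secrets.WCCE_CA_NAME }}
        WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
        WCCE_CA_BUNDLE: ${{ secrets.WCCE_CA_BUNDLE }}
    - name: "NTLM - Execute install scipt"
      run: |
        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
    - name: "NTLM - enrollment mit default profile and headerinfo"
      uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo
    - name: "KRB - Setup a2c with ms_wcce_ca_handler (Kerberos)"
      run: |
        mkdir -p data/acme_ca
        sudo touch data/acme_ca/ca_certs.pem
        sudo chmod 777 data/acme_ca/ca_certs.pem
        sudo echo "$WCCE_CA_BUNDLE" > data/acme_ca/ca_certs.pem
        sudo touch data/acme_ca/acme_srv.cfg
        sudo chmod 777 data/acme_ca/acme_srv.cfg
        # Kerberos variant: the CA is addressed by FQDN (resolved by dnsmasq to the
        # runner) and the runner also acts as the domain controller endpoint.
        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
        sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/mswcce_ca_handler.py" >> data/acme_srv.cfg
        sudo echo "host: $WCCE_FQDN" >> data/acme_srv.cfg
        sudo echo "user: $WCCE_USER" >> data/acme_srv.cfg
        sudo echo "password: $WCCE_PASSWORD" >> data/acme_srv.cfg
        sudo echo "template: $WCCE_TEMPLATE" >> data/acme_srv.cfg
        sudo echo "ca_name: $WCCE_CA_NAME" >> data/acme_srv.cfg
        sudo echo "target_domain: $WCCE_ADS_DOMAIN" >> data/acme_srv.cfg
        sudo echo "domain_controller: $RUNNER_IP" >> data/acme_srv.cfg
        sudo echo "ca_bundle: /opt/acme2certifier/volume/acme_ca/ca_certs.pem" >> data/acme_srv.cfg
        sudo echo "timeout: 20" >> data/acme_srv.cfg
        sudo echo "use_kerberos: True" >> data/acme_srv.cfg
        sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg
        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" data/acme_srv.cfg
      env:
        RUNNER_IP: ${{ env.RUNNER_IP }}
        WCCE_USER: ${{ secrets.WCCE_USER }}
        WCCE_PASSWORD: ${{ secrets.WCCE_PASSWORD }}
        WCCE_TEMPLATE: ${{ secrets.WCCE_TEMPLATE }}
        WCCE_CA_NAME: ${{ secrets.WCCE_CA_NAME }}
        WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
        WCCE_CA_BUNDLE: ${{ secrets.WCCE_CA_BUNDLE }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
    - name: "KRB - Reconfigure a2c "
      run: |
        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
    - name: "KRB - enrollment mit default profile and headerinfo"
      uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo
    - name: "KRB - Setup a2c with mswcce_ca_handler with allowed_domainlist configuration"
      run: |
        # Challenge validation is disabled so the name filter, not the ACME
        # challenge, decides the outcome of the next enrollment.
        sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" data/acme_srv.cfg
        sudo echo "allowed_domainlist: [\"*.acme\", \"foo1.bar\", \"*.bar.local\"]" >> data/acme_srv.cfg
    - name: "KRB - Reconfigure a2c "
      run: |
        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
    - name: "KRB - enrollment allowed domainlist"
      uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_allowed_domain_list
    - name: "Verify allowed_domainlist error"
      run: |
        # Fails the job (grep exit 1) if the rejection was never logged.
        docker exec acme-srv grep -i "either CN or SANs are not allowed by configuration" /var/log/messages
    - name: "[ * ] collecting test logs"
      if: ${{ failure() }}
      run: |
        mkdir -p ${{ github.workspace }}/artifact/upload
        # Failure artifacts are downloadable by anyone who can read the repository:
        # keep any installed copy of acme_srv.cfg (CA account password) out of the
        # container dump and redact the host-side copy below.
        docker exec acme-srv tar --exclude='acme_srv.cfg' -cvzf /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
        sudo rm -rf data/*.rpm
        sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
        if [ -f ${{ github.workspace }}/artifact/data/acme_srv.cfg ]; then
          sudo sed -i -E 's/^(user|password):.*/\1: <redacted>/' ${{ github.workspace }}/artifact/data/acme_srv.cfg
        fi
        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
        # NOTE(review): dnsmasq.conf carries the CA / AD hostnames that are kept as
        # secrets; drop or redact it here if those names must not leave the run.
        sudo cp -rp dnsmasq/ ${{ github.workspace }}/artifact/dnsmasq/
        # docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
        # docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
        docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh dnsmasq
    - name: "[ * ] uploading artificates"
      uses: actions/upload-artifact@v4
      if: ${{ failure() }}
      with:
        name: mswcce_handler_tests_rpm-rh${{ matrix.rhversion }}.tar.gz
        path: ${{ github.workspace }}/artifact/upload/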
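mswcce_handler_eab_profile_tests_rpm:
  # RPM-based test of mswcce_ca_handler (Kerberos) with EAB profiling; the
  # example kid_profiles.json is rewritten so profiles select MS CA templates.
  # A local dnsmasq resolves the CA / AD names to the runner-side tunnel.
  name: "mswcce_handler_eab_profile_tests_rpm"
  runs-on: ubuntu-latest
  needs: mscertsrv_handler_tests_rpm
  strategy:
    # max-parallel: 1
    fail-fast: false
    matrix:
      rhversion: [8, 9]
  steps:
    - name: "checkout GIT"
      uses: actions/checkout@v4
    - name: "Prepare Alma environment"
      uses: ./.github/actions/rpm_prep
      with:
        GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
        GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
        RH_VERSION: ${{ matrix.rhversion }}
        DJANGO_DB: psql
        RPM_BUILD: false
    - name: Download rpm package
      uses: actions/download-artifact@v4
      with:
        name: acme2certifier-${{ github.run_id }}.noarch.rpm
        path: data/
    - name: "Get runner ip"
      run: |
        echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
        echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
    - run: echo "runner IP is ${{ env.RUNNER_IP }}"
    - name: "Install dnsmasq"
      run: |
        sudo apt-get update
        sudo apt-get install -y dnsmasq
        sudo systemctl disable systemd-resolved
        sudo systemctl stop systemd-resolved
        # sudo chmod -R 777 /etc/resolv.conf
        # sudo echo "nameserver 8.8.8.8" > /etc/resolv.conf
        sudo mkdir -p dnsmasq
        sudo cp .github/dnsmasq.conf dnsmasq/
        sudo chmod -R 777 dnsmasq/dnsmasq.conf
        sudo sed -i "s/RUNNER_IP/$RUNNER_IP/g" dnsmasq/dnsmasq.conf
        # The hostnames come from secrets; the runner masks them in the step log
        # (cat below), but not inside files collected into a failure artifact.
        sudo echo "address=/$WCCE_FQDN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf
        sudo echo "address=/$WCCE_ADS_DOMAIN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf
        sudo echo "address=/$WES_HOST/$RUNNER_IP" >> dnsmasq/dnsmasq.conf
        cat dnsmasq/dnsmasq.conf
        sudo cp dnsmasq/dnsmasq.conf /etc/
        sudo sed -i "s/ --local-service/ /g" /etc/init.d/dnsmasq
        sudo systemctl enable dnsmasq
        sudo systemctl start dnsmasq
      env:
        RUNNER_IP: ${{ env.RUNNER_IP }}
        WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
        WES_HOST: ${{ secrets.WES_HOST }}
    - name: "Test dns resulution"
      run: |
        # Each lookup must succeed (bash -e), proving dnsmasq answers for the names.
        host $WCCE_ADS_DOMAIN ${{ env.RUNNER_IP }}
        host $WCCE_FQDN ${{ env.RUNNER_IP }}
        host $WES_HOST 127.0.0.1
      env:
        WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
        WES_HOST: ${{ secrets.WES_HOST }}
    - name: "Create letsencrypt and lego folder"
      run: |
        mkdir certbot
        mkdir lego
        mkdir acme-sh
    - name: "Setup tunnel"
      uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup
      with:
        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
        WCCE_HOST: ${{ secrets.WCCE_HOST }}
        WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
    - name: "EAB with headerinfo - Setup a2c with ms_wcce_ca_handler (Kerberos)"
      run: |
        mkdir -p data/acme_ca
        sudo touch data/acme_ca/ca_certs.pem
        sudo chmod 777 data/acme_ca/ca_certs.pem
        sudo echo "$WCCE_CA_BUNDLE" > data/acme_ca/ca_certs.pem
        # NOTE(review): data/acme_ca/acme_srv.cfg is created here but the
        # configuration is written to data/acme_srv.cfg below -- looks like a
        # leftover; confirm nothing reads it before removing.
        sudo touch data/acme_ca/acme_srv.cfg
        sudo chmod 777 data/acme_ca/acme_srv.cfg
        # The redirections below run as the runner user; 'sudo echo' is
        # effectively a plain echo. The file will hold the CA account password.
        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
        sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/mswcce_ca_handler.py" >> data/acme_srv.cfg
        sudo echo "host: $WCCE_FQDN" >> data/acme_srv.cfg
        sudo echo "user: $WCCE_USER" >> data/acme_srv.cfg
        sudo echo "password: $WCCE_PASSWORD" >> data/acme_srv.cfg
        sudo echo "template: $WCCE_TEMPLATE" >> data/acme_srv.cfg
        sudo echo "ca_name: $WCCE_CA_NAME" >> data/acme_srv.cfg
        sudo echo "target_domain: $WCCE_ADS_DOMAIN" >> data/acme_srv.cfg
        sudo echo "domain_controller: $RUNNER_IP" >> data/acme_srv.cfg
        sudo echo "ca_bundle: /opt/acme2certifier/volume/acme_ca/ca_certs.pem" >> data/acme_srv.cfg
        sudo echo "timeout: 20" >> data/acme_srv.cfg
        sudo echo "use_kerberos: True" >> data/acme_srv.cfg
        sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg
        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" data/acme_srv.cfg
        sudo echo "eab_profiling: True" >> data/acme_srv.cfg
        sudo echo -e "\n[EABhandler]" >> data/acme_srv.cfg
        sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg
        sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg
        # Turn the repository's example profile file into one keyed on MS CA
        # templates; "unknown_key" checks that unsupported keys are tolerated.
        sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json
        sudo chmod 777 data/acme_ca/kid_profiles.json
        sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"template\"\: \[\"WebServerModified\"\, \"WebServer\"]/g" data/acme_ca/kid_profiles.json
        sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"template\"\: \"WebServerModified\"/g" data/acme_ca/kid_profiles.json
        sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json
        sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json
        sudo sed -i "s/example.net/acme/g" data/acme_ca/kid_profiles.json
        # Line-number based deletions: they silently break if the example file
        # changes shape.
        sudo sed -i '18,19d' data/acme_ca/kid_profiles.json
        sudo sed -i '8,9d' data/acme_ca/kid_profiles.json
      env:
        RUNNER_IP: ${{ env.RUNNER_IP }}
        WCCE_USER: ${{ secrets.WCCE_USER }}
        WCCE_PASSWORD: ${{ secrets.WCCE_PASSWORD }}
        WCCE_TEMPLATE: ${{ secrets.WCCE_TEMPLATE }}
        WCCE_CA_NAME: ${{ secrets.WCCE_CA_NAME }}
        WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
        WCCE_CA_BUNDLE: ${{ secrets.WCCE_CA_BUNDLE }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
    - name: "EAB with headerinfo - Execute install scipt"
      run: |
        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
    - name: "EAB with headerinfo - enrollment"
      uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_eab
    - name: "[ * ] collecting test logs"
      if: ${{ failure() }}
      run: |
        mkdir -p ${{ github.workspace }}/artifact/upload
        # Failure artifacts are downloadable by anyone who can read the repository:
        # keep any installed copy of acme_srv.cfg (CA account password) out of the
        # container dump and redact the host-side copy below.
        docker exec acme-srv tar --exclude='acme_srv.cfg' -cvzf /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
        sudo rm -rf data/*.rpm
        sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
        if [ -f ${{ github.workspace }}/artifact/data/acme_srv.cfg ]; then
          sudo sed -i -E 's/^(user|password):.*/\1: <redacted>/' ${{ github.workspace }}/artifact/data/acme_srv.cfg
        fi
        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
        # NOTE(review): dnsmasq.conf carries the CA / AD hostnames that are kept as
        # secrets; drop or redact it here if those names must not leave the run.
        sudo cp -rp dnsmasq/ ${{ github.workspace }}/artifact/dnsmasq/
        # docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
        # docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
        docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh dnsmasq
    - name: "[ * ] uploading artificates"
      uses: actions/upload-artifact@v4
      if: ${{ failure() }}
      with:
        name: mswcce_handler_profile_tests_rpm-rh${{ matrix.rhversion }}.tar.gz
        path: ${{ github.workspace }}/artifact/upload/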
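rpm_cleanup:
  # Delete the RPM artifact produced by rpm_build_and_upload once every
  # consumer job has finished.
  name: "rpm_cleanup"
  runs-on: ubuntu-latest
  needs: [mscertsrv_handler_tests_rpm, mscertsrv_handler_eab_profile_tests_rpm, mswcce_handler_tests_rpm, mswcce_handler_eab_profile_tests_rpm]
  # Run even when one of the test jobs failed or was cancelled; otherwise the
  # RPM lingers until the artifact retention period expires.
  if: ${{ always() }}
  steps:
    # NOTE(review): third-party action referenced by a mutable tag; pin it to a
    # full commit SHA for supply-chain hygiene.
    - name: "Delete artifact"
      uses: geekyeggo/delete-artifact@v5
      with:
        name: acme2certifier-${{ github.run_id }}.noarch.rpm
        # The artifact may never have been produced if the RPM build failed.
        failOnError: false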