diff --git a/.github/workflows/ca_handler_tests_cmp.yml b/.github/workflows/ca_handler_tests_cmp.yml
index 39381416..5354a867 100644
--- a/.github/workflows/ca_handler_tests_cmp.yml
+++ b/.github/workflows/ca_handler_tests_cmp.yml
@@ -78,6 +78,7 @@ jobs:
 sudo echo "cmp_key: volume/ra_key.pem" >> examples/Docker/data/acme_srv.cfg
 sudo echo "cmp_trusted: volume/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg
 sudo echo "cmp_recipient: $CMP_RECIPIENT" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> examples/Docker/data/acme_srv.cfg
 cd examples/Docker/
 docker-compose restart
 env:
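Review bot: On the added line `sudo` applies only to `echo`; the `>>` append is done by the runner's unprivileged shell, so the step presumably succeeds only because examples/Docker/data/acme_srv.cfg was made writable in an earlier step that is outside this hunk. The same construction is repeated in the hunks at -127, -254 and -370. Writing it as `echo 'allowed_domainlist: ["bar.local", "*.acme"]' | sudo tee -a examples/Docker/data/acme_srv.cfg >/dev/null` makes the privilege requirement explicit and drops the escaped quotes. The run block this line belongs to starts outside the hunk.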
@@ -87,23 +88,18 @@ jobs:
 CMP_RA_CERT: ${{ secrets.CMP_RA_CERT }}
 CMP_TRUSTED: ${{ secrets.CMP_TRUSTED }}
 
- - name: "Sleep for 10s"
- uses: juliangruber/sleep-action@v2.0.3
+ - name: "Test enrollment"
+ uses: ./.github/actions/acme_clients
 with:
- time: 10s
-
- - name: "Test http://acme-srv/directory is accessible"
- run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
- - name: "Test if https://acme-srv/directory is accessible"
- run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+ REVOCATION: "false"
+ VERIFY_CERT: "false"
+ USE_CERTBOT: "false"
+ TEST_ADL: "true"
 
- - name: "Enroll acme.sh"
+ - name: "Verify allowed_domainlist error"
 run: |
- docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force
- awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
- openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
- sudo rm -rf acme-sh/*
+ cd examples/Docker
+ docker-compose logs | grep "allowed_domainlist" | grep -i "either CN or SANs are not allowed by configuration"
 
 - name: "Setup a2c with cmp_ca_handler with PSK refnum authentication"
 run: |
@@ -127,6 +123,7 @@ jobs:
 sudo echo "cmp_recipient: $CMP_RECIPIENT" >> examples/Docker/data/acme_srv.cfg
 sudo echo "cmp_ref: $CMP_REF" >> examples/Docker/data/acme_srv.cfg
 sudo echo "cmp_secret: $CMP_SECRET" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> examples/Docker/data/acme_srv.cfg
 cd examples/Docker/
 docker-compose restart
 env:
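Review bot: The replacement drops the chain check that the removed `openssl verify -CAfile cert-2.pem -untrusted cert-1.pem ...` line performed and at the same time passes `VERIFY_CERT: "false"` to ./.github/actions/acme_clients, so — assuming that input gates the equivalent check inside the action, whose inputs are not visible in this diff — the CMP handler job no longer confirms that the issued certificate chains to the CA bundle returned with it. If the action cannot verify against the CMP CA in this flow, record that on the `with:` block, e.g. `# VERIFY_CERT disabled: <reason>`; otherwise set `VERIFY_CERT: "true"`. The same substitution is made in the hunks at -137, -265 and -382.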
@@ -137,32 +134,18 @@ jobs:
 CMP_REF: ${{ secrets.CMP_REF }}
 CMP_SECRET: ${{ secrets.CMP_SECRET }}
 
- - name: "Sleep for 10s"
- uses: juliangruber/sleep-action@v2.0.3
- with:
- time: 10s
-
- - name: "Sleep for 10s"
- uses: juliangruber/sleep-action@v2.0.3
+ - name: "Test enrollment"
+ uses: ./.github/actions/acme_clients
 with:
- time: 10s
-
- - name: "Test http://acme-srv/directory is accessible"
- run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
- - name: "Test if https://acme-srv/directory is accessible"
- run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+ REVOCATION: "false"
+ VERIFY_CERT: "false"
+ USE_CERTBOT: "false"
+ TEST_ADL: "true"
 
- - name: "Enroll acme.sh"
+ - name: "Verify allowed_domainlist error"
 run: |
- docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force
- awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
- openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
- - name: "Check container configuration"
- uses: ./.github/actions/container_check
- with:
- DB_HANDLER: ${{ matrix.dbhandler }}
- WEB_SRV: ${{ matrix.websrv }}
+ cd examples/Docker
+ docker-compose logs | grep "allowed_domainlist" | grep -i "either CN or SANs are not allowed by configuration"
 
 - name: "[ * ] collecting test logs"
 if: ${{ failure() }}
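Review bot: The "Verify allowed_domainlist error" step added in this hunk cannot fail on its own: it appears to run in the same job as the identical check after the -87 hunk, separated only by the `docker-compose restart` in the -127 hunk, and a restart keeps the container and its log history, so `docker-compose logs` still contains the rejection line produced by the first enrollment. A PSK configuration that ignored allowed_domainlist would therefore still pass this step. Scope the match to output produced after the restart — for example record `prev=$(docker-compose logs | wc -l)` before "Test enrollment" and grep only `docker-compose logs | tail -n +"$((prev + 1))"` — or recreate the container instead of restarting it.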
@@ -254,6 +237,7 @@ jobs:
 sudo echo "cmp_key: /opt/acme2certifier/volume/acme_ca/ra_key.pem" >> data/acme_srv.cfg
 sudo echo "cmp_trusted: /opt/acme2certifier/volume/acme_ca/ca_bundle.pem" >> data/acme_srv.cfg
 sudo echo "cmp_recipient: $CMP_RECIPIENT" >> data/acme_srv.cfg
+ sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> data/acme_srv.cfg
 env:
 RUNNER_IP: ${{ env.RUNNER_IP }}
 CMP_RECIPIENT: ${{ secrets.CMP_RECIPIENT }}
@@ -265,22 +249,17 @@ jobs:
 run: |
 docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
 
- - name: "Sleep for 10s"
- uses: juliangruber/sleep-action@v2.0.3
+ - name: "Test enrollment"
+ uses: ./.github/actions/acme_clients
 with:
- time: 10s
+ REVOCATION: "false"
+ VERIFY_CERT: "false"
+ USE_CERTBOT: "false"
+ TEST_ADL: "true"
 
- - name: "Test http://acme-srv/directory is accessible"
- run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
- - name: "Test if https://acme-srv/directory is accessible"
- run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
-
- - name: "Enroll acme.sh"
+ - name: "Verify allowed_domainlist error"
 run: |
- docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force
- awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
- openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+ docker exec acme-srv grep -i "either CN or SANs are not allowed by configuration" /var/log/messages
 
 - name: "[ * ] collecting test logs"
 if: ${{ failure() }}
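Review bot: The rpm variant of "Verify allowed_domainlist error" in the -265 hunk greps /var/log/messages for the message text alone, whereas the compose variant in the -87 and -137 hunks first narrows to lines containing `allowed_domainlist`. Keeping the same two-stage filter here, `docker exec acme-srv grep "allowed_domainlist" /var/log/messages | grep -i "either CN or SANs are not allowed by configuration"`, ties the match to the feature under test rather than to any syslog line carrying that phrase. The hunk at -382 has the same check.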
@@ -370,6 +349,7 @@ jobs:
 sudo echo "cmp_recipient: $CMP_RECIPIENT" >> data/acme_srv.cfg
 sudo echo "cmp_ref: $CMP_REF" >> data/acme_srv.cfg
 sudo echo "cmp_secret: $CMP_SECRET" >> data/acme_srv.cfg
+ sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> data/acme_srv.cfg
 env:
 RUNNER_IP: ${{ env.RUNNER_IP }}
 CMP_RECIPIENT: ${{ secrets.CMP_RECIPIENT }}
@@ -382,22 +362,17 @@ jobs:
 run: |
 docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
 
- - name: "Sleep for 10s"
- uses: juliangruber/sleep-action@v2.0.3
+ - name: "Test enrollment"
+ uses: ./.github/actions/acme_clients
 with:
- time: 10s
-
- - name: "Test http://acme-srv/directory is accessible"
- run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
- - name: "Test if https://acme-srv/directory is accessible"
- run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+ REVOCATION: "false"
+ VERIFY_CERT: "false"
+ USE_CERTBOT: "false"
+ TEST_ADL: "true"
 
- - name: "Enroll acme.sh"
+ - name: "Verify allowed_domainlist error"
 run: |
- docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force
- awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
- openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+ docker exec acme-srv grep -i "either CN or SANs are not allowed by configuration" /var/log/messages
 
 - name: "[ * ] collecting test logs"
 if: ${{ failure() }}
diff --git a/.github/workflows/ca_handler_tests_msca.yml b/.github/workflows/ca_handler_tests_msca.yml
deleted file mode 100644
index 5a234ee8..00000000
--- a/.github/workflows/ca_handler_tests_msca.yml
+++ /dev/null
@@ -1,1457 +0,0 @@ -name: CA handler tests - MicrosoftCA - -on: - push: - pull_request: - branches: [ devel ] - schedule: - # * is a special character in YAML so you have to quote this string - - cron: '0 2 * * 6' - -jobs: - container_build: - name: "container_build" - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - websrv: ['apache2', 'nginx'] - dbhandler: ['wsgi', 'django'] - - steps: - - name: "checkout GIT" - uses: actions/checkout@v4 - - - name: "Build container" - uses: ./.github/actions/container_build_upload - with: - DB_HANDLER: ${{ matrix.dbhandler }} - WEB_SRV: ${{ matrix.websrv }} - - mscertsrv_handler_tests: - name: "mscertsrv_handler_tests" - runs-on: ubuntu-latest - needs: container_build - strategy: - fail-fast: false - # max-parallel: 1 - matrix: - websrv: ['apache2', 'nginx'] - dbhandler: ['wsgi', 'django'] - steps: - - name: "checkout GIT" - uses: actions/checkout@v4 - - - name: "Download container" - uses: actions/download-artifact@v4 - with: - name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz - path: /tmp - - - name: "Import container" - run: | - sudo apt-get install -y docker-compose - gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz - docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar - docker images - - - name: "Prepare container environment" - uses: ./.github/actions/container_prep - with: - DB_HANDLER: ${{ matrix.dbhandler }} - WEB_SRV: ${{ matrix.websrv }} - CONTAINER_BUILD: false - NAME_SPACE: local - - - name: "Get runner ip" - run: | - echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV - echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV - - - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - - name: "Setup tunnel" - uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup - with: - WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }} - 
WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} - WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} - WCCE_HOST: ${{ secrets.WCCE_HOST }} - WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }} - WCCE_FQDN: ${{ secrets.WCCE_FQDN }} - WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} - WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} - NAME_SPACE: local - - - name: "KRB - Setup a2c with mscertsrv_ca_handler using kerberos" - run: | - sudo touch examples/Docker/data/ca_certs.pem - sudo chmod 777 examples/Docker/data/ca_certs.pem - sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem - sudo touch examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg - sudo echo "handler_file: examples/ca_handler/mscertsrv_ca_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "host: $WCCE_FQDN" >> examples/Docker/data/acme_srv.cfg - sudo echo "user: $WES_USER" >> examples/Docker/data/acme_srv.cfg - sudo echo "password: $WES_PASSWORD" >> examples/Docker/data/acme_srv.cfg - sudo echo "auth_method: gssapi" >> examples/Docker/data/acme_srv.cfg - sudo echo "template: $WES_TEMPLATE" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_bundle: /var/www/acme2certifier/volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg - sudo echo "krb5_config: /var/www/acme2certifier/volume/krb5.conf" >> examples/Docker/data/acme_srv.cfg - sudo echo "verify: False" >> examples/Docker/data/acme_srv.cfg - sudo echo "request_timeout: 30" >> examples/Docker/data/acme_srv.cfg - sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg - sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg - - sudo touch examples/Docker/data/krb5.conf - sudo chmod 777 
examples/Docker/data/krb5.conf - cat < examples/Docker/data/krb5.conf - $WES_KRB5_CONF - EOF - env: - WES_HOST: ${{ secrets.WES_HOST }} - WES_USER: ${{ secrets.WES_USER }} - WES_PASSWORD: ${{ secrets.WES_PASSWORD }} - WES_TEMPLATE: ${{ secrets.WES_TEMPLATE }} - WES_AUTHMETHOD: ${{ secrets.WES_AUTHMETHOD }} - WCCE_HOST: ${{ secrets.WCCE_HOST }} - WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} - WES_KRB5_CONF: ${{ secrets.WES_KRB5_CONF }} - WCCE_FQDN: ${{ secrets.WCCE_FQDN }} - WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }} - - - name: "Bring up a2c container" - uses: ./.github/actions/container_up - with: - DB_HANDLER: ${{ matrix.dbhandler }} - WEB_SRV: ${{ matrix.websrv }} - NAME_SPACE: local - - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "KRB - enrollment mit default profile and headerinfo" - uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo - with: - NAME_SPACE: local - - - name: "NTLM - Setup a2c with mscertsrv_ca_handler using ntlm" - run: | - sudo touch examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg - sudo echo "handler_file: examples/ca_handler/mscertsrv_ca_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "host: $WCCE_FQDN" >> examples/Docker/data/acme_srv.cfg - sudo echo "user: $WES_USER" >> examples/Docker/data/acme_srv.cfg - sudo echo "password: $WES_PASSWORD" >> examples/Docker/data/acme_srv.cfg - sudo echo "auth_method: ntlm" >> examples/Docker/data/acme_srv.cfg - sudo echo "template: $WES_TEMPLATE" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_bundle: /var/www/acme2certifier/volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg - sudo echo "verify: False" >> examples/Docker/data/acme_srv.cfg - sudo echo "request_timeout: 30" >> examples/Docker/data/acme_srv.cfg - sudo sed -i "s/tnauthlist_support: 
False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg - sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg - env: - WES_HOST: ${{ secrets.WES_HOST }} - WES_USER: ${{ secrets.WES_USER }} - WES_PASSWORD: ${{ secrets.WES_PASSWORD }} - WES_TEMPLATE: ${{ secrets.WES_TEMPLATE }} - WES_AUTHMETHOD: ${{ secrets.WES_AUTHMETHOD }} - WCCE_HOST: ${{ secrets.WCCE_HOST }} - WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} - WES_KRB5_CONF: ${{ secrets.WES_KRB5_CONF }} - WCCE_FQDN: ${{ secrets.WCCE_FQDN }} - WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }} - - - name: "NTLM - enrollment mit default profile and headerinfo" - uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo - with: - NAME_SPACE: local - - - name: "NTLM - Setup a2c with mscertsrv_ca_handler with allowed_domainlist configuration" - run: | - sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" examples/Docker/data/acme_srv.cfg - sudo echo "allowed_domainlist: [\"*.acme\", \"foo1.bar\", \"*.bar.local\"]" >> examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - - - name: "NTLM - enrollment allowed domainlist" - uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_allowed_domain_list - with: - NAME_SPACE: local - - - name: "Verify allowed_domainlist error" - run: | - cd examples/Docker - docker-compose logs | grep "allowed_domainlist" | grep -i "either CN or SANs are not allowed by configuration" - - - name: "Check container configuration" - uses: ./.github/actions/container_check - with: - DB_HANDLER: ${{ matrix.dbhandler }} - WEB_SRV: ${{ matrix.websrv }} - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp /etc/hosts 
${{ github.workspace }}/artifact/data/ - sudo cp /etc/resolv.conf ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ - sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego dnsmasq - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v4 - if: ${{ failure() }} - with: - name: mscertsrv_handler_tests-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - mscertsrv_handler_eab_profiling_tests: - name: "mscertsrv_handler_eab_profiling_tests" - runs-on: ubuntu-latest - needs: container_build - strategy: - fail-fast: false - # max-parallel: 1 - matrix: - websrv: ['apache2', 'nginx'] - dbhandler: ['wsgi', 'django'] - steps: - - name: "checkout GIT" - uses: actions/checkout@v4 - - - name: "create folders and networks" - run: | - mkdir lego - mkdir acme-sh - mkdir certbot - - - name: "Download container" - uses: actions/download-artifact@v4 - with: - name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz - path: /tmp - - - name: "Import container" - run: | - sudo apt-get install -y docker-compose - gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz - docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar - docker images - - - name: "Prepare container environment" - uses: ./.github/actions/container_prep - with: - DB_HANDLER: ${{ matrix.dbhandler }} - WEB_SRV: ${{ matrix.websrv }} - CONTAINER_BUILD: false - NAME_SPACE: local - - - name: "Get runner ip" - run: | - echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | 
cut -d '/' -f 1) >> $GITHUB_ENV - echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV - - - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - - name: "Setup tunnel" - uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup - with: - WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }} - WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} - WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} - WCCE_HOST: ${{ secrets.WCCE_HOST }} - WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }} - WCCE_FQDN: ${{ secrets.WCCE_FQDN }} - WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} - WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} - NAME_SPACE: local - - - name: "EAB with headerinfo - Setup a2c with mscertsrv_ca_handler using kerberos" - run: | - sudo touch examples/Docker/data/ca_certs.pem - sudo chmod 777 examples/Docker/data/ca_certs.pem - sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem - sudo touch examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg - sudo echo "handler_file: examples/ca_handler/mscertsrv_ca_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "host: $WCCE_FQDN" >> examples/Docker/data/acme_srv.cfg - sudo echo "user: $WES_USER" >> examples/Docker/data/acme_srv.cfg - sudo echo "password: $WES_PASSWORD" >> examples/Docker/data/acme_srv.cfg - sudo echo "auth_method: gssapi" >> examples/Docker/data/acme_srv.cfg - sudo echo "template: $WES_TEMPLATE" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_bundle: /var/www/acme2certifier/volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg - sudo echo "krb5_config: /var/www/acme2certifier/volume/krb5.conf" >> examples/Docker/data/acme_srv.cfg - sudo echo "verify: False" >> examples/Docker/data/acme_srv.cfg - sudo echo "request_timeout: 30" >> examples/Docker/data/acme_srv.cfg - sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: 
False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg - sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg - - sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg - sudo echo -e "\n\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg - sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg - - sudo touch examples/Docker/data/krb5.conf - sudo chmod 777 examples/Docker/data/krb5.conf - cat < examples/Docker/data/krb5.conf - $WES_KRB5_CONF - EOF - - sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json - sudo chmod 777 examples/eab_handler/kid_profiles.json - sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"template\"\: \[\"WebServerModified\"\, \"WebServer\"]/g" examples/Docker/data/kid_profiles.json - sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"template\"\: \"WebServerModified\"/g" examples/Docker/data/kid_profiles.json - sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json - sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json - sudo sed -i "s/example.net/local/g" examples/Docker/data/kid_profiles.json - sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json - sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json - env: - WES_HOST: ${{ secrets.WES_HOST }} - WES_USER: ${{ secrets.WES_USER }} - WES_PASSWORD: ${{ secrets.WES_PASSWORD }} - WES_TEMPLATE: ${{ secrets.WES_TEMPLATE }} - WES_AUTHMETHOD: ${{ secrets.WES_AUTHMETHOD }} - WCCE_HOST: ${{ secrets.WCCE_HOST }} - WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} - WES_KRB5_CONF: ${{ 
secrets.WES_KRB5_CONF }} - WCCE_FQDN: ${{ secrets.WCCE_FQDN }} - WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }} - - - name: "Bring up a2c container" - uses: ./.github/actions/container_up - with: - DB_HANDLER: ${{ matrix.dbhandler }} - WEB_SRV: ${{ matrix.websrv }} - NAME_SPACE: local - - - name: "EAB with headerinfo - enrollment" - uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_eab - with: - NAME_SPACE: local - - - name: "Check container configuration" - uses: ./.github/actions/container_check - with: - DB_HANDLER: ${{ matrix.dbhandler }} - WEB_SRV: ${{ matrix.websrv }} - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp /etc/hosts ${{ github.workspace }}/artifact/data/ - sudo cp /etc/resolv.conf ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ - sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego dnsmasq - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v4 - if: ${{ failure() }} - with: - name: mscertsrv_handler_profiling_tests-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - mswcce_handler_tests: - name: "mswcce_handler_tests" - runs-on: ubuntu-latest - needs: container_build - strategy: - fail-fast: false - # max-parallel: 1 - matrix: - websrv: ['apache2', 'nginx'] - dbhandler: ['wsgi', 'django'] - steps: - - name: "checkout GIT" - uses: actions/checkout@v4 - - - name: "create folders" - run: | - mkdir lego - mkdir acme-sh - mkdir certbot - - - 
name: "Download container" - uses: actions/download-artifact@v4 - with: - name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz - path: /tmp - - - name: "Import container" - run: | - sudo apt-get install -y docker-compose - gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz - docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar - docker images - - - name: "Prepare container environment" - uses: ./.github/actions/container_prep - with: - DB_HANDLER: ${{ matrix.dbhandler }} - WEB_SRV: ${{ matrix.websrv }} - CONTAINER_BUILD: false - - - name: "[ PREPARE ] get runner ip" - run: | - echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV - echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV - - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - - name: "Install dnsmasq" - run: | - sudo apt-get update - sudo apt-get install -y dnsmasq - sudo systemctl disable systemd-resolved - sudo systemctl stop systemd-resolved - sudo mkdir -p dnsmasq - sudo cp .github/dnsmasq.conf dnsmasq/ - sudo chmod -R 777 dnsmasq/dnsmasq.conf - sudo sed -i "s/RUNNER_IP/$RUNNER_IP/g" dnsmasq/dnsmasq.conf - sudo echo "address=/$WCCE_FQDN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf - sudo echo "address=/$WCCE_ADS_DOMAIN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf - sudo echo "address=/$WES_HOST/$RUNNER_IP" >> dnsmasq/dnsmasq.conf - cat dnsmasq/dnsmasq.conf - sudo cp dnsmasq/dnsmasq.conf /etc/ - sudo systemctl enable dnsmasq - sudo systemctl start dnsmasq - env: - RUNNER_IP: ${{ env.RUNNER_IP }} - WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} - WCCE_FQDN: ${{ secrets.WCCE_FQDN }} - WES_HOST: ${{ secrets.WES_HOST }} - - - name: "[ PREPARE ] test dns resulution" - run: | - host $WCCE_ADS_DOMAIN 127.0.0.1 - host $WCCE_FQDN 127.0.0.1 - host $WES_HOST 127.0.0.1 - env: - WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} - WCCE_FQDN: ${{ secrets.WCCE_FQDN }} - 
WES_HOST: ${{ secrets.WES_HOST }} - - - name: "Setup tunnel" - uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup - with: - WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }} - WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} - WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} - WCCE_HOST: ${{ secrets.WCCE_HOST }} - WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }} - WCCE_FQDN: ${{ secrets.WCCE_FQDN }} - WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} - WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} - - - name: "NTLM - Setup a2c with ms_wcce_ca_handler (ntlm)" - run: | - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py - sudo touch examples/Docker/data/ca_certs.pem - sudo chmod 777 examples/Docker/data/ca_certs.pem - sudo echo "$WCCE_CA_BUNDLE" > examples/Docker/data/ca_certs.pem - sudo touch examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg - sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/mswcce_ca_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "host: $RUNNER_IP" >> examples/Docker/data/acme_srv.cfg - sudo echo "user: $WCCE_USER" >> examples/Docker/data/acme_srv.cfg - sudo echo "password: $WCCE_PASSWORD" >> examples/Docker/data/acme_srv.cfg - sudo echo "template: $WCCE_TEMPLATE" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_name: $WCCE_CA_NAME" >> examples/Docker/data/acme_srv.cfg - sudo echo "target_domain: $WCCE_ADS_DOMAIN" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_bundle: volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg - sudo echo "timeout: 20" >> 
examples/Docker/data/acme_srv.cfg - sudo echo "ssh_host: $SSH_HOST:$SSH_PORT" >> examples/Docker/data/acme_srv.cfg - sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg - sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg - env: - RUNNER_IP: ${{ env.RUNNER_IP }} - WCCE_USER: ${{ secrets.WCCE_USER }} - WCCE_PASSWORD: ${{ secrets.WCCE_PASSWORD }} - WCCE_TEMPLATE: ${{ secrets.WCCE_TEMPLATE }} - WCCE_CA_NAME: ${{ secrets.WCCE_CA_NAME }} - WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} - WCCE_CA_BUNDLE: ${{ secrets.WCCE_CA_BUNDLE }} - WCCE_HOST: ${{ secrets.WCCE_HOST }} - SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} - SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} - - - name: "Bring up a2c container" - uses: ./.github/actions/container_up - with: - DB_HANDLER: ${{ matrix.dbhandler }} - WEB_SRV: ${{ matrix.websrv }} - - - name: "NTLM - enrollment mit default profile and headerinfo" - uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo - - - name: "KRB - Setup a2c with ms_wcce_ca_handler (Kerboros)" - run: | - sudo touch examples/Docker/data/ca_certs.pem - sudo chmod 777 examples/Docker/data/ca_certs.pem - sudo echo "$WCCE_CA_BUNDLE" > examples/Docker/data/ca_certs.pem - sudo touch examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg - sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/mswcce_ca_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "host: $WCCE_FQDN" >> examples/Docker/data/acme_srv.cfg - sudo echo "user: $WCCE_USER" >> examples/Docker/data/acme_srv.cfg - sudo echo "password: $WCCE_PASSWORD" >> examples/Docker/data/acme_srv.cfg - sudo echo "template: $WCCE_TEMPLATE" >> 
examples/Docker/data/acme_srv.cfg - sudo echo "ca_name: $WCCE_CA_NAME" >> examples/Docker/data/acme_srv.cfg - sudo echo "target_domain: $WCCE_ADS_DOMAIN" >> examples/Docker/data/acme_srv.cfg - sudo echo "domain_controller: $RUNNER_IP" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_bundle: volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg - sudo echo "timeout: 20" >> examples/Docker/data/acme_srv.cfg - sudo echo "use_kerberos: True" >> examples/Docker/data/acme_srv.cfg - sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg - sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - env: - RUNNER_IP: ${{ env.RUNNER_IP }} - DNSMASQ_IP: ${{ env.DNSMASQ_IP }} - WCCE_USER: ${{ secrets.WCCE_USER }} - WCCE_PASSWORD: ${{ secrets.WCCE_PASSWORD }} - WCCE_TEMPLATE: ${{ secrets.WCCE_TEMPLATE }} - WCCE_CA_NAME: ${{ secrets.WCCE_CA_NAME }} - WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} - WCCE_CA_BUNDLE: ${{ secrets.WCCE_CA_BUNDLE }} - WCCE_FQDN: ${{ secrets.WCCE_FQDN }} - - - name: "KRB - Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "KRB - enrollment mit default profile and headerinfo" - uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo - - - name: "KRB - Setup a2c with mswcce_ca_handler with allowed_domainlist configuration" - run: | - sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" examples/Docker/data/acme_srv.cfg - sudo echo "allowed_domainlist: [\"*.acme\", \"foo1.bar\", \"*.bar.local\"]" >> examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - - - name: "KRB - enrollment allowed domainlist" - uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_allowed_domain_list - - - name: "Verify 
allowed_domainlist error" - run: | - cd examples/Docker - docker-compose logs | grep "allowed_domainlist" | grep -i "either CN or SANs are not allowed by configuration" - - - name: "Check container configuration" - uses: ./.github/actions/container_check - with: - DB_HANDLER: ${{ matrix.dbhandler }} - WEB_SRV: ${{ matrix.websrv }} - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ - sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ - sudo cp -rp dnsmasq/ ${{ github.workspace }}/artifact/dnsmasq/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data dnsmasq - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v4 - if: ${{ failure() }} - with: - name: mswcce_handler_tests-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - mswcce_handler_eab_profiling_tests: - name: "mswcce_handler_eab_profiling_tests" - runs-on: ubuntu-latest - needs: container_build - strategy: - fail-fast: false - # max-parallel: 2 - matrix: - websrv: ['apache2', 'nginx'] - dbhandler: ['wsgi', 'django'] - steps: - - name: "checkout GIT" - uses: actions/checkout@v4 - - - name: "create folders" - run: | - mkdir lego - mkdir acme-sh - mkdir certbot - - - name: "[ PREPARE ] get runner ip" - run: | - echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV - echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV - - - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - - name: "Install dnsmasq" - run: | - sudo apt-get update - 
sudo apt-get install -y dnsmasq - sudo systemctl disable systemd-resolved - sudo systemctl stop systemd-resolved - sudo mkdir -p dnsmasq - sudo cp .github/dnsmasq.conf dnsmasq/ - sudo chmod -R 777 dnsmasq/dnsmasq.conf - sudo sed -i "s/RUNNER_IP/$RUNNER_IP/g" dnsmasq/dnsmasq.conf - sudo echo "address=/$WCCE_FQDN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf - sudo echo "address=/$WCCE_ADS_DOMAIN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf - sudo echo "address=/$WES_HOST/$RUNNER_IP" >> dnsmasq/dnsmasq.conf - cat dnsmasq/dnsmasq.conf - sudo cp dnsmasq/dnsmasq.conf /etc/ - sudo systemctl enable dnsmasq - sudo systemctl start dnsmasq - env: - RUNNER_IP: ${{ env.RUNNER_IP }} - WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} - WCCE_FQDN: ${{ secrets.WCCE_FQDN }} - WES_HOST: ${{ secrets.WES_HOST }} - - - name: "[ PREPARE ] test dns resulution" - run: | - host $WCCE_ADS_DOMAIN 127.0.0.1 - host $WCCE_FQDN 127.0.0.1 - host $WES_HOST 127.0.0.1 - env: - WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} - WCCE_FQDN: ${{ secrets.WCCE_FQDN }} - WES_HOST: ${{ secrets.WES_HOST }} - - - name: "Download container" - uses: actions/download-artifact@v4 - with: - name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz - path: /tmp - - - name: "Import container" - run: | - sudo apt-get install -y docker-compose - gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz - docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar - docker images - - - name: "Prepare container environment" - uses: ./.github/actions/container_prep - with: - DB_HANDLER: ${{ matrix.dbhandler }} - WEB_SRV: ${{ matrix.websrv }} - CONTAINER_BUILD: false - - - name: "Setup tunnel" - uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup - with: - WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }} - WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} - WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} - WCCE_HOST: ${{ secrets.WCCE_HOST }} - 
WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }} - WCCE_FQDN: ${{ secrets.WCCE_FQDN }} - WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} - WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} - - - name: "EAB with headerinfo - Setup a2c with ms_wcce_ca_handler (Kerboros)" - run: | - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py - sudo touch examples/Docker/data/ca_certs.pem - sudo chmod 777 examples/Docker/data/ca_certs.pem - sudo echo "$WCCE_CA_BUNDLE" > examples/Docker/data/ca_certs.pem - sudo touch examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg - sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/mswcce_ca_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "host: $WCCE_FQDN" >> examples/Docker/data/acme_srv.cfg - sudo echo "user: $WCCE_USER" >> examples/Docker/data/acme_srv.cfg - sudo echo "password: $WCCE_PASSWORD" >> examples/Docker/data/acme_srv.cfg - sudo echo "template: $WCCE_TEMPLATE" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_name: $WCCE_CA_NAME" >> examples/Docker/data/acme_srv.cfg - sudo echo "target_domain: $WCCE_ADS_DOMAIN" >> examples/Docker/data/acme_srv.cfg - sudo echo "domain_controller: $RUNNER_IP" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_bundle: volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg - sudo echo "timeout: 20" >> examples/Docker/data/acme_srv.cfg - sudo echo "use_kerberos: True" >> examples/Docker/data/acme_srv.cfg - sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" 
examples/Docker/data/acme_srv.cfg - sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg - - sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg - sudo echo -e "\n\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg - sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg - - sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json - sudo chmod 777 examples/eab_handler/kid_profiles.json - sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"template\"\: \[\"WebServerModified\"\, \"WebServer\"]/g" examples/Docker/data/kid_profiles.json - sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"template\"\: \"WebServerModified\"/g" examples/Docker/data/kid_profiles.json - sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json - sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json - sudo sed -i "s/example.net/acme/g" examples/Docker/data/kid_profiles.json - sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json - sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json - env: - RUNNER_IP: ${{ env.RUNNER_IP }} - DNSMASQ_IP: ${{ env.DNSMASQ_IP }} - WCCE_USER: ${{ secrets.WCCE_USER }} - WCCE_PASSWORD: ${{ secrets.WCCE_PASSWORD }} - WCCE_TEMPLATE: ${{ secrets.WCCE_TEMPLATE }} - WCCE_CA_NAME: ${{ secrets.WCCE_CA_NAME }} - WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} - WCCE_CA_BUNDLE: ${{ secrets.WCCE_CA_BUNDLE }} - WCCE_FQDN: ${{ secrets.WCCE_FQDN }} - - - name: "Bring up a2c container" - uses: ./.github/actions/container_up - with: - DB_HANDLER: ${{ matrix.dbhandler }} - WEB_SRV: ${{ matrix.websrv }} - 
- - name: "EAB with headerinfo - enrollment" - uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_eab - - - name: "Check container configuration" - uses: ./.github/actions/container_check - with: - DB_HANDLER: ${{ matrix.dbhandler }} - WEB_SRV: ${{ matrix.websrv }} - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ - sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ - sudo cp -rp dnsmasq/ ${{ github.workspace }}/artifact/dnsmasq/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego dnsmasq - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v4 - if: ${{ failure() }} - with: - name: mswcce_handler_profiling_tests-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - cleanup: - name: "cleanup" - runs-on: ubuntu-latest - needs: [mscertsrv_handler_tests, mswcce_handler_tests, mswcce_handler_eab_profiling_tests, mscertsrv_handler_eab_profiling_tests ] - strategy: - fail-fast: false - matrix: - websrv: ['apache2', 'nginx'] - dbhandler: ['wsgi', 'django'] - - steps: - - uses: geekyeggo/delete-artifact@v5 - with: - name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz - - rpm_build_and_upload: - name: "rpm_build_and_upload" - runs-on: ubuntu-latest - steps: - - name: "checkout GIT" - uses: actions/checkout@v4 - - - name: "Build rpm package" - id: rpm_build - uses: ./.github/actions/rpm_build_upload - - mscertsrv_handler_tests_rpm: - name: "mscertsrv_handler_tests_rpm" - runs-on: ubuntu-latest 
- needs: rpm_build_and_upload - strategy: - # max-parallel: 1 - fail-fast: false - matrix: - rhversion: [8, 9] - steps: - - name: "checkout GIT" - uses: actions/checkout@v4 - - - name: "Prepare Alma environment" - uses: ./.github/actions/rpm_prep - with: - GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} - GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} - RH_VERSION: ${{ matrix.rhversion }} - RPM_BUILD: false - NAME_SPACE: "local" - - - name: Download rpm package - uses: actions/download-artifact@v4 - with: - name: acme2certifier-${{ github.run_id }}.noarch.rpm - path: data/ - - - name: "Get runner ip" - run: | - echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV - echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV - - - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - - name: "Setup tunnel" - uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup - with: - WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }} - WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} - WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} - WCCE_HOST: ${{ secrets.WCCE_HOST }} - WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }} - WCCE_FQDN: ${{ secrets.WCCE_FQDN }} - WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} - WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} - NAME_SPACE: local - - - name: "KRB - Setup a2c with mscertsrv_ca_handler using kerberos" - run: | - mkdir -p data/acme_ca - sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem - sudo touch data/acme_srv.cfg - sudo chmod 777 data/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg - sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/mscertsrv_ca_handler.py" >> data/acme_srv.cfg - sudo echo "host: $WCCE_FQDN" >> data/acme_srv.cfg - sudo echo "user: $WES_USER" >> data/acme_srv.cfg - sudo echo "password: $WES_PASSWORD" >> data/acme_srv.cfg - sudo echo "auth_method: gssapi" >> data/acme_srv.cfg - sudo 
echo "template: $WES_TEMPLATE" >> data/acme_srv.cfg - sudo echo "ca_bundle: volume/acme_ca/ca_certs.pem" >> data/acme_srv.cfg - sudo echo "krb5_config: volume/acme_ca/krb5.conf" >> data/acme_srv.cfg - sudo echo "verify: False" >> data/acme_srv.cfg - sudo echo "request_timeout: 30" >> data/acme_srv.cfg - sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg - sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" data/acme_srv.cfg - - sudo touch data/acme_ca/krb5.conf - sudo chmod 777 data/acme_ca/krb5.conf - cat < data/acme_ca/krb5.conf - $WES_KRB5_CONF - EOF - - env: - WES_HOST: ${{ secrets.WES_HOST }} - WES_USER: ${{ secrets.WES_USER }} - WES_PASSWORD: ${{ secrets.WES_PASSWORD }} - WES_AUTHMETHOD: ${{ secrets.WES_AUTHMETHOD }} - WES_TEMPLATE: ${{ secrets.WES_TEMPLATE }} - WCCE_FQDN: ${{ secrets.WCCE_FQDN }} - WES_KRB5_CONF: ${{ secrets.WES_KRB5_CONF }} - - - name: "KRB - Execute install scipt" - run: | - docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh - docker exec acme-srv yum install -y krb5-libs - - - name: "KRB - enrollment mit default profile and headerinfo" - uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo - with: - NAME_SPACE: local - - - name: "NTLM - Setup a2c with mscertsrv_ca_handler" - run: | - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg - sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/mscertsrv_ca_handler.py" >> data/acme_srv.cfg - sudo echo "host: $WCCE_FQDN" >> data/acme_srv.cfg - sudo echo "user: $WES_USER" >> data/acme_srv.cfg - sudo echo "password: $WES_PASSWORD" >> data/acme_srv.cfg - sudo echo "auth_method: $WES_AUTHMETHOD" >> data/acme_srv.cfg - sudo echo "template: $WES_TEMPLATE" >> data/acme_srv.cfg - sudo echo "ca_bundle: volume/acme_ca/ca_certs.pem" >> data/acme_srv.cfg - sudo echo "verify: 
False" >> data/acme_srv.cfg - sudo echo "request_timeout: 30" >> data/acme_srv.cfg - sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg - sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" data/acme_srv.cfg - env: - WES_HOST: ${{ secrets.WES_HOST }} - WES_USER: ${{ secrets.WES_USER }} - WES_PASSWORD: ${{ secrets.WES_PASSWORD }} - WES_AUTHMETHOD: ${{ secrets.WES_AUTHMETHOD }} - WES_TEMPLATE: ${{ secrets.WES_TEMPLATE }} - WCCE_FQDN: ${{ secrets.WCCE_FQDN }} - - - name: "NTLM - Reconfigure a2c " - run: | - docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart - - - name: "NTLM - enrollment mit default profile and headerinfo" - uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo - with: - NAME_SPACE: local - - - name: "NTLM - Setup a2c with mscertsrv_ca_handler with allowed_domainlist configuration" - run: | - sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" data/acme_srv.cfg - sudo echo "allowed_domainlist: [\"*.acme\", \"foo1.bar\", \"*.bar.local\"]" >> data/acme_srv.cfg - - - name: "NTLM - Reconfigure a2c " - run: | - docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart - - - name: "NTLM - enrollment allowed domainlist" - uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_allowed_domain_list - with: - NAME_SPACE: local - - - name: "Verify allowed_domainlist error" - run: | - docker exec acme-srv grep -i "either CN or SANs are not allowed by configuration" /var/log/messages - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier - sudo rm -rf data/*.rpm - sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - docker 
exec acme-srv ls -la /tmp > ${{ github.workspace }}/artifact/data/tmp_list - docker exec acme-srv ls -la /tmp - docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v4 - if: ${{ failure() }} - with: - name: mscertsrv_handler_tests_rpm-rh${{ matrix.rhversion }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - mscertsrv_handler_eab_profile_tests_rpm: - name: "mscertsrv_handler_eab_profile_tests_rpm" - runs-on: ubuntu-latest - needs: mscertsrv_handler_tests_rpm - strategy: - # max-parallel: 1 - fail-fast: false - matrix: - rhversion: [8, 9] - steps: - - name: "checkout GIT" - uses: actions/checkout@v4 - - - name: "Prepare Alma environment" - uses: ./.github/actions/rpm_prep - with: - GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} - GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} - RH_VERSION: ${{ matrix.rhversion }} - RPM_BUILD: false - NAME_SPACE: "local" - - - name: Download rpm package - uses: actions/download-artifact@v4 - with: - name: acme2certifier-${{ github.run_id }}.noarch.rpm - path: data/ - - - name: "Get runner ip" - run: | - echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV - echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV - - - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - - name: "Setup tunnel" - uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup - with: - WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }} - WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} - WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} - WCCE_HOST: ${{ secrets.WCCE_HOST }} - WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }} - WCCE_FQDN: ${{ secrets.WCCE_FQDN }} - WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} - WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} 
- NAME_SPACE: local - - - name: "EAB with headerinfo - Setup a2c with mscertsrv_ca_handler using kerberos" - run: | - mkdir -p data/acme_ca - sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem - sudo touch data/acme_srv.cfg - sudo chmod 777 data/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg - sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/mscertsrv_ca_handler.py" >> data/acme_srv.cfg - sudo echo "host: $WCCE_FQDN" >> data/acme_srv.cfg - sudo echo "user: $WES_USER" >> data/acme_srv.cfg - sudo echo "password: $WES_PASSWORD" >> data/acme_srv.cfg - sudo echo "auth_method: gssapi" >> data/acme_srv.cfg - sudo echo "template: $WES_TEMPLATE" >> data/acme_srv.cfg - sudo echo "ca_bundle: volume/acme_ca/ca_certs.pem" >> data/acme_srv.cfg - sudo echo "krb5_config: volume/acme_ca/krb5.conf" >> data/acme_srv.cfg - sudo echo "verify: False" >> data/acme_srv.cfg - sudo echo "request_timeout: 30" >> data/acme_srv.cfg - sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg - sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" data/acme_srv.cfg - - sudo echo "eab_profiling: True" >> data/acme_srv.cfg - sudo echo -e "\n[EABhandler]" >> data/acme_srv.cfg - sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg - sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg - - sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json - sudo chmod 777 data/acme_ca/kid_profiles.json - sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"template\"\: \[\"WebServerModified\"\, \"WebServer\"]/g" data/acme_ca/kid_profiles.json - sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"template\"\: \"WebServerModified\"/g" 
data/acme_ca/kid_profiles.json - sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json - sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json - sudo sed -i "s/example.net/local/g" data/acme_ca/kid_profiles.json - sudo sed -i '18,19d' data/acme_ca/kid_profiles.json - sudo sed -i '8,9d' data/acme_ca/kid_profiles.json - - sudo touch data/acme_ca/krb5.conf - sudo chmod 777 data/acme_ca/krb5.conf - cat < data/acme_ca/krb5.conf - $WES_KRB5_CONF - EOF - env: - WES_HOST: ${{ secrets.WES_HOST }} - WES_USER: ${{ secrets.WES_USER }} - WES_PASSWORD: ${{ secrets.WES_PASSWORD }} - WES_AUTHMETHOD: ${{ secrets.WES_AUTHMETHOD }} - WES_TEMPLATE: ${{ secrets.WES_TEMPLATE }} - WCCE_FQDN: ${{ secrets.WCCE_FQDN }} - WES_KRB5_CONF: ${{ secrets.WES_KRB5_CONF }} - - - name: "KRB - Execute install scipt" - run: | - docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh - docker exec acme-srv yum install -y krb5-libs - - - name: "EAB with headerinfo - enrollment" - uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_eab - with: - NAME_SPACE: local - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier - sudo rm -rf data/*.rpm - sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - docker exec acme-srv ls -la /tmp > ${{ github.workspace }}/artifact/data/tmp_list - docker exec acme-srv ls -la /tmp - docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v4 - if: ${{ failure() }} - with: - name: 
mscertsrv_handler_profile_tests_rpm-rh${{ matrix.rhversion }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - mswcce_handler_tests_rpm: - name: "mswcce_handler_tests_rpm" - runs-on: ubuntu-latest - needs: mscertsrv_handler_tests_rpm - strategy: - # max-parallel: 1 - fail-fast: false - matrix: - rhversion: [8, 9] - steps: - - name: "checkout GIT" - uses: actions/checkout@v4 - - - name: "Prepare Alma environment" - uses: ./.github/actions/rpm_prep - with: - GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} - GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} - RH_VERSION: ${{ matrix.rhversion }} - DJANGO_DB: psql - RPM_BUILD: false - - - name: Download rpm package - uses: actions/download-artifact@v4 - with: - name: acme2certifier-${{ github.run_id }}.noarch.rpm - path: data/ - - - name: "Get runner ip" - run: | - echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV - echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV - - - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - - name: "Install dnsmasq" - run: | - sudo apt-get update - sudo apt-get install -y dnsmasq - sudo systemctl disable systemd-resolved - sudo systemctl stop systemd-resolved - # sudo chmod -R 777 /etc/resolv.conf - # sudo echo "nameserver 8.8.8.8" > /etc/resolv.conf - sudo mkdir -p dnsmasq - sudo cp .github/dnsmasq.conf dnsmasq/ - sudo chmod -R 777 dnsmasq/dnsmasq.conf - sudo sed -i "s/RUNNER_IP/$RUNNER_IP/g" dnsmasq/dnsmasq.conf - sudo echo "address=/$WCCE_FQDN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf - sudo echo "address=/$WCCE_ADS_DOMAIN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf - sudo echo "address=/$WES_HOST/$RUNNER_IP" >> dnsmasq/dnsmasq.conf - cat dnsmasq/dnsmasq.conf - sudo cp dnsmasq/dnsmasq.conf /etc/ - sudo sed -i "s/ --local-service/ /g" /etc/init.d/dnsmasq - sudo systemctl enable dnsmasq - sudo systemctl start dnsmasq - env: - RUNNER_IP: ${{ env.RUNNER_IP }} - WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} - WCCE_FQDN: ${{ secrets.WCCE_FQDN }} 
- WES_HOST: ${{ secrets.WES_HOST }} - - - name: "Test dns resulution" - run: | - host $WCCE_ADS_DOMAIN ${{ env.RUNNER_IP }} - host $WCCE_FQDN ${{ env.RUNNER_IP }} - host $WES_HOST 127.0.0.1 - env: - WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} - WCCE_FQDN: ${{ secrets.WCCE_FQDN }} - WES_HOST: ${{ secrets.WES_HOST }} - - - name: "Create letsencrypt and lego folder" - run: | - mkdir certbot - mkdir lego - mkdir acme-sh - - - name: "Setup tunnel" - uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup - with: - WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }} - WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} - WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} - WCCE_HOST: ${{ secrets.WCCE_HOST }} - WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }} - WCCE_FQDN: ${{ secrets.WCCE_FQDN }} - WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} - WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} - - - name: "NTLM - Prepare acme_srv.cfg with ms_wcce_ca_handler" - run: | - mkdir -p data/acme_ca - sudo touch data/acme_ca/ca_certs.pem - sudo chmod 777 data/acme_ca/ca_certs.pem - sudo echo "$WCCE_CA_BUNDLE" > data/acme_ca/ca_certs.pem - sudo touch data/acme_ca/acme_srv.cfg - sudo chmod 777 data/acme_ca/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg - sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/mswcce_ca_handler.py" >> data/acme_srv.cfg - sudo echo "host: $RUNNER_IP" >> data/acme_srv.cfg - sudo echo "user: $WCCE_USER" >> data/acme_srv.cfg - sudo echo "password: $WCCE_PASSWORD" >> data/acme_srv.cfg - sudo echo "template: $WCCE_TEMPLATE" >> data/acme_srv.cfg - sudo echo "ca_name: $WCCE_CA_NAME" >> data/acme_srv.cfg - sudo echo "target_domain: $WCCE_ADS_DOMAIN" >> data/acme_srv.cfg - sudo echo "ca_bundle: /opt/acme2certifier/volume/acme_ca/ca_certs.pem" >> data/acme_srv.cfg - sudo echo "timeout: 20" >> data/acme_srv.cfg - sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: 
False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg - sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" data/acme_srv.cfg - env: - RUNNER_IP: ${{ env.RUNNER_IP }} - WCCE_USER: ${{ secrets.WCCE_USER }} - WCCE_PASSWORD: ${{ secrets.WCCE_PASSWORD }} - WCCE_TEMPLATE: ${{ secrets.WCCE_TEMPLATE }} - WCCE_CA_NAME: ${{ secrets.WCCE_CA_NAME }} - WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} - WCCE_CA_BUNDLE: ${{ secrets.WCCE_CA_BUNDLE }} - - - name: "NTLM - Execute install scipt" - run: | - docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh - - - name: "NTLM - enrollment mit default profile and headerinfo" - uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo - - - name: "KRB - Setup a2c with ms_wcce_ca_handler (Kerberos)" - run: | - mkdir -p data/acme_ca - sudo touch data/acme_ca/ca_certs.pem - sudo chmod 777 data/acme_ca/ca_certs.pem - sudo echo "$WCCE_CA_BUNDLE" > data/acme_ca/ca_certs.pem - sudo touch data/acme_ca/acme_srv.cfg - sudo chmod 777 data/acme_ca/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg - sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/mswcce_ca_handler.py" >> data/acme_srv.cfg - sudo echo "host: $WCCE_FQDN" >> data/acme_srv.cfg - sudo echo "user: $WCCE_USER" >> data/acme_srv.cfg - sudo echo "password: $WCCE_PASSWORD" >> data/acme_srv.cfg - sudo echo "template: $WCCE_TEMPLATE" >> data/acme_srv.cfg - sudo echo "ca_name: $WCCE_CA_NAME" >> data/acme_srv.cfg - sudo echo "target_domain: $WCCE_ADS_DOMAIN" >> data/acme_srv.cfg - sudo echo "domain_controller: $RUNNER_IP" >> data/acme_srv.cfg - sudo echo "ca_bundle: /opt/acme2certifier/volume/acme_ca/ca_certs.pem" >> data/acme_srv.cfg - sudo echo "timeout: 20" >> data/acme_srv.cfg - sudo echo "use_kerberos: True" >> data/acme_srv.cfg - sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: 
False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg - sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" data/acme_srv.cfg - env: - RUNNER_IP: ${{ env.RUNNER_IP }} - WCCE_USER: ${{ secrets.WCCE_USER }} - WCCE_PASSWORD: ${{ secrets.WCCE_PASSWORD }} - WCCE_TEMPLATE: ${{ secrets.WCCE_TEMPLATE }} - WCCE_CA_NAME: ${{ secrets.WCCE_CA_NAME }} - WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} - WCCE_CA_BUNDLE: ${{ secrets.WCCE_CA_BUNDLE }} - WCCE_FQDN: ${{ secrets.WCCE_FQDN }} - - - name: "KRB - Reconfigure a2c " - run: | - docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart - - - name: "KRB - enrollment mit default profile and headerinfo" - uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo - - - name: "KRB - Setup a2c with mswcce_ca_handler with allowed_domainlist configuration" - run: | - sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" data/acme_srv.cfg - sudo echo "allowed_domainlist: [\"*.acme\", \"foo1.bar\", \"*.bar.local\"]" >> data/acme_srv.cfg - - - name: "KRB - Reconfigure a2c " - run: | - docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart - - - name: "KRB - enrollment allowed domainlist" - uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_allowed_domain_list - - - name: "Verify allowed_domainlist error" - run: | - docker exec acme-srv grep -i "either CN or SANs are not allowed by configuration" /var/log/messages - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier - sudo rm -rf data/*.rpm - sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - sudo cp -rp dnsmasq/ ${{ github.workspace }}/artifact/dnsmasq/ - # docker exec acme-srv cat /etc/nginx/nginx.conf.orig 
> ${{ github.workspace }}/artifact/data/nginx.conf.orig - # docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf - docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh dnsmasq - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v4 - if: ${{ failure() }} - with: - name: mswcce_handler_tests_rpm-rh${{ matrix.rhversion }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - mswcce_handler_eab_profile_tests_rpm: - name: "mswcce_handler_eab_profile_tests_rpm" - runs-on: ubuntu-latest - needs: mscertsrv_handler_tests_rpm - strategy: - # max-parallel: 1 - fail-fast: false - matrix: - rhversion: [8, 9] - steps: - - name: "checkout GIT" - uses: actions/checkout@v4 - - - name: "Prepare Alma environment" - uses: ./.github/actions/rpm_prep - with: - GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} - GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} - RH_VERSION: ${{ matrix.rhversion }} - DJANGO_DB: psql - RPM_BUILD: false - - - name: Download rpm package - uses: actions/download-artifact@v4 - with: - name: acme2certifier-${{ github.run_id }}.noarch.rpm - path: data/ - - - name: "Get runner ip" - run: | - echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV - echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV - - - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - - name: "Install dnsmasq" - run: | - sudo apt-get update - sudo apt-get install -y dnsmasq - sudo systemctl disable systemd-resolved - sudo systemctl stop systemd-resolved - # sudo chmod -R 777 /etc/resolv.conf - # sudo echo "nameserver 8.8.8.8" > /etc/resolv.conf - sudo mkdir -p dnsmasq - sudo cp .github/dnsmasq.conf dnsmasq/ - sudo chmod -R 777 dnsmasq/dnsmasq.conf - sudo sed -i "s/RUNNER_IP/$RUNNER_IP/g" dnsmasq/dnsmasq.conf - 
sudo echo "address=/$WCCE_FQDN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf
- sudo echo "address=/$WCCE_ADS_DOMAIN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf
- sudo echo "address=/$WES_HOST/$RUNNER_IP" >> dnsmasq/dnsmasq.conf
- cat dnsmasq/dnsmasq.conf
- sudo cp dnsmasq/dnsmasq.conf /etc/
- sudo sed -i "s/ --local-service/ /g" /etc/init.d/dnsmasq
- sudo systemctl enable dnsmasq
- sudo systemctl start dnsmasq
- env:
- RUNNER_IP: ${{ env.RUNNER_IP }}
- WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
- WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
- WES_HOST: ${{ secrets.WES_HOST }}
-
- - name: "Test dns resulution"
- run: |
- host $WCCE_ADS_DOMAIN ${{ env.RUNNER_IP }}
- host $WCCE_FQDN ${{ env.RUNNER_IP }}
- host $WES_HOST 127.0.0.1
- env:
- WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
- WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
- WES_HOST: ${{ secrets.WES_HOST }}
-
- - name: "Create letsencrypt and lego folder"
- run: |
- mkdir certbot
- mkdir lego
- mkdir acme-sh
-
- - name: "Setup tunnel"
- uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup
- with:
- WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
- WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
- WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
- WCCE_HOST: ${{ secrets.WCCE_HOST }}
- WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }}
- WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
- WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
- WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
-
- - name: "EAB with headerinfo - Setup a2c with ms_wcce_ca_handler (Kerberos)"
- run: |
- mkdir -p data/acme_ca
- sudo touch data/acme_ca/ca_certs.pem
- sudo chmod 777 data/acme_ca/ca_certs.pem
- sudo echo "$WCCE_CA_BUNDLE" > data/acme_ca/ca_certs.pem
- sudo touch data/acme_ca/acme_srv.cfg
- sudo chmod 777 data/acme_ca/acme_srv.cfg
- sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
- sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/mswcce_ca_handler.py" >> data/acme_srv.cfg
- sudo echo "host: $WCCE_FQDN" >> data/acme_srv.cfg
- sudo echo "user: $WCCE_USER" >> data/acme_srv.cfg
- sudo echo "password: $WCCE_PASSWORD" >> data/acme_srv.cfg
- sudo echo "template: $WCCE_TEMPLATE" >> data/acme_srv.cfg
- sudo echo "ca_name: $WCCE_CA_NAME" >> data/acme_srv.cfg
- sudo echo "target_domain: $WCCE_ADS_DOMAIN" >> data/acme_srv.cfg
- sudo echo "domain_controller: $RUNNER_IP" >> data/acme_srv.cfg
- sudo echo "ca_bundle: /opt/acme2certifier/volume/acme_ca/ca_certs.pem" >> data/acme_srv.cfg
- sudo echo "timeout: 20" >> data/acme_srv.cfg
- sudo echo "use_kerberos: True" >> data/acme_srv.cfg
- sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg
- sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" data/acme_srv.cfg
-
- sudo echo "eab_profiling: True" >> data/acme_srv.cfg
- sudo echo -e "\n[EABhandler]" >> data/acme_srv.cfg
- sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg
- sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg
-
- sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json
- sudo chmod 777 data/acme_ca/kid_profiles.json
- sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"template\"\: \[\"WebServerModified\"\, \"WebServer\"]/g" data/acme_ca/kid_profiles.json
- sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"template\"\: \"WebServerModified\"/g" data/acme_ca/kid_profiles.json
- sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json
- sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json
- sudo sed -i "s/example.net/acme/g" data/acme_ca/kid_profiles.json
- sudo sed -i '18,19d' data/acme_ca/kid_profiles.json
- sudo sed -i '8,9d' data/acme_ca/kid_profiles.json
-
- env:
- RUNNER_IP: ${{ env.RUNNER_IP }}
- WCCE_USER: ${{ secrets.WCCE_USER }}
- WCCE_PASSWORD: ${{ secrets.WCCE_PASSWORD }}
- WCCE_TEMPLATE: ${{ secrets.WCCE_TEMPLATE }}
- WCCE_CA_NAME: ${{ secrets.WCCE_CA_NAME }}
- WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
- WCCE_CA_BUNDLE: ${{ secrets.WCCE_CA_BUNDLE }}
- WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
-
- - name: "EAB with headerinfo - Execute install scipt"
- run: |
- docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
-
- - name: "EAB with headerinfo - enrollment"
- uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_eab
-
- - name: "[ * ] collecting test logs"
- if: ${{ failure() }}
- run: |
- mkdir -p ${{ github.workspace }}/artifact/upload
- docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
- sudo rm -rf data/*.rpm
- sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
- sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
- sudo cp -rp dnsmasq/ ${{ github.workspace }}/artifact/dnsmasq/
- # docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
- # docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
- docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
- sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh dnsmasq
-
- - name: "[ * ] uploading artificates"
- uses: actions/upload-artifact@v4
- if: ${{ failure() }}
- with:
- name: mswcce_handler_profile_tests_rpm-rh${{ matrix.rhversion }}.tar.gz
- path: ${{ github.workspace }}/artifact/upload/
-
- rpm_cleanup:
- name: "rpm_cleanup"
- runs-on: ubuntu-latest
- needs: [mscertsrv_handler_tests_rpm, mscertsrv_handler_eab_profile_tests_rpm, mswcce_handler_tests_rpm, mswcce_handler_eab_profile_tests_rpm]
- steps:
- - name: "Delete artifact"
- uses: geekyeggo/delete-artifact@v5
- with:
- name: acme2certifier-${{ github.run_id }}.noarch.rpm
\ No newline at end of file
diff --git a/.github/workflows/ca_handler_tests_nclm.yml b/.github/workflows/ca_handler_tests_nclm.yml
deleted file mode 100644
index 5f564ba0..00000000
--- a/.github/workflows/ca_handler_tests_nclm.yml
+++ /dev/null
@@ -1,273 +0,0 @@
-name: CA handler tests - NCLM
-
-on:
- push:
- pull_request:
- branches: [ devel ]
- schedule:
- # * is a special character in YAML so you have to quote this string
- - cron: '0 2 * * 6'
-
-jobs:
- nclm_handler_tests:
- name: "nclm_handler_tests"
- runs-on: ubuntu-latest
- strategy:
- fail-fast: false
- # max-parallel: 1
- matrix:
- websrv: ['apache2', 'nginx']
- dbhandler: ['wsgi', 'django']
- steps:
- - name: "checkout GIT"
- uses: actions/checkout@v4
-
- - name: "Generate UUID"
- run: |
- echo UUID=$(uuidgen | cut -d "-" -f1) >> $GITHUB_ENV
- - run: echo "UUID ${{ env.UUID }}"
-
- - name: "Build container"
- uses: ./.github/actions/container_prep
- with:
- DB_HANDLER: ${{ matrix.dbhandler }}
- WEB_SRV: ${{ matrix.websrv }}
-
- - name: "Setup a2c with nclm_ca_handler"
- run: |
- sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
- sudo touch examples/Docker/data/acme_srv.cfg
- sudo chmod 777 examples/Docker/data/acme_srv.cfg
- sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
- sudo echo "handler_file: examples/ca_handler/nclm_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
- sudo echo "api_host: $NCLM_API_HOST" >> examples/Docker/data/acme_srv.cfg
- sudo echo "api_user: $NCLM_API_USER" >> examples/Docker/data/acme_srv.cfg
- sudo echo "api_password: $NCLM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
- sudo echo "tsg_name: $NCLM_TSG_NAME" >> examples/Docker/data/acme_srv.cfg
- sudo echo "ca_name: $NCLM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
- sudo echo "ca_id_list: [$NCLM_CA_ID_LIST]" >> examples/Docker/data/acme_srv.cfg
- sudo echo "request_timeout: 40" >> examples/Docker/data/acme_srv.cfg
- sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> examples/Docker/data/acme_srv.cfg
- sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg
- cd examples/Docker/
- docker-compose restart
- env:
- NCLM_API_HOST: ${{ secrets.NCLM_API_HOST }}
- NCLM_API_USER: ${{ secrets.NCLM_API_USER }}
- NCLM_API_PASSWORD: ${{ secrets.NCLM_API_PASSWORD }}
- NCLM_TSG_NAME: ${{ secrets.NCLM_TSG_NAME }}
- NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }}
- NCLM_CA_ID_LIST: ${{ secrets.NCLM_CA_ID_LIST }}
-
- - name: "Test enrollment"
- uses: ./.github/actions/acme_clients
- with:
- HOSTNAME_SUFFIX: -${{ env.UUID }}
- VERIFY_CERT: false
- TEST_ADL: "true"
-
- - name: "Verify allowed_domainlist error"
- run: |
- cd examples/Docker
- docker-compose logs | grep "allowed_domainlist" | grep -i "either CN or SANs are not allowed by configuration"
-
- - name: "Generate UUID"
- run: |
- echo UUID=$(uuidgen | cut -d "-" -f1) >> $GITHUB_ENV
- - run: echo "UUID ${{ env.UUID }}"
-
- - name: "Reconfigure nclm handler to test enrollment from MSCA"
- run: |
- sudo sed -i "s/ca_name: $NCLM_CA_NAME/ca_name: $NCLM_MSCA_NAME/g" examples/Docker/data/acme_srv.cfg
- sudo echo "template_name: $NCLM_MSCA_TEMPLATE_NAME" >> examples/Docker/data/acme_srv.cfg
- cd examples/Docker/
- docker-compose restart
- env:
- NCLM_MSCA_TEMPLATE_NAME: ${{ secrets.NCLM_MSCA_TEMPLATE_NAME }}
- NCLM_MSCA_NAME: ${{ secrets.NCLM_MSCA_NAME }}
- NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }}
-
- - name: "Test enrollment"
- uses: ./.github/actions/acme_clients
- with:
- USE_RSA: true
- HOSTNAME_SUFFIX: -${{ env.UUID }}
-
- - name: "[ * ] collecting test logs"
- if: ${{ failure() }}
- run: |
- mkdir -p ${{ github.workspace }}/artifact/upload
- mkdir -p ${{ github.workspace }}/artifact/clients
- sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
- # sudo cp *.pem ${{ github.workspace }}/artifact/data/
- sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/clients/acme-sh/
- sudo cp -rp certbot/ ${{ github.workspace }}/artifact/clients/certbot/
- sudo cp -rp lego/ ${{ github.workspace }}/artifact/clients/lego/
- cd examples/Docker
- docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
- sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data clients
-
- - name: "[ * ] uploading artificates"
- uses: actions/upload-artifact@v4
- if: ${{ failure() }}
- with:
- name: nclm_handler_tests-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
- path: ${{ github.workspace }}/artifact/upload/
-
-
- nclm_handler_tests_rpm:
- name: "nclm_handler_tests_rpm"
- runs-on: ubuntu-latest
- strategy:
- fail-fast: false
- # max-parallel: 1
- matrix:
- rhversion: [8, 9]
- execscript: ['rpm_tester.sh', 'django_tester.sh']
-
- steps:
- - name: "checkout GIT"
- uses: actions/checkout@v4
-
- - name: "Generate UUID"
- run: |
- echo UUID=$(uuidgen | cut -d "-" -f1) >> $GITHUB_ENV
- - run: echo "UUID ${{ env.UUID }}"
-
- - name: "Prepare Alma environment"
- uses: ./.github/actions/rpm_prep
- with:
- GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
- GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
- RH_VERSION: ${{ matrix.rhversion }}
-
- - name: "Setup a2c with with nclm_ca_handler"
- if: matrix.execscript == 'rpm_tester.sh'
- run: |
- mkdir -p data/acme_ca
- sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
- sudo touch data/acme_srv.cfg
- sudo chmod 777 data/acme_srv.cfg
- sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
- sudo echo "handler_file: examples/ca_handler/nclm_ca_handler.py" >> data/acme_srv.cfg
- sudo echo "api_host: $NCLM_API_HOST" >> data/acme_srv.cfg
- sudo echo "api_user: $NCLM_API_USER" >> data/acme_srv.cfg
- sudo echo "api_password: $NCLM_API_PASSWORD" >> data/acme_srv.cfg
- sudo echo "tsg_name: $NCLM_TSG_NAME" >> data/acme_srv.cfg
- sudo echo "ca_name: $NCLM_CA_NAME" >> data/acme_srv.cfg
- sudo echo "ca_id_list: [$NCLM_CA_ID_LIST]" >> data/acme_srv.cfg
- sudo echo "request_timeout: 40" >> data/acme_srv.cfg
- sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> data/acme_srv.cfg
- sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 60/g" data/acme_srv.cfg
- env:
- NCLM_API_HOST: ${{ secrets.NCLM_API_HOST }}
- NCLM_API_USER: ${{ secrets.NCLM_API_USER }}
- NCLM_API_PASSWORD: ${{ secrets.NCLM_API_PASSWORD }}
- NCLM_TSG_NAME: ${{ secrets.NCLM_TSG_NAME }}
- NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }}
- NCLM_CA_ID_LIST: ${{ secrets.NCLM_CA_ID_LIST }}
-
- - name: "Setup a2c with with nclm_ca_handler for django"
- if: matrix.execscript == 'django_tester.sh'
- run: |
- sudo mkdir -p data/volume/acme_ca/certs
- sudo cp test/ca/certsrv_ca_certs.pem data/volume/acme_ca/ca_certs.pem
- sudo touch data/volume/acme_srv.cfg
- sudo chmod 777 data/volume/acme_srv.cfg
- sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/volume/acme_srv.cfg
- sudo echo "handler_file: examples/ca_handler/nclm_ca_handler.py" >> data/volume/acme_srv.cfg
- sudo echo "api_host: $NCLM_API_HOST" >> data/volume/acme_srv.cfg
- sudo echo "api_user: $NCLM_API_USER" >> data/volume/acme_srv.cfg
- sudo echo "api_password: $NCLM_API_PASSWORD" >> data/volume/acme_srv.cfg
- sudo echo "tsg_name: $NCLM_TSG_NAME" >> data/volume/acme_srv.cfg
- sudo echo "ca_name: $NCLM_CA_NAME" >> data/volume/acme_srv.cfg
- sudo echo "ca_id_list: [$NCLM_CA_ID_LIST]" >> data/volume/acme_srv.cfg
- sudo echo "request_timeout: 40" >> data/volume/acme_srv.cfg
- sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> data/volume/acme_srv.cfg
- sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 60/g" data/volume/acme_srv.cfg
- env:
- NCLM_API_HOST: ${{ secrets.NCLM_API_HOST }}
- NCLM_API_USER: ${{ secrets.NCLM_API_USER }}
- NCLM_API_PASSWORD: ${{ secrets.NCLM_API_PASSWORD }}
- NCLM_TSG_NAME: ${{ secrets.NCLM_TSG_NAME }}
- NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }}
- NCLM_CA_ID_LIST: ${{ secrets.NCLM_CA_ID_LIST }}
-
- - name: "Execute install scipt"
- run: |
- docker exec acme-srv sh /tmp/acme2certifier/$EXEC_SCRIPT
- env:
- EXEC_SCRIPT: ${{ matrix.execscript }}
-
- - name: "Test enrollment"
- uses: ./.github/actions/acme_clients
- with:
- HOSTNAME_SUFFIX: -${{ env.UUID }}
- VERIFY_CERT: false
- TEST_ADL: "true"
-
- - name: "Verify allowed_domainlist error"
- run: |
- docker exec acme-srv grep -i "either CN or SANs are not allowed by configuration" /var/log/messages
-
- - name: "Generate UUID"
- run: |
- echo UUID=$(uuidgen | cut -d "-" -f1) >> $GITHUB_ENV
- - run: echo "UUID ${{ env.UUID }}"
-
- - name: "Reconfigure nclm handler to test enrollment from MSCA"
- if: matrix.execscript == 'rpm_tester.sh'
- run: |
- sudo sed -i "s/ca_name: $NCLM_CA_NAME/ca_name: $NCLM_MSCA_NAME/g" data/acme_srv.cfg
- sudo echo "template_name: $NCLM_MSCA_TEMPLATE_NAME" >> data/acme_srv.cfg
- env:
- NCLM_MSCA_TEMPLATE_NAME: ${{ secrets.NCLM_MSCA_TEMPLATE_NAME }}
- NCLM_MSCA_NAME: ${{ secrets.NCLM_MSCA_NAME }}
- NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }}
-
- - name: "Reconfigure nclm handler to test enrollment from MSCA"
- if: matrix.execscript == 'django_tester.sh'
- run: |
- sudo sed -i "s/ca_name: $NCLM_CA_NAME/ca_name: $NCLM_MSCA_NAME/g" data/volume/acme_srv.cfg
- sudo echo "template_name: $NCLM_MSCA_TEMPLATE_NAME" >> data/volume/acme_srv.cfg
- env:
- NCLM_MSCA_TEMPLATE_NAME: ${{ secrets.NCLM_MSCA_TEMPLATE_NAME }}
- NCLM_MSCA_NAME: ${{ secrets.NCLM_MSCA_NAME }}
- NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }}
-
- - name: "Execute install scipt"
- run: |
- docker exec acme-srv sh /tmp/acme2certifier/$EXEC_SCRIPT restart
- env:
- EXEC_SCRIPT: ${{ matrix.execscript }}
-
- - name: "Test enrollment"
- uses: ./.github/actions/acme_clients
- with:
- USE_RSA: true
- HOSTNAME_SUFFIX: -${{ env.UUID }}
-
- - name: "[ * ] collecting test logs"
- if: ${{ failure() }}
- continue-on-error: true
- run: |
- mkdir -p ${{ github.workspace }}/artifact/upload
- mkdir -p ${{ github.workspace }}/artifact/clients
- docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
- sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
- # sudo cp *.pem ${{ github.workspace }}/artifact/data/
- sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/clients/acme-sh/
- sudo cp -rp certbot/ ${{ github.workspace }}/artifact/clients/certbot/
- sudo cp -rp lego/ ${{ github.workspace }}/artifact/clients/lego/
- sudo rm ${{ github.workspace }}/artifact/data/*.rpm
- docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
- docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
- docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
- sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data clients acme-srv.log
-
- - name: "[ * ] uploading artificates"
- uses: actions/upload-artifact@v4
- if: ${{ failure() }}
- with:
- name: nclm_ca_handler_rpm-rh${{ matrix.rhversion }}-${{ matrix.execscript}}.tar.gz
- path: ${{ github.workspace }}/artifact/upload/
\ No newline at end of file