diff --git a/.github/workflows/ca_handler_tests_digicert.yml b/.github/workflows/ca_handler_tests_digicert.yml
deleted file mode 100644
index 119d390e..00000000
--- a/.github/workflows/ca_handler_tests_digicert.yml
+++ /dev/null
@@ -1,300 +0,0 @@ -name: CA handler Tests - Digicert CertCentral - -on: - push: - branches: [ 'devel', 'master', 'adl_wf'] - pull_request: - branches: [ devel ] - schedule: - # * is a special character in YAML so you have to quote this string - - cron: '0 2 * * 6' - -jobs: - digicert_handler_tests: - name: "digicert_handler_tests" - runs-on: ubuntu-latest - strategy: - max-parallel: 1 - fail-fast: false - matrix: - websrv: ['apache2'] - dbhandler: ['wsgi', 'django'] - steps: - - name: "checkout GIT" - uses: actions/checkout@v4 - - - name: "create folders" - run: | - mkdir lego - mkdir acme-sh - mkdir certbot - - - name: "Build container" - uses: ./.github/actions/container_prep - with: - DB_HANDLER: ${{ matrix.dbhandler }} - WEB_SRV: ${{ matrix.websrv }} - NAME_SPACE: acme.dynamop.de - - - name: "Setup a2c with digicert_ca_handler" - run: | - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg - sudo echo "handler_file: examples/ca_handler/digicert_ca_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "api_key: $DIGICERT_API_KEY" >> examples/Docker/data/acme_srv.cfg - sudo echo "organization_name: $DIGICERT_ORGNAME" >> examples/Docker/data/acme_srv.cfg - sudo echo "allowed_domainlist: [\"$DIGICERT_DOMAIN\", \"bar.local$\"]" >> examples/Docker/data/acme_srv.cfg - sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - env: - DIGICERT_API_KEY: ${{ secrets.DIGICERT_API_KEY }} - DIGICERT_ORGNAME: ${{ secrets.DIGICERT_ORGNAME }} - DIGICERT_DOMAIN: ${{ secrets.DIGICERT_DOMAIN }} - - - name: "Test enrollment" - uses: 
./.github/actions/acme_clients - with: - NAME_SPACE: acme.dynamop.de - USE_CERTBOT: false - TEST_ADL: "true" - - - name: "Verify allowed_domainlist error" - run: | - cd examples/Docker - docker-compose logs | grep "allowed_domainlist" | grep -i "either CN or SANs are not allowed by configuration" - - - name: "EAB - Setup a2c with digicert_ca_handler" - run: | - mkdir -p examples/Docker/data - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg - sudo echo "handler_file: examples/ca_handler/digicert_ca_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "api_key: $DIGICERT_API_KEY" >> examples/Docker/data/acme_srv.cfg - sudo echo "organization_name: $DIGICERT_ORGNAME" >> examples/Docker/data/acme_srv.cfg - sudo echo "allowed_domainlist: [\"$DIGICERT_DOMAIN\", \"bar.local$\"]" >> examples/Docker/data/acme_srv.cfg - sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" examples/Docker/data/acme_srv.cfg - sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg - sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg - sudo echo -e "\n\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg - sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg - - sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json - sudo chmod 777 examples/eab_handler/kid_profiles.json - sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", 
\"profile_3\"\]/\"cert_type\"\: \[\"ssl_basic\", \"ssl_securesite_pro\", \"ssl_securesite_flex\"\]/g" examples/Docker/data/kid_profiles.json - sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"cert_type\"\: \"ssl_securesite_pro\"/g" examples/Docker/data/kid_profiles.json - sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json - sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json - sudo sed -i "s/www.example.org/*.acme.dynamop.de/g" examples/Docker/data/kid_profiles.json - sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json - sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json - cd examples/Docker/ - docker-compose restart - env: - DIGICERT_API_KEY: ${{ secrets.DIGICERT_API_KEY }} - DIGICERT_ORGNAME: ${{ secrets.DIGICERT_ORGNAME }} - DIGICERT_DOMAIN: ${{ secrets.DIGICERT_DOMAIN }} - - - name: "EAB - Test enrollment" - uses: ./.github/actions/wf_specific/digicert_ca_handler/enroll_eab - - - name: "Check container configuration" - uses: ./.github/actions/container_check - with: - DB_HANDLER: ${{ matrix.dbhandler }} - WEB_SRV: ${{ matrix.websrv }} - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ - sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v4 - if: ${{ failure() }} - with: - name: digicert-${{ matrix.websrv }}-${{ 
matrix.dbhandler }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - digicert_ca_handler_tests_rpm: - name: "digicert_ca_handler_tests_rpm" - runs-on: ubuntu-latest - strategy: - max-parallel: 1 - fail-fast: false - matrix: - rhversion: [8] - execscript: ['rpm_tester.sh', 'django_tester.sh'] - - steps: - - name: "checkout GIT" - uses: actions/checkout@v4 - - - name: "Prepare Alma environment" - uses: ./.github/actions/rpm_prep - with: - GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} - GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} - RH_VERSION: ${{ matrix.rhversion }} - NAME_SPACE: acme.dynamop.de - - - name: "Setup a2c with digicert_ca_handler" - if: matrix.execscript == 'rpm_tester.sh' - run: | - sudo mkdir -p data/acme_ca/certs - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg - sudo chmod 777 data/acme_srv.cfg - sudo cp test/ca/certsrv_ca_certs.pem data/ca_certs.pem - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg - sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/digicert_ca_handler.py" >> data/acme_srv.cfg - sudo echo "api_key: $DIGICERT_API_KEY" >> data/acme_srv.cfg - sudo echo "organization_name: $DIGICERT_ORGNAME" >> data/acme_srv.cfg - sudo echo "allowed_domainlist: [\"$DIGICERT_DOMAIN\", \"bar.local$\"]" >> data/acme_srv.cfg - sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" data/acme_srv.cfg - env: - DIGICERT_API_KEY: ${{ secrets.DIGICERT_API_KEY }} - DIGICERT_ORGNAME: ${{ secrets.DIGICERT_ORGNAME }} - DIGICERT_DOMAIN: ${{ secrets.DIGICERT_DOMAIN }} - - - name: "Setup a2c with digicert_ca_handler for django" - if: matrix.execscript == 'django_tester.sh' - run: | - sudo mkdir -p data/volume/acme_ca/certs - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/volume/acme_srv.cfg - sudo chmod 777 data/volume/acme_srv.cfg - sudo cp test/ca/certsrv_ca_certs.pem 
data/volume/ca_certs.pem - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/volume/acme_srv.cfg - sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/digicert_ca_handler.py" >> data/volume/acme_srv.cfg - sudo echo "api_key: $DIGICERT_API_KEY" >> data/volume/acme_srv.cfg - sudo echo "organization_name: $DIGICERT_ORGNAME" >> data/volume/acme_srv.cfg - sudo echo "allowed_domainlist: [\"$DIGICERT_DOMAIN\", \"bar.local$\"]" >> data/volume/acme_srv.cfg - sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" data/volume/acme_srv.cfg - env: - DIGICERT_API_KEY: ${{ secrets.DIGICERT_API_KEY }} - DIGICERT_ORGNAME: ${{ secrets.DIGICERT_ORGNAME }} - DIGICERT_DOMAIN: ${{ secrets.DIGICERT_DOMAIN }} - - - name: "Execute install scipt" - run: | - docker exec acme-srv sh /tmp/acme2certifier/$EXEC_SCRIPT - env: - EXEC_SCRIPT: ${{ matrix.execscript }} - - - name: "Test enrollment" - uses: ./.github/actions/acme_clients - with: - NAME_SPACE: acme.dynamop.de - USE_CERTBOT: false - TEST_ADL: "true" - - - name: "Verify allowed_domainlist error" - run: | - docker exec acme-srv grep -i "either CN or SANs are not allowed by configuration" /var/log/messages - - - name: "EAB - Setup a2c with digicert_ca_handler" - if: matrix.execscript == 'rpm_tester.sh' - run: | - sudo mkdir -p data/acme_ca/certs - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg - sudo cp test/ca/certsrv_ca_certs.pem data/ca_certs.pem - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg - sudo echo "handler_file: examples/ca_handler/digicert_ca_handler.py" >> data/acme_srv.cfg - sudo echo "api_key: $DIGICERT_API_KEY" >> data/acme_srv.cfg - sudo echo "organization_name: $DIGICERT_ORGNAME" >> data/acme_srv.cfg - sudo echo "allowed_domainlist: [\"$DIGICERT_DOMAIN\", \"bar.local$\"]" >> data/acme_srv.cfg - sudo sed -i 
"s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" data/acme_srv.cfg - sudo echo "eab_profiling: True" >> data/acme_srv.cfg - sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg - sudo echo -e "\n\n[EABhandler]" >> data/acme_srv.cfg - sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg - sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg - - sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json - sudo chmod 777 data/acme_ca/kid_profiles.json - sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"cert_type\"\: \[\"ssl_basic\", \"ssl_securesite_pro\", \"ssl_securesite_flex\"\]/g" data/acme_ca/kid_profiles.json - sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"cert_type\"\: \"ssl_securesite_pro\"/g" data/acme_ca/kid_profiles.json - sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json - sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json - sudo sed -i "s/www.example.org/*.acme.dynamop.de/g" data/acme_ca/kid_profiles.json - sudo sed -i '18,19d' data/acme_ca/kid_profiles.json - sudo sed -i '8,9d' data/acme_ca/kid_profiles.json - env: - DIGICERT_API_KEY: ${{ secrets.DIGICERT_API_KEY }} - DIGICERT_ORGNAME: ${{ secrets.DIGICERT_ORGNAME }} - DIGICERT_DOMAIN: ${{ secrets.DIGICERT_DOMAIN }} - - - name: "EAB - Setup a2c with digicert_ca_handler" - if: matrix.execscript == 'django_tester.sh' - run: | - sudo mkdir -p data/volume/acme_ca/certs - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/volume/acme_srv.cfg - sudo chmod 777 data/volume/acme_srv.cfg - sudo cp test/ca/certsrv_ca_certs.pem data/ca_certs.pem - sudo head -n -8 
.github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/volume/acme_srv.cfg - sudo echo "handler_file: examples/ca_handler/digicert_ca_handler.py" >> data/volume/acme_srv.cfg - sudo echo "api_key: $DIGICERT_API_KEY" >> data/volume/acme_srv.cfg - sudo echo "organization_name: $DIGICERT_ORGNAME" >> data/volume/acme_srv.cfg - sudo echo "allowed_domainlist: [\"$DIGICERT_DOMAIN\", \"bar.local$\"]" >> data/volume/acme_srv.cfg - sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" data/volume/acme_srv.cfg - sudo echo "eab_profiling: True" >> data/volume/acme_srv.cfg - sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/volume/acme_srv.cfg - sudo echo -e "\n\n[EABhandler]" >> data/volume/acme_srv.cfg - sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/volume/acme_srv.cfg - sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/volume/acme_srv.cfg - - sudo cp examples/eab_handler/kid_profiles.json data/volume/acme_ca/kid_profiles.json - sudo chmod 777 data/volume/acme_ca/kid_profiles.json - sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"cert_type\"\: \[\"ssl_basic\", \"ssl_securesite_pro\", \"ssl_securesite_flex\"\]/g" data/volume/acme_ca/kid_profiles.json - sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"cert_type\"\: \"ssl_securesite_pro\"/g" data/volume/acme_ca/kid_profiles.json - sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" data/volume/acme_ca/kid_profiles.json - sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"unknown_key\": \"unknown_value\"/g" data/volume/acme_ca/kid_profiles.json - sudo sed -i "s/www.example.org/*.acme.dynamop.de/g" data/volume/acme_ca/kid_profiles.json - sudo sed -i '18,19d' data/volume/acme_ca/kid_profiles.json - sudo sed -i '8,9d' 
data/volume/acme_ca/kid_profiles.json - env: - DIGICERT_API_KEY: ${{ secrets.DIGICERT_API_KEY }} - DIGICERT_ORGNAME: ${{ secrets.DIGICERT_ORGNAME }} - DIGICERT_DOMAIN: ${{ secrets.DIGICERT_DOMAIN }} - - - name: "Reconfigure a2c" - run: | - docker exec acme-srv sh /tmp/acme2certifier/$EXEC_SCRIPT restart - env: - EXEC_SCRIPT: ${{ matrix.execscript }} - - - name: "EAB - Test enrollment" - uses: ./.github/actions/wf_specific/digicert_ca_handler/enroll_eab - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier - sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ - sudo rm ${{ github.workspace }}/artifact/data/*.rpm - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ - sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ - docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig - docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf - docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh certbot lego - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v4 - if: ${{ failure() }} - with: - name: digicert_ca_handler_tests_rpm-rh${{ matrix.rhversion }}-${{ matrix.execscript }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/
diff --git a/.github/workflows/ca_handler_tests_ejbca.yml b/.github/workflows/ca_handler_tests_ejbca.yml
deleted file mode 100644
index 5475e09b..00000000
--- a/.github/workflows/ca_handler_tests_ejbca.yml
+++ /dev/null
@@ -1,335 +0,0 @@ -name: CA handler tests - EJBCA handler - -on: - push: - pull_request: - branches: [ devel ] - schedule: - # * is a special character in YAML so you have to quote this string - - cron: '0 2 * * 6' - -jobs: - ejb_ca_tests: - name: "ejbca_hander_handler_tests docker image" - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - websrv: ['apache2', 'nginx'] - dbhandler: ['wsgi', 'django'] - - steps: - - name: "checkout GIT" - uses: actions/checkout@v4 - - - name: "Get runner ip" - run: | - echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV - echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV - - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - - name: "Instanciate ejbca" - uses: ./.github/actions/wf_specific/ejbca_ca_handler/ejbca_prep - with: - RUNNER_IP: ${{ env.RUNNER_IP }} - WORKING_DIR: ${{ github.workspace }}/examples/Docker - - - name: "Build container" - uses: ./.github/actions/container_prep - with: - DB_HANDLER: ${{ matrix.dbhandler }} - WEB_SRV: ${{ matrix.websrv }} - - - name: "Default - setup a2c with ejbca_ca_handler" - run: | - sudo touch examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg - sudo echo "handler_file: examples/ca_handler/ejbca_ca_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "api_host: https://ejbca" >> examples/Docker/data/acme_srv.cfg - sudo echo "cert_file: volume/acme_ca/superadmin.p12" >> examples/Docker/data/acme_srv.cfg - sudo echo "cert_passphrase: $SAEC" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_bundle: volume/acme_ca/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_name: acmesubca" >> examples/Docker/data/acme_srv.cfg - sudo echo "cert_profile_name: acmeca1" >> examples/Docker/data/acme_srv.cfg - sudo echo "ee_profile_name: acmeca" >> 
examples/Docker/data/acme_srv.cfg - sudo echo "username: acme_srv" >> examples/Docker/data/acme_srv.cfg - sudo echo "enrollment_code: acme_srv" >> examples/Docker/data/acme_srv.cfg - sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - env: - SAEC: ${{ env.SAEC }} - - - name: "Test enrollment" - uses: ./.github/actions/acme_clients - with: - TEST_ADL: "true" - - - name: "Verify allowed_domainlist error" - run: | - cd examples/Docker - docker-compose logs | grep "allowed_domainlist" | grep -i "either CN or SANs are not allowed by configuration" - - - name: "EAB without headerinfo - setup a2c with ejbca_ca_handler" - run: | - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg - sudo echo "handler_file: examples/ca_handler/ejbca_ca_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "api_host: https://ejbca" >> examples/Docker/data/acme_srv.cfg - sudo echo "cert_file: volume/acme_ca/superadmin.p12" >> examples/Docker/data/acme_srv.cfg - sudo echo "cert_passphrase: $SAEC" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_bundle: volume/acme_ca/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_name: acmesubca" >> examples/Docker/data/acme_srv.cfg - sudo echo "cert_profile_name: acmeca1" >> examples/Docker/data/acme_srv.cfg - sudo echo "ee_profile_name: acmeca" >> examples/Docker/data/acme_srv.cfg - sudo echo "username: acme_srv" >> examples/Docker/data/acme_srv.cfg - sudo echo "enrollment_code: acme_srv" >> examples/Docker/data/acme_srv.cfg - sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg - - sudo echo -e "\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg - sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "key_file: volume/kid_profiles.json" >> 
examples/Docker/data/acme_srv.cfg - - sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json - sudo chmod 777 examples/eab_handler/kid_profiles.json - sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"cert_profile_name\"\: \[\"acmeca2\", \"acmeca1\"\]/g" examples/Docker/data/kid_profiles.json - sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"cert_profile_name\"\: \"acmeca2\"/g" examples/Docker/data/kid_profiles.json - sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"acmeca\"/" examples/Docker/data/kid_profiles.json - sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown\": \"unknown\"/g" examples/Docker/data/kid_profiles.json - sudo sed -i "s/example.net/acme/g" examples/Docker/data/kid_profiles.json - sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json - sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json - cd examples/Docker/ - docker-compose restart - docker-compose logs - env: - SAEC: ${{ env.SAEC }} - - - name: "EAB without headerinfo - enrollment" - uses: ./.github/actions/wf_specific/ejbca_ca_handler/enroll_eab_wo_headerinfo - - - name: "EAB with headerinfo - setup a2c with ejbca_ca_handler" - run: | - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg - sudo echo "handler_file: examples/ca_handler/ejbca_ca_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "api_host: https://ejbca" >> examples/Docker/data/acme_srv.cfg - sudo echo "cert_file: volume/acme_ca/superadmin.p12" >> examples/Docker/data/acme_srv.cfg - sudo echo "cert_passphrase: $SAEC" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_bundle: volume/acme_ca/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_name: acmesubca" >> examples/Docker/data/acme_srv.cfg - sudo echo "cert_profile_name: acmeca1" >> examples/Docker/data/acme_srv.cfg - sudo echo "ee_profile_name: acmeca" >> examples/Docker/data/acme_srv.cfg - sudo echo 
"username: acme_srv" >> examples/Docker/data/acme_srv.cfg - sudo echo "enrollment_code: acme_srv" >> examples/Docker/data/acme_srv.cfg - sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg - sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg - - sudo echo -e "\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg - sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg - - sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json - sudo chmod 777 examples/eab_handler/kid_profiles.json - sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"cert_profile_name\"\: \[\"acmeca2\", \"acmeca1\"\]/g" examples/Docker/data/kid_profiles.json - sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"cert_profile_name\"\: \"acmeca2\"/g" examples/Docker/data/kid_profiles.json - sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"acmeca\"/" examples/Docker/data/kid_profiles.json - sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown\": \"unknown\"/g" examples/Docker/data/kid_profiles.json - sudo sed -i "s/example.net/acme/g" examples/Docker/data/kid_profiles.json - sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json - sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json - cd examples/Docker/ - docker-compose restart - docker-compose logs - env: - SAEC: ${{ env.SAEC }} - - - name: "EAB with headerinfo - enrollment" - uses: ./.github/actions/wf_specific/ejbca_ca_handler/enroll_eab_w_headerinfo - - - name: "Check container configuration" - uses: ./.github/actions/container_check - with: - DB_HANDLER: ${{ matrix.dbhandler }} - WEB_SRV: ${{ matrix.websrv }} - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ 
github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ - sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ - docker logs ejbca > ${{ github.workspace }}/artifact/ejbca.log - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/a2c.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz ejbca.log a2c.log data acme-sh certbot lego - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v4 - if: ${{ failure() }} - with: - name: ejbca-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - ejbca_ca_handler_tests_rpm: - name: " ejbca_ca_handler_tests_rpm" - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - rhversion: [8, 9] - steps: - - - name: "checkout GIT" - uses: actions/checkout@v4 - - - name: "Get runner ip" - run: | - echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV - echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV - - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - - name: "Instanciate ejbca" - uses: ./.github/actions/wf_specific/ejbca_ca_handler/ejbca_prep - with: - RUNNER_IP: ${{ env.RUNNER_IP }} - WORKING_DIR: ${{ github.workspace }} - - - name: "Prepare Alma environment" - uses: ./.github/actions/rpm_prep - with: - GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} - GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} - RH_VERSION: ${{ matrix.rhversion }} - - - name: "Default - setup a2c with ejbca_ca_handler" - run: | - sudo touch data/acme_srv.cfg - sudo chmod 777 data/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg - sudo echo "handler_file: 
/opt/acme2certifier/examples/ca_handler/ejbca_ca_handler.py" >> data/acme_srv.cfg - sudo echo "api_host: https://ejbca" >> data/acme_srv.cfg - sudo echo "cert_file: /opt/acme2certifier/volume/acme_ca/superadmin.p12" >> data/acme_srv.cfg - sudo echo "cert_passphrase: $SAEC" >> data/acme_srv.cfg - sudo echo "ca_bundle: /opt/acme2certifier/volume/acme_ca/ca_bundle.pem" >> data/acme_srv.cfg - sudo echo "ca_name: acmesubca" >> data/acme_srv.cfg - sudo echo "cert_profile_name: acmeca1" >> data/acme_srv.cfg - sudo echo "ee_profile_name: acmeca" >> data/acme_srv.cfg - sudo echo "username: acme_srv" >> data/acme_srv.cfg - sudo echo "enrollment_code: acme_srv" >> data/acme_srv.cfg - sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> data/acme_srv.cfg - env: - SAEC: ${{ env.SAEC }} - - - name: "Execute install scipt" - run: | - docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh - - - name: "Test enrollment" - uses: ./.github/actions/acme_clients - with: - TEST_ADL: "true" - - - name: "Verify allowed_domainlist error" - run: | - docker exec acme-srv grep -i "either CN or SANs are not allowed by configuration" /var/log/messages - - - name: "EAB without headerinfo - setup a2c with ejbca_ca_handler" - run: | - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg - sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/ejbca_ca_handler.py" >> data/acme_srv.cfg - sudo echo "api_host: https://ejbca" >> data/acme_srv.cfg - sudo echo "cert_file: /opt/acme2certifier/volume/acme_ca/superadmin.p12" >> data/acme_srv.cfg - sudo echo "cert_passphrase: $SAEC" >> data/acme_srv.cfg - sudo echo "ca_bundle: /opt/acme2certifier/volume/acme_ca/ca_bundle.pem" >> data/acme_srv.cfg - sudo echo "ca_name: acmesubca" >> data/acme_srv.cfg - sudo echo "cert_profile_name: acmeca1" >> data/acme_srv.cfg - sudo echo "ee_profile_name: acmeca" >> data/acme_srv.cfg - sudo echo "username: acme_srv" >> data/acme_srv.cfg - sudo echo 
"enrollment_code: acme_srv" >> data/acme_srv.cfg - sudo echo "eab_profiling: True" >> data/acme_srv.cfg - - sudo echo -e "\n[EABhandler]" >> data/acme_srv.cfg - sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg - sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg - - sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json - sudo chmod 777 data/acme_ca/kid_profiles.json - sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"cert_profile_name\"\: \[\"acmeca2\", \"acmeca1\"\]/g" data/acme_ca/kid_profiles.json - sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"cert_profile_name\"\: \"acmeca2\"/g" data/acme_ca/kid_profiles.json - sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"acmeca\"/" data/acme_ca/kid_profiles.json - sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown\": \"unknown\"/g" data/acme_ca/kid_profiles.json - sudo sed -i "s/example.net/acme/g" data/acme_ca/kid_profiles.json - sudo sed -i '18,19d' data/acme_ca/kid_profiles.json - sudo sed -i '8,9d' data/acme_ca/kid_profiles.json - env: - SAEC: ${{ env.SAEC }} - - - name: "EAB without headerinfo - Reconfigure a2c " - run: | - docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart - - - name: "EAB without headerinfo - enrollment" - uses: ./.github/actions/wf_specific/ejbca_ca_handler/enroll_eab_wo_headerinfo - - - name: "EAB with headerinfo - setup a2c with ejbca_ca_handler" - run: | - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg - sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/ejbca_ca_handler.py" >> data/acme_srv.cfg - sudo echo "api_host: https://ejbca" >> data/acme_srv.cfg - sudo echo "cert_file: /opt/acme2certifier/volume/acme_ca/superadmin.p12" >> data/acme_srv.cfg - sudo echo "cert_passphrase: $SAEC" >> data/acme_srv.cfg - sudo echo "ca_bundle: 
/opt/acme2certifier/volume/acme_ca/ca_bundle.pem" >> data/acme_srv.cfg - sudo echo "ca_name: acmesubca" >> data/acme_srv.cfg - sudo echo "cert_profile_name: acmeca1" >> data/acme_srv.cfg - sudo echo "ee_profile_name: acmeca" >> data/acme_srv.cfg - sudo echo "username: acme_srv" >> data/acme_srv.cfg - sudo echo "enrollment_code: acme_srv" >> data/acme_srv.cfg - sudo echo "eab_profiling: True" >> data/acme_srv.cfg - sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg - - sudo echo -e "\n[EABhandler]" >> data/acme_srv.cfg - sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg - sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg - - sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json - sudo chmod 777 data/acme_ca/kid_profiles.json - sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"cert_profile_name\"\: \[\"acmeca2\", \"acmeca1\"\]/g" data/acme_ca/kid_profiles.json - sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"cert_profile_name\"\: \"acmeca2\"/g" data/acme_ca/kid_profiles.json - sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"acmeca\"/" data/acme_ca/kid_profiles.json - sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown\": \"unknown\"/g" data/acme_ca/kid_profiles.json - sudo sed -i "s/example.net/acme/g" data/acme_ca/kid_profiles.json - sudo sed -i '18,19d' data/acme_ca/kid_profiles.json - sudo sed -i '8,9d' data/acme_ca/kid_profiles.json - env: - SAEC: ${{ env.SAEC }} - - - name: "EAB with headerinfo - Reconfigure a2c " - run: | - docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart - - - name: "EAB with headerinfo - enrollment" - uses: ./.github/actions/wf_specific/ejbca_ca_handler/enroll_eab_w_headerinfo - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ 
github.workspace }}/artifact/upload - docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier - docker logs ejbca > ${{ github.workspace }}/artifact/ejbca.log - sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ - sudo rm ${{ github.workspace }}/artifact/data/*.rpm - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig - docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf - docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data ejbca.log acme-srv.log acme-sh - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v4 - if: ${{ failure() }} - with: - name: ejb_rpm-rh${{ matrix.rhversion }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/
\ No newline at end of file
diff --git a/.github/workflows/ca_handler_tests_msca.yml b/.github/workflows/ca_handler_tests_msca.yml
new file mode 100644
index 00000000..5a234ee8
--- /dev/null
+++ b/.github/workflows/ca_handler_tests_msca.yml
@@ -0,0 +1,1457 @@ +name: CA handler tests - MicrosoftCA + +on: + push: + pull_request: + branches: [ devel ] + schedule: + # * is a special character in YAML so you have to quote this string + - cron: '0 2 * * 6' + +jobs: + container_build: + name: "container_build" + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + websrv: ['apache2', 'nginx'] + dbhandler: ['wsgi', 'django'] + + steps: + - name: "checkout GIT" + uses: actions/checkout@v4 + + - name: "Build container" + uses: ./.github/actions/container_build_upload + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + + mscertsrv_handler_tests: + name: "mscertsrv_handler_tests" + runs-on: ubuntu-latest + needs: container_build + strategy: + fail-fast: false + # max-parallel: 1 + matrix: + websrv: ['apache2', 'nginx'] + dbhandler: ['wsgi', 'django'] + steps: + - name: "checkout GIT" + uses: actions/checkout@v4 + + - name: "Download container" + uses: actions/download-artifact@v4 + with: + name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + path: /tmp + + - name: "Import container" + run: | + sudo apt-get install -y docker-compose + gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar + docker images + + - name: "Prepare container environment" + uses: ./.github/actions/container_prep + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + CONTAINER_BUILD: false + NAME_SPACE: local + + - name: "Get runner ip" + run: | + echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV + echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV + + - run: echo "runner IP is ${{ env.RUNNER_IP }}" + + - name: "Setup tunnel" + uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup + with: + WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }} + 
WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} + WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} + WCCE_HOST: ${{ secrets.WCCE_HOST }} + WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }} + WCCE_FQDN: ${{ secrets.WCCE_FQDN }} + WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} + WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} + NAME_SPACE: local + + - name: "KRB - Setup a2c with mscertsrv_ca_handler using kerberos" + run: | + sudo touch examples/Docker/data/ca_certs.pem + sudo chmod 777 examples/Docker/data/ca_certs.pem + sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem + sudo touch examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/mscertsrv_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "host: $WCCE_FQDN" >> examples/Docker/data/acme_srv.cfg + sudo echo "user: $WES_USER" >> examples/Docker/data/acme_srv.cfg + sudo echo "password: $WES_PASSWORD" >> examples/Docker/data/acme_srv.cfg + sudo echo "auth_method: gssapi" >> examples/Docker/data/acme_srv.cfg + sudo echo "template: $WES_TEMPLATE" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_bundle: /var/www/acme2certifier/volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg + sudo echo "krb5_config: /var/www/acme2certifier/volume/krb5.conf" >> examples/Docker/data/acme_srv.cfg + sudo echo "verify: False" >> examples/Docker/data/acme_srv.cfg + sudo echo "request_timeout: 30" >> examples/Docker/data/acme_srv.cfg + sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg + sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg + + sudo touch examples/Docker/data/krb5.conf + sudo chmod 777 
examples/Docker/data/krb5.conf + cat < examples/Docker/data/krb5.conf + $WES_KRB5_CONF + EOF + env: + WES_HOST: ${{ secrets.WES_HOST }} + WES_USER: ${{ secrets.WES_USER }} + WES_PASSWORD: ${{ secrets.WES_PASSWORD }} + WES_TEMPLATE: ${{ secrets.WES_TEMPLATE }} + WES_AUTHMETHOD: ${{ secrets.WES_AUTHMETHOD }} + WCCE_HOST: ${{ secrets.WCCE_HOST }} + WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} + WES_KRB5_CONF: ${{ secrets.WES_KRB5_CONF }} + WCCE_FQDN: ${{ secrets.WCCE_FQDN }} + WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }} + + - name: "Bring up a2c container" + uses: ./.github/actions/container_up + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + NAME_SPACE: local + + - name: "Sleep for 10s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 10s + + - name: "KRB - enrollment mit default profile and headerinfo" + uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo + with: + NAME_SPACE: local + + - name: "NTLM - Setup a2c with mscertsrv_ca_handler using ntlm" + run: | + sudo touch examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/mscertsrv_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "host: $WCCE_FQDN" >> examples/Docker/data/acme_srv.cfg + sudo echo "user: $WES_USER" >> examples/Docker/data/acme_srv.cfg + sudo echo "password: $WES_PASSWORD" >> examples/Docker/data/acme_srv.cfg + sudo echo "auth_method: ntlm" >> examples/Docker/data/acme_srv.cfg + sudo echo "template: $WES_TEMPLATE" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_bundle: /var/www/acme2certifier/volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg + sudo echo "verify: False" >> examples/Docker/data/acme_srv.cfg + sudo echo "request_timeout: 30" >> examples/Docker/data/acme_srv.cfg + sudo sed -i "s/tnauthlist_support: 
False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg + sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg + env: + WES_HOST: ${{ secrets.WES_HOST }} + WES_USER: ${{ secrets.WES_USER }} + WES_PASSWORD: ${{ secrets.WES_PASSWORD }} + WES_TEMPLATE: ${{ secrets.WES_TEMPLATE }} + WES_AUTHMETHOD: ${{ secrets.WES_AUTHMETHOD }} + WCCE_HOST: ${{ secrets.WCCE_HOST }} + WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} + WES_KRB5_CONF: ${{ secrets.WES_KRB5_CONF }} + WCCE_FQDN: ${{ secrets.WCCE_FQDN }} + WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }} + + - name: "NTLM - enrollment mit default profile and headerinfo" + uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo + with: + NAME_SPACE: local + + - name: "NTLM - Setup a2c with mscertsrv_ca_handler with allowed_domainlist configuration" + run: | + sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" examples/Docker/data/acme_srv.cfg + sudo echo "allowed_domainlist: [\"*.acme\", \"foo1.bar\", \"*.bar.local\"]" >> examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + docker-compose restart + + - name: "NTLM - enrollment allowed domainlist" + uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_allowed_domain_list + with: + NAME_SPACE: local + + - name: "Verify allowed_domainlist error" + run: | + cd examples/Docker + docker-compose logs | grep "allowed_domainlist" | grep -i "either CN or SANs are not allowed by configuration" + + - name: "Check container configuration" + uses: ./.github/actions/container_check + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp /etc/hosts 
${{ github.workspace }}/artifact/data/ + sudo cp /etc/resolv.conf ${{ github.workspace }}/artifact/data/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ + sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego dnsmasq + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v4 + if: ${{ failure() }} + with: + name: mscertsrv_handler_tests-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + mscertsrv_handler_eab_profiling_tests: + name: "mscertsrv_handler_eab_profiling_tests" + runs-on: ubuntu-latest + needs: container_build + strategy: + fail-fast: false + # max-parallel: 1 + matrix: + websrv: ['apache2', 'nginx'] + dbhandler: ['wsgi', 'django'] + steps: + - name: "checkout GIT" + uses: actions/checkout@v4 + + - name: "create folders and networks" + run: | + mkdir lego + mkdir acme-sh + mkdir certbot + + - name: "Download container" + uses: actions/download-artifact@v4 + with: + name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + path: /tmp + + - name: "Import container" + run: | + sudo apt-get install -y docker-compose + gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar + docker images + + - name: "Prepare container environment" + uses: ./.github/actions/container_prep + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + CONTAINER_BUILD: false + NAME_SPACE: local + + - name: "Get runner ip" + run: | + echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | 
cut -d '/' -f 1) >> $GITHUB_ENV + echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV + + - run: echo "runner IP is ${{ env.RUNNER_IP }}" + + - name: "Setup tunnel" + uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup + with: + WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }} + WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} + WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} + WCCE_HOST: ${{ secrets.WCCE_HOST }} + WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }} + WCCE_FQDN: ${{ secrets.WCCE_FQDN }} + WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} + WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} + NAME_SPACE: local + + - name: "EAB with headerinfo - Setup a2c with mscertsrv_ca_handler using kerberos" + run: | + sudo touch examples/Docker/data/ca_certs.pem + sudo chmod 777 examples/Docker/data/ca_certs.pem + sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem + sudo touch examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/mscertsrv_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "host: $WCCE_FQDN" >> examples/Docker/data/acme_srv.cfg + sudo echo "user: $WES_USER" >> examples/Docker/data/acme_srv.cfg + sudo echo "password: $WES_PASSWORD" >> examples/Docker/data/acme_srv.cfg + sudo echo "auth_method: gssapi" >> examples/Docker/data/acme_srv.cfg + sudo echo "template: $WES_TEMPLATE" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_bundle: /var/www/acme2certifier/volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg + sudo echo "krb5_config: /var/www/acme2certifier/volume/krb5.conf" >> examples/Docker/data/acme_srv.cfg + sudo echo "verify: False" >> examples/Docker/data/acme_srv.cfg + sudo echo "request_timeout: 30" >> examples/Docker/data/acme_srv.cfg + sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: 
False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg + sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg + + sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg + sudo echo -e "\n\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg + sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg + + sudo touch examples/Docker/data/krb5.conf + sudo chmod 777 examples/Docker/data/krb5.conf + cat < examples/Docker/data/krb5.conf + $WES_KRB5_CONF + EOF + + sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json + sudo chmod 777 examples/eab_handler/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"template\"\: \[\"WebServerModified\"\, \"WebServer\"]/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"template\"\: \"WebServerModified\"/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/example.net/local/g" examples/Docker/data/kid_profiles.json + sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json + sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json + env: + WES_HOST: ${{ secrets.WES_HOST }} + WES_USER: ${{ secrets.WES_USER }} + WES_PASSWORD: ${{ secrets.WES_PASSWORD }} + WES_TEMPLATE: ${{ secrets.WES_TEMPLATE }} + WES_AUTHMETHOD: ${{ secrets.WES_AUTHMETHOD }} + WCCE_HOST: ${{ secrets.WCCE_HOST }} + WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} + WES_KRB5_CONF: ${{ 
secrets.WES_KRB5_CONF }} + WCCE_FQDN: ${{ secrets.WCCE_FQDN }} + WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }} + + - name: "Bring up a2c container" + uses: ./.github/actions/container_up + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + NAME_SPACE: local + + - name: "EAB with headerinfo - enrollment" + uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_eab + with: + NAME_SPACE: local + + - name: "Check container configuration" + uses: ./.github/actions/container_check + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp /etc/hosts ${{ github.workspace }}/artifact/data/ + sudo cp /etc/resolv.conf ${{ github.workspace }}/artifact/data/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ + sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego dnsmasq + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v4 + if: ${{ failure() }} + with: + name: mscertsrv_handler_profiling_tests-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + mswcce_handler_tests: + name: "mswcce_handler_tests" + runs-on: ubuntu-latest + needs: container_build + strategy: + fail-fast: false + # max-parallel: 1 + matrix: + websrv: ['apache2', 'nginx'] + dbhandler: ['wsgi', 'django'] + steps: + - name: "checkout GIT" + uses: actions/checkout@v4 + + - name: "create folders" + run: | + mkdir lego + mkdir acme-sh + mkdir certbot + + - 
name: "Download container" + uses: actions/download-artifact@v4 + with: + name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + path: /tmp + + - name: "Import container" + run: | + sudo apt-get install -y docker-compose + gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar + docker images + + - name: "Prepare container environment" + uses: ./.github/actions/container_prep + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + CONTAINER_BUILD: false + + - name: "[ PREPARE ] get runner ip" + run: | + echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV + echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV + - run: echo "runner IP is ${{ env.RUNNER_IP }}" + + - name: "Install dnsmasq" + run: | + sudo apt-get update + sudo apt-get install -y dnsmasq + sudo systemctl disable systemd-resolved + sudo systemctl stop systemd-resolved + sudo mkdir -p dnsmasq + sudo cp .github/dnsmasq.conf dnsmasq/ + sudo chmod -R 777 dnsmasq/dnsmasq.conf + sudo sed -i "s/RUNNER_IP/$RUNNER_IP/g" dnsmasq/dnsmasq.conf + sudo echo "address=/$WCCE_FQDN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf + sudo echo "address=/$WCCE_ADS_DOMAIN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf + sudo echo "address=/$WES_HOST/$RUNNER_IP" >> dnsmasq/dnsmasq.conf + cat dnsmasq/dnsmasq.conf + sudo cp dnsmasq/dnsmasq.conf /etc/ + sudo systemctl enable dnsmasq + sudo systemctl start dnsmasq + env: + RUNNER_IP: ${{ env.RUNNER_IP }} + WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} + WCCE_FQDN: ${{ secrets.WCCE_FQDN }} + WES_HOST: ${{ secrets.WES_HOST }} + + - name: "[ PREPARE ] test dns resulution" + run: | + host $WCCE_ADS_DOMAIN 127.0.0.1 + host $WCCE_FQDN 127.0.0.1 + host $WES_HOST 127.0.0.1 + env: + WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} + WCCE_FQDN: ${{ secrets.WCCE_FQDN }} + 
WES_HOST: ${{ secrets.WES_HOST }} + + - name: "Setup tunnel" + uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup + with: + WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }} + WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} + WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} + WCCE_HOST: ${{ secrets.WCCE_HOST }} + WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }} + WCCE_FQDN: ${{ secrets.WCCE_FQDN }} + WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} + WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} + + - name: "NTLM - Setup a2c with ms_wcce_ca_handler (ntlm)" + run: | + sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem + sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem + sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem + sudo cp .github/django_settings.py examples/Docker/data/settings.py + sudo touch examples/Docker/data/ca_certs.pem + sudo chmod 777 examples/Docker/data/ca_certs.pem + sudo echo "$WCCE_CA_BUNDLE" > examples/Docker/data/ca_certs.pem + sudo touch examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/mswcce_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "host: $RUNNER_IP" >> examples/Docker/data/acme_srv.cfg + sudo echo "user: $WCCE_USER" >> examples/Docker/data/acme_srv.cfg + sudo echo "password: $WCCE_PASSWORD" >> examples/Docker/data/acme_srv.cfg + sudo echo "template: $WCCE_TEMPLATE" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_name: $WCCE_CA_NAME" >> examples/Docker/data/acme_srv.cfg + sudo echo "target_domain: $WCCE_ADS_DOMAIN" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_bundle: volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg + sudo echo "timeout: 20" >> 
examples/Docker/data/acme_srv.cfg + sudo echo "ssh_host: $SSH_HOST:$SSH_PORT" >> examples/Docker/data/acme_srv.cfg + sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg + sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg + env: + RUNNER_IP: ${{ env.RUNNER_IP }} + WCCE_USER: ${{ secrets.WCCE_USER }} + WCCE_PASSWORD: ${{ secrets.WCCE_PASSWORD }} + WCCE_TEMPLATE: ${{ secrets.WCCE_TEMPLATE }} + WCCE_CA_NAME: ${{ secrets.WCCE_CA_NAME }} + WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} + WCCE_CA_BUNDLE: ${{ secrets.WCCE_CA_BUNDLE }} + WCCE_HOST: ${{ secrets.WCCE_HOST }} + SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} + SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} + + - name: "Bring up a2c container" + uses: ./.github/actions/container_up + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + + - name: "NTLM - enrollment mit default profile and headerinfo" + uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo + + - name: "KRB - Setup a2c with ms_wcce_ca_handler (Kerboros)" + run: | + sudo touch examples/Docker/data/ca_certs.pem + sudo chmod 777 examples/Docker/data/ca_certs.pem + sudo echo "$WCCE_CA_BUNDLE" > examples/Docker/data/ca_certs.pem + sudo touch examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/mswcce_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "host: $WCCE_FQDN" >> examples/Docker/data/acme_srv.cfg + sudo echo "user: $WCCE_USER" >> examples/Docker/data/acme_srv.cfg + sudo echo "password: $WCCE_PASSWORD" >> examples/Docker/data/acme_srv.cfg + sudo echo "template: $WCCE_TEMPLATE" >> 
examples/Docker/data/acme_srv.cfg + sudo echo "ca_name: $WCCE_CA_NAME" >> examples/Docker/data/acme_srv.cfg + sudo echo "target_domain: $WCCE_ADS_DOMAIN" >> examples/Docker/data/acme_srv.cfg + sudo echo "domain_controller: $RUNNER_IP" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_bundle: volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg + sudo echo "timeout: 20" >> examples/Docker/data/acme_srv.cfg + sudo echo "use_kerberos: True" >> examples/Docker/data/acme_srv.cfg + sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg + sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + docker-compose restart + env: + RUNNER_IP: ${{ env.RUNNER_IP }} + DNSMASQ_IP: ${{ env.DNSMASQ_IP }} + WCCE_USER: ${{ secrets.WCCE_USER }} + WCCE_PASSWORD: ${{ secrets.WCCE_PASSWORD }} + WCCE_TEMPLATE: ${{ secrets.WCCE_TEMPLATE }} + WCCE_CA_NAME: ${{ secrets.WCCE_CA_NAME }} + WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} + WCCE_CA_BUNDLE: ${{ secrets.WCCE_CA_BUNDLE }} + WCCE_FQDN: ${{ secrets.WCCE_FQDN }} + + - name: "KRB - Sleep for 10s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 10s + + - name: "KRB - enrollment mit default profile and headerinfo" + uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo + + - name: "KRB - Setup a2c with mswcce_ca_handler with allowed_domainlist configuration" + run: | + sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" examples/Docker/data/acme_srv.cfg + sudo echo "allowed_domainlist: [\"*.acme\", \"foo1.bar\", \"*.bar.local\"]" >> examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + docker-compose restart + + - name: "KRB - enrollment allowed domainlist" + uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_allowed_domain_list + + - name: "Verify 
allowed_domainlist error" + run: | + cd examples/Docker + docker-compose logs | grep "allowed_domainlist" | grep -i "either CN or SANs are not allowed by configuration" + + - name: "Check container configuration" + uses: ./.github/actions/container_check + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ + sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ + sudo cp -rp dnsmasq/ ${{ github.workspace }}/artifact/dnsmasq/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data dnsmasq + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v4 + if: ${{ failure() }} + with: + name: mswcce_handler_tests-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + mswcce_handler_eab_profiling_tests: + name: "mswcce_handler_eab_profiling_tests" + runs-on: ubuntu-latest + needs: container_build + strategy: + fail-fast: false + # max-parallel: 2 + matrix: + websrv: ['apache2', 'nginx'] + dbhandler: ['wsgi', 'django'] + steps: + - name: "checkout GIT" + uses: actions/checkout@v4 + + - name: "create folders" + run: | + mkdir lego + mkdir acme-sh + mkdir certbot + + - name: "[ PREPARE ] get runner ip" + run: | + echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV + echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV + + - run: echo "runner IP is ${{ env.RUNNER_IP }}" + + - name: "Install dnsmasq" + run: | + sudo apt-get update + 
sudo apt-get install -y dnsmasq + sudo systemctl disable systemd-resolved + sudo systemctl stop systemd-resolved + sudo mkdir -p dnsmasq + sudo cp .github/dnsmasq.conf dnsmasq/ + sudo chmod -R 777 dnsmasq/dnsmasq.conf + sudo sed -i "s/RUNNER_IP/$RUNNER_IP/g" dnsmasq/dnsmasq.conf + sudo echo "address=/$WCCE_FQDN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf + sudo echo "address=/$WCCE_ADS_DOMAIN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf + sudo echo "address=/$WES_HOST/$RUNNER_IP" >> dnsmasq/dnsmasq.conf + cat dnsmasq/dnsmasq.conf + sudo cp dnsmasq/dnsmasq.conf /etc/ + sudo systemctl enable dnsmasq + sudo systemctl start dnsmasq + env: + RUNNER_IP: ${{ env.RUNNER_IP }} + WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} + WCCE_FQDN: ${{ secrets.WCCE_FQDN }} + WES_HOST: ${{ secrets.WES_HOST }} + + - name: "[ PREPARE ] test dns resulution" + run: | + host $WCCE_ADS_DOMAIN 127.0.0.1 + host $WCCE_FQDN 127.0.0.1 + host $WES_HOST 127.0.0.1 + env: + WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} + WCCE_FQDN: ${{ secrets.WCCE_FQDN }} + WES_HOST: ${{ secrets.WES_HOST }} + + - name: "Download container" + uses: actions/download-artifact@v4 + with: + name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + path: /tmp + + - name: "Import container" + run: | + sudo apt-get install -y docker-compose + gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar + docker images + + - name: "Prepare container environment" + uses: ./.github/actions/container_prep + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + CONTAINER_BUILD: false + + - name: "Setup tunnel" + uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup + with: + WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }} + WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} + WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} + WCCE_HOST: ${{ secrets.WCCE_HOST }} + 
WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }} + WCCE_FQDN: ${{ secrets.WCCE_FQDN }} + WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} + WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} + + - name: "EAB with headerinfo - Setup a2c with ms_wcce_ca_handler (Kerboros)" + run: | + sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem + sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem + sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem + sudo cp .github/django_settings.py examples/Docker/data/settings.py + sudo touch examples/Docker/data/ca_certs.pem + sudo chmod 777 examples/Docker/data/ca_certs.pem + sudo echo "$WCCE_CA_BUNDLE" > examples/Docker/data/ca_certs.pem + sudo touch examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/mswcce_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "host: $WCCE_FQDN" >> examples/Docker/data/acme_srv.cfg + sudo echo "user: $WCCE_USER" >> examples/Docker/data/acme_srv.cfg + sudo echo "password: $WCCE_PASSWORD" >> examples/Docker/data/acme_srv.cfg + sudo echo "template: $WCCE_TEMPLATE" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_name: $WCCE_CA_NAME" >> examples/Docker/data/acme_srv.cfg + sudo echo "target_domain: $WCCE_ADS_DOMAIN" >> examples/Docker/data/acme_srv.cfg + sudo echo "domain_controller: $RUNNER_IP" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_bundle: volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg + sudo echo "timeout: 20" >> examples/Docker/data/acme_srv.cfg + sudo echo "use_kerberos: True" >> examples/Docker/data/acme_srv.cfg + sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" 
examples/Docker/data/acme_srv.cfg + sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg + + sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg + sudo echo -e "\n\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg + sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg + + sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json + sudo chmod 777 examples/eab_handler/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"template\"\: \[\"WebServerModified\"\, \"WebServer\"]/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"template\"\: \"WebServerModified\"/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/example.net/acme/g" examples/Docker/data/kid_profiles.json + sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json + sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json + env: + RUNNER_IP: ${{ env.RUNNER_IP }} + DNSMASQ_IP: ${{ env.DNSMASQ_IP }} + WCCE_USER: ${{ secrets.WCCE_USER }} + WCCE_PASSWORD: ${{ secrets.WCCE_PASSWORD }} + WCCE_TEMPLATE: ${{ secrets.WCCE_TEMPLATE }} + WCCE_CA_NAME: ${{ secrets.WCCE_CA_NAME }} + WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} + WCCE_CA_BUNDLE: ${{ secrets.WCCE_CA_BUNDLE }} + WCCE_FQDN: ${{ secrets.WCCE_FQDN }} + + - name: "Bring up a2c container" + uses: ./.github/actions/container_up + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + 
+ - name: "EAB with headerinfo - enrollment" + uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_eab + + - name: "Check container configuration" + uses: ./.github/actions/container_check + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ + sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ + sudo cp -rp dnsmasq/ ${{ github.workspace }}/artifact/dnsmasq/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego dnsmasq + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v4 + if: ${{ failure() }} + with: + name: mswcce_handler_profiling_tests-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + cleanup: + name: "cleanup" + runs-on: ubuntu-latest + needs: [mscertsrv_handler_tests, mswcce_handler_tests, mswcce_handler_eab_profiling_tests, mscertsrv_handler_eab_profiling_tests ] + strategy: + fail-fast: false + matrix: + websrv: ['apache2', 'nginx'] + dbhandler: ['wsgi', 'django'] + + steps: + - uses: geekyeggo/delete-artifact@v5 + with: + name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + + rpm_build_and_upload: + name: "rpm_build_and_upload" + runs-on: ubuntu-latest + steps: + - name: "checkout GIT" + uses: actions/checkout@v4 + + - name: "Build rpm package" + id: rpm_build + uses: ./.github/actions/rpm_build_upload + + mscertsrv_handler_tests_rpm: + name: "mscertsrv_handler_tests_rpm" + runs-on: ubuntu-latest 
+ needs: rpm_build_and_upload
+ strategy:
+ # max-parallel: 1
+ fail-fast: false
+ matrix:
+ rhversion: [8, 9]
+ steps:
+ - name: "checkout GIT"
+ uses: actions/checkout@v4
+
+ - name: "Prepare Alma environment"
+ uses: ./.github/actions/rpm_prep
+ with:
+ GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
+ GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
+ RH_VERSION: ${{ matrix.rhversion }}
+ RPM_BUILD: false
+ NAME_SPACE: "local"
+
+ - name: Download rpm package
+ uses: actions/download-artifact@v4
+ with:
+ name: acme2certifier-${{ github.run_id }}.noarch.rpm
+ path: data/
+
+ - name: "Get runner ip"
+ run: |
+ echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
+ echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
+
+ - run: echo "runner IP is ${{ env.RUNNER_IP }}"
+
+ - name: "Setup tunnel"
+ uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup
+ with:
+ WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
+ WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
+ WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
+ WCCE_HOST: ${{ secrets.WCCE_HOST }}
+ WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }}
+ WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
+ WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
+ WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
+ NAME_SPACE: local
+
+ - name: "KRB - Setup a2c with mscertsrv_ca_handler using kerberos"
+ run: |
+ mkdir -p data/acme_ca
+ sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
+ sudo touch data/acme_srv.cfg
+ sudo chmod 777 data/acme_srv.cfg
+ sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
+ sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/mscertsrv_ca_handler.py" >> data/acme_srv.cfg
+ sudo echo "host: $WCCE_FQDN" >> data/acme_srv.cfg
+ sudo echo "user: $WES_USER" >> data/acme_srv.cfg
+ sudo echo "password: $WES_PASSWORD" >> data/acme_srv.cfg
+ sudo echo "auth_method: gssapi" >> data/acme_srv.cfg
+ sudo echo "template: $WES_TEMPLATE" >> data/acme_srv.cfg
+ sudo echo "ca_bundle: volume/acme_ca/ca_certs.pem" >> data/acme_srv.cfg
+ sudo echo "krb5_config: volume/acme_ca/krb5.conf" >> data/acme_srv.cfg
+ sudo echo "verify: False" >> data/acme_srv.cfg
+ sudo echo "request_timeout: 30" >> data/acme_srv.cfg
+ sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg
+ sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" data/acme_srv.cfg
+
+ sudo touch data/acme_ca/krb5.conf
+ sudo chmod 777 data/acme_ca/krb5.conf
+ cat < data/acme_ca/krb5.conf
+ $WES_KRB5_CONF
+ EOF
+
+ env:
+ WES_HOST: ${{ secrets.WES_HOST }}
+ WES_USER: ${{ secrets.WES_USER }}
+ WES_PASSWORD: ${{ secrets.WES_PASSWORD }}
+ WES_AUTHMETHOD: ${{ secrets.WES_AUTHMETHOD }}
+ WES_TEMPLATE: ${{ secrets.WES_TEMPLATE }}
+ WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
+ WES_KRB5_CONF: ${{ secrets.WES_KRB5_CONF }}
+
+ - name: "KRB - Execute install scipt"
+ run: |
+ docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
+ docker exec acme-srv yum install -y krb5-libs
+
+ - name: "KRB - enrollment mit default profile and headerinfo"
+ uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo
+ with:
+ NAME_SPACE: local
+
+ - name: "NTLM - Setup a2c with mscertsrv_ca_handler"
+ run: |
+ sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
+ sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/mscertsrv_ca_handler.py" >> data/acme_srv.cfg
+ sudo echo "host: $WCCE_FQDN" >> data/acme_srv.cfg
+ sudo echo "user: $WES_USER" >> data/acme_srv.cfg
+ sudo echo "password: $WES_PASSWORD" >> data/acme_srv.cfg
+ sudo echo "auth_method: $WES_AUTHMETHOD" >> data/acme_srv.cfg
+ sudo echo "template: $WES_TEMPLATE" >> data/acme_srv.cfg
+ sudo echo "ca_bundle: volume/acme_ca/ca_certs.pem" >> data/acme_srv.cfg
+ sudo echo "verify: False" >> data/acme_srv.cfg
+ sudo echo "request_timeout: 30" >> data/acme_srv.cfg
+ sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg
+ sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" data/acme_srv.cfg
+ env:
+ WES_HOST: ${{ secrets.WES_HOST }}
+ WES_USER: ${{ secrets.WES_USER }}
+ WES_PASSWORD: ${{ secrets.WES_PASSWORD }}
+ WES_AUTHMETHOD: ${{ secrets.WES_AUTHMETHOD }}
+ WES_TEMPLATE: ${{ secrets.WES_TEMPLATE }}
+ WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
+
+ - name: "NTLM - Reconfigure a2c "
+ run: |
+ docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
+
+ - name: "NTLM - enrollment mit default profile and headerinfo"
+ uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo
+ with:
+ NAME_SPACE: local
+
+ - name: "NTLM - Setup a2c with mscertsrv_ca_handler with allowed_domainlist configuration"
+ run: |
+ sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" data/acme_srv.cfg
+ sudo echo "allowed_domainlist: [\"*.acme\", \"foo1.bar\", \"*.bar.local\"]" >> data/acme_srv.cfg
+
+ - name: "NTLM - Reconfigure a2c "
+ run: |
+ docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
+
+ - name: "NTLM - enrollment allowed domainlist"
+ uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_allowed_domain_list
+ with:
+ NAME_SPACE: local
+
+ - name: "Verify allowed_domainlist error"
+ run: |
+ docker exec acme-srv grep -i "either CN or SANs are not allowed by configuration" /var/log/messages
+
+ - name: "[ * ] collecting test logs"
+ if: ${{ failure() }}
+ run: |
+ mkdir -p ${{ github.workspace }}/artifact/upload
+ docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
+ sudo rm -rf data/*.rpm
+ sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
+ sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
+ docker exec acme-srv ls -la /tmp > ${{ github.workspace }}/artifact/data/tmp_list
+ docker exec acme-srv ls -la /tmp
+ docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
+ sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh
+
+ - name: "[ * ] uploading artificates"
+ uses: actions/upload-artifact@v4
+ if: ${{ failure() }}
+ with:
+ name: mscertsrv_handler_tests_rpm-rh${{ matrix.rhversion }}.tar.gz
+ path: ${{ github.workspace }}/artifact/upload/
+
+ mscertsrv_handler_eab_profile_tests_rpm:
+ name: "mscertsrv_handler_eab_profile_tests_rpm"
+ runs-on: ubuntu-latest
+ needs: mscertsrv_handler_tests_rpm
+ strategy:
+ # max-parallel: 1
+ fail-fast: false
+ matrix:
+ rhversion: [8, 9]
+ steps:
+ - name: "checkout GIT"
+ uses: actions/checkout@v4
+
+ - name: "Prepare Alma environment"
+ uses: ./.github/actions/rpm_prep
+ with:
+ GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
+ GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
+ RH_VERSION: ${{ matrix.rhversion }}
+ RPM_BUILD: false
+ NAME_SPACE: "local"
+
+ - name: Download rpm package
+ uses: actions/download-artifact@v4
+ with:
+ name: acme2certifier-${{ github.run_id }}.noarch.rpm
+ path: data/
+
+ - name: "Get runner ip"
+ run: |
+ echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
+ echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
+
+ - run: echo "runner IP is ${{ env.RUNNER_IP }}"
+
+ - name: "Setup tunnel"
+ uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup
+ with:
+ WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
+ WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
+ WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
+ WCCE_HOST: ${{ secrets.WCCE_HOST }}
+ WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }}
+ WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
+ WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
+ WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
+ NAME_SPACE: local
+
+ - name: "EAB with headerinfo - Setup a2c with mscertsrv_ca_handler using kerberos"
+ run: |
+ mkdir -p data/acme_ca
+ sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
+ sudo touch data/acme_srv.cfg
+ sudo chmod 777 data/acme_srv.cfg
+ sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
+ sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/mscertsrv_ca_handler.py" >> data/acme_srv.cfg
+ sudo echo "host: $WCCE_FQDN" >> data/acme_srv.cfg
+ sudo echo "user: $WES_USER" >> data/acme_srv.cfg
+ sudo echo "password: $WES_PASSWORD" >> data/acme_srv.cfg
+ sudo echo "auth_method: gssapi" >> data/acme_srv.cfg
+ sudo echo "template: $WES_TEMPLATE" >> data/acme_srv.cfg
+ sudo echo "ca_bundle: volume/acme_ca/ca_certs.pem" >> data/acme_srv.cfg
+ sudo echo "krb5_config: volume/acme_ca/krb5.conf" >> data/acme_srv.cfg
+ sudo echo "verify: False" >> data/acme_srv.cfg
+ sudo echo "request_timeout: 30" >> data/acme_srv.cfg
+ sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg
+ sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" data/acme_srv.cfg
+
+ sudo echo "eab_profiling: True" >> data/acme_srv.cfg
+ sudo echo -e "\n[EABhandler]" >> data/acme_srv.cfg
+ sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg
+ sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg
+
+ sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json
+ sudo chmod 777 data/acme_ca/kid_profiles.json
+ sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"template\"\: \[\"WebServerModified\"\, \"WebServer\"]/g" data/acme_ca/kid_profiles.json
+ sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"template\"\: \"WebServerModified\"/g" data/acme_ca/kid_profiles.json
+ sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json
+ sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json
+ sudo sed -i "s/example.net/local/g" data/acme_ca/kid_profiles.json
+ sudo sed -i '18,19d' data/acme_ca/kid_profiles.json
+ sudo sed -i '8,9d' data/acme_ca/kid_profiles.json
+
+ sudo touch data/acme_ca/krb5.conf
+ sudo chmod 777 data/acme_ca/krb5.conf
+ cat < data/acme_ca/krb5.conf
+ $WES_KRB5_CONF
+ EOF
+ env:
+ WES_HOST: ${{ secrets.WES_HOST }}
+ WES_USER: ${{ secrets.WES_USER }}
+ WES_PASSWORD: ${{ secrets.WES_PASSWORD }}
+ WES_AUTHMETHOD: ${{ secrets.WES_AUTHMETHOD }}
+ WES_TEMPLATE: ${{ secrets.WES_TEMPLATE }}
+ WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
+ WES_KRB5_CONF: ${{ secrets.WES_KRB5_CONF }}
+
+ - name: "KRB - Execute install scipt"
+ run: |
+ docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
+ docker exec acme-srv yum install -y krb5-libs
+
+ - name: "EAB with headerinfo - enrollment"
+ uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_eab
+ with:
+ NAME_SPACE: local
+
+ - name: "[ * ] collecting test logs"
+ if: ${{ failure() }}
+ run: |
+ mkdir -p ${{ github.workspace }}/artifact/upload
+ docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
+ sudo rm -rf data/*.rpm
+ sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
+ sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
+ docker exec acme-srv ls -la /tmp > ${{ github.workspace }}/artifact/data/tmp_list
+ docker exec acme-srv ls -la /tmp
+ docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
+ sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh
+
+ - name: "[ * ] uploading artificates"
+ uses: actions/upload-artifact@v4
+ if: ${{ failure() }}
+ with:
+ name: mscertsrv_handler_profile_tests_rpm-rh${{ matrix.rhversion }}.tar.gz
+ path: ${{ github.workspace }}/artifact/upload/
+
+ mswcce_handler_tests_rpm:
+ name: "mswcce_handler_tests_rpm"
+ runs-on: ubuntu-latest
+ needs: mscertsrv_handler_tests_rpm
+ strategy:
+ # max-parallel: 1
+ fail-fast: false
+ matrix:
+ rhversion: [8, 9]
+ steps:
+ - name: "checkout GIT"
+ uses: actions/checkout@v4
+
+ - name: "Prepare Alma environment"
+ uses: ./.github/actions/rpm_prep
+ with:
+ GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
+ GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
+ RH_VERSION: ${{ matrix.rhversion }}
+ DJANGO_DB: psql
+ RPM_BUILD: false
+
+ - name: Download rpm package
+ uses: actions/download-artifact@v4
+ with:
+ name: acme2certifier-${{ github.run_id }}.noarch.rpm
+ path: data/
+
+ - name: "Get runner ip"
+ run: |
+ echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
+ echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
+
+ - run: echo "runner IP is ${{ env.RUNNER_IP }}"
+
+ - name: "Install dnsmasq"
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y dnsmasq
+ sudo systemctl disable systemd-resolved
+ sudo systemctl stop systemd-resolved
+ # sudo chmod -R 777 /etc/resolv.conf
+ # sudo echo "nameserver 8.8.8.8" > /etc/resolv.conf
+ sudo mkdir -p dnsmasq
+ sudo cp .github/dnsmasq.conf dnsmasq/
+ sudo chmod -R 777 dnsmasq/dnsmasq.conf
+ sudo sed -i "s/RUNNER_IP/$RUNNER_IP/g" dnsmasq/dnsmasq.conf
+ sudo echo "address=/$WCCE_FQDN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf
+ sudo echo "address=/$WCCE_ADS_DOMAIN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf
+ sudo echo "address=/$WES_HOST/$RUNNER_IP" >> dnsmasq/dnsmasq.conf
+ cat dnsmasq/dnsmasq.conf
+ sudo cp dnsmasq/dnsmasq.conf /etc/
+ sudo sed -i "s/ --local-service/ /g" /etc/init.d/dnsmasq
+ sudo systemctl enable dnsmasq
+ sudo systemctl start dnsmasq
+ env:
+ RUNNER_IP: ${{ env.RUNNER_IP }}
+ WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
+ WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
+ WES_HOST: ${{ secrets.WES_HOST }}
+
+ - name: "Test dns resulution"
+ run: |
+ host $WCCE_ADS_DOMAIN ${{ env.RUNNER_IP }}
+ host $WCCE_FQDN ${{ env.RUNNER_IP }}
+ host $WES_HOST 127.0.0.1
+ env:
+ WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
+ WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
+ WES_HOST: ${{ secrets.WES_HOST }}
+
+ - name: "Create letsencrypt and lego folder"
+ run: |
+ mkdir certbot
+ mkdir lego
+ mkdir acme-sh
+
+ - name: "Setup tunnel"
+ uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup
+ with:
+ WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
+ WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
+ WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
+ WCCE_HOST: ${{ secrets.WCCE_HOST }}
+ WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }}
+ WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
+ WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
+ WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
+
+ - name: "NTLM - Prepare acme_srv.cfg with ms_wcce_ca_handler"
+ run: |
+ mkdir -p data/acme_ca
+ sudo touch data/acme_ca/ca_certs.pem
+ sudo chmod 777 data/acme_ca/ca_certs.pem
+ sudo echo "$WCCE_CA_BUNDLE" > data/acme_ca/ca_certs.pem
+ sudo touch data/acme_ca/acme_srv.cfg
+ sudo chmod 777 data/acme_ca/acme_srv.cfg
+ sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
+ sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/mswcce_ca_handler.py" >> data/acme_srv.cfg
+ sudo echo "host: $RUNNER_IP" >> data/acme_srv.cfg
+ sudo echo "user: $WCCE_USER" >> data/acme_srv.cfg
+ sudo echo "password: $WCCE_PASSWORD" >> data/acme_srv.cfg
+ sudo echo "template: $WCCE_TEMPLATE" >> data/acme_srv.cfg
+ sudo echo "ca_name: $WCCE_CA_NAME" >> data/acme_srv.cfg
+ sudo echo "target_domain: $WCCE_ADS_DOMAIN" >> data/acme_srv.cfg
+ sudo echo "ca_bundle: /opt/acme2certifier/volume/acme_ca/ca_certs.pem" >> data/acme_srv.cfg
+ sudo echo "timeout: 20" >> data/acme_srv.cfg
+ sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg
+ sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" data/acme_srv.cfg
+ env:
+ RUNNER_IP: ${{ env.RUNNER_IP }}
+ WCCE_USER: ${{ secrets.WCCE_USER }}
+ WCCE_PASSWORD: ${{ secrets.WCCE_PASSWORD }}
+ WCCE_TEMPLATE: ${{ secrets.WCCE_TEMPLATE }}
+ WCCE_CA_NAME: ${{ secrets.WCCE_CA_NAME }}
+ WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
+ WCCE_CA_BUNDLE: ${{ secrets.WCCE_CA_BUNDLE }}
+
+ - name: "NTLM - Execute install scipt"
+ run: |
+ docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
+
+ - name: "NTLM - enrollment mit default profile and headerinfo"
+ uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo
+
+ - name: "KRB - Setup a2c with ms_wcce_ca_handler (Kerberos)"
+ run: |
+ mkdir -p data/acme_ca
+ sudo touch data/acme_ca/ca_certs.pem
+ sudo chmod 777 data/acme_ca/ca_certs.pem
+ sudo echo "$WCCE_CA_BUNDLE" > data/acme_ca/ca_certs.pem
+ sudo touch data/acme_ca/acme_srv.cfg
+ sudo chmod 777 data/acme_ca/acme_srv.cfg
+ sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
+ sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/mswcce_ca_handler.py" >> data/acme_srv.cfg
+ sudo echo "host: $WCCE_FQDN" >> data/acme_srv.cfg
+ sudo echo "user: $WCCE_USER" >> data/acme_srv.cfg
+ sudo echo "password: $WCCE_PASSWORD" >> data/acme_srv.cfg
+ sudo echo "template: $WCCE_TEMPLATE" >> data/acme_srv.cfg
+ sudo echo "ca_name: $WCCE_CA_NAME" >> data/acme_srv.cfg
+ sudo echo "target_domain: $WCCE_ADS_DOMAIN" >> data/acme_srv.cfg
+ sudo echo "domain_controller: $RUNNER_IP" >> data/acme_srv.cfg
+ sudo echo "ca_bundle: /opt/acme2certifier/volume/acme_ca/ca_certs.pem" >> data/acme_srv.cfg
+ sudo echo "timeout: 20" >> data/acme_srv.cfg
+ sudo echo "use_kerberos: True" >> data/acme_srv.cfg
+ sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg
+ sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" data/acme_srv.cfg
+ env:
+ RUNNER_IP: ${{ env.RUNNER_IP }}
+ WCCE_USER: ${{ secrets.WCCE_USER }}
+ WCCE_PASSWORD: ${{ secrets.WCCE_PASSWORD }}
+ WCCE_TEMPLATE: ${{ secrets.WCCE_TEMPLATE }}
+ WCCE_CA_NAME: ${{ secrets.WCCE_CA_NAME }}
+ WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
+ WCCE_CA_BUNDLE: ${{ secrets.WCCE_CA_BUNDLE }}
+ WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
+
+ - name: "KRB - Reconfigure a2c "
+ run: |
+ docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
+
+ - name: "KRB - enrollment mit default profile and headerinfo"
+ uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo
+
+ - name: "KRB - Setup a2c with mswcce_ca_handler with allowed_domainlist configuration"
+ run: |
+ sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" data/acme_srv.cfg
+ sudo echo "allowed_domainlist: [\"*.acme\", \"foo1.bar\", \"*.bar.local\"]" >> data/acme_srv.cfg
+
+ - name: "KRB - Reconfigure a2c "
+ run: |
+ docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
+
+ - name: "KRB - enrollment allowed domainlist"
+ uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_allowed_domain_list
+
+ - name: "Verify allowed_domainlist error"
+ run: |
+ docker exec acme-srv grep -i "either CN or SANs are not allowed by configuration" /var/log/messages
+
+ - name: "[ * ] collecting test logs"
+ if: ${{ failure() }}
+ run: |
+ mkdir -p ${{ github.workspace }}/artifact/upload
+ docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
+ sudo rm -rf data/*.rpm
+ sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
+ sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
+ sudo cp -rp dnsmasq/ ${{ github.workspace }}/artifact/dnsmasq/
+ # docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
+ # docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
+ docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
+ sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh dnsmasq
+
+ - name: "[ * ] uploading artificates"
+ uses: actions/upload-artifact@v4
+ if: ${{ failure() }}
+ with:
+ name: mswcce_handler_tests_rpm-rh${{ matrix.rhversion }}.tar.gz
+ path: ${{ github.workspace }}/artifact/upload/
+
+ mswcce_handler_eab_profile_tests_rpm:
+ name: "mswcce_handler_eab_profile_tests_rpm"
+ runs-on: ubuntu-latest
+ needs: mscertsrv_handler_tests_rpm
+ strategy:
+ # max-parallel: 1
+ fail-fast: false
+ matrix:
+ rhversion: [8, 9]
+ steps:
+ - name: "checkout GIT"
+ uses: actions/checkout@v4
+
+ - name: "Prepare Alma environment"
+ uses: ./.github/actions/rpm_prep
+ with:
+ GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
+ GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
+ RH_VERSION: ${{ matrix.rhversion }}
+ DJANGO_DB: psql
+ RPM_BUILD: false
+
+ - name: Download rpm package
+ uses: actions/download-artifact@v4
+ with:
+ name: acme2certifier-${{ github.run_id }}.noarch.rpm
+ path: data/
+
+ - name: "Get runner ip"
+ run: |
+ echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
+ echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
+
+ - run: echo "runner IP is ${{ env.RUNNER_IP }}"
+
+ - name: "Install dnsmasq"
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y dnsmasq
+ sudo systemctl disable systemd-resolved
+ sudo systemctl stop systemd-resolved
+ # sudo chmod -R 777 /etc/resolv.conf
+ # sudo echo "nameserver 8.8.8.8" > /etc/resolv.conf
+ sudo mkdir -p dnsmasq
+ sudo cp .github/dnsmasq.conf dnsmasq/
+ sudo chmod -R 777 dnsmasq/dnsmasq.conf
+ sudo sed -i "s/RUNNER_IP/$RUNNER_IP/g" dnsmasq/dnsmasq.conf
+ sudo echo "address=/$WCCE_FQDN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf
+ sudo echo "address=/$WCCE_ADS_DOMAIN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf
+ sudo echo "address=/$WES_HOST/$RUNNER_IP" >> dnsmasq/dnsmasq.conf
+ cat dnsmasq/dnsmasq.conf
+ sudo cp dnsmasq/dnsmasq.conf /etc/
+ sudo sed -i "s/ --local-service/ /g" /etc/init.d/dnsmasq
+ sudo systemctl enable dnsmasq
+ sudo systemctl start dnsmasq
+ env:
+ RUNNER_IP: ${{ env.RUNNER_IP }}
+ WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
+ WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
+ WES_HOST: ${{ secrets.WES_HOST }}
+
+ - name: "Test dns resulution"
+ run: |
+ host $WCCE_ADS_DOMAIN ${{ env.RUNNER_IP }}
+ host $WCCE_FQDN ${{ env.RUNNER_IP }}
+ host $WES_HOST 127.0.0.1
+ env:
+ WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
+ WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
+ WES_HOST: ${{ secrets.WES_HOST }}
+
+ - name: "Create letsencrypt and lego folder"
+ run: |
+ mkdir certbot
+ mkdir lego
+ mkdir acme-sh
+
+ - name: "Setup tunnel"
+ uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup
+ with:
+ WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
+ WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
+ WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
+ WCCE_HOST: ${{ secrets.WCCE_HOST }}
+ WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }}
+ WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
+ WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
+ WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
+
+ - name: "EAB with headerinfo - Setup a2c with ms_wcce_ca_handler (Kerberos)"
+ run: |
+ mkdir -p data/acme_ca
+ sudo touch data/acme_ca/ca_certs.pem
+ sudo chmod 777 data/acme_ca/ca_certs.pem
+ sudo echo "$WCCE_CA_BUNDLE" > data/acme_ca/ca_certs.pem
+ sudo touch data/acme_ca/acme_srv.cfg
+ sudo chmod 777 data/acme_ca/acme_srv.cfg
+ sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
+ sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/mswcce_ca_handler.py" >> data/acme_srv.cfg
+ sudo echo "host: $WCCE_FQDN" >> data/acme_srv.cfg
+ sudo echo "user: $WCCE_USER" >> data/acme_srv.cfg
+ sudo echo "password: $WCCE_PASSWORD" >> data/acme_srv.cfg
+ sudo echo "template: $WCCE_TEMPLATE" >> data/acme_srv.cfg
+ sudo echo "ca_name: $WCCE_CA_NAME" >> data/acme_srv.cfg
+ sudo echo "target_domain: $WCCE_ADS_DOMAIN" >> data/acme_srv.cfg
+ sudo echo "domain_controller: $RUNNER_IP" >> data/acme_srv.cfg
+ sudo echo "ca_bundle: /opt/acme2certifier/volume/acme_ca/ca_certs.pem" >> data/acme_srv.cfg
+ sudo echo "timeout: 20" >> data/acme_srv.cfg
+ sudo echo "use_kerberos: True" >> data/acme_srv.cfg
+ sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg
+ sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" data/acme_srv.cfg
+
+ sudo echo "eab_profiling: True" >> data/acme_srv.cfg
+ sudo echo -e "\n[EABhandler]" >> data/acme_srv.cfg
+ sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg
+ sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg
+
+ sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json
+ sudo chmod 777 data/acme_ca/kid_profiles.json
+ sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"template\"\: \[\"WebServerModified\"\, \"WebServer\"]/g" data/acme_ca/kid_profiles.json
+ sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"template\"\: \"WebServerModified\"/g" data/acme_ca/kid_profiles.json
+ sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json
+ sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json
+ sudo sed -i "s/example.net/acme/g" data/acme_ca/kid_profiles.json
+ sudo sed -i '18,19d' data/acme_ca/kid_profiles.json
+ sudo sed -i '8,9d' data/acme_ca/kid_profiles.json
+
+ env:
+ RUNNER_IP: ${{ env.RUNNER_IP }}
+ WCCE_USER: ${{ secrets.WCCE_USER }}
+ WCCE_PASSWORD: ${{ secrets.WCCE_PASSWORD }}
+ WCCE_TEMPLATE: ${{ secrets.WCCE_TEMPLATE }}
+ WCCE_CA_NAME: ${{ secrets.WCCE_CA_NAME }}
+ WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
+ WCCE_CA_BUNDLE: ${{ secrets.WCCE_CA_BUNDLE }}
+ WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
+
+ - name: "EAB with headerinfo - Execute install scipt"
+ run: |
+ docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
+
+ - name: "EAB with headerinfo - enrollment"
+ uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_eab
+
+ - name: "[ * ] collecting test logs"
+ if: ${{ failure() }}
+ run: |
+ mkdir -p ${{ github.workspace }}/artifact/upload
+ docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
+ sudo rm -rf data/*.rpm
+ sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
+ sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
+ sudo cp -rp dnsmasq/ ${{ github.workspace }}/artifact/dnsmasq/
+ # docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
+ # docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
+ docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
+ sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh dnsmasq
+
+ - name: "[ * ] uploading artificates"
+ uses: actions/upload-artifact@v4
+ if: ${{ failure() }}
+ with:
+ name: mswcce_handler_profile_tests_rpm-rh${{ matrix.rhversion }}.tar.gz
+ path: ${{ github.workspace }}/artifact/upload/
+
+ rpm_cleanup:
+ name: "rpm_cleanup"
+ runs-on: ubuntu-latest
+ needs: [mscertsrv_handler_tests_rpm, mscertsrv_handler_eab_profile_tests_rpm, mswcce_handler_tests_rpm, mswcce_handler_eab_profile_tests_rpm]
+ steps:
+ - name: "Delete artifact"
+ uses: geekyeggo/delete-artifact@v5
+ with:
+ name: acme2certifier-${{ github.run_id }}.noarch.rpm
\ No newline at end of file
diff --git a/.github/workflows/ca_handler_tests_nclm.yml b/.github/workflows/ca_handler_tests_nclm.yml
new file mode 100644
index 00000000..5f564ba0
--- /dev/null
+++ b/.github/workflows/ca_handler_tests_nclm.yml
@@ -0,0 +1,273 @@
+name: CA handler tests - NCLM
+
+on:
+ push:
+ pull_request:
+ branches: [ devel ]
+ schedule:
+ # * is a special character in YAML so you have to quote this string
+ - cron: '0 2 * * 6'
+
+jobs:
+ nclm_handler_tests:
+ name: "nclm_handler_tests"
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ # max-parallel: 1
+ matrix:
+ websrv: ['apache2', 'nginx']
+ dbhandler: ['wsgi', 'django']
+ steps:
+ - name: "checkout GIT"
+ uses: actions/checkout@v4
+
+ - name: "Generate UUID"
+ run: |
+ echo UUID=$(uuidgen | cut -d "-" -f1) >> $GITHUB_ENV
+ - run: echo "UUID ${{ env.UUID }}"
+
+ - name: "Build container"
+ uses: ./.github/actions/container_prep
+ with:
+ DB_HANDLER: ${{ matrix.dbhandler }}
+ WEB_SRV: ${{ matrix.websrv }}
+
+ - name: "Setup a2c with nclm_ca_handler"
+ run: |
+ sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
+ sudo touch examples/Docker/data/acme_srv.cfg
+ sudo chmod 777 examples/Docker/data/acme_srv.cfg
+ sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
+ sudo echo "handler_file: examples/ca_handler/nclm_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "api_host: $NCLM_API_HOST" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "api_user: $NCLM_API_USER" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "api_password: $NCLM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "tsg_name: $NCLM_TSG_NAME" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "ca_name: $NCLM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "ca_id_list: [$NCLM_CA_ID_LIST]" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "request_timeout: 40" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> examples/Docker/data/acme_srv.cfg
+ sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg
+ cd examples/Docker/
+ docker-compose restart
+ env:
+ NCLM_API_HOST: ${{ secrets.NCLM_API_HOST }}
+ NCLM_API_USER: ${{ secrets.NCLM_API_USER }}
+ NCLM_API_PASSWORD: ${{ secrets.NCLM_API_PASSWORD }}
+ NCLM_TSG_NAME: ${{ secrets.NCLM_TSG_NAME }}
+ NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }}
+ NCLM_CA_ID_LIST: ${{ secrets.NCLM_CA_ID_LIST }}
+
+ - name: "Test enrollment"
+ uses: ./.github/actions/acme_clients
+ with:
+ HOSTNAME_SUFFIX: -${{ env.UUID }}
+ VERIFY_CERT: false
+ TEST_ADL: "true"
+
+ - name: "Verify allowed_domainlist error"
+ run: |
+ cd examples/Docker
+ docker-compose logs | grep "allowed_domainlist" | grep -i "either CN or SANs are not allowed by configuration"
+
+ - name: "Generate UUID"
+ run: |
+ echo UUID=$(uuidgen | cut -d "-" -f1) >> $GITHUB_ENV
+ - run: echo "UUID ${{ env.UUID }}"
+
+ - name: "Reconfigure nclm handler to test enrollment from MSCA"
+ run: |
+ sudo sed -i "s/ca_name: $NCLM_CA_NAME/ca_name: $NCLM_MSCA_NAME/g" examples/Docker/data/acme_srv.cfg
+ sudo echo "template_name: $NCLM_MSCA_TEMPLATE_NAME" >> examples/Docker/data/acme_srv.cfg
+ cd examples/Docker/
+ docker-compose restart
+ env:
+ NCLM_MSCA_TEMPLATE_NAME: ${{ secrets.NCLM_MSCA_TEMPLATE_NAME }}
+ NCLM_MSCA_NAME: ${{ secrets.NCLM_MSCA_NAME }}
+ NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }}
+
+ - name: "Test enrollment"
+ uses: ./.github/actions/acme_clients
+ with:
+ USE_RSA: true
+ HOSTNAME_SUFFIX: -${{ env.UUID }}
+
+ - name: "[ * ] collecting test logs"
+ if: ${{ failure() }}
+ run: |
+ mkdir -p ${{ github.workspace }}/artifact/upload
+ mkdir -p ${{ github.workspace }}/artifact/clients
+ sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
+ # sudo cp *.pem ${{ github.workspace }}/artifact/data/
+ sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/clients/acme-sh/
+ sudo cp -rp certbot/ ${{ github.workspace }}/artifact/clients/certbot/
+ sudo cp -rp lego/ ${{ github.workspace }}/artifact/clients/lego/
+ cd examples/Docker
+ docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
+ sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data clients
+
+ - name: "[ * ] uploading artificates"
+ uses: actions/upload-artifact@v4
+ if: ${{ failure() }}
+ with:
+ name: nclm_handler_tests-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
+ path: ${{ github.workspace }}/artifact/upload/
+
+
+ nclm_handler_tests_rpm:
+ name: "nclm_handler_tests_rpm"
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ # max-parallel: 1
+ matrix:
+ rhversion: [8, 9]
+ execscript: ['rpm_tester.sh', 'django_tester.sh']
+
+ steps:
+ - name: "checkout GIT"
+ uses: actions/checkout@v4
+
+ - name: "Generate UUID"
+ run: |
+ echo UUID=$(uuidgen | cut -d "-" -f1) >> $GITHUB_ENV
+ - run: echo "UUID ${{ env.UUID }}"
+
+ - name: "Prepare Alma environment"
+ uses: ./.github/actions/rpm_prep
+ with:
+ GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
+ GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
+ RH_VERSION: ${{ matrix.rhversion }}
+
+ - name: "Setup a2c with with nclm_ca_handler"
+ if: matrix.execscript == 'rpm_tester.sh'
+ run: |
+ mkdir -p data/acme_ca
+ sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
+ sudo touch data/acme_srv.cfg
+ sudo chmod 777 data/acme_srv.cfg
+ sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
+ sudo echo "handler_file: examples/ca_handler/nclm_ca_handler.py" >> data/acme_srv.cfg
+ sudo echo "api_host: $NCLM_API_HOST" >> data/acme_srv.cfg
+ sudo echo "api_user: $NCLM_API_USER" >> data/acme_srv.cfg
+ sudo echo "api_password: $NCLM_API_PASSWORD" >> data/acme_srv.cfg
+ sudo echo "tsg_name: $NCLM_TSG_NAME" >> data/acme_srv.cfg
+ sudo echo "ca_name: $NCLM_CA_NAME" >> data/acme_srv.cfg
+ sudo echo "ca_id_list: [$NCLM_CA_ID_LIST]" >> data/acme_srv.cfg
+ sudo echo "request_timeout: 40" >> data/acme_srv.cfg
+ sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> data/acme_srv.cfg
+ sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 60/g" data/acme_srv.cfg
+ env:
+ NCLM_API_HOST: ${{ secrets.NCLM_API_HOST }}
+ NCLM_API_USER: ${{ secrets.NCLM_API_USER }}
+ NCLM_API_PASSWORD: ${{ secrets.NCLM_API_PASSWORD }}
+ NCLM_TSG_NAME: ${{ secrets.NCLM_TSG_NAME }}
+ NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }}
+ NCLM_CA_ID_LIST: ${{ secrets.NCLM_CA_ID_LIST }}
+
+ - name: "Setup a2c with with nclm_ca_handler for django"
+ if: matrix.execscript == 'django_tester.sh'
+ run: |
+ sudo mkdir -p data/volume/acme_ca/certs
+ sudo cp test/ca/certsrv_ca_certs.pem data/volume/acme_ca/ca_certs.pem
+ sudo touch data/volume/acme_srv.cfg
+ sudo chmod 777 data/volume/acme_srv.cfg
+ sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/volume/acme_srv.cfg
+ sudo echo "handler_file: examples/ca_handler/nclm_ca_handler.py" >> data/volume/acme_srv.cfg
+ sudo echo "api_host: $NCLM_API_HOST" >> data/volume/acme_srv.cfg
+ sudo echo "api_user: $NCLM_API_USER" >> data/volume/acme_srv.cfg
+ sudo echo "api_password: $NCLM_API_PASSWORD" >> data/volume/acme_srv.cfg
+ sudo echo "tsg_name: $NCLM_TSG_NAME" >> data/volume/acme_srv.cfg
+ sudo echo "ca_name: $NCLM_CA_NAME" >> data/volume/acme_srv.cfg
+ sudo echo "ca_id_list: [$NCLM_CA_ID_LIST]" >> data/volume/acme_srv.cfg
+ sudo echo "request_timeout: 40" >> data/volume/acme_srv.cfg
+ sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> data/volume/acme_srv.cfg
+ sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 60/g" data/volume/acme_srv.cfg
+ env:
+ NCLM_API_HOST: ${{ secrets.NCLM_API_HOST }}
+ NCLM_API_USER: ${{ secrets.NCLM_API_USER }}
+ NCLM_API_PASSWORD: ${{ secrets.NCLM_API_PASSWORD }}
+ NCLM_TSG_NAME: ${{ secrets.NCLM_TSG_NAME }}
+ NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }}
+ NCLM_CA_ID_LIST: ${{ secrets.NCLM_CA_ID_LIST }}
+
+ - name: "Execute install scipt"
+ run: |
+ docker exec acme-srv sh /tmp/acme2certifier/$EXEC_SCRIPT
+ env:
+ EXEC_SCRIPT: ${{ matrix.execscript }}
+
+ - name: "Test enrollment"
+ uses: ./.github/actions/acme_clients
+ with:
+ HOSTNAME_SUFFIX: -${{ env.UUID }}
+ VERIFY_CERT: false
+ TEST_ADL: "true"
+
+ - name: "Verify allowed_domainlist error"
+ run: |
+ docker exec acme-srv grep -i "either CN or SANs are not allowed by configuration" /var/log/messages
+
+ - name: "Generate UUID"
+ run: |
+ echo UUID=$(uuidgen | cut -d "-" -f1) >> $GITHUB_ENV
+ - run: echo "UUID ${{ env.UUID }}"
+
+ - name: "Reconfigure nclm handler to test enrollment from MSCA"
+ if: matrix.execscript == 'rpm_tester.sh'
+ run: |
+ sudo sed -i "s/ca_name: $NCLM_CA_NAME/ca_name: $NCLM_MSCA_NAME/g" data/acme_srv.cfg
+ sudo echo "template_name: $NCLM_MSCA_TEMPLATE_NAME" >> data/acme_srv.cfg
+ env:
+ NCLM_MSCA_TEMPLATE_NAME: ${{ secrets.NCLM_MSCA_TEMPLATE_NAME }}
+ NCLM_MSCA_NAME: ${{ secrets.NCLM_MSCA_NAME }}
+ NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }}
+
+ - name: "Reconfigure nclm handler to test enrollment from MSCA"
+ if: matrix.execscript == 'django_tester.sh'
+ run: |
+ sudo sed -i "s/ca_name: $NCLM_CA_NAME/ca_name: $NCLM_MSCA_NAME/g" data/volume/acme_srv.cfg
+ sudo echo "template_name: $NCLM_MSCA_TEMPLATE_NAME" >> data/volume/acme_srv.cfg
+ env:
+ NCLM_MSCA_TEMPLATE_NAME: ${{ secrets.NCLM_MSCA_TEMPLATE_NAME }}
+ NCLM_MSCA_NAME: ${{ secrets.NCLM_MSCA_NAME }}
+ NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }}
+
+ - name: "Execute install scipt"
+ run: |
+ docker exec acme-srv sh /tmp/acme2certifier/$EXEC_SCRIPT restart
+ env:
+ EXEC_SCRIPT: ${{ matrix.execscript }}
+
+ - name: "Test enrollment"
+ uses: ./.github/actions/acme_clients
+ with:
+ USE_RSA: true
+ HOSTNAME_SUFFIX: -${{ env.UUID }}
+
+ - name: "[ * ] collecting test logs"
+ if: ${{ failure() }}
+ continue-on-error: true
+ run: |
+ mkdir -p ${{ github.workspace }}/artifact/upload
+ mkdir -p ${{ github.workspace }}/artifact/clients
+ docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
+ sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
+ # sudo cp *.pem ${{ github.workspace }}/artifact/data/
+ sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/clients/acme-sh/
+ sudo cp -rp certbot/ ${{ github.workspace }}/artifact/clients/certbot/
+ sudo cp -rp lego/ ${{ github.workspace }}/artifact/clients/lego/
+ sudo rm ${{ github.workspace }}/artifact/data/*.rpm
+ docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
+ docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
+ docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
+ sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data clients acme-srv.log
+
+ - name: "[ * ] uploading artificates"
+ uses: actions/upload-artifact@v4
+ if: ${{ failure() }}
+ with:
+ name: nclm_ca_handler_rpm-rh${{ matrix.rhversion }}-${{ matrix.execscript}}.tar.gz
+ path: ${{ github.workspace }}/artifact/upload/
\ No newline at end of file
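Review bot: On failure, both "[ * ] collecting test logs" steps copy the config directory (examples/Docker/data/ in nclm_handler_tests, data/ — including data/volume/acme_srv.cfg for the django variant — in nclm_handler_tests_rpm) into the artifact and upload it, but the setup steps have appended `api_password: $NCLM_API_PASSWORD` together with api_user and api_host to that acme_srv.cfg, so the NCLM credentials end up inside artifact.tar.gz; GitHub's secret masking applies to logs, not to artifact contents. Before each `sudo tar` line, strip the credential from the copy, e.g. `sudo find ${{ github.workspace }}/artifact/data -name acme_srv.cfg -exec sed -i '/^api_password:/d' {} +`. The same file is made world-readable and world-writable with `sudo chmod 777` before the password is written, and `sudo echo ... >>` only elevates the echo while the redirect runs as the runner user, so the 777 is what makes the append work; `printf '%s\n' "..." | sudo tee -a FILE` with the tightest mode the container can still read would keep the password off other users on the runner. Minor: "scipt", "artificates" and "with with" in step names are typos, and `VERIFY_CERT: false` next to `TEST_ADL: "true"` mixes quoting styles for action inputs, which are always passed as strings.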