diff --git a/.github/workflows/ca_handler_tests_asa.yml b/.github/workflows/ca_handler_tests_asa.yml
new file mode 100644
index 00000000..3333b4c1
--- /dev/null
+++ b/.github/workflows/ca_handler_tests_asa.yml
@@ -0,0 +1,625 @@ +name: CA handler Tests - Insta ASA + +on: + push: + pull_request: + branches: [ devel ] + schedule: + # * is a special character in YAML so you have to quote this string + - cron: '0 2 * * 6' + +jobs: + asa_handler_headerinfo_tests: + name: "asa_handler_headerinfo_tests" + runs-on: ubuntu-latest + steps: + - name: "checkout GIT" + uses: actions/checkout@v4 + + - name: "Build container" + uses: ./.github/actions/container_prep + with: + DB_HANDLER: "wsgi" + WEB_SRV: "apache2" + + - name: "Create lego folder" + run: | + mkdir lego + + - name: "Test http://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "a2c configuration with standard profile" + run: | + sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem + sudo touch examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_host: $ASA_API_HOST" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_user: $ASA_API_USER" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_password: $ASA_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_key: $ASA_API_KEY" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_name: $ASA_CA_NAME" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg + sudo echo "profile_name: $ASA_POFILE1" >> examples/Docker/data/acme_srv.cfg + sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" examples/Docker/data/acme_srv.cfg + sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg + cd 
examples/Docker/ + docker-compose restart + env: + ASA_API_HOST: ${{ secrets.ASA_API_HOST }} + ASA_API_USER: ${{ secrets.ASA_API_USER }} + ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }} + ASA_API_KEY: ${{ secrets.ASA_API_KEY }} + ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }} + ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }} + ASA_PROFILE1: ${{ secrets.ASA_POFILE1 }} + + - name: "Test http://acme-srv/directory is accessible again" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "Enroll lego with profileID ACME - could potenially fail" + continue-on-error: True + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profile_name=ACME -d lego.acme --key-type rsa2048 --http run + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Digital Signature" + + - name: "Enroll acme.sh with profileID ACME" + run: | + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --useragent profile_name=ACME --keylength 2048 --debug 3 --output-insecure + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature" + + - name: "Enroll lego with profileID ACME" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profile_name=ACME -d lego.acme --key-type rsa2048 --http run + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem 
lego/certificates/lego.acme.crt + sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Digital Signature" + + - name: "Enroll acme.sh with profileID ACME_2" + run: | + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --renew --server http://acme-srv --force -d acme-sh.acme --standalone --useragent profile_name=ACME_2 --keylength 2048 --debug 3 --output-insecure + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment" + + - name: "Enroll lego with profileID ACME_2" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profile_name=ACME_2 -d lego.acme --key-type rsa2048 --http run + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment" + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data lego + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v4 + if: ${{ failure() }} + with: + name: asa_handler_headerinfo_tests.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + asa_handler_tests: + name: "asa_handler_tests" + runs-on: ubuntu-latest + needs: asa_handler_headerinfo_tests + strategy: + max-parallel: 2 + fail-fast: 
false + matrix: + websrv: ['apache2', 'nginx'] + dbhandler: ['wsgi', 'django'] + steps: + - name: "checkout GIT" + uses: actions/checkout@v4 + + - name: "create folders" + run: | + mkdir lego + mkdir acme-sh + mkdir certbot + + - name: "Build container" + uses: ./.github/actions/container_prep + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + + - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Setup a2c with asa_ca_handler with profile ${{ secrets.ASA_PROFILE1 }}" + run: | + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_host: $ASA_API_HOST" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_user: $ASA_API_USER" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_password: $ASA_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_key: $ASA_API_KEY" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_name: $ASA_CA_NAME" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg + sudo echo "profile_name: $ASA_PROFILE1" >> examples/Docker/data/acme_srv.cfg + sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" examples/Docker/data/acme_srv.cfg + sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + docker-compose restart + env: + ASA_API_HOST: ${{ secrets.ASA_API_HOST }} + ASA_API_USER: ${{ secrets.ASA_API_USER }} + ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }} + ASA_API_KEY: ${{ secrets.ASA_API_KEY }} + ASA_CA_NAME: ${{ 
secrets.ASA_CA_NAME }} + ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }} + ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }} + + - name: "Test enrollment" + uses: ./.github/actions/acme_clients + with: + TEST_ADL: "true" + + - name: "Verify allowed_domainlist error" + run: | + cd examples/Docker + docker-compose logs | grep "allowed_domainlist" | grep -i "either CN or SANs are not allowed by configuration" + + - name: "${{ secrets.ASA_PROFILE1 }} - enrollment" + uses: ./.github/actions/wf_specific/asa_ca_handler/enroll_profile_1 + with: + PROFILE: ${{ secrets.ASA_PROFILE1 }} + + - name: "Profile ${{ secrets.ASA_PROFILE2 }} - Reconfiguration of a2c with a new profile" + run: | + sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem + sudo touch examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_host: $ASA_API_HOST" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_user: $ASA_API_USER" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_password: $ASA_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_key: $ASA_API_KEY" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_name: $ASA_CA_NAME" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg + sudo echo "profile_name: $ASA_PROFILE2" >> examples/Docker/data/acme_srv.cfg + sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + docker-compose restart + env: + ASA_API_HOST: ${{ secrets.ASA_API_HOST }} + ASA_API_USER: ${{ secrets.ASA_API_USER }} + ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }} + ASA_API_KEY: ${{ secrets.ASA_API_KEY }} + 
ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }} + ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }} + ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }} + + - name: "${{ secrets.ASA_PROFILE2 }} - enrollment" + uses: ./.github/actions/wf_specific/asa_ca_handler/enroll_profile_2 + with: + PROFILE: ${{ secrets.ASA_PROFILE1 }} + + - name: "Header-info - Setup asa_ca_handler with headerinfo" + run: | + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_host: $ASA_API_HOST" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_user: $ASA_API_USER" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_password: $ASA_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_key: $ASA_API_KEY" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_name: $ASA_CA_NAME" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg + sudo echo "profile_name: $ASA_PROFILE1" >> examples/Docker/data/acme_srv.cfg + sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" examples/Docker/data/acme_srv.cfg + sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + docker-compose restart + env: + ASA_API_HOST: ${{ secrets.ASA_API_HOST }} + ASA_API_USER: ${{ secrets.ASA_API_USER }} + ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }} + ASA_API_KEY: ${{ secrets.ASA_API_KEY }} + ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }} + ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }} + ASA_PROFILE1: ${{ 
secrets.ASA_PROFILE1 }} + + - name: "Hederinfo - enrollment" + uses: ./.github/actions/wf_specific/asa_ca_handler/enroll_headerinfo + with: + ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }} + ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }} + + - name: "EAB without headerinfo - Setup asa_ca_handler" + run: | + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_host: $ASA_API_HOST" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_user: $ASA_API_USER" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_password: $ASA_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_key: $ASA_API_KEY" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_name: $ASA_CA_NAME" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg + sudo echo "profile_name: $ASA_PROFILE1" >> examples/Docker/data/acme_srv.cfg + sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg + sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" examples/Docker/data/acme_srv.cfg + sudo echo -e "\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg + sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg + + sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json + sudo chmod 777 examples/eab_handler/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", 
\"profile_2\", \"profile_3\"\]/\"profile_name\"\: \[\"$ASA_PROFILE2\", \"$ASA_PROFILE1\"\]/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"profile_name\"\: \"$ASA_PROFILE3\"/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"$ASA_CA_NAME2\"/" examples/Docker/data/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/example.net/acme/g" examples/Docker/data/kid_profiles.json + sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json + sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json + + cd examples/Docker/ + docker-compose restart + env: + ASA_API_HOST: ${{ secrets.ASA_API_HOST }} + ASA_API_USER: ${{ secrets.ASA_API_USER }} + ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }} + ASA_API_KEY: ${{ secrets.ASA_API_KEY }} + ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }} + ASA_CA_NAME2: ${{ secrets.ASA_CA_NAME2 }} + ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }} + ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }} + ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }} + ASA_PROFILE3: ${{ secrets.ASA_PROFILE3 }} + + - name: "EAB without headerinfo - enrollment" + uses: ./.github/actions/wf_specific/asa_ca_handler/enroll_eab_wo_headerinfo + with: + ASA_CA_NAME1: ${{ secrets.ASA_CA_NAME }} + ASA_CA_NAME2: ${{ secrets.ASA_CA_NAME2 }} + + - name: "EAB with headerinfo - Setup asa_ca_handler" + run: | + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_host: $ASA_API_HOST" >> 
examples/Docker/data/acme_srv.cfg + sudo echo "api_user: $ASA_API_USER" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_password: $ASA_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_key: $ASA_API_KEY" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_name: $ASA_CA_NAME" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg + sudo echo "profile_name: $ASA_PROFILE1" >> examples/Docker/data/acme_srv.cfg + sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg + sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" examples/Docker/data/acme_srv.cfg + sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg + sudo echo -e "\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg + sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg + + sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json + sudo chmod 777 examples/eab_handler/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"profile_name\"\: \[\"$ASA_PROFILE2\", \"$ASA_PROFILE1\"\]/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"profile_name\"\: \"$ASA_PROFILE3\"/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"$ASA_CA_NAME2\"/" examples/Docker/data/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/example.net/acme/g" examples/Docker/data/kid_profiles.json + sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json + 
sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json + + cd examples/Docker/ + docker-compose restart + env: + ASA_API_HOST: ${{ secrets.ASA_API_HOST }} + ASA_API_USER: ${{ secrets.ASA_API_USER }} + ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }} + ASA_API_KEY: ${{ secrets.ASA_API_KEY }} + ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }} + ASA_CA_NAME2: ${{ secrets.ASA_CA_NAME2 }} + ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }} + ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }} + ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }} + ASA_PROFILE3: ${{ secrets.ASA_PROFILE3 }} + + - name: "EAB with headerinfo - enrollment" + uses: ./.github/actions/wf_specific/asa_ca_handler/enroll_eab_w_headerinfo + with: + ASA_CA_NAME1: ${{ secrets.ASA_CA_NAME }} + ASA_CA_NAME2: ${{ secrets.ASA_CA_NAME2 }} + + - name: "Check container configuration" + uses: ./.github/actions/container_check + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ + sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v4 + if: ${{ failure() }} + with: + name: asa-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + asa_handler_tests_rpm: + name: "asa_handler_tests_rpm" + runs-on: ubuntu-latest + needs: asa_handler_headerinfo_tests + strategy: + max-parallel: 1 + fail-fast: false + matrix: + rhversion: 
[8, 9] + steps: + - name: "checkout GIT" + uses: actions/checkout@v4 + + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep + with: + GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} + GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} + + - name: "Create letsencrypt and lego folder" + run: | + mkdir certbot + mkdir lego + mkdir acme-sh + + - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Setup a2c with asa_ca_handler with profile ${{ secrets.ASA_PROFILE1 }}" + run: | + mkdir -p data/acme_ca + sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem + sudo touch data/acme_srv.cfg + sudo chmod 777 data/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> data/acme_srv.cfg + sudo echo "api_host: $ASA_API_HOST" >> data/acme_srv.cfg + sudo echo "api_user: $ASA_API_USER" >> data/acme_srv.cfg + sudo echo "api_password: $ASA_API_PASSWORD" >> data/acme_srv.cfg + sudo echo "api_key: $ASA_API_KEY" >> data/acme_srv.cfg + sudo echo "ca_name: $ASA_CA_NAME" >> data/acme_srv.cfg + sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> data/acme_srv.cfg + sudo echo "profile_name: $ASA_PROFILE1" >> data/acme_srv.cfg + sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" data/acme_srv.cfg + sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> data/acme_srv.cfg + env: + ASA_API_HOST: ${{ secrets.ASA_API_HOST }} + ASA_API_USER: ${{ secrets.ASA_API_USER }} + ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }} + ASA_API_KEY: ${{ secrets.ASA_API_KEY }} + ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }} + ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }} + ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }} + + - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Execute install scipt" + run: | + docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh + + - name: "Test enrollment" + uses: 
./.github/actions/acme_clients + with: + TEST_ADL: "true" + + - name: "Verify allowed_domainlist error" + run: | + docker exec acme-srv grep -i "either CN or SANs are not allowed by configuration" /var/log/messages + + - name: "${{ secrets.ASA_PROFILE1 }} - enrollment" + uses: ./.github/actions/wf_specific/asa_ca_handler/enroll_profile_1 + with: + PROFILE: ${{ secrets.ASA_PROFILE1 }} + + - name: "Profile ${{ secrets.ASA_PROFILE2 }} - Setup a2c with asa_ca_handler with profile ${{ secrets.ASA_PROFILE1 }}" + run: | + sudo touch data/acme_srv.cfg + sudo chmod 777 data/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> data/acme_srv.cfg + sudo echo "api_host: $ASA_API_HOST" >> data/acme_srv.cfg + sudo echo "api_user: $ASA_API_USER" >> data/acme_srv.cfg + sudo echo "api_password: $ASA_API_PASSWORD" >> data/acme_srv.cfg + sudo echo "api_key: $ASA_API_KEY" >> data/acme_srv.cfg + sudo echo "ca_name: $ASA_CA_NAME" >> data/acme_srv.cfg + sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> data/acme_srv.cfg + sudo echo "profile_name: $ASA_PROFILE2" >> data/acme_srv.cfg + sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" data/acme_srv.cfg + env: + ASA_API_HOST: ${{ secrets.ASA_API_HOST }} + ASA_API_USER: ${{ secrets.ASA_API_USER }} + ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }} + ASA_API_KEY: ${{ secrets.ASA_API_KEY }} + ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }} + ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }} + ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }} + + - name: "Profile ${{ secrets.ASA_PROFILE2 }} - reconfigure a2c " + run: | + docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart + + - name: "${{ secrets.ASA_PROFILE2 }} - enrollment" + uses: ./.github/actions/wf_specific/asa_ca_handler/enroll_profile_2 + with: + PROFILE: ${{ secrets.ASA_PROFILE1 }} + + - name: "Header-info - 
Setup asa_ca_handler with headerinfo" + run: | + sudo touch data/acme_srv.cfg + sudo chmod 777 data/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> data/acme_srv.cfg + sudo echo "api_host: $ASA_API_HOST" >> data/acme_srv.cfg + sudo echo "api_user: $ASA_API_USER" >> data/acme_srv.cfg + sudo echo "api_password: $ASA_API_PASSWORD" >> data/acme_srv.cfg + sudo echo "api_key: $ASA_API_KEY" >> data/acme_srv.cfg + sudo echo "ca_name: $ASA_CA_NAME" >> data/acme_srv.cfg + sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> data/acme_srv.cfg + sudo echo "profile_name: $ASA_PROFILE1" >> data/acme_srv.cfg + sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" data/acme_srv.cfg + sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg + env: + ASA_API_HOST: ${{ secrets.ASA_API_HOST }} + ASA_API_USER: ${{ secrets.ASA_API_USER }} + ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }} + ASA_API_KEY: ${{ secrets.ASA_API_KEY }} + ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }} + ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }} + ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }} + + - name: "Profile ${{ secrets.ASA_PROFILE2 }} - reconfigure a2c " + run: | + docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart + + - name: "Hederinfo - enrollment" + uses: ./.github/actions/wf_specific/asa_ca_handler/enroll_headerinfo + with: + ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }} + ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }} + + - name: "EAB without headerinfo - Setup asa_ca_handler" + run: | + sudo touch data/acme_srv.cfg + sudo chmod 777 data/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> data/acme_srv.cfg + sudo echo 
"api_host: $ASA_API_HOST" >> data/acme_srv.cfg + sudo echo "api_user: $ASA_API_USER" >> data/acme_srv.cfg + sudo echo "api_password: $ASA_API_PASSWORD" >> data/acme_srv.cfg + sudo echo "api_key: $ASA_API_KEY" >> data/acme_srv.cfg + sudo echo "ca_name: $ASA_CA_NAME" >> data/acme_srv.cfg + sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> data/acme_srv.cfg + sudo echo "profile_name: $ASA_PROFILE1" >> data/acme_srv.cfg + sudo echo "eab_profiling: True" >> data/acme_srv.cfg + sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" data/acme_srv.cfg + sudo echo -e "\n\n[EABhandler]" >> data/acme_srv.cfg + sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg + sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg + + sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json + sudo chmod 777 data/acme_ca/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"profile_name\"\: \[\"$ASA_PROFILE2\", \"$ASA_PROFILE1\"\]/g" data/acme_ca/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"profile_name\"\: \"$ASA_PROFILE3\"/g" data/acme_ca/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"$ASA_CA_NAME2\"/" data/acme_ca/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json + sudo sed -i "s/example.net/acme/g" data/acme_ca/kid_profiles.json + sudo sed -i '18,19d' data/acme_ca/kid_profiles.json + sudo sed -i '8,9d' data/acme_ca/kid_profiles.json + env: + ASA_API_HOST: ${{ secrets.ASA_API_HOST }} + ASA_API_USER: ${{ secrets.ASA_API_USER }} + ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }} + ASA_API_KEY: ${{ secrets.ASA_API_KEY }} + ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }} + ASA_CA_NAME2: ${{ secrets.ASA_CA_NAME2 }} + ASA_CA_BUNDLE: ${{ 
secrets.ASA_CA_BUNDLE }} + ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }} + ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }} + ASA_PROFILE3: ${{ secrets.ASA_PROFILE3 }} + + - name: "EAB without headerinfo - Reconfigure a2c " + run: | + docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart + + - name: "EAB without headerinfo - enrollment" + uses: ./.github/actions/wf_specific/asa_ca_handler/enroll_eab_wo_headerinfo + with: + ASA_CA_NAME1: ${{ secrets.ASA_CA_NAME }} + ASA_CA_NAME2: ${{ secrets.ASA_CA_NAME2 }} + + - name: "EAB with headerinfo - Setup asa_ca_handler" + run: | + sudo touch data/acme_srv.cfg + sudo chmod 777 data/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> data/acme_srv.cfg + sudo echo "api_host: $ASA_API_HOST" >> data/acme_srv.cfg + sudo echo "api_user: $ASA_API_USER" >> data/acme_srv.cfg + sudo echo "api_password: $ASA_API_PASSWORD" >> data/acme_srv.cfg + sudo echo "api_key: $ASA_API_KEY" >> data/acme_srv.cfg + sudo echo "ca_name: $ASA_CA_NAME" >> data/acme_srv.cfg + sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> data/acme_srv.cfg + sudo echo "profile_name: $ASA_PROFILE1" >> data/acme_srv.cfg + sudo echo "eab_profiling: True" >> data/acme_srv.cfg + sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" data/acme_srv.cfg + sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg + sudo echo -e "\n\n[EABhandler]" >> data/acme_srv.cfg + sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg + sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg + + sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json + sudo chmod 777 data/acme_ca/kid_profiles.json + sudo sed -i 
"s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"profile_name\"\: \[\"$ASA_PROFILE2\", \"$ASA_PROFILE1\"\]/g" data/acme_ca/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"profile_name\"\: \"$ASA_PROFILE3\"/g" data/acme_ca/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"$ASA_CA_NAME2\"/" data/acme_ca/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json + sudo sed -i "s/example.net/acme/g" data/acme_ca/kid_profiles.json + sudo sed -i '18,19d' data/acme_ca/kid_profiles.json + sudo sed -i '8,9d' data/acme_ca/kid_profiles.json + env: + ASA_API_HOST: ${{ secrets.ASA_API_HOST }} + ASA_API_USER: ${{ secrets.ASA_API_USER }} + ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }} + ASA_API_KEY: ${{ secrets.ASA_API_KEY }} + ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }} + ASA_CA_NAME2: ${{ secrets.ASA_CA_NAME2 }} + ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }} + ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }} + ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }} + ASA_PROFILE3: ${{ secrets.ASA_PROFILE3 }} + + - name: "EAB with headerinfo - Reconfigure a2c " + run: | + docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart + + - name: "EAB with headerinfo - enrollment" + uses: ./.github/actions/wf_specific/asa_ca_handler/enroll_eab_w_headerinfo + with: + ASA_CA_NAME1: ${{ secrets.ASA_CA_NAME }} + ASA_CA_NAME2: ${{ secrets.ASA_CA_NAME2 }} + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier + sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ + sudo rm ${{ github.workspace }}/artifact/data/*.rpm + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig + docker exec acme-srv 
cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf + docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v4 + if: ${{ failure() }} + with: + name: asa_handler_tests_rpm-rh${{ matrix.rhversion }}.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + diff --git a/.github/workflows/ca_handler_tests_certifier.yml b/.github/workflows/ca_handler_tests_certifier.yml new file mode 100644 index 00000000..521045d3 --- /dev/null +++ b/.github/workflows/ca_handler_tests_certifier.yml 
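Review bot: The failure-path "[ * ] collecting test logs" steps copy examples/Docker/data/ (data/ in the rpm job) into the artifact directory and upload it, but every setup step first writes `api_password: $ASA_API_PASSWORD` and `api_key: $ASA_API_KEY` into acme_srv.cfg inside that directory, so any failed run publishes the ASA credentials in a downloadable artifact, where the log-level secret masking does not apply. Redact them before the tar line in all three jobs, e.g. `sudo sed -i -E 's/^(api_user|api_password|api_key):.*/\1: <redacted>/' ${{ github.workspace }}/artifact/data/acme_srv.cfg`. Separately, in asa_handler_headerinfo_tests the config step writes `profile_name: $ASA_POFILE1` while the env block maps `ASA_PROFILE1: ${{ secrets.ASA_POFILE1 }}`, so the shell variable is never set and profile_name is written empty; both should read ASA_PROFILE1. The two "${{ secrets.ASA_PROFILE2 }} - enrollment" steps also invoke enroll_profile_2 with `PROFILE: ${{ secrets.ASA_PROFILE1 }}`, which looks like a copy-paste slip unless that composite action deliberately takes the other profile.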
@@ -0,0 +1,571 @@ +name: CA handler Tests - Certifier + +on: + push: + pull_request: + branches: [ devel ] + schedule: + # * is a special character in YAML so you have to quote this string + - cron: '0 2 * * 6' + +jobs: + certifier_handler_tests: + name: "certifier_handler_tests" + runs-on: ubuntu-latest + strategy: + max-parallel: 2 + fail-fast: false + matrix: + websrv: ['apache2', 'nginx'] + dbhandler: ['wsgi', 'django'] + steps: + - name: "checkout GIT" + uses: actions/checkout@v4 + + - name: "Build container" + uses: ./.github/actions/container_prep + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + + - name: "Setup tunnel" + uses: ./.github/actions/wf_specific/certifier_ca_handler/tunnel_setup + with: + WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }} + WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} + WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} + NCM_API_HOST: ${{ secrets.NCM_API_HOST }} + WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} + WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} + NCM_API_USER: ${{ secrets.NCM_API_USER }} + NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }} + + - name: "No profile - Setup a2c with certifier_ca_handler" + run: | + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + # sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_host: https://forwarder.acme:8084" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_bundle: False" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_password: 
$NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg + # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg + sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + docker-compose restart + env: + NCM_API_HOST: ${{ secrets.NCM_API_HOST }} + NCM_API_USER: ${{ secrets.NCM_API_USER }} + NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }} + NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }} + NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }} + + - name: "Test enrollment" + uses: ./.github/actions/acme_clients + with: + TEST_ADL: "true" + + - name: "Verify allowed_domainlist error" + run: | + cd examples/Docker + docker-compose logs | grep "allowed_domainlist" | grep -i "either CN or SANs are not allowed by configuration" + + - name: "No profile - Enrollmnet" + uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_no_profile + + - name: "Profile 101 - Setup a2c with certifier_ca_handler with profile 101" + run: | + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + # sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_host: https://forwarder.acme:8084" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_bundle: False" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg + # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg + sudo echo "profile_id: 101" >> examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + docker-compose restart + env: + NCM_API_HOST: ${{ 
secrets.NCM_API_HOST }} + NCM_API_USER: ${{ secrets.NCM_API_USER }} + NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }} + NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }} + NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }} + PROFILE: ${{ secrets.PROFILE }} + + - name: "Profile 101 - Enrollmnet" + uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_101_profile + + - name: "Profile 102 - Setup a2c with certifier_ca_handler with Profile 102" + run: | + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + # sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_host: https://forwarder.acme:8084" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_bundle: False" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg + # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg + sudo echo "profile_id: 102" >> examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + docker-compose restart + env: + NCM_API_HOST: ${{ secrets.NCM_API_HOST }} + NCM_API_USER: ${{ secrets.NCM_API_USER }} + NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }} + NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }} + NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }} + + - name: "Profile 102 - Enrollmnet" + uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_102_profile + + - name: "Header-info - Setup a2c with certifier_ca_handler with header-info" + run: | + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + # 
sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_host: https://forwarder.acme:8084" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_bundle: False" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg + # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg + sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + docker-compose restart + env: + NCM_API_HOST: ${{ secrets.NCM_API_HOST }} + NCM_API_USER: ${{ secrets.NCM_API_USER }} + NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }} + NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }} + NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }} + + - name: "Header-info - Enrollmnet" + uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_headerinfo + + - name: "EAB without headerinfo - Setup a2c with certifier_ca_handler" + run: | + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + # sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_host: https://forwarder.acme:8084" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_bundle: False" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg + # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg + sudo echo "profile_id: 100" >> 
examples/Docker/data/acme_srv.cfg + sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg + sudo echo -e "\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg + sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg + + sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json + sudo chmod 777 examples/eab_handler/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"profile_id\"\: \[\"102\", \"101\"\, \"100\"]/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"profile_id\"\: \"102\"/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"SubCA2\"/" examples/Docker/data/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/example.net/acme/g" examples/Docker/data/kid_profiles.json + sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json + sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json + + cd examples/Docker/ + docker-compose restart + env: + NCM_API_HOST: ${{ secrets.NCM_API_HOST }} + NCM_API_USER: ${{ secrets.NCM_API_USER }} + NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }} + NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }} + NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }} + + - name: "EAB without headerinfo - Enrollment" + uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_eab_wo_headerinfo + + - name: "EAB with headerinfo - Setup a2c with certifier_ca_handler" + run: | + sudo touch examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: 
examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + # sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_host: https://forwarder.acme:8084" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_bundle: False" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg + # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg + sudo echo "profile_id: 100" >> examples/Docker/data/acme_srv.cfg + sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg + sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg + sudo echo -e "\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg + sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg + + sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json + sudo chmod 777 examples/eab_handler/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"profile_id\"\: \[\"102\", \"101\"\, \"100\"]/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"profile_id\"\: \"102\"/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"SubCA2\"/" examples/Docker/data/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/example.net/acme/g" examples/Docker/data/kid_profiles.json + sudo sed -i '18,19d' 
examples/Docker/data/kid_profiles.json + sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json + cd examples/Docker/ + docker-compose restart + env: + NCM_API_HOST: ${{ secrets.NCM_API_HOST }} + NCM_API_USER: ${{ secrets.NCM_API_USER }} + NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }} + NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }} + NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }} + + - name: "EAB with headerinfo - Enrollment" + uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_eab_w_headerinfo + + - name: "EAB with headerinfo - Reconfigure key_file without restarting" + run: | + sudo sed -i "s/\"allowed_domainlist\": \[\"www.example.com\", \"www.example.org\"\]/\"allowed_domainlist\": \[\"www.example.com\", \"www.example.org\", \"*.acme\"\]/g" examples/Docker/data/kid_profiles.json + sudo sed -i '26,27d' examples/Docker/data/kid_profiles.json + sudo sed -i "s/ \"hmac\": \"YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr\"/ \"hmac\": \"YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr\"\n },\n \"keyid_04\": {\n \"hmac\": \"YW5kX2hlcmVfaXNfYW5vdGhlcl92ZXJ5X2xvbmdfbWFja19obWFjX2tleV90b19jaGVja19pZl9jaGFuZ2VzX2FmZmVjdF9pbW1lZGF0ZWx5\",\n \"cahandler\": {}\n }\n}/g" examples/Docker/data/kid_profiles.json + + - name: "EAB with headerinfo - Enrollment after reconfiguration" + uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_eab_w_headerinfo + with: + RECONFIGURE: true + + - name: "kid-file in yaml format - Reconfiguration" + run: | + sudo sed -i "s/kid_profiles.json/kid_profiles.yml/g" examples/Docker/data/acme_srv.cfg + sudo pip3 install yq + sudo pip3 install jq + sudo sh -c "cat examples/Docker/data/kid_profiles.json | yq -y '.' 
> examples/Docker/data/kid_profiles.yml" + sudo rm examples/Docker/data/kid_profiles.json + sudo sed -i '33,34d' examples/Docker/data/kid_profiles.yml + # sudo cat examples/Docker/data/kid_profiles.yml + + - name: "kid-file in yaml format - Enrollment after reconfiguration" + uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_eab_w_headerinfo + with: + RECONFIGURE: true + + - name: "Check container configuration" + uses: ./.github/actions/container_check + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ + sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v4 + if: ${{ failure() }} + with: + name: ncm-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + certifier_handler_tests_rpm: + name: "certifier_handler_tests_rpm" + runs-on: ubuntu-latest + # needs: certifier_handler_tests + strategy: + fail-fast: false + max-parallel: 1 + matrix: + rhversion: [8, 9] + steps: + - name: "checkout GIT" + uses: actions/checkout@v4 + + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep + with: + GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} + GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} + + - name: "Setup tunnel" + uses: ./.github/actions/wf_specific/certifier_ca_handler/tunnel_setup + with: 
+ WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }} + WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} + WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} + NCM_API_HOST: ${{ secrets.NCM_API_HOST }} + WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} + WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} + NCM_API_USER: ${{ secrets.NCM_API_USER }} + NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }} + + - name: "No profile - Setup a2c with certifier_ca_handler" + run: | + mkdir -p data/acme_ca + sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem + sudo touch data/acme_srv.cfg + sudo chmod 777 data/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg + # sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg + sudo echo "api_host: https://forwarder.acme:8084" >> data/acme_srv.cfg + sudo echo "ca_bundle: False" >> data/acme_srv.cfg + sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg + sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg + sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg + # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg + sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> data/acme_srv.cfg + env: + NCM_API_HOST: ${{ secrets.NCM_API_HOST }} + NCM_API_USER: ${{ secrets.NCM_API_USER }} + NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }} + NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }} + NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }} + + - name: "Execute install scipt" + run: | + docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh + + - name: "Test enrollment" + uses: ./.github/actions/acme_clients + with: + TEST_ADL: "true" + + - name: "Verify allowed_domainlist error" + run: | + docker exec acme-srv grep -i "either CN or SANs are not allowed by configuration" /var/log/messages + + - name: "No profile - Enrollmnet" + uses: 
./.github/actions/wf_specific/certifier_ca_handler/enroll_no_profile + + - name: "Profile 101 - Setup a2c with certifier_ca_handler with profile 101" + run: | + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg + # sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg + sudo echo "api_host: https://forwarder.acme:8084" >> data/acme_srv.cfg + sudo echo "ca_bundle: False" >> data/acme_srv.cfg + sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg + sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg + sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg + # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg + sudo echo "profile_id: 101" >> data/acme_srv.cfg + env: + NCM_API_HOST: ${{ secrets.NCM_API_HOST }} + NCM_API_USER: ${{ secrets.NCM_API_USER }} + NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }} + NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }} + NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }} + PROFILE: ${{ secrets.PROFILE }} + + - name: "Profile 101 - Reconfigure a2c " + run: | + docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart + + - name: "Profile 101 - Enrollmnet" + uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_101_profile + + - name: "Profile 102 - Setup a2c with certifier_ca_handler with profile 101" + run: | + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg + # sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg + sudo echo "api_host: https://forwarder.acme:8084" >> data/acme_srv.cfg + sudo echo "ca_bundle: False" >> data/acme_srv.cfg + sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg + sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg + sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg + # sudo 
echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg + sudo echo "profile_id: 102" >> data/acme_srv.cfg + env: + NCM_API_HOST: ${{ secrets.NCM_API_HOST }} + NCM_API_USER: ${{ secrets.NCM_API_USER }} + NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }} + NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }} + NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }} + PROFILE: ${{ secrets.PROFILE }} + + - name: "Profile 102 - Reconfigure a2c " + run: | + docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart + + - name: "Profile 102 - Enrollmnet" + uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_102_profile + + - name: "Header-info - Setup a2c with certifier_ca_handler" + run: | + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg + # sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg + sudo echo "api_host: https://forwarder.acme:8084" >> data/acme_srv.cfg + sudo echo "ca_bundle: False" >> data/acme_srv.cfg + sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg + sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg + sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg + # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg + sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg + env: + NCM_API_HOST: ${{ secrets.NCM_API_HOST }} + NCM_API_USER: ${{ secrets.NCM_API_USER }} + NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }} + NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }} + NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }} + PROFILE: ${{ secrets.PROFILE }} + + - name: "Header-info - Reconfigure a2c " + run: | + docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart + + - name: "Header-info - Enrollmnet" + uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_headerinfo + + - name: "EAB without headerinfo - Setup a2c with 
certifier_ca_handler" + run: | + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg + # sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg + sudo echo "api_host: https://forwarder.acme:8084" >> data/acme_srv.cfg + sudo echo "ca_bundle: False" >> data/acme_srv.cfg + sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg + sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg + sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg + # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg + sudo echo "profile_id: 100" >> data/acme_srv.cfg + sudo echo "eab_profiling: True" >> data/acme_srv.cfg + sudo echo -e "\n\n[EABhandler]" >> data/acme_srv.cfg + sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg + sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg + + sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json + sudo chmod 777 data/acme_ca/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"profile_id\"\: \[\"102\", \"101\"\, \"100\"]/g" data/acme_ca/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"profile_id\"\: \"102\"/g" data/acme_ca/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"SubCA2\"/" data/acme_ca/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json + sudo sed -i "s/example.net/acme/g" data/acme_ca/kid_profiles.json + sudo sed -i '18,19d' data/acme_ca/kid_profiles.json + sudo sed -i '8,9d' data/acme_ca/kid_profiles.json + env: + NCM_API_HOST: ${{ secrets.NCM_API_HOST }} + NCM_API_USER: ${{ secrets.NCM_API_USER }} + NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }} + NCM_CA_NAME: ${{ 
secrets.NCM_CA_NAME }} + NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }} + PROFILE: ${{ secrets.PROFILE }} + + - name: "EAB without headerinfo - Reconfigure a2c " + run: | + docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart + + - name: "EAB without headerinfo - Enrollment" + uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_eab_wo_headerinfo + + - name: "EAB with headerinfo - Setup a2c with certifier_ca_handler" + run: | + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg + # sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg + sudo echo "api_host: https://forwarder.acme:8084" >> data/acme_srv.cfg + sudo echo "ca_bundle: False" >> data/acme_srv.cfg + sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg + sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg + sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg + # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg + sudo echo "profile_id: 100" >> data/acme_srv.cfg + sudo echo "eab_profiling: True" >> data/acme_srv.cfg + sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg + sudo echo -e "\n\n[EABhandler]" >> data/acme_srv.cfg + sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg + sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg + + sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json + sudo chmod 777 data/acme_ca/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"profile_id\"\: \[\"102\", \"101\"\, \"100\"]/g" data/acme_ca/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"profile_id\"\: \"102\"/g" data/acme_ca/kid_profiles.json + sudo sed -i 
"s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"SubCA2\"/" data/acme_ca/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json + sudo sed -i "s/example.net/acme/g" data/acme_ca/kid_profiles.json + sudo sed -i '18,19d' data/acme_ca/kid_profiles.json + sudo sed -i '8,9d' data/acme_ca/kid_profiles.json + env: + NCM_API_HOST: ${{ secrets.NCM_API_HOST }} + NCM_API_USER: ${{ secrets.NCM_API_USER }} + NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }} + NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }} + NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }} + PROFILE: ${{ secrets.PROFILE }} + + - name: "EAB with headerinfo - Reconfigure a2c " + run: | + docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart + + - name: "EAB with headerinfo - Enrollment" + uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_eab_w_headerinfo + + - name: "EAB with headerinfo - Reconfigure key_file without restarting" + run: | + sudo sed -i "s/\"allowed_domainlist\": \[\"www.example.com\", \"www.example.org\"\]/\"allowed_domainlist\": \[\"www.example.com\", \"www.example.org\", \"*.acme\"\]/g" data/acme_ca/kid_profiles.json + sudo sed -i '26,27d' data/acme_ca/kid_profiles.json + sudo sed -i "s/ \"hmac\": \"YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr\"/ \"hmac\": \"YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr\"\n },\n \"keyid_04\": {\n \"hmac\": \"YW5kX2hlcmVfaXNfYW5vdGhlcl92ZXJ5X2xvbmdfbWFja19obWFjX2tleV90b19jaGVja19pZl9jaGFuZ2VzX2FmZmVjdF9pbW1lZGF0ZWx5\",\n \"cahandler\": {}\n }\n}/g" data/acme_ca/kid_profiles.json + + - name: "Update configuration" + run: | + docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh update + + - name: "EAB with headerinfo - Enrollment after reconfiguration" + uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_eab_w_headerinfo + with: + RECONFIGURE: true 
+ + - name: "kid-file in yaml format - Reconfiguration" + run: | + sudo sed -i "s/kid_profiles.json/kid_profiles.yml/g" data/acme_srv.cfg + sudo pip3 install yq + sudo pip3 install jq + sudo sh -c "cat data/acme_ca/kid_profiles.json | yq -y '.' > data/acme_ca/kid_profiles.yml" + sudo rm data/acme_ca/kid_profiles.json + sudo sed -i '33,34d' data/acme_ca/kid_profiles.yml + + - name: "kid-file in yaml format - update a2c " + run: | + docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart + + - name: "kid-file in yaml format - Enrollment after reconfiguration" + uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_eab_w_headerinfo + with: + RECONFIGURE: true + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier + sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ + sudo rm ${{ github.workspace }}/artifact/data/*.rpm + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig + docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf + docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v4 + if: ${{ failure() }} + with: + name: certifier_ca_handler_rpm-rh${{ matrix.rhversion }}.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + diff --git a/.github/workflows/ca_handler_tests_xca.yml b/.github/workflows/ca_handler_tests_xca.yml deleted file mode 100644 index bf08c5ec..00000000 --- a/.github/workflows/ca_handler_tests_xca.yml +++ /dev/null 
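Review bot: The failure-path "collecting test logs" steps copy `examples/Docker/data/` (and `data/` in the rpm job) into the artifact and publish it with actions/upload-artifact, but the `acme_srv.cfg` in those directories was populated with `api_user: $NCM_API_USER` and `api_password: $NCM_API_PASSWORD` from repository secrets; GitHub masks secrets in logs, not in artifacts, so any failed run hands the NCM credentials to everyone who can download the artifact. Redact before packaging, e.g. `sudo sed -i 's/^api_password:.*/api_password: <REDACTED>/' ${{ github.workspace }}/artifact/data/acme_srv.cfg` ahead of the `tar` line in both jobs, or leave the cfg out of the tar's file list. The asa workflow's log-collection step above follows the same copy-and-upload pattern and needs the same treatment. Separately, `sudo pip3 install yq` and `sudo pip3 install jq` run unpinned at workflow time; pinning versions (or hashes) would keep the test reproducible and narrow the supply-chain surface of the runner.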
@@ -1,470 +0,0 @@ -name: CA handler tests - XCA - -on: - push: - pull_request: - branches: [ devel ] - schedule: - # * is a special character in YAML so you have to quote this string - - cron: '0 2 * * 6' - -jobs: - xca_handler_tests: - name: "xca_handler_tests" - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - websrv: ['apache2', 'nginx'] - dbhandler: ['wsgi', 'django'] - steps: - - name: "checkout GIT" - uses: actions/checkout@v4 - - - name: "Build container" - uses: ./.github/actions/container_prep - with: - DB_HANDLER: ${{ matrix.dbhandler }} - WEB_SRV: ${{ matrix.websrv }} - - - name: "No template - Setup a2c with xca_ca_handler" - run: | - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py - sudo mkdir -p examples/Docker/data/xca - sudo chmod -R 777 examples/Docker/data/xca - sudo cp test/ca/acme2certifier-clean.xdb examples/Docker/data/xca/$XCA_DB_NAME - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo touch examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg - sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/xca_ca_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "xdb_file: volume/xca/$XCA_DB_NAME" >> examples/Docker/data/acme_srv.cfg - sudo echo "issuing_ca_name: $XCA_ISSUING_CA" >> examples/Docker/data/acme_srv.cfg - sudo echo "passphrase: $XCA_PASSPHRASE" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_cert_chain_list: [\"root-ca\"]" >> 
examples/Docker/data/acme_srv.cfg - # sudo echo "template_name: $XCA_TEMPLATE" >> examples/Docker/data/acme_srv.cfg - sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - env: - XCA_PASSPHRASE: ${{ secrets.XCA_PASSPHRASE }} - XCA_ISSUING_CA: ${{ secrets.XCA_ISSUING_CA }} - XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} - XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} - - - name: "Test enrollment" - uses: ./.github/actions/acme_clients - with: - TEST_ADL: "true" - - - name: "Verify allowed_domainlist error" - run: | - cd examples/Docker - docker-compose logs | grep -i "either CN or SANs are not allowed by configuration" - - - name: "No Template - enrollment" - uses: ./.github/actions/wf_specific/xca_ca_handler/enroll_no_template - - - name: "Template - Setup a2c with xca_ca_handler" - run: | - sudo mkdir -p examples/Docker/data/xca - sudo chmod -R 777 examples/Docker/data/xca - sudo cp test/ca/acme2certifier-clean.xdb examples/Docker/data/xca/$XCA_DB_NAME - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo touch examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg - sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/xca_ca_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "xdb_file: volume/xca/$XCA_DB_NAME" >> examples/Docker/data/acme_srv.cfg - sudo echo "issuing_ca_name: $XCA_ISSUING_CA" >> examples/Docker/data/acme_srv.cfg - sudo echo "passphrase: $XCA_PASSPHRASE" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_cert_chain_list: [\"root-ca\"]" >> examples/Docker/data/acme_srv.cfg - sudo echo "template_name: $XCA_TEMPLATE" >> examples/Docker/data/acme_srv.cfg - cd 
examples/Docker/ - docker-compose restart - env: - XCA_PASSPHRASE: ${{ secrets.XCA_PASSPHRASE }} - XCA_ISSUING_CA: ${{ secrets.XCA_ISSUING_CA }} - XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} - XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} - - - name: "Test enrollment" - uses: ./.github/actions/acme_clients - - - name: "Template - enrollment" - uses: ./.github/actions/wf_specific/xca_ca_handler/enroll_template - - - name: "Header-info - Setup a2c with xca_ca_handler" - run: | - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py - sudo mkdir -p examples/Docker/data/xca - sudo chmod -R 777 examples/Docker/data/xca - sudo cp test/ca/acme2certifier-clean.xdb examples/Docker/data/xca/$XCA_DB_NAME - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo touch examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg - sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/xca_ca_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "xdb_file: volume/xca/$XCA_DB_NAME" >> examples/Docker/data/acme_srv.cfg - sudo echo "issuing_ca_name: $XCA_ISSUING_CA" >> examples/Docker/data/acme_srv.cfg - sudo echo "passphrase: $XCA_PASSPHRASE" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_cert_chain_list: [\"root-ca\"]" >> examples/Docker/data/acme_srv.cfg - sudo echo "template_name: $XCA_TEMPLATE" >> examples/Docker/data/acme_srv.cfg - sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: 
[\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - env: - XCA_PASSPHRASE: ${{ secrets.XCA_PASSPHRASE }} - XCA_ISSUING_CA: ${{ secrets.XCA_ISSUING_CA }} - XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} - XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} - - - name: "Header-info - enrollment" - uses: ./.github/actions/wf_specific/xca_ca_handler/enroll_headerinfo - - - name: "EAB - Setup a2c with xca_ca_handler - profiling" - run: | - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py - sudo mkdir -p examples/Docker/data/xca - sudo chmod -R 777 examples/Docker/data/xca - sudo cp test/ca/acme2certifier-clean.xdb examples/Docker/data/xca/$XCA_DB_NAME - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo touch examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg > examples/Docker/data/acme_srv.cfg - sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/xca_ca_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "xdb_file: volume/xca/$XCA_DB_NAME" >> examples/Docker/data/acme_srv.cfg - sudo echo "issuing_ca_name: $XCA_ISSUING_CA" >> examples/Docker/data/acme_srv.cfg - sudo echo "passphrase: $XCA_PASSPHRASE" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_cert_chain_list: [\"root-ca\"]" >> examples/Docker/data/acme_srv.cfg - sudo echo "template_name: $XCA_TEMPLATE" >> examples/Docker/data/acme_srv.cfg - sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg - sudo sed -i 
"s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg - sudo echo -e "\n\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg - sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg - - sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json - sudo chmod 777 examples/eab_handler/kid_profiles.json - sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"template_name\"\: \[\"template\", \"acme\"\]/g" examples/Docker/data/kid_profiles.json - sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"template_name\"\: \"template\"/g" examples/Docker/data/kid_profiles.json - sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"issuing_ca_name\": \"root-ca\",\n \"issuing_ca_key\": \"root-ca\"/g" examples/Docker/data/kid_profiles.json - sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json - sudo sed -i "s/example.net/acme/g" examples/Docker/data/kid_profiles.json - sudo sed -i '19,20d' examples/Docker/data/kid_profiles.json - sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json - - cd examples/Docker/ - docker-compose restart - env: - XCA_PASSPHRASE: ${{ secrets.XCA_PASSPHRASE }} - XCA_ISSUING_CA: ${{ secrets.XCA_ISSUING_CA }} - XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} - XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} - - - name: "EAB - enrollment" - uses: ./.github/actions/wf_specific/xca_ca_handler/enroll_eab - - - name: "EAB subject profiling - Setup a2c with xca_ca_handler " - run: | - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem 
examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py - sudo mkdir -p examples/Docker/data/xca - sudo chmod -R 777 examples/Docker/data/xca - sudo cp test/ca/acme2certifier-clean.xdb examples/Docker/data/xca/$XCA_DB_NAME - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo touch examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg > examples/Docker/data/acme_srv.cfg - sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/xca_ca_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "xdb_file: volume/xca/$XCA_DB_NAME" >> examples/Docker/data/acme_srv.cfg - sudo echo "issuing_ca_name: $XCA_ISSUING_CA" >> examples/Docker/data/acme_srv.cfg - sudo echo "passphrase: $XCA_PASSPHRASE" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_cert_chain_list: [\"root-ca\"]" >> examples/Docker/data/acme_srv.cfg - sudo echo "template_name: $XCA_TEMPLATE" >> examples/Docker/data/acme_srv.cfg - sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg - sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg - sudo echo -e "\n\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg - sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg - - sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json - sudo chmod 777 examples/eab_handler/kid_profiles.json - sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"template_name\"\: \"acme\"/g" 
examples/Docker/data/kid_profiles.json - sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"template_name\"\: \"template\"/g" examples/Docker/data/kid_profiles.json - sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"issuing_ca_name\": \"root-ca\",\n \"issuing_ca_key\": \"root-ca\"/g" examples/Docker/data/kid_profiles.json - sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\",/g" examples/Docker/data/kid_profiles.json - sudo sed -i "s/example.net/acme/g" examples/Docker/data/kid_profiles.json - sudo sed -i '19,20d' examples/Docker/data/kid_profiles.json - sudo sed -i '9d' examples/Docker/data/kid_profiles.json - sudo sed -i "s/\"api_user\"\: \"api_user\",/\"subject\"\: \{\n \"serialNumber\"\: \"*\",\n \"organizationName\"\: \"acme corp\",\n \"organizationalUnitName\"\: \[\"acme1\", \"acme2\"\],\n \"countryName\"\: \"AC\"\n \}/g" examples/Docker/data/kid_profiles.json - cd examples/Docker/ - docker-compose restart - env: - XCA_PASSPHRASE: ${{ secrets.XCA_PASSPHRASE }} - XCA_ISSUING_CA: ${{ secrets.XCA_ISSUING_CA }} - XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} - XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} - - - name: "EAB subject profiling - enrollment" - uses: ./.github/actions/wf_specific/xca_ca_handler/enroll_eab_sp - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh lego - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v4 - if: ${{ failure() }} - with: - name: xca_handler-${{ matrix.websrv }}-${{ matrix.dbhandler 
}}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - xca_handler_tests_rpm: - name: "xca_handler_tests_rpm" - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - rhversion: [8, 9] - steps: - - name: "checkout GIT" - uses: actions/checkout@v4 - - - name: "Prepare Alma environment" - uses: ./.github/actions/rpm_prep - with: - GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} - GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} - RH_VERSION: ${{ matrix.rhversion }} - - - name: "No template - Setup a2c with xca_ca_handler" - run: | - mkdir -p data/acme_ca - sudo cp test/ca/acme2certifier-clean.xdb data/acme_ca/$XCA_DB_NAME - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/ - sudo touch data/acme_srv.cfg - sudo chmod 777 data/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg - sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/xca_ca_handler.py" >> data/acme_srv.cfg - sudo echo "xdb_file: volume/acme_ca/$XCA_DB_NAME" >> data/acme_srv.cfg - sudo echo "issuing_ca_name: $XCA_ISSUING_CA" >> data/acme_srv.cfg - sudo echo "passphrase: $XCA_PASSPHRASE" >> data/acme_srv.cfg - sudo echo "ca_cert_chain_list: [\"root-ca\"]" >> data/acme_srv.cfg - # sudo echo "template_name: $XCA_TEMPLATE" >> data/acme_srv.cfg - sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> data/acme_srv.cfg - env: - XCA_PASSPHRASE: ${{ secrets.XCA_PASSPHRASE }} - XCA_ISSUING_CA: ${{ secrets.XCA_ISSUING_CA }} - XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} - XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} - - - name: "No template - Execute install scipt" - run: | - docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh - - - name: "Test enrollment" - uses: ./.github/actions/acme_clients - with: - TEST_ADL: "true" - - - name: "Verify allowed_domainlist error" - run: | - docker exec acme-srv grep -i "either CN 
or SANs are not allowed by configuration" /var/log/messages - - - name: "No Template - enrollment" - uses: ./.github/actions/wf_specific/xca_ca_handler/enroll_no_template - - - name: "Template - Setup a2c with xca_ca_handler" - run: | - mkdir -p data/acme_ca - sudo cp test/ca/acme2certifier-clean.xdb data/acme_ca/$XCA_DB_NAME - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/ - sudo touch data/acme_srv.cfg - sudo chmod 777 data/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg - sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/xca_ca_handler.py" >> data/acme_srv.cfg - sudo echo "xdb_file: volume/acme_ca/$XCA_DB_NAME" >> data/acme_srv.cfg - sudo echo "issuing_ca_name: $XCA_ISSUING_CA" >> data/acme_srv.cfg - sudo echo "passphrase: $XCA_PASSPHRASE" >> data/acme_srv.cfg - sudo echo "ca_cert_chain_list: [\"root-ca\"]" >> data/acme_srv.cfg - sudo echo "template_name: $XCA_TEMPLATE" >> data/acme_srv.cfg - env: - XCA_PASSPHRASE: ${{ secrets.XCA_PASSPHRASE }} - XCA_ISSUING_CA: ${{ secrets.XCA_ISSUING_CA }} - XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} - XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} - - - name: "Template - Reconfigure a2c " - run: | - docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart - - - name: "Template - Test enrollment" - uses: ./.github/actions/acme_clients - - - name: "Template - enrollment" - uses: ./.github/actions/wf_specific/xca_ca_handler/enroll_template - - - name: "Header-info - Setup a2c with xca_ca_handler" - run: | - mkdir -p data/acme_ca - sudo cp test/ca/acme2certifier-clean.xdb data/acme_ca/$XCA_DB_NAME - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/ - sudo touch data/acme_srv.cfg - sudo chmod 777 data/acme_srv.cfg - 
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg - sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/xca_ca_handler.py" >> data/acme_srv.cfg - sudo echo "xdb_file: volume/acme_ca/$XCA_DB_NAME" >> data/acme_srv.cfg - sudo echo "issuing_ca_name: $XCA_ISSUING_CA" >> data/acme_srv.cfg - sudo echo "passphrase: $XCA_PASSPHRASE" >> data/acme_srv.cfg - sudo echo "ca_cert_chain_list: [\"root-ca\"]" >> data/acme_srv.cfg - sudo echo "template_name: $XCA_TEMPLATE" >> data/acme_srv.cfg - sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg - sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg - sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg - env: - XCA_PASSPHRASE: ${{ secrets.XCA_PASSPHRASE }} - XCA_ISSUING_CA: ${{ secrets.XCA_ISSUING_CA }} - XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} - XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} - - - name: "Header-info - Reconfigure a2c " - run: | - docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart - - - name: "Header-info - enrollment" - uses: ./.github/actions/wf_specific/xca_ca_handler/enroll_headerinfo - - - name: "EAB - Setup a2c with xca_ca_handler" - run: | - mkdir -p data/acme_ca - sudo cp test/ca/acme2certifier-clean.xdb data/acme_ca/$XCA_DB_NAME - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/ - sudo touch data/acme_srv.cfg - sudo chmod 777 data/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg - sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/xca_ca_handler.py" >> data/acme_srv.cfg - sudo echo "xdb_file: volume/acme_ca/$XCA_DB_NAME" >> data/acme_srv.cfg - sudo echo 
"issuing_ca_name: $XCA_ISSUING_CA" >> data/acme_srv.cfg - sudo echo "passphrase: $XCA_PASSPHRASE" >> data/acme_srv.cfg - sudo echo "ca_cert_chain_list: [\"root-ca\"]" >> data/acme_srv.cfg - sudo echo "template_name: $XCA_TEMPLATE" >> data/acme_srv.cfg - sudo echo "eab_profiling: True" >> data/acme_srv.cfg - sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg - sudo echo -e "\n\n[EABhandler]" >> data/acme_srv.cfg - sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg - sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg - sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json - sudo chmod 777 data/acme_ca/kid_profiles.json - sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"template_name\"\: \[\"template\", \"acme\"\]/g" data/acme_ca/kid_profiles.json - sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"template_name\"\: \"template\"/g" data/acme_ca/kid_profiles.json - sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"issuing_ca_name\": \"root-ca\",\n \"issuing_ca_key\": \"root-ca\"/g" data/acme_ca/kid_profiles.json - sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json - sudo sed -i "s/example.net/acme/g" data/acme_ca/kid_profiles.json - sudo sed -i '19,20d' data/acme_ca/kid_profiles.json - sudo sed -i '8,9d' data/acme_ca/kid_profiles.json - env: - XCA_PASSPHRASE: ${{ secrets.XCA_PASSPHRASE }} - XCA_ISSUING_CA: ${{ secrets.XCA_ISSUING_CA }} - XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} - XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} - - - name: "EAB - Reconfigure a2c " - run: | - docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart - - - name: "EAB - enrollment" - uses: ./.github/actions/wf_specific/xca_ca_handler/enroll_eab - - - name: "EAB subject profiling - Setup a2c 
with xca_ca_handler" - run: | - mkdir -p data/acme_ca - sudo cp test/ca/acme2certifier-clean.xdb data/acme_ca/$XCA_DB_NAME - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/ - sudo touch data/acme_srv.cfg - sudo chmod 777 data/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg - sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/xca_ca_handler.py" >> data/acme_srv.cfg - sudo echo "xdb_file: volume/acme_ca/$XCA_DB_NAME" >> data/acme_srv.cfg - sudo echo "issuing_ca_name: $XCA_ISSUING_CA" >> data/acme_srv.cfg - sudo echo "passphrase: $XCA_PASSPHRASE" >> data/acme_srv.cfg - sudo echo "ca_cert_chain_list: [\"root-ca\"]" >> data/acme_srv.cfg - sudo echo "template_name: $XCA_TEMPLATE" >> data/acme_srv.cfg - sudo echo "eab_profiling: True" >> data/acme_srv.cfg - sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg - sudo echo -e "\n\n[EABhandler]" >> data/acme_srv.cfg - sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg - sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg - sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json - sudo chmod 777 data/acme_ca/kid_profiles.json - sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"template_name\"\: \[\"template\", \"acme\"\]/g" data/acme_ca/kid_profiles.json - sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"template_name\"\: \"template\"/g" data/acme_ca/kid_profiles.json - sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"issuing_ca_name\": \"root-ca\",\n \"issuing_ca_key\": \"root-ca\"/g" data/acme_ca/kid_profiles.json - sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\",/g" 
data/acme_ca/kid_profiles.json - sudo sed -i "s/example.net/acme/g" data/acme_ca/kid_profiles.json - sudo sed -i '19,20d' data/acme_ca/kid_profiles.json - sudo sed -i '9d' data/acme_ca/kid_profiles.json - sudo sed -i "s/\"api_user\"\: \"api_user\",/\"subject\"\: \{\n \"serialNumber\"\: \"*\",\n \"organizationName\"\: \"acme corp\",\n \"organizationalUnitName\"\: \[\"acme1\", \"acme2\"\],\n \"countryName\"\: \"AC\"\n \}/g" data/acme_ca/kid_profiles.json - env: - XCA_PASSPHRASE: ${{ secrets.XCA_PASSPHRASE }} - XCA_ISSUING_CA: ${{ secrets.XCA_ISSUING_CA }} - XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} - XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} - - - name: "EAB subject profiling - Reconfigure a2c " - run: | - docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh - docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart - - - name: "EAB subject profiling - enrollment" - uses: ./.github/actions/wf_specific/xca_ca_handler/enroll_eab_sp - with: - DEPLOYMENT_TYPE: "rpm" - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier - sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - sudo rm ${{ github.workspace }}/artifact/data/*.rpm - docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig - docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf - docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v4 - if: ${{ failure() }} - with: - name: xca_handler_tests_rpm-rh${{ matrix.rhversion }}.tar.gz - path: ${{ 
github.workspace }}/artifact/upload/