# CI for the Microsoft CA handlers: container_build produces the a2c image per
# matrix cell, the *_handler_tests jobs download it, tunnel to the lab CA and
# run enrollment scenarios against it.
name: CA handler tests - MicrosoftCA
# NOTE(review): pull_request runs coming from forks do not receive repository
# secrets, so the tunnel/enrollment steps of the test jobs can only pass for
# branches inside this repository.
on:
  push:
  pull_request:
    branches: [ devel ]
  schedule:
    # * is a special character in YAML so you have to quote this string
    - cron: '0 2 * * 6'
jobs:
container_build:
  # Builds the a2c container once per (websrv, dbhandler) cell; the
  # container_build_upload action presumably publishes it as the run-scoped
  # artifact the test jobs download (confirm against that action).
  name: "container_build"
  runs-on: ubuntu-latest
  strategy:
    fail-fast: false
    matrix:
      websrv: ['apache2', 'nginx']
      dbhandler: ['wsgi', 'django']
  steps:
    - name: "checkout GIT"
      # NOTE(review): third-party actions are referenced by moving tag; pin to
      # a full commit SHA where the supply-chain policy requires immutable refs.
      uses: actions/checkout@v4
    - name: "Build container"
      uses: ./.github/actions/container_build_upload
      with:
        DB_HANDLER: ${{ matrix.dbhandler }}
        WEB_SRV: ${{ matrix.websrv }}
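mscertsrv_handler_tests:
  # Runs examples/ca_handler/mscertsrv_ca_handler.py against the lab MS CA
  # behind the SSH tunnel from tunnel_setup: gssapi (kerberos) enrollment
  # first, then ntlm, then the allowed_domainlist rejection path.
  # On failure the working directory is uploaded as an artifact; artifacts are
  # NOT covered by GitHub's log secret masking, so credentials written into
  # acme_srv.cfg / krb5.conf are scrubbed before the upload.
  name: "mscertsrv_handler_tests"
  runs-on: ubuntu-latest
  needs: container_build
  strategy:
    fail-fast: false
    # max-parallel: 1
    matrix:
      websrv: ['apache2', 'nginx']
      dbhandler: ['wsgi', 'django']
  steps:
    - name: "checkout GIT"
      uses: actions/checkout@v4
    - name: "Download container"
      uses: actions/download-artifact@v4
      with:
        name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
        path: /tmp
    - name: "Import container"
      run: |
        sudo apt-get install -y docker-compose
        gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
        docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar
        docker images
    - name: "Prepare container environment"
      uses: ./.github/actions/container_prep
      with:
        DB_HANDLER: ${{ matrix.dbhandler }}
        WEB_SRV: ${{ matrix.websrv }}
        CONTAINER_BUILD: false
        NAME_SPACE: local
    - name: "Get runner ip"
      # RUNNER_IP / RUNNER_PATH are exported to later steps through GITHUB_ENV.
      run: |
        echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
        echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
    - run: echo "runner IP is ${{ env.RUNNER_IP }}"
    - name: "Setup tunnel"
      uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup
      with:
        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
        WCCE_HOST: ${{ secrets.WCCE_HOST }}
        WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
        NAME_SPACE: local
    - name: "KRB - Setup a2c with mscertsrv_ca_handler using kerberos"
      # `sudo echo ... >> file` elevates only echo; the redirect runs as the
      # runner user and succeeds solely because the files are chmod 777 above.
      # `verify: False` presumably disables certificate verification toward the
      # certsrv endpoint (confirm against the handler) - lab-only setting.
      run: |
        sudo touch examples/Docker/data/ca_certs.pem
        sudo chmod 777 examples/Docker/data/ca_certs.pem
        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
        sudo touch examples/Docker/data/acme_srv.cfg
        sudo chmod 777 examples/Docker/data/acme_srv.cfg
        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
        sudo echo "handler_file: examples/ca_handler/mscertsrv_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
        sudo echo "host: $WCCE_FQDN" >> examples/Docker/data/acme_srv.cfg
        sudo echo "user: $WES_USER" >> examples/Docker/data/acme_srv.cfg
        sudo echo "password: $WES_PASSWORD" >> examples/Docker/data/acme_srv.cfg
        sudo echo "auth_method: gssapi" >> examples/Docker/data/acme_srv.cfg
        sudo echo "template: $WES_TEMPLATE" >> examples/Docker/data/acme_srv.cfg
        sudo echo "ca_bundle: /var/www/acme2certifier/volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg
        sudo echo "krb5_config: /var/www/acme2certifier/volume/krb5.conf" >> examples/Docker/data/acme_srv.cfg
        sudo echo "verify: False" >> examples/Docker/data/acme_srv.cfg
        sudo echo "request_timeout: 30" >> examples/Docker/data/acme_srv.cfg
        sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg
        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg
        sudo touch examples/Docker/data/krb5.conf
        sudo chmod 777 examples/Docker/data/krb5.conf
        cat <<EOF > examples/Docker/data/krb5.conf
        $WES_KRB5_CONF
        EOF
      env:
        WES_HOST: ${{ secrets.WES_HOST }}
        WES_USER: ${{ secrets.WES_USER }}
        WES_PASSWORD: ${{ secrets.WES_PASSWORD }}
        WES_TEMPLATE: ${{ secrets.WES_TEMPLATE }}
        WES_AUTHMETHOD: ${{ secrets.WES_AUTHMETHOD }}
        WCCE_HOST: ${{ secrets.WCCE_HOST }}
        WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
        WES_KRB5_CONF: ${{ secrets.WES_KRB5_CONF }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
        WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }}
    - name: "Bring up a2c container"
      uses: ./.github/actions/container_up
      with:
        DB_HANDLER: ${{ matrix.dbhandler }}
        WEB_SRV: ${{ matrix.websrv }}
        NAME_SPACE: local
    - name: "Sleep for 10s"
      # NOTE(review): the action reference below is garbled in this copy and
      # the real owner/repo@ref is not recoverable here; restore it and pin
      # it to a full commit SHA.
      uses: juliangruber/[email protected]
      with:
        time: 10s
    - name: "KRB - enrollment mit default profile and headerinfo"
      uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo
      with:
        NAME_SPACE: local
    - name: "NTLM - Setup a2c with mscertsrv_ca_handler using ntlm"
      # Rewrites acme_srv.cfg in place for ntlm; no container restart follows,
      # so the handler is presumably re-reading its config per request - confirm.
      run: |
        sudo touch examples/Docker/data/acme_srv.cfg
        sudo chmod 777 examples/Docker/data/acme_srv.cfg
        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
        sudo echo "handler_file: examples/ca_handler/mscertsrv_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
        sudo echo "host: $WCCE_FQDN" >> examples/Docker/data/acme_srv.cfg
        sudo echo "user: $WES_USER" >> examples/Docker/data/acme_srv.cfg
        sudo echo "password: $WES_PASSWORD" >> examples/Docker/data/acme_srv.cfg
        sudo echo "auth_method: ntlm" >> examples/Docker/data/acme_srv.cfg
        sudo echo "template: $WES_TEMPLATE" >> examples/Docker/data/acme_srv.cfg
        sudo echo "ca_bundle: /var/www/acme2certifier/volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg
        sudo echo "verify: False" >> examples/Docker/data/acme_srv.cfg
        sudo echo "request_timeout: 30" >> examples/Docker/data/acme_srv.cfg
        sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg
        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg
      env:
        WES_HOST: ${{ secrets.WES_HOST }}
        WES_USER: ${{ secrets.WES_USER }}
        WES_PASSWORD: ${{ secrets.WES_PASSWORD }}
        WES_TEMPLATE: ${{ secrets.WES_TEMPLATE }}
        WES_AUTHMETHOD: ${{ secrets.WES_AUTHMETHOD }}
        WCCE_HOST: ${{ secrets.WCCE_HOST }}
        WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
        WES_KRB5_CONF: ${{ secrets.WES_KRB5_CONF }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
        WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }}
    - name: "NTLM - enrollment mit default profile and headerinfo"
      uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo
      with:
        NAME_SPACE: local
    - name: "NTLM - Setup a2c with mscertsrv_ca_handler with allowed_domainlist configuration"
      # challenge validation is switched off so that the test can request
      # names outside the allow-list and exercise the rejection path.
      run: |
        sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" examples/Docker/data/acme_srv.cfg
        sudo echo "allowed_domainlist: [\"*.acme\", \"foo1.bar\", \"*.bar.local\"]" >> examples/Docker/data/acme_srv.cfg
        cd examples/Docker/
        docker-compose restart
    - name: "NTLM - enrollment allowed domainlist"
      uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_allowed_domain_list
      with:
        NAME_SPACE: local
    - name: "Verify allowed_domainlist error"
      # The step fails (grep exit 1) if the expected rejection never got logged.
      run: |
        cd examples/Docker
        docker-compose logs | grep "allowed_domainlist" | grep -i "either CN or SANs are not allowed by configuration"
    - name: "Check container configuration"
      uses: ./.github/actions/container_check
      with:
        DB_HANDLER: ${{ matrix.dbhandler }}
        WEB_SRV: ${{ matrix.websrv }}
    - name: "[ * ] collecting test logs"
      if: ${{ failure() }}
      # The uploaded artifact is downloadable by anyone with read access to the
      # repository, so the credentials written into examples/Docker/data/ are
      # redacted here. krb5.conf is assembled from a repository secret and is
      # dropped entirely. acme-sh/, certbot/ and lego/ are presumably created
      # by the enrollment actions - confirm, or guard the copies.
      run: |
        mkdir -p ${{ github.workspace }}/artifact/upload
        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
        sudo cp /etc/hosts ${{ github.workspace }}/artifact/data/
        sudo cp /etc/resolv.conf ${{ github.workspace }}/artifact/data/
        if [ -f ${{ github.workspace }}/artifact/data/acme_srv.cfg ]; then
          sudo sed -i -E 's/^(user|password): .*/\1: <redacted>/' ${{ github.workspace }}/artifact/data/acme_srv.cfg
        fi
        sudo rm -f ${{ github.workspace }}/artifact/data/krb5.conf
        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
        sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/
        sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
        cd examples/Docker
        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego
    - name: "[ * ] uploading artificates"
      uses: actions/upload-artifact@v4
      if: ${{ failure() }}
      with:
        name: mscertsrv_handler_tests-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
        path: ${{ github.workspace }}/artifact/upload/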
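mscertsrv_handler_eab_profiling_tests:
  # Same lab setup as mscertsrv_handler_tests (kerberos/gssapi), but with
  # eab_profiling enabled and the kid_profile_handler mapping EAB key ids to
  # CA templates. The failure artifact is scrubbed of credentials before
  # upload because artifacts are not subject to GitHub's secret masking.
  name: "mscertsrv_handler_eab_profiling_tests"
  runs-on: ubuntu-latest
  needs: container_build
  strategy:
    fail-fast: false
    # max-parallel: 1
    matrix:
      websrv: ['apache2', 'nginx']
      dbhandler: ['wsgi', 'django']
  steps:
    - name: "checkout GIT"
      uses: actions/checkout@v4
    - name: "create folders and networks"
      # Client working directories; they are copied into the failure artifact.
      run: |
        mkdir lego
        mkdir acme-sh
        mkdir certbot
    - name: "Download container"
      uses: actions/download-artifact@v4
      with:
        name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
        path: /tmp
    - name: "Import container"
      run: |
        sudo apt-get install -y docker-compose
        gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
        docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar
        docker images
    - name: "Prepare container environment"
      uses: ./.github/actions/container_prep
      with:
        DB_HANDLER: ${{ matrix.dbhandler }}
        WEB_SRV: ${{ matrix.websrv }}
        CONTAINER_BUILD: false
        NAME_SPACE: local
    - name: "Get runner ip"
      # RUNNER_IP / RUNNER_PATH are exported to later steps through GITHUB_ENV.
      run: |
        echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
        echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
    - run: echo "runner IP is ${{ env.RUNNER_IP }}"
    - name: "Setup tunnel"
      uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup
      with:
        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
        WCCE_HOST: ${{ secrets.WCCE_HOST }}
        WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
        NAME_SPACE: local
    - name: "EAB with headerinfo - Setup a2c with mscertsrv_ca_handler using kerberos"
      # `sudo echo ... >> file` elevates only echo; the redirect runs as the
      # runner user and works solely because the files are chmod 777 above.
      # `verify: False` presumably disables certificate verification toward
      # the certsrv endpoint (confirm against the handler) - lab-only setting.
      # The kid_profiles.json edits rewrite the shipped example by text
      # substitution and fixed line numbers ('18,19d', '8,9d'); they break
      # silently if examples/eab_handler/kid_profiles.json is reformatted.
      # NOTE(review): the chmod below targets the repository copy of
      # kid_profiles.json, not the file just placed in examples/Docker/data/ -
      # presumably a typo, confirm which file the container needs writable.
      run: |
        sudo touch examples/Docker/data/ca_certs.pem
        sudo chmod 777 examples/Docker/data/ca_certs.pem
        sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
        sudo touch examples/Docker/data/acme_srv.cfg
        sudo chmod 777 examples/Docker/data/acme_srv.cfg
        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
        sudo echo "handler_file: examples/ca_handler/mscertsrv_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
        sudo echo "host: $WCCE_FQDN" >> examples/Docker/data/acme_srv.cfg
        sudo echo "user: $WES_USER" >> examples/Docker/data/acme_srv.cfg
        sudo echo "password: $WES_PASSWORD" >> examples/Docker/data/acme_srv.cfg
        sudo echo "auth_method: gssapi" >> examples/Docker/data/acme_srv.cfg
        sudo echo "template: $WES_TEMPLATE" >> examples/Docker/data/acme_srv.cfg
        sudo echo "ca_bundle: /var/www/acme2certifier/volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg
        sudo echo "krb5_config: /var/www/acme2certifier/volume/krb5.conf" >> examples/Docker/data/acme_srv.cfg
        sudo echo "verify: False" >> examples/Docker/data/acme_srv.cfg
        sudo echo "request_timeout: 30" >> examples/Docker/data/acme_srv.cfg
        sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg
        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg
        sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg
        sudo echo -e "\n\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg
        sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg
        sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg
        sudo touch examples/Docker/data/krb5.conf
        sudo chmod 777 examples/Docker/data/krb5.conf
        cat <<EOF > examples/Docker/data/krb5.conf
        $WES_KRB5_CONF
        EOF
        sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json
        sudo chmod 777 examples/eab_handler/kid_profiles.json
        sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"template\"\: \[\"WebServerModified\"\, \"WebServer\"]/g" examples/Docker/data/kid_profiles.json
        sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"template\"\: \"WebServerModified\"/g" examples/Docker/data/kid_profiles.json
        sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json
        sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json
        sudo sed -i "s/example.net/local/g" examples/Docker/data/kid_profiles.json
        sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json
        sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json
      env:
        WES_HOST: ${{ secrets.WES_HOST }}
        WES_USER: ${{ secrets.WES_USER }}
        WES_PASSWORD: ${{ secrets.WES_PASSWORD }}
        WES_TEMPLATE: ${{ secrets.WES_TEMPLATE }}
        WES_AUTHMETHOD: ${{ secrets.WES_AUTHMETHOD }}
        WCCE_HOST: ${{ secrets.WCCE_HOST }}
        WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
        WES_KRB5_CONF: ${{ secrets.WES_KRB5_CONF }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
        WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }}
    - name: "Bring up a2c container"
      uses: ./.github/actions/container_up
      with:
        DB_HANDLER: ${{ matrix.dbhandler }}
        WEB_SRV: ${{ matrix.websrv }}
        NAME_SPACE: local
    - name: "EAB with headerinfo - enrollment"
      uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_eab
      with:
        NAME_SPACE: local
    - name: "Check container configuration"
      uses: ./.github/actions/container_check
      with:
        DB_HANDLER: ${{ matrix.dbhandler }}
        WEB_SRV: ${{ matrix.websrv }}
    - name: "[ * ] collecting test logs"
      if: ${{ failure() }}
      # The artifact is readable by anyone with repository read access, so the
      # credentials written into examples/Docker/data/ are redacted and the
      # secret-derived krb5.conf is dropped before packaging. The tar member
      # list matches what is copied above (no dnsmasq/ exists in this job).
      run: |
        mkdir -p ${{ github.workspace }}/artifact/upload
        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
        sudo cp /etc/hosts ${{ github.workspace }}/artifact/data/
        sudo cp /etc/resolv.conf ${{ github.workspace }}/artifact/data/
        if [ -f ${{ github.workspace }}/artifact/data/acme_srv.cfg ]; then
          sudo sed -i -E 's/^(user|password): .*/\1: <redacted>/' ${{ github.workspace }}/artifact/data/acme_srv.cfg
        fi
        sudo rm -f ${{ github.workspace }}/artifact/data/krb5.conf
        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
        sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/
        sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
        cd examples/Docker
        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego
    - name: "[ * ] uploading artificates"
      uses: actions/upload-artifact@v4
      if: ${{ failure() }}
      with:
        name: mscertsrv_handler_profiling_tests-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
        path: ${{ github.workspace }}/artifact/upload/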
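mswcce_handler_tests:
  # Runs examples/ca_handler/mswcce_ca_handler.py against the lab CA. A local
  # dnsmasq on the runner resolves the CA/AD names to RUNNER_IP, which the
  # tunnel_setup action presumably forwards to the lab (confirm there); ntlm
  # enrollment first, then kerberos, then the allowed_domainlist rejection path.
  # The failure artifact is scrubbed of credentials before upload because
  # artifacts are not subject to GitHub's secret masking.
  name: "mswcce_handler_tests"
  runs-on: ubuntu-latest
  needs: container_build
  strategy:
    fail-fast: false
    # max-parallel: 1
    matrix:
      websrv: ['apache2', 'nginx']
      dbhandler: ['wsgi', 'django']
  steps:
    - name: "checkout GIT"
      uses: actions/checkout@v4
    - name: "create folders"
      # Client working directories; they are copied into the failure artifact.
      run: |
        mkdir lego
        mkdir acme-sh
        mkdir certbot
    - name: "Download container"
      uses: actions/download-artifact@v4
      with:
        name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
        path: /tmp
    - name: "Import container"
      run: |
        sudo apt-get install -y docker-compose
        gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
        docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar
        docker images
    - name: "Prepare container environment"
      uses: ./.github/actions/container_prep
      with:
        DB_HANDLER: ${{ matrix.dbhandler }}
        WEB_SRV: ${{ matrix.websrv }}
        CONTAINER_BUILD: false
    - name: "[ PREPARE ] get runner ip"
      # RUNNER_IP / RUNNER_PATH are exported to later steps through GITHUB_ENV.
      run: |
        echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
        echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
    - run: echo "runner IP is ${{ env.RUNNER_IP }}"
    - name: "Install dnsmasq"
      # Replaces systemd-resolved with dnsmasq so that the CA, AD domain and
      # web-enrollment names all resolve to the runner itself.
      run: |
        sudo apt-get update
        sudo apt-get install -y dnsmasq
        sudo systemctl disable systemd-resolved
        sudo systemctl stop systemd-resolved
        sudo mkdir -p dnsmasq
        sudo cp .github/dnsmasq.conf dnsmasq/
        sudo chmod -R 777 dnsmasq/dnsmasq.conf
        sudo sed -i "s/RUNNER_IP/$RUNNER_IP/g" dnsmasq/dnsmasq.conf
        sudo echo "address=/$WCCE_FQDN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf
        sudo echo "address=/$WCCE_ADS_DOMAIN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf
        sudo echo "address=/$WES_HOST/$RUNNER_IP" >> dnsmasq/dnsmasq.conf
        cat dnsmasq/dnsmasq.conf
        sudo cp dnsmasq/dnsmasq.conf /etc/
        sudo systemctl enable dnsmasq
        sudo systemctl start dnsmasq
      env:
        RUNNER_IP: ${{ env.RUNNER_IP }}
        WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
        WES_HOST: ${{ secrets.WES_HOST }}
    - name: "[ PREPARE ] test dns resulution"
      # `host` exits non-zero on NXDOMAIN, so a broken dnsmasq fails the job here.
      run: |
        host $WCCE_ADS_DOMAIN 127.0.0.1
        host $WCCE_FQDN 127.0.0.1
        host $WES_HOST 127.0.0.1
      env:
        WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
        WES_HOST: ${{ secrets.WES_HOST }}
    - name: "Setup tunnel"
      uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup
      with:
        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
        WCCE_HOST: ${{ secrets.WCCE_HOST }}
        WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
    - name: "NTLM - Setup a2c with ms_wcce_ca_handler (ntlm)"
      # `sudo echo ... >> file` elevates only echo; the redirect runs as the
      # runner user and works solely because the files are chmod 777 above.
      # `host` is set to RUNNER_IP here, presumably the local end of the SSH
      # tunnel, whereas the kerberos setup below uses WCCE_FQDN - confirm.
      run: |
        sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem
        sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem
        sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem
        sudo cp .github/django_settings.py examples/Docker/data/settings.py
        sudo touch examples/Docker/data/ca_certs.pem
        sudo chmod 777 examples/Docker/data/ca_certs.pem
        sudo echo "$WCCE_CA_BUNDLE" > examples/Docker/data/ca_certs.pem
        sudo touch examples/Docker/data/acme_srv.cfg
        sudo chmod 777 examples/Docker/data/acme_srv.cfg
        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
        sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/mswcce_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
        sudo echo "host: $RUNNER_IP" >> examples/Docker/data/acme_srv.cfg
        sudo echo "user: $WCCE_USER" >> examples/Docker/data/acme_srv.cfg
        sudo echo "password: $WCCE_PASSWORD" >> examples/Docker/data/acme_srv.cfg
        sudo echo "template: $WCCE_TEMPLATE" >> examples/Docker/data/acme_srv.cfg
        sudo echo "ca_name: $WCCE_CA_NAME" >> examples/Docker/data/acme_srv.cfg
        sudo echo "target_domain: $WCCE_ADS_DOMAIN" >> examples/Docker/data/acme_srv.cfg
        sudo echo "ca_bundle: volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg
        sudo echo "timeout: 20" >> examples/Docker/data/acme_srv.cfg
        sudo echo "ssh_host: $SSH_HOST:$SSH_PORT" >> examples/Docker/data/acme_srv.cfg
        sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg
        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg
      env:
        RUNNER_IP: ${{ env.RUNNER_IP }}
        WCCE_USER: ${{ secrets.WCCE_USER }}
        WCCE_PASSWORD: ${{ secrets.WCCE_PASSWORD }}
        WCCE_TEMPLATE: ${{ secrets.WCCE_TEMPLATE }}
        WCCE_CA_NAME: ${{ secrets.WCCE_CA_NAME }}
        WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
        WCCE_CA_BUNDLE: ${{ secrets.WCCE_CA_BUNDLE }}
        WCCE_HOST: ${{ secrets.WCCE_HOST }}
        SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
        SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
    - name: "Bring up a2c container"
      uses: ./.github/actions/container_up
      with:
        DB_HANDLER: ${{ matrix.dbhandler }}
        WEB_SRV: ${{ matrix.websrv }}
    - name: "NTLM - enrollment mit default profile and headerinfo"
      uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo
    - name: "KRB - Setup a2c with ms_wcce_ca_handler (Kerboros)"
      # Rebuilds acme_srv.cfg for kerberos (use_kerberos: True, domain_controller
      # pointed at the runner-hosted DNS) and restarts the container. The unused
      # DNSMASQ_IP variable (never set in this job) has been dropped from env.
      run: |
        sudo touch examples/Docker/data/ca_certs.pem
        sudo chmod 777 examples/Docker/data/ca_certs.pem
        sudo echo "$WCCE_CA_BUNDLE" > examples/Docker/data/ca_certs.pem
        sudo touch examples/Docker/data/acme_srv.cfg
        sudo chmod 777 examples/Docker/data/acme_srv.cfg
        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
        sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/mswcce_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
        sudo echo "host: $WCCE_FQDN" >> examples/Docker/data/acme_srv.cfg
        sudo echo "user: $WCCE_USER" >> examples/Docker/data/acme_srv.cfg
        sudo echo "password: $WCCE_PASSWORD" >> examples/Docker/data/acme_srv.cfg
        sudo echo "template: $WCCE_TEMPLATE" >> examples/Docker/data/acme_srv.cfg
        sudo echo "ca_name: $WCCE_CA_NAME" >> examples/Docker/data/acme_srv.cfg
        sudo echo "target_domain: $WCCE_ADS_DOMAIN" >> examples/Docker/data/acme_srv.cfg
        sudo echo "domain_controller: $RUNNER_IP" >> examples/Docker/data/acme_srv.cfg
        sudo echo "ca_bundle: volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg
        sudo echo "timeout: 20" >> examples/Docker/data/acme_srv.cfg
        sudo echo "use_kerberos: True" >> examples/Docker/data/acme_srv.cfg
        sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg
        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg
        cd examples/Docker/
        docker-compose restart
      env:
        RUNNER_IP: ${{ env.RUNNER_IP }}
        WCCE_USER: ${{ secrets.WCCE_USER }}
        WCCE_PASSWORD: ${{ secrets.WCCE_PASSWORD }}
        WCCE_TEMPLATE: ${{ secrets.WCCE_TEMPLATE }}
        WCCE_CA_NAME: ${{ secrets.WCCE_CA_NAME }}
        WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
        WCCE_CA_BUNDLE: ${{ secrets.WCCE_CA_BUNDLE }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
    - name: "KRB - Sleep for 10s"
      # NOTE(review): the action reference below is garbled in this copy and
      # the real owner/repo@ref is not recoverable here; restore it and pin
      # it to a full commit SHA.
      uses: juliangruber/[email protected]
      with:
        time: 10s
    - name: "KRB - enrollment mit default profile and headerinfo"
      uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo
    - name: "KRB - Setup a2c with mswcce_ca_handler with allowed_domainlist configuration"
      # challenge validation is switched off so that the test can request
      # names outside the allow-list and exercise the rejection path.
      run: |
        sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" examples/Docker/data/acme_srv.cfg
        sudo echo "allowed_domainlist: [\"*.acme\", \"foo1.bar\", \"*.bar.local\"]" >> examples/Docker/data/acme_srv.cfg
        cd examples/Docker/
        docker-compose restart
    - name: "KRB - enrollment allowed domainlist"
      uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_allowed_domain_list
    - name: "Verify allowed_domainlist error"
      # The step fails (grep exit 1) if the expected rejection never got logged.
      run: |
        cd examples/Docker
        docker-compose logs | grep "allowed_domainlist" | grep -i "either CN or SANs are not allowed by configuration"
    - name: "Check container configuration"
      uses: ./.github/actions/container_check
      with:
        DB_HANDLER: ${{ matrix.dbhandler }}
        WEB_SRV: ${{ matrix.websrv }}
    - name: "[ * ] collecting test logs"
      if: ${{ failure() }}
      # The artifact is readable by anyone with repository read access, so the
      # credentials written into acme_srv.cfg (user, password, ssh_host) are
      # redacted before packaging. dnsmasq.conf and the remaining cfg keys still
      # carry lab host names taken from secrets; treat the artifact accordingly.
      # acme-sh/, certbot/ and lego/ are copied but were missing from the tar
      # member list, so they never reached the upload; they are included now.
      run: |
        mkdir -p ${{ github.workspace }}/artifact/upload
        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
        if [ -f ${{ github.workspace }}/artifact/data/acme_srv.cfg ]; then
          sudo sed -i -E 's/^(user|password|ssh_host): .*/\1: <redacted>/' ${{ github.workspace }}/artifact/data/acme_srv.cfg
        fi
        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
        sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/
        sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
        sudo cp -rp dnsmasq/ ${{ github.workspace }}/artifact/dnsmasq/
        cd examples/Docker
        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego dnsmasq
    - name: "[ * ] uploading artificates"
      uses: actions/upload-artifact@v4
      if: ${{ failure() }}
      with:
        name: mswcce_handler_tests-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
        path: ${{ github.workspace }}/artifact/upload/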
mswcce_handler_eab_profiling_tests: | |
name: "mswcce_handler_eab_profiling_tests" | |
runs-on: ubuntu-latest | |
needs: container_build | |
strategy: | |
fail-fast: false | |
# max-parallel: 2 | |
matrix: | |
websrv: ['apache2', 'nginx'] | |
dbhandler: ['wsgi', 'django'] | |
steps: | |
- name: "checkout GIT" | |
uses: actions/checkout@v4 | |
- name: "create folders" | |
run: | | |
mkdir lego | |
mkdir acme-sh | |
mkdir certbot | |
- name: "[ PREPARE ] get runner ip" | |
run: | | |
echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV | |
echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV | |
- run: echo "runner IP is ${{ env.RUNNER_IP }}" | |
- name: "Install dnsmasq" | |
run: | | |
sudo apt-get update | |
sudo apt-get install -y dnsmasq | |
sudo systemctl disable systemd-resolved | |
sudo systemctl stop systemd-resolved | |
sudo mkdir -p dnsmasq | |
sudo cp .github/dnsmasq.conf dnsmasq/ | |
sudo chmod -R 777 dnsmasq/dnsmasq.conf | |
sudo sed -i "s/RUNNER_IP/$RUNNER_IP/g" dnsmasq/dnsmasq.conf | |
sudo echo "address=/$WCCE_FQDN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf | |
sudo echo "address=/$WCCE_ADS_DOMAIN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf | |
sudo echo "address=/$WES_HOST/$RUNNER_IP" >> dnsmasq/dnsmasq.conf | |
cat dnsmasq/dnsmasq.conf | |
sudo cp dnsmasq/dnsmasq.conf /etc/ | |
sudo systemctl enable dnsmasq | |
sudo systemctl start dnsmasq | |
env: | |
RUNNER_IP: ${{ env.RUNNER_IP }} | |
WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} | |
WCCE_FQDN: ${{ secrets.WCCE_FQDN }} | |
WES_HOST: ${{ secrets.WES_HOST }} | |
- name: "[ PREPARE ] test dns resulution" | |
run: | | |
host $WCCE_ADS_DOMAIN 127.0.0.1 | |
host $WCCE_FQDN 127.0.0.1 | |
host $WES_HOST 127.0.0.1 | |
env: | |
WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} | |
WCCE_FQDN: ${{ secrets.WCCE_FQDN }} | |
WES_HOST: ${{ secrets.WES_HOST }} | |
- name: "Download container" | |
uses: actions/download-artifact@v4 | |
with: | |
name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz | |
path: /tmp | |
- name: "Import container" | |
run: | | |
sudo apt-get install -y docker-compose | |
gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz | |
docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar | |
docker images | |
- name: "Prepare container environment" | |
uses: ./.github/actions/container_prep | |
with: | |
DB_HANDLER: ${{ matrix.dbhandler }} | |
WEB_SRV: ${{ matrix.websrv }} | |
CONTAINER_BUILD: false | |
- name: "Setup tunnel" | |
uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup | |
with: | |
WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }} | |
WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} | |
WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} | |
WCCE_HOST: ${{ secrets.WCCE_HOST }} | |
WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }} | |
WCCE_FQDN: ${{ secrets.WCCE_FQDN }} | |
WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} | |
WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} | |
- name: "EAB with headerinfo - Setup a2c with ms_wcce_ca_handler (Kerboros)" | |
run: | | |
sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem | |
sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem | |
sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem | |
sudo cp .github/django_settings.py examples/Docker/data/settings.py | |
sudo touch examples/Docker/data/ca_certs.pem | |
sudo chmod 777 examples/Docker/data/ca_certs.pem | |
sudo echo "$WCCE_CA_BUNDLE" > examples/Docker/data/ca_certs.pem | |
sudo touch examples/Docker/data/acme_srv.cfg | |
sudo chmod 777 examples/Docker/data/acme_srv.cfg | |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg | |
sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/mswcce_ca_handler.py" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "host: $WCCE_FQDN" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "user: $WCCE_USER" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "password: $WCCE_PASSWORD" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "template: $WCCE_TEMPLATE" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "ca_name: $WCCE_CA_NAME" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "target_domain: $WCCE_ADS_DOMAIN" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "domain_controller: $RUNNER_IP" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "ca_bundle: volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "timeout: 20" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "use_kerberos: True" >> examples/Docker/data/acme_srv.cfg | |
sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg | |
sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg | |
sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg | |
sudo echo -e "\n\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg | |
sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json | |
sudo chmod 777 examples/eab_handler/kid_profiles.json | |
sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"template\"\: \[\"WebServerModified\"\, \"WebServer\"]/g" examples/Docker/data/kid_profiles.json | |
sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"template\"\: \"WebServerModified\"/g" examples/Docker/data/kid_profiles.json | |
sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json | |
sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json | |
sudo sed -i "s/example.net/acme/g" examples/Docker/data/kid_profiles.json | |
sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json | |
sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json | |
env: | |
RUNNER_IP: ${{ env.RUNNER_IP }} | |
DNSMASQ_IP: ${{ env.DNSMASQ_IP }} | |
WCCE_USER: ${{ secrets.WCCE_USER }} | |
WCCE_PASSWORD: ${{ secrets.WCCE_PASSWORD }} | |
WCCE_TEMPLATE: ${{ secrets.WCCE_TEMPLATE }} | |
WCCE_CA_NAME: ${{ secrets.WCCE_CA_NAME }} | |
WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} | |
WCCE_CA_BUNDLE: ${{ secrets.WCCE_CA_BUNDLE }} | |
WCCE_FQDN: ${{ secrets.WCCE_FQDN }} | |
# Start the a2c container that was built and imported for this matrix cell.
- name: "Bring up a2c container"
  uses: ./.github/actions/container_up
  with:
    WEB_SRV: ${{ matrix.websrv }}
    DB_HANDLER: ${{ matrix.dbhandler }}
# Enrollment through the EAB kid/profile handler configured in the previous step.
- name: "EAB with headerinfo - enrollment"
  uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_eab
# Post-enrollment sanity check of the running container for this matrix cell.
- name: "Check container configuration"
  uses: ./.github/actions/container_check
  with:
    WEB_SRV: ${{ matrix.websrv }}
    DB_HANDLER: ${{ matrix.dbhandler }}
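# Failure diagnostics: copy the data volume and the ACME client directories,
# capture the compose logs and bundle everything for upload.
- name: "[ * ] collecting test logs"
  if: ${{ failure() }}
  run: |
    mkdir -p ${{ github.workspace }}/artifact/upload
    sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
    # acme_srv.cfg holds the CA password taken from secrets; strip it before the
    # directory is uploaded as a downloadable artifact (secret masking applies to
    # step output only, not to artifact contents).
    if [ -f "${{ github.workspace }}/artifact/data/acme_srv.cfg" ]; then
      sudo sed -i 's/^password:.*/password: <redacted>/' "${{ github.workspace }}/artifact/data/acme_srv.cfg"
    fi
    sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
    sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/
    sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
    sudo cp -rp dnsmasq/ ${{ github.workspace }}/artifact/dnsmasq/
    cd examples/Docker
    docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
    sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego dnsmasq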
# Upload the failure bundle produced by the collecting step above.
- name: "[ * ] uploading artificates"
  if: ${{ failure() }}
  uses: actions/upload-artifact@v4
  with:
    name: mswcce_handler_profiling_tests-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
    path: ${{ github.workspace }}/artifact/upload/
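# Delete the per-matrix container image artifact once every consumer job has
# finished. `always()` keeps this job running when a test job fails; without it
# the job is skipped together with its failed dependency and the image stays in
# the run's artifact store until retention expires.
cleanup:
  name: "cleanup"
  runs-on: ubuntu-latest
  if: ${{ always() }}
  needs:
    - mscertsrv_handler_tests
    - mswcce_handler_tests
    - mswcce_handler_eab_profiling_tests
    - mscertsrv_handler_eab_profiling_tests
  strategy:
    fail-fast: false
    matrix:
      websrv:
        - apache2
        - nginx
      dbhandler:
        - wsgi
        - django
  steps:
    # Third-party action referenced by a floating tag; pinning to a full commit
    # SHA (geekyeggo/delete-artifact@<commit-sha>) protects against the tag
    # being moved to different code.
    - uses: geekyeggo/delete-artifact@v5
      with:
        name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz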
# Build the acme2certifier rpm once; the *_rpm test jobs below download it as
# an artifact instead of rebuilding per matrix cell.
rpm_build_and_upload:
  name: "rpm_build_and_upload"
  runs-on: ubuntu-latest
  steps:
    - name: "checkout GIT"
      uses: actions/checkout@v4
    - name: "Build rpm package"
      id: rpm_build
      uses: ./.github/actions/rpm_build_upload
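# mscertsrv_ca_handler tests against the rpm built in rpm_build_and_upload, on
# Alma 8 and 9. The MS web enrollment endpoint is reached through the ssh
# tunnel established by tunnel_setup. Runs Kerberos (gssapi) first, then the
# configured NTLM-style auth_method, then an allowed_domainlist negative test.
mscertsrv_handler_tests_rpm:
  name: "mscertsrv_handler_tests_rpm"
  runs-on: ubuntu-latest
  needs: rpm_build_and_upload
  strategy:
    # max-parallel: 1
    fail-fast: false
    matrix:
      rhversion:
        - 8
        - 9
  steps:
    - name: "checkout GIT"
      uses: actions/checkout@v4
    - name: "Prepare Alma environment"
      uses: ./.github/actions/rpm_prep
      with:
        GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
        GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
        RH_VERSION: ${{ matrix.rhversion }}
        RPM_BUILD: false
        NAME_SPACE: "local"
    - name: Download rpm package
      uses: actions/download-artifact@v4
      with:
        name: acme2certifier-${{ github.run_id }}.noarch.rpm
        path: data/
    - name: "Get runner ip"
      run: |
        echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
        echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
    - run: echo "runner IP is ${{ env.RUNNER_IP }}"
    - name: "Setup tunnel"
      uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup
      with:
        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
        WCCE_HOST: ${{ secrets.WCCE_HOST }}
        WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
        NAME_SPACE: local
    # The handler config is the default template (minus its last 8 lines) plus
    # the settings appended below. The appends use plain `echo`: the shell, not
    # sudo, performs the `>>` redirection, so `sudo` added nothing except putting
    # the password on a command line that sudo logs.
    - name: "KRB - Setup a2c with mscertsrv_ca_handler using kerberos"
      run: |
        mkdir -p data/acme_ca
        sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
        sudo touch data/acme_srv.cfg
        sudo chmod 777 data/acme_srv.cfg
        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
        echo "handler_file: /opt/acme2certifier/examples/ca_handler/mscertsrv_ca_handler.py" >> data/acme_srv.cfg
        echo "host: $WCCE_FQDN" >> data/acme_srv.cfg
        echo "user: $WES_USER" >> data/acme_srv.cfg
        echo "password: $WES_PASSWORD" >> data/acme_srv.cfg
        echo "auth_method: gssapi" >> data/acme_srv.cfg
        echo "template: $WES_TEMPLATE" >> data/acme_srv.cfg
        echo "ca_bundle: volume/acme_ca/ca_certs.pem" >> data/acme_srv.cfg
        echo "krb5_config: volume/acme_ca/krb5.conf" >> data/acme_srv.cfg
        # verify: False disables TLS verification towards the enrollment endpoint;
        # test-only setting for the tunnelled CA, not for deployments.
        echo "verify: False" >> data/acme_srv.cfg
        echo "request_timeout: 30" >> data/acme_srv.cfg
        sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg
        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" data/acme_srv.cfg
        sudo touch data/acme_ca/krb5.conf
        sudo chmod 777 data/acme_ca/krb5.conf
        cat <<EOF > data/acme_ca/krb5.conf
        $WES_KRB5_CONF
        EOF
      env:
        WES_HOST: ${{ secrets.WES_HOST }}
        WES_USER: ${{ secrets.WES_USER }}
        WES_PASSWORD: ${{ secrets.WES_PASSWORD }}
        WES_AUTHMETHOD: ${{ secrets.WES_AUTHMETHOD }}
        WES_TEMPLATE: ${{ secrets.WES_TEMPLATE }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
        WES_KRB5_CONF: ${{ secrets.WES_KRB5_CONF }}
    - name: "KRB - Execute install scipt"
      run: |
        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
        docker exec acme-srv yum install -y krb5-libs
    - name: "KRB - enrollment mit default profile and headerinfo"
      uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo
      with:
        NAME_SPACE: local
    # Same config as above but with auth_method taken from the WES_AUTHMETHOD
    # secret and no krb5 settings; the container is restarted to pick it up.
    - name: "NTLM - Setup a2c with mscertsrv_ca_handler"
      run: |
        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
        echo "handler_file: /opt/acme2certifier/examples/ca_handler/mscertsrv_ca_handler.py" >> data/acme_srv.cfg
        echo "host: $WCCE_FQDN" >> data/acme_srv.cfg
        echo "user: $WES_USER" >> data/acme_srv.cfg
        echo "password: $WES_PASSWORD" >> data/acme_srv.cfg
        echo "auth_method: $WES_AUTHMETHOD" >> data/acme_srv.cfg
        echo "template: $WES_TEMPLATE" >> data/acme_srv.cfg
        echo "ca_bundle: volume/acme_ca/ca_certs.pem" >> data/acme_srv.cfg
        echo "verify: False" >> data/acme_srv.cfg
        echo "request_timeout: 30" >> data/acme_srv.cfg
        sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg
        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" data/acme_srv.cfg
      env:
        WES_HOST: ${{ secrets.WES_HOST }}
        WES_USER: ${{ secrets.WES_USER }}
        WES_PASSWORD: ${{ secrets.WES_PASSWORD }}
        WES_AUTHMETHOD: ${{ secrets.WES_AUTHMETHOD }}
        WES_TEMPLATE: ${{ secrets.WES_TEMPLATE }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
    - name: "NTLM - Reconfigure a2c "
      run: |
        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
    - name: "NTLM - enrollment mit default profile and headerinfo"
      uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo
      with:
        NAME_SPACE: local
    # Negative test: challenge validation is switched off and an allowed_domainlist
    # is added so enrollment for a name outside it must be rejected.
    - name: "NTLM - Setup a2c with mscertsrv_ca_handler with allowed_domainlist configuration"
      run: |
        sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" data/acme_srv.cfg
        echo "allowed_domainlist: [\"*.acme\", \"foo1.bar\", \"*.bar.local\"]" >> data/acme_srv.cfg
    - name: "NTLM - Reconfigure a2c "
      run: |
        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
    - name: "NTLM - enrollment allowed domainlist"
      uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_allowed_domain_list
      with:
        NAME_SPACE: local
    - name: "Verify allowed_domainlist error"
      run: |
        docker exec acme-srv grep -i "either CN or SANs are not allowed by configuration" /var/log/messages
    # Failure diagnostics: archive the installation inside the container, copy
    # the data volume and client directory, and bundle them with the syslog.
    - name: "[ * ] collecting test logs"
      if: ${{ failure() }}
      run: |
        mkdir -p ${{ github.workspace }}/artifact/upload
        docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
        sudo rm -rf data/*.rpm
        sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
        # acme_srv.cfg carries the CA password from secrets; redact it before the
        # directory is uploaded (secret masking covers step output, not artifact
        # contents). NOTE(review): if data/ is the mount behind /tmp/acme2certifier,
        # the a2c.tgz in the same copy also holds the config under
        # /opt/acme2certifier — confirm and redact there too if so.
        if [ -f "${{ github.workspace }}/artifact/data/acme_srv.cfg" ]; then
          sudo sed -i 's/^password:.*/password: <redacted>/' "${{ github.workspace }}/artifact/data/acme_srv.cfg"
        fi
        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
        docker exec acme-srv ls -la /tmp > ${{ github.workspace }}/artifact/data/tmp_list
        docker exec acme-srv ls -la /tmp
        docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh
    - name: "[ * ] uploading artificates"
      uses: actions/upload-artifact@v4
      if: ${{ failure() }}
      with:
        name: mscertsrv_handler_tests_rpm-rh${{ matrix.rhversion }}.tar.gz
        path: ${{ github.workspace }}/artifact/upload/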
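# mscertsrv_ca_handler with EAB profiling (kid_profile_handler) on the rpm
# install, Kerberos auth. Depends on mscertsrv_handler_tests_rpm so the base
# handler path is known to work before profiling is exercised.
mscertsrv_handler_eab_profile_tests_rpm:
  name: "mscertsrv_handler_eab_profile_tests_rpm"
  runs-on: ubuntu-latest
  needs: mscertsrv_handler_tests_rpm
  strategy:
    # max-parallel: 1
    fail-fast: false
    matrix:
      rhversion:
        - 8
        - 9
  steps:
    - name: "checkout GIT"
      uses: actions/checkout@v4
    - name: "Prepare Alma environment"
      uses: ./.github/actions/rpm_prep
      with:
        GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
        GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
        RH_VERSION: ${{ matrix.rhversion }}
        RPM_BUILD: false
        NAME_SPACE: "local"
    - name: Download rpm package
      uses: actions/download-artifact@v4
      with:
        name: acme2certifier-${{ github.run_id }}.noarch.rpm
        path: data/
    - name: "Get runner ip"
      run: |
        echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
        echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
    - run: echo "runner IP is ${{ env.RUNNER_IP }}"
    - name: "Setup tunnel"
      uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup
      with:
        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
        WCCE_HOST: ${{ secrets.WCCE_HOST }}
        WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
        NAME_SPACE: local
    # Handler config plus an [EABhandler] section; the example kid_profiles.json
    # is rewritten with sed so its profile_id entries become MS template names.
    # Appends use plain `echo`: the shell performs the `>>` redirection, so `sudo`
    # only put the password on a command line that sudo logs.
    - name: "EAB with headerinfo - Setup a2c with mscertsrv_ca_handler using kerberos"
      run: |
        mkdir -p data/acme_ca
        sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
        sudo touch data/acme_srv.cfg
        sudo chmod 777 data/acme_srv.cfg
        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
        echo "handler_file: /opt/acme2certifier/examples/ca_handler/mscertsrv_ca_handler.py" >> data/acme_srv.cfg
        echo "host: $WCCE_FQDN" >> data/acme_srv.cfg
        echo "user: $WES_USER" >> data/acme_srv.cfg
        echo "password: $WES_PASSWORD" >> data/acme_srv.cfg
        echo "auth_method: gssapi" >> data/acme_srv.cfg
        echo "template: $WES_TEMPLATE" >> data/acme_srv.cfg
        echo "ca_bundle: volume/acme_ca/ca_certs.pem" >> data/acme_srv.cfg
        echo "krb5_config: volume/acme_ca/krb5.conf" >> data/acme_srv.cfg
        # verify: False disables TLS verification towards the enrollment endpoint;
        # test-only setting for the tunnelled CA, not for deployments.
        echo "verify: False" >> data/acme_srv.cfg
        echo "request_timeout: 30" >> data/acme_srv.cfg
        sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg
        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" data/acme_srv.cfg
        echo "eab_profiling: True" >> data/acme_srv.cfg
        echo -e "\n[EABhandler]" >> data/acme_srv.cfg
        echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg
        echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg
        sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json
        sudo chmod 777 data/acme_ca/kid_profiles.json
        sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"template\"\: \[\"WebServerModified\"\, \"WebServer\"]/g" data/acme_ca/kid_profiles.json
        sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"template\"\: \"WebServerModified\"/g" data/acme_ca/kid_profiles.json
        sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json
        sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json
        sudo sed -i "s/example.net/local/g" data/acme_ca/kid_profiles.json
        sudo sed -i '18,19d' data/acme_ca/kid_profiles.json
        sudo sed -i '8,9d' data/acme_ca/kid_profiles.json
        sudo touch data/acme_ca/krb5.conf
        sudo chmod 777 data/acme_ca/krb5.conf
        cat <<EOF > data/acme_ca/krb5.conf
        $WES_KRB5_CONF
        EOF
      env:
        WES_HOST: ${{ secrets.WES_HOST }}
        WES_USER: ${{ secrets.WES_USER }}
        WES_PASSWORD: ${{ secrets.WES_PASSWORD }}
        WES_AUTHMETHOD: ${{ secrets.WES_AUTHMETHOD }}
        WES_TEMPLATE: ${{ secrets.WES_TEMPLATE }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
        WES_KRB5_CONF: ${{ secrets.WES_KRB5_CONF }}
    - name: "KRB - Execute install scipt"
      run: |
        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
        docker exec acme-srv yum install -y krb5-libs
    - name: "EAB with headerinfo - enrollment"
      uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_eab
      with:
        NAME_SPACE: local
    # Failure diagnostics: archive the installation inside the container, copy
    # the data volume and client directory, and bundle them with the syslog.
    - name: "[ * ] collecting test logs"
      if: ${{ failure() }}
      run: |
        mkdir -p ${{ github.workspace }}/artifact/upload
        docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
        sudo rm -rf data/*.rpm
        sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
        # acme_srv.cfg carries the CA password from secrets; redact it before the
        # directory is uploaded (secret masking covers step output, not artifact
        # contents). NOTE(review): if data/ is the mount behind /tmp/acme2certifier,
        # the a2c.tgz in the same copy also holds the config under
        # /opt/acme2certifier — confirm and redact there too if so.
        if [ -f "${{ github.workspace }}/artifact/data/acme_srv.cfg" ]; then
          sudo sed -i 's/^password:.*/password: <redacted>/' "${{ github.workspace }}/artifact/data/acme_srv.cfg"
        fi
        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
        docker exec acme-srv ls -la /tmp > ${{ github.workspace }}/artifact/data/tmp_list
        docker exec acme-srv ls -la /tmp
        docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh
    - name: "[ * ] uploading artificates"
      uses: actions/upload-artifact@v4
      if: ${{ failure() }}
      with:
        name: mscertsrv_handler_profile_tests_rpm-rh${{ matrix.rhversion }}.tar.gz
        path: ${{ github.workspace }}/artifact/upload/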
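# mswcce_ca_handler tests on the rpm install, Alma 8 and 9, with a local
# dnsmasq so the CA/AD names from secrets resolve to the tunnel on the runner.
# Runs NTLM first, then Kerberos, then an allowed_domainlist negative test.
mswcce_handler_tests_rpm:
  name: "mswcce_handler_tests_rpm"
  runs-on: ubuntu-latest
  needs: mscertsrv_handler_tests_rpm
  strategy:
    # max-parallel: 1
    fail-fast: false
    matrix:
      rhversion:
        - 8
        - 9
  steps:
    - name: "checkout GIT"
      uses: actions/checkout@v4
    - name: "Prepare Alma environment"
      uses: ./.github/actions/rpm_prep
      with:
        GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
        GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
        RH_VERSION: ${{ matrix.rhversion }}
        DJANGO_DB: psql
        RPM_BUILD: false
    - name: Download rpm package
      uses: actions/download-artifact@v4
      with:
        name: acme2certifier-${{ github.run_id }}.noarch.rpm
        path: data/
    - name: "Get runner ip"
      run: |
        echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
        echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
    - run: echo "runner IP is ${{ env.RUNNER_IP }}"
    # systemd-resolved is replaced by dnsmasq; the template from .github gets the
    # runner IP substituted and one address= override per CA/AD hostname.
    - name: "Install dnsmasq"
      run: |
        sudo apt-get update
        sudo apt-get install -y dnsmasq
        sudo systemctl disable systemd-resolved
        sudo systemctl stop systemd-resolved
        # sudo chmod -R 777 /etc/resolv.conf
        # sudo echo "nameserver 8.8.8.8" > /etc/resolv.conf
        sudo mkdir -p dnsmasq
        sudo cp .github/dnsmasq.conf dnsmasq/
        sudo chmod -R 777 dnsmasq/dnsmasq.conf
        sudo sed -i "s/RUNNER_IP/$RUNNER_IP/g" dnsmasq/dnsmasq.conf
        echo "address=/$WCCE_FQDN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf
        echo "address=/$WCCE_ADS_DOMAIN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf
        echo "address=/$WES_HOST/$RUNNER_IP" >> dnsmasq/dnsmasq.conf
        cat dnsmasq/dnsmasq.conf
        sudo cp dnsmasq/dnsmasq.conf /etc/
        sudo sed -i "s/ --local-service/ /g" /etc/init.d/dnsmasq
        sudo systemctl enable dnsmasq
        sudo systemctl start dnsmasq
      env:
        RUNNER_IP: ${{ env.RUNNER_IP }}
        WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
        WES_HOST: ${{ secrets.WES_HOST }}
    - name: "Test dns resulution"
      run: |
        host $WCCE_ADS_DOMAIN ${{ env.RUNNER_IP }}
        host $WCCE_FQDN ${{ env.RUNNER_IP }}
        host $WES_HOST 127.0.0.1
      env:
        WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
        WES_HOST: ${{ secrets.WES_HOST }}
    - name: "Create letsencrypt and lego folder"
      run: |
        mkdir certbot
        mkdir lego
        mkdir acme-sh
    - name: "Setup tunnel"
      uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup
      with:
        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
        WCCE_HOST: ${{ secrets.WCCE_HOST }}
        WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
    # The CA bundle comes from a secret and the handler config from the default
    # template plus the appends below. touch/chmod now target data/acme_srv.cfg,
    # the file actually written (the previous data/acme_ca/acme_srv.cfg path only
    # left an empty file behind). Appends use plain `echo`: the shell performs
    # the redirection, so `sudo` only put the password on a logged command line.
    - name: "NTLM - Prepare acme_srv.cfg with ms_wcce_ca_handler"
      run: |
        mkdir -p data/acme_ca
        sudo touch data/acme_ca/ca_certs.pem
        sudo chmod 777 data/acme_ca/ca_certs.pem
        echo "$WCCE_CA_BUNDLE" > data/acme_ca/ca_certs.pem
        sudo touch data/acme_srv.cfg
        sudo chmod 777 data/acme_srv.cfg
        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
        echo "handler_file: /opt/acme2certifier/examples/ca_handler/mswcce_ca_handler.py" >> data/acme_srv.cfg
        echo "host: $RUNNER_IP" >> data/acme_srv.cfg
        echo "user: $WCCE_USER" >> data/acme_srv.cfg
        echo "password: $WCCE_PASSWORD" >> data/acme_srv.cfg
        echo "template: $WCCE_TEMPLATE" >> data/acme_srv.cfg
        echo "ca_name: $WCCE_CA_NAME" >> data/acme_srv.cfg
        echo "target_domain: $WCCE_ADS_DOMAIN" >> data/acme_srv.cfg
        echo "ca_bundle: /opt/acme2certifier/volume/acme_ca/ca_certs.pem" >> data/acme_srv.cfg
        echo "timeout: 20" >> data/acme_srv.cfg
        sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg
        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" data/acme_srv.cfg
      env:
        RUNNER_IP: ${{ env.RUNNER_IP }}
        WCCE_USER: ${{ secrets.WCCE_USER }}
        WCCE_PASSWORD: ${{ secrets.WCCE_PASSWORD }}
        WCCE_TEMPLATE: ${{ secrets.WCCE_TEMPLATE }}
        WCCE_CA_NAME: ${{ secrets.WCCE_CA_NAME }}
        WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
        WCCE_CA_BUNDLE: ${{ secrets.WCCE_CA_BUNDLE }}
    - name: "NTLM - Execute install scipt"
      run: |
        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
    - name: "NTLM - enrollment mit default profile and headerinfo"
      uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo
    # Kerberos variant: host is the CA FQDN (resolved via dnsmasq), the runner
    # acts as domain_controller endpoint and use_kerberos is switched on.
    - name: "KRB - Setup a2c with ms_wcce_ca_handler (Kerberos)"
      run: |
        mkdir -p data/acme_ca
        sudo touch data/acme_ca/ca_certs.pem
        sudo chmod 777 data/acme_ca/ca_certs.pem
        echo "$WCCE_CA_BUNDLE" > data/acme_ca/ca_certs.pem
        sudo touch data/acme_srv.cfg
        sudo chmod 777 data/acme_srv.cfg
        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
        echo "handler_file: /opt/acme2certifier/examples/ca_handler/mswcce_ca_handler.py" >> data/acme_srv.cfg
        echo "host: $WCCE_FQDN" >> data/acme_srv.cfg
        echo "user: $WCCE_USER" >> data/acme_srv.cfg
        echo "password: $WCCE_PASSWORD" >> data/acme_srv.cfg
        echo "template: $WCCE_TEMPLATE" >> data/acme_srv.cfg
        echo "ca_name: $WCCE_CA_NAME" >> data/acme_srv.cfg
        echo "target_domain: $WCCE_ADS_DOMAIN" >> data/acme_srv.cfg
        echo "domain_controller: $RUNNER_IP" >> data/acme_srv.cfg
        echo "ca_bundle: /opt/acme2certifier/volume/acme_ca/ca_certs.pem" >> data/acme_srv.cfg
        echo "timeout: 20" >> data/acme_srv.cfg
        echo "use_kerberos: True" >> data/acme_srv.cfg
        sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg
        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" data/acme_srv.cfg
      env:
        RUNNER_IP: ${{ env.RUNNER_IP }}
        WCCE_USER: ${{ secrets.WCCE_USER }}
        WCCE_PASSWORD: ${{ secrets.WCCE_PASSWORD }}
        WCCE_TEMPLATE: ${{ secrets.WCCE_TEMPLATE }}
        WCCE_CA_NAME: ${{ secrets.WCCE_CA_NAME }}
        WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
        WCCE_CA_BUNDLE: ${{ secrets.WCCE_CA_BUNDLE }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
    - name: "KRB - Reconfigure a2c "
      run: |
        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
    - name: "KRB - enrollment mit default profile and headerinfo"
      uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo
    # Negative test: challenge validation off, allowed_domainlist added, so a
    # request for a name outside the list must be rejected.
    - name: "KRB - Setup a2c with mswcce_ca_handler with allowed_domainlist configuration"
      run: |
        sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" data/acme_srv.cfg
        echo "allowed_domainlist: [\"*.acme\", \"foo1.bar\", \"*.bar.local\"]" >> data/acme_srv.cfg
    - name: "KRB - Reconfigure a2c "
      run: |
        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
    - name: "KRB - enrollment allowed domainlist"
      uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_allowed_domain_list
    - name: "Verify allowed_domainlist error"
      run: |
        docker exec acme-srv grep -i "either CN or SANs are not allowed by configuration" /var/log/messages
    # Failure diagnostics: archive the installation inside the container, copy
    # data volume, client and dnsmasq directories, and bundle them with the syslog.
    - name: "[ * ] collecting test logs"
      if: ${{ failure() }}
      run: |
        mkdir -p ${{ github.workspace }}/artifact/upload
        docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
        sudo rm -rf data/*.rpm
        sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
        # acme_srv.cfg carries the CA password from secrets; redact it before the
        # directory is uploaded (secret masking covers step output, not artifact
        # contents). NOTE(review): if data/ is the mount behind /tmp/acme2certifier,
        # the a2c.tgz in the same copy also holds the config under
        # /opt/acme2certifier — confirm and redact there too if so.
        if [ -f "${{ github.workspace }}/artifact/data/acme_srv.cfg" ]; then
          sudo sed -i 's/^password:.*/password: <redacted>/' "${{ github.workspace }}/artifact/data/acme_srv.cfg"
        fi
        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
        sudo cp -rp dnsmasq/ ${{ github.workspace }}/artifact/dnsmasq/
        # docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
        # docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
        docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh dnsmasq
    - name: "[ * ] uploading artificates"
      uses: actions/upload-artifact@v4
      if: ${{ failure() }}
      with:
        name: mswcce_handler_tests_rpm-rh${{ matrix.rhversion }}.tar.gz
        path: ${{ github.workspace }}/artifact/upload/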
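# mswcce_ca_handler with EAB profiling (kid_profile_handler) on the rpm install,
# Kerberos auth, local dnsmasq for name resolution as in mswcce_handler_tests_rpm.
mswcce_handler_eab_profile_tests_rpm:
  name: "mswcce_handler_eab_profile_tests_rpm"
  runs-on: ubuntu-latest
  needs: mscertsrv_handler_tests_rpm
  strategy:
    # max-parallel: 1
    fail-fast: false
    matrix:
      rhversion:
        - 8
        - 9
  steps:
    - name: "checkout GIT"
      uses: actions/checkout@v4
    - name: "Prepare Alma environment"
      uses: ./.github/actions/rpm_prep
      with:
        GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
        GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
        RH_VERSION: ${{ matrix.rhversion }}
        DJANGO_DB: psql
        RPM_BUILD: false
    - name: Download rpm package
      uses: actions/download-artifact@v4
      with:
        name: acme2certifier-${{ github.run_id }}.noarch.rpm
        path: data/
    - name: "Get runner ip"
      run: |
        echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
        echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
    - run: echo "runner IP is ${{ env.RUNNER_IP }}"
    # systemd-resolved is replaced by dnsmasq; the template from .github gets the
    # runner IP substituted and one address= override per CA/AD hostname.
    - name: "Install dnsmasq"
      run: |
        sudo apt-get update
        sudo apt-get install -y dnsmasq
        sudo systemctl disable systemd-resolved
        sudo systemctl stop systemd-resolved
        # sudo chmod -R 777 /etc/resolv.conf
        # sudo echo "nameserver 8.8.8.8" > /etc/resolv.conf
        sudo mkdir -p dnsmasq
        sudo cp .github/dnsmasq.conf dnsmasq/
        sudo chmod -R 777 dnsmasq/dnsmasq.conf
        sudo sed -i "s/RUNNER_IP/$RUNNER_IP/g" dnsmasq/dnsmasq.conf
        echo "address=/$WCCE_FQDN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf
        echo "address=/$WCCE_ADS_DOMAIN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf
        echo "address=/$WES_HOST/$RUNNER_IP" >> dnsmasq/dnsmasq.conf
        cat dnsmasq/dnsmasq.conf
        sudo cp dnsmasq/dnsmasq.conf /etc/
        sudo sed -i "s/ --local-service/ /g" /etc/init.d/dnsmasq
        sudo systemctl enable dnsmasq
        sudo systemctl start dnsmasq
      env:
        RUNNER_IP: ${{ env.RUNNER_IP }}
        WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
        WES_HOST: ${{ secrets.WES_HOST }}
    - name: "Test dns resulution"
      run: |
        host $WCCE_ADS_DOMAIN ${{ env.RUNNER_IP }}
        host $WCCE_FQDN ${{ env.RUNNER_IP }}
        host $WES_HOST 127.0.0.1
      env:
        WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
        WES_HOST: ${{ secrets.WES_HOST }}
    - name: "Create letsencrypt and lego folder"
      run: |
        mkdir certbot
        mkdir lego
        mkdir acme-sh
    - name: "Setup tunnel"
      uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup
      with:
        WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
        WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
        WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
        WCCE_HOST: ${{ secrets.WCCE_HOST }}
        WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
        WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
        WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
    # Kerberos handler config plus an [EABhandler] section; the example
    # kid_profiles.json is rewritten with sed so profile_id entries become MS
    # template names. touch/chmod now target data/acme_srv.cfg, the file actually
    # written (the previous data/acme_ca/acme_srv.cfg path only left an empty
    # file behind). Appends use plain `echo`: the shell performs the redirection,
    # so `sudo` only put the password on a command line that sudo logs.
    - name: "EAB with headerinfo - Setup a2c with ms_wcce_ca_handler (Kerberos)"
      run: |
        mkdir -p data/acme_ca
        sudo touch data/acme_ca/ca_certs.pem
        sudo chmod 777 data/acme_ca/ca_certs.pem
        echo "$WCCE_CA_BUNDLE" > data/acme_ca/ca_certs.pem
        sudo touch data/acme_srv.cfg
        sudo chmod 777 data/acme_srv.cfg
        sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
        echo "handler_file: /opt/acme2certifier/examples/ca_handler/mswcce_ca_handler.py" >> data/acme_srv.cfg
        echo "host: $WCCE_FQDN" >> data/acme_srv.cfg
        echo "user: $WCCE_USER" >> data/acme_srv.cfg
        echo "password: $WCCE_PASSWORD" >> data/acme_srv.cfg
        echo "template: $WCCE_TEMPLATE" >> data/acme_srv.cfg
        echo "ca_name: $WCCE_CA_NAME" >> data/acme_srv.cfg
        echo "target_domain: $WCCE_ADS_DOMAIN" >> data/acme_srv.cfg
        echo "domain_controller: $RUNNER_IP" >> data/acme_srv.cfg
        echo "ca_bundle: /opt/acme2certifier/volume/acme_ca/ca_certs.pem" >> data/acme_srv.cfg
        echo "timeout: 20" >> data/acme_srv.cfg
        echo "use_kerberos: True" >> data/acme_srv.cfg
        sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg
        sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" data/acme_srv.cfg
        echo "eab_profiling: True" >> data/acme_srv.cfg
        echo -e "\n[EABhandler]" >> data/acme_srv.cfg
        echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg
        echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg
        sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json
        sudo chmod 777 data/acme_ca/kid_profiles.json
        sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"template\"\: \[\"WebServerModified\"\, \"WebServer\"]/g" data/acme_ca/kid_profiles.json
        sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"template\"\: \"WebServerModified\"/g" data/acme_ca/kid_profiles.json
        sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json
        sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json
        sudo sed -i "s/example.net/acme/g" data/acme_ca/kid_profiles.json
        sudo sed -i '18,19d' data/acme_ca/kid_profiles.json
        sudo sed -i '8,9d' data/acme_ca/kid_profiles.json
      env:
        RUNNER_IP: ${{ env.RUNNER_IP }}
        WCCE_USER: ${{ secrets.WCCE_USER }}
        WCCE_PASSWORD: ${{ secrets.WCCE_PASSWORD }}
        WCCE_TEMPLATE: ${{ secrets.WCCE_TEMPLATE }}
        WCCE_CA_NAME: ${{ secrets.WCCE_CA_NAME }}
        WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }}
        WCCE_CA_BUNDLE: ${{ secrets.WCCE_CA_BUNDLE }}
        WCCE_FQDN: ${{ secrets.WCCE_FQDN }}
    - name: "EAB with headerinfo - Execute install scipt"
      run: |
        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
    - name: "EAB with headerinfo - enrollment"
      uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_eab
    # Failure diagnostics: archive the installation inside the container, copy
    # data volume, client and dnsmasq directories, and bundle them with the syslog.
    - name: "[ * ] collecting test logs"
      if: ${{ failure() }}
      run: |
        mkdir -p ${{ github.workspace }}/artifact/upload
        docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
        sudo rm -rf data/*.rpm
        sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
        # acme_srv.cfg carries the CA password from secrets; redact it before the
        # directory is uploaded (secret masking covers step output, not artifact
        # contents). NOTE(review): if data/ is the mount behind /tmp/acme2certifier,
        # the a2c.tgz in the same copy also holds the config under
        # /opt/acme2certifier — confirm and redact there too if so.
        if [ -f "${{ github.workspace }}/artifact/data/acme_srv.cfg" ]; then
          sudo sed -i 's/^password:.*/password: <redacted>/' "${{ github.workspace }}/artifact/data/acme_srv.cfg"
        fi
        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
        sudo cp -rp dnsmasq/ ${{ github.workspace }}/artifact/dnsmasq/
        # docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
        # docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
        docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh dnsmasq
    - name: "[ * ] uploading artificates"
      uses: actions/upload-artifact@v4
      if: ${{ failure() }}
      with:
        name: mswcce_handler_profile_tests_rpm-rh${{ matrix.rhversion }}.tar.gz
        path: ${{ github.workspace }}/artifact/upload/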
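# Delete the shared rpm artifact once all four rpm test jobs are done. `always()`
# makes the deletion run even when one of them fails; without it this job is
# skipped along with the failed dependency and the rpm lingers until retention.
rpm_cleanup:
  name: "rpm_cleanup"
  runs-on: ubuntu-latest
  if: ${{ always() }}
  needs:
    - mscertsrv_handler_tests_rpm
    - mscertsrv_handler_eab_profile_tests_rpm
    - mswcce_handler_tests_rpm
    - mswcce_handler_eab_profile_tests_rpm
  steps:
    # Third-party action referenced by a floating tag; pinning to a full commit
    # SHA (geekyeggo/delete-artifact@<commit-sha>) protects against the tag
    # being moved to different code.
    - name: "Delete artifact"
      uses: geekyeggo/delete-artifact@v5
      with:
        name: acme2certifier-${{ github.run_id }}.noarch.rpm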