diff --git a/.github/workflows/ca_handler_tests_cmp.yml b/.github/workflows/ca_handler_tests_cmp.yml new file mode 100644 index 00000000..39381416 --- /dev/null +++ b/.github/workflows/ca_handler_tests_cmp.yml @@ -0,0 +1,418 @@ +name: CA handler tests - CMPv2 + +on: + push: + pull_request: + branches: [ devel ] + schedule: + # * is a special character in YAML so you have to quote this string + - cron: '0 2 * * 6' + +jobs: + cmp_handler_tests: + name: "cmp_handler_tests" + runs-on: ubuntu-latest + strategy: + max-parallel: 2 + fail-fast: false + matrix: + websrv: ['apache2', 'nginx'] + dbhandler: ['wsgi', 'django'] + steps: + - name: "checkout GIT" + uses: actions/checkout@v4 + + - name: "Get runner ip" + run: | + echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV + echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV + + - run: echo "runner IP is ${{ env.RUNNER_IP }}" + + - name: "Build container" + uses: ./.github/actions/container_prep + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + + - name: "Create ssh environment on ramdisk" + run: | + sudo mkdir -p /tmp/rd + sudo mount -t tmpfs -o size=5M none /tmp/rd + sudo echo "$SSH_KEY" > /tmp/rd/ak.tmp + sudo chmod 600 /tmp/rd/ak.tmp + sudo echo "$KNOWN_HOSTS" > /tmp/rd/known_hosts + env: + SSH_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} + KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} + + - name: "Setup ssh forwarder" + run: | + docker run -d --rm --network acme --name=ssh-forwarder.acme -e "MAPPINGS=8086:$CMP_HOST:8086" -e "SSH_HOST=$SSH_HOST" -e "SSH_PORT=$SSH_PORT" -e "SSH_USER=$SSH_USER" -p 443:443 -p 445:445 -p 88:88 -v "/tmp/rd/ak.tmp:/ssh_key:ro" davidlor/ssh-port-forward-client:dev + env: + SSH_USER: ${{ secrets.CMP_SSH_USER }} + SSH_HOST: ${{ secrets.CMP_SSH_HOST }} + SSH_PORT: ${{ secrets.CMP_SSH_PORT }} + CMP_HOST: ${{ secrets.CMP_HOST }} + + - name: "Setup a2c with cmp_ca_handler with key-cert authentication" + run: | + sudo touch examples/Docker/data/ca_bundle.pem + sudo touch examples/Docker/data/ra_cert.pem + sudo touch examples/Docker/data/ra_key.pem + sudo chmod 777 examples/Docker/data/*.pem + sudo echo "$CMP_TRUSTED" > examples/Docker/data/ca_bundle.pem + sudo echo "$CMP_RA_CERT" > examples/Docker/data/ra_cert.pem + sudo echo "$CMP_RA_KEY" > examples/Docker/data/ra_key.pem + sudo touch examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/cmp_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_path: pkix/" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_ignore_keyusage: True" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_msg_timeout: 3" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_total_timeout: 5" >> examples/Docker/data/acme_srv.cfg + # sudo echo "cmp_server: $RUNNER_IP:8086" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_server: ssh-forwarder.acme:8086" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_cert: volume/ra_cert.pem" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_key: volume/ra_key.pem" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_trusted: volume/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_recipient: $CMP_RECIPIENT" >> examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + docker-compose restart + env: + RUNNER_IP: ${{ env.RUNNER_IP }} + CMP_RECIPIENT: ${{ secrets.CMP_RECIPIENT }} + CMP_RA_KEY: ${{ secrets.CMP_RA_KEY }} + CMP_RA_CERT: ${{ secrets.CMP_RA_CERT }} + CMP_TRUSTED: ${{ secrets.CMP_TRUSTED }} + + - name: "Sleep for 10s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 10s + + - name: "Test http://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "Test if https://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory + + - name: "Enroll acme.sh" + run: | + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + sudo rm -rf acme-sh/* + + - name: "Setup a2c with cmp_ca_handler with PSK refnum authentication" + run: | + sudo touch examples/Docker/data/ca_bundle.pem + sudo touch examples/Docker/data/ra_cert.pem + sudo chmod 777 examples/Docker/data/*.pem + sudo echo "$CMP_TRUSTED" > examples/Docker/data/ca_bundle.pem + sudo echo "$CMP_RA_CERT" > examples/Docker/data/ra_cert.pem + sudo touch examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/cmp_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_path: pkix/" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_ignore_keyusage: True" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_msg_timeout: 3" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_total_timeout: 5" >> examples/Docker/data/acme_srv.cfg + # sudo echo "cmp_server: $RUNNER_IP:8086" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_server: ssh-forwarder.acme:8086" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_cert: volume/ra_cert.pem" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_trusted: volume/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_recipient: $CMP_RECIPIENT" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_ref: $CMP_REF" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_secret: $CMP_SECRET" >> examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + docker-compose restart + env: + RUNNER_IP: ${{ env.RUNNER_IP }} + CMP_RECIPIENT: ${{ secrets.CMP_RECIPIENT }} + CMP_RA_CERT: ${{ secrets.CMP_RA_CERT }} + CMP_TRUSTED: ${{ secrets.CMP_TRUSTED }} + CMP_REF: ${{ secrets.CMP_REF }} + CMP_SECRET: ${{ secrets.CMP_SECRET }} + + - name: "Sleep for 10s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 10s + + - name: "Sleep for 10s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 10s + + - name: "Test http://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "Test if https://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory + + - name: "Enroll acme.sh" + run: | + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + - name: "Check container configuration" + uses: ./.github/actions/container_check + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ + sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v4 + if: ${{ failure() }} + with: + name: cmp_handler_tests-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + rpm_cmp_handler_tests_keycert: + name: "rpm_cmp_handler_tests_keycert" + runs-on: ubuntu-latest + steps: + - name: "checkout GIT" + uses: actions/checkout@v4 + + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep + with: + GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} + GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: 9 + + - name: "Get runner ip" + run: | + echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV + echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV + + - run: echo "runner IP is ${{ env.RUNNER_IP }}" + + - name: "Create ssh environment on ramdisk" + run: | + sudo mkdir -p /tmp/rd + sudo mount -t tmpfs -o size=5M none /tmp/rd + sudo echo "$SSH_KEY" > /tmp/rd/ak.tmp + sudo chmod 600 /tmp/rd/ak.tmp + sudo echo "$KNOWN_HOSTS" > /tmp/rd/known_hosts + env: + SSH_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} + KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} + + - name: "Setup ssh forwarder" + run: | + docker run -d --rm --network acme --name=ssh-forwarder.acme -e "MAPPINGS=8086:$CMP_HOST:8086" -e "SSH_HOST=$SSH_HOST" -e "SSH_PORT=$SSH_PORT" -e "SSH_USER=$SSH_USER" -p 443:443 -p 445:445 -p 88:88 -v "/tmp/rd/ak.tmp:/ssh_key:ro" davidlor/ssh-port-forward-client:dev + env: + SSH_USER: ${{ secrets.CMP_SSH_USER }} + SSH_HOST: ${{ secrets.CMP_SSH_HOST }} + SSH_PORT: ${{ secrets.CMP_SSH_PORT }} + CMP_HOST: ${{ secrets.CMP_HOST }} + + - name: "Sleep for 5s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 5s + + - name: "Setup a2c with cmp_ca_handler" + run: | + sudo mkdir data/acme_ca + sudo cp test/ca/root-ca-cert.pem data/acme_ca + sudo cp test/ca/sub-ca-cert.pem data/acme_ca + sudo touch data/acme_ca/ca_bundle.pem + sudo touch data/acme_ca/ra_cert.pem + sudo touch data/acme_ca/ra_key.pem + sudo chmod 777 data/acme_ca/*.pem + sudo echo "$CMP_TRUSTED" > data/acme_ca/ca_bundle.pem + sudo echo "$CMP_RA_CERT" > data/acme_ca/ra_cert.pem + sudo echo "$CMP_RA_KEY" > data/acme_ca/ra_key.pem + sudo touch data/acme_srv.cfg + sudo chmod 777 data/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg + sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/cmp_ca_handler.py" >> data/acme_srv.cfg + sudo echo "cmp_path: pkix/" >> data/acme_srv.cfg + sudo echo "cmp_ignore_keyusage: True" >> data/acme_srv.cfg + sudo echo "cmp_msg_timeout: 3" >> data/acme_srv.cfg + sudo echo "cmp_total_timeout: 5" >> data/acme_srv.cfg + sudo echo "cmp_server: ssh-forwarder.acme:8086" >> data/acme_srv.cfg + sudo echo "cmp_cert: /opt/acme2certifier/volume/acme_ca/ra_cert.pem" >> data/acme_srv.cfg + sudo echo "cmp_key: /opt/acme2certifier/volume/acme_ca/ra_key.pem" >> data/acme_srv.cfg + sudo echo "cmp_trusted: /opt/acme2certifier/volume/acme_ca/ca_bundle.pem" >> data/acme_srv.cfg + sudo echo "cmp_recipient: $CMP_RECIPIENT" >> data/acme_srv.cfg + env: + RUNNER_IP: ${{ env.RUNNER_IP }} + CMP_RECIPIENT: ${{ secrets.CMP_RECIPIENT }} + CMP_RA_KEY: ${{ secrets.CMP_RA_KEY }} + CMP_RA_CERT: ${{ secrets.CMP_RA_CERT }} + CMP_TRUSTED: ${{ secrets.CMP_TRUSTED }} + + - name: "Execute install scipt" + run: | + docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh + + - name: "Sleep for 10s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 10s + + - name: "Test http://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "Test if https://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory + + - name: "Enroll acme.sh" + run: | + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier + sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ + sudo rm ${{ github.workspace }}/artifact/data/*.rpm + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v4 + if: ${{ failure() }} + with: + name: rpm_cmp_handler_tests_keycert.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + rpm_cmp_handler_tests_refpsk: + name: "rpm_cmp_handler_tests_refpsk" + runs-on: ubuntu-latest + steps: + - name: "checkout GIT" + uses: actions/checkout@v4 + + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep + with: + GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} + GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: 9 + + - name: "Get runner ip" + run: | + echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV + echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV + + - run: echo "runner IP is ${{ env.RUNNER_IP }}" + + - name: "Create ssh environment on ramdisk" + run: | + sudo mkdir -p /tmp/rd + sudo mount -t tmpfs -o size=5M none /tmp/rd + sudo echo "$SSH_KEY" > /tmp/rd/ak.tmp + sudo chmod 600 /tmp/rd/ak.tmp + sudo echo "$KNOWN_HOSTS" > /tmp/rd/known_hosts + env: + SSH_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} + KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} + + - name: "Setup ssh forwarder" + run: | + docker run -d --rm --network acme --name=ssh-forwarder.acme -e "MAPPINGS=8086:$CMP_HOST:8086" -e "SSH_HOST=$SSH_HOST" -e "SSH_PORT=$SSH_PORT" -e "SSH_USER=$SSH_USER" -p 443:443 -p 445:445 -p 88:88 -v "/tmp/rd/ak.tmp:/ssh_key:ro" davidlor/ssh-port-forward-client:dev + env: + SSH_USER: ${{ secrets.CMP_SSH_USER }} + SSH_HOST: ${{ secrets.CMP_SSH_HOST }} + SSH_PORT: ${{ secrets.CMP_SSH_PORT }} + CMP_HOST: ${{ secrets.CMP_HOST }} + + - name: "[ PREPARE ] Sleep for 5s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 5s + + - name: "Setup a2c with cmp_ca_handler" + run: | + sudo mkdir data/acme_ca + sudo cp test/ca/root-ca-cert.pem data/acme_ca + sudo cp test/ca/sub-ca-cert.pem data/acme_ca + sudo touch data/acme_ca/ca_bundle.pem + sudo touch data/acme_ca/ra_cert.pem + sudo chmod 777 data/acme_ca/*.pem + sudo echo "$CMP_TRUSTED" > data/acme_ca/ca_bundle.pem + sudo echo "$CMP_RA_CERT" > data/acme_ca/ra_cert.pem + sudo touch data/acme_srv.cfg + sudo chmod 777 data/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg + sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/cmp_ca_handler.py" >> data/acme_srv.cfg + sudo echo "cmp_path: pkix/" >> data/acme_srv.cfg + sudo echo "cmp_ignore_keyusage: True" >> data/acme_srv.cfg + sudo echo "cmp_msg_timeout: 3" >> data/acme_srv.cfg + sudo echo "cmp_total_timeout: 5" >> data/acme_srv.cfg + sudo echo "cmp_server: ssh-forwarder.acme:8086" >> data/acme_srv.cfg + sudo echo "cmp_cert: /opt/acme2certifier/volume/acme_ca/ra_cert.pem" >> data/acme_srv.cfg + sudo echo "cmp_trusted: /opt/acme2certifier/volume/acme_ca/ca_bundle.pem" >> data/acme_srv.cfg + sudo echo "cmp_recipient: $CMP_RECIPIENT" >> data/acme_srv.cfg + sudo echo "cmp_ref: $CMP_REF" >> data/acme_srv.cfg + sudo echo "cmp_secret: $CMP_SECRET" >> data/acme_srv.cfg + env: + RUNNER_IP: ${{ env.RUNNER_IP }} + CMP_RECIPIENT: ${{ secrets.CMP_RECIPIENT }} + CMP_RA_CERT: ${{ secrets.CMP_RA_CERT }} + CMP_TRUSTED: ${{ secrets.CMP_TRUSTED }} + CMP_REF: ${{ secrets.CMP_REF }} + CMP_SECRET: ${{ secrets.CMP_SECRET }} + + - name: "Execute install scipt" + run: | + docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh + + - name: "Sleep for 10s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 10s + + - name: "Test http://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "Test if https://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory + + - name: "Enroll acme.sh" + run: | + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier + sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ + sudo rm ${{ github.workspace }}/artifact/data/*.rpm + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v4 + if: ${{ failure() }} + with: + name: rpm_cmp_handler_tests_refpsk.tar_rpm.gz + path: ${{ github.workspace }}/artifact/upload/ \ No newline at end of file diff --git a/.github/workflows/ca_handler_tests_est.yml b/.github/workflows/ca_handler_tests_est.yml new file mode 100644 index 00000000..4780f7ca --- /dev/null +++ b/.github/workflows/ca_handler_tests_est.yml @@ -0,0 +1,151 @@ +name: CA handler tests - EST handler +# Clientauth tests are not working on testrfc7030 and are done insed openxpi wf + +on: + push: + pull_request: + branches: [ devel ] + schedule: + # * is a special character in YAML so you have to quote this string + - cron: '0 2 * * 6' + +jobs: + est_handler_tests: + name: "est_handler_tests" + runs-on: ubuntu-latest + strategy: + max-parallel: 1 + fail-fast: false + matrix: + websrv: ['apache2', 'nginx'] + dbhandler: ['wsgi', 'django'] + + steps: + - name: "checkout GIT" + uses: actions/checkout@v4 + + - name: "Build container" + uses: ./.github/actions/container_prep + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + + - name: "Setup esthandler using http-basic-auth" + run: | + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/est_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "est_host: https://testrfc7030.com:8443" >> examples/Docker/data/acme_srv.cfg + sudo echo "est_user: estuser" >> examples/Docker/data/acme_srv.cfg + sudo echo "est_password: estpwd" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_bundle: False" >> examples/Docker/data/acme_srv.cfg + sudo echo "request_timeout: 30" >> examples/Docker/data/acme_srv.cfg + sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> examples/Docker/data/acme_srv.cfg + sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + docker-compose restart + + - name: "Test enrollment" + uses: ./.github/actions/acme_clients + with: + REVOCATION: "false" + VERIFY_CERT: "false" + USE_CERTBOT: "false" + TEST_ADL: "true" + + - name: "Verify allowed_domainlist error" + run: | + cd examples/Docker + docker-compose logs | grep "allowed_domainlist" | grep -i "either CN or SANs are not allowed by configuration" + + - name: "Check container configuration" + uses: ./.github/actions/container_check + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v4 + if: ${{ failure() }} + with: + name: est-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + est_handler_tests_rpm: + name: "est_handler_tests_rpm" + runs-on: ubuntu-latest + strategy: + max-parallel: 1 + fail-fast: false + matrix: + rhversion: [8, 9] + steps: + - name: "checkout GIT" + uses: actions/checkout@v4 + + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep + with: + GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} + GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} + + - name: "setup esthandler using http-basic-auth" + run: | + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg + sudo chmod 777 data/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg + sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/est_ca_handler.py" >> data/acme_srv.cfg + sudo echo "est_host: https://testrfc7030.com:8443" >> data/acme_srv.cfg + sudo echo "est_user: estuser" >> data/acme_srv.cfg + sudo echo "est_password: estpwd" >> data/acme_srv.cfg + sudo echo "ca_bundle: False" >> data/acme_srv.cfg + sudo echo "request_timeout: 30" >> data/acme_srv.cfg + sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> data/acme_srv.cfg + sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" data/acme_srv.cfg + + - name: "Execute install scipt" + run: | + docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh + + - name: "Test enrollment" + uses: ./.github/actions/acme_clients + with: + REVOCATION: "false" + VERIFY_CERT: "false" + USE_CERTBOT: "false" + TEST_ADL: "true" + + - name: "Verify allowed_domainlist error" + run: | + docker exec acme-srv grep -i "either CN or SANs are not allowed by configuration" /var/log/messages + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier + sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ + sudo rm ${{ github.workspace }}/artifact/data/*.rpm + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig + docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf + docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v4 + if: ${{ failure() }} + with: + name: est-rpm-rh${{ matrix.rhversion }}.tar.gz + path: ${{ github.workspace }}/artifact/upload/ \ No newline at end of file