Proxy tests #1501

Workflow file for this run

.github/workflows/proxy-test.yml at 2c758e4

	name: Proxy tests

	on:
	push:
	pull_request:
	branches: [ devel ]
	schedule:
	# * is a special character in YAML so you have to quote this string
	- cron: '0 2 * * 6'

	jobs:
	proxy_tests:
	name: "proxy_tests"
	runs-on: ubuntu-latest
	strategy:
	fail-fast: false
	max-parallel: 1
	matrix:
	websrv: ['apache2', 'nginx']
	dbhandler: ['wsgi', 'django']

	steps:

	- name: "checkout GIT"
	uses: actions/checkout@v4

	- name: "get runner ip"
	run: \|
	echo RUNNER_IP=$(ip addr show eth0 \| grep -i "inet " \| cut -d ' ' -f 6 \| cut -d '/' -f 1) >> $GITHUB_ENV
	echo RUNNER_PATH=$(pwd \| sed 's_/_\\/_g') >> $GITHUB_ENV
	- run: echo "runner IP is ${{ env.RUNNER_IP }}"

	- name: "Build container"
	uses: ./.github/actions/container_prep
	with:
	DB_HANDLER: ${{ matrix.dbhandler }}
	WEB_SRV: ${{ matrix.websrv }}

	- name: "Install dnsmasq"
	run: \|
	sudo apt-get update
	sudo apt-get install -y dnsmasq
	sudo systemctl disable systemd-resolved
	sudo systemctl stop systemd-resolved
	sudo mkdir -p dnsmasq
	sudo cp .github/dnsmasq.conf dnsmasq/
	sudo chmod -R 777 dnsmasq/dnsmasq.conf
	sudo sed -i "s/RUNNER_IP/$RUNNER_IP/g" dnsmasq/dnsmasq.conf
	sudo echo "address=/$WES_HOST/$RUNNER_IP" >> dnsmasq/dnsmasq.conf
	cat dnsmasq/dnsmasq.conf
	sudo cp dnsmasq/dnsmasq.conf /etc/
	sudo systemctl enable dnsmasq
	sudo systemctl start dnsmasq
	env:
	RUNNER_IP: ${{ env.RUNNER_IP }}
	WES_HOST: ${{ secrets.WES_HOST }}

	- name: "test dns resulution"
	run: \|
	host $WES_HOST 127.0.0.1
	env:
	WES_HOST: ${{ secrets.WES_HOST }}

	- name: "proxy container"
	run: \|
	docker pull mosajjal/pproxy:latest
	docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &

	- name: "Sleep for 10s"
	uses: juliangruber/[email protected]
	with:
	time: 10s

	- name: "Setup openssl ca_handler"
	run: \|
	sudo mkdir -p examples/Docker/data/acme_ca/certs
	sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
	sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg examples/Docker/data/acme_srv.cfg
	sudo chmod 777 examples/Docker/data/acme_srv.cfg
	sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"acme-sh.acme\$\": \"socks5:\/\/proxy.acme:8080\", \"acme-sh.\$\": \"http\:\/\/proxy.acme:8080\"}/g" examples/Docker/data/acme_srv.cfg
	cd examples/Docker/
	docker-compose restart

	- name: "Sleep for 10s"
	uses: juliangruber/[email protected]
	with:
	time: 10s

	- name: "Openssl - Test http://acme-srv/directory is accessible"
	run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory

	- name: "Openssl - Test if https://acme-srv/directory is accessible"
	run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory

	- name: "Prepare acme.sh container"
	run: \|
	docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon

	- name: "Openssl - Enroll acme.sh - http challenge validation"
	run: \|
	docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail '[email protected]' --issue -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure --force
	openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer

	- name: "Check proxy logs"
	run: \|
	docker logs proxy \| grep socks5 \| grep -- "->"
	docker logs proxy \| grep http \| grep -- "->"
	docker stop proxy
	docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &

	- name: "Openssl - Enroll acme.sh - alpn challenge validation"
	run: \|
	docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail '[email protected]' --issue -d acme-sh.acme --alpn -d acme-sh. --alpn --standalone --debug 3 --output-insecure --force
	openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer

	- name: "Check proxy logs"
	run: \|
	docker logs proxy \| grep socks5 \| grep -- "->"
	docker logs proxy \| grep http \| grep -- "->"
	docker stop proxy
	docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &


	- name: "Setup certifier ca_handler for proxy usage"
	run: \|
	sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
	sudo chmod 777 examples/Docker/data/acme_srv.cfg
	sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
	sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
	sudo echo "api_host: ${{ secrets.NCM_API_HOST }}" >> examples/Docker/data/acme_srv.cfg
	sudo echo "api_user: ${{ secrets.NCM_API_USER }}" >> examples/Docker/data/acme_srv.cfg
	sudo echo "api_password: ${{ secrets.NCM_API_PASSWORD }}" >> examples/Docker/data/acme_srv.cfg
	sudo echo "ca_name: ${{ secrets.NCM_CA_NAME }}" >> examples/Docker/data/acme_srv.cfg
	sudo echo "ca_bundle: ${{ secrets.NCM_CA_BUNDLE }}" >> examples/Docker/data/acme_srv.cfg
	sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"ncm.nclm.eu\$\": \"socks5:\/\/proxy.acme:8080\"}/g" examples/Docker/data/acme_srv.cfg
	cd examples/Docker/
	docker-compose restart

	- name: "Sleep for 5s"
	uses: juliangruber/[email protected]
	with:
	time: 5s

	- name: "Certifier - Enroll via certifier ca_handler"
	run: \|
	docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail '[email protected]' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force
	awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
	openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer

	- name: "Certifier - Revoke via certifier ca_handler"
	run: \|
	docker exec -i acme-sh acme.sh --server http://acme-srv --revoke -d acme-sh.acme --standalone --debug 3 --output-insecure

	- name: "Check proxy logs"
	run: \|
	docker logs proxy \| grep socks5 \| grep -- "->"
	docker stop proxy
	docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &

	- name: "Setup using http-basic-auth for proxy usage"
	run: \|
	sudo mkdir -p examples/Docker/data/est
	sudo chmod -R 777 examples/Docker/data/est
	sudo touch $HOME/.rnd
	sudo openssl ecparam -genkey -name prime256v1 -out examples/Docker/data/est/est_client_key.pem
	sudo openssl req -new -key examples/Docker/data/est/est_client_key.pem -out /tmp/request.p10 -subj '/CN=acme2certifier'
	sudo curl http://testrfc7030.com/dstcax3.pem --output /tmp/dstcax3.pem
	sudo curl https://testrfc7030.com:8443/.well-known/est/cacerts -o /tmp/cacerts.p7 --cacert /tmp/dstcax3.pem
	sudo openssl base64 -d -in /tmp/cacerts.p7 \| openssl pkcs7 -inform DER -outform PEM -print_certs -out examples/Docker/data/est/ca_bundle.pem
	sudo curl https://testrfc7030.com:8443/.well-known/est/simpleenroll --anyauth -u estuser:estpwd -s -o /tmp/cert.p7 --cacert /tmp/dstcax3.pem --data-binary @/tmp/request.p10 -H "Content-Type: application/pkcs10" --dump-header /tmp/resp.hdr
	sudo openssl base64 -d -in /tmp/cert.p7 \| openssl pkcs7 -inform DER -outform PEM -print_certs -out examples/Docker/data/est/est_client_cert.pem
	sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
	sudo chmod 777 examples/Docker/data/acme_srv.cfg
	sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
	sudo echo "handler_file: examples/ca_handler/est_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
	sudo echo "est_host: https://testrfc7030.com:8443" >> examples/Docker/data/acme_srv.cfg
	sudo echo "est_user: estuser" >> examples/Docker/data/acme_srv.cfg
	sudo echo "est_password: estpwd" >> examples/Docker/data/acme_srv.cfg
	sudo echo "ca_bundle: False" >> examples/Docker/data/acme_srv.cfg
	sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"testrfc7030.com\$\": \"socks5:\/\/proxy.acme:8080\"}/g" examples/Docker/data/acme_srv.cfg
	cd examples/Docker/
	docker-compose restart

	- name: "Sleep for 5s"
	uses: juliangruber/[email protected]
	with:
	time: 5s

	- name: "EST - Enroll via EST using http-basic-auth"
	run: \|
	docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail '[email protected]' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force

	- name: "Check proxy logs"
	run: \|
	docker logs proxy \| grep socks5 \| grep -- "->"
	docker stop proxy
	docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &

	#- name: "setup nclm ca_handler for proxy usage"
	# run: \|
	# sudo cp examples/ca_handler/nclm_ca_handler.py examples/Docker/data/ca_handler.py
	# sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
	# sudo chmod 777 examples/Docker/data/acme_srv.cfg
	# sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
	# sudo echo "api_host: ${{ secrets.NCLM_API_HOST }}" >> examples/Docker/data/acme_srv.cfg
	# sudo echo "api_user: ${{ secrets.NCLM_API_USER }}" >> examples/Docker/data/acme_srv.cfg
	# sudo echo "api_password: ${{ secrets.NCLM_API_PASSWORD }}" >> examples/Docker/data/acme_srv.cfg
	# sudo echo "tsg_name: ${{ secrets.NCLM_TSG_NAME }}" >> examples/Docker/data/acme_srv.cfg
	# sudo echo "ca_name: ${{ secrets.NCLM_CA_NAME }}" >> examples/Docker/data/acme_srv.cfg
	# sudo echo "ca_id_list: [${{ secrets.NCLM_CA_ID_LIST }}]" >> examples/Docker/data/acme_srv.cfg
	# sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"nclm.eu\$\": \"http:\/\/proxy.acme:8080\"}/g" examples/Docker/data/acme_srv.cfg
	# cd examples/Docker/
	# docker-compose restart
	# docker-compose logs

	#- name: "Sleep for 5s"
	# uses: juliangruber/[email protected]
	# with:
	# time: 5s

	#- name: "Enroll via nclm ca_handler"
	# run: \|
	# docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail '[email protected]' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force
	# # openssl verify -CAfile acme.sh/acme-sh.acme/ca.cer acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer

	#- name: "Check proxy logs"
	# run: \|
	# docker logs proxy \| grep http \| grep -- "->"
	# docker stop proxy
	# docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &

	- name: "Setup msca ca_handler for proxy usage"
	run: \|
	sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
	sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
	sudo chmod 777 examples/Docker/data/acme_srv.cfg
	sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
	sudo echo "handler_file: examples/ca_handler/mscertsrv_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
	sudo echo "host: ${{ secrets.WES_HOST }}" >> examples/Docker/data/acme_srv.cfg
	sudo echo "user: ${{ secrets.WES_USER }}" >> examples/Docker/data/acme_srv.cfg
	sudo echo "password: ${{ secrets.WES_PASSWORD }}" >> examples/Docker/data/acme_srv.cfg
	sudo echo "auth_method: ${{ secrets.WES_AUTHMETHOD }}" >> examples/Docker/data/acme_srv.cfg
	sudo echo "template: ${{ secrets.WES_TEMPLATE }}" >> examples/Docker/data/acme_srv.cfg
	sudo echo "ca_bundle: volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg
	sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"amazonaws.com\$\": \"socks5:\/\/proxy.acme:8080\"}/g" examples/Docker/data/acme_srv.cfg
	cd examples/Docker/
	docker-compose restart

	- name: "Prepare ssh environment on ramdisk "
	run: \|
	sudo mkdir -p /tmp/rd
	sudo mount -t tmpfs -o size=5M none /tmp/rd
	sudo echo "$SSH_KEY" > /tmp/rd/ak.tmp
	sudo chmod 600 /tmp/rd/ak.tmp
	sudo echo "$KNOWN_HOSTS" > /tmp/rd/known_hosts
	env:
	SSH_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
	KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}

	- name: "Setup ssh forwarder"
	run: \|
	docker run -d --rm --network acme --name=$WCCE_FQDN_WOTLD -e "MAPPINGS=445:$WCCE_HOST:445; 443:$WCCE_HOST:443; 88:$WCCE_HOST:88" -e "SSH_HOST=$SSH_HOST" -e "SSH_PORT=$SSH_PORT" -e "SSH_USER=$SSH_USER" -p 443:443 -p 445:445 -p 88:88 -v "/tmp/rd/ak.tmp:/ssh_key:ro" davidlor/ssh-port-forward-client:dev
	env:
	SSH_USER: ${{ secrets.WCCE_SSH_USER }}
	SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
	SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
	WCCE_HOST: ${{ secrets.WCCE_HOST }}
	WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }}

	- name: "Sleep for 10s"
	uses: juliangruber/[email protected]
	with:
	time: 10s

	- name: "MScertsrv - Enroll via msca ca_handler"
	run: \|
	docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail '[email protected]' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force
	# openssl verify -CAfile acme.sh/acme-sh.acme/ca.cer acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer

	- name: "Check proxy logs"
	run: \|
	docker logs proxy \| grep socks5 \| grep -- "->"
	docker stop proxy
	docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &

	- name: "Stop proxy container"
	run: \|
	docker stop proxy

	- name: "Check container configuration"
	uses: ./.github/actions/container_check
	with:
	DB_HANDLER: ${{ matrix.dbhandler }}
	WEB_SRV: ${{ matrix.websrv }}

	- name: "[ * ] collecting test logs"
	if: ${{ failure() }}
	run: \|
	mkdir -p ${{ github.workspace }}/artifact/upload
	sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
	cd examples/Docker
	docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
	sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data

	- name: "[ * ] uploading artificates"
	uses: actions/upload-artifact@v4
	if: ${{ failure() }}
	with:
	name: proxy-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
	path: ${{ github.workspace }}/artifact/upload/


	proxy_tests_rpm:
	name: "proxy_tests_rpm"
	runs-on: ubuntu-latest
	strategy:
	fail-fast: false
	max-parallel: 1
	matrix:
	rhversion: [8, 9]
	steps:

	- name: "checkout GIT"
	uses: actions/checkout@v4

	- name: "get runner ip"
	run: \|
	echo RUNNER_IP=$(ip addr show eth0 \| grep -i "inet " \| cut -d ' ' -f 6 \| cut -d '/' -f 1) >> $GITHUB_ENV
	echo RUNNER_PATH=$(pwd \| sed 's_/_\\/_g') >> $GITHUB_ENV

	- run: echo "runner IP is ${{ env.RUNNER_IP }}"

	- name: "Prepare Alma environment"
	uses: ./.github/actions/rpm_prep
	with:
	GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
	GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
	RH_VERSION: ${{ matrix.rhversion }}

	- name: "Install dnsmasq"
	run: \|
	sudo apt-get update
	sudo apt-get install -y dnsmasq
	sudo systemctl disable systemd-resolved
	sudo systemctl stop systemd-resolved
	sudo mkdir -p dnsmasq
	sudo cp .github/dnsmasq.conf dnsmasq/
	sudo chmod -R 777 dnsmasq/dnsmasq.conf
	sudo sed -i "s/RUNNER_IP/$RUNNER_IP/g" dnsmasq/dnsmasq.conf
	sudo echo "address=/$WES_HOST/$RUNNER_IP" >> dnsmasq/dnsmasq.conf
	cat dnsmasq/dnsmasq.conf
	sudo cp dnsmasq/dnsmasq.conf /etc/
	sudo systemctl enable dnsmasq
	sudo systemctl start dnsmasq
	env:
	RUNNER_IP: ${{ env.RUNNER_IP }}
	WES_HOST: ${{ secrets.WES_HOST }}

	- name: "test dns resulution"
	run: \|
	host $WES_HOST 127.0.0.1
	env:
	WES_HOST: ${{ secrets.WES_HOST }}

	- name: "proxy container"
	run: \|
	docker pull mosajjal/pproxy:latest
	docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &

	- name: "Sleep for 10s"
	uses: juliangruber/[email protected]
	with:
	time: 10s

	- name: Retrieve proxy-ip
	run: \|
	echo PROXY_IP=$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' proxy) >> $GITHUB_ENV
	- run: echo "Latest tag is ${{ env.PROXY_IP }}"

	- name: "setup openssl ca_handler"
	run: \|
	sudo mkdir -p data/acme_ca/certs
	sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/
	sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/acme_srv.cfg
	sudo chmod 777 data/acme_srv.cfg
	sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"acme-sh.acme\$\": \"socks5:\/\/${{ env.PROXY_IP }}:8080\", \"acme-sh.\$\": \"http\:\/\/${{ env.PROXY_IP }}:8080\"}/g" data/acme_srv.cfg

	- name: "Execute install scipt"
	run: \|
	docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh

	- name: "Test if http://acme-srv/directory is accessible"
	run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory

	- name: "Prepare acme.sh container"
	run: \|
	docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon

	- name: "Enroll acme.sh - http challenge validation"
	run: \|
	docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail '[email protected]' --issue -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure --force
	openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer

	- name: "Check proxy logs"
	run: \|
	docker logs proxy \| grep socks5 \| grep -- "->"
	docker logs proxy \| grep http \| grep -- "->"
	docker stop proxy
	docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &

	- name: "Enroll acme.sh - alpn challenge validation"
	run: \|
	docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail '[email protected]' --issue -d acme-sh.acme --alpn -d acme-sh. --alpn --standalone --debug 3 --output-insecure --force
	openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer

	- name: "Check proxy logs"
	run: \|
	docker logs proxy \| grep socks5 \| grep -- "->"
	docker logs proxy \| grep http \| grep -- "->"
	docker stop proxy
	docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &

	- name: "Prepare acme_srv.cfg with certifier_ca_handler and proxy usage"
	run: \|
	mkdir -p data/acme_ca
	sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
	sudo touch data/acme_srv.cfg
	sudo chmod 777 data/acme_srv.cfg
	sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
	sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg
	sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg
	sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg
	sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg
	sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg
	sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg
	sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"ncm.nclm.eu\$\": \"socks5:\/\/proxy.acme:8080\"}/g" data/acme_srv.cfg
	env:
	NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
	NCM_API_USER: ${{ secrets.NCM_API_USER }}
	NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
	NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
	NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}

	- name: "[ PREPARE ] reconfigure a2c "
	run: \|
	docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart

	- name: "[ ENROLL] via certifier_ca_handler"
	run: \|
	docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure &
	sleep 45
	awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
	openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer

	- name: "[ REVOKE ] via certifier ca_handler"
	run: \|
	docker exec -i acme-sh acme.sh --server http://acme-srv --revoke -d acme-sh.acme --standalone --debug 3 --output-insecure

	- name: "Check proxy logs"
	run: \|
	docker logs proxy \| grep socks5 \| grep -- "->"
	docker stop proxy
	docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &

	- name: "setup esthandler using http-basic-auth"
	run: \|
	sudo mkdir -p data/acme_ca
	sudo chmod -R 777 data/acme_ca
	sudo touch $HOME/.rnd
	sudo openssl ecparam -genkey -name prime256v1 -out data/acme_ca/est_client_key.pem
	sudo chmod a+rx data/acme_ca/est_client_key.pem
	sudo openssl req -new -key data/acme_ca/est_client_key.pem -out /tmp/request.p10 -subj '/CN=acme2certifier'
	sudo curl http://testrfc7030.com/dstcax3.pem --output /tmp/dstcax3.pem
	sudo curl https://testrfc7030.com:8443/.well-known/est/cacerts -o /tmp/cacerts.p7 --cacert /tmp/dstcax3.pem
	sudo openssl base64 -d -in /tmp/cacerts.p7 \| openssl pkcs7 -inform DER -outform PEM -print_certs -out data/acme_ca/ca_bundle.pem
	sudo curl https://testrfc7030.com:8443/.well-known/est/simpleenroll --anyauth -u estuser:estpwd -s -o /tmp/cert.p7 --cacert /tmp/dstcax3.pem --data-binary @/tmp/request.p10 -H "Content-Type: application/pkcs10" --dump-header /tmp/resp.hdr
	sudo openssl base64 -d -in /tmp/cert.p7 \| openssl pkcs7 -inform DER -outform PEM -print_certs -out data/acme_ca/est_client_cert.pem
	sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg
	sudo chmod 777 data/acme_srv.cfg
	sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
	sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/est_ca_handler.py" >> data/acme_srv.cfg
	sudo echo "est_host: https://testrfc7030.com:8443" >> data/acme_srv.cfg
	sudo echo "est_user: estuser" >> data/acme_srv.cfg
	sudo echo "est_password: estpwd" >> data/acme_srv.cfg
	sudo echo "ca_bundle: False" >> data/acme_srv.cfg
	sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"testrfc7030.com\$\": \"socks5:\/\/proxy.acme:8080\"}/g" data/acme_srv.cfg

	- name: "[ PREPARE ] reconfigure a2c "
	run: \|
	docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart

	- name: "Enroll via EST using http-basic-auth"
	run: \|
	docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail '[email protected]' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force

	- name: "Check proxy logs"
	run: \|
	docker logs proxy \| grep socks5 \| grep -- "->"
	docker stop proxy
	docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &

	#- name: "Prepare acme_srv.cfg with nclm_ca_handler"
	# run: \|
	# mkdir -p data/acme_ca
	# sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
	# sudo touch data/acme_srv.cfg
	# sudo chmod 777 data/acme_srv.cfg
	# sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
	# sudo echo "handler_file: examples/ca_handler/nclm_ca_handler.py" >> data/acme_srv.cfg
	# sudo echo "api_host: $NCLM_API_HOST" >> data/acme_srv.cfg
	# sudo echo "api_user: $NCLM_API_USER" >> data/acme_srv.cfg
	# sudo echo "api_password: $NCLM_API_PASSWORD" >> data/acme_srv.cfg
	# sudo echo "tsg_name: $NCLM_TSG_NAME" >> data/acme_srv.cfg
	# sudo echo "ca_name: $NCLM_CA_NAME" >> data/acme_srv.cfg
	# sudo echo "ca_id_list: [$NCLM_CA_ID_LIST]" >> data/acme_srv.cfg
	# sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 30/g" data/acme_srv.cfg
	# sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"nclm.eu\$\": \"http:\/\/proxy.acme:8080\"}/g" data/acme_srv.cfg
	# env:
	# NCLM_API_HOST: ${{ secrets.NCLM_API_HOST }}
	# NCLM_API_USER: ${{ secrets.NCLM_API_USER }}
	# NCLM_API_PASSWORD: ${{ secrets.NCLM_API_PASSWORD }}
	# NCLM_TSG_NAME: ${{ secrets.NCLM_TSG_NAME }}
	# NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }}
	# NCLM_CA_ID_LIST: ${{ secrets.NCLM_CA_ID_LIST }}

	#- name: "[ PREPARE ] reconfigure a2c "
	# run: \|
	# docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart

	#- name: "Enroll via nclm_ca_handler"
	# run: \|
	# docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail '[email protected]' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force &
	# docker stop proxy
	# docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &

	#- name: "Check proxy logs"
	# run: \|
	# docker logs proxy \| grep socks5 \| grep -- "->"

	- name: "ssh environment on ramdisk"
	run: \|
	sudo mkdir -p /tmp/rd
	sudo mount -t tmpfs -o size=5M none /tmp/rd
	sudo echo "$SSH_KEY" > /tmp/rd/ak.tmp
	sudo chmod 600 /tmp/rd/ak.tmp
	sudo echo "$KNOWN_HOSTS" > /tmp/rd/known_hosts
	env:
	SSH_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
	KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}

	- name: "establish SSH connection"
	run: sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -p $SSH_PORT -o UserKnownHostsFile=/tmp/rd/known_hosts -L 443:$WES_IP:443 -g ping -c 180 $WES_IP &
	env:
	SSH_USER: ${{ secrets.CMP_SSH_USER }}
	SSH_HOST: ${{ secrets.CMP_SSH_HOST }}
	SSH_PORT: ${{ secrets.CMP_SSH_PORT }}
	WES_IP: ${{ secrets.WES_IP }}

	- name: "Sleep for 5s"
	uses: juliangruber/[email protected]
	with:
	time: 5s

	- name: "setup msca ca_handler for proxy usage"
	run: \|
	mkdir -p data/acme_ca
	sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
	sudo touch data/acme_srv.cfg
	sudo chmod 777 data/acme_srv.cfg
	sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
	sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/mscertsrv_ca_handler.py" >> data/acme_srv.cfg
	sudo echo "host: $WES_HOST" >> data/acme_srv.cfg
	sudo echo "user: $WES_USER" >> data/acme_srv.cfg
	sudo echo "password: $WES_PASSWORD" >> data/acme_srv.cfg
	sudo echo "auth_method: $WES_AUTHMETHOD" >> data/acme_srv.cfg
	sudo echo "template: $WES_TEMPLATE" >> data/acme_srv.cfg
	sudo echo "ca_bundle: volume/acme_ca/ca_certs.pem" >> data/acme_srv.cfg
	sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"amazonaws.com\$\": \"socks5:\/\/proxy.acme:8080\"}/g" data/acme_srv.cfg
	env:
	WES_HOST: ${{ secrets.WES_HOST }}
	WES_USER: ${{ secrets.WES_USER }}
	WES_PASSWORD: ${{ secrets.WES_PASSWORD }}
	WES_AUTHMETHOD: ${{ secrets.WES_AUTHMETHOD }}
	WES_TEMPLATE: ${{ secrets.WES_TEMPLATE }}

	- name: "[ PREPARE ] reconfigure a2c "
	run: \|
	docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart

	- name: "Enroll via msca ca_handler"
	run: \|
	docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail '[email protected]' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force &
	# sleep 45
	# openssl verify -CAfile data/acme_ca/ca_certs.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer

	- name: "Check proxy logs"
	run: \|
	docker logs proxy \| grep socks5 \| grep -- "->"
	docker stop proxy
	docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &

	- name: "[ * ] collecting test logs"
	if: ${{ failure() }}
	run: \|
	mkdir -p ${{ github.workspace }}/artifact/upload
	docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
	sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
	sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
	sudo rm ${{ github.workspace }}/artifact/data/*.rpm
	docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
	docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
	docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
	docker logs proxy > ${{ github.workspace }}/artifact/proxy.log
	sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data proxy.log acme-srv.log acme-sh

	- name: "[ * ] uploading artificates"
	uses: actions/upload-artifact@v4
	if: ${{ failure() }}
	with:
	name: proxy-rpm-rh${{ matrix.rhversion }}.tar.gz
	path: ${{ github.workspace }}/artifact/upload/

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Proxy tests #1501

Workflow file

Proxy tests #1501

Jobs

Run details

Workflow file for this run