[feat] log enrollment config in various ca_handlers #196
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Tests header_info feature | |
on: | |
push: | |
pull_request: | |
branches: [ devel ] | |
schedule: | |
# * is a special character in YAML so you have to quote this string | |
- cron: '0 2 * * 6' | |
jobs: | |
header_info_tests: | |
name: "header_info_tests" | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
websrv: ['apache2', 'nginx'] | |
dbhandler: ['wsgi', 'django'] | |
steps: | |
- name: "Checkout GIT" | |
uses: actions/checkout@v4 | |
- name: "Create folders" | |
run: | | |
mkdir lego | |
mkdir acme-sh | |
mkdir certbot | |
- name: "Build container" | |
uses: ./.github/actions/container_prep | |
with: | |
DB_HANDLER: ${{ matrix.dbhandler }} | |
WEB_SRV: ${{ matrix.websrv }} | |
- name: "Setup a2c with xca_ca_handler" | |
run: | | |
sudo cp examples/ca_handler/xca_ca_handler.py examples/Docker/data/ca_handler.py | |
sudo chmod 777 examples/Docker/data/ca_handler.py | |
sudo sed -i "s/error = eab_profile_header_info_check(self.logger, self, csr, 'template_name')/qset = header_info_get(self.logger, csr=csr)\n if qset:\n self.logger.info('header_info: %s', qset[-1]['header_info'])/g" examples/Docker/data/ca_handler.py | |
sudo sed -i "s/eab_profile_header_info_check/header_info_get/g" examples/Docker/data/ca_handler.py | |
sudo mkdir -p examples/Docker/data/xca | |
sudo chmod -R 777 examples/Docker/data/xca | |
sudo cp test/ca/acme2certifier-clean.xdb examples/Docker/data/xca/$XCA_DB_NAME | |
sudo mkdir -p examples/Docker/data/acme_ca/certs | |
sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ | |
sudo touch examples/Docker/data/acme_srv.cfg | |
sudo chmod 777 examples/Docker/data/acme_srv.cfg | |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg | |
sudo echo "xdb_file: volume/xca/$XCA_DB_NAME" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "issuing_ca_name: $XCA_ISSUING_CA" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "passphrase: $XCA_PASSPHRASE" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "ca_cert_chain_list: [\"root-ca\"]" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "template_name: $XCA_TEMPLATE" >> examples/Docker/data/acme_srv.cfg | |
sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg | |
cd examples/Docker/ | |
docker-compose restart | |
env: | |
XCA_PASSPHRASE: ${{ secrets.XCA_PASSPHRASE }} | |
XCA_ISSUING_CA: ${{ secrets.XCA_ISSUING_CA }} | |
XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} | |
XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} | |
- name: "Sleep for 10s" | |
uses: juliangruber/[email protected] | |
with: | |
time: 10s | |
- name: "Test http://acme-srv/directory is accessible" | |
run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory | |
- name: "Test if https://acme-srv/directory is accessible" | |
run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory | |
- name: "Enroll lego" | |
run: | | |
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --user-agent foo-bar-doo -d lego.acme --http run | |
sudo cat lego/certificates/lego.acme.issuer.crt | awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' | |
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
- name: "Sleep for 15s" | |
uses: juliangruber/[email protected] | |
with: | |
time: 15s | |
- name: "check header info" | |
run: | | |
cd examples/Docker/ | |
docker-compose logs | grep foo-bar-doo | |
- name: "[ * ] collecting test logs" | |
if: ${{ failure() }} | |
run: | | |
mkdir -p ${{ github.workspace }}/artifact/upload | |
sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ | |
sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ | |
cd examples/Docker | |
docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log | |
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data lego | |
- name: "[ * ] uploading artificates" | |
uses: actions/upload-artifact@v4 | |
if: ${{ failure() }} | |
with: | |
name: header_info-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz | |
path: ${{ github.workspace }}/artifact/upload/ | |
header_info_tests_rpm: | |
name: "header_info_tests_rpm" | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
rhversion: [8, 9] | |
execscript: ['rpm_tester.sh', 'django_tester.sh'] | |
steps: | |
- name: "Checkout GIT" | |
uses: actions/checkout@v4 | |
- name: "Prepare Alma environment" | |
uses: ./.github/actions/rpm_prep | |
with: | |
GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} | |
GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} | |
RH_VERSION: ${{ matrix.rhversion }} | |
- name: "Create lego folder" | |
run: | | |
mkdir lego | |
- name: "RPM - Setup acme_srv.cfg with xca_ca_handler" | |
if: matrix.execscript == 'rpm_tester.sh' | |
run: | | |
mkdir -p data/acme_ca | |
sudo cp test/ca/acme2certifier-clean.xdb data/acme_ca/$XCA_DB_NAME | |
sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/ | |
sudo cp examples/ca_handler/xca_ca_handler.py data/acme_ca/ca_handler.py | |
sudo chmod 777 data/acme_ca/ca_handler.py | |
sudo sed -i "s/error = eab_profile_header_info_check(self.logger, self, csr, 'template_name')/qset = header_info_get(self.logger, csr=csr)\n if qset:\n self.logger.info('header_info: %s', qset[-1]['header_info'])/g" data/acme_ca/ca_handler.py | |
sudo sed -i "s/eab_profile_header_info_check/header_info_get/g" data/acme_ca/ca_handler.py | |
sudo touch data/acme_srv.cfg | |
sudo chmod 777 data/acme_srv.cfg | |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg | |
sudo echo "handler_file: /opt/acme2certifier/volume/acme_ca/ca_handler.py" >> data/acme_srv.cfg | |
sudo echo "xdb_file: volume/acme_ca/$XCA_DB_NAME" >> data/acme_srv.cfg | |
sudo echo "issuing_ca_name: $XCA_ISSUING_CA" >> data/acme_srv.cfg | |
sudo echo "passphrase: $XCA_PASSPHRASE" >> data/acme_srv.cfg | |
sudo echo "ca_cert_chain_list: [\"root-ca\"]" >> data/acme_srv.cfg | |
sudo echo "template_name: $XCA_TEMPLATE" >> data/acme_srv.cfg | |
sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg | |
env: | |
XCA_PASSPHRASE: ${{ secrets.XCA_PASSPHRASE }} | |
XCA_ISSUING_CA: ${{ secrets.XCA_ISSUING_CA }} | |
XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} | |
XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} | |
- name: "DJango - Setup acme_srv.cfg with xca_ca_handler" | |
if: matrix.execscript == 'django_tester.sh' | |
run: | | |
mkdir -p data/volume/acme_ca/certs | |
sudo cp test/ca/acme2certifier-clean.xdb data/volume/acme_ca/$XCA_DB_NAME | |
sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/volume/acme_ca/ | |
sudo cp examples/ca_handler/xca_ca_handler.py data/volume/ca_handler.py | |
sudo chmod 777 data/volume/ca_handler.py | |
sudo sed -i "s/error = eab_profile_header_info_check(self.logger, self, csr, 'template_name')/qset = header_info_get(self.logger, csr=csr)\n if qset:\n self.logger.info('header_info: %s', qset[-1]['header_info'])/g" data/volume/ca_handler.py | |
sudo sed -i "s/eab_profile_header_info_check/header_info_get/g" data/volume/ca_handler.py | |
sudo touch data/volume/acme_srv.cfg | |
sudo chmod 777 data/volume/acme_srv.cfg | |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/volume/acme_srv.cfg | |
sudo echo "handler_file: /opt/acme2certifier/volume/ca_handler.py" >> data/volume/acme_srv.cfg | |
sudo echo "xdb_file: volume/acme_ca/$XCA_DB_NAME" >> data/volume/acme_srv.cfg | |
sudo echo "issuing_ca_name: $XCA_ISSUING_CA" >> data/volume/acme_srv.cfg | |
sudo echo "passphrase: $XCA_PASSPHRASE" >> data/volume/acme_srv.cfg | |
sudo echo "ca_cert_chain_list: [\"root-ca\"]" >> data/volume/acme_srv.cfg | |
sudo echo "template_name: $XCA_TEMPLATE" >> data/volume/acme_srv.cfg | |
sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/volume/acme_srv.cfg | |
env: | |
XCA_PASSPHRASE: ${{ secrets.XCA_PASSPHRASE }} | |
XCA_ISSUING_CA: ${{ secrets.XCA_ISSUING_CA }} | |
XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} | |
XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} | |
- name: "Execute install scipt" | |
run: | | |
docker exec acme-srv sh /tmp/acme2certifier/$EXEC_SCRIPT | |
env: | |
EXEC_SCRIPT: ${{ matrix.execscript }} | |
- name: "Sleep for 10s" | |
uses: juliangruber/[email protected] | |
with: | |
time: 10s | |
- name: "Test http://acme-srv/directory is accessible" | |
run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory | |
- name: "Test if https://acme-srv/directory is accessible" | |
run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory | |
- name: "Enroll lego" | |
run: | | |
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --user-agent foo-bar-doo -d lego.acme --http run | |
sudo cat lego/certificates/lego.acme.issuer.crt | awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' | |
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
- name: "Sleep for 15s" | |
uses: juliangruber/[email protected] | |
with: | |
time: 15s | |
- name: "check header info" | |
run: | | |
docker exec acme-srv grep foo-bar-doo /var/log/messages | |
- name: "[ * ] collecting test logs" | |
if: ${{ failure() }} | |
run: | | |
mkdir -p ${{ github.workspace }}/artifact/upload | |
docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier | |
sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ | |
sudo rm ${{ github.workspace }}/artifact/data/*.rpm | |
docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig | |
docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf | |
docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log | |
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log | |
- name: "[ * ] uploading artificates" | |
uses: actions/upload-artifact@v4 | |
if: ${{ failure() }} | |
with: | |
name: rpm_header_info.ap_wsgi-rh${{ matrix.rhversion }}.tar.gz | |
path: ${{ github.workspace }}/artifact/upload/ |