[feat] log enrollment config in various ca_handlers #761
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CA handler tests - EJBCA handler | |
on: | |
push: | |
pull_request: | |
branches: [ devel ] | |
schedule: | |
# * is a special character in YAML so you have to quote this string | |
- cron: '0 2 * * 6' | |
jobs: | |
ejb_ca_tests: | |
name: "ejbca_hander_handler_tests docker image" | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
websrv: ['apache2', 'nginx'] | |
dbhandler: ['wsgi', 'django'] | |
steps: | |
- name: "checkout GIT" | |
uses: actions/checkout@v4 | |
- name: "Get runner ip" | |
run: | | |
echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV | |
echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV | |
- run: echo "runner IP is ${{ env.RUNNER_IP }}" | |
- name: "Instanciate ejbca" | |
uses: ./.github/actions/wf_specific/ejbca_ca_handler/ejbca_prep | |
with: | |
RUNNER_IP: ${{ env.RUNNER_IP }} | |
WORKING_DIR: ${{ github.workspace }}/examples/Docker | |
- name: "Build container" | |
uses: ./.github/actions/container_prep | |
with: | |
DB_HANDLER: ${{ matrix.dbhandler }} | |
WEB_SRV: ${{ matrix.websrv }} | |
- name: "Default - setup a2c with ejbca_ca_handler" | |
run: | | |
sudo touch examples/Docker/data/acme_srv.cfg | |
sudo chmod 777 examples/Docker/data/acme_srv.cfg | |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg | |
sudo echo "handler_file: examples/ca_handler/ejbca_ca_handler.py" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "api_host: https://ejbca" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "cert_file: volume/acme_ca/superadmin.p12" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "cert_passphrase: $SAEC" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "ca_bundle: volume/acme_ca/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "ca_name: acmesubca" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "cert_profile_name: acmeca1" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "ee_profile_name: acmeca" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "username: acme_srv" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "enrollment_code: acme_srv" >> examples/Docker/data/acme_srv.cfg | |
cd examples/Docker/ | |
docker-compose restart | |
docker-compose logs | |
env: | |
SAEC: ${{ env.SAEC }} | |
- name: "Test enrollment" | |
uses: ./.github/actions/acme_clients | |
- name: "EAB without headerinfo - setup a2c with ejbca_ca_handler" | |
run: | | |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg | |
sudo echo "handler_file: examples/ca_handler/ejbca_ca_handler.py" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "api_host: https://ejbca" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "cert_file: volume/acme_ca/superadmin.p12" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "cert_passphrase: $SAEC" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "ca_bundle: volume/acme_ca/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "ca_name: acmesubca" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "cert_profile_name: acmeca1" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "ee_profile_name: acmeca" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "username: acme_srv" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "enrollment_code: acme_srv" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg | |
sudo echo -e "\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg | |
sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json | |
sudo chmod 777 examples/eab_handler/kid_profiles.json | |
sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"cert_profile_name\"\: \[\"acmeca2\", \"acmeca1\"\]/g" examples/Docker/data/kid_profiles.json | |
sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"cert_profile_name\"\: \"acmeca2\"/g" examples/Docker/data/kid_profiles.json | |
sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"acmeca\"/" examples/Docker/data/kid_profiles.json | |
sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown\": \"unknown\"/g" examples/Docker/data/kid_profiles.json | |
sudo sed -i "s/example.net/acme/g" examples/Docker/data/kid_profiles.json | |
sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json | |
sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json | |
cd examples/Docker/ | |
docker-compose restart | |
docker-compose logs | |
env: | |
SAEC: ${{ env.SAEC }} | |
- name: "EAB without headerinfo - enrollment" | |
uses: ./.github/actions/wf_specific/ejbca_ca_handler/enroll_eab_wo_headerinfo | |
- name: "EAB with headerinfo - setup a2c with ejbca_ca_handler" | |
run: | | |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg | |
sudo echo "handler_file: examples/ca_handler/ejbca_ca_handler.py" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "api_host: https://ejbca" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "cert_file: volume/acme_ca/superadmin.p12" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "cert_passphrase: $SAEC" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "ca_bundle: volume/acme_ca/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "ca_name: acmesubca" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "cert_profile_name: acmeca1" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "ee_profile_name: acmeca" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "username: acme_srv" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "enrollment_code: acme_srv" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg | |
sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg | |
sudo echo -e "\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg | |
sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json | |
sudo chmod 777 examples/eab_handler/kid_profiles.json | |
sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"cert_profile_name\"\: \[\"acmeca2\", \"acmeca1\"\]/g" examples/Docker/data/kid_profiles.json | |
sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"cert_profile_name\"\: \"acmeca2\"/g" examples/Docker/data/kid_profiles.json | |
sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"acmeca\"/" examples/Docker/data/kid_profiles.json | |
sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown\": \"unknown\"/g" examples/Docker/data/kid_profiles.json | |
sudo sed -i "s/example.net/acme/g" examples/Docker/data/kid_profiles.json | |
sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json | |
sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json | |
cd examples/Docker/ | |
docker-compose restart | |
docker-compose logs | |
env: | |
SAEC: ${{ env.SAEC }} | |
- name: "EAB with headerinfo - enrollment" | |
uses: ./.github/actions/wf_specific/ejbca_ca_handler/enroll_eab_w_headerinfo | |
- name: "Check container configuration" | |
uses: ./.github/actions/container_check | |
with: | |
DB_HANDLER: ${{ matrix.dbhandler }} | |
WEB_SRV: ${{ matrix.websrv }} | |
- name: "[ * ] collecting test logs" | |
if: ${{ failure() }} | |
run: | | |
mkdir -p ${{ github.workspace }}/artifact/upload | |
sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ | |
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ | |
sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ | |
sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ | |
docker logs ejbca > ${{ github.workspace }}/artifact/ejbca.log | |
cd examples/Docker | |
docker-compose logs > ${{ github.workspace }}/artifact/a2c.log | |
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz ejbca.log a2c.log data acme-sh certbot lego | |
- name: "[ * ] uploading artificates" | |
uses: actions/upload-artifact@v4 | |
if: ${{ failure() }} | |
with: | |
name: ejbca-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz.tar.gz | |
path: ${{ github.workspace }}/artifact/upload/ | |
ejbca_ca_handler_tests_rpm: | |
name: " ejbca_ca_handler_tests_rpm" | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
rhversion: [8, 9] | |
steps: | |
- name: "checkout GIT" | |
uses: actions/checkout@v4 | |
- name: "Get runner ip" | |
run: | | |
echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV | |
echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV | |
- run: echo "runner IP is ${{ env.RUNNER_IP }}" | |
- name: "Instanciate ejbca" | |
uses: ./.github/actions/wf_specific/ejbca_ca_handler/ejbca_prep | |
with: | |
RUNNER_IP: ${{ env.RUNNER_IP }} | |
WORKING_DIR: ${{ github.workspace }} | |
- name: "Prepare Alma environment" | |
uses: ./.github/actions/rpm_prep | |
with: | |
GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} | |
GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} | |
RH_VERSION: ${{ matrix.rhversion }} | |
- name: "Default - setup a2c with ejbca_ca_handler" | |
run: | | |
sudo touch data/acme_srv.cfg | |
sudo chmod 777 data/acme_srv.cfg | |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg | |
sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/ejbca_ca_handler.py" >> data/acme_srv.cfg | |
sudo echo "api_host: https://ejbca" >> data/acme_srv.cfg | |
sudo echo "cert_file: /opt/acme2certifier/volume/acme_ca/superadmin.p12" >> data/acme_srv.cfg | |
sudo echo "cert_passphrase: $SAEC" >> data/acme_srv.cfg | |
sudo echo "ca_bundle: /opt/acme2certifier/volume/acme_ca/ca_bundle.pem" >> data/acme_srv.cfg | |
sudo echo "ca_name: acmesubca" >> data/acme_srv.cfg | |
sudo echo "cert_profile_name: acmeca1" >> data/acme_srv.cfg | |
sudo echo "ee_profile_name: acmeca" >> data/acme_srv.cfg | |
sudo echo "username: acme_srv" >> data/acme_srv.cfg | |
sudo echo "enrollment_code: acme_srv" >> data/acme_srv.cfg | |
env: | |
SAEC: ${{ env.SAEC }} | |
- name: "Execute install scipt" | |
run: | | |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh | |
- name: "Test enrollment" | |
uses: ./.github/actions/acme_clients | |
- name: "EAB without headerinfo - setup a2c with ejbca_ca_handler" | |
run: | | |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg | |
sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/ejbca_ca_handler.py" >> data/acme_srv.cfg | |
sudo echo "api_host: https://ejbca" >> data/acme_srv.cfg | |
sudo echo "cert_file: /opt/acme2certifier/volume/acme_ca/superadmin.p12" >> data/acme_srv.cfg | |
sudo echo "cert_passphrase: $SAEC" >> data/acme_srv.cfg | |
sudo echo "ca_bundle: /opt/acme2certifier/volume/acme_ca/ca_bundle.pem" >> data/acme_srv.cfg | |
sudo echo "ca_name: acmesubca" >> data/acme_srv.cfg | |
sudo echo "cert_profile_name: acmeca1" >> data/acme_srv.cfg | |
sudo echo "ee_profile_name: acmeca" >> data/acme_srv.cfg | |
sudo echo "username: acme_srv" >> data/acme_srv.cfg | |
sudo echo "enrollment_code: acme_srv" >> data/acme_srv.cfg | |
sudo echo "eab_profiling: True" >> data/acme_srv.cfg | |
sudo echo -e "\n[EABhandler]" >> data/acme_srv.cfg | |
sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg | |
sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg | |
sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json | |
sudo chmod 777 data/acme_ca/kid_profiles.json | |
sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"cert_profile_name\"\: \[\"acmeca2\", \"acmeca1\"\]/g" data/acme_ca/kid_profiles.json | |
sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"cert_profile_name\"\: \"acmeca2\"/g" data/acme_ca/kid_profiles.json | |
sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"acmeca\"/" data/acme_ca/kid_profiles.json | |
sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown\": \"unknown\"/g" data/acme_ca/kid_profiles.json | |
sudo sed -i "s/example.net/acme/g" data/acme_ca/kid_profiles.json | |
sudo sed -i '18,19d' data/acme_ca/kid_profiles.json | |
sudo sed -i '8,9d' data/acme_ca/kid_profiles.json | |
env: | |
SAEC: ${{ env.SAEC }} | |
- name: "EAB without headerinfo - Reconfigure a2c " | |
run: | | |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart | |
- name: "EAB without headerinfo - enrollment" | |
uses: ./.github/actions/wf_specific/ejbca_ca_handler/enroll_eab_wo_headerinfo | |
- name: "EAB with headerinfo - setup a2c with ejbca_ca_handler" | |
run: | | |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg | |
sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/ejbca_ca_handler.py" >> data/acme_srv.cfg | |
sudo echo "api_host: https://ejbca" >> data/acme_srv.cfg | |
sudo echo "cert_file: /opt/acme2certifier/volume/acme_ca/superadmin.p12" >> data/acme_srv.cfg | |
sudo echo "cert_passphrase: $SAEC" >> data/acme_srv.cfg | |
sudo echo "ca_bundle: /opt/acme2certifier/volume/acme_ca/ca_bundle.pem" >> data/acme_srv.cfg | |
sudo echo "ca_name: acmesubca" >> data/acme_srv.cfg | |
sudo echo "cert_profile_name: acmeca1" >> data/acme_srv.cfg | |
sudo echo "ee_profile_name: acmeca" >> data/acme_srv.cfg | |
sudo echo "username: acme_srv" >> data/acme_srv.cfg | |
sudo echo "enrollment_code: acme_srv" >> data/acme_srv.cfg | |
sudo echo "eab_profiling: True" >> data/acme_srv.cfg | |
sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg | |
sudo echo -e "\n[EABhandler]" >> data/acme_srv.cfg | |
sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg | |
sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg | |
sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json | |
sudo chmod 777 data/acme_ca/kid_profiles.json | |
sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"cert_profile_name\"\: \[\"acmeca2\", \"acmeca1\"\]/g" data/acme_ca/kid_profiles.json | |
sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"cert_profile_name\"\: \"acmeca2\"/g" data/acme_ca/kid_profiles.json | |
sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"acmeca\"/" data/acme_ca/kid_profiles.json | |
sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown\": \"unknown\"/g" data/acme_ca/kid_profiles.json | |
sudo sed -i "s/example.net/acme/g" data/acme_ca/kid_profiles.json | |
sudo sed -i '18,19d' data/acme_ca/kid_profiles.json | |
sudo sed -i '8,9d' data/acme_ca/kid_profiles.json | |
env: | |
SAEC: ${{ env.SAEC }} | |
- name: "EAB with headerinfo - Reconfigure a2c " | |
run: | | |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart | |
- name: "EAB with headerinfo - enrollment" | |
uses: ./.github/actions/wf_specific/ejbca_ca_handler/enroll_eab_w_headerinfo | |
- name: "[ * ] collecting test logs" | |
if: ${{ failure() }} | |
run: | | |
mkdir -p ${{ github.workspace }}/artifact/upload | |
docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier | |
docker logs ejbca > ${{ github.workspace }}/artifact/ejbca.log | |
sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ | |
sudo rm ${{ github.workspace }}/artifact/data/*.rpm | |
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ | |
docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig | |
docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf | |
docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log | |
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data ejbca.log acme-srv.log acme-sh | |
- name: "[ * ] uploading artificates" | |
uses: actions/upload-artifact@v4 | |
if: ${{ failure() }} | |
with: | |
name: ejb_rpm-rh${{ matrix.rhversion }}.tar.gz | |
path: ${{ github.workspace }}/artifact/upload/ |