Skip to content

[feat] log enrollment config in various ca_handlers #761

[feat] log enrollment config in various ca_handlers

[feat] log enrollment config in various ca_handlers #761

name: CA handler tests - EJBCA handler
on:
push:
pull_request:
branches: [ devel ]
schedule:
# * is a special character in YAML so you have to quote this string
- cron: '0 2 * * 6'
jobs:
ejb_ca_tests:
name: "ejbca_hander_handler_tests docker image"
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
websrv: ['apache2', 'nginx']
dbhandler: ['wsgi', 'django']
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "Get runner ip"
run: |
echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
- run: echo "runner IP is ${{ env.RUNNER_IP }}"
- name: "Instanciate ejbca"
uses: ./.github/actions/wf_specific/ejbca_ca_handler/ejbca_prep
with:
RUNNER_IP: ${{ env.RUNNER_IP }}
WORKING_DIR: ${{ github.workspace }}/examples/Docker
- name: "Build container"
uses: ./.github/actions/container_prep
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
- name: "Default - setup a2c with ejbca_ca_handler"
run: |
sudo touch examples/Docker/data/acme_srv.cfg
sudo chmod 777 examples/Docker/data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/ejbca_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_host: https://ejbca" >> examples/Docker/data/acme_srv.cfg
sudo echo "cert_file: volume/acme_ca/superadmin.p12" >> examples/Docker/data/acme_srv.cfg
sudo echo "cert_passphrase: $SAEC" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_bundle: volume/acme_ca/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_name: acmesubca" >> examples/Docker/data/acme_srv.cfg
sudo echo "cert_profile_name: acmeca1" >> examples/Docker/data/acme_srv.cfg
sudo echo "ee_profile_name: acmeca" >> examples/Docker/data/acme_srv.cfg
sudo echo "username: acme_srv" >> examples/Docker/data/acme_srv.cfg
sudo echo "enrollment_code: acme_srv" >> examples/Docker/data/acme_srv.cfg
cd examples/Docker/
docker-compose restart
docker-compose logs
env:
SAEC: ${{ env.SAEC }}
- name: "Test enrollment"
uses: ./.github/actions/acme_clients
- name: "EAB without headerinfo - setup a2c with ejbca_ca_handler"
run: |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/ejbca_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_host: https://ejbca" >> examples/Docker/data/acme_srv.cfg
sudo echo "cert_file: volume/acme_ca/superadmin.p12" >> examples/Docker/data/acme_srv.cfg
sudo echo "cert_passphrase: $SAEC" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_bundle: volume/acme_ca/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_name: acmesubca" >> examples/Docker/data/acme_srv.cfg
sudo echo "cert_profile_name: acmeca1" >> examples/Docker/data/acme_srv.cfg
sudo echo "ee_profile_name: acmeca" >> examples/Docker/data/acme_srv.cfg
sudo echo "username: acme_srv" >> examples/Docker/data/acme_srv.cfg
sudo echo "enrollment_code: acme_srv" >> examples/Docker/data/acme_srv.cfg
sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg
sudo echo -e "\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg
sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg
sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json
sudo chmod 777 examples/eab_handler/kid_profiles.json
sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"cert_profile_name\"\: \[\"acmeca2\", \"acmeca1\"\]/g" examples/Docker/data/kid_profiles.json
sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"cert_profile_name\"\: \"acmeca2\"/g" examples/Docker/data/kid_profiles.json
sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"acmeca\"/" examples/Docker/data/kid_profiles.json
sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown\": \"unknown\"/g" examples/Docker/data/kid_profiles.json
sudo sed -i "s/example.net/acme/g" examples/Docker/data/kid_profiles.json
sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json
sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json
cd examples/Docker/
docker-compose restart
docker-compose logs
env:
SAEC: ${{ env.SAEC }}
- name: "EAB without headerinfo - enrollment"
uses: ./.github/actions/wf_specific/ejbca_ca_handler/enroll_eab_wo_headerinfo
- name: "EAB with headerinfo - setup a2c with ejbca_ca_handler"
run: |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/ejbca_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_host: https://ejbca" >> examples/Docker/data/acme_srv.cfg
sudo echo "cert_file: volume/acme_ca/superadmin.p12" >> examples/Docker/data/acme_srv.cfg
sudo echo "cert_passphrase: $SAEC" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_bundle: volume/acme_ca/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_name: acmesubca" >> examples/Docker/data/acme_srv.cfg
sudo echo "cert_profile_name: acmeca1" >> examples/Docker/data/acme_srv.cfg
sudo echo "ee_profile_name: acmeca" >> examples/Docker/data/acme_srv.cfg
sudo echo "username: acme_srv" >> examples/Docker/data/acme_srv.cfg
sudo echo "enrollment_code: acme_srv" >> examples/Docker/data/acme_srv.cfg
sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg
sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg
sudo echo -e "\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg
sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg
sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json
sudo chmod 777 examples/eab_handler/kid_profiles.json
sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"cert_profile_name\"\: \[\"acmeca2\", \"acmeca1\"\]/g" examples/Docker/data/kid_profiles.json
sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"cert_profile_name\"\: \"acmeca2\"/g" examples/Docker/data/kid_profiles.json
sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"acmeca\"/" examples/Docker/data/kid_profiles.json
sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown\": \"unknown\"/g" examples/Docker/data/kid_profiles.json
sudo sed -i "s/example.net/acme/g" examples/Docker/data/kid_profiles.json
sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json
sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json
cd examples/Docker/
docker-compose restart
docker-compose logs
env:
SAEC: ${{ env.SAEC }}
- name: "EAB with headerinfo - enrollment"
uses: ./.github/actions/wf_specific/ejbca_ca_handler/enroll_eab_w_headerinfo
- name: "Check container configuration"
uses: ./.github/actions/container_check
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
- name: "[ * ] collecting test logs"
if: ${{ failure() }}
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/
sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
docker logs ejbca > ${{ github.workspace }}/artifact/ejbca.log
cd examples/Docker
docker-compose logs > ${{ github.workspace }}/artifact/a2c.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz ejbca.log a2c.log data acme-sh certbot lego
- name: "[ * ] uploading artificates"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: ejbca-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz.tar.gz
path: ${{ github.workspace }}/artifact/upload/
ejbca_ca_handler_tests_rpm:
name: " ejbca_ca_handler_tests_rpm"
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
rhversion: [8, 9]
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "Get runner ip"
run: |
echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
- run: echo "runner IP is ${{ env.RUNNER_IP }}"
- name: "Instanciate ejbca"
uses: ./.github/actions/wf_specific/ejbca_ca_handler/ejbca_prep
with:
RUNNER_IP: ${{ env.RUNNER_IP }}
WORKING_DIR: ${{ github.workspace }}
- name: "Prepare Alma environment"
uses: ./.github/actions/rpm_prep
with:
GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
RH_VERSION: ${{ matrix.rhversion }}
- name: "Default - setup a2c with ejbca_ca_handler"
run: |
sudo touch data/acme_srv.cfg
sudo chmod 777 data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/ejbca_ca_handler.py" >> data/acme_srv.cfg
sudo echo "api_host: https://ejbca" >> data/acme_srv.cfg
sudo echo "cert_file: /opt/acme2certifier/volume/acme_ca/superadmin.p12" >> data/acme_srv.cfg
sudo echo "cert_passphrase: $SAEC" >> data/acme_srv.cfg
sudo echo "ca_bundle: /opt/acme2certifier/volume/acme_ca/ca_bundle.pem" >> data/acme_srv.cfg
sudo echo "ca_name: acmesubca" >> data/acme_srv.cfg
sudo echo "cert_profile_name: acmeca1" >> data/acme_srv.cfg
sudo echo "ee_profile_name: acmeca" >> data/acme_srv.cfg
sudo echo "username: acme_srv" >> data/acme_srv.cfg
sudo echo "enrollment_code: acme_srv" >> data/acme_srv.cfg
env:
SAEC: ${{ env.SAEC }}
- name: "Execute install scipt"
run: |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
- name: "Test enrollment"
uses: ./.github/actions/acme_clients
- name: "EAB without headerinfo - setup a2c with ejbca_ca_handler"
run: |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/ejbca_ca_handler.py" >> data/acme_srv.cfg
sudo echo "api_host: https://ejbca" >> data/acme_srv.cfg
sudo echo "cert_file: /opt/acme2certifier/volume/acme_ca/superadmin.p12" >> data/acme_srv.cfg
sudo echo "cert_passphrase: $SAEC" >> data/acme_srv.cfg
sudo echo "ca_bundle: /opt/acme2certifier/volume/acme_ca/ca_bundle.pem" >> data/acme_srv.cfg
sudo echo "ca_name: acmesubca" >> data/acme_srv.cfg
sudo echo "cert_profile_name: acmeca1" >> data/acme_srv.cfg
sudo echo "ee_profile_name: acmeca" >> data/acme_srv.cfg
sudo echo "username: acme_srv" >> data/acme_srv.cfg
sudo echo "enrollment_code: acme_srv" >> data/acme_srv.cfg
sudo echo "eab_profiling: True" >> data/acme_srv.cfg
sudo echo -e "\n[EABhandler]" >> data/acme_srv.cfg
sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg
sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg
sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json
sudo chmod 777 data/acme_ca/kid_profiles.json
sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"cert_profile_name\"\: \[\"acmeca2\", \"acmeca1\"\]/g" data/acme_ca/kid_profiles.json
sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"cert_profile_name\"\: \"acmeca2\"/g" data/acme_ca/kid_profiles.json
sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"acmeca\"/" data/acme_ca/kid_profiles.json
sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown\": \"unknown\"/g" data/acme_ca/kid_profiles.json
sudo sed -i "s/example.net/acme/g" data/acme_ca/kid_profiles.json
sudo sed -i '18,19d' data/acme_ca/kid_profiles.json
sudo sed -i '8,9d' data/acme_ca/kid_profiles.json
env:
SAEC: ${{ env.SAEC }}
- name: "EAB without headerinfo - Reconfigure a2c "
run: |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
- name: "EAB without headerinfo - enrollment"
uses: ./.github/actions/wf_specific/ejbca_ca_handler/enroll_eab_wo_headerinfo
- name: "EAB with headerinfo - setup a2c with ejbca_ca_handler"
run: |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/ejbca_ca_handler.py" >> data/acme_srv.cfg
sudo echo "api_host: https://ejbca" >> data/acme_srv.cfg
sudo echo "cert_file: /opt/acme2certifier/volume/acme_ca/superadmin.p12" >> data/acme_srv.cfg
sudo echo "cert_passphrase: $SAEC" >> data/acme_srv.cfg
sudo echo "ca_bundle: /opt/acme2certifier/volume/acme_ca/ca_bundle.pem" >> data/acme_srv.cfg
sudo echo "ca_name: acmesubca" >> data/acme_srv.cfg
sudo echo "cert_profile_name: acmeca1" >> data/acme_srv.cfg
sudo echo "ee_profile_name: acmeca" >> data/acme_srv.cfg
sudo echo "username: acme_srv" >> data/acme_srv.cfg
sudo echo "enrollment_code: acme_srv" >> data/acme_srv.cfg
sudo echo "eab_profiling: True" >> data/acme_srv.cfg
sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg
sudo echo -e "\n[EABhandler]" >> data/acme_srv.cfg
sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg
sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg
sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json
sudo chmod 777 data/acme_ca/kid_profiles.json
sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"cert_profile_name\"\: \[\"acmeca2\", \"acmeca1\"\]/g" data/acme_ca/kid_profiles.json
sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"cert_profile_name\"\: \"acmeca2\"/g" data/acme_ca/kid_profiles.json
sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"acmeca\"/" data/acme_ca/kid_profiles.json
sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown\": \"unknown\"/g" data/acme_ca/kid_profiles.json
sudo sed -i "s/example.net/acme/g" data/acme_ca/kid_profiles.json
sudo sed -i '18,19d' data/acme_ca/kid_profiles.json
sudo sed -i '8,9d' data/acme_ca/kid_profiles.json
env:
SAEC: ${{ env.SAEC }}
- name: "EAB with headerinfo - Reconfigure a2c "
run: |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
- name: "EAB with headerinfo - enrollment"
uses: ./.github/actions/wf_specific/ejbca_ca_handler/enroll_eab_w_headerinfo
- name: "[ * ] collecting test logs"
if: ${{ failure() }}
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
docker logs ejbca > ${{ github.workspace }}/artifact/ejbca.log
sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
sudo rm ${{ github.workspace }}/artifact/data/*.rpm
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data ejbca.log acme-srv.log acme-sh
- name: "[ * ] uploading artificates"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: ejb_rpm-rh${{ matrix.rhversion }}.tar.gz
path: ${{ github.workspace }}/artifact/upload/