forked from dogtagpki/tomcatjss
-
Notifications
You must be signed in to change notification settings - Fork 0
202 lines (167 loc) · 6.11 KB
/
pki-tests.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
name: PKI Tests
on: [push, pull_request]
jobs:
init:
name: Initialization
uses: ./.github/workflows/init.yml
secrets: inherit
build:
name: Waiting for build
needs: init
runs-on: ubuntu-latest
steps:
- name: Wait for build
uses: lewagon/[email protected]
with:
ref: ${{ github.ref }}
check-name: 'Building Tomcat JSS'
repo-token: ${{ secrets.GITHUB_TOKEN }}
wait-interval: 30
if: github.event_name == 'push'
- name: Wait for build
uses: lewagon/[email protected]
with:
ref: ${{ github.event.pull_request.head.sha }}
check-name: 'Building Tomcat JSS'
repo-token: ${{ secrets.GITHUB_TOKEN }}
wait-interval: 30
if: github.event_name == 'pull_request'
# https://github.com/dogtagpki/pki/blob/master/docs/installation/server/Installing_Basic_PKI_Server.md
ssl-test:
name: Testing SSL Connector
needs: [init, build]
runs-on: ubuntu-latest
env:
SHARED: /tmp/workdir/tomcatjss
steps:
- name: Clone repository
uses: actions/checkout@v3
- name: Retrieve tomcatjss-runner image
uses: actions/cache@v3
with:
key: tomcatjss-runner-${{ github.sha }}
path: tomcatjss-runner.tar
- name: Load tomcatjss-runner image
run: docker load --input tomcatjss-runner.tar
- name: Run container
run: |
IMAGE=tomcatjss-runner \
NAME=pki \
HOSTNAME=pki.example.com \
tests/bin/runner-init.sh
- name: Install PKI packages
run: docker exec pki dnf install -y pki-server sslscan
- name: Create PKI server
run: docker exec pki pki-server create
- name: Create NSS database
run: docker exec pki pki-server nss-create --no-password
- name: Create SSL server cert request
run: |
docker exec pki pki \
-d /var/lib/pki/pki-tomcat/conf/alias \
nss-cert-request \
--subject "CN=pki.example.com" \
--ext /usr/share/pki/server/certs/sslserver.conf \
--csr sslserver.csr
docker exec pki openssl req -text -noout -in sslserver.csr
- name: Issue self-signed SSL server cert
run: |
docker exec pki pki \
-d /var/lib/pki/pki-tomcat/conf/alias \
nss-cert-issue \
--csr sslserver.csr \
--ext /usr/share/pki/server/certs/sslserver.conf \
--cert sslserver.crt
docker exec pki openssl x509 -text -noout -in sslserver.crt
- name: Import SSL server cert
run: |
docker exec pki pki \
-d /var/lib/pki/pki-tomcat/conf/alias \
nss-cert-import \
--cert sslserver.crt \
sslserver
- name: Enable JSS in PKI server
run: docker exec pki pki-server jss-enable
- name: Create SSL connector
run: |
docker exec pki pki-server http-connector-add \
--port 8443 \
--scheme https \
--secure true \
--sslEnabled true \
--sslProtocol SSL \
--sslImpl org.dogtagpki.tomcat.JSSImplementation \
Secure
- name: Configure SSL certificate
run: |
docker exec pki pki-server http-connector-cert-add \
--keyAlias sslserver \
--keystoreType pkcs11 \
--keystoreProvider Mozilla-JSS
- name: Create ROOT web application
run: |
docker exec pki mkdir /var/lib/pki/pki-tomcat/webapps/ROOT
docker exec pki touch /var/lib/pki/pki-tomcat/webapps/ROOT/index.html
- name: Start PKI server
run: docker exec pki pki-server start --wait
- name: Verify SSL connection
run: docker exec pki sslscan pki.example.com:8443
- name: Stop PKI server
run: docker exec pki pki-server stop --wait
- name: Remove PKI server
run: docker exec pki pki-server remove
# https://github.com/dogtagpki/pki/blob/master/docs/installation/ca/Installing_CA.md
ca-test:
name: Testing CA Installation
needs: [init, build]
runs-on: ubuntu-latest
env:
SHARED: /tmp/workdir/tomcatjss
steps:
- name: Clone repository
uses: actions/checkout@v3
- name: Retrieve tomcatjss-runner image
uses: actions/cache@v3
with:
key: tomcatjss-runner-${{ github.sha }}
path: tomcatjss-runner.tar
- name: Load tomcatjss-runner image
run: docker load --input tomcatjss-runner.tar
- name: Run container
run: |
IMAGE=tomcatjss-runner \
NAME=pki \
HOSTNAME=pki.example.com \
tests/bin/runner-init.sh
- name: Install DS and PKI packages
run: docker exec pki dnf install -y 389-ds-base pki-ca
- name: Install DS
run: docker exec pki ${SHARED}/tests/bin/ds-create.sh
- name: Install CA
run: docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v
- name: Run PKI healthcheck
run: docker exec pki pki-healthcheck --debug
- name: Verify CA admin
run: |
docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
docker exec pki pki client-cert-import ca_signing --ca-cert ca_signing.crt
docker exec pki pki client-cert-import \
--pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
--pkcs12-password Secret.123
docker exec pki pki -n caadmin ca-user-show caadmin
- name: Gather artifacts
if: always()
run: |
tests/bin/ds-artifacts-save.sh pki
tests/bin/pki-artifacts-save.sh pki
- name: Remove CA
run: docker exec pki pkidestroy -i pki-tomcat -s CA -v
- name: Remove DS
run: docker exec pki ${SHARED}/tests/bin/ds-remove.sh
- name: Upload artifacts
if: always()
uses: actions/upload-artifact@v3
with:
name: ca
path: |
/tmp/artifacts/pki