Add test for self-signed user cert validation #585
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Tomcat Tests | |
| on: [push, pull_request] | |
| env: | |
| NAMESPACE: ${{ vars.REGISTRY_NAMESPACE || 'dogtagpki' }} | |
| jobs: | |
| build: | |
| name: Waiting for build | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Wait for build | |
| uses: lewagon/[email protected] | |
| with: | |
| ref: ${{ github.ref }} | |
| check-name: 'Building JSS' | |
| repo-token: ${{ secrets.GITHUB_TOKEN }} | |
| wait-interval: 30 | |
| if: github.event_name == 'push' | |
| - name: Wait for build | |
| uses: lewagon/[email protected] | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| check-name: 'Building JSS' | |
| repo-token: ${{ secrets.GITHUB_TOKEN }} | |
| wait-interval: 30 | |
| if: github.event_name == 'pull_request' | |
| # docs/admin/server/Configuring-HTTPS-Connector-with-NSS-Database.adoc | |
| https-nssdb-test: | |
| name: Testing HTTPS connector with NSS database | |
| needs: build | |
| runs-on: ubuntu-latest | |
| env: | |
| SHARED: /tmp/workdir/pki | |
| steps: | |
| - name: Install dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get -y install xmlstarlet | |
| - name: Clone repository | |
| uses: actions/checkout@v4 | |
| - name: Retrieve JSS images | |
| uses: actions/cache@v4 | |
| with: | |
| key: jss-images-${{ github.sha }} | |
| path: jss-images.tar | |
| - name: Load JSS images | |
| run: docker load --input jss-images.tar | |
| - name: Create network | |
| run: docker network create example | |
| - name: Set up JSS container | |
| run: | | |
| tests/bin/runner-init.sh \ | |
| --hostname=server.example.com \ | |
| --network=example \ | |
| --network-alias=server.example.com \ | |
| server | |
| - name: Import LDAP SDK packages | |
| run: | | |
| docker create --name=ldapjdk-dist quay.io/$NAMESPACE/ldapjdk-dist:latest | |
| docker cp ldapjdk-dist:/root/RPMS/. /tmp/RPMS/ | |
| docker rm -f ldapjdk-dist | |
| - name: Import PKI packages | |
| run: | | |
| docker create --name=pki-dist quay.io/$NAMESPACE/pki-dist:latest | |
| docker cp pki-dist:/root/RPMS/. /tmp/RPMS/ | |
| docker rm -f pki-dist | |
| - name: Install packages | |
| run: | | |
| docker cp /tmp/RPMS/. server:/root/RPMS/ | |
| docker exec server bash -c "dnf localinstall -y /root/RPMS/*" | |
| - name: Create Tomcat | |
| run: | | |
| docker exec server pki-server create -v | |
| - name: Create NSS database in Tomcat | |
| run: | | |
| docker exec server pki-server nss-create --no-password | |
| - name: Create SSL server cert | |
| run: | | |
| docker exec server pki -d /var/lib/pki/pki-tomcat/alias \ | |
| nss-cert-request \ | |
| --subject "CN=server.example.com" \ | |
| --ext /usr/share/pki/server/certs/sslserver.conf \ | |
| --csr sslserver.csr | |
| docker exec server pki -d /var/lib/pki/pki-tomcat/alias \ | |
| nss-cert-issue \ | |
| --csr sslserver.csr \ | |
| --ext /usr/share/pki/server/certs/sslserver.conf \ | |
| --cert sslserver.crt | |
| docker exec server pki -d /var/lib/pki/pki-tomcat/alias \ | |
| nss-cert-import \ | |
| --cert sslserver.crt \ | |
| sslserver | |
| - name: Create HTTPS connector with NSS database | |
| run: | | |
| docker exec server pki-server jss-enable | |
| docker exec server pki-server http-connector-add \ | |
| --port 8443 \ | |
| --scheme https \ | |
| --secure true \ | |
| --sslEnabled true \ | |
| --sslProtocol SSL \ | |
| --sslImpl org.dogtagpki.jss.tomcat.JSSImplementation \ | |
| Secure | |
| docker exec server pki-server http-connector-cert-add \ | |
| --keyAlias sslserver \ | |
| --keystoreType pkcs11 \ | |
| --keystoreProvider Mozilla-JSS | |
| - name: Start Tomcat | |
| run: | | |
| docker exec server pki-server start --wait -v | |
| - name: Set up client container | |
| run: | | |
| tests/bin/runner-init.sh \ | |
| --hostname=client.example.com \ | |
| --network=example \ | |
| --network-alias=client.example.com \ | |
| client | |
| - name: Install dependencies | |
| run: docker exec client dnf install -y sslscan | |
| - name: Check SSL connection | |
| run: | | |
| docker exec client sslscan --xml=$SHARED/sslscan.xml server.example.com:8443 | |
| cat sslscan.xml | |
| # TLS 1.0 should be disabled | |
| echo -n "0" > expected | |
| xmlstarlet sel -t -v \ | |
| "/document/ssltest/protocol[@type='tls' and @version='1.0']/@enabled" \ | |
| sslscan.xml > actual | |
| diff expected actual | |
| # TLS 1.1 should be disabled | |
| echo -n "0" > expected | |
| xmlstarlet sel -t -v \ | |
| "/document/ssltest/protocol[@type='tls' and @version='1.1']/@enabled" \ | |
| sslscan.xml > actual | |
| diff expected actual | |
| # TLS 1.2 should be disabled | |
| echo -n "0" > expected | |
| xmlstarlet sel -t -v \ | |
| "/document/ssltest/protocol[@type='tls' and @version='1.2']/@enabled" \ | |
| sslscan.xml > actual | |
| diff expected actual | |
| # TLS 1.3 should be enabled | |
| echo -n "1" > expected | |
| xmlstarlet sel -t -v \ | |
| "/document/ssltest/protocol[@type='tls' and @version='1.3']/@enabled" \ | |
| sslscan.xml > actual | |
| diff expected actual | |
| # cert subject should be server.example.com | |
| echo -n "server.example.com" > expected | |
| xmlstarlet sel -t -v \ | |
| "/document/ssltest/certificates/certificate/subject" \ | |
| sslscan.xml > actual | |
| diff expected actual | |
| # SAN extension should be DNS:server.example.com | |
| echo -n "DNS:server.example.com" > expected | |
| xmlstarlet sel -t -v \ | |
| "/document/ssltest/certificates/certificate/altnames" \ | |
| sslscan.xml > actual | |
| diff expected actual | |
| # cert issuer should be server.example.com | |
| echo -n "server.example.com" > expected | |
| xmlstarlet sel -t -v \ | |
| "/document/ssltest/certificates/certificate/issuer" \ | |
| sslscan.xml > actual | |
| diff expected actual | |
| # cert should be self-signed | |
| echo -n "true" > expected | |
| xmlstarlet sel -t -v \ | |
| "/document/ssltest/certificates/certificate/self-signed" \ | |
| sslscan.xml > actual | |
| diff expected actual | |
| - name: Stop Tomcat | |
| run: | | |
| docker exec server pki-server stop --wait -v | |
| - name: Remove Tomcat | |
| run: | | |
| docker exec server pki-server remove -v | |
| - name: Gather artifacts from server container | |
| if: always() | |
| run: | | |
| tests/bin/pki-artifacts-save.sh server | |
| continue-on-error: true | |
| - name: Upload artifacts from server container | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: https-nssdb-test | |
| path: | | |
| /tmp/artifacts/server |