Add test for self-signed user cert validation #330
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Third party Tests | |
| on: [push, pull_request] | |
| env: | |
| NAMESPACE: ${{ vars.REGISTRY_NAMESPACE || 'dogtagpki' }} | |
| jobs: | |
| build: | |
| name: Waiting for build | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Wait for build | |
| uses: lewagon/[email protected] | |
| with: | |
| ref: ${{ github.ref }} | |
| check-name: 'Building JSS' | |
| repo-token: ${{ secrets.GITHUB_TOKEN }} | |
| wait-interval: 30 | |
| if: github.event_name == 'push' | |
| - name: Wait for build | |
| uses: lewagon/[email protected] | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| check-name: 'Building JSS' | |
| repo-token: ${{ secrets.GITHUB_TOKEN }} | |
| wait-interval: 30 | |
| if: github.event_name == 'pull_request' | |
| postgresql-test: | |
| name: Testing connection to postrgresql | |
| needs: build | |
| runs-on: ubuntu-latest | |
| env: | |
| SHARED: /tmp/workdir/jss | |
| steps: | |
| - name: Clone repository | |
| uses: actions/checkout@v4 | |
| - name: Retrieve JSS images | |
| uses: actions/cache@v4 | |
| with: | |
| key: jss-images-${{ github.sha }} | |
| path: jss-images.tar | |
| - name: Load JSS images | |
| run: docker load --input jss-images.tar | |
| - name: Create network | |
| run: docker network create example | |
| - name: Set up JSS container | |
| run: | | |
| tests/bin/runner-init.sh \ | |
| --image=jss-builder \ | |
| --hostname=jss.example.com \ | |
| --network=example \ | |
| --network-alias=jss.example.com \ | |
| jss | |
| - name: Set up jss and database drivers | |
| run: | | |
| docker exec jss dnf install -y postgresql-jdbc | |
| docker exec -t jss sh -c 'dnf install -y /root/jss/build/RPMS/*.rpm' | |
| - name: Import LDAP SDK packages | |
| run: | | |
| docker create --name=ldapjdk-dist quay.io/$NAMESPACE/ldapjdk-dist:latest | |
| docker cp ldapjdk-dist:/root/RPMS/. /tmp/RPMS/ | |
| docker rm -f ldapjdk-dist | |
| - name: Import PKI packages | |
| run: | | |
| docker create --name=pki-dist quay.io/$NAMESPACE/pki-dist:latest | |
| docker cp pki-dist:/root/RPMS/. /tmp/RPMS/ | |
| docker rm -f pki-dist | |
| - name: Install packages | |
| run: | | |
| docker cp /tmp/RPMS/. jss:/root/RPMS/ | |
| docker exec jss bash -c "dnf localinstall -y /root/RPMS/*" | |
| - name: Create postgresql certificates | |
| run: | | |
| docker exec jss pki nss-cert-request \ | |
| --subject "CN=postgresql.example.com" \ | |
| --csr /root/sslserver.csr \ | |
| --ext /usr/share/pki/server/certs/sslserver.conf | |
| docker exec jss openssl req -text -noout -in /root/sslserver.csr | |
| docker exec jss pki nss-cert-issue \ | |
| --csr /root/sslserver.csr \ | |
| --ext /usr/share/pki/server/certs/sslserver.conf \ | |
| --cert /root/sslserver.crt | |
| docker exec jss openssl x509 -text -noout -in /root/sslserver.crt | |
| docker exec jss pki nss-cert-import --cert /root/sslserver.crt --trust "TC,C,C" postgres | |
| docker exec jss pk12util -o /root/ssl.p12 -n postgres -d /root/.dogtag/nssdb/ -W myPassword | |
| docker cp jss:/root/ssl.p12 ssl.p12 | |
| openssl pkcs12 -in ssl.p12 -nokeys -out sslserver.crt -password pass:myPassword | |
| openssl pkcs12 -in ssl.p12 -nocerts -noenc -out sslserver.key -password pass:myPassword | |
| - name: Create postgresql Docker file | |
| run: | | |
| cat > Dockerfile-Postgresql <<EOF | |
| FROM postgres AS postgres-ssl | |
| # Copy certificates | |
| COPY sslserver.key /var/lib/postgresql/server.key | |
| COPY sslserver.crt /var/lib/postgresql/server.crt | |
| RUN chown postgres:postgres /var/lib/postgresql/server.crt && \ | |
| chown postgres:postgres /var/lib/postgresql/server.key && \ | |
| chmod 600 /var/lib/postgresql/server.key | |
| EOF | |
| - name: Build postgrsql image with certificates | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| tags: postgres-ssl | |
| target: postgres-ssl | |
| file: Dockerfile-Postgresql | |
| - name: Deploy postgresql | |
| run: | | |
| docker run -d --name postgresql \ | |
| --hostname postgresql.example.com \ | |
| --network example \ | |
| --network-alias postgresql.example.com \ | |
| -e POSTGRES_PASSWORD=mysecretpassword \ | |
| -e POSTGRES_USER=jss \ | |
| postgres-ssl -c ssl=on \ | |
| -c ssl_cert_file=/var/lib/postgresql/server.crt \ | |
| -c ssl_key_file=/var/lib/postgresql/server.key | |
| - name: Build the tests | |
| run: docker exec jss ./build.sh --work-dir=./build | |
| - name: Test connection with java | |
| run: | | |
| docker exec jss mkdir /root/.postgresql | |
| docker exec jss cp /root/sslserver.crt /root/.postgresql/root.crt | |
| docker exec -t jss sh -c 'java -cp \ | |
| "/usr/share/java/*:/usr/share/java/ongres-stringprep/*:/usr/share/java/ongres-scram/*:usr/lib/java/jss.jar:/usr/share/java/slf4j/*:/root/jss/build/classes/tests" \ | |
| org.mozilla.jss.tests.JSSConnectionPostgres jss mysecretpassword \ | |
| '"'"'jdbc:postgresql://postgresql.example.com:5432/jss?ssl=true&sslmode=verify-full'"'" | tee output-java | |
| grep "Connection DONE" output-java | |
| - name: Create JSS DB and configuration files | |
| run: | | |
| cat > java.security <<EOF | |
| security.provider.1=org.mozilla.jss.JSSProvider /root/jss/jss.cfg | |
| security.provider.2=sun.security.provider.Sun | |
| security.provider.3=sun.security.ssl.SunJSSE | |
| security.provider.4=sun.security.rsa.SunRsaSign | |
| security.provider.5=sun.security.ec.SunEC | |
| security.provider.6=com.sun.net.ssl.internal.ssl.Provider | |
| security.provider.7=com.sun.crypto.provider.SunJCE | |
| security.provider.8=sun.security.jgss.SunProvider | |
| security.provider.9=com.sun.security.sasl.Provider | |
| security.provider.10=org.jcp.xml.dsig.internal.dom.XMLDSigRI | |
| security.provider.11=sun.security.smartcardio.SunPCSC | |
| EOF | |
| cat java.security | |
| docker cp java.security jss:/root/jss/java.security | |
| cat > jss.cfg <<EOF | |
| nss.config_dir=/root/.dogtag/nssdb | |
| jss.password=m1oZilla | |
| jss.experimental.sslengine=true | |
| EOF | |
| cat jss.cfg | |
| docker cp jss.cfg jss:/root/jss/jss.cfg | |
| echo "m1oZilla" > password_file | |
| docker cp password_file jss:/root/jss | |
| - name: Test connection with JSS | |
| run: | | |
| docker exec -t jss sh -c 'java -cp \ | |
| "/usr/share/java/*:/usr/share/java/ongres-stringprep/*:/usr/share/java/ongres-scram/*:/usr/lib/java/jss.jar:/usr/share/java/slf4j/slf4j-api.jar:/usr/share/java/slf4j/slf4j-jdk14.jar:/root/jss/build/classes/tests" \ | |
| -Djava.security.properties==/root/jss/java.security \ | |
| org.mozilla.jss.tests.JSSConnectionPostgres jss mysecretpassword \ | |
| '"'"'jdbc:postgresql://postgresql.example.com:5432/jss?ssl=true&sslmode=verify-full'"'" | tee output-jss | |
| grep "JSS CryptoManager" output-jss | |
| - name: Verify the output match | |
| run: | | |
| grep -v "CryptoManager" output-jss > output-jss-clean | |
| diff output-jss-clean output-java |