From eecbca1e0699d5ff5847c59e499084d31f7acca5 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Wed, 5 Feb 2025 20:14:32 -0600
Subject: [PATCH] Add IPA test

---
 .github/workflows/ipa-reinstall-test.yml | 186 +++++++++++++++++++++++
 .github/workflows/ipa-tests.yml | 5 +
 2 files changed, 191 insertions(+)
 create mode 100644 .github/workflows/ipa-reinstall-test.yml

diff --git a/.github/workflows/ipa-reinstall-test.yml b/.github/workflows/ipa-reinstall-test.yml
new file mode 100644
index 00000000000..fa5b79be96b
--- /dev/null
+++ b/.github/workflows/ipa-reinstall-test.yml
@@ -0,0 +1,186 @@
+name: IPA reinstall
+
+on: workflow_call
+
+env:
+ DS_IMAGE: ${{ vars.DS_IMAGE || 'quay.io/389ds/dirsrv' }}
+
+jobs:
+ test:
+ name: Test
+ runs-on: ubuntu-latest
+ env:
+ SHARED: /tmp/workdir/pki
+ steps:
+ - name: Clone repository
+ uses: actions/checkout@v4
+
+ - name: Retrieve IPA images
+ uses: actions/cache@v4
+ with:
+ key: ipa-images-${{ github.sha }}
+ path: ipa-images.tar
+
+ - name: Load IPA images
+ run: docker load --input ipa-images.tar
+
+ - name: Run IPA container
+ run: |
+ tests/bin/runner-init.sh ipa
+ env:
+ IMAGE: ipa-runner
+ HOSTNAME: ipa.example.com
+
+ - name: Install IPA server
+ run: |
+ docker exec ipa sysctl net.ipv6.conf.lo.disable_ipv6=0
+ docker exec ipa ipa-server-install \
+ -U \
+ --domain example.com \
+ -r EXAMPLE.COM \
+ -p Secret.123 \
+ -a Secret.123 \
+ --no-host-dns \
+ --no-ntp
+
+ echo Secret.123 | docker exec -i ipa kinit admin
+ docker exec ipa ipa ping
+
+ - name: Import CA signing cert
+ run: |
+ docker exec ipa pki-server cert-export \
+ --cert-file ca_signing.crt \
+ ca_signing
+
+ docker exec ipa pki nss-cert-import \
+ --cert ca_signing.crt \
+ --trust CT,C,C \
+ ca_signing
+
+ docker exec ipa pki nss-cert-find
+
+ - name: Check CA agent cert
+ run: |
+ docker exec ipa ls -l /root
+
+ docker exec ipa pki pkcs12-import \
+ --pkcs12 /root/ca-agent.p12 \
+ --password Secret.123
+
+ docker exec ipa pki nss-cert-find
+ docker exec ipa pki nss-cert-show ipa-ca-agent | tee ipa-ca-agent.orig
+
+ # CA agent should be able to access PKI users
+ docker exec ipa pki -n ipa-ca-agent ca-user-find
+
+ - name: Check RA agent cert
+ run: |
+ docker exec ipa ls -l /var/lib/ipa
+
+ # import RA agent cert and key into PKCS #12 file
+ docker exec ipa openssl pkcs12 -export \
+ -in /var/lib/ipa/ra-agent.pem \
+ -inkey /var/lib/ipa/ra-agent.key \
+ -out ra-agent.p12 \
+ -passout pass:Secret.123 \
+ -name ipa-ra-agent
+
+ # import PKCS #12 file into NSS database
+ docker exec ipa pki pkcs12-import \
+ --pkcs12 ra-agent.p12 \
+ --password Secret.123
+
+ docker exec ipa pki nss-cert-find
+ docker exec ipa pki nss-cert-show ipa-ra-agent | tee ipa-ra-agent.orig
+
+ # RA agent should be able to access cert requests
+ docker exec ipa pki -n ipa-ra-agent ca-cert-request-find
+
+ - name: Check IPA CA install log
+ if: always()
+ run: |
+ docker exec ipa cat /var/log/ipaserver-install.log
+
+ - name: Check PKI server systemd journal
+ if: always()
+ run: |
+ docker exec ipa journalctl -x --no-pager -u pki-tomcatd@pki-tomcat.service
+
+ - name: Check PKI server access log
+ if: always()
+ run: |
+ docker exec ipa find /var/log/pki/pki-tomcat -name "localhost_access_log.*" -exec cat {} \;
+
+ - name: Check CA debug log
+ if: always()
+ run: |
+ docker exec ipa find /var/lib/pki/pki-tomcat/logs/ca -name "debug.*" -exec cat {} \;
+
+ - name: Remove IPA server
+ run: docker exec ipa ipa-server-install --uninstall -U
+
+ - name: Check PKI server access log after removal
+ if: always()
+ run: |
+ docker exec ipa ls -lR /var/log/pki
+
+ - name: Check CA debug log after removal
+ if: always()
+ run: |
+ docker exec ipa ls -lR /var/lib/pki
+
+ - name: Check CA admin cert after removal
+ run: |
+ docker exec ipa ls -lR /root/.dogtag
+
+ - name: Install IPA server again
+ run: |
+ docker exec ipa ipa-server-install \
+ -U \
+ --domain example.com \
+ -r EXAMPLE.COM \
+ -p Secret.123 \
+ -a Secret.123 \
+ --no-host-dns \
+ --no-ntp
+
+ echo Secret.123 | docker exec -i ipa kinit admin
+ docker exec ipa ipa ping
+
+ - name: Import CA signing cert again
+ run: |
+ # create new NSS database
+ docker exec ipa pki nss-create --force
+
+ docker exec ipa pki-server cert-export \
+ --cert-file ca_signing.crt \
+ ca_signing
+
+ docker exec ipa pki nss-cert-import \
+ --cert ca_signing.crt \
+ --trust CT,C,C \
+ ca_signing
+
+ docker exec ipa pki nss-cert-find
+
+ - name: Check CA agent cert again
+ run: |
+ docker exec ipa ls -l /root
+
+ docker exec ipa pki pkcs12-import \
+ --pkcs12 /root/ca-agent.p12 \
+ --password Secret.123
+
+ docker exec ipa pki nss-cert-show ipa-ca-agent | tee ipa-ca-agent.new
+
+ # CA agent cert should be different
+ rc=0
+ diff ipa-ca-agent.orig ipa-ca-agent.new || rc=$?
+
+ [ $rc -ne 0 ]
+
+ # CA agent should be able to access PKI users
+ docker exec ipa pki -n ipa-ca-agent ca-user-find
+
+ - name: Remove IPA server again
+ run: docker exec ipa ipa-server-install --uninstall -U
diff --git a/.github/workflows/ipa-tests.yml b/.github/workflows/ipa-tests.yml
index c46f3c13e14..75f064f34b5 100644
--- a/.github/workflows/ipa-tests.yml
+++ b/.github/workflows/ipa-tests.yml
@@ -94,6 +94,11 @@ jobs:
 needs: build
 uses: ./.github/workflows/ipa-acme-test.yml
+ ipa-reinstall-test:
+ name: IPA reinstall
+ needs: build
+ uses: ./.github/workflows/ipa-reinstall-test.yml
+
 ipa-renewal-test:
 name: IPA renewal
 needs: build
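Review bot: The `docker exec ipa pki nss-cert-show ipa-ca-agent | tee ipa-ca-agent.orig` line in "Check CA agent cert" (and the `.new` counterpart in "Check CA agent cert again") only fails on tee's exit status, because these steps declare no `shell:` and GitHub's default for such steps is `bash -e {0}` without pipefail, so a failing `nss-cert-show` leaves an empty capture file and the later `diff` comparison can pass for the wrong reason. Add `set -o pipefail` as the first line of those `run:` blocks, or put `shell: bash` on the steps (that form runs with `-eo pipefail`). In the same step, `[ $rc -ne 0 ]` also accepts diff's exit status 2 (trouble, e.g. an unreadable file); `[ $rc -eq 1 ]` pins "files differ". The RA agent cert is verified only before the uninstall; a matching "Check RA agent cert again" step after the reinstall would confirm that cert is regenerated and usable as well.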