diff --git a/.github/workflows/ca-basic-test.yml b/.github/workflows/ca-basic-test.yml index 6cee397611b..e6716213fe3 100644 --- a/.github/workflows/ca-basic-test.yml +++ b/.github/workflows/ca-basic-test.yml @@ -33,20 +33,18 @@ jobs: tests/bin/ds-create.sh \ --image=${{ env.DS_IMAGE }} \ --hostname=ds.example.com \ + --network=example \ + --network-alias=ds.example.com \ --password=Secret.123 \ ds - - name: Connect DS container to network - run: docker network connect example ds --alias ds.example.com - - name: Set up PKI container run: | - tests/bin/runner-init.sh pki - env: - HOSTNAME: pki.example.com - - - name: Connect PKI container to network - run: docker network connect example pki --alias pki.example.com + tests/bin/runner-init.sh \ + --hostname=pki.example.com \ + --network=example \ + --network-alias=pki.example.com \ + pki - name: Install CA run: | @@ -249,12 +247,13 @@ jobs: - name: Check CA signing cert run: | docker exec pki pki-server cert-export ca_signing \ - --cert-file ca_signing.crt + --cert-file $SHARED/ca_signing.crt docker exec pki openssl req -text -noout \ -in /var/lib/pki/pki-tomcat/conf/certs/ca_signing.csr # check CA signing cert extensions - docker exec pki /usr/share/pki/tests/ca/bin/test-ca-signing-cert-ext.sh + docker exec pki /usr/share/pki/tests/ca/bin/test-ca-signing-cert-ext.sh \ + $SHARED/ca_signing.crt - name: Check CA OCSP signing cert run: | @@ -301,23 +300,67 @@ jobs: - name: Update CA configuration run: | - # enable signed audit log + docker exec pki dnf install -y xmlstarlet + + # disable access log buffer + docker exec pki xmlstarlet edit --inplace \ + -u "//Valve[@className='org.apache.catalina.valves.AccessLogValve']/@buffered" \ + -v "false" \ + -i "//Valve[@className='org.apache.catalina.valves.AccessLogValve' and not(@buffered)]" \ + -t attr \ + -n "buffered" \ + -v "false" \ + /etc/pki/pki-tomcat/server.xml + + # enable CA signed audit log docker exec pki pki-server ca-config-set log.instance.SignedAudit.logSigning true - # restart CA subsystem - docker exec pki pki-server ca-redeploy --wait + # restart PKI server + docker exec pki pki-server restart --wait - name: Initialize PKI client run: | - docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt - docker exec pki pki nss-cert-import \ - --cert ca_signing.crt \ + --cert $SHARED/ca_signing.crt \ --trust CT,C,C \ ca_signing + - name: Check pki info with default API + run: | docker exec pki pki info + # check HTTP methods, paths, protocols, status, and authenticated users + docker exec pki find /var/log/pki/pki-tomcat \ + -name "localhost_access_log.*" \ + -exec cat {} \; \ + | tail -1 \ + | sed -e 's/^.* .* \(.*\) \[.*\] "\(.*\)" \(.*\) .*$/\2 \3 \1/' \ + | tee output + + cat > expected << EOF + GET /pki/v1/info HTTP/1.1 200 - + EOF + + diff expected output + + - name: Check pki info with API v2 + run: | + docker exec pki pki --api v2 info + + # check HTTP methods, paths, protocols, status, and authenticated users + docker exec pki find /var/log/pki/pki-tomcat \ + -name "localhost_access_log.*" \ + -exec cat {} \; \ + | tail -1 \ + | sed -e 's/^.* .* \(.*\) \[.*\] "\(.*\)" \(.*\) .*$/\2 \3 \1/' \ + | tee output + + cat > expected << EOF + GET /pki/v2/info HTTP/1.1 200 - + EOF + + diff expected output + - name: Test CA certs run: | docker exec pki /usr/share/pki/tests/ca/bin/test-ca-signing-cert.sh @@ -439,21 +482,12 @@ jobs: run: | docker exec pki journalctl -x --no-pager -u pki-tomcatd@pki-tomcat.service - - name: Check CA debug log + - name: Check PKI server access log if: always() run: | - docker exec pki find /var/lib/pki/pki-tomcat/logs/ca -name "debug.*" -exec cat {} \; + docker exec pki find /var/log/pki/pki-tomcat -name "localhost_access_log.*" -exec cat {} \; - - name: Gather artifacts + - name: Check CA debug log if: always() run: | - tests/bin/ds-artifacts-save.sh ds - tests/bin/pki-artifacts-save.sh pki - continue-on-error: true - - - name: Upload artifacts - if: always() - uses: actions/upload-artifact@v4 - with: - name: ca-basic - path: /tmp/artifacts + docker exec pki find /var/lib/pki/pki-tomcat/logs/ca -name "debug.*" -exec cat {} \; diff --git a/base/common/src/main/java/com/netscape/certsrv/client/Client.java b/base/common/src/main/java/com/netscape/certsrv/client/Client.java index 66ceb76e798..53bce162192 100644 --- a/base/common/src/main/java/com/netscape/certsrv/client/Client.java +++ b/base/common/src/main/java/com/netscape/certsrv/client/Client.java @@ -44,7 +44,7 @@ public class Client { public LinkedHashMap clients = new LinkedHashMap<>(); public Client(PKIClient client, String subsystem, String name) { - this(client, subsystem, "rest", name); + this(client, subsystem, client.getAPIVersion(), name); } public Client(PKIClient client, String subsystem, String prefix, String name) { diff --git a/base/common/src/main/java/com/netscape/certsrv/client/PKIClient.java b/base/common/src/main/java/com/netscape/certsrv/client/PKIClient.java index 5ab4c4f9587..b4b0bbe4edb 100644 --- a/base/common/src/main/java/com/netscape/certsrv/client/PKIClient.java +++ b/base/common/src/main/java/com/netscape/certsrv/client/PKIClient.java @@ -48,6 +48,7 @@ public class PKIClient implements AutoCloseable { public ClientConfig config; public PKIConnection connection; + public String apiVersion; public MediaType messageFormat; public InfoClient infoClient; public Info info; @@ -57,7 +58,12 @@ public PKIClient(ClientConfig config) throws Exception { } public PKIClient(ClientConfig config, SSLCertificateApprovalCallback callback) throws Exception { + this(config, "rest", callback); + } + + public PKIClient(ClientConfig config, String apiVersion, SSLCertificateApprovalCallback callback) throws Exception { this.config = config; + this.apiVersion = apiVersion; connection = new PKIConnection(config); connection.setCallback(callback); @@ -72,6 +78,10 @@ public PKIClient(ClientConfig config, SSLCertificateApprovalCallback callback) t this.messageFormat = MediaType.valueOf("application/" + messageFormat); } + public String getAPIVersion() { + return apiVersion; + } + public MediaType getMessageFormat() { return messageFormat; } diff --git a/base/common/src/main/java/org/dogtagpki/common/InfoClient.java b/base/common/src/main/java/org/dogtagpki/common/InfoClient.java index 7bacdcbfb60..3c3c4bfd7aa 100644 --- a/base/common/src/main/java/org/dogtagpki/common/InfoClient.java +++ b/base/common/src/main/java/org/dogtagpki/common/InfoClient.java @@ -27,7 +27,7 @@ public class InfoClient extends Client { public InfoClient(PKIClient client) throws Exception { - super(client, "pki", "v2", "info"); + super(client, "pki", "info"); } public Info getInfo() throws Exception { diff --git a/base/tools/src/main/java/com/netscape/cmstools/cli/MainCLI.java b/base/tools/src/main/java/com/netscape/cmstools/cli/MainCLI.java index fa95c2b9e44..0c4b7ee95fb 100644 --- a/base/tools/src/main/java/com/netscape/cmstools/cli/MainCLI.java +++ b/base/tools/src/main/java/com/netscape/cmstools/cli/MainCLI.java @@ -86,6 +86,7 @@ public class MainCLI extends CLI { public ClientConfig config = new ClientConfig(); NSSDatabase nssdb; + String apiVersion; public Collection rejectedCertStatuses = new HashSet<>(); public Collection ignoredCertStatuses = new HashSet<>(); @@ -141,6 +142,10 @@ public String getManPage() { return "pki"; } + public String getAPIVersion() { + return apiVersion; + } + public void printVersion() { Package pkg = MainCLI.class.getPackage(); System.out.println("PKI Command-Line Interface " + pkg.getImplementationVersion()); @@ -213,6 +218,10 @@ public void createOptions() throws UnknownHostException { option.setArgName("token"); options.addOption(option); + option = new Option(null, "api", true, "API version: v1, v2"); + option.setArgName("version"); + options.addOption(option); + option = new Option(null, "output", true, "Folder to store HTTP messages"); option.setArgName("folder"); options.addOption(option); @@ -454,6 +463,8 @@ public void parseOptions(CommandLine cmd) throws Exception { // store user password config.setPassword(password); + apiVersion = cmd.getOptionValue("api", "rest"); + String list = cmd.getOptionValue("reject-cert-status"); convertCertStatusList(list, rejectedCertStatuses); @@ -593,7 +604,7 @@ public PKIClient getClient() throws Exception { logger.info("Connecting to " + config.getServerURL()); SSLCertificateApprovalCallback callback = createCertApprovalCallback(); - client = new PKIClient(config, callback); + client = new PKIClient(config, apiVersion, callback); if (output != null) { File file = new File(output);