Modify pkispawn to deploy EST

EST deployment is included in pkispwn. The installation does not perform all the steps done for CA and other subsystems so there is no security domain management and user administration. During the installation there is no DS or other DBs connection which has to be performed by the user before or after the installation.
dogtagpki · Sep 17, 2024 · 3ad0aca · 3ad0aca
1 parent 0ff1fc4
commit 3ad0aca
Show file tree

Hide file tree

Showing 21 changed files with 646 additions and 13 deletions.
diff --git a/.github/workflows/acme-separate-test.yml b/.github/workflows/acme-separate-test.yml
@@ -102,6 +102,7 @@ jobs:
       - name: Create PKI server for ACME
         run: |
           docker exec acme pki-server create
+          docker exec acme pki-server start
           docker exec acme pki-server nss-create --password Secret.123
 
       - name: Import CA signing cert for ACME

diff --git a/.github/workflows/est-ds-realm-test.yml b/.github/workflows/est-ds-realm-test.yml
@@ -0,0 +1,235 @@
+name: EST with ds realm
+
+on: workflow_call
+
+env:
+  DB_IMAGE: ${{ vars.DB_IMAGE || 'quay.io/389ds/dirsrv' }}
+
+jobs:
+  # docs/installation/ca/Installing_CA.md
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    env:
+      SHARED: /tmp/workdir/pki
+    steps:
+      - name: Clone repository
+        uses: actions/checkout@v4
+
+      - name: Retrieve PKI images
+        uses: actions/cache@v4
+        with:
+          key: pki-images-${{ github.sha }}
+          path: pki-images.tar
+
+      - name: Load PKI images
+        run: docker load --input pki-images.tar
+
+      - name: Create network
+        run: docker network create example
+
+      - name: Set up DS container
+        run: |
+          tests/bin/ds-create.sh \
+              --image=${{ env.DB_IMAGE }} \
+              --hostname=ds.example.com \
+              --password=Secret.123 \
+              ds
+
+      - name: Connect DS container to network
+        run: docker network connect example ds --alias ds.example.com
+
+      - name: Set up PKI container
+        run: |
+          tests/bin/runner-init.sh pki
+        env:
+          HOSTNAME: pki.example.com
+
+      - name: Connect PKI container to network
+        run: docker network connect example pki --alias pki.example.com
+
+      - name: Install CA
+        run: |
+          docker exec pki pkispawn \
+              -f /usr/share/pki/server/examples/installation/ca.cfg \
+              -s CA \
+              -D pki_ds_url=ldap://ds.example.com:3389 \
+              -v
+
+      - name: Initialize PKI client
+        run: |
+          docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
+
+          docker exec pki pki nss-cert-import \
+              --cert ca_signing.crt \
+              --trust CT,C,C \
+              ca_signing
+
+          docker exec pki pki pkcs12-import \
+              --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
+              --pkcs12-password Secret.123
+
+          docker exec pki pki info
+
+      - name: Add CA EST user
+        run: |
+          docker exec pki pki -n caadmin ca-group-add "EST RA Agents"
+          docker exec pki pki -n caadmin ca-user-add \
+              est-ra-1 --fullName "EST RA 1" --password Secret.est
+          docker exec pki pki -n caadmin ca-group-member-add "EST RA Agents" est-ra-1
+          
+      - name: Configure CA est profile
+        run: |
+          docker exec pki pki -n caadmin ca-profile-add \
+              --raw /usr/share/pki/ca/profiles/ca/estServiceCert.cfg
+          docker exec pki pki -n caadmin ca-profile-enable estServiceCert
+          docker exec pki pki-server restart --wait
+
+      - name: Install EST
+        run: |
+          docker exec pki pkispawn \
+              -f /usr/share/pki/server/examples/installation/est.cfg \
+              -s EST \
+              -D est_realm_url=ldap://ds.example.com:3389 \
+              -v
+
+      - name: Check EST backend config
+        if: always()
+        run: |
+          docker exec pki cat /etc/pki/pki-tomcat/est/backend.conf
+
+      - name: Check EST authorizer config
+        if: always()
+        run: |
+          docker exec pki cat /etc/pki/pki-tomcat/est/authorizer.conf
+
+      - name: Check EST realm config
+        if: always()
+        run: |
+          docker exec pki cat /etc/pki/pki-tomcat/est/realm.conf
+
+      - name: Check webapps
+        run: |
+          docker exec pki pki-server webapp-find | tee output
+
+          # CA instance should have ROOT, ca, and pki webapps
+          echo "ROOT" > expected
+          echo "ca" >> expected
+          echo "est" >> expected
+          echo "pki" >> expected
+          sed -n 's/^ *Webapp ID: *\(.*\)$/\1/p' output > actual
+          diff expected actual
+
+          docker exec pki pki-server webapp-show ROOT
+          docker exec pki pki-server webapp-show ca
+          docker exec pki pki-server webapp-show est
+          docker exec pki pki-server webapp-show pki
+
+      - name: Create EST users
+        run: |
+          docker exec -i pki ldapadd -x -H ldap://ds.example.com:3389 \
+              -D "cn=Directory Manager"  -w Secret.123 << EOF
+          dn: dc=est,dc=pki,dc=example,dc=com
+          objectClass: domain
+          dc: est 
+          
+          dn: ou=people,dc=est,dc=pki,dc=example,dc=com
+          ou: people
+          objectClass: top
+          objectClass: organizationalUnit
+          
+          dn: ou=groups,dc=est,dc=pki,dc=example,dc=com
+          ou: groups
+          objectClass: top
+          objectClass: organizationalUnit
+          
+          dn: uid=est-test-user,ou=people,dc=est,dc=pki,dc=example,dc=com
+          objectClass: top
+          objectClass: person
+          objectClass: organizationalPerson
+          objectClass: inetOrgPerson
+          objectClass: cmsuser
+          uid: est-test-user
+          sn: EST TEST USER
+          cn: EST TEST USER
+          usertype: undefined
+          userPassword: Secret.123
+          
+          dn: cn=estclient,ou=groups,dc=est,dc=pki,dc=example,dc=com
+          objectClass: top
+          objectClass: groupOfUniqueNames
+          cn: estclient
+          uniqueMember: uid=est-test-user,ou=People,dc=est,dc=pki,dc=example,dc=com
+          EOF
+
+      - name: Test CA certs
+        run: |
+          docker exec pki curl -o cacert.p7 -k https://pki.example.com:8443/.well-known/est/cacerts
+          docker exec pki openssl base64 -d --in cacert.p7 --out cacert.p7.der
+          docker exec pki openssl pkcs7 --in cacert.p7.der -inform DER -print_certs -out cacert.pem
+          docker exec pki openssl x509 -in cacert.pem -text -noout | tee actual
+          docker exec pki openssl x509 -in ca_signing.crt -text -noout | tee expected
+          diff expected actual
+
+      - name: Install est client
+        run: |
+          docker exec pki dnf copr enable -y @pki/libest 
+          docker exec pki dnf install -y libest
+
+      - name: Enroll certificate
+        run: |
+          docker exec -e EST_OPENSSL_CACERT=cacert.pem pki estclient -e -s pki.example.com -p 8443 \
+              --common-name test.example.com -o . -u est-test-user -h Secret.123
+
+          docker exec pki openssl base64 -d --in cert-0-0.pkcs7 --out cert-0-0.pkcs7.der
+          docker exec pki openssl pkcs7 -in cert-0-0.pkcs7.der -inform DER -print_certs -out cert.pem
+          docker exec pki openssl x509 -in cert.pem -subject -noout | tee actual
+          echo "subject=CN=test.example.com" > expected
+          diff expected actual
+
+      - name: Remove EST
+        run: |
+          docker exec pki pki-server est-undeploy --wait
+          docker exec pki pki-server est-remove
+
+      - name: Remove CA
+        run: docker exec pki pkidestroy -i pki-tomcat -s CA -v
+
+      - name: Check DS server systemd journal
+        if: always()
+        run: |
+          docker exec ds journalctl -x --no-pager -u dirsrv@localhost.service
+
+      - name: Check DS container logs
+        if: always()
+        run: |
+          docker logs ds
+
+      - name: Check PKI server systemd journal
+        if: always()
+        run: |
+          docker exec pki journalctl -x --no-pager -u pki-tomcatd@pki-tomcat.service
+
+      - name: Check CA debug log
+        if: always()
+        run: |
+          docker exec pki find /var/lib/pki/pki-tomcat/logs/ca -name "debug.*" -exec cat {} \;
+
+      - name: Check EST debug log
+        if: always()
+        run: |
+          docker exec pki find /var/lib/pki/pki-tomcat/logs/est -name "debug.*" -exec cat {} \;
+
+      - name: Gather artifacts
+        if: always()
+        run: |
+          tests/bin/ds-artifacts-save.sh ds
+          tests/bin/pki-artifacts-save.sh pki
+        continue-on-error: true
+
+      - name: Upload artifacts
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: ca-basic
+          path: /tmp/artifacts
diff --git a/.github/workflows/est-tests.yml b/.github/workflows/est-tests.yml
@@ -40,3 +40,9 @@ jobs:
           ansible-playbook  -e 'pki_subsystem="est"' tests/ansible/pki-playbook.yml 
         env:
           ANSIBLE_CONFIG: ${{ github.workspace }}/tests/ansible/ansible.cfg
+
+
+  est-ds-realm-test:
+    name: EST with ds realm
+    needs: build
+    uses: ./.github/workflows/est-ds-realm-test.yml
diff --git a/base/est/CMakeLists.txt b/base/est/CMakeLists.txt
@@ -96,3 +96,24 @@ install(
     DESTINATION
         ${DATA_INSTALL_DIR}/est/webapps/est/WEB-INF/lib
 )
+
+install(
+    DIRECTORY
+        shared/
+    DESTINATION
+        ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf/
+    PATTERN
+        "CMakeLists.txt" EXCLUDE
+)
+
+install(
+  FILES
+      ${CMAKE_CURRENT_SOURCE_DIR}/bin/estauthz
+  DESTINATION
+      ${LIBEXEC_INSTALL_DIR}
+  PERMISSIONS
+      OWNER_EXECUTE OWNER_WRITE OWNER_READ
+      GROUP_EXECUTE GROUP_READ
+      WORLD_EXECUTE WORLD_READ
+
+)
diff --git a/base/est/bin/estauthz b/base/est/bin/estauthz
@@ -0,0 +1,7 @@
+#!/usr/bin/python3
+import json, sys
+ALLOWED_ROLE = 'estclient'
+obj = json.loads(sys.stdin.read())
+if not ALLOWED_ROLE in obj['authzData']['principal']['roles']:
+    print(f'Principal does not have required role {ALLOWED_ROLE!r}')
+    sys.exit(1)
diff --git a/base/est/conf/realm.conf b/base/est/conf/realm.conf
diff --git a/base/est/shared/authorizer.conf b/base/est/shared/authorizer.conf
@@ -0,0 +1,2 @@
+class=org.dogtagpki.est.ExternalProcessRequestAuthorizer
+executable=/usr/local/libexec/estauthz
diff --git a/base/est/shared/backend.conf b/base/est/shared/backend.conf
@@ -0,0 +1,5 @@
+class=org.dogtagpki.est.DogtagRABackend
+url=https://fedora:8443
+profile=estServiceCert
+username=est-ra-1
+password=est4ever
diff --git a/base/est/shared/realm/ds.conf b/base/est/shared/realm/ds.conf
@@ -0,0 +1,7 @@
+class=com.netscape.cms.realm.PKILDAPRealm
+url=ldap://localhost.localdomain:389
+authType=BasicAuth
+bindDN=cn=Directory Manager
+bindPassword=Secret.123
+usersDN=ou=people,dc=est,dc=pki,dc=example,dc=com
+groupsDN=ou=groups,dc=est,dc=pki,dc=example,dc=com
diff --git a/base/est/shared/realm/in-memory.conf b/base/est/shared/realm/in-memory.conf
@@ -0,0 +1,4 @@
+class=com.netscape.cms.realm.PKIInMemoryRealm
+username=admin
+password=Secret.123
+roles=estclient
diff --git a/base/est/shared/realm/postgresql.conf b/base/est/shared/realm/postgresql.conf
@@ -0,0 +1,5 @@
+class=com.netscape.cms.realm.PKIPostgreSQLRealm
+url=jdbc:postgresql://localhost.localdomain:5432/est
+user=est
+password=Secret.123
+statements=/usr/share/pki/est/conf/realm/statements.conf
diff --git a/base/est/shared/realm/statements.conf b/base/est/shared/realm/statements.conf
@@ -0,0 +1,31 @@
+getUserByID=\
+SELECT \
+    "id", "full_name", "password" \
+FROM \
+    "users" \
+WHERE \
+    "id" = ?
+
+getUserByCertID=\
+SELECT \
+    u."id", u."full_name", u."password" \
+FROM \
+    "users" u, "user_certs" uc \
+WHERE \
+    u."id" = uc."user_id" AND uc."cert_id" = ?
+
+getUserCerts=\
+SELECT \
+    "data" \
+FROM \
+    "user_certs" \
+WHERE \
+    "user_id" = ?
+
+getUserRoles=\
+SELECT \
+    "group_id" \
+FROM \
+    "group_members" \
+WHERE \
+    "user_id" = ?
diff --git a/base/est/webapps/est/index.jsp b/base/est/webapps/est/index.jsp
@@ -0,0 +1,25 @@
+<!-- --- BEGIN COPYRIGHT BLOCK ---
+     This program is free software; you can redistribute it and/or modify
+     it under the terms of the GNU General Public License as published by
+     the Free Software Foundation; version 2 of the License.
+
+     This program is distributed in the hope that it will be useful,
+     but WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+     GNU General Public License for more details.
+
+     You should have received a copy of the GNU General Public License along
+     with this program; if not, write to the Free Software Foundation, Inc.,
+     51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+     Copyright (C) 2013 Red Hat, Inc.
+     All rights reserved.
+     --- END COPYRIGHT BLOCK --- -->
+<html>
+<head>
+    <title>Enrollment over Secure Transport</title>
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+</head>
+<body>
+</body>
+</html>