From 375dabf56c6f4f70bec0779bbf7be249bb2f2b13 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Mon, 16 Sep 2024 14:26:19 -0500
Subject: [PATCH] Update ACME tests to check server files and folders

---
.github/workflows/acme-basic-test.yml | 144 ++++++++++++++++++++++++++
1 file changed, 144 insertions(+)

diff --git a/.github/workflows/acme-basic-test.yml b/.github/workflows/acme-basic-test.yml
index 0807dbf290f..3b5e963b893 100644
--- a/.github/workflows/acme-basic-test.yml
+++ b/.github/workflows/acme-basic-test.yml
@@ -105,6 +105,120 @@ jobs:
 -D url=ldap://ds.example.com:3389
 docker exec pki pki-server acme-deploy --wait
+ - name: Check PKI server base dir after installation
+ run: |
+ # check file types, owners, and permissions
+ docker exec pki ls -l /var/lib/pki/pki-tomcat \
+ | sed \
+ -e '/^total/d' \
+ -e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
+ | tee output
+
+ # TODO: review permissions
+ cat > expected << EOF
+ lrwxrwxrwx pkiuser pkiuser alias -> /etc/pki/pki-tomcat/alias
+ lrwxrwxrwx pkiuser pkiuser bin -> /usr/share/tomcat/bin
+ drwxrwx--- pkiuser pkiuser ca
+ drwxrwx--- pkiuser pkiuser common
+ lrwxrwxrwx pkiuser pkiuser conf -> /etc/pki/pki-tomcat
+ lrwxrwxrwx pkiuser pkiuser lib -> /usr/share/pki/server/lib
+ lrwxrwxrwx pkiuser pkiuser logs -> /var/log/pki/pki-tomcat
+ drwxrwx--- pkiuser pkiuser temp
+ drwxr-xr-x pkiuser pkiuser webapps
+ drwxrwx--- pkiuser pkiuser work
+ EOF
+
+ diff expected output
+
+ - name: Check PKI server conf dir after installation
+ run: |
+ # check file types, owners, and permissions
+ docker exec pki ls -l /etc/pki/pki-tomcat \
+ | sed \
+ -e '/^total/d' \
+ -e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
+ | tee output
+
+ # TODO: review permissions
+ cat > expected << EOF
+ drwxrwx--- pkiuser pkiuser Catalina
+ drwxr-x--- pkiuser pkiuser acme
+ drwxrwx--- pkiuser pkiuser alias
+ drwxrwx--- pkiuser pkiuser ca
+ -rw-r--r-- pkiuser pkiuser catalina.policy
+ lrwxrwxrwx pkiuser pkiuser catalina.properties -> /usr/share/pki/server/conf/catalina.properties
+ drwxrwx--- pkiuser pkiuser certs
+ lrwxrwxrwx pkiuser pkiuser context.xml -> /etc/tomcat/context.xml
+ lrwxrwxrwx pkiuser pkiuser logging.properties -> /usr/share/pki/server/conf/logging.properties
+ -rw-rw---- pkiuser pkiuser password.conf
+ -rw-rw---- pkiuser pkiuser server.xml
+ -rw-rw---- pkiuser pkiuser serverCertNick.conf
+ -rw-rw---- pkiuser pkiuser tomcat.conf
+ lrwxrwxrwx pkiuser pkiuser web.xml -> /etc/tomcat/web.xml
+ EOF
+
+ diff expected output
+
+ - name: Check PKI server logs dir after installation
+ run: |
+ # check file types, owners, and permissions
+ # ignore backup dir since it doesn't always exist
+ docker exec pki ls -l /var/log/pki/pki-tomcat \
+ | sed \
+ -e '/^total/d' \
+ -e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
+ -e '/^\S* *\S* *\S* *backup$/d' \
+ | tee output
+
+ DATE=$(date +'%Y-%m-%d')
+
+ # TODO: review permissions
+ cat > expected << EOF
+ drwxr-xr-x pkiuser pkiuser acme
+ drwxrwx--- pkiuser pkiuser ca
+ -rw-rw-r-- pkiuser pkiuser catalina.$DATE.log
+ -rw-rw-r-- pkiuser pkiuser host-manager.$DATE.log
+ -rw-rw-r-- pkiuser pkiuser localhost.$DATE.log
+ -rw-r--r-- pkiuser pkiuser localhost_access_log.$DATE.txt
+ -rw-rw-r-- pkiuser pkiuser manager.$DATE.log
+ drwxr-xr-x pkiuser pkiuser pki
+ EOF
+
+ diff expected output
+
+ - name: Check ACME conf dir
+ run: |
+ # check file types, owners, and permissions
+ docker exec pki ls -l /etc/pki/pki-tomcat/acme \
+ | sed \
+ -e '/^total/d' \
+ -e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
+ | tee output
+
+ # TODO: review permissions
+ cat > expected << EOF
+ -rw-rw---- pkiuser pkiuser database.conf
+ -rw-rw---- pkiuser pkiuser issuer.conf
+ -rw-rw---- pkiuser pkiuser realm.conf
+ EOF
+
+ diff expected output
+
+ - name: Check ACME database config
+ if: always()
+ run: |
+ docker exec pki cat /etc/pki/pki-tomcat/acme/database.conf
+
+ - name: Check ACME issuer config
+ if: always()
+ run: |
+ docker exec pki cat /etc/pki/pki-tomcat/acme/issuer.conf
+
+ - name: Check ACME realm config
+ if: always()
+ run: |
+ docker exec pki cat /etc/pki/pki-tomcat/acme/realm.conf
+
 - name: Check initial ACME accounts
 run: |
 docker exec ds ldapsearch \
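Review bot: `docker exec pki cat /etc/pki/pki-tomcat/acme/database.conf` (and the issuer/realm steps beside it) dumps into the job log a file that this same hunk expects to be mode `-rw-rw----`, and the `-D url=ldap://ds.example.com:3389` context just above suggests database.conf carries the DS connection settings, which for a bind-password backend would put that credential into CI output. If these files can contain a password, redact before printing, e.g. `docker exec pki sed -e 's/^\(.*[Pp]assword[^=]*=\).*/\1 <redacted>/' /etc/pki/pki-tomcat/acme/database.conf`, or leave them to the artifact step. In the logs-dir check, `DATE=$(date +'%Y-%m-%d')` is evaluated on the runner while the log names are produced inside the `pki` container, so a timezone difference or a midnight crossing between deployment and this step fails the diff spuriously; `DATE=$(docker exec pki date +'%Y-%m-%d')` at least uses the container's clock. The `# TODO: review permissions` comments leave world-readable modes such as `drwxr-xr-x pkiuser pkiuser acme` and `-rw-r--r-- pkiuser pkiuser localhost_access_log.$DATE.txt` pinned as expected output, so a later hardening will break this test; the comment should say which entries are intended and which are merely observed. The enclosing job definition begins before this hunk.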
@@ -547,6 +661,36 @@ jobs:
 sed -n 's/^acmeStatus: *\(.*\)$/\1/p' output > actual
 diff expected actual
+ - name: Check DS server systemd journal
+ if: always()
+ run: |
+ docker exec ds journalctl -x --no-pager -u dirsrv@localhost.service
+
+ - name: Check DS container logs
+ if: always()
+ run: |
+ docker logs ds
+
+ - name: Check PKI server systemd journal
+ if: always()
+ run: |
+ docker exec pki journalctl -x --no-pager -u pki-tomcatd@pki-tomcat.service
+
+ - name: Check CA debug log
+ if: always()
+ run: |
+ docker exec pki find /var/lib/pki/pki-tomcat/logs/ca -name "debug.*" -exec cat {} \;
+
+ - name: Check ACME debug log
+ if: always()
+ run: |
+ docker exec pki find /var/lib/pki/pki-tomcat/logs/acme -name "debug.*" -exec cat {} \;
+
+ - name: Check certbot log
+ if: always()
+ run: |
+ docker exec client cat /var/log/letsencrypt/letsencrypt.log
+
 - name: Gather artifacts from server containers
 if: always()
 run: |
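Review bot: `docker exec client cat /var/log/letsencrypt/letsencrypt.log` fails the step when the file is absent, and because it runs under `if: always()` as a diagnostic, a run in which certbot never wrote a log (or the `client` container was not started, which I cannot tell from this hunk) would go red for the diagnostic rather than for the test; `docker exec client cat /var/log/letsencrypt/letsencrypt.log || true` keeps it best-effort. The two `find … -name "debug.*" -exec cat {} \;` steps are on firmer ground, since the first hunk's expected listing shows `ca` and `acme` under the logs dir, but they print the complete CA and ACME debug logs on every run including successful ones; `if: failure()` or routing them into the following "Gather artifacts" step would keep the job log readable. The step list here belongs to a job whose definition starts before this hunk.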