Comparing changes
base repository: dogtagpki/pki
base: 546af88d30c862a7422b840f3c0557afc0c0eb38
head repository: dogtagpki/pki
compare: 916c75c2b4c0e39e01c7d30f213b18722306e858
Showing with 6,000 additions and 1,768 deletions.
  1. +194 −3 .github/workflows/acme-basic-test.yml
  2. +883 −0 .github/workflows/acme-existing-nssdb-test.yml
  3. +7 −8 .github/workflows/acme-postgresql-test.yml
  4. +205 −48 .github/workflows/acme-separate-test.yml
  5. +5 −0 .github/workflows/acme-tests.yml
  6. +129 −0 .github/workflows/ca-custom-ports-test.yml
  7. +136 −30 .github/workflows/ca-profile-caDirPinUserCert-test.yml
  8. +145 −45 .github/workflows/ca-profile-caDirUserCert-test.yml
  9. +16 −29 .github/workflows/ca-profile-caServerCert-test.yml
  10. +5 −0 .github/workflows/ca-tests.yml
  11. +396 −0 .github/workflows/est-ds-realm-separate-test.yml
  12. +407 −0 .github/workflows/est-ds-realm-test.yml
  13. +452 −0 .github/workflows/est-postgresql-realm-test.yml
  14. +432 −0 .github/workflows/est-separate-provided-certs-test.yml
  15. +21 −0 .github/workflows/est-tests.yml
  16. +10 −0 .github/workflows/ipa-acme-test.yml
  17. +15 −151 .github/workflows/ipa-basic-test.yml
  18. +20 −0 .github/workflows/ipa-clone-test.yml
  19. +296 −0 .github/workflows/ipa-kra-test.yml
  20. +10 −0 .github/workflows/ipa-subca-test.yml
  21. +5 −0 .github/workflows/ipa-tests.yml
  22. +30 −48 .github/workflows/kra-existing-certs-test.yml
  23. +36 −66 .github/workflows/kra-existing-ds-test.yml
  24. +30 −48 .github/workflows/kra-existing-hsm-test.yml
  25. +30 −48 .github/workflows/kra-existing-nssdb-test.yml
  26. +36 −30 .github/workflows/kra-external-certs-test.yml
  27. +36 −30 .github/workflows/kra-standalone-test.yml
  28. +30 −25 .github/workflows/ocsp-crl-direct-test.yml
  29. +30 −25 .github/workflows/ocsp-crl-ldap-test.yml
  30. +30 −25 .github/workflows/ocsp-external-certs-test.yml
  31. +30 −25 .github/workflows/ocsp-standalone-test.yml
  32. +24 −20 .github/workflows/tks-external-certs-test.yml
  33. +24 −12 .github/workflows/tps-external-certs-test.yml
  34. +16 −1 base/common/python/pki/nssdb.py
  35. +20 −0 base/est/CMakeLists.txt
  36. +7 −0 base/est/bin/estauthz
  37. +0 −1 base/est/conf/realm.conf
  38. +2 −0 base/est/shared/authorizer.conf
  39. +5 −0 base/est/shared/backend.conf
  40. +7 −0 base/est/shared/realm/ds.conf
  41. +4 −0 base/est/shared/realm/in-memory.conf
  42. +5 −0 base/est/shared/realm/postgresql.conf
  43. +23 −0 base/est/shared/realm/postgresql/create.sql
  44. +31 −0 base/est/shared/realm/postgresql/statements.conf
  45. +25 −0 base/est/webapps/est/index.jsp
  46. +30 −1 base/server/etc/default.cfg
  47. +3 −0 base/server/examples/installation/acme.cfg
  48. +11 −0 base/server/examples/installation/est.cfg
  49. +4 −4 base/server/healthcheck/pki/server/healthcheck/meta/connectivity.py
  50. +60 −28 base/server/python/pki/server/__init__.py
  51. +14 −14 base/server/python/pki/server/cli/__init__.py
  52. +24 −10 base/server/python/pki/server/cli/acme.py
  53. +18 −18 base/server/python/pki/server/cli/subsystem.py
  54. +675 −315 base/server/python/pki/server/deployment/__init__.py
  55. +2 −6 base/server/python/pki/server/deployment/pkiconfig.py
  56. +4 −466 base/server/python/pki/server/deployment/pkihelper.py
  57. +2 −11 base/server/python/pki/server/deployment/pkiparser.py
  58. +7 −8 base/server/python/pki/server/deployment/scriptlets/configuration.py
  59. +5 −4 base/server/python/pki/server/deployment/scriptlets/finalization.py
  60. +5 −3 base/server/python/pki/server/deployment/scriptlets/initialization.py
  61. +2 −2 base/server/python/pki/server/deployment/scriptlets/instance_layout.py
  62. +8 −1 base/server/python/pki/server/deployment/scriptlets/subsystem_layout.py
  63. +2 −5 base/server/python/pki/server/pkidestroy.py
  64. +17 −6 base/server/python/pki/server/pkispawn.py
  65. +241 −30 base/server/python/pki/server/subsystem.py
  66. +5 −3 base/server/src/main/java/com/netscape/cms/realm/PKIPostgreSQLRealm.java
  67. +1 −1 base/server/src/main/java/org/dogtagpki/server/rest/v2/GroupServlet.java
  68. +1 −0 base/tools/src/main/java/com/netscape/cmstools/ca/CACertCLI.java
  69. +501 −0 base/tools/src/main/java/com/netscape/cmstools/ca/CACertIssueCLI.java
  70. +5 −4 base/tools/src/main/java/com/netscape/cmstools/ca/CACertRequestSubmitCLI.java
  71. +47 −98 tests/ansible/ocsp/tasks/certificate_self_validation_with_crl.yml
  72. +6 −12 tests/ca/bin/sslserver-create.sh
197 changes: 194 additions & 3 deletions .github/workflows/acme-basic-test.yml
@@ -108,6 +108,122 @@ jobs:
-D acme_realm_url=ldap://ds.example.com:3389 \
-v
- name: Check PKI server base dir after installation
run: |
# check file types, owners, and permissions
docker exec pki ls -l /var/lib/pki/pki-tomcat \
| sed \
-e '/^total/d' \
-e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
| tee output
# TODO: review permissions
cat > expected << EOF
drwxrwx--- pkiuser pkiuser acme
lrwxrwxrwx pkiuser pkiuser alias -> /var/lib/pki/pki-tomcat/conf/alias
lrwxrwxrwx pkiuser pkiuser bin -> /usr/share/tomcat/bin
drwxrwx--- pkiuser pkiuser ca
drwxrwx--- pkiuser pkiuser common
lrwxrwxrwx pkiuser pkiuser conf -> /etc/pki/pki-tomcat
lrwxrwxrwx pkiuser pkiuser lib -> /usr/share/pki/server/lib
lrwxrwxrwx pkiuser pkiuser logs -> /var/log/pki/pki-tomcat
drwxrwx--- pkiuser pkiuser temp
drwxr-xr-x pkiuser pkiuser webapps
drwxrwx--- pkiuser pkiuser work
EOF
diff expected output
- name: Check PKI server conf dir after installation
run: |
# check file types, owners, and permissions
docker exec pki ls -l /etc/pki/pki-tomcat \
| sed \
-e '/^total/d' \
-e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
| tee output
# TODO: review permissions
cat > expected << EOF
drwxrwx--- pkiuser pkiuser Catalina
drwxrwx--- pkiuser pkiuser acme
drwxrwx--- pkiuser pkiuser alias
drwxrwx--- pkiuser pkiuser ca
-rw-r--r-- pkiuser pkiuser catalina.policy
lrwxrwxrwx pkiuser pkiuser catalina.properties -> /usr/share/pki/server/conf/catalina.properties
drwxrwx--- pkiuser pkiuser certs
lrwxrwxrwx pkiuser pkiuser context.xml -> /etc/tomcat/context.xml
lrwxrwxrwx pkiuser pkiuser logging.properties -> /usr/share/pki/server/conf/logging.properties
-rw-rw---- pkiuser pkiuser password.conf
-rw-rw---- pkiuser pkiuser server.xml
-rw-rw---- pkiuser pkiuser serverCertNick.conf
-rw-rw---- pkiuser pkiuser tomcat.conf
lrwxrwxrwx pkiuser pkiuser web.xml -> /etc/tomcat/web.xml
EOF
diff expected output
- name: Check PKI server logs dir after installation
run: |
# check file types, owners, and permissions
docker exec pki ls -l /var/log/pki/pki-tomcat \
| sed \
-e '/^total/d' \
-e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
| tee output
DATE=$(date +'%Y-%m-%d')
# TODO: review permissions
cat > expected << EOF
drwxrwx--- pkiuser pkiuser acme
drwxr-x--- pkiuser pkiuser backup
drwxrwx--- pkiuser pkiuser ca
-rw-rw-r-- pkiuser pkiuser catalina.$DATE.log
-rw-rw-r-- pkiuser pkiuser host-manager.$DATE.log
-rw-rw-r-- pkiuser pkiuser localhost.$DATE.log
-rw-r--r-- pkiuser pkiuser localhost_access_log.$DATE.txt
-rw-rw-r-- pkiuser pkiuser manager.$DATE.log
drwxr-xr-x pkiuser pkiuser pki
EOF
diff expected output
- name: Check ACME base dir
if: always()
run: |
docker exec pki ls -l /var/lib/pki/pki-tomcat/acme \
| sed \
-e '/^total/d' \
-e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
| tee output
# TODO: review permissions
cat > expected << EOF
lrwxrwxrwx pkiuser pkiuser conf -> /var/lib/pki/pki-tomcat/conf/acme
lrwxrwxrwx pkiuser pkiuser logs -> /var/lib/pki/pki-tomcat/logs/acme
EOF
diff expected output
- name: Check ACME conf dir
run: |
# check file types, owners, and permissions
docker exec pki ls -l /etc/pki/pki-tomcat/acme \
| sed \
-e '/^total/d' \
-e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
| tee output
# TODO: review permissions
cat > expected << EOF
-rw-rw---- pkiuser pkiuser database.conf
-rw-rw---- pkiuser pkiuser issuer.conf
-rw-rw---- pkiuser pkiuser realm.conf
EOF
diff expected output
- name: Check ACME database config
if: always()
run: |
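Review bot: the `# TODO: review permissions` comment is repeated in every new check step, so each `expected` listing pins whatever the installer currently produces rather than a reviewed policy; before merging, either resolve the TODO or state in the step which entries are intentionally world-readable (for example `drwxr-xr-x pkiuser pkiuser webapps` under the base dir and `-rw-rw-r-- pkiuser pkiuser catalina.$DATE.log` under the logs dir), so that a later tightening of modes is a deliberate change rather than a test failure to be papered over. Also, `Check ACME base dir` carries `if: always()` while the sibling `Check ACME conf dir` and the three `Check PKI server ... after installation` steps do not; pick one so the listings are collected consistently when installation fails.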
@@ -123,6 +239,11 @@ jobs:
run: |
docker exec pki cat /etc/pki/pki-tomcat/acme/realm.conf
- name: Check ACME logs dir
if: always()
run: |
docker exec pki ls -l /var/log/pki/pki-tomcat/acme
- name: Check initial ACME accounts
run: |
docker exec ds ldapsearch \
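Review bot: `Check ACME logs dir` only prints `ls -l /var/log/pki/pki-tomcat/acme` and never compares it with an expected listing, unlike the other directory checks added in this workflow; consider the same `sed` normalisation and `diff expected output` pattern so that an ownership or mode regression in the ACME log directory fails the job instead of scrolling past in the output.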
@@ -566,13 +687,83 @@ jobs:
diff expected actual
- name: Remove ACME from PKI container
run: |
docker exec pki pki-server acme-undeploy --wait
docker exec pki pki-server acme-remove
run: docker exec pki pkidestroy -s ACME -v

- name: Remove CA from PKI container
run: docker exec pki pkidestroy -s CA -v

- name: Check PKI server base dir after removal
run: |
# check file types, owners, and permissions
docker exec pki ls -l /var/lib/pki/pki-tomcat \
| sed \
-e '/^total/d' \
-e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
| tee output
# TODO: review permissions
cat > expected << EOF
lrwxrwxrwx pkiuser pkiuser conf -> /etc/pki/pki-tomcat
lrwxrwxrwx pkiuser pkiuser logs -> /var/log/pki/pki-tomcat
EOF
diff expected output
- name: Check PKI server conf dir after removal
run: |
# check file types, owners, and permissions
docker exec pki ls -l /etc/pki/pki-tomcat \
| sed \
-e '/^total/d' \
-e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
| tee output
# TODO: review permissions
cat > expected << EOF
drwxrwx--- pkiuser pkiuser Catalina
drwxrwx--- pkiuser pkiuser acme
drwxrwx--- pkiuser pkiuser alias
drwxrwx--- pkiuser pkiuser ca
-rw-r--r-- pkiuser pkiuser catalina.policy
lrwxrwxrwx pkiuser pkiuser catalina.properties -> /usr/share/pki/server/conf/catalina.properties
drwxrwx--- pkiuser pkiuser certs
lrwxrwxrwx pkiuser pkiuser context.xml -> /etc/tomcat/context.xml
lrwxrwxrwx pkiuser pkiuser logging.properties -> /usr/share/pki/server/conf/logging.properties
-rw-rw---- pkiuser pkiuser password.conf
-rw-rw---- pkiuser pkiuser server.xml
-rw-rw---- pkiuser pkiuser serverCertNick.conf
-rw-rw---- pkiuser pkiuser tomcat.conf
lrwxrwxrwx pkiuser pkiuser web.xml -> /etc/tomcat/web.xml
EOF
diff expected output
- name: Check PKI server logs dir after removal
run: |
# check file types, owners, and permissions
docker exec pki ls -l /var/log/pki/pki-tomcat \
| sed \
-e '/^total/d' \
-e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
| tee output
DATE=$(date +'%Y-%m-%d')
# TODO: review permissions
cat > expected << EOF
drwxrwx--- pkiuser pkiuser acme
drwxr-x--- pkiuser pkiuser backup
drwxrwx--- pkiuser pkiuser ca
-rw-rw-r-- pkiuser pkiuser catalina.$DATE.log
-rw-rw-r-- pkiuser pkiuser host-manager.$DATE.log
-rw-rw-r-- pkiuser pkiuser localhost.$DATE.log
-rw-r--r-- pkiuser pkiuser localhost_access_log.$DATE.txt
-rw-rw-r-- pkiuser pkiuser manager.$DATE.log
drwxr-xr-x pkiuser pkiuser pki
EOF
diff expected output
- name: Check DS server systemd journal
if: always()
run: |
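Review bot: the `expected` listing in `Check PKI server conf dir after removal` is identical to the post-installation one: after both ACME and CA have been destroyed, `/etc/pki/pki-tomcat` is still expected to contain `acme`, `ca`, `alias`, `certs`, `password.conf` and `server.xml`, and the logs dir is likewise still expected to contain `acme` and `ca`. If `pkidestroy` intentionally leaves the instance configuration and NSS database behind, say so in a step comment; if not, this test now pins behaviour that leaves `password.conf` (mode `-rw-rw----`, holding the instance's token and database passwords) on disk after the subsystems are gone, which deserves a cleanup check of its own. The three `after removal` steps also lack `if: always()`, so a failure in either `pkidestroy` step skips exactly the listings that would show what was left behind.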