commit 55f47d97b03bcda8f778a55b6cb2d1ffc9355432 Author: Adam Samalik Date: Thu Feb 23 11:48:00 2023 +0000 update modulemd etc
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..cd73a68
--- /dev/null
+++ b/README.md
@@ -0,0 +1,3 @@
+# pki-core
+
+The pki-core package
diff --git a/gating.yaml b/gating.yaml
new file mode 100644
index 0000000..d66e5fb
--- /dev/null
+++ b/gating.yaml
@@ -0,0 +1,8 @@
+--- !Policy
+product_versions:
+ - rhel-8
+decision_context: osci_compose_gate_modules
+subject_type: redhat-module
+rules:
+ - !PassingTestCaseRule {test_case_name: baseos-ci.redhat-module.tier0.functional}
+ - !PassingTestCaseRule {test_case_name: idm-ci.redhat-module.tier1.functional}
diff --git a/pki-core.yaml b/pki-core.yaml
new file mode 100644
index 0000000..4d9bcaa
--- /dev/null
+++ b/pki-core.yaml
@@ -0,0 +1,42 @@
+---
+document: modulemd
+version: 2
+data:
+ name: pki-core
+ stream: 10.6
+ summary: PKI Core module for PKI 10.6 or later
+ description: >-
+ A module for PKI Core packages for PKI version 10.6 or later.
+ license:
+ module:
+ - MIT
+ dependencies:
+ - buildrequires:
+ platform: [el8]
+ golang-ecosystem: [1.0]
+ pki-deps: [10.6]
+ requires:
+ platform: [el8]
+ pki-deps: [10.6]
+ references:
+ community: https://www.dogtagpki.org
+ documentation: https://www.dogtagpki.org
+ tracker: https://github.com/dogtagpki/pki/issues
+ components:
+ rpms:
+ jss:
+ rationale: JSS packages
+ ref: stream-pki-10.6-rhel-8.8.0
+ ldapjdk:
+ rationale: LDAP JDK packages
+ ref: stream-pki-10.6-rhel-8.8.0
+ buildorder: 1
+ pki-core:
+ rationale: PKI Core packages
+ ref: stream-pki-10.6-rhel-8.8.0
+ buildorder: 2
+ tomcatjss:
+ rationale: TomcatJSS packages
+ ref: stream-pki-10.6-rhel-8.8.0
+ buildorder: 1
+...
diff --git a/tests/roles/Test_Execution/files/config_templates/ansible_constants.py b/tests/roles/Test_Execution/files/config_templates/ansible_constants.py
new file mode 100644
index 0000000..8fa9004
--- /dev/null
+++ b/tests/roles/Test_Execution/files/config_templates/ansible_constants.py
@@ -0,0 +1,56 @@
+#common to all subsystems
+MASTER_HOSTNAME = 'pki1.example.com'
+CLONE_HOSTNAME = 'pki2.example.com'
+
+CLIENT_PKCS12_PASSWORD = 'SECret.123'
+CLIENT_DIR_PASSWORD = 'SECret.123'
+BACKUP_PASSWORD = 'SECret.123'
+CLIENT_DATABASE_PASSWORD = 'SECret.123'
+NSSDB = '/opt/pki/certdb'
+#CA Instance
+CA_HTTPS_PORT = '20443'
+CA_HTTP_PORT = '20080'
+CA_AJP_PORT = '20009'
+CA_TOMCAT_PORT = '20005'
+CA_CLIENT_DIR = '/opt/topology-CA'
+CA_INSTANCE_NAME = 'topology-CA'
+SECURITY_DOMAIN_PASSWORD = 'SECret.123'
+CA_PASSWORD = 'SECret.123'
+CA_SECURITY_DOMAIN_NAME = 'topology_Foobarmaster.org'
+CA_ADMIN_USERNAME = 'caadmin'
+CA_ADMIN_NICK = 'PKI CA Administrator for Example.Org'
+#KRA Instance
+KRA_INSTANCE_NAME = 'topology-KRA'
+KRA_HTTPS_PORT = 21443
+KRA_HTTP_PORT = 21080
+KRA_AJP_PORT = 21009
+KRA_TOMCAT_PORT = 21005
+KRA_PASSWORD = 'SECret.123'
+KRA_CLIENT_DIR = '/opt/topology-KRA'
+KRA_ADMIN_NICK = 'PKI KRA Administrator for Example.Org'
+#OCSP Instance
+OCSP_INSTANCE_NAME = 'topology-OCSP'
+OCSP_HTTPS_PORT = 22443
+OCSP_HTTP_PORT = 22080
+OCSP_AJP_PORT = 22009
+OCSP_TOMCAT_PORT = 22005
+OCSP_PASSWORD = 'SECret.123'
+OCSP_CLIENT_DIR = '/opt/topology-OCSP'
+OCSP_ADMIN_NICK = 'PKI OCSP Administrator for Example.Org'
+#TKS Instance
+TKS_INSTANCE_NAME = 'topology-TKS'
+TKS_HTTPS_PORT = 23443
+TKS_HTTP_PORT = 23080
+TKS_AJP_PORT = 23009
+TKS_TOMCAT_PORT = 23005
+TKS_PASSWORD = 'SECret.123'
+TKS_CLIENT_DIR = '/opt/topology-TKS'
+#TPS instance
+TPS_INSTANCE_NAME = 'topology-TPS'
+TPS_HTTPS_PORT = '25443'
+TPS_HTTP_PORT = '25080'
+TPS_AJP_PORT = '25009'
+TPS_TOMCAT_PORT = '25005'
+TPS_PASSWORD = 'SECret.123'
+TPS_CLIENT_DIR = '/opt/topology-TPS'
+TPS_ADMIN_NICK = 'PKI TPS Administrator for Example.Org'
diff --git a/tests/roles/Test_Execution/files/test/script b/tests/roles/Test_Execution/files/test/script
new file mode 100755
index 0000000..c98e4ae
--- /dev/null
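Review bot: This constants file is added again, nearly verbatim, in three more places in the same commit — `tests/roles/Test_Execution/handlers/config_templates/ansible_constants.py`, `tests/roles/Test_Trigger/files/config_templates/ansible_constants.py` and `tests/roles/Test_Trigger/files/test/constants.py` — and the copies already disagree (the Test_Trigger copies add the LDAP_* and TOKEN_* block, and the last one defines `TKS_ADMIN_NICK`, which is missing here), so keeping a single source and copying it into place would avoid the drift. Within this copy the port constants are typed inconsistently: CA_* and TPS_* ports are strings (`'20443'`) while KRA_*, OCSP_* and TKS_* ports are ints (`21443`); pick one form, e.g. `CA_HTTPS_PORT = 20443`, especially since `configure_common.yml` later strips the quotes to produce `constants.yml` anyway. A header comment such as `# Test-fixture credentials and ports for the pkispawn topologies; SECret.123 is a throw-away password shared by every subsystem` would make explicit that these are fixture values rather than deployment defaults.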
+++ b/tests/roles/Test_Execution/files/test/script 
@@ -0,0 +1,79 @@
+#!/bin/sh
+#Generate Noise using Openssl
+echo "Defining variables "
+tks_password="/tmp/tkspassword.txt"
+tps_password="/tmp/tpspassword.txt"
+tks_alias="/var/lib/pki/$1-TKS/alias"
+tps_alias="/var/lib/pki/$1-TPS/alias"
+tks_noise="/tmp/tks_noise"
+tks_shared_secret="sharedSecret"
+tks_conf="/var/lib/pki/$1-TKS/tks/conf/CS.cfg"
+tps_conf="/var/lib/pki/$1-TPS/tps/conf/CS.cfg"
+tps_input_file="/tmp/tps-input.txt"
+tks_secret_output="/tmp/secret"
+tks_input_file="/tmp/tks-input.txt"
+tks_input="proceed\r\n"
+tks_secret_output="/tmp/sharedSecret.out"
+tps_key_import_status="/tmp/sharedSecretImport.out"
+echo "proceed\r\n" > $tks_input_file
+echo "Generate Noise using OpenSSL"
+openssl rand -hex 2048 | perl -p -e 's/\n//' > $tks_noise
+cat /var/lib/pki/$1-TKS/conf/password.conf | sed 's/^internal=//' > $tks_password
+cat /var/lib/pki/$1-TPS/conf/password.conf | sed 's/^internal=//' > $tps_password
+
+echo "Stopping TKS & TPS instance"
+systemctl stop pki-tomcatd@$1-TKS.service
+systemctl stop pki-tomcatd@$1-TPS.service
+echo "Generating shared secret"
+/usr/bin/tkstool -D -d $tks_alias -n "TPS-`hostname`-25443 sharedSecret" -f $tks_password
+/usr/bin/tkstool -T -d $tks_alias -n $tks_shared_secret -f $tks_password -z $tks_noise > $tks_secret_output < $tks_input_file
+/usr/bin/tkstool -L -d $tks_alias -n $tks_shared_secret -f $tks_password > /tmp/sharedSecretList1.out
+grep "$tks_shared_secret" /tmp/sharedSecretList1.out
+first_session_tmp1=$(cat $tks_secret_output | grep -A1 "first\ssession\skey\sshare:")
+first_session_tmp2=$(echo $first_session_tmp1 | sed 's/^first session key share://')
+first_session_key=$(echo ${first_session_tmp2%% })
+first_session_KCV_tmp1=$(cat $tks_secret_output | grep "first\ssession\skey\sshare\sKCV:")
+first_session_KCV_tmp2=$(echo $first_session_KCV_tmp1 | sed 's/^first session key share KCV://')
+first_session_KCV_key=$(echo ${first_session_KCV_tmp2%% })
+
+second_session_tmp1=$(cat $tks_secret_output | grep -A1
"second\ssession\skey\sshare:")
+second_session_tmp2=$(echo $second_session_tmp1 | sed 's/^second session key share://')
+second_session_key=$(echo ${second_session_tmp2%% })
+second_session_KCV_tmp1=$(cat $tks_secret_output | grep "second\ssession\skey\sshare\sKCV:")
+second_session_KCV_tmp2=$(echo $second_session_KCV_tmp1 | sed 's/^second session key share KCV://')
+second_session_KCV_key=$(echo ${second_session_KCV_tmp2%% })
+
+third_session_tmp1=$(cat $tks_secret_output | grep -A1 "third\ssession\skey\sshare:")
+third_session_tmp2=$(echo $third_session_tmp1 | sed 's/^third session key share://')
+third_session_key=$(echo ${third_session_tmp2%% })
+third_session_KCV_tmp1=$(cat $tks_secret_output | grep "third\ssession\skey\sshare\sKCV:")
+third_session_KCV_tmp2=$(echo $third_session_KCV_tmp1 | sed 's/^third session key share KCV://')
+third_session_KCV_key=$(echo ${third_session_KCV_tmp2%% })
+
+sed -i -e "/tps.0.nickname=/s/=.*/=$tks_shared_secret/g" $tks_conf
+sed -i -e "/tks.tksSharedSymKeyName=/s/=.*/=$tks_shared_secret/g" $tks_conf
+echo "Restart $1-TKS instance"
+systemctl restart pki-tomcatd@$1-TKS.service
+echo "proceed\r\n" > $tps_input_file
+echo "$first_session_key\r\n" >> $tps_input_file
+echo "\r\n" >> $tps_input_file
+echo "$first_session_KCV_key\r\n" >> $tps_input_file
+echo "proceed\r\n" >> $tps_input_file
+echo "proceed\r\n" >> $tps_input_file
+echo "$second_session_key\r\n" >> $tps_input_file
+echo "\r\n" >> $tps_input_file
+echo "$second_session_KCV_key\r\n" >> $tps_input_file
+echo "proceed\r\n" >> $tps_input_file
+echo "proceed\r\n" >> $tps_input_file
+echo "$third_session_key\r\n" >> $tps_input_file
+echo "\r\n" >> $tps_input_file
+echo "$third_session_KCV_key\r\n" >> $tps_input_file
+echo "proceed\r\n" >> $tps_input_file
+
+/usr/bin/tkstool -I -d $tps_alias -n $tks_shared_secret -f $tps_password < $tps_input_file > $tps_key_import_status
+/usr/bin/tkstool -L -d $tps_alias -n $tks_shared_secret -f $tps_password > /tmp/sharedSecretList2.out
+grep "$tks_shared_secret" /tmp/sharedSecretList2.out
+sed -i -e "/tps.connector.tks1.tksSharedSymKeyName=/s/=.*/=$tks_shared_secret/g" $tps_conf
+sed -i -e "/conn.tks1.tksSharedSymKeyName=/s/=.*/=$tks_shared_secret/g" $tps_conf
+echo "Restart $1-TPS instance"
+systemctl restart pki-tomcatd@$1-TPS.service
diff --git a/tests/roles/Test_Execution/handlers/config_templates/ansible_constants.py b/tests/roles/Test_Execution/handlers/config_templates/ansible_constants.py
new file mode 100644
index 0000000..8fa9004
--- /dev/null
+++ b/tests/roles/Test_Execution/handlers/config_templates/ansible_constants.py
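Review bot: The script copies both instances' NSS database passwords and the freshly generated shared-secret key shares into fixed, predictable paths under /tmp (`/tmp/tkspassword.txt`, `/tmp/tpspassword.txt`, `/tmp/sharedSecret.out`, `/tmp/tps-input.txt`) with the process's default umask and never removes them, so the key material outlives the run and is typically readable by any local user on a shared test host. Create them under a private directory instead, e.g. `umask 077; work=$(mktemp -d) || exit 1` near the top and `trap 'rm -rf "$work"' EXIT`, and point the `*_password`, `tks_secret_output` and `tps_input_file` variables at `$work`. Two smaller points: `tks_secret_output` is assigned twice (`/tmp/secret` is dead) and `tks_input` is never used, and `echo "proceed\r\n"` relies on the `#!/bin/sh` implementation interpreting backslash escapes, which dash does and bash does not — `printf 'proceed\r\n'` behaves the same everywhere.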
@@ -0,0 +1,56 @@
+#common to all subsystems
+MASTER_HOSTNAME = 'pki1.example.com'
+CLONE_HOSTNAME = 'pki2.example.com'
+
+CLIENT_PKCS12_PASSWORD = 'SECret.123'
+CLIENT_DIR_PASSWORD = 'SECret.123'
+BACKUP_PASSWORD = 'SECret.123'
+CLIENT_DATABASE_PASSWORD = 'SECret.123'
+NSSDB = '/opt/pki/certdb'
+#CA Instance
+CA_HTTPS_PORT = '20443'
+CA_HTTP_PORT = '20080'
+CA_AJP_PORT = '20009'
+CA_TOMCAT_PORT = '20005'
+CA_CLIENT_DIR = '/opt/topology-CA'
+CA_INSTANCE_NAME = 'topology-CA'
+SECURITY_DOMAIN_PASSWORD = 'SECret.123'
+CA_PASSWORD = 'SECret.123'
+CA_SECURITY_DOMAIN_NAME = 'topology_Foobarmaster.org'
+CA_ADMIN_USERNAME = 'caadmin'
+CA_ADMIN_NICK = 'PKI CA Administrator for Example.Org'
+#KRA Instance
+KRA_INSTANCE_NAME = 'topology-KRA'
+KRA_HTTPS_PORT = 21443
+KRA_HTTP_PORT = 21080
+KRA_AJP_PORT = 21009
+KRA_TOMCAT_PORT = 21005
+KRA_PASSWORD = 'SECret.123'
+KRA_CLIENT_DIR = '/opt/topology-KRA'
+KRA_ADMIN_NICK = 'PKI KRA Administrator for Example.Org'
+#OCSP Instance
+OCSP_INSTANCE_NAME = 'topology-OCSP'
+OCSP_HTTPS_PORT = 22443
+OCSP_HTTP_PORT = 22080
+OCSP_AJP_PORT = 22009
+OCSP_TOMCAT_PORT = 22005
+OCSP_PASSWORD = 'SECret.123'
+OCSP_CLIENT_DIR = '/opt/topology-OCSP'
+OCSP_ADMIN_NICK = 'PKI OCSP Administrator for Example.Org'
+#TKS Instance
+TKS_INSTANCE_NAME = 'topology-TKS'
+TKS_HTTPS_PORT = 23443
+TKS_HTTP_PORT = 23080
+TKS_AJP_PORT = 23009
+TKS_TOMCAT_PORT = 23005
+TKS_PASSWORD = 'SECret.123'
+TKS_CLIENT_DIR = '/opt/topology-TKS'
+#TPS instance
+TPS_INSTANCE_NAME = 'topology-TPS'
+TPS_HTTPS_PORT = '25443'
+TPS_HTTP_PORT = '25080'
+TPS_AJP_PORT = '25009'
+TPS_TOMCAT_PORT = '25005'
+TPS_PASSWORD = 'SECret.123'
+TPS_CLIENT_DIR = '/opt/topology-TPS'
+TPS_ADMIN_NICK = 'PKI TPS Administrator for Example.Org'
diff --git a/tests/roles/Test_Execution/handlers/main.yml b/tests/roles/Test_Execution/handlers/main.yml
new file mode 100644
index 0000000..3342a9a
--- /dev/null
+++ b/tests/roles/Test_Execution/handlers/main.yml
@@ -0,0 +1,3 @@
+- name: Inclue pki-core handlers
+ include: pki-core.yml
+ tags: pki-core
\ No newline at end of file
diff --git a/tests/roles/Test_Execution/handlers/pki-core.yml b/tests/roles/Test_Execution/handlers/pki-core.yml
new file mode 100644
index 0000000..ed22477
--- /dev/null
+++ b/tests/roles/Test_Execution/handlers/pki-core.yml
@@ -0,0 +1,54 @@
+- name: STOPCA
+ service:
+ name: pki-tomcatd@{{ topology }}-CA
+ state: stopped
+
+- name: STARTCA
+ service:
+ name: pki-tomcatd@{{ topology }}-CA
+ state: started
+
+- name: STOPKRA
+ service:
+ name: pki-tomcatd@{{ topology }}-KRA
+ state: stopped
+
+- name: STARTKRA
+ service:
+ name: pki-tomcatd@{{ topology }}-KRA
+ state: started
+
+- name: STOPOCSP
+ service:
+ name: pki-tomcatd@{{ topology }}-OCSP
+ state: stopped
+
+- name: STARTOCSP
+ service:
+ name: pki-tomcatd@{{ topology }}-OCSP
+ state: started
+
+- name: STOPTKS
+ service:
+ name: pki-tomcatd@{{ topology }}-TKS
+ state: stopped
+
+- name: STARTTKS
+ service:
+ name: pki-tomcatd@{{ topology }}-TKS
+ state: started
+
+- name: STOPTPS
+ service:
+ name: pki-tomcatd@{{ topology }}-TPS
+ state: stopped
+
+- name: STARTTPS
+ service:
+ name: pki-tomcatd@{{ topology }}-TPS
+ state: started
+
+- name: INC_CONSTANTS
+ include_vars:
+ file: /tmp/test_dir/constants.yml
+ name: variable
diff --git a/tests/roles/Test_Execution/tasks/configure_ca.yml b/tests/roles/Test_Execution/tasks/configure_ca.yml
new file mode 100644
index 0000000..a1de87d
--- /dev/null
+++ b/tests/roles/Test_Execution/tasks/configure_ca.yml
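Review bot: The task name `Inclue pki-core handlers` has a typo — `Include pki-core handlers`. The `include:` keyword used here (and in `tests/roles/Test_Execution/tasks/main.yml` in this commit) has been deprecated since Ansible 2.4 in favour of `import_tasks`/`include_tasks`; `- import_tasks: pki-core.yml` does the same job for a handler file without the deprecation warning. The file is also committed without a trailing newline.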
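Review bot: Every START* handler uses `state: started`, which is a no-op when the instance is already running, so any task that edits CS.cfg or server.xml after a start and then notifies START* never gets its change applied — `configure_ocsp.yml` in this commit hits exactly this case. Either add matching `RESTART*` handlers with `state: restarted` for post-start edits, or keep every file to a strict stop → edit → start sequence. `INC_CONSTANTS` loads `/tmp/test_dir/constants.yml` only when notified and flushed, so tasks that read `variable.*` silently depend on a preceding `notify: INC_CONSTANTS` plus `meta: flush_handlers`; a plain `include_vars` task at the top of each file that needs it would make that dependency explicit.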
@@ -0,0 +1,18 @@
+- name: Install CA master
+ shell: pkispawn -s CA -f /tmp/test_dir/ca.cfg
+
+- name : Stopping CA Subsystem
+ shell: systemctl stop pki-tomcatd@{{ topology }}-CA.service
+
+- name: Enable SignedAudit for Subsystem
+ replace: dest=/etc/pki/{{ topology }}-CA/ca/CS.cfg regexp="log.instance.SignedAudit.logSigning=false" replace="log.instance.SignedAudit.logSigning=true"
+
+- name: Getting certificate nickname for CA CS.cfg
+ shell: grep "ca.ocsp_signing.nickname" /etc/pki/{{ topology }}-CA/ca/CS.cfg |awk -F"=" ' { print $2 } '
+ register: nickname_ocsp
+
+- name: Importing client certificate for OCSP
+ shell: certutil -L -d /var/lib/pki/{{ topology }}-CA/alias -n "{{ nickname_ocsp.stdout }}" -a > /tmp/test_dir/ocsp_signing.crt
+
+- name : Starting CA Subsystem
+ shell: systemctl start pki-tomcatd@{{ topology }}-CA.service
diff --git a/tests/roles/Test_Execution/tasks/configure_common.yml b/tests/roles/Test_Execution/tasks/configure_common.yml
new file mode 100644
index 0000000..9b4e6e8
--- /dev/null
+++ b/tests/roles/Test_Execution/tasks/configure_common.yml
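Review bot: `Stopping CA Subsystem` and `Starting CA Subsystem` shell out to `systemctl` although this commit defines `STOPCA`/`STARTCA` handlers in `handlers/pki-core.yml` and the KRA/OCSP/TKS/TPS task files drive their instances through handlers; `notify: STOPCA` followed by `meta: flush_handlers` would keep the five subsystem files consistent. `Importing client certificate for OCSP` interpolates `nickname_ocsp.stdout` straight into a shell command line; the value comes from the instance's own CS.cfg so it is trusted here, but `-n {{ nickname_ocsp.stdout | quote }}` documents that and survives a nickname containing quotes or spaces. The `replace:` regexp `log.instance.SignedAudit.logSigning=false` leaves its dots unescaped, which is harmless for this key but worth a `\.` for exactness.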
@@ -0,0 +1,80 @@
+- name: Disable firewalld before LDAP and Subsystem installation
+ systemd: state=stopped name=firewalld
+ when: ansible_distribution == "RedHat" and ansible_distribution_version <= '7.4'
+
+- name : Set hostname for machines Bydefault we choose pki1 for master and pki2 for clones.
+ hostname: name=pki1.example.com
+ tags: platform-ci
+
+- name: Install a required package for modify hostname task below
+ dnf: pkg={{item}} state=latest
+ with_items:
+ - libselinux-python
+ when: ansible_distribution == "Fedora"
+
+- name : Modify hostname for master in /etc/hosts
+ lineinfile: dest=/etc/hosts regexp='.*{{ inventory_hostname }}$' create=yes insertafter=EOF line="{{ inventory_hostname }} {{ansible_fqdn}}" state=present
+ tags: platform-ci
+
+- name: install 389-ds-base module rhel8
+ shell: dnf module enable 389-ds:1.4 -y
+ when: ansible_distribution == "RedHat" and ansible_distribution_major_version == '8'
+
+- name: install 389-ds-base
+ shell: dnf -y install 389-ds-base 389-ds-base-snmp 389-ds-base-legacy-tools
+ when: ansible_distribution == "RedHat" and ansible_distribution_major_version == '8'
+
+- name: install pki-core module rhel8
+ shell: dnf module enable pki-core:10.6 -y
+ when: ansible_distribution == "RedHat" and ansible_distribution_major_version == '8'
+
+- name: install pki-core module rhel8
+ shell: dnf install pki-ca pki-kra -y
+ when: ansible_distribution == "RedHat" and ansible_distribution_major_version == '8'
+
+- name: Install list of packages for CS Master for Redhat
+ yum : pkg={{item}} state=latest
+ with_items:
+ - redhat-pki
+ - redhat-pki-console-theme
+ - redhat-pki-server-theme
+ - pki-console
+ - 389-ds-base
+ - pki-ca
+ - pki-kra
+ - pki-ocsp
+ - pki-tks
+ - pki-tps
+ - policycoreutils-python
+ - expect
+ - libselinux-python
+ when: ansible_distribution == "RedHat" and ansible_distribution_version <= '7.6'
+ tags: platform-ci
+
+- name: Install list of packages for CS Master for Fedora
+ dnf : pkg={{item}}
state=latest
+ with_items:
+ - 389-ds-base
+ - dogtag-pki
+ - dogtag-pki-console-theme
+ - dogtag-pki-server-theme
+ - policycoreutils-python
+ - expect
+ when: ansible_distribution == "Fedora"
+ tags: platform-ci
+
+- name: Check for Removed dependency from mod_revocator and mod_nss.If failes refer BZ 1295276
+ command: rpm -q {{item}}
+ with_items:
+ - mod_revocator
+ - mod_nss
+ register: rpm_check
+ failed_when: "rpm_check.rc == 0"
+
+- name: Check for Removed dependency of perl from pki-server.If fails, refer BZ 1305769
+ command: rpm -qR pki-server | grep perl
+ register: rpm_check
+ failed_when: "rpm_check.rc == 0"
+
+- name: Making constants.py file compatable for including as vars.
+ shell: sed -e "s/ =/:/g;s/'//g" /tmp/test_dir/constants.py > /tmp/test_dir/constants.yml
diff --git a/tests/roles/Test_Execution/tasks/configure_kra.yml b/tests/roles/Test_Execution/tasks/configure_kra.yml
new file mode 100644
index 0000000..a8bdc87
--- /dev/null
+++ b/tests/roles/Test_Execution/tasks/configure_kra.yml
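Review bot: `Check for Removed dependency of perl from pki-server` uses `command:`, which does not go through a shell, so in `command: rpm -qR pki-server | grep perl` the tokens `|`, `grep` and `perl` are handed to rpm as extra package names; rpm exits non-zero for the unknown names, `failed_when: "rpm_check.rc == 0"` never fires, and the check passes whatever pki-server requires — this one must be `shell:` (the preceding `rpm -q {{item}}` check is a single command and is fine with `command:`). The `when:` guards compare versions as strings (`ansible_distribution_version <= '7.4'`, `<= '7.6'`), which orders `'7.10'` before `'7.4'`; `ansible_distribution_version is version('7.4', '<=')` compares numerically. The two RHEL 8 tasks are both named `install pki-core module rhel8` although the second installs packages rather than enabling the module, which makes the run log ambiguous.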
@@ -0,0 +1,36 @@
+- name: Install KRA master
+ shell: pkispawn -s KRA -f /tmp/test_dir/kra.cfg
+
+- name : Stopping KRA Subsystem
+ shell: echo "Stopping Subsystem for enabling Audit logging"
+ notify:
+ - STOPKRA
+ - INC_CONSTANTS
+
+- meta: flush_handlers
+
+- name: Enable SignedAudit
+ replace: dest=/etc/pki/{{ topology }}-KRA/kra/CS.cfg regexp="log.instance.SignedAudit.logSigning=false" replace="log.instance.SignedAudit.logSigning=true"
+
+- name: Enable OCSP for KRA
+ replace: dest=/etc/pki/{{ topology }}-KRA/server.xml regexp='enableOCSP="false"' replace='enableOCSP="true"'
+
+- name: Pointing KRA to correct OCSP port
+ replace: dest=/etc/pki/{{ topology }}-KRA/server.xml regexp='([0-9]+)/ca/ocsp' replace={{ variable.CA_HTTP_PORT }}/ca/ocsp
+
+- name: Picking the password in run-time from password.conf of KRA
+ shell: grep -i "internal=" /etc/pki/{{ topology }}-KRA/password.conf | awk -F"=" ' { print $2 } ' > /tmp/test_dir/certutil_password
+
+- name: Importing OCSP certificate in kra nssdb
+ shell: certutil -A -d /etc/pki/{{ topology }}-KRA/alias -n "ocspSigningCert cert-pki-ca" -t "C,," -i /tmp/test_dir/ocsp_signing.crt -f /tmp/test_dir/certutil_password
+ notify:
+ - STARTKRA
+
+- name: Removing file generated with password
+ file:
+ path: "{{ item }}"
+ state: absent
+ with_items:
+ - /tmp/test_dir/certutil_password
+
+
diff --git a/tests/roles/Test_Execution/tasks/configure_ldap.yml b/tests/roles/Test_Execution/tasks/configure_ldap.yml
new file mode 100644
index 0000000..18a79c1
--- /dev/null
+++ b/tests/roles/Test_Execution/tasks/configure_ldap.yml
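Review bot: `Picking the password in run-time from password.conf of KRA` writes the instance's NSS database password to `/tmp/test_dir/certutil_password` with whatever permissions the shell's umask gives, and `Removing file generated with password` only runs if every task in between succeeds, so a failing `certutil -A` leaves the password on disk; the same pattern is repeated in `configure_ocsp.yml`, `configure_tks.yml` and `configure_tps.yml` in this commit. Wrapping the grep, the certutil import and the removal in a `block:` with the `file: state=absent` task under `always:` guarantees the cleanup on both paths. The `Removing file` task also loops over a single item with `with_items:`, where a plain `path: /tmp/test_dir/certutil_password` reads more directly.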
@@ -0,0 +1,26 @@
+- name: add nondefault port to selinux context
+ shell: |
+ semanage port -a -t ldap_port_t -p tcp 3389
+ semanage port -a -t ldap_port_t -p udp 3389
+ semanage port -l | grep ldap_port_t
+ when: topology == "topology-02"
+
+- name: Setup DS Service
+ shell: setup-ds.pl --silent --file=/tmp/test_dir/ldap.cfg
+ when: topology == "topology-01" or topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" or topology == "topology-ecc"
+
+- name: Setup DS Service
+ shell: setup-ds.pl --silent --file=/tmp/test_dir/ldap_kra.cfg
+ when: topology == "topology-05"
+
+- name: Setup DS Service
+ shell: setup-ds.pl --silent --file=/tmp/test_dir/ldap_ocsp.cfg
+ when: topology == "topology-05"
+
+- name: Setup DS Service
+ shell: setup-ds.pl --silent --file=/tmp/test_dir/ldap_tks.cfg
+ when: topology == "topology-05"
+
+- name: Setup DS Service
+ shell: setup-ds.pl --silent --file=/tmp/test_dir/ldap_tps.cfg
+ when: topology == "topology-05"
diff --git a/tests/roles/Test_Execution/tasks/configure_ocsp.yml b/tests/roles/Test_Execution/tasks/configure_ocsp.yml
new file mode 100644
index 0000000..688f64d
--- /dev/null
+++ b/tests/roles/Test_Execution/tasks/configure_ocsp.yml
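Review bot: `add nondefault port to selinux context` runs `semanage port -a` unconditionally, which fails with an "already defined" error on any re-run of topology-02 and makes the play non-idempotent; the `seport` module (`seport: ports=3389 proto=tcp setype=ldap_port_t state=present`, once per protocol) handles both the fresh and the re-run case. The five `Setup DS Service` tasks share one name, so the run log cannot tell which directory instance failed — suffixing the config name (`Setup DS Service (ldap_kra.cfg)`) costs nothing. The long `when: topology == ... or topology == ...` chain reads more easily as `when: topology in ['topology-01', 'topology-02', 'topology-03', 'topology-04', 'topology-05', 'topology-ecc']`.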
@@ -0,0 +1,35 @@
+- name: sleep
+ shell: sleep 5s
+
+- name: Install OCSP master
+ shell: pkispawn -s OCSP -f /tmp/test_dir/ocsp.cfg
+
+- name : Stopping OCSP Subsystem
+ shell: echo "Stopping Subsystem for enabling Audit logging"
+ notify:
+ - STOPOCSP
+
+- name: Enable SignedAudit
+ replace: dest=/etc/pki/{{ topology }}-OCSP/ocsp/CS.cfg regexp="log.instance.SignedAudit.logSigning=false" replace="log.instance.SignedAudit.logSigning=true"
+ notify:
+ - STARTOCSP
+
+- meta: flush_handlers
+
+- name: Enable OCSP
+ replace: dest=/etc/pki/{{ topology }}-OCSP/server.xml regexp='enableOCSP="false"' replace='enableOCSP="true"'
+
+- name: Picking the password in run-time from password.conf of OCSP.
+ shell: grep -i "internal=" /etc/pki/{{ topology }}-OCSP/password.conf | awk -F"=" ' { print $2 } ' > /tmp/test_dir/certutil_password
+
+- name: Importing OCSP certificate in ocsp nssdb
+ shell: certutil -A -d /etc/pki/{{ topology }}-OCSP/alias -n "ocspSigningCert cert-pki-ca" -t "C,," -i /tmp/test_dir/ocsp_signing.crt -f /tmp/test_dir/certutil_password
+ notify:
+ - STARTOCSP
+
+- name: Removing file generated with password
+ file:
+ path: "{{ item }}"
+ state: absent
+ with_items:
+ - /tmp/test_dir/certutil_password
diff --git a/tests/roles/Test_Execution/tasks/configure_shared.yml b/tests/roles/Test_Execution/tasks/configure_shared.yml
new file mode 100644
index 0000000..3a858af
--- /dev/null
+++ b/tests/roles/Test_Execution/tasks/configure_shared.yml
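Review bot: `Enable SignedAudit` notifies `STARTOCSP` and the following `meta: flush_handlers` brings the instance back up, but `Enable OCSP` then edits `server.xml` and `Importing OCSP certificate in ocsp nssdb` modifies the alias database while the server is already running; the closing `notify: STARTOCSP` is a `state: started` handler, so it is a no-op on a running service and neither change takes effect until something else restarts the instance. Drop the first `notify: STARTOCSP` so the flush only stops the instance, matching the order `configure_kra.yml` uses, or make the closing handler a restart. Unlike the KRA/TKS/TPS variants this file does not notify `INC_CONSTANTS`, which is consistent only as long as it never references `variable.*`; a one-line comment saying so would stop the next edit from adding a `variable.` lookup without the handler.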
@@ -0,0 +1,19 @@
+- name: Install CA master
+ shell: pkispawn -s CA -f /tmp/test_dir/ca.cfg
+
+- name: Install KRA master
+ shell: pkispawn -s KRA -f /tmp/test_dir/kra.cfg
+
+- name : Stopping pki-tomcat Instance
+ shell: systemctl stop pki-tomcatd@pki-tomcat.service
+# notify:
+# - INC_CONSTANTS
+
+- name: Enable SignedAudit for all subsystem
+ replace: dest=/etc/pki/pki-tomcat/{{ item }}/CS.cfg regexp="log.instance.SignedAudit.logSigning=false" replace="log.instance.SignedAudit.logSigning=true"
+ with_items:
+ - ca
+ - kra
+
+- name : Starting pki-tomcat Instance
+ shell: systemctl start pki-tomcatd@pki-tomcat.service
\ No newline at end of file
diff --git a/tests/roles/Test_Execution/tasks/configure_sharedsecret.yml b/tests/roles/Test_Execution/tasks/configure_sharedsecret.yml
new file mode 100644
index 0000000..f2e4de4
--- /dev/null
+++ b/tests/roles/Test_Execution/tasks/configure_sharedsecret.yml
@@ -0,0 +1,4 @@
+- name: Shared Secret sharing between TPS and TKS
+ script: test/script {{ topology }}
+ when: topology == "topology-02" or topology == "topology-05"
+ tags: platform-ci
diff --git a/tests/roles/Test_Execution/tasks/configure_tks.yml b/tests/roles/Test_Execution/tasks/configure_tks.yml
new file mode 100644
index 0000000..2d578a5
--- /dev/null
+++ b/tests/roles/Test_Execution/tasks/configure_tks.yml
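Review bot: `Stopping pki-tomcat Instance` carries two commented-out `notify:` lines for `INC_CONSTANTS`; either the constants are needed in this file and the handler should be notified (followed by `meta: flush_handlers`), or the dead lines should be removed so the next reader does not wonder whether they were disabled on purpose. The stop/start here use `shell: systemctl ...` because no handler exists for the shared `pki-tomcat` instance; a `service: name=pki-tomcatd@pki-tomcat state=stopped` task would match how `handlers/pki-core.yml` manages the other instances. The file is also committed without a trailing newline.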
@@ -0,0 +1,39 @@
+- name: Install TKS master
+ shell: pkispawn -s TKS -f /tmp/test_dir/tks.cfg
+
+- name : Stopping TKS Subsystem
+ shell: echo "Stopping Subsystem for enabling Audit logging"
+ notify:
+ - STOPTKS
+ - INC_CONSTANTS
+
+- meta: flush_handlers
+
+- name: Enable SignedAudit
+ replace: dest=/etc/pki/{{ topology }}-TKS/tks/CS.cfg regexp="log.instance.SignedAudit.logSigning=false" replace="log.instance.SignedAudit.logSigning=true"
+
+- name: Enable OCSP for TKS
+ replace: dest=/etc/pki/{{ topology }}-TKS/server.xml regexp='enableOCSP="false"' replace='enableOCSP="true"'
+
+- name: Pointing TKS to correct OCSP port
+ replace: dest=/etc/pki/{{ topology }}-TKS/server.xml regexp='([0-9]+)/ca/ocsp' replace={{ variable.CA_HTTP_PORT }}/ca/ocsp
+
+- name: Picking the password in run-time from password.conf of TKS
+ shell: grep -i "internal=" /etc/pki/{{ topology }}-TKS/password.conf | awk -F"=" ' { print $2 } ' > /tmp/test_dir/certutil_password
+
+- name: Importing OCSP certificate in TKS nssdb
+ shell: certutil -A -d /etc/pki/{{ topology }}-TKS/alias -n "ocspSigningCert cert-pki-ca" -t "C,," -i /tmp/test_dir/ocsp_signing.crt -f /tmp/test_dir/certutil_password
+ notify:
+ - STARTTKS
+
+- meta: flush_handlers
+
+- name: Sleep for a while to start TKS
+ shell: sleep 3s
+
+- name: Removing file generated with password
+ file:
+ path: "{{ item }}"
+ state: absent
+ with_items:
+ - /tmp/test_dir/certutil_password
diff --git a/tests/roles/Test_Execution/tasks/configure_tps.yml b/tests/roles/Test_Execution/tasks/configure_tps.yml
new file mode 100644
index 0000000..b8292b7
--- /dev/null
+++ b/tests/roles/Test_Execution/tasks/configure_tps.yml
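Review bot: `Sleep for a while to start TKS` uses `shell: sleep 3s` as a fixed delay after `meta: flush_handlers`, which is racy on a slow host and wasted time on a fast one; `wait_for: port={{ variable.TKS_HTTPS_PORT }} timeout=120` would block on the listener the later TKS/TPS steps actually need, assuming the constants loaded by `INC_CONSTANTS` carry the real port rather than a placeholder. The same fixed-delay pattern appears as `shell: sleep 5s` at the top of `configure_ocsp.yml` in this commit. A short comment on the task saying what the wait is for (the instance finishing startup before the shared-secret script runs) would also help, since nothing in this file consumes the delay.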
@@ -0,0 +1,34 @@
+- name: Install TPS master
+ shell: pkispawn -s TPS -f /tmp/test_dir/tps.cfg
+
+- name : Stopping TPS Subsystem
+ shell: echo "Stopping Subsystem for enabling Audit logging"
+ notify:
+ - STOPTPS
+ - INC_CONSTANTS
+
+- meta: flush_handlers
+
+- name: Enable SignedAudit
+ replace: dest=/etc/pki/{{ topology }}-TPS/tps/CS.cfg regexp="log.instance.SignedAudit.logSigning=false" replace="log.instance.SignedAudit.logSigning=true"
+
+- name: Enable OCSP for TPS
+ replace: dest=/etc/pki/{{ topology }}-TPS/server.xml regexp='enableOCSP="false"' replace='enableOCSP="true"'
+
+- name: Pointing TPS to correct OCSP port
+ replace: dest=/etc/pki/{{ topology }}-TPS/server.xml regexp='([0-9]+)/ca/ocsp' replace={{ variable.CA_HTTP_PORT }}/ca/ocsp
+
+- name: Picking the password in run-time from password.conf of TPS
+ shell: grep -i "internal=" /etc/pki/{{ topology }}-TPS/password.conf | awk -F"=" ' { print $2 } ' > /tmp/test_dir/certutil_password
+
+- name: Importing OCSP certificate in tps nssdb
+ shell: certutil -A -d /etc/pki/{{ topology }}-TPS/alias -n "ocspSigningCert cert-pki-ca" -t "C,," -i /tmp/test_dir/ocsp_signing.crt -f /tmp/test_dir/certutil_password
+ notify:
+ - STARTTPS
+
+- name: Removing file generated with password
+ file:
+ path: "{{ item }}"
+ state: absent
+ with_items:
+ - /tmp/test_dir/certutil_password
diff --git a/tests/roles/Test_Execution/tasks/main.yml b/tests/roles/Test_Execution/tasks/main.yml
new file mode 100644
index 0000000..f56ccfa
--- /dev/null
+++ b/tests/roles/Test_Execution/tasks/main.yml
@@ -0,0 +1,11 @@
+---
+- include: configure_common.yml
+ when: topology == "topology-00" or topology == "topology-01" or topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" or topology == "topology-ecc"
+- include: configure_ldap.yml
+ when: topology == "topology-01" or topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" or topology == "topology-ecc"
+- include: configure_shared.yml
+ when: topology == "topology-01"
+- include: configure_ca.yml
+ when: topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" or topology == "topology-ecc"
+- include: configure_kra.yml
+ when: topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" or topology == "topology-ecc"
diff --git a/tests/roles/Test_Trigger/files/config_templates/ansible_constants.py b/tests/roles/Test_Trigger/files/config_templates/ansible_constants.py
new file mode 100644
index 0000000..c530163
--- /dev/null
+++ b/tests/roles/Test_Trigger/files/config_templates/ansible_constants.py
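Review bot: The role entry point only includes `configure_common`, `configure_ldap`, `configure_shared`, `configure_ca` and `configure_kra`, while this commit also adds `configure_ocsp.yml`, `configure_tks.yml`, `configure_tps.yml` and `configure_sharedsecret.yml` under the same `tasks/` directory; unless they are pulled in from somewhere outside this diff they are dead files, and topology-02/05, which `configure_sharedsecret.yml` targets, would never get the TKS/TPS setup or the shared-secret exchange. `include:` is deprecated in favour of `import_tasks`/`include_tasks`, and the repeated `topology == "…" or …` chains read more easily as `when: topology in ['topology-02', 'topology-03', 'topology-04', 'topology-05', 'topology-ecc']`.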
@@ -0,0 +1,75 @@
+#common to all subsystems
+MASTER_HOSTNAME = 'pki1.example.com'
+CLONE_HOSTNAME = 'pki2.example.com'
+
+CLIENT_PKCS12_PASSWORD = 'SECret.123'
+CLIENT_DIR_PASSWORD = 'SECret.123'
+BACKUP_PASSWORD = 'SECret.123'
+CLIENT_DATABASE_PASSWORD = 'SECret.123'
+NSSDB = '/opt/pki/certdb'
+#CA Instance
+CA_HTTPS_PORT = '20443'
+CA_HTTP_PORT = '20080'
+CA_AJP_PORT = '20009'
+CA_TOMCAT_PORT = '20005'
+CA_CLIENT_DIR = '/opt/topology-CA'
+CA_INSTANCE_NAME = 'topology-CA'
+SECURITY_DOMAIN_PASSWORD = 'SECret.123'
+CA_PASSWORD = 'SECret.123'
+CA_SECURITY_DOMAIN_NAME = 'topology_Foobarmaster.org'
+CA_ADMIN_USERNAME = 'caadmin'
+CA_ADMIN_NICK = 'PKI CA Administrator for Example.Org'
+#KRA Instance
+KRA_INSTANCE_NAME = 'topology-KRA'
+KRA_HTTPS_PORT = 21443
+KRA_HTTP_PORT = 21080
+KRA_AJP_PORT = 21009
+KRA_TOMCAT_PORT = 21005
+KRA_PASSWORD = 'SECret.123'
+KRA_CLIENT_DIR = '/opt/topology-KRA'
+KRA_ADMIN_NICK = 'PKI KRA Administrator for Example.Org'
+#OCSP Instance
+OCSP_INSTANCE_NAME = 'topology-OCSP'
+OCSP_HTTPS_PORT = 22443
+OCSP_HTTP_PORT = 22080
+OCSP_AJP_PORT = 22009
+OCSP_TOMCAT_PORT = 22005
+OCSP_PASSWORD = 'SECret.123'
+OCSP_CLIENT_DIR = '/opt/topology-OCSP'
+OCSP_ADMIN_NICK = 'PKI OCSP Administrator for Example.Org'
+#TKS Instance
+TKS_INSTANCE_NAME = 'topology-TKS'
+TKS_HTTPS_PORT = 23443
+TKS_HTTP_PORT = 23080
+TKS_AJP_PORT = 23009
+TKS_TOMCAT_PORT = 23005
+TKS_PASSWORD = 'SECret.123'
+TKS_CLIENT_DIR = '/opt/topology-TKS'
+#TPS instance
+TPS_INSTANCE_NAME = 'topology-TPS'
+TPS_HTTPS_PORT = '25443'
+TPS_HTTP_PORT = '25080'
+TPS_AJP_PORT = '25009'
+TPS_TOMCAT_PORT = '25005'
+TPS_PASSWORD = 'SECret.123'
+TPS_CLIENT_DIR = '/opt/topology-TPS'
+TPS_ADMIN_NICK = 'PKI TPS Administrator for Example.Org'
+#LDAP Details
+LDAP_PORT = 'ldapServerPort'
+LDAP_BIND_DN = 'cn=Directory Manager'
+LDAP_PASSWD = 'SECret.123'
+LDAP_BASE_DN = 'dc=example,dc=org'
+LDAP_KRA_PORT = 'ldapkraServerPort'
+LDAP_OCSP_PORT = 'ldapocspServerPort'
+LDAP_TKS_PORT = 'ldaptksServerPort'
+LDAP_TPS_PORT = 'ldaptpsServerPort'
+LDAP_USER = 'foobar'
+LDAP_USER_ENROLL = 'testuser'
+CUID = '40906145C76224192D2B'
+CUID_01 = '40906145C76224192D11'
+TPS_OPERATION = 'ra_enroll'
+#Details for tps-activity cli automation
+LDAP_USER1 = 'jdoe'
+TOKEN_FORMAT = 'ra_format'
+TOKEN_RESET_PIN = 'ra_reset_pin'
+TOKEN_CUID = '40000000000000000002'
diff --git a/tests/roles/Test_Trigger/files/test/ca.cfg b/tests/roles/Test_Trigger/files/test/ca.cfg
new file mode 100644
index 0000000..c142381
--- /dev/null
+++ b/tests/roles/Test_Trigger/files/test/ca.cfg
@@ -0,0 +1,55 @@
+[DEFAULT]
+pki_instance_name = topology-CA
+pki_https_port = capki_https_port
+pki_http_port = capki_http_port
+
+pki_token_password = SECret.123
+
+
+pki_admin_password = SECret.123
+pki_admin_key_type=rsa
+pki_admin_key_size=2048
+pki_admin_key_algorithm=SHA512withRSA
+
+pki_hostname = SERVERNAME
+pki_security_domain_name = topology_Foobarmaster.org
+pki_security_domain_password = SECret.123
+
+pki_client_dir = /opt/topology-CA
+pki_client_pkcs12_password = SECret.123
+pki_backup_keys = True
+pki_backup_password = SECret.123
+pki_ds_password = SECret.123
+pki_ds_ldap_port = ldapServerPort
+
+pki_sslserver_key_algorithm=SHA512withRSA
+pki_sslserver_key_size=2048
+pki_sslserver_key_type=rsa
+
+pki_subsystem_key_type=rsa
+pki_subsystem_key_size=2048
+pki_subsystem_key_algorithm=SHA512withRSA
+
+pki_audit_signing_key_algorithm=SHA512withRSA
+pki_audit_signing_key_size=2048
+pki_audit_signing_key_type=rsa
+pki_audit_signing_signing_algorithm=SHA512withRSA
+
+[Tomcat]
+pki_ajp_port = capki_ajp_port
+pki_tomcat_server_port = capki_tomcat_port
+
+[CA]
+pki_import_admin_cert = False
+pki_ds_hostname = SERVERNAME
+pki_admin_nickname = PKI CA Administrator for Example.Org
+
+pki_ca_signing_key_algorithm=SHA512withRSA
+pki_ca_signing_key_size=2048
+pki_ca_signing_key_type=rsa
+pki_ca_signing_signing_algorithm=SHA512withRSA
+
+pki_ocsp_signing_key_algorithm=SHA512withRSA
+pki_ocsp_signing_key_size=2048
+pki_ocsp_signing_key_type=rsa
+pki_ocsp_signing_signing_algorithm=SHA512withRSA
\ No newline at end of file
diff --git a/tests/roles/Test_Trigger/files/test/constants.py b/tests/roles/Test_Trigger/files/test/constants.py
new file mode 100644
index 0000000..c0bd59a
--- /dev/null
+++ b/tests/roles/Test_Trigger/files/test/constants.py
@@ -0,0 +1,76 @@
+#common to all subsystems
+MASTER_HOSTNAME = 'pki1.example.com'
+CLONE_HOSTNAME = 'pki2.example.com'
+
+CLIENT_PKCS12_PASSWORD = 'SECret.123'
+CLIENT_DIR_PASSWORD = 'SECret.123'
+BACKUP_PASSWORD = 'SECret.123'
+CLIENT_DATABASE_PASSWORD = 'SECret.123'
+NSSDB = '/opt/pki/certdb'
+#CA Instance
+CA_HTTPS_PORT = 'capki_https_port'
+CA_HTTP_PORT = 'capki_http_port'
+CA_AJP_PORT = 'capki_ajp_port'
+CA_TOMCAT_PORT = 'capki_tomcat_port'
+CA_CLIENT_DIR = '/opt/topology-CA'
+CA_INSTANCE_NAME = 'topology-CA'
+SECURITY_DOMAIN_PASSWORD = 'SECret.123'
+CA_PASSWORD = 'SECret.123'
+CA_SECURITY_DOMAIN_NAME = 'topology_Foobarmaster.org'
+CA_ADMIN_USERNAME = 'caadmin'
+CA_ADMIN_NICK = 'PKI CA Administrator for Example.Org'
+#KRA Instance
+KRA_INSTANCE_NAME = 'topology-KRA'
+KRA_HTTPS_PORT = 'krapki_https_port'
+KRA_HTTP_PORT = 'krapki_http_port'
+KRA_AJP_PORT = 'krapki_ajp_port'
+KRA_TOMCAT_PORT = 'krapki_tomcat_server_port'
+KRA_PASSWORD = 'SECret.123'
+KRA_CLIENT_DIR = '/opt/topology-KRA'
+KRA_ADMIN_NICK = 'PKI KRA Administrator for Example.Org'
+#OCSP Instance
+OCSP_INSTANCE_NAME = 'topology-OCSP'
+OCSP_HTTPS_PORT = 'ocsppki_https_port'
+OCSP_HTTP_PORT = 'ocsppki_http_port'
+OCSP_AJP_PORT = 'ocsppki_ajp_port'
+OCSP_TOMCAT_PORT = 'ocsppki_tomcat_server_port'
+OCSP_PASSWORD = 'SECret.123'
+OCSP_CLIENT_DIR = '/opt/topology-OCSP'
+OCSP_ADMIN_NICK = 'PKI OCSP Administrator for Example.Org'
+#TKS Instance
+TKS_INSTANCE_NAME = 'topology-TKS'
+TKS_HTTPS_PORT = 'tkspki_https_port'
+TKS_HTTP_PORT = 'tkspki_http_port'
+TKS_AJP_PORT = 'tkspki_ajp_port'
+TKS_TOMCAT_PORT = 'tkspki_tomcat_server_port'
+TKS_PASSWORD = 'SECret.123'
+TKS_CLIENT_DIR = '/opt/topology-TKS'
+TKS_ADMIN_NICK = 'PKI TKS Administrator for Example.Org'
+#TPS instance
+TPS_INSTANCE_NAME = 'topology-TPS'
+TPS_HTTPS_PORT = 'tpspki_https_port'
+TPS_HTTP_PORT = 'tpspki_http_port'
+TPS_AJP_PORT = 'tpspki_ajp_port'
+TPS_TOMCAT_PORT = 'tpspki_tomcat_server_port'
+TPS_PASSWORD = 'SECret.123'
+TPS_CLIENT_DIR = '/opt/topology-TPS'
+TPS_ADMIN_NICK = 'PKI TPS Administrator for Example.Org'
+#LDAP Details
+LDAP_PORT = 'ldapServerPort'
+LDAP_BIND_DN = 'cn=Directory Manager'
+LDAP_PASSWD = 'SECret.123'
+LDAP_BASE_DN = 'dc=example,dc=org'
+LDAP_KRA_PORT = 'ldapkraServerPort'
+LDAP_OCSP_PORT = 'ldapocspServerPort'
+LDAP_TKS_PORT = 'ldaptksServerPort'
+LDAP_TPS_PORT = 'ldaptpsServerPort'
+LDAP_USER = 'foobar'
+LDAP_USER_ENROLL = 'testuser'
+CUID = '40906145C76224192D2B'
+CUID_01 = '40906145C76224192D11'
+TPS_OPERATION = 'ra_enroll'
+#Details for tps-activity cli automation
+LDAP_USER1 = 'jdoe'
+TOKEN_FORMAT = 'ra_format'
+TOKEN_RESET_PIN = 'ra_reset_pin'
+TOKEN_CUID = '40000000000000000002'
\ No newline at end of file
diff --git a/tests/roles/Test_Trigger/files/test/kra.cfg b/tests/roles/Test_Trigger/files/test/kra.cfg
new file mode 100644
index 0000000..6f33f52
--- /dev/null
+++ b/tests/roles/Test_Trigger/files/test/kra.cfg
@@ -0,0 +1,61 @@
+[DEFAULT]
+pki_instance_name = topology-KRA
+pki_https_port = krapki_https_port
+pki_http_port = krapki_http_port
+
+pki_token_password = SECret.123
+pki_admin_password = SECret.123
+pki_admin_key_type=rsa
+pki_admin_key_size=2048
+pki_admin_key_algorithm=SHA512withRSA
+
+pki_hostname = SERVERNAME
+pki_security_domain_hostname = SERVERNAME
+pki_security_domain_https_port = secure_domain_port
+pki_security_domain_name = topology_Foobarmaster.org
+pki_security_domain_password = SECret.123
+
+pki_client_dir = /opt/topology-KRA
+pki_client_pkcs12_password = SECret.123
+pki_client_database_password = SECret.123
+
+pki_backup_keys = True
+pki_backup_password = SECret.123
+
+pki_ds_password = SECret.123
+pki_ds_ldap_port = ldapServerPort
+
+
+pki_sslserver_key_algorithm=SHA512withRSA
+pki_sslserver_key_size=2048
+pki_sslserver_key_type=rsa
+
+pki_subsystem_key_algorithm=SHA512withRSA
+pki_subsystem_key_size=2048
+pki_subsystem_key_type=rsa
+
+pki_audit_signing_key_algorithm=SHA512withRSA
+pki_audit_signing_key_size=2048
+pki_audit_signing_key_type=rsa
+pki_audit_signing_signing_algorithm=SHA512withRSA
+
+[Tomcat]
+pki_ajp_port = krapki_ajp_port
+pki_tomcat_server_port = krapki_tomcat_server_port
+
+[KRA]
+pki_import_admin_cert = False
+pki_admin_nickname = PKI KRA Administrator for Example.Org
+
+pki_ds_hostname = SERVERNAME
+
+pki_storage_key_algorithm=SHA512withRSA
+pki_storage_key_size=2048
+pki_storage_key_type=rsa
+pki_storage_signing_algorithm=SHA512withRSA
+
+pki_transport_key_algorithm=SHA512withRSA
+pki_transport_key_size=2048
+pki_transport_key_type=rsa
+pki_transport_signing_algorithm=SHA512withRSA
+
diff --git a/tests/roles/Test_Trigger/files/test/ldap.cfg b/tests/roles/Test_Trigger/files/test/ldap.cfg
new file mode 100644
index 0000000..b7cde1f
--- /dev/null
+++ b/tests/roles/Test_Trigger/files/test/ldap.cfg
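Review bot: `pki_backup_keys = True` in the KRA template exports the storage and transport keys — which, as I understand Dogtag's KRA, are what wrap every archived key — into a PKCS#12 under `pki_backup_password = SECret.123`, the same literal used for every other secret in the file. For a CI instance that is acceptable, but it is the most sensitive material in the whole topology and the template does not say it is a fixture. A one-line header such as `# CI fixture only: shared literal password; pki_backup_keys exports the KRA storage/transport keys` makes the intent explicit, or `pki_backup_keys = False` if no test reads the backup.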
@@ -0,0 +1,12 @@
+[General]
+FullMachineName = SERVERNAME
+SuiteSpotUserID = nobody
+SuiteSpotGroup = nobody
+ConfigDirectoryAdminID = admin
+
+[slapd]
+ServerIdentifier = topology-testingmaster
+ServerPort = ldapServerPort
+Suffix = dc=example,dc=com
+RootDN = CN=Directory Manager
+RootDNPwd = SECret.123
diff --git a/tests/roles/Test_Trigger/files/test/ocsp.cfg b/tests/roles/Test_Trigger/files/test/ocsp.cfg
new file mode 100644
index 0000000..e91bd3b
--- /dev/null
+++ b/tests/roles/Test_Trigger/files/test/ocsp.cfg
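Review bot: `Suffix = dc=example,dc=com` does not match the base DN the rest of this change uses — constants.py sets `LDAP_BASE_DN = 'dc=example,dc=org'` and tps.cfg sets `pki_authdb_basedn = ou=People,dc=example,dc=org` — so any search or bind anchored on those values targets a suffix this directory never creates. Unless a second suffix is provisioned outside this change, `Suffix = dc=example,dc=org` is the fix. Separately, `SuiteSpotUserID = nobody` / `SuiteSpotGroup = nobody` run the directory under a shared system account; a dedicated service user (commonly `dirsrv`) is the usual choice even for test instances, but that is a hardening preference rather than a defect.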
@@ -0,0 +1,56 @@
+[DEFAULT]
+pki_instance_name = topology-OCSP
+pki_https_port = ocsppki_https_port
+pki_http_port = ocsppki_http_port
+
+pki_token_password = SECret.123
+
+pki_admin_password = SECret.123
+pki_admin_key_type=rsa
+pki_admin_key_size=2048
+pki_admin_key_algorithm=SHA512withRSA
+
+pki_hostname = SERVERNAME
+pki_security_domain_hostname = SERVERNAME
+pki_security_domain_name = topology_Foobarmaster.org
+pki_security_domain_password = SECret.123
+pki_security_domain_https_port = secure_domain_port
+
+pki_client_dir = /opt/topology-OCSP
+pki_client_pkcs12_password = SECret.123
+pki_client_database_password = SECret.123
+
+pki_backup_keys = True
+pki_backup_password = SECret.123
+
+pki_ds_password = SECret.123
+pki_ds_ldap_port = ldapServerPort
+
+pki_sslserver_key_algorithm=SHA512withRSA
+pki_sslserver_key_size=2048
+pki_sslserver_key_type=rsa
+
+pki_subsystem_key_algorithm=SHA512withRSA
+pki_subsystem_key_size=2048
+pki_subsystem_key_type=rsa
+
+pki_audit_signing_key_type=rsa
+pki_audit_signing_key_size=2048
+pki_audit_signing_key_algorithm=SHA512withRSA
+pki_audit_signing_signing_algorithm=SHA512withRSA
+
+[Tomcat]
+pki_ajp_port = ocsppki_ajp_port
+pki_tomcat_server_port = ocsppki_tomcat_server_port
+
+[OCSP]
+pki_import_admin_cert = False
+pki_admin_nickname= PKI OCSP Administrator for Example.Org
+
+
+pki_ds_hostname = SERVERNAME
+
+pki_ocsp_signing_key_algorithm=SHA512withRSA
+pki_ocsp_signing_key_size=2048
+pki_ocsp_signing_key_type=rsa
+pki_ocsp_signing_signing_algorithm=SHA512withRSA
\ No newline at end of file
diff --git a/tests/roles/Test_Trigger/files/test/script b/tests/roles/Test_Trigger/files/test/script
new file mode 100755
index 0000000..c98e4ae
--- /dev/null
+++ b/tests/roles/Test_Trigger/files/test/script
@@ -0,0 +1,79 @@
+#!/bin/sh
+#Generate Noise using Openssl
+echo "Defining variables "
+tks_password="/tmp/tkspassword.txt"
+tps_password="/tmp/tpspassword.txt"
+tks_alias="/var/lib/pki/$1-TKS/alias"
+tps_alias="/var/lib/pki/$1-TPS/alias"
+tks_noise="/tmp/tks_noise"
+tks_shared_secret="sharedSecret"
+tks_conf="/var/lib/pki/$1-TKS/tks/conf/CS.cfg"
+tps_conf="/var/lib/pki/$1-TPS/tps/conf/CS.cfg"
+tps_input_file="/tmp/tps-input.txt"
+tks_secret_output="/tmp/secret"
+tks_input_file="/tmp/tks-input.txt"
+tks_input="proceed\r\n"
+tks_secret_output="/tmp/sharedSecret.out"
+tps_key_import_status="/tmp/sharedSecretImport.out"
+echo "proceed\r\n" > $tks_input_file
+echo "Generate Noise using OpenSSL"
+openssl rand -hex 2048 | perl -p -e 's/\n//' > $tks_noise
+cat /var/lib/pki/$1-TKS/conf/password.conf | sed 's/^internal=//' > $tks_password
+cat /var/lib/pki/$1-TPS/conf/password.conf | sed 's/^internal=//' > $tps_password
+
+echo "Stopping TKS & TPS instance"
+systemctl stop pki-tomcatd@$1-TKS.service
+systemctl stop pki-tomcatd@$1-TPS.service
+echo "Generating shared secret"
+/usr/bin/tkstool -D -d $tks_alias -n "TPS-`hostname`-25443 sharedSecret" -f $tks_password
+/usr/bin/tkstool -T -d $tks_alias -n $tks_shared_secret -f $tks_password -z $tks_noise > $tks_secret_output < $tks_input_file
+/usr/bin/tkstool -L -d $tks_alias -n $tks_shared_secret -f $tks_password > /tmp/sharedSecretList1.out
+grep "$tks_shared_secret" /tmp/sharedSecretList1.out
+first_session_tmp1=$(cat $tks_secret_output | grep -A1 "first\ssession\skey\sshare:")
+first_session_tmp2=$(echo $first_session_tmp1 | sed 's/^first session key share://')
+first_session_key=$(echo ${first_session_tmp2%% })
+first_session_KCV_tmp1=$(cat $tks_secret_output | grep "first\ssession\skey\sshare\sKCV:")
+first_session_KCV_tmp2=$(echo $first_session_KCV_tmp1 | sed 's/^first session key share KCV://')
+first_session_KCV_key=$(echo ${first_session_KCV_tmp2%% })
+
+second_session_tmp1=$(cat $tks_secret_output | grep -A1 "second\ssession\skey\sshare:")
+second_session_tmp2=$(echo $second_session_tmp1 | sed 's/^second session key share://')
+second_session_key=$(echo ${second_session_tmp2%% })
+second_session_KCV_tmp1=$(cat $tks_secret_output | grep "second\ssession\skey\sshare\sKCV:")
+second_session_KCV_tmp2=$(echo $second_session_KCV_tmp1 | sed 's/^second session key share KCV://')
+second_session_KCV_key=$(echo ${second_session_KCV_tmp2%% })
+
+third_session_tmp1=$(cat $tks_secret_output | grep -A1 "third\ssession\skey\sshare:")
+third_session_tmp2=$(echo $third_session_tmp1 | sed 's/^third session key share://')
+third_session_key=$(echo ${third_session_tmp2%% })
+third_session_KCV_tmp1=$(cat $tks_secret_output | grep "third\ssession\skey\sshare\sKCV:")
+third_session_KCV_tmp2=$(echo $third_session_KCV_tmp1 | sed 's/^third session key share KCV://')
+third_session_KCV_key=$(echo ${third_session_KCV_tmp2%% })
+
+sed -i -e "/tps.0.nickname=/s/=.*/=$tks_shared_secret/g" $tks_conf
+sed -i -e "/tks.tksSharedSymKeyName=/s/=.*/=$tks_shared_secret/g" $tks_conf
+echo "Restart $1-TKS instance"
+systemctl restart pki-tomcatd@$1-TKS.service
+echo "proceed\r\n" > $tps_input_file
+echo "$first_session_key\r\n" >> $tps_input_file
+echo "\r\n" >> $tps_input_file
+echo "$first_session_KCV_key\r\n" >> $tps_input_file
+echo "proceed\r\n" >> $tps_input_file
+echo "proceed\r\n" >> $tps_input_file
+echo "$second_session_key\r\n" >> $tps_input_file
+echo "\r\n" >> $tps_input_file
+echo "$second_session_KCV_key\r\n" >> $tps_input_file
+echo "proceed\r\n" >> $tps_input_file
+echo "proceed\r\n" >> $tps_input_file
+echo "$third_session_key\r\n" >> $tps_input_file
+echo "\r\n" >> $tps_input_file
+echo "$third_session_KCV_key\r\n" >> $tps_input_file
+echo "proceed\r\n" >> $tps_input_file
+
+/usr/bin/tkstool -I -d $tps_alias -n $tks_shared_secret -f $tps_password < $tps_input_file > $tps_key_import_status
+/usr/bin/tkstool -L -d $tps_alias -n $tks_shared_secret -f $tps_password > /tmp/sharedSecretList2.out
+grep "$tks_shared_secret" /tmp/sharedSecretList2.out
+sed -i -e "/tps.connector.tks1.tksSharedSymKeyName=/s/=.*/=$tks_shared_secret/g" $tps_conf
+sed -i -e "/conn.tks1.tksSharedSymKeyName=/s/=.*/=$tks_shared_secret/g" $tps_conf
+echo "Restart $1-TPS instance"
+systemctl restart pki-tomcatd@$1-TPS.service
diff --git a/tests/roles/Test_Trigger/files/test/tks.cfg b/tests/roles/Test_Trigger/files/test/tks.cfg
new file mode 100644
index 0000000..8e5289a
--- /dev/null
+++ b/tests/roles/Test_Trigger/files/test/tks.cfg
@@ -0,0 +1,52 @@
+[DEFAULT]
+pki_instance_name = topology-TKS
+pki_https_port = tkspki_https_port
+pki_http_port = tkspki_http_port
+
+pki_token_password = SECret.123
+
+pki_admin_password = SECret.123
+pki_admin_key_type=rsa
+pki_admin_key_size=2048
+pki_admin_key_algorithm=SHA512withRSA
+
+pki_hostname = SERVERNAME
+pki_security_domain_hostname = SERVERNAME
+pki_security_domain_name = topology_Foobarmaster.org
+pki_security_domain_password = SECret.123
+pki_security_domain_https_port = secure_domain_port
+
+pki_client_dir = /opt/topology-TKS
+pki_client_pkcs12_password = SECret.123
+pki_client_database_password = SECret.123
+
+pki_backup_keys = True
+pki_backup_password = SECret.123
+
+pki_ds_password = SECret.123
+pki_ds_ldap_port = ldapServerPort
+
+pki_subsystem_key_type=rsa
+pki_subsystem_key_size=2048
+pki_subsystem_key_algorithm=SHA512withRSA
+pki_subsystem_signing_algorithm=SHA512withRSA
+
+pki_sslserver_key_type=rsa
+pki_sslserver_key_size=2048
+pki_sslserver_key_algorithm=SHA512withRSA
+pki_sslserver_signing_algorithm=SHA512withRSA
+
+[Tomcat]
+pki_ajp_port = tkspki_ajp_port
+pki_tomcat_server_port = tkspki_tomcat_server_port
+
+[TKS]
+pki_import_admin_cert = False
+pki_admin_nickname= PKI TKS Administrator for Example.Org
+
+pki_ds_hostname = SERVERNAME
+
+pki_audit_signing_key_algorithm=SHA512withRSA
+pki_audit_signing_key_size=2048
+pki_audit_signing_key_type=rsa
+pki_audit_signing_signing_algorithm=SHA512withRSA
\ No newline at end of file
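Review bot: The script writes the TKS and TPS internal token passwords (`$tks_password`, `$tps_password`) and the three shared-secret key shares with their KCVs (`$tks_secret_output`, `$tps_input_file`) to fixed, predictable paths under /tmp using the caller's default umask and never removes them, so the TKS/TPS shared secret outlives the run in files any local user can read or pre-create. There is also no `set -e`, so a failed `tkstool -T` still reaches the CS.cfg edits and the restarts with empty key shares, and `echo "...\r\n"` only yields CR/LF when /bin/sh's echo interprets escapes (dash does, bash does not by default) — `printf` is the portable form, keeping the exact byte sequence the current shell emits. Two smaller points: `tks_secret_output` is assigned twice and the first value `/tmp/secret` is dead, and the nickname passed to `tkstool -D` hardcodes port `25443` while the TPS https port is templated everywhere else in this change. I would create a private working directory and route every temporary file through it:
```shell
#!/bin/sh
set -eu
umask 077
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
tks_password="$workdir/tkspassword.txt"
tps_password="$workdir/tpspassword.txt"
tks_noise="$workdir/tks_noise"
tps_input_file="$workdir/tps-input.txt"
tks_input_file="$workdir/tks-input.txt"
tks_secret_output="$workdir/sharedSecret.out"
tps_key_import_status="$workdir/sharedSecretImport.out"
# … unchanged: alias/conf paths, noise generation, password extraction, tkstool -D/-T/-L, share parsing …
printf 'proceed\r\n' > "$tks_input_file"
# … unchanged: CS.cfg edits, TPS input file lines (as printf), tkstool -I/-L and restarts …
```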
diff --git a/tests/roles/Test_Trigger/files/test/tps.cfg b/tests/roles/Test_Trigger/files/test/tps.cfg
new file mode 100644
index 0000000..9252560
--- /dev/null
+++ b/tests/roles/Test_Trigger/files/test/tps.cfg
@@ -0,0 +1,34 @@
+[DEFAULT]
+pki_instance_name = topology-TPS
+pki_https_port = tpspki_https_port
+pki_http_port = tpspki_http_port
+pki_token_password = SECret.123
+pki_admin_password = SECret.123
+pki_hostname = SERVERNAME
+pki_security_domain_hostname = SERVERNAME
+pki_security_domain_https_port = secure_domain_port
+pki_security_domain_name = topology_Foobarmaster.org
+pki_security_domain_password = SECret.123
+pki_client_dir = /opt/topology-TPS
+pki_client_pkcs12_password = SECret.123
+pki_backup_keys = True
+pki_backup_password = SECret.123
+pki_ds_password = SECret.123
+pki_ds_ldap_port = ldapServerPort
+pki_client_database_password = SECret.123
+
+[Tomcat]
+pki_ajp_port = tpspki_ajp_port
+pki_tomcat_server_port = tpspki_tomcat_server_port
+
+[TPS]
+pki_import_admin_cert = False
+pki_ds_hostname = SERVERNAME
+pki_authdb_basedn = ou=People,dc=example,dc=org
+pki_authdb_hostname=SERVERNAME
+pki_authdb_port=3389
+pki_ca_uri=https://SERVERNAME:capki_https_port
+pki_tks_uri=https://SERVERNAME:tkspki_https_port
+pki_kra_uri=https://SERVERNAME:krapki_https_port
+pki_admin_nickname=PKI TPS Administrator for Example.Org
+pki_enable_server_side_keygen=True
diff --git a/tests/roles/Test_Trigger/tasks/configure_ca.yml b/tests/roles/Test_Trigger/tasks/configure_ca.yml
new file mode 100644
index 0000000..fd109ee
--- /dev/null
+++ b/tests/roles/Test_Trigger/tasks/configure_ca.yml
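Review bot: `pki_authdb_port=3389` is a literal while every other directory port in this change is the `ldapServerPort` placeholder, so for topology-01, where vars/ldap_shared.yml sets `ldapServerPort: '2389'`, the TPS auth directory points at a port nothing in this change listens on, and for topology-05 configure_ldap.yml's unanchored `regexp="3389"` silently rewrites it to the TPS-private directory port. Unless a separate directory on 3389 is provisioned elsewhere, `pki_authdb_port=ldapServerPort` keeps the auth DB on the same instance as `pki_ds_ldap_port`. `pki_authdb_basedn = ou=People,dc=example,dc=org` also names a suffix that ldap.cfg (`Suffix = dc=example,dc=com`) does not create, so enrolment lookups against it would fail unless that tree is populated outside this change.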
@@ -0,0 +1,24 @@
+
+- name: Replace CA specific changes
+ replace: dest={{item}} regexp="capki_https_port" replace={{capki_https_port}}
+ with_items:
+ - /tmp/test_dir/ca.cfg
+ - /tmp/test_dir/constants.py
+
+- name: Replace http port for CA.
+ replace: dest={{item}} regexp="capki_http_port" replace={{capki_http_port}}
+ with_items:
+ - /tmp/test_dir/ca.cfg
+ - /tmp/test_dir/constants.py
+
+- name: Replace ajp port for CA
+ replace: dest={{item}} regexp="capki_ajp_port" replace={{capki_ajp_port}}
+ with_items:
+ - /tmp/test_dir/ca.cfg
+ - /tmp/test_dir/constants.py
+
+- name : Replace tomcat port for CA
+ replace: dest={{item}} regexp="capki_tomcat_port" replace={{capki_tomcat_port}}
+ with_items:
+ - /tmp/test_dir/ca.cfg
+ - /tmp/test_dir/constants.py
diff --git a/tests/roles/Test_Trigger/tasks/configure_common.yml b/tests/roles/Test_Trigger/tasks/configure_common.yml
new file mode 100644
index 0000000..7d74d7a
--- /dev/null
+++ b/tests/roles/Test_Trigger/tasks/configure_common.yml
@@ -0,0 +1,145 @@
+- name: Pick constants based on {{topology}}
+ include_vars: "{{ item }}"
+ with_items:
+ - "{{ playbook_dir }}/vars/ldap_shared.yml"
+ - "{{ playbook_dir }}/vars/ca_shared.yml"
+ when: topology == "topology-01"
+
+- name: Pick constants based on {{topology}}
+ include_vars: "{{ item }}"
+ with_items:
+ - "{{ playbook_dir }}/vars/ldap.yml"
+ - "{{ playbook_dir }}/vars/ca.yml"
+ - "{{ playbook_dir }}/vars/kra.yml"
+ - "{{ playbook_dir }}/vars/ocsp.yml"
+ - "{{ playbook_dir }}/vars/tks.yml"
+ - "{{ playbook_dir }}/vars/tps.yml"
+ when: topology == "topology-02"
+
+- name: Pick constants based on {{topology}}
+ include_vars: "{{ item }}"
+ with_items:
+ - "{{ playbook_dir }}/vars/ldap.yml"
+ - "{{ playbook_dir }}/vars/ca.yml"
+ - "{{ playbook_dir }}/vars/kra.yml"
+ - "{{ playbook_dir }}/vars/ocsp.yml"
+ when: topology == "topology-03"
+
+- name: Pick constants based on {{topology}}
+ include_vars: "{{ item }}"
+ with_items:
+ - "{{ playbook_dir }}/vars/ldap.yml"
+ - "{{ playbook_dir }}/vars/ca.yml"
+ - "{{ playbook_dir }}/vars/kra.yml"
+ - "{{ playbook_dir }}/vars/tks.yml"
+ - "{{ playbook_dir }}/vars/tps.yml"
+ when: topology == "topology-04"
+
+- name: Pick constants based on {{topology}}
+ include_vars: "{{ item }}"
+ with_items:
+ - "{{ playbook_dir }}/vars/ldap.yml"
+ - "{{ playbook_dir }}/vars/ca.yml"
+ - "{{ playbook_dir }}/vars/kra.yml"
+ - "{{ playbook_dir }}/vars/ocsp.yml"
+ - "{{ playbook_dir }}/vars/tks.yml"
+ - "{{ playbook_dir }}/vars/tps.yml"
+ when: topology == "topology-05"
+
+- name: Pick constants based on {{topology}}
+ include_vars: "{{ item }}"
+ with_items:
+ - "{{ playbook_dir }}/vars/ldap.yml"
+ - "{{ playbook_dir }}/vars/ca.yml"
+ - "{{ playbook_dir }}/vars/kra.yml"
+ - "{{ playbook_dir }}/vars/ocsp.yml"
+ - "{{ playbook_dir }}/vars/tks.yml"
+ - "{{ playbook_dir }}/vars/tps.yml"
+ when: topology == "topology-ecc"
+
+- name: Creates directory
+ file: path=/tmp/test_files state=directory
+
+- name: Copying templates to /tmp folder
+ copy : src=test/ dest=/tmp/test_dir
+
+- name: Replace Ldap server port in all configuration files
+ replace: dest={{item}} regexp="ldapServerPort" replace={{ldapServerPort}}
+ with_items:
+ - /tmp/test_dir/ldap.cfg
+ - /tmp/test_dir/ca.cfg
+ - /tmp/test_dir/kra.cfg
+ - /tmp/test_dir/ocsp.cfg
+ - /tmp/test_dir/tks.cfg
+ - /tmp/test_dir/tps.cfg
+ - /tmp/test_dir/constants.py
+
+- name: Replace topology in use in all configuration files
+ replace: dest={{item}} regexp="topology" replace={{topology}}
+ with_items:
+ - /tmp/test_dir/ldap.cfg
+ - /tmp/test_dir/ca.cfg
+ - /tmp/test_dir/kra.cfg
+ - /tmp/test_dir/ocsp.cfg
+ - /tmp/test_dir/tks.cfg
+ - /tmp/test_dir/tps.cfg
+ - /tmp/test_dir/constants.py
+
+
+- name : Substitute SHA512withEC with SHA512withRSA when topology=topology-ecc
+ replace: dest={{item}} regexp="SHA512withRSA" replace="SHA512withEC"
+ with_items:
+ - /tmp/test_dir/ca.cfg
+ - /tmp/test_dir/kra.cfg
+ - /tmp/test_dir/ocsp.cfg
+ - /tmp/test_dir/tks.cfg
+ when: topology == "topology-ecc"
+
+- name : Substitute ecc with rsa when topology=topology-ecc
+ replace: dest={{item}} regexp="rsa" replace="ecc"
+ with_items:
+ - /tmp/test_dir/ca.cfg
+ - /tmp/test_dir/kra.cfg
+ - /tmp/test_dir/ocsp.cfg
+ - /tmp/test_dir/tks.cfg
+ when: topology == "topology-ecc"
+
+- name : Substitute keysize nistp521 with keysize 2048 when topology=topology-ecc
+ replace: dest={{item}} regexp="2048" replace="nistp521"
+ with_items:
+ - /tmp/test_dir/ca.cfg
+ - /tmp/test_dir/kra.cfg
+ - /tmp/test_dir/ocsp.cfg
+ - /tmp/test_dir/tks.cfg
+ when: topology == "topology-ecc"
+
+- name : For topology-01
+ replace: dest={{item}} regexp="pki_instance_name" replace="#pki_instance_name"
+ with_items:
+ - /tmp/test_dir/ca.cfg
+ - /tmp/test_dir/kra.cfg
+ - /tmp/test_dir/ocsp.cfg
+ - /tmp/test_dir/tks.cfg
+ - /tmp/test_dir/tps.cfg
+ when:
+ - topology == "topology-01"
+
+
+- name: Replace ServerName in all configuration files.
+ replace: dest={{item}} regexp="SERVERNAME" replace=pki1.example.com
+ with_items:
+ - /tmp/test_dir/ldap.cfg
+ - /tmp/test_dir/ca.cfg
+ - /tmp/test_dir/kra.cfg
+ - /tmp/test_dir/ocsp.cfg
+ - /tmp/test_dir/tks.cfg
+ - /tmp/test_dir/tps.cfg
+
+- name: Replace ServerName in all configuration files.
+ replace: dest={{item}} regexp="SERVERNAME" replace=pki1.example.com
+ with_items:
+ - /tmp/test_dir/ldap_kra.cfg
+ - /tmp/test_dir/ldap_ocsp.cfg
+ - /tmp/test_dir/ldap_tks.cfg
+ - /tmp/test_dir/ldap_tps.cfg
+ when: topology == "topology-05"
diff --git a/tests/roles/Test_Trigger/tasks/configure_kra.yml b/tests/roles/Test_Trigger/tasks/configure_kra.yml
new file mode 100644
index 0000000..adb3a76
--- /dev/null
+++ b/tests/roles/Test_Trigger/tasks/configure_kra.yml
@@ -0,0 +1,28 @@
+- name: Replace KRA specific changes
+ replace: dest={{item}} regexp="krapki_https_port" replace={{krapki_https_port}}
+ with_items:
+ - /tmp/test_dir/kra.cfg
+ - /tmp/test_dir/constants.py
+
+- name: Replace http port for KRA.
+ replace: dest={{item}} regexp="krapki_http_port" replace={{krapki_http_port}}
+ with_items:
+ - /tmp/test_dir/kra.cfg
+ - /tmp/test_dir/constants.py
+
+- name: Replace ajp port for KRA
+ replace: dest={{item}} regexp="krapki_ajp_port" replace={{krapki_ajp_port}}
+ with_items:
+ - /tmp/test_dir/kra.cfg
+ - /tmp/test_dir/constants.py
+
+- name : Replace tomcat port for KRA
+ replace: dest={{item}} regexp="krapki_tomcat_server_port" replace={{krapki_tomcat_server_port}}
+ with_items:
+ - /tmp/test_dir/kra.cfg
+ - /tmp/test_dir/constants.py
+
+- name : Replace tomcat port for KRA
+ replace: dest={{item}} regexp="secure_domain_port" replace={{capki_https_port}}
+ with_items:
+ - /tmp/test_dir/kra.cfg
diff --git a/tests/roles/Test_Trigger/tasks/configure_ldap.yml b/tests/roles/Test_Trigger/tasks/configure_ldap.yml
new file mode 100644
index 0000000..f9af68c
--- /dev/null
+++ b/tests/roles/Test_Trigger/tasks/configure_ldap.yml
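Review bot: `copy : src=test/ dest=/tmp/test_dir` drops ca.cfg, kra.cfg, ldap.cfg and the other templates — each carrying `pki_ds_password`, `pki_token_password`, `RootDNPwd` and the admin/backup passwords — into /tmp with the copy module's default permissions, which under a typical umask leaves them world-readable for the life of the host, and the preceding `file: path=/tmp/test_files state=directory` creates a directory nothing else in this change uses. I would copy into a private directory, `copy: src=test/ dest=/tmp/test_dir mode=0600 directory_mode=0700`, and either drop the `/tmp/test_files` task or point the copy at it. The `regexp="rsa"`, `regexp="2048"` and `regexp="topology"` substitutions are unanchored substring matches that happen to hit only the intended keys in today's templates (`topology` also rewrites `topology_Foobarmaster.org`, which may be intended); a comment saying so, or anchoring them to the key in dict form, e.g. `regexp: '^(pki_\w+_key_type)=rsa$'` with `replace: '\1=ecc'`, would protect the next edit of these templates.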
@@ -0,0 +1,47 @@
+- name : Create different ldap files for ca,kra,ocsp,tks and tps.
+ shell : for i in kra ocsp tks tps ;do cp /tmp/test_dir/ldap.cfg /tmp/test_dir/ldap_$i.cfg ; sed -i "s/testingmaster/$i-testingmaster/" /tmp/test_dir/ldap_$i.cfg; done
+ when: topology == "topology-05"
+
+- name : Conditional check before replacing values in ldap.cfg file.
+ replace: dest={{item}} regexp="3389" replace={{ldapkraServerPort}}
+ with_items:
+ - /tmp/test_dir/ldap_kra.cfg
+ - /tmp/test_dir/kra.cfg
+ when: topology == "topology-05"
+
+- name : Conditional check before replacing values in ldap.cfg file.
+ replace: dest={{item}} regexp="3389" replace={{ldapocspServerPort}}
+ with_items:
+ - /tmp/test_dir/ldap_ocsp.cfg
+ - /tmp/test_dir/ocsp.cfg
+ when: topology == "topology-05"
+
+- name : Conditional check before replacing values in ldap.cfg file.
+ replace: dest={{item}} regexp="3389" replace={{ldaptksServerPort}}
+ with_items:
+ - /tmp/test_dir/ldap_tks.cfg
+ - /tmp/test_dir/tks.cfg
+ when: topology == "topology-05"
+
+- name : Conditional check before replacing values in ldap.cfg file.
+ replace: dest={{item}} regexp="3389" replace={{ldaptpsServerPort}}
+ with_items:
+ - /tmp/test_dir/ldap_tps.cfg
+ - /tmp/test_dir/tps.cfg
+ when: topology == "topology-05"
+
+- name: Replace Ldap server port in all configuration files
+ replace: dest=/tmp/test_dir/constants.py regexp="ldapkraServerPort" replace={{ldapkraServerPort}}
+ when: topology == "topology-05"
+
+- name: Replace Ldap server port in all configuration files
+ replace: dest=/tmp/test_dir/constants.py regexp="ldapocspServerPort" replace={{ldapocspServerPort}}
+ when: topology == "topology-05"
+
+- name: Replace Ldap server port in all configuration files
+ replace: dest=/tmp/test_dir/constants.py regexp="ldaptksServerPort" replace={{ldaptksServerPort}}
+ when: topology == "topology-05"
+
+- name: Replace Ldap server port in all configuration files
+ replace: dest=/tmp/test_dir/constants.py regexp="ldaptpsServerPort" replace={{ldaptpsServerPort}}
+ when: topology == "topology-05"
diff --git a/tests/roles/Test_Trigger/tasks/configure_ocsp.yml b/tests/roles/Test_Trigger/tasks/configure_ocsp.yml
new file mode 100644
index 0000000..5aa9758
--- /dev/null
+++ b/tests/roles/Test_Trigger/tasks/configure_ocsp.yml
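Review bot: The four `regexp="3389"` tasks match a bare number anywhere in the target file, and they only work because configure_common.yml has already turned the `ldapServerPort` placeholder into 3389 — which holds only while vars/ldap.yml keeps `ldapServerPort: '3389'`; in tps.cfg the same pattern additionally rewrites the literal `pki_authdb_port=3389`, which may or may not be intended. Substituting on a subsystem-specific placeholder before the common pass, or anchoring the pattern to the key it is meant to change (`ServerPort` in ldap_*.cfg, `pki_ds_ldap_port` in the subsystem files) — in dict form, `regexp: '^(pki_ds_ldap_port = )3389$'` with `replace: '\1{{ ldapkraServerPort }}'` — removes the dependency on the numeric value. The `shell :` loop that derives ldap_kra.cfg and friends could be expressed with `copy` (`remote_src: yes`) plus `replace`, but that is a style preference.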
@@ -0,0 +1,28 @@
+- name: Replace OCSP specific changes
+ replace: dest={{item}} regexp="ocsppki_https_port" replace={{ocsppki_https_port}}
+ with_items:
+ - /tmp/test_dir/ocsp.cfg
+ - /tmp/test_dir/constants.py
+
+- name: Replace http port for OCSP.
+ replace: dest={{item}} regexp="ocsppki_http_port" replace={{ocsppki_http_port}}
+ with_items:
+ - /tmp/test_dir/ocsp.cfg
+ - /tmp/test_dir/constants.py
+
+- name: Replace ajp port for OCSP
+ replace: dest={{item}} regexp="ocsppki_ajp_port" replace={{ocsppki_ajp_port}}
+ with_items:
+ - /tmp/test_dir/ocsp.cfg
+ - /tmp/test_dir/constants.py
+
+- name : Replace tomcat port for OCSP
+ replace: dest={{item}} regexp="ocsppki_tomcat_server_port" replace={{ocsppki_tomcat_server_port}}
+ with_items:
+ - /tmp/test_dir/ocsp.cfg
+ - /tmp/test_dir/constants.py
+
+- name : Replace tomcat port for OCSP
+ replace: dest={{item}} regexp="secure_domain_port" replace={{capki_https_port}}
+ with_items:
+ - /tmp/test_dir/ocsp.cfg
diff --git a/tests/roles/Test_Trigger/tasks/configure_tks.yml b/tests/roles/Test_Trigger/tasks/configure_tks.yml
new file mode 100644
index 0000000..8b0b49e
--- /dev/null
+++ b/tests/roles/Test_Trigger/tasks/configure_tks.yml
@@ -0,0 +1,28 @@
+- name: Replace TKS specific changes
+ replace: dest={{item}} regexp="tkspki_https_port" replace={{tkspki_https_port}}
+ with_items:
+ - /tmp/test_dir/tks.cfg
+ - /tmp/test_dir/constants.py
+
+- name: Replace http port for TKS.
+ replace: dest={{item}} regexp="tkspki_http_port" replace={{tkspki_http_port}}
+ with_items:
+ - /tmp/test_dir/tks.cfg
+ - /tmp/test_dir/constants.py
+
+- name: Replace ajp port for TKS
+ replace: dest={{item}} regexp="tkspki_ajp_port" replace={{tkspki_ajp_port}}
+ with_items:
+ - /tmp/test_dir/tks.cfg
+ - /tmp/test_dir/constants.py
+
+- name : Replace tomcat port for TKS
+ replace: dest={{item}} regexp="tkspki_tomcat_server_port" replace={{tkspki_tomcat_server_port}}
+ with_items:
+ - /tmp/test_dir/tks.cfg
+ - /tmp/test_dir/constants.py
+
+- name : Replace tomcat port for TKS
+ replace: dest={{item}} regexp="secure_domain_port" replace={{capki_https_port}}
+ with_items:
+ - /tmp/test_dir/tks.cfg
diff --git a/tests/roles/Test_Trigger/tasks/configure_tps.yml b/tests/roles/Test_Trigger/tasks/configure_tps.yml
new file mode 100644
index 0000000..69fe4c5
--- /dev/null
+++ b/tests/roles/Test_Trigger/tasks/configure_tps.yml
@@ -0,0 +1,39 @@
+- name: Replace TPS specific changes
+ replace: dest={{item}} regexp="tpspki_https_port" replace={{tpspki_https_port}}
+ with_items:
+ - /tmp/test_dir/tps.cfg
+ - /tmp/test_dir/constants.py
+
+- name: Replace http port for TPS.
+ replace: dest={{item}} regexp="tpspki_http_port" replace={{tpspki_http_port}}
+ with_items:
+ - /tmp/test_dir/tps.cfg
+ - /tmp/test_dir/constants.py
+
+- name: Replace ajp port for TPS
+ replace: dest={{item}} regexp="tpspki_ajp_port" replace={{tpspki_ajp_port}}
+ with_items:
+ - /tmp/test_dir/tps.cfg
+ - /tmp/test_dir/constants.py
+
+- name : Replace tomcat port for TPS
+ replace: dest={{item}} regexp="tpspki_tomcat_server_port" replace={{tpspki_tomcat_server_port}}
+ with_items:
+ - /tmp/test_dir/tps.cfg
+ - /tmp/test_dir/constants.py
+
+- name : Replace tomcat port for TPS
+ replace: dest={{item}} regexp="secure_domain_port" replace={{capki_https_port}}
+ with_items:
+ - /tmp/test_dir/tps.cfg
+ - /tmp/test_dir/constants.py
+
+- name : Replace ca uri for TPS
+ replace: dest=/tmp/test_dir/tps.cfg regexp="capki_https_port" replace={{capki_https_port}}
+
+- name : Replace kra uri for TPS
+ replace: dest=/tmp/test_dir/tps.cfg regexp="krapki_https_port" replace={{krapki_https_port}}
+
+- name : Replace tks uri for TPS
+ replace: dest=/tmp/test_dir/tps.cfg regexp="tkspki_https_port" replace={{tkspki_https_port}}
+
diff --git a/tests/roles/Test_Trigger/tasks/main.yml b/tests/roles/Test_Trigger/tasks/main.yml
new file mode 100644
index 0000000..0c8e25d
--- /dev/null
+++ b/tests/roles/Test_Trigger/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+- include: configure_common.yml
+ when: topology == "topology-01" or topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" or topology == "topology-ecc"
+- include: configure_ca.yml
+ when: topology == "topology-01" or topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" or topology == "topology-ecc"
+- include: configure_ldap.yml
+ when: topology == "topology-05"
+- include: configure_kra.yml
+ when: topology == "topology-01" or topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" or topology == "topology-ecc"
+- include: configure_ocsp.yml
+ when: topology == "topology-01" or topology == "topology-02" or topology == "topology-03" or topology == "topology-05" or topology == "topology-ecc"
+- include: configure_tks.yml
+ when: topology == "topology-01" or topology == "topology-02" or topology == "topology-04" or topology == "topology-05"
+- include: configure_tps.yml
+ when: topology == "topology-01" or topology == "topology-02" or topology == "topology-04" or topology == "topology-05"
diff --git a/tests/tests.yml b/tests/tests.yml
new file mode 100644
index 0000000..31fb099
--- /dev/null
+++ b/tests/tests.yml
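Review bot: Every `when:` here spells out the topology list as a chain of `or` comparisons, which is easy to let drift from the per-topology `when:` clauses in configure_common.yml; `when: topology in ["topology-01", "topology-02", "topology-03", "topology-04", "topology-05", "topology-ecc"]` says the same on one line and is harder to mistype. `- include:` is the legacy task keyword, deprecated in favour of `import_tasks`/`include_tasks` in current ansible-core, so `- import_tasks: configure_common.yml` is the forward-compatible spelling if the Ansible version targeted by these tests permits it. A short comment naming which subsystems each topology spawns would also explain why configure_tks/configure_tps are skipped for topology-03 and topology-ecc.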
@@ -0,0 +1,32 @@
+- hosts: localhost
+ vars:
+ - topology: 'topology-01'
+ remote_user: root
+ roles:
+ - role: Test_Trigger
+ - role: Test_Execution
+ - role: standard-test-basic
+ tags:
+ - classic
+ tests:
+ - verify_spawn_ca:
+ dir: .
+ run: "curl http://localhost:8080/ca/admin/ca/getStatus | grep 'running'"
+ - verify_spawn_kra:
+ dir: .
+ run: "curl http://localhost:8080/kra/admin/kra/getStatus | grep 'running'"
+ - destroy_kra:
+ dir: .
+ run: "pkidestroy -i pki-tomcat -s KRA && sleep 5"
+ - verify_destroy_kra:
+ dir: .
+ run: "curl http://localhost:8080/kra/admin/kra/getStatus | grep 'HTTP Status 404'"
+ - destroy_ca:
+ dir: .
+ run: "pkidestroy -i pki-tomcat -s CA"
+ - verify_destroy_ca:
+ dir: .
+ run: "curl http://localhost:8080/ca/admin/ca/getStatus &> testfile.log || true && grep 'Connection refused' testfile.log"
+ required_packages:
+ - pki-ca
+ - pki-kra
diff --git a/tests/vars/ca.yml b/tests/vars/ca.yml
new file mode 100644
index 0000000..6768f66
--- /dev/null
+++ b/tests/vars/ca.yml
@@ -0,0 +1,4 @@
+capki_https_port: '20443'
+capki_http_port: '20080'
+capki_ajp_port: '20009'
+capki_tomcat_port: '20005'
diff --git a/tests/vars/ca_shared.yml b/tests/vars/ca_shared.yml
new file mode 100644
index 0000000..83aa43e
--- /dev/null
+++ b/tests/vars/ca_shared.yml
@@ -0,0 +1,24 @@
+capki_https_port: '8443'
+capki_http_port: '8080'
+capki_ajp_port: '8009'
+capki_tomcat_port: '8005'
+capki_https_port: '8443'
+capki_http_port: '8080'
+capki_ajp_port: '8009'
+capki_tomcat_port: '8005'
+krapki_https_port: '8443'
+krapki_http_port: '8080'
+krapki_ajp_port: '8009'
+krapki_tomcat_server_port: '8005'
+ocsppki_https_port: '8443'
+ocsppki_http_port: '8080'
+ocsppki_ajp_port: '8009'
+ocsppki_tomcat_server_port: '8005'
+tkspki_https_port: '8443'
+tkspki_http_port: '8080'
+tkspki_ajp_port: '8009'
+tkspki_tomcat_server_port: '8005'
+tpspki_https_port: '8443'
+tpspki_http_port: '8080'
+tpspki_ajp_port: '8009'
+tpspki_tomcat_server_port: '8005'
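Review bot: The `verify_destroy_ca` command uses `&> testfile.log`, a bash-only redirection; if the test runner executes `run:` through /bin/sh on a host where that is dash, `&>` is parsed as backgrounding curl and then truncating testfile.log, so the grep for 'Connection refused' fails for the wrong reason. `run: "curl http://localhost:8080/ca/admin/ca/getStatus > testfile.log 2>&1 || true; grep 'Connection refused' testfile.log"` is portable and keeps the intent. Port 8080 is hardcoded and is correct only because `topology: 'topology-01'` selects ca_shared.yml; a comment next to `vars:` saying so would help whoever adds a second topology. The tests exercise only the CA and KRA although topology-01 configures OCSP, TKS and TPS as well — presumably deliberate, but worth stating in a comment.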
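Review bot: `capki_https_port`, `capki_http_port`, `capki_ajp_port` and `capki_tomcat_port` are each defined twice in ca_shared.yml with identical values; the YAML loader used by Ansible keeps the last occurrence silently, so this is harmless today but the two copies will drift the first time someone edits one of them. Delete the second block of four `capki_*` lines.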
diff --git a/tests/vars/kra.yml b/tests/vars/kra.yml
new file mode 100644
index 0000000..2d45fab
--- /dev/null
+++ b/tests/vars/kra.yml
@@ -0,0 +1,4 @@
+krapki_https_port: '21443'
+krapki_http_port: '21080'
+krapki_ajp_port: '21009'
+krapki_tomcat_server_port: '21005'
diff --git a/tests/vars/ldap.yml b/tests/vars/ldap.yml
new file mode 100644
index 0000000..401c4a7
--- /dev/null
+++ b/tests/vars/ldap.yml
@@ -0,0 +1,8 @@
+ldapServerPort: '3389'
+ldapRootDN: CN=Directory Manager
+ldapRootDNPwd: Secret123
+ldapcaServerPort: '4389'
+ldapkraServerPort: '5389'
+ldapocspServerPort: '6389'
+ldaptksServerPort: '7389'
+ldaptpsServerPort: '8389'
diff --git a/tests/vars/ldap_shared.yml b/tests/vars/ldap_shared.yml
new file mode 100644
index 0000000..0e1d7e6
--- /dev/null
+++ b/tests/vars/ldap_shared.yml
@@ -0,0 +1,3 @@
+ldapServerPort: '2389'
+ldapRootDN: CN=Directory Manager
+ldapRootDNPwd: Secret123
diff --git a/tests/vars/ocsp.yml b/tests/vars/ocsp.yml
new file mode 100644
index 0000000..497ebb8
--- /dev/null
+++ b/tests/vars/ocsp.yml
@@ -0,0 +1,4 @@
+ocsppki_https_port: '22443'
+ocsppki_http_port: '22080'
+ocsppki_ajp_port: '22009'
+ocsppki_tomcat_server_port: '22005'
diff --git a/tests/vars/tks.yml b/tests/vars/tks.yml
new file mode 100644
index 0000000..3f402a4
--- /dev/null
+++ b/tests/vars/tks.yml
@@ -0,0 +1,4 @@
+tkspki_https_port: '23443'
+tkspki_http_port: '23080'
+tkspki_ajp_port: '23009'
+tkspki_tomcat_server_port: '23005'
diff --git a/tests/vars/tps.yml b/tests/vars/tps.yml
new file mode 100644
index 0000000..92534c2
--- /dev/null
+++ b/tests/vars/tps.yml
@@ -0,0 +1,4 @@
+tpspki_https_port: '25443'
+tpspki_http_port: '25080'
+tpspki_ajp_port: '25009'
+tpspki_tomcat_server_port: '25005'
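Review bot: `ldapRootDNPwd: Secret123` in ldap.yml disagrees with the Directory Manager password this change actually provisions in ldap.cfg (`RootDNPwd = SECret.123`) and uses from constants.py (`LDAP_PASSWD = 'SECret.123'`); no task in this change references `ldapRootDNPwd`, `ldapRootDN` or `ldapcaServerPort: '4389'`, so they are dead today, but anyone who wires the variable up will bind with the wrong password. Either set `ldapRootDNPwd: SECret.123` (the same mismatch is in ldap_shared.yml) or drop the unused keys so there is a single source of truth for the credential.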