Add pki --api option

The pki CLI has been updated to provide an option to specify the REST API version to use when communicating with the server. Currently the default is set to v1, but it might change later. The PKIClient class has been modified to store the API version which will automatically be used by other client classes (e.g. InfoClient). The pki info has been modified to show the API version in use. The basic CA test has been updated to run pki info with the option and verify the access logs generated by these commands.
dogtagpki · Sep 30, 2024 · 26680f2 · 26680f2
1 parent bbd6664
commit 26680f2
Show file tree

Hide file tree

Showing 6 changed files with 84 additions and 33 deletions.
diff --git a/.github/workflows/ca-basic-test.yml b/.github/workflows/ca-basic-test.yml
@@ -33,20 +33,18 @@ jobs:
           tests/bin/ds-create.sh \
               --image=${{ env.DS_IMAGE }} \
               --hostname=ds.example.com \
+              --network=example \
+              --network-alias=ds.example.com \
               --password=Secret.123 \
               ds
 
-      - name: Connect DS container to network
-        run: docker network connect example ds --alias ds.example.com
-
       - name: Set up PKI container
         run: |
-          tests/bin/runner-init.sh pki
-        env:
-          HOSTNAME: pki.example.com
-
-      - name: Connect PKI container to network
-        run: docker network connect example pki --alias pki.example.com
+          tests/bin/runner-init.sh \
+              --hostname=pki.example.com \
+              --network=example \
+              --network-alias=pki.example.com \
+              pki
 
       - name: Install CA
         run: |
@@ -249,12 +247,13 @@ jobs:
       - name: Check CA signing cert
         run: |
           docker exec pki pki-server cert-export ca_signing \
-              --cert-file ca_signing.crt
+              --cert-file $SHARED/ca_signing.crt
           docker exec pki openssl req -text -noout \
               -in /var/lib/pki/pki-tomcat/conf/certs/ca_signing.csr
 
           # check CA signing cert extensions
-          docker exec pki /usr/share/pki/tests/ca/bin/test-ca-signing-cert-ext.sh
+          docker exec pki /usr/share/pki/tests/ca/bin/test-ca-signing-cert-ext.sh \
+              $SHARED/ca_signing.crt
 
       - name: Check CA OCSP signing cert
         run: |
@@ -301,23 +300,58 @@ jobs:
 
       - name: Update CA configuration
         run: |
-          # enable signed audit log
+          docker exec pki dnf install -y xmlstarlet
+
+          # disable access log buffer
+          docker exec pki xmlstarlet edit --inplace \
+              -u "//Valve[@className='org.apache.catalina.valves.AccessLogValve']/@buffered" \
+              -v "false" \
+              -i "//Valve[@className='org.apache.catalina.valves.AccessLogValve' and not(@buffered)]" \
+              -t attr \
+              -n "buffered" \
+              -v "false" \
+              /etc/pki/pki-tomcat/server.xml
+
+          # enable CA signed audit log
           docker exec pki pki-server ca-config-set log.instance.SignedAudit.logSigning true
 
-          # restart CA subsystem
-          docker exec pki pki-server ca-redeploy --wait
+          # restart PKI server
+          docker exec pki pki-server restart --wait
 
       - name: Initialize PKI client
         run: |
-          docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
-
           docker exec pki pki nss-cert-import \
-              --cert ca_signing.crt \
+              --cert $SHARED/ca_signing.crt \
               --trust CT,C,C \
               ca_signing
 
+      - name: Check PKI server info
+        run: |
+          # use default API
           docker exec pki pki info
 
+          # use API v1
+          docker exec pki pki --api v1 info
+
+          # use API v2
+          docker exec pki pki --api v2 info
+
+          # check HTTP methods, paths, protocols, status, and authenticated users
+          docker exec pki find /var/log/pki/pki-tomcat \
+              -name "localhost_access_log.*" \
+              -exec cat {} \; \
+              | tail -3 \
+              | sed -e 's/^.* .* \(.*\) \[.*\] "\(.*\)" \(.*\) .*$/\2 \3 \1/' \
+              | tee output
+
+          cat > expected << EOF
+          GET /pki/v1/info HTTP/1.1 200 -
+          GET /pki/v1/info HTTP/1.1 200 -
+          GET /pki/v2/info HTTP/1.1 200 -
+          EOF
+
+          diff expected output
+
       - name: Test CA certs
         run: |
           docker exec pki /usr/share/pki/tests/ca/bin/test-ca-signing-cert.sh
@@ -439,21 +473,12 @@ jobs:
         run: |
           docker exec pki journalctl -x --no-pager -u [email protected]
 
-      - name: Check CA debug log
+      - name: Check PKI server access log
         if: always()
         run: |
-          docker exec pki find /var/lib/pki/pki-tomcat/logs/ca -name "debug.*" -exec cat {} \;
+          docker exec pki find /var/log/pki/pki-tomcat -name "localhost_access_log.*" -exec cat {} \;
 
-      - name: Gather artifacts
+      - name: Check CA debug log
         if: always()
         run: |
-          tests/bin/ds-artifacts-save.sh ds
-          tests/bin/pki-artifacts-save.sh pki
-        continue-on-error: true
-
-      - name: Upload artifacts
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: ca-basic
-          path: /tmp/artifacts
+          docker exec pki find /var/lib/pki/pki-tomcat/logs/ca -name "debug.*" -exec cat {} \;
diff --git a/base/common/src/main/java/com/netscape/certsrv/client/Client.java b/base/common/src/main/java/com/netscape/certsrv/client/Client.java
@@ -44,7 +44,7 @@ public class Client {
     public LinkedHashMap<String, Client> clients = new LinkedHashMap<>();
 
     public Client(PKIClient client, String subsystem, String name) {
-        this(client, subsystem, "rest", name);
+        this(client, subsystem, client.getAPIVersion(), name);
     }
 
     public Client(PKIClient client, String subsystem, String prefix, String name) {

diff --git a/base/common/src/main/java/com/netscape/certsrv/client/PKIClient.java b/base/common/src/main/java/com/netscape/certsrv/client/PKIClient.java
@@ -48,6 +48,7 @@ public class PKIClient implements AutoCloseable {
 
     public ClientConfig config;
     public PKIConnection connection;
+    public String apiVersion;
     public MediaType messageFormat;
     public InfoClient infoClient;
     public Info info;
@@ -57,7 +58,12 @@ public PKIClient(ClientConfig config) throws Exception {
     }
 
     public PKIClient(ClientConfig config, SSLCertificateApprovalCallback callback) throws Exception {
+        this(config, "v1", callback);
+    }
+
+    public PKIClient(ClientConfig config, String apiVersion, SSLCertificateApprovalCallback callback) throws Exception {
         this.config = config;
+        this.apiVersion = apiVersion;
 
         connection = new PKIConnection(config);
         connection.setCallback(callback);
@@ -72,6 +78,10 @@ public PKIClient(ClientConfig config, SSLCertificateApprovalCallback callback) t
         this.messageFormat = MediaType.valueOf("application/" + messageFormat);
     }
 
+    public String getAPIVersion() {
+        return apiVersion;
+    }
+
     public MediaType getMessageFormat() {
         return messageFormat;
     }

diff --git a/base/common/src/main/java/org/dogtagpki/common/InfoClient.java b/base/common/src/main/java/org/dogtagpki/common/InfoClient.java
@@ -27,7 +27,7 @@
 public class InfoClient extends Client {
 
     public InfoClient(PKIClient client) throws Exception {
-        super(client, "pki", "v2", "info");
+        super(client, "pki", "info");
     }
 
     public Info getInfo() throws Exception {

diff --git a/base/tools/src/main/java/com/netscape/cmstools/cli/InfoCLI.java b/base/tools/src/main/java/com/netscape/cmstools/cli/InfoCLI.java
@@ -51,5 +51,10 @@ public void execute(CommandLine cmd) throws Exception {
         if (!StringUtils.isEmpty(version)) {
             System.out.println("  Server Version: " + version);
         }
+
+        String apiVersion = client.getAPIVersion();
+        if (!StringUtils.isEmpty(version)) {
+            System.out.println("  API Version: " + apiVersion);
+        }
     }
 }
diff --git a/base/tools/src/main/java/com/netscape/cmstools/cli/MainCLI.java b/base/tools/src/main/java/com/netscape/cmstools/cli/MainCLI.java
@@ -86,6 +86,7 @@ public class MainCLI extends CLI {
     public ClientConfig config = new ClientConfig();
 
     NSSDatabase nssdb;
+    String apiVersion;
 
     public Collection<Integer> rejectedCertStatuses = new HashSet<>();
     public Collection<Integer> ignoredCertStatuses = new HashSet<>();
@@ -141,6 +142,10 @@ public String getManPage() {
         return "pki";
     }
 
+    public String getAPIVersion() {
+        return apiVersion;
+    }
+
     public void printVersion() {
         Package pkg = MainCLI.class.getPackage();
         System.out.println("PKI Command-Line Interface " + pkg.getImplementationVersion());
@@ -213,6 +218,10 @@ public void createOptions() throws UnknownHostException {
         option.setArgName("token");
         options.addOption(option);
 
+        option = new Option(null, "api", true, "API version: v1 (default), v2");
+        option.setArgName("version");
+        options.addOption(option);
+
         option = new Option(null, "output", true, "Folder to store HTTP messages");
         option.setArgName("folder");
         options.addOption(option);
@@ -454,6 +463,8 @@ public void parseOptions(CommandLine cmd) throws Exception {
         // store user password
         config.setPassword(password);
 
+        apiVersion = cmd.getOptionValue("api", "v1");
+
         String list = cmd.getOptionValue("reject-cert-status");
         convertCertStatusList(list, rejectedCertStatuses);
 
@@ -593,7 +604,7 @@ public PKIClient getClient() throws Exception {
         logger.info("Connecting to " + config.getServerURL());
 
         SSLCertificateApprovalCallback callback = createCertApprovalCallback();
-        client = new PKIClient(config, callback);
+        client = new PKIClient(config, apiVersion, callback);
 
         if (output != null) {
             File file = new File(output);