From 26680f210a91535db851dbd9aa84e746a1c7eb4b Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Mon, 30 Sep 2024 08:45:57 -0500 Subject: [PATCH] Add pki --api option The pki CLI has been updated to provide an option to specify the REST API version to use when communicating with the server. Currently the default is set to v1, but it might change later. The PKIClient class has been modified to store the API version which will automatically be used by other client classes (e.g. InfoClient). The pki info has been modified to show the API version in use. The basic CA test has been updated to run pki info with the option and verify the access logs generated by these commands. --- .github/workflows/ca-basic-test.yml | 85 ++++++++++++------- .../com/netscape/certsrv/client/Client.java | 2 +- .../netscape/certsrv/client/PKIClient.java | 10 +++ .../java/org/dogtagpki/common/InfoClient.java | 2 +- .../com/netscape/cmstools/cli/InfoCLI.java | 5 ++ .../com/netscape/cmstools/cli/MainCLI.java | 13 ++- 6 files changed, 84 insertions(+), 33 deletions(-) diff --git a/.github/workflows/ca-basic-test.yml b/.github/workflows/ca-basic-test.yml index 6cee397611b..55510050aa0 100644 --- a/.github/workflows/ca-basic-test.yml +++ b/.github/workflows/ca-basic-test.yml @@ -33,20 +33,18 @@ jobs: tests/bin/ds-create.sh \ --image=${{ env.DS_IMAGE }} \ --hostname=ds.example.com \ + --network=example \ + --network-alias=ds.example.com \ --password=Secret.123 \ ds - - name: Connect DS container to network - run: docker network connect example ds --alias ds.example.com - - name: Set up PKI container run: | - tests/bin/runner-init.sh pki - env: - HOSTNAME: pki.example.com - - - name: Connect PKI container to network - run: docker network connect example pki --alias pki.example.com + tests/bin/runner-init.sh \ + --hostname=pki.example.com \ + --network=example \ + --network-alias=pki.example.com \ + pki - name: Install CA run: | @@ -249,12 +247,13 @@ jobs: - name: Check CA signing cert run: | docker exec pki pki-server cert-export ca_signing \ - --cert-file ca_signing.crt + --cert-file $SHARED/ca_signing.crt docker exec pki openssl req -text -noout \ -in /var/lib/pki/pki-tomcat/conf/certs/ca_signing.csr # check CA signing cert extensions - docker exec pki /usr/share/pki/tests/ca/bin/test-ca-signing-cert-ext.sh + docker exec pki /usr/share/pki/tests/ca/bin/test-ca-signing-cert-ext.sh \ + $SHARED/ca_signing.crt - name: Check CA OCSP signing cert run: | @@ -301,23 +300,58 @@ jobs: - name: Update CA configuration run: | - # enable signed audit log + docker exec pki dnf install -y xmlstarlet + + # disable access log buffer + docker exec pki xmlstarlet edit --inplace \ + -u "//Valve[@className='org.apache.catalina.valves.AccessLogValve']/@buffered" \ + -v "false" \ + -i "//Valve[@className='org.apache.catalina.valves.AccessLogValve' and not(@buffered)]" \ + -t attr \ + -n "buffered" \ + -v "false" \ + /etc/pki/pki-tomcat/server.xml + + # enable CA signed audit log docker exec pki pki-server ca-config-set log.instance.SignedAudit.logSigning true - # restart CA subsystem - docker exec pki pki-server ca-redeploy --wait + # restart PKI server + docker exec pki pki-server restart --wait - name: Initialize PKI client run: | - docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt - docker exec pki pki nss-cert-import \ - --cert ca_signing.crt \ + --cert $SHARED/ca_signing.crt \ --trust CT,C,C \ ca_signing + - name: Check PKI server info + run: | + # use default API docker exec pki pki info + # use API v1 + docker exec pki pki --api v1 info + + # use API v2 + docker exec pki pki --api v2 info + + # check HTTP methods, paths, protocols, status, and authenticated users + docker exec pki find /var/log/pki/pki-tomcat \ + -name "localhost_access_log.*" \ + -exec cat {} \; \ + | tail -3 \ + | sed -e 's/^.* .* \(.*\) \[.*\] "\(.*\)" \(.*\) .*$/\2 \3 \1/' \ + | tee output + + cat > expected << EOF + GET /pki/v1/info HTTP/1.1 200 - + GET /pki/v1/info HTTP/1.1 200 - + GET /pki/v2/info HTTP/1.1 200 - + EOF + + diff expected output + - name: Test CA certs run: | docker exec pki /usr/share/pki/tests/ca/bin/test-ca-signing-cert.sh @@ -439,21 +473,12 @@ jobs: run: | docker exec pki journalctl -x --no-pager -u pki-tomcatd@pki-tomcat.service - - name: Check CA debug log + - name: Check PKI server access log if: always() run: | - docker exec pki find /var/lib/pki/pki-tomcat/logs/ca -name "debug.*" -exec cat {} \; + docker exec pki find /var/log/pki/pki-tomcat -name "localhost_access_log.*" -exec cat {} \; - - name: Gather artifacts + - name: Check CA debug log if: always() run: | - tests/bin/ds-artifacts-save.sh ds - tests/bin/pki-artifacts-save.sh pki - continue-on-error: true - - - name: Upload artifacts - if: always() - uses: actions/upload-artifact@v4 - with: - name: ca-basic - path: /tmp/artifacts + docker exec pki find /var/lib/pki/pki-tomcat/logs/ca -name "debug.*" -exec cat {} \; diff --git a/base/common/src/main/java/com/netscape/certsrv/client/Client.java b/base/common/src/main/java/com/netscape/certsrv/client/Client.java index 66ceb76e798..53bce162192 100644 --- a/base/common/src/main/java/com/netscape/certsrv/client/Client.java +++ b/base/common/src/main/java/com/netscape/certsrv/client/Client.java @@ -44,7 +44,7 @@ public class Client { public LinkedHashMap clients = new LinkedHashMap<>(); public Client(PKIClient client, String subsystem, String name) { - this(client, subsystem, "rest", name); + this(client, subsystem, client.getAPIVersion(), name); } public Client(PKIClient client, String subsystem, String prefix, String name) { diff --git a/base/common/src/main/java/com/netscape/certsrv/client/PKIClient.java b/base/common/src/main/java/com/netscape/certsrv/client/PKIClient.java index 5ab4c4f9587..aeb2c405c39 100644 --- a/base/common/src/main/java/com/netscape/certsrv/client/PKIClient.java +++ b/base/common/src/main/java/com/netscape/certsrv/client/PKIClient.java @@ -48,6 +48,7 @@ public class PKIClient implements AutoCloseable { public ClientConfig config; public PKIConnection connection; + public String apiVersion; public MediaType messageFormat; public InfoClient infoClient; public Info info; @@ -57,7 +58,12 @@ public PKIClient(ClientConfig config) throws Exception { } public PKIClient(ClientConfig config, SSLCertificateApprovalCallback callback) throws Exception { + this(config, "v1", callback); + } + + public PKIClient(ClientConfig config, String apiVersion, SSLCertificateApprovalCallback callback) throws Exception { this.config = config; + this.apiVersion = apiVersion; connection = new PKIConnection(config); connection.setCallback(callback); @@ -72,6 +78,10 @@ public PKIClient(ClientConfig config, SSLCertificateApprovalCallback callback) t this.messageFormat = MediaType.valueOf("application/" + messageFormat); } + public String getAPIVersion() { + return apiVersion; + } + public MediaType getMessageFormat() { return messageFormat; } diff --git a/base/common/src/main/java/org/dogtagpki/common/InfoClient.java b/base/common/src/main/java/org/dogtagpki/common/InfoClient.java index 7bacdcbfb60..3c3c4bfd7aa 100644 --- a/base/common/src/main/java/org/dogtagpki/common/InfoClient.java +++ b/base/common/src/main/java/org/dogtagpki/common/InfoClient.java @@ -27,7 +27,7 @@ public class InfoClient extends Client { public InfoClient(PKIClient client) throws Exception { - super(client, "pki", "v2", "info"); + super(client, "pki", "info"); } public Info getInfo() throws Exception { diff --git a/base/tools/src/main/java/com/netscape/cmstools/cli/InfoCLI.java b/base/tools/src/main/java/com/netscape/cmstools/cli/InfoCLI.java index a28ecac448a..d8643ac7dca 100644 --- a/base/tools/src/main/java/com/netscape/cmstools/cli/InfoCLI.java +++ b/base/tools/src/main/java/com/netscape/cmstools/cli/InfoCLI.java @@ -51,5 +51,10 @@ public void execute(CommandLine cmd) throws Exception { if (!StringUtils.isEmpty(version)) { System.out.println(" Server Version: " + version); } + + String apiVersion = client.getAPIVersion(); + if (!StringUtils.isEmpty(version)) { + System.out.println(" API Version: " + apiVersion); + } } } diff --git a/base/tools/src/main/java/com/netscape/cmstools/cli/MainCLI.java b/base/tools/src/main/java/com/netscape/cmstools/cli/MainCLI.java index fa95c2b9e44..749b9a39a8f 100644 --- a/base/tools/src/main/java/com/netscape/cmstools/cli/MainCLI.java +++ b/base/tools/src/main/java/com/netscape/cmstools/cli/MainCLI.java @@ -86,6 +86,7 @@ public class MainCLI extends CLI { public ClientConfig config = new ClientConfig(); NSSDatabase nssdb; + String apiVersion; public Collection rejectedCertStatuses = new HashSet<>(); public Collection ignoredCertStatuses = new HashSet<>(); @@ -141,6 +142,10 @@ public String getManPage() { return "pki"; } + public String getAPIVersion() { + return apiVersion; + } + public void printVersion() { Package pkg = MainCLI.class.getPackage(); System.out.println("PKI Command-Line Interface " + pkg.getImplementationVersion()); @@ -213,6 +218,10 @@ public void createOptions() throws UnknownHostException { option.setArgName("token"); options.addOption(option); + option = new Option(null, "api", true, "API version: v1 (default), v2"); + option.setArgName("version"); + options.addOption(option); + option = new Option(null, "output", true, "Folder to store HTTP messages"); option.setArgName("folder"); options.addOption(option); @@ -454,6 +463,8 @@ public void parseOptions(CommandLine cmd) throws Exception { // store user password config.setPassword(password); + apiVersion = cmd.getOptionValue("api", "v1"); + String list = cmd.getOptionValue("reject-cert-status"); convertCertStatusList(list, rejectedCertStatuses); @@ -593,7 +604,7 @@ public PKIClient getClient() throws Exception { logger.info("Connecting to " + config.getServerURL()); SSLCertificateApprovalCallback callback = createCertApprovalCallback(); - client = new PKIClient(config, callback); + client = new PKIClient(config, apiVersion, callback); if (output != null) { File file = new File(output);