Update pki-server status

The pki-server status command has been modified to no longer
show the subsystem "Type" field since it's redundant. Instead,
it will show an "SD Manager" field which will indicate whether
the subsystem is a security domain manager. Some CI tests have
been updated to validate this command.

Author: edewata

.github/workflows/ca-basic-test.yml

@@ -56,6 +56,15 @@ jobs:
               -D pki_ds_url=ldap://ds.example.com:3389 \
               -v
 
+      - name: Check CA server status
+        run: |
+          docker exec pki pki-server status | tee output
+
+          # CA should be a domain manager
+          echo "True" > expected
+          sed -n 's/^ *SD Manager: *\(.*\)$/\1/p' output > actual
+          diff expected actual
+
       - name: Check webapps
         run: |
           docker exec pki pki-server webapp-find | tee output

.github/workflows/ca-clone-test.yml

@@ -56,6 +56,17 @@ jobs:
               -D pki_ds_url=ldap://primaryds.example.com:3389 \
               -v
 
+      - name: Check primary CA server status
+        run: |
+          docker exec primary pki-server status | tee output
+
+          # primary CA should be a domain manager
+          echo "True" > expected
+          sed -n 's/^ *SD Manager: *\(.*\)$/\1/p' output > actual
+          diff expected actual
+
+      - name: Check primary CA system certs
+        run: |
           docker exec primary pki-server cert-find
 
       - name: Verify users and SD hosts in primary PKI container
@@ -107,6 +118,17 @@ jobs:
               -D pki_ds_url=ldap://secondaryds.example.com:3389 \
               -v
 
+      - name: Check secondary CA server status
+        run: |
+          docker exec secondary pki-server status | tee output
+
+          # secondary CA should be a domain manager
+          echo "True" > expected
+          sed -n 's/^ *SD Manager: *\(.*\)$/\1/p' output > actual
+          diff expected actual
+
+      - name: Check secondary CA system certs
+        run: |
           docker exec secondary pki-server cert-find
 
       - name: Check schema in primary DS and secondary DS

.github/workflows/kra-basic-test.yml

@@ -103,6 +103,16 @@ jobs:
               -D pki_ds_url=ldap://ds.example.com:3389 \
               -v
 
+      - name: Check PKI server status
+        run: |
+          docker exec pki pki-server status | tee output
+
+          # CA should be a domain manager, but KRA should not
+          echo "True" > expected
+          echo "False" >> expected
+          sed -n 's/^ *SD Manager: *\(.*\)$/\1/p' output > actual
+          diff expected actual
+
       - name: Check security domain config in KRA
         run: |
           # KRA should join security domain in CA

.github/workflows/kra-separate-test.yml

@@ -56,6 +56,15 @@ jobs:
               -D pki_ds_url=ldap://rootcads.example.com:3389 \
               -v
 
+      - name: Check root CA server status
+        run: |
+          docker exec rootca pki-server status | tee output
+
+          # root CA should be a domain manager
+          echo "True" > expected
+          sed -n 's/^ *SD Manager: *\(.*\)$/\1/p' output > actual
+          diff expected actual
+
       - name: Check security domain config in root CA
         run: |
           # root CA should run security domain service
@@ -123,6 +132,16 @@ jobs:
               -D pki_issuing_ca_uri=https://rootca.example.com:8443 \
               -v
 
+      - name: Check sub CA server status
+        run: |
+          docker exec subca pki-server status | tee output
+
+          # this sub CA should be a domain manager since it's created with
+          # pki_subordinate_create_new_security_domain=True
+          echo "True" > expected
+          sed -n 's/^ *SD Manager: *\(.*\)$/\1/p' output > actual
+          diff expected actual
+
       - name: Check sub CA certs
         if: always()
         run: |
@@ -219,6 +238,15 @@ jobs:
               -D pki_ds_url=ldap://krads.example.com:3389 \
               -v
 
+      - name: Check KRA server status
+        run: |
+          docker exec kra pki-server status | tee output
+
+          # KRA should not be a domain manager
+          echo "False" > expected
+          sed -n 's/^ *SD Manager: *\(.*\)$/\1/p' output > actual
+          diff expected actual
+
       - name: Check security domain config in KRA
         run: |
           # KRA should join existing security domain in sub CA

.github/workflows/kra-standalone-test.yml

@@ -186,24 +186,26 @@ jobs:
               -D pki_admin_cert_path=${SHARED}/kra_admin.crt \
               -v
 
+      - name: Check KRA server status
+        run: |
+          docker exec kra pki-server status | tee output
+
+          # standalone KRA should be a domain manager
+          echo "True" > expected
+          sed -n 's/^ *SD Manager: *\(.*\)$/\1/p' output > actual
+          diff expected actual
+
+      - name: Check KRA system certs
+        run: |
           docker exec kra pki-server cert-find
 
       # TODO: Fix DogtagKRAConnectivityCheck to work without CA
       # - name: Run PKI healthcheck
       #   run: docker exec kra pki-healthcheck --failures-only
 
-      - name: Check KRA security domain
-        run: |
-          docker exec kra pki client-cert-import ca_signing --ca-cert ${SHARED}/ca_signing.crt
-          docker exec kra pki securitydomain-show \
-              > >(tee stdout) 2> >(tee stderr >&2) || true
-
-          # standalone KRA should not return security domain info
-          echo "PKIException: Not Found" > expected
-          diff expected stderr
-
       - name: Check KRA admin
         run: |
+          docker exec kra pki client-cert-import ca_signing --ca-cert ${SHARED}/ca_signing.crt
           docker exec kra pki pkcs12-import \
               --pkcs12 /root/.dogtag/pki-tomcat/kra_admin_cert.p12 \
               --pkcs12-password Secret.123
@@ -220,6 +222,30 @@ jobs:
           echo "UserNotFoundException: User CA-ca.example.com-8443 not found" > expected
           diff expected stderr
 
+      - name: Check KRA security domain
+        run: |
+          # security domain should be enabled (i.e. securitydomain.select=new)
+          cat > expected << EOF
+          securitydomain.checkIP=false
+          securitydomain.checkinterval=300000
+          securitydomain.flushinterval=86400000
+          securitydomain.host=kra.example.com
+          securitydomain.httpport=8080
+          securitydomain.httpsadminport=8443
+          securitydomain.name=example.com Security Domain
+          securitydomain.select=new
+          securitydomain.source=ldap
+          EOF
+
+          docker exec kra pki-server kra-config-find | grep ^securitydomain. | sort | tee actual
+          diff expected actual
+
+          # TODO: Fix pki securitydomain-show to work with standalone KRA
+          # docker exec kra pki securitydomain-show \
+          #     > >(tee stdout) 2> >(tee stderr >&2) || true
+
+          # standalone KRA should return security domain info
+
       - name: Check KRA connector in CA
         run: |
           # KRA connector should not be configured

.github/workflows/ocsp-basic-test.yml

@@ -103,6 +103,16 @@ jobs:
               -D pki_ds_url=ldap://ds.example.com:3389 \
               -v
 
+      - name: Check PKI server status
+        run: |
+          docker exec pki pki-server status | tee output
+
+          # CA should be a domain manager, but OCSP should not
+          echo "True" > expected
+          echo "False" >> expected
+          sed -n 's/^ *SD Manager: *\(.*\)$/\1/p' output > actual
+          diff expected actual
+
       - name: Check security domain config in OCSP
         run: |
           # OCSP should join security domain in CA

.github/workflows/ocsp-standalone-test.yml

@@ -174,24 +174,26 @@ jobs:
               -D pki_admin_cert_path=${SHARED}/ocsp_admin.crt \
               -v
 
+      - name: Check OCSP server status
+        run: |
+          docker exec ocsp pki-server status | tee output
+
+          # standalone OCSP should be a domain manager
+          echo "True" > expected
+          sed -n 's/^ *SD Manager: *\(.*\)$/\1/p' output > actual
+          diff expected actual
+
+      - name: Check OCSP system certs
+        run: |
           docker exec ocsp pki-server cert-find
 
       # TODO: Fix DogtagOCSPConnectivityCheck to work without CA
       # - name: Run PKI healthcheck
       #   run: docker exec ocsp pki-healthcheck --failures-only
 
-      - name: Check OCSP security domain
-        run: |
-          docker exec ocsp pki client-cert-import ca_signing --ca-cert ${SHARED}/ca_signing.crt
-          docker exec ocsp pki securitydomain-show \
-              > >(tee stdout) 2> >(tee stderr >&2) || true
-
-          # standalone OCSP should not return security domain info
-          echo "PKIException: Not Found" > expected
-          diff expected stderr
-
       - name: Check OCSP admin cert
         run: |
+          docker exec ocsp pki client-cert-import ca_signing --ca-cert ${SHARED}/ca_signing.crt
           docker exec ocsp pki pkcs12-import \
               --pkcs12 /root/.dogtag/pki-tomcat/ocsp_admin_cert.p12 \
               --pkcs12-password Secret.123
@@ -208,6 +210,30 @@ jobs:
           echo "UserNotFoundException: User CA-ca.example.com-8443 not found" > expected
           diff expected stderr
 
+      - name: Check OCSP security domain
+        run: |
+          # security domain should be enabled (i.e. securitydomain.select=new)
+          cat > expected << EOF
+          securitydomain.checkIP=false
+          securitydomain.checkinterval=300000
+          securitydomain.flushinterval=86400000
+          securitydomain.host=ocsp.example.com
+          securitydomain.httpport=8080
+          securitydomain.httpsadminport=8443
+          securitydomain.name=example.com Security Domain
+          securitydomain.select=new
+          securitydomain.source=ldap
+          EOF
+
+          docker exec ocsp pki-server ocsp-config-find | grep ^securitydomain. | sort | tee actual
+          diff expected actual
+
+          # TODO: Fix pki securitydomain-show to work with standalone OCSP
+          # docker exec ocsp pki securitydomain-show \
+          #     > >(tee stdout) 2> >(tee stderr >&2) || true
+
+          # standalone OCSP should return security domain info
+
       - name: Check OCSP publishing in CA
         run: |
           # OCSP publishing should not be configured

.github/workflows/subca-basic-test.yml

@@ -56,6 +56,17 @@ jobs:
               -D pki_ds_url=ldap://rootds.example.com:3389 \
               -v
 
+      - name: Check root CA server status
+        run: |
+          docker exec root pki-server status | tee output
+
+          # root CA should be a domain manager
+          echo "True" > expected
+          sed -n 's/^ *SD Manager: *\(.*\)$/\1/p' output > actual
+          diff expected actual
+
+      - name: Check root CA system certs
+        run: |
           docker exec root pki-server cert-find
 
       - name: Install banner in root container
@@ -91,6 +102,19 @@ jobs:
               -D pki_ds_url=ldap://subds.example.com:3389 \
               -v
 
+      - name: Check sub CA server status
+        run: |
+          docker exec subordinate pki-server status | tee output
+
+          # sub CA should not be a domain manager
+          echo "False" > expected
+          sed -n 's/^ *SD Manager: *\(.*\)$/\1/p' output > actual
+          diff expected actual
+
+      - name: Check sub CA system certs
+        run: |
+          docker exec subordinate pki-server cert-find
+
       - name: Install banner in subordinate container
         run: docker exec subordinate cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat
 

.github/workflows/tks-basic-test.yml

@@ -66,6 +66,20 @@ jobs:
               -D pki_ds_url=ldap://ds.example.com:3389 \
               -v
 
+      - name: Check TKS server status
+        run: |
+          docker exec pki pki-server status | tee output
+
+          # CA should be a domain manager, but TKS should not
+          echo "True" > expected
+          echo "False" >> expected
+          sed -n 's/^ *SD Manager: *\(.*\)$/\1/p' output > actual
+          diff expected actual
+
+      - name: Check TKS system certs
+        run: |
+          docker exec pki pki-server cert-find
+
       - name: Check TKS audit signing cert
         run: |
           docker exec pki pki-server cert-export tks_audit_signing \

.github/workflows/tps-basic-test.yml

@@ -89,6 +89,22 @@ jobs:
               -D pki_enable_server_side_keygen=True \
               -v
 
+      - name: Check TPS server status
+        run: |
+          docker exec pki pki-server status | tee output
+
+          # CA should be a domain manager, but KRA, TKS, TPS should not
+          echo "True" > expected
+          echo "False" >> expected
+          echo "False" >> expected
+          echo "False" >> expected
+          sed -n 's/^ *SD Manager: *\(.*\)$/\1/p' output > actual
+          diff expected actual
+
+      - name: Check TPS system certs
+        run: |
+          docker exec pki pki-server cert-find
+
       - name: Check TPS audit signing cert
         run: |
           docker exec pki pki-server cert-export tps_audit_signing \