v1.0.1

.gitignore

@@ -3,13 +3,17 @@
 **/target
 *.log
 out/
-pkits-testsuite/src/site/markdown/
-
+bin/
 docs/configs/tuTestObjects/
+docs/configs/inttest/pkits_ltu_run.yml
+testDataTemplates/tsl/TSL_default_new_nextUpdate.xml
+docker-compose-deployHot.yml
+docker-compose-deployLTU_DEV.yml
 docs/dev/
 LICENSE_PLACEHOLDER
 Pipeline.CI.Jenkinsfile
 Pipeline.DeployGitHub.Jenkinsfile
 Pipeline.InternalRelease.Jenkinsfile
 Pipeline.CodeCheck.Jenkinsfile
+Pipeline.LTU_DEV.Jenkinsfile
 

README.md

@@ -12,9 +12,9 @@ development is still ongoing [see Todo section](./README.md#todo)
 ## tl;dr
 
 ```console 
-$ git clone https://github.com/gematik/app-PkiTestsuite
+$ Download release zip file from https://github.com/gematik/app-PkiTestsuite/releases und extract it
 $ cp <UserDefinedConfigfile>.yml ./config/pkits.yml (examples see: /docs/config/inttest/)
-$ ./initialTslAndTa.sh (generates VA and TSL in ./out for import in test object)
+$ ./initialTslAndTa.sh (generates trust anchor and TSL in ./out for import in test object)
 $ # The test object has to be started and accessible from now on.
 $ ./checkInitialState.sh (acquires TSL sequence number from the test object by analysing a tsl download request and applying a use case)
 $ ./startApprovalTest.sh (chose tests that shall be executed from allTests.txt)
@@ -28,27 +28,30 @@ implemented as maven modules:
 
 ### 1. PKI Test Suite
 
-This is the tests suite itself. It is used to start all following modules, configure them and read
+This is the test suite itself. It is used to start all following modules, configure them and read
 the results. It has
-a [package](pkits-testsuite/src/test/java/de/gematik/pki/pkits/testsuite/approval/) with classes to
+a [package](pkits-testsuite/src/main/java/de/gematik/pki/pkits/testsuite/approval/) with classes to
 all
-approval tests which are executed via maven-failsafe-plugin. The test suite calls a use
+approval tests. The test suite calls a use
 case (see [Use Case Modules](./README.md#4-use-case-modules)) and expects it to either pass or fail,
 depending on the test data used. If the expectation is fulfilled, the test case is passed.
 
 ### 2. TSL Provider
 
-The TSL provider is started as an own process. It is configured and started during the PKI tests by
-the PKI test suite module to deliver a TSL to the test object. It is implemented as a spring boot
-tomcat web server.
+The TSL provider is to deliver TSLs to the test object.
+The behaviour of the TSL provider, such as the content of a TSL offered to the test object, is configured in test cases over a REST interface.
+The TSL provider is implemented as a spring boot tomcat web server and runs as its own process. 
+The TSL provider can be started independently or by the test suite during its execution.
+To started independently then set `appPath` to `"externalStartup"`. 
 
 ### 3. OCSP Responder
 
-The OCSP responder is started as an own process. It is started and configured during the PKI tests
-by the PKI test suite module to answer OCSP requests sent by the test object. This configuration is
-done over a REST interface and absolutely transparent to the user. Depending on the tests executed
-it is configured to deliver unsigned OCSP responses, wrong cert hashes and so on. It is implemented
-as a spring boot tomcat web server.
+The OCSP responder is to generate responses to OCSP requests sent by the test object.
+The behaviour of the OCSP responder is configured over a REST interface and absolutely transparent to the user. 
+Depending on the tests executed it is configured to deliver unsigned OCSP responses, wrong cert hashes and so on.
+Similar to the TSL provider, it is implemented as a spring boot tomcat web server and runs as its own process.
+The OCSP responder can be started independently or by the test suite during its execution.
+To started independently then set `appPath` to `"externalStartup"`.
 
 ### 4. Use Case Modules
 
@@ -74,12 +77,12 @@ successful, **not if the script could be executed successful!**
 ## Configuration
 
 All configuration is done in one file: [/config/pkits.yml](./config/pkits.yml). You can find
-examples in [/docs/config/inttest/](./docs/configs/inttest/). The most important parameters
-are how to reach the test object and where to find the test data as well as where the test object
-can reach the TSL- and OCSP- simulators provided by this test suite. Paths are relative to the
-directory `./pkits-testsuite` or can be absolute. All available parameters including a short
-description can be found in [all_pkits_parameters.yml](./docs/all_pkits_parameters.yml). As this is
-a YAML file remember to strictly follow the syntax.
+examples in [/docs/config/inttest/](./docs/configs/inttest/). 
+The most important parameters are how to reach the test object and where to find the test data as well as where the test object can reach the TSL- and OCSP- simulators provided by this test suite.
+Paths in the `pkits.yml` in are relative to the base directory. 
+Absolute paths can be used as well.
+All available parameters including a short description can be found in [all_pkits_parameters.yml](./docs/all_pkits_parameters.yml). 
+As this is a YAML file remember to strictly follow the syntax.
 
 ### Test Data
 
@@ -92,19 +95,19 @@ the fly. If you use your own test data make sure that issuing certificates are a
 ### Initial TSL and Trust Anchor
 
 For the configuration of the test object it is necessary to initialize it with a trust space
-compatible to the test suite. For this, a convenient script is provided by the test suite:
-By executing `initialTslAndTa.sh` an initial TSL and the corresponding trust anchor are written to
+compatible to the test suite. 
+For this, a convenient script is provided by the test suite:
+By executing `./initialTslAndTa.sh` an initial TSL and the corresponding trust anchor are written to
 the `./out` directory for import into the test object. This TSL contains the TU trust store as well,
 this means, that the test object can be used during the pki tests by other services as well.
 
 ## Test Execution
 
 The test suite expects a test object that is running and accessible over the configured IP address
 and port (see [Configuration](./README.md#configuration)). Tests are executed via the
-script `./startApprovalTest.sh`. It will compile all modules
-and run the approval test classes via maven-failsafe-plugin. Furthermore,
-the [OCSP responder](./README.md#3-ocsp-responder)
-and [TSL provider](./README.md#2-tsl-provider) are started at the configured sockets (if they are
+script `./startApprovalTest.sh`. 
+Furthermore, the [OCSP responder](./README.md#3-ocsp-responder)
+and [TSL provider](./README.md#2-tsl-provider) communicate at the configured sockets (if they are
 not deactivated). Logs are written to the `./out/logs` directory. Afterwards a test report is
 generated in the `./out/testreport` directory.
 
@@ -121,8 +124,7 @@ and running and accessible by the testsuite and its components.
 
 Besides executing all tests, it is possible to select or exclude specific tests for execution.
 This is done via the file `allTests.txt`.
-The file lists test classes `CertificateApprovalTestsIT`, `OcspApprovalTestsIT`
-, `TslApprovalTestsIT`, `TslITSignerApprovalTestIT` and all tests defined in the test classes.
+The file lists test classes `CertificateApprovalTestsIT`, `OcspApprovalTestsIT`, `TslApprovalTestsIT`, `TslITSignerApprovalTestIT`, `TslVaApprovalTestsIT` and all tests defined in the test classes.
 Test classes as well as separate tests can be marked with `+` or `-`.
 Tests marked with a `+` will be executed when `./startApprovalTests.sh` is used the next time.
 Tests marked with a `-` are excluded from the execution.

ReleaseNotes.md

@@ -2,14 +2,20 @@
 
 # Release notes PKI Test Suite
 
+## Release 1.0.1
+
+- migrate from maven based execution of approval tests to binary (jar) based
+- enable building docker images for OCSP Responder and TSL Provider
+- add verification of expected sequence number in OCSP responses
+
 ## Release 0.4.1
 
 - add test cases checking number of retries for primary and backend endpoints for TSL download
 - add test cases in the context of Trust Anchor Change verification - the tests are set to run as the last
 - add test cases in the context of TSL signer certificate verification
 - add test cases in the context of TSL approval verification
 - force trust anchor change tests to run as last
-- add documentation of all AFOs and correspondings test cases
+- add documentation of all AFOs and corresponding test cases
   files: [AFOs description](./docs/afoCoverage_afoDescriptions.txt),
   [AFOs to tests mapping](./docs/afoCoverage_afoToTests.txt),
   [tests to AFOs mapping](./docs/afoCoverage_testToAfos.txt)

allTests.txt

@@ -64,9 +64,9 @@
 	verifyTslSignerCertInvalidKeyUsageAndExtendedKeyUsage           Test TSL signer certificates with invalid key usage and extended key usage
 	verifyTslSignerCertNotYetValid                                  Test TSL signer certificate that is not yet valid - notBefore is in the future
 
-+	de.gematik.pki.pkits.testsuite.approval.TslVaApprovalTestsIT
-	verifyHandlingOfStatusStartingTimeAndOverwriteOfAnnouncedTrustAnchors  Test overwrite behaviour and proper handling of StatusStartingTime of announced trust anchors
-	verifyMultipleAnnouncedTrustAnchorsInTsl                               Test multiple announced trust anchors in single TSL
-	verifyNewTrustAnchorInvalidTime                                        Test updating trust anchor with certificates that have invalid times
-	verifyNewTrustAnchorsIsBroken                                          Test for an announced broken trust anchor and cannot be extracted
-	verifyUpdateTrustAnchor                                                Test updating trust anchor
+-	de.gematik.pki.pkits.testsuite.approval.TslVaApprovalTestsIT
+-	verifyHandlingOfStatusStartingTimeAndOverwriteAnnouncedInactiveTrustAnchors  Test overwrite behaviour and proper handling of StatusStartingTime of announced trust anchors
+-	verifyMultipleAnnouncedTrustAnchorsInTsl                                     Test multiple announced trust anchors in single TSL
+-	verifyNewTrustAnchorInvalidTime                                              Test updating trust anchor with certificates that have invalid times
+-	verifyNewTrustAnchorsIsBroken                                                Test for an announced broken trust anchor and cannot be extracted
+-	verifyUpdateTrustAnchor                                                      Test updating trust anchor

assembly.xml

@@ -1,27 +1,27 @@
 <assembly xmlns="http://maven.apache.org/ASSEMBLY/2.1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/ASSEMBLY/2.1.1 https://maven.apache.org/xsd/assembly-2.1.1.xsd">
-	<id>jar-with-dependencies</id>
-	<formats>
-		<format>jar</format>
-	</formats>
-	<includeBaseDirectory>false</includeBaseDirectory>
-	<dependencySets>
-		<dependencySet>
-			<outputDirectory>/</outputDirectory>
-			<useProjectArtifact>false</useProjectArtifact>
-			<scope>runtime</scope>
-			<unpack>true</unpack>
-			<unpackOptions>
-				<excludes>
-					<exclude>**/log4j2.xml</exclude>
-				</excludes>
-			</unpackOptions>
-		</dependencySet>
-	</dependencySets>
-	<!-- to fix problem with log4j2.xml taken from pkits-common, see PKITS-236 -->
-	<fileSets>
-		<fileSet>
-			<directory>${project.build.outputDirectory}</directory>
-			<outputDirectory>/</outputDirectory>
-		</fileSet>
-	</fileSets>
+  <id>jar-with-dependencies</id>
+  <formats>
+    <format>jar</format>
+  </formats>
+  <includeBaseDirectory>false</includeBaseDirectory>
+  <dependencySets>
+    <dependencySet>
+      <outputDirectory>/</outputDirectory>
+      <useProjectArtifact>false</useProjectArtifact>
+      <scope>runtime</scope>
+      <unpack>true</unpack>
+      <unpackOptions>
+        <excludes>
+          <exclude>**/log4j2.xml</exclude>
+        </excludes>
+      </unpackOptions>
+    </dependencySet>
+  </dependencySets>
+  <!-- to fix problem with log4j2.xml taken from pkits-common, see PKITS-236 -->
+  <fileSets>
+    <fileSet>
+      <directory>${project.build.outputDirectory}</directory>
+      <outputDirectory>/</outputDirectory>
+    </fileSet>
+  </fileSets>
 </assembly>

checkInitialState.sh

@@ -1,3 +1,5 @@
 #!/bin/bash
 
-mvn verify -Dit.test=de.gematik.pki.pkits.testsuite.approval.ApprovalTestsBaseIT#checkInitialState -DfailIfNoTests=false -Dl4j.level=info
+java -jar ./bin/pkits-testsuite.jar --tests-names "ApprovalTestsBaseIT#checkInitialState"
+
+printf "...done!"

docker-compose-base.yml

@@ -0,0 +1,60 @@
+version: '3.7'
+
+# Common Health Check Properties
+x-healthcheck-config: &healthcheck-ref
+  # Expects that the Spring Actuator port is 8180
+  #test: "curl --fail --silent http://localhost:8180/actuator/health | grep UP"
+  interval: 15s
+  timeout: 10s
+  retries: 40
+  start_period: 30s
+
+# Common Environment Timezone Entry
+x-environment-timezone: &environment-timezone-ref
+  TZ: Europe/Berlin
+
+# Common Environment Server ports
+x-environment-server-ports: &environment-server-ports-ref
+  MANAGEMENT_PORT: 8180 # Spring Actuator Port
+
+# Common Service Properties
+x-service-setup: &service-setup-ref
+  restart: always
+
+# Common Network
+x-service-network: &service-network-ref
+  networks:
+    pkits-federation:
+
+services:
+  # OCSP responder
+  pkitsocspresponder:
+    image: eu.gcr.io/gematik-all-infra-prod/pkits/pkits-ocsp-responder:${appVersion}
+    user: 10000:10000
+    container_name: pkits-ocsp-responder
+    <<: *service-network-ref
+    <<: *service-setup-ref
+    environment:
+      <<: *environment-timezone-ref
+      <<: *environment-server-ports-ref
+    healthcheck:
+      <<: *healthcheck-ref
+      test: "curl --fail --silent http://localhost:8083/actuator/health | grep UP"
+
+  # TSL provider
+  pkitstslprovider:
+    image: eu.gcr.io/gematik-all-infra-prod/pkits/pkits-tsl-provider:${appVersion}
+    user: 10000:10000
+    container_name: pkits-tsl-provider
+    <<: *service-network-ref
+    <<: *service-setup-ref
+    environment:
+      <<: *environment-timezone-ref
+      <<: *environment-server-ports-ref
+    healthcheck:
+      <<: *healthcheck-ref
+      test: "curl --fail --silent http://localhost:8084/actuator/health | grep UP"
+
+networks:
+  pkits-federation:
+    name: pkits-federation

docker-compose-deployLocal.yml

@@ -0,0 +1,10 @@
+version: '3.7'
+
+services:
+  pkitsocspresponder:
+    ports:
+      - "8083:8083"
+
+  pkitstslprovider:
+    ports:
+      - "8084:8084"

docs/afoCoverage_afoToTests.txt

@@ -39,14 +39,14 @@ GS-A_4642
   TslSignerApprovalTestsIT.verifyTslSignerCertExpired
   TslSignerApprovalTestsIT.verifyTslSignerCertInvalidKeyUsageAndExtendedKeyUsage
   TslSignerApprovalTestsIT.verifyTslSignerCertNotYetValid
-  TslVaApprovalTestsIT.verifyHandlingOfStatusStartingTimeAndOverwriteOfAnnouncedTrustAnchors
+  TslVaApprovalTestsIT.verifyHandlingOfStatusStartingTimeAndOverwriteAnnouncedInactiveTrustAnchors
   TslVaApprovalTestsIT.verifyMultipleAnnouncedTrustAnchorsInTsl
   TslVaApprovalTestsIT.verifyNewTrustAnchorInvalidTime
   TslVaApprovalTestsIT.verifyNewTrustAnchorsIsBroken
   TslVaApprovalTestsIT.verifyUpdateTrustAnchor
 
 GS-A_4643
-  TslVaApprovalTestsIT.verifyHandlingOfStatusStartingTimeAndOverwriteOfAnnouncedTrustAnchors
+  TslVaApprovalTestsIT.verifyHandlingOfStatusStartingTimeAndOverwriteAnnouncedInactiveTrustAnchors
   TslVaApprovalTestsIT.verifyMultipleAnnouncedTrustAnchorsInTsl
   TslVaApprovalTestsIT.verifyNewTrustAnchorInvalidTime
   TslVaApprovalTestsIT.verifyNewTrustAnchorsIsBroken

docs/afoCoverage_testToAfos.txt

@@ -65,8 +65,8 @@ de.gematik.pki.pkits.testsuite.approval.TslSignerApprovalTestsIT
   verifyTslSignerCertNotYetValid                                  GS-A_4642, GS-A_4648, GS-A_4650, GS-A_4653
 
 de.gematik.pki.pkits.testsuite.approval.TslVaApprovalTestsIT
-  verifyHandlingOfStatusStartingTimeAndOverwriteOfAnnouncedTrustAnchors  GS-A_4642, GS-A_4643
-  verifyMultipleAnnouncedTrustAnchorsInTsl                               GS-A_4642, GS-A_4643
-  verifyNewTrustAnchorInvalidTime                                        GS-A_4642, GS-A_4643
-  verifyNewTrustAnchorsIsBroken                                          GS-A_4642, GS-A_4643
-  verifyUpdateTrustAnchor                                                GS-A_4642, GS-A_4643
+  verifyHandlingOfStatusStartingTimeAndOverwriteAnnouncedInactiveTrustAnchors  GS-A_4642, GS-A_4643
+  verifyMultipleAnnouncedTrustAnchorsInTsl                                     GS-A_4642, GS-A_4643
+  verifyNewTrustAnchorInvalidTime                                              GS-A_4642, GS-A_4643
+  verifyNewTrustAnchorsIsBroken                                                GS-A_4642, GS-A_4643
+  verifyUpdateTrustAnchor                                                      GS-A_4642, GS-A_4643