Generate SSL certificates for DB during testing
atodorov committed Jul 28, 2022
1 parent 58c453a commit e01a99d
Showing 4 changed files with 136 additions and 0 deletions.
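--- a/.github/workflows/ssl-db.yml
+++ b/.github/workflows/ssl-db.yml
@@ -0,0 +1,68 @@
+name: database-connection-via-ssl
+
+on:
+push:
+branches: master
+pull_request:
+
+jobs:
+mariadb:
+runs-on: ubuntu-latest
+strategy:
+matrix:
+python-version: [3.8]
+
+steps:
+- uses: actions/checkout@v3
+- name: Set up Python ${{ matrix.python-version }}
+uses: actions/setup-python@v4
+with:
+python-version: ${{ matrix.python-version }}
+
+- name: Generate DB certificates
+run: |
+# docker run -v $(pwd)/tests/db-certs/:/Kiwi/db-certs/:Z --rm -i kiwitcms/kiwi \
+# /usr/bin/sscg \
+# -v -f \
+# --country BG --locality Sofia \
+# --organization "Kiwi TCMS" \
+# --organizational-unit "DevOps" \
+# --ca-file /Kiwi/db-certs/ca.crt \
+# --ca-key-file /Kiwi/db-certs/ca.key \
+# --cert-file /Kiwi/db-certs/server.crt \
+# --cert-key-file /Kiwi/db-certs/server.key
+# re-enable & add client cert when https://github.com/sgallagher/sscg/issues/3 is fixed
+pushd ./tests/ && ./gen-db-certs.sh && popd
+- name: Create database
+run: |
+docker-compose -f docker-compose.mariadb-ssl pull db
+docker-compose -f docker-compose.mariadb-ssl run -d -p 3306:3306 --name kiwi_db db
+sleep 20 # wait to initialize
+set -e
+docker exec -i kiwi_db mariadb -u root -pkiwi-1s-aw3s0m3 \
+--ssl-ca=/etc/certs/ca.pem \
+--ssl-cert=/etc/certs/client-cert.pem \
+--ssl-key=/etc/certs/client-key.pem -e 'status' | grep "Cipher in use is"
+- name: Initialize DB tables & records
+run: |
+sudo apt-get update
+sudo apt-get install gettext
+sudo mkdir /Kiwi
+sudo chmod a+w /Kiwi
+pip install -r requirements/devel.txt
+pip install -r requirements/mariadb.txt
+pushd tcms/ && npm install && popd
+export LANG=bg-bg
+set -e
+coverage run --source='.' ./manage.py migrate -v2 --noinput --settings tcms.settings.test.mariadb
+- name: Send coverage to codecov.io
+run: |
+coverage report -m
+bash <(curl -s https://codecov.io/bash)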
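Review bot: The coverage upload on the last line, `bash <(curl -s https://codecov.io/bash)`, runs whatever that endpoint serves at job time with no version pinning and no checksum verification, so the integrity of this job (which has a checkout and the default token available) rests entirely on a remote script fetched over the network. Using the maintained action pinned to a release, `uses: codecov/codecov-action@v3`, or verifying the published checksum of the downloaded uploader before executing it, removes that dependency. In the "Create database" step `set -e` is enabled only after the `docker-compose ... pull` and `run` lines, so a failed pull or container start is not reported until the later `docker exec` fails, and `sleep 20` is a guess rather than a readiness check. Moving `set -e` to the first line of that step and polling the server until it answers (instead of the fixed sleep) makes failures surface where they happen and removes a timing-dependent flake. `python-version: [3.8]` is parsed as a YAML float; quoting it, `python-version: ["3.8"]`, avoids the `3.10` → `3.1` trap when the matrix grows.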
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -16,4 +16,5 @@ docs/target/
.vscode/
.cache/
tcms/node_modules/
tests/db-certs/*.pem
package-lock.json
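--- a/docker-compose.mariadb-ssl
+++ b/docker-compose.mariadb-ssl
@@ -0,0 +1,24 @@
+version: '2'
+
+services:
+db:
+container_name: kiwi_db
+image: mariadb:latest
+command: [ "--character-set-server=utf8mb4",
+"--collation-server=utf8mb4_unicode_ci",
+"--require-secure-transport=ON",
+"--ssl-ca=/etc/certs/ca.pem",
+"--ssl-cert=/etc/certs/server-cert.pem",
+"--ssl-key=/etc/certs/server-key.pem" ]
+volumes:
+- db_data:/var/lib/mysql
+- ./tests/db-certs/:/etc/certs/
+restart: always
+environment:
+MYSQL_ROOT_PASSWORD: kiwi-1s-aw3s0m3
+MYSQL_DATABASE: kiwi
+MYSQL_USER: kiwi
+MYSQL_PASSWORD: kiwi
+
+volumes:
+db_data: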
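Review bot: The certificate directory is bind-mounted read-write (`- ./tests/db-certs/:/etc/certs/`) although the server only reads CA, certificate and key from it, and the generator script in this same commit makes those private keys world-readable; mounting it read-only, `- ./tests/db-certs/:/etc/certs/:ro`, stops anything in the container from altering the host-side key material at no cost to the test. `image: mariadb:latest` means the job is reproducible only until the next image release, so a TLS-related behaviour change in the server would appear as an unexplained CI failure rather than a deliberate bump; pinning to a major/minor tag keeps that under the project's control. The credentials in `environment` are test fixtures that also appear verbatim in the workflow, so a comment saying so, `# test-only credentials, duplicated in .github/workflows/ssl-db.yml`, would keep a future reader from rotating one copy without the other.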
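--- a/tests/gen-db-certs.sh
+++ b/tests/gen-db-certs.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+OPENSSL_SUBJ="/C=BG/ST=Sofia/L=Sofia"
+OPENSSL_CA="${OPENSSL_SUBJ}/CN=fake-CA"
+OPENSSL_SERVER="${OPENSSL_SUBJ}/CN=fake-server"
+OPENSSL_CLIENT="${OPENSSL_SUBJ}/CN=fake-client"
+
+mkdir -p db-certs/
+pushd db-certs/
+
+# Generate new CA certificate ca.pem file.
+openssl genrsa 2048 > ca-key.pem
+
+# TODO This has interaction that must be automated
+openssl req -new -x509 -nodes -days 3600 \
+-subj "${OPENSSL_CA}" \
+-key ca-key.pem -out ca.pem
+
+
+# Create the server-side certificates
+# This has more interaction that must be automated
+
+openssl req -newkey rsa:2048 -days 3600 -nodes \
+-subj "${OPENSSL_SERVER}" \
+-keyout server-key.pem -out server-req.pem
+openssl rsa -in server-key.pem -out server-key.pem
+openssl x509 -req -in server-req.pem -days 3600 \
+-CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
+
+# Create the client-side certificates
+openssl req -newkey rsa:2048 -days 3600 -nodes \
+-subj "${OPENSSL_CLIENT}" \
+-keyout client-key.pem -out client-req.pem
+openssl rsa -in client-key.pem -out client-key.pem
+openssl x509 -req -in client-req.pem -days 3600 \
+-CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
+
+# Verify the certificates are correct
+openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
+
+# make the keys readable b/c we're having issues with uid/gid inside the containers
+chmod 644 client-key.pem server-key.pem ca-key.pem
+popd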
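Review bot: The script never enables `set -e`, so its exit status is that of the final `popd` and a failed `openssl` step, including the `openssl verify` check near the end, is never reported to the caller; the workflow's `./gen-db-certs.sh && popd` chain therefore proceeds with missing or broken certificates and the failure only shows up later as an opaque connection error. Adding `set -euo pipefail` directly under the shebang fixes that. Both leaf certificates are signed by the same CA with `-set_serial 01`, which gives the server and client certificates an identical issuer/serial pair, something strict validators and certificate caches can reject; the client issuance should use a distinct value, `-CA ca.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem`. The two `This has interaction that must be automated` comments are stale, since every `openssl req` call already passes `-subj` and `-nodes` and runs unattended, and can be dropped. The `pushd db-certs/` assumes the script is run from `tests/`; `cd "$(dirname "$0")"` as the first statement would make it location-independent.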
