Add dns config example and add it to integration tests

* Add action for starting integration tests * Configure nginx to resolve DNS record * Sync itest.yml and docs/scripts/Readme.md resolve #100
2025-12-22 05:40:11 +01:00 · 2022-05-16 15:20:37 +02:00 · 2022-05-16 15:20:37 +02:00 · 5577a0b088
commit 5577a0b088
parent c4deef74eb
9 changed files with 79 additions and 17 deletions
--- a/docs/scripts/DNSConfigForItest.sh
+++ b/docs/scripts/DNSConfigForItest.sh
@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+#
+# This file is Free Software under the MIT License
+# without warranty, see README.md and LICENSES/MIT.txt for details.
+#
+# SPDX-License-Identifier: MIT
+#
+# SPDX-FileCopyrightText: 2022 German Federal Office for Information Security (BSI) <https://www.bsi.bund.de>
+# Software-Engineering: 2022 Intevation GmbH <https://intevation.de>
+
+# This script adds a new server block with the given DNS-Record and ajdust the "/etc/hosts" to
+# set the DNS-Record for the localhost for testing.
+
+set -e
+
+sudo touch /etc/nginx/sites-available/DNSConfig
+echo "
+    server {
+        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
+
+        ssl_certificate  '${SSL_CERTIFICATE}'; # e.g. ssl_certificate /etc/ssl/csaf/bundle.crt
+        ssl_certificate_key '${SSL_CERTIFICATE_KEY}'; # e.g. ssl_certificate_key /etc/ssl/csaf/testserver-key.pem;
+
+        root /var/www/html;
+
+        server_name ${DNS_NAME}; # e.g. server_name csaf.data.security.domain.tld;
+
+        location / {
+                try_files /.well-known/csaf/provider-metadata.json =404;
+        }
+
+        access_log /var/log/nginx/dns-domain_access.log;
+        error_log /var/log/nginx/dns-domain_error.log;
+}
+" | sudo tee -a /etc/nginx/sites-available/DNSConfig
+
+sudo ln -s /etc/nginx/sites-available/DNSConfig /etc/nginx/sites-enabled/
+
+echo "
+    127.0.0.1 $DNS_NAME
+" | sudo tee -a /etc/hosts
--- a/docs/scripts/Readme.md
+++ b/docs/scripts/Readme.md
@ -19,7 +19,10 @@ Calling example (as root):
    git clone https://github.com/csaf-poc/csaf_distribution.git
    pushd csaf_distribution/docs/scripts/

-    env FOLDERNAME=devca1 ORGANAME="CSAF Tools Development (internal)" ./TLSConfigsForITest.sh
-    env FOLDERNAME=devca1 ORGANAME="CSAF Tools Development (internal)" ./TLSClientConfigsForITest.sh
+    export FOLDERNAME=devca1 ORGANAME="CSAF Tools Development (internal)"
+    source ./TLSConfigsForITest.sh
+    set +e  # for an interactive shell, reverse set -e done by previous line
+    ./TLSClientConfigsForITest.sh
    ./setupProviderForITest.sh
+    ./testAggregator.sh
 ```
--- a/docs/scripts/TLSClientConfigsForITest.sh
+++ b/docs/scripts/TLSClientConfigsForITest.sh
@ -38,7 +38,7 @@ echo '
                return 404;
            }
       }
-'> clientCertificateConfigs.txt
+'> ~/${FOLDERNAME}/clientCertificateConfigs.txt

 sudo sed -i "/^server {/r  ${HOME}/${FOLDERNAME}/clientCertificateConfigs.txt" $NGINX_CONFIG_PATH

--- a/docs/scripts/TLSConfigsForITest.sh
+++ b/docs/scripts/TLSConfigsForITest.sh
@ -1,5 +1,3 @@
-#!/usr/bin/env bash
-
 # This file is Free Software under the MIT License
 # without warranty, see README.md and LICENSES/MIT.txt for details.
 #
@ -35,14 +33,14 @@ echo '
        ssl_certificate_key '${SSL_CERTIFICATE_KEY}'; # e.g. ssl_certificate_key /etc/ssl/csaf/testserver-key.pem;

        ssl_protocols TLSv1.2 TLSv1.3;
-' > TLSConfigs.txt
+' > ~/${FOLDERNAME}/TLSConfigs.txt

 # a second listener port for testing setup where someone wants to tunnel access
 # to an unpriviledged port and still have the same access url
 echo '
        listen 8443 ssl default_server; # ipv4
        listen [::]:8443 ssl http2 default_server;  # ipv6
-' > TLS8443Configs.txt
+' > ~/${FOLDERNAME}/TLS8443Configs.txt

 sudo cp $NGINX_CONFIG_PATH $NGINX_CONFIG_PATH.org
 sudo sed -i "/^server {/r ${HOME}/${FOLDERNAME}/TLSConfigs.txt" $NGINX_CONFIG_PATH
--- a/docs/scripts/createWebserverCertForITest.sh
+++ b/docs/scripts/createWebserverCertForITest.sh
@ -8,7 +8,7 @@

 set -e

-cd ~/${FOLDERNAME}
+pushd ~/${FOLDERNAME}

 certtool --generate-privkey --outfile testserver-key.pem

@ -33,9 +33,11 @@ certtool --generate-certificate --load-privkey testserver-key.pem --outfile test

 cat testserver.crt rootca-cert.pem >bundle.crt

-SSL_CERTIFICATE=$(
+export SSL_CERTIFICATE=$(
 echo "$PWD/bundle.crt"
 )
-SSL_CERTIFICATE_KEY=$(
+export SSL_CERTIFICATE_KEY=$(
 echo "$PWD/testserver-key.pem"
 )
+
+popd
--- a/docs/scripts/setupProviderForITest.sh
+++ b/docs/scripts/setupProviderForITest.sh
@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-
+#
 # This file is Free Software under the MIT License
 # without warranty, see README.md and LICENSES/MIT.txt for details.
 #
@ -16,7 +16,8 @@ set -e
 sudo chgrp -R www-data  /var/www
 sudo chmod -R g+w  /var/www

-NGINX_CONFIG_PATH=/etc/nginx/sites-available/default
+export NGINX_CONFIG_PATH=/etc/nginx/sites-available/default
+export DNS_NAME=csaf.data.security.domain.localhost

 sudo cp /usr/share/doc/fcgiwrap/examples/nginx.conf /etc/nginx/fcgiwrap.conf

@ -62,7 +63,7 @@ echo "
        autoindex on;
 " > locationConfig.txt
 sudo sed -i "/^\s*location \/ {/r locationConfig.txt" $NGINX_CONFIG_PATH # Insert config inside location{}
-
+./DNSConfigForItest.sh
 sudo systemctl reload nginx

 # assuming that we are in a checked out version in the docs/scripts directory
@ -94,3 +95,6 @@ popd

 # Upload files
 ./uploadToProvider.sh
+
+# Test resolving DNS record
+curl https://$DNS_NAME --insecure