diff --git a/.config/starte2e.sh b/.config/starte2e.sh
index 8923882..5fa94ff 100755
--- a/.config/starte2e.sh
+++ b/.config/starte2e.sh
@@ -10,6 +10,14 @@ export PATH="${PATH}:/usr/bin"
 touch tests/environment/zitadel/service-user.json
 chmod a+rw tests/environment/zitadel/service-user.json
+# We only take down ldap if the cert are too old and need regeneration
+ldap_down=""
+file_creation=$(date -r ./tests/environment/certs/ca.crt +%s || echo 0)
+if [ $(( $(date +%s) - $file_creation )) -gt 2160000 ]; # 25 days old?
+then
+ldap_down="-v ldap"
+fi
+
 # Shut down any still running test-setup first
-docker compose --project-directory ./tests/environment down -v test-setup || true
+docker compose --project-directory ./tests/environment down -v test-setup $ldap_down || true
 docker compose --project-directory ./tests/environment up --wait
diff --git a/.gitignore b/.gitignore
index 7b94d5a..cf614b1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,6 @@
 /target
 /tests/environment/zitadel/service-user.json
 /tests/environment/config.yaml
+/tests/environment/certs/*.crt
+/tests/environment/certs/*.key
+.DS_Store
diff --git a/Cargo.lock b/Cargo.lock
index 3b49e96..6697b4b 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -727,7 +727,6 @@ dependencies = [
 "csv",
 "http 1.1.0",
 "indoc",
- "itertools 0.13.0",
 "ldap-poller",
 "ldap3",
 "reqwest 0.11.27",
@@ -1404,15 +1403,6 @@ dependencies = [
 "either",
 ]
-[[package]]
-name = "itertools"
-version = "0.13.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "413ee7dfc52ee1a4949ceeb7dbc8a33f2d6c088194d9f922fb8318faf1f01186"
-dependencies = [
- "either",
-]
-
 [[package]]
 name = "itoa"
 version = "1.0.11"
diff --git a/tests/environment/certs/ca.crt b/tests/environment/certs/ca.crt
deleted file mode 100644
index 3ce681b..0000000
--- a/tests/environment/certs/ca.crt
+++ /dev/null
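Review bot: The `|| echo 0` on the new `file_creation=` line turns every failure of `date -r` into "certificate is stale" — a missing ca.crt on first run is the intended case, but an unreadable path or a date(1) that does not take a file after `-r` (some BSD-derived implementations expect an epoch there; worth confirming on the macOS hosts this commit caters to) would silently tear ldap down on every run instead of surfacing the error. The 2160000-second cutoff and the mtime heuristic are also copied verbatim from tests/environment/certs/generate-certs.sh, so if either side changes alone, the certs job may regenerate ca.crt while ldap keeps serving the old one, or ldap is restarted for nothing. I would make the missing-file case explicit and leave a real `date` failure visible, e.g. `ca_crt=./tests/environment/certs/ca.crt` and `if [ ! -e "$ca_crt" ] || [ "$(( $(date +%s) - $(date -r "$ca_crt" +%s) ))" -gt 2160000 ]; then`, and name the constant with its reason: `cert_max_age=2160000 # 25 days: generate-certs.sh issues the server cert with openssl's default 30-day validity`. The top of the script (its `set` options) is outside the hunk, so whether a failing `date` would abort at all cannot be seen here.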
@@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDRjCCAi6gAwIBAgIUJOx9Ol0tRyUE3/iVcNB2Rzz5a0gwDQYJKoZIhvcNAQEL -BQAwIzELMAkGA1UEBhMCREUxFDASBgNVBAMMC2V4YW1wbGUub3JnMB4XDTI0MTAx -NTExMTYwN1oXDTI0MTExNDExMTYwN1owIzELMAkGA1UEBhMCREUxFDASBgNVBAMM -C2V4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvgnq -xqGvH+AAegua+e0oUwMn9cFSF2WfxBylT5NwQCuIRfXfOHwzAx7dViUBm8DuK4NX -+FfldWCzz8IDO726/hEVa+ePARd+RbAa5QIaWHPiyYVlfqncDJI9oHBNUM1TYvVR -FP+PrcTn6myb5KKhPA63TP1aLw34aO+J+8EcZXcSviYDQO1FQT4CMtIYEUTqzDb9 -5N7pl1RJynnTFm4SgTWnvIANq9/XqfPFD1Ov8dx0SLITXGvlf/rMEIh+TIjA3axM -p25HqSen3+wAHi22XoFheSz0k44broXqTWKj6Quowo4NcRrV9BMj0rhX5JQksHvw -Bq5XsLDa6WM+0iMkpwIDAQABo3IwcDAdBgNVHQ4EFgQUtKWU9QGEikd9M8bJFYQ1 -rycTpZ4wHwYDVR0jBBgwFoAUtKWU9QGEikd9M8bJFYQ1rycTpZ4wDwYDVR0TAQH/ -BAUwAwEB/zAdBgNVHREEFjAUggd6aXRhZGVsgglsb2NhbGhvc3QwDQYJKoZIhvcN -AQELBQADggEBAHkB0NMuYGGZcSui6i3CSOgE+tsIam4JDwBk5ZRfYJJpZP8nXCPz -KiWyrOfN5g/rhuatLypimmPpiYsd2RrWBCSLd3sxDYjxr6qoJY1gLDq/emOlDA22 -5ItcYcVo/wGFEolN141VVhLWXyyUfZp+1xay9Mi9baYKIUnRXQ7ugtl+gegdj8UA -TTjr8QDnmBmCF4BEdv/Vhd69uOgYBZMyY5wLN3o3ufimphq5WI1qxOHIIPD1Acmn -KOZBmPK5H57hUOedUCfniUC0uv0jZ8IVRnUuHpUYt+5P1EUmcnKm5hAGcIvpKffK -3JoxDTI/y+py5wbxAdX9bDXkO3kKIxJ9MJU= ------END CERTIFICATE----- diff --git a/tests/environment/certs/client.crt b/tests/environment/certs/client.crt deleted file mode 100644 index 6ef0098..0000000 --- a/tests/environment/certs/client.crt +++ /dev/null 
@@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDIDCCAgigAwIBAgIULs9q9mmwLrJtLo2osTDPw56uAbwwDQYJKoZIhvcNAQEL -BQAwIzELMAkGA1UEBhMCREUxFDASBgNVBAMMC2V4YW1wbGUub3JnMB4XDTI0MTAx -NTExMTYwN1oXDTM0MTAxMzExMTYwN1owHDEaMBgGA1UEAwwRYWRtaW4uZXhhbXBs -ZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDCIUKlNMGkkF1D -//+NU8ti+uGaKaEIIxfM2jt7iNtk36yBA+kOVFKPg8ytKu7SfKvDb9YpIPtgqN+c -VGwoseCRkDH1glmmVXOepIIEGFUuRIUgrDpJWd/CqTmoDRpRtf1ZNsMWt+IGcABY -GwAronjiWXLB17pG3pTR0sCJ8nGDYBVS4NWmvppwuoi8XImIHy0kjHjApqM8lpBr -ZRp5FQO8jwo6xK1Kay2QQO/50FP4QW66n/95F0uEGUm3sH+i1PWiWPHMH1oNP8kR -nzOudPASkmhs8/RuqZxQUSHTKTHFs3CX6jTFtvdtS1tyLKG5QCNVDZFqtf4LgliC -3G9ZsgaNAgMBAAGjUzBRMB0GA1UdDgQWBBT6RrrXHs1K/cXNY6lWodRSWebx/jAf -BgNVHSMEGDAWgBS0pZT1AYSKR30zxskVhDWvJxOlnjAPBgNVHRMBAf8EBTADAQH/ -MA0GCSqGSIb3DQEBCwUAA4IBAQCekQ7cPTShRg72LsAWzaSFBOfgn7190GckuWOO -8HlFncgJ0tevfhc86Hy2UT0hdG8guv/v2L4kRh8DLzfXxkpMyUNyaSCQ+By5RQqj -0Xo8etdADnBi/HPyzj0ynVAUsrPy3APKDYBn6NBvbgUOyQ9V/FSmOyusylzF1bG+ -RldMy+Abm9WmlWfLFRCZj+wlNkSOm6jR+U+wj9AG0UFqEdtJhvxazBLDwuDaFLVN -+SGEPWfuFsC6HMyASAriFhcQhCoNulCMx50NShSjDTY0WPQ823OiULau2yqHxJga -350n7lC8iReZcD0RxVhnuR9v4hDXtJLLZFF2AZX/PTu92Gf5 ------END CERTIFICATE----- diff --git a/tests/environment/certs/client.key b/tests/environment/certs/client.key deleted file mode 100644 index f702e88..0000000 --- a/tests/environment/certs/client.key +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDCIUKlNMGkkF1D -//+NU8ti+uGaKaEIIxfM2jt7iNtk36yBA+kOVFKPg8ytKu7SfKvDb9YpIPtgqN+c -VGwoseCRkDH1glmmVXOepIIEGFUuRIUgrDpJWd/CqTmoDRpRtf1ZNsMWt+IGcABY -GwAronjiWXLB17pG3pTR0sCJ8nGDYBVS4NWmvppwuoi8XImIHy0kjHjApqM8lpBr -ZRp5FQO8jwo6xK1Kay2QQO/50FP4QW66n/95F0uEGUm3sH+i1PWiWPHMH1oNP8kR -nzOudPASkmhs8/RuqZxQUSHTKTHFs3CX6jTFtvdtS1tyLKG5QCNVDZFqtf4LgliC -3G9ZsgaNAgMBAAECggEAAPf3hCmCOdb6kCdL2CGt5x2HWKSSiB7ctIn2OASTy6oO -C0rAs/CZxNuMfuSy8lvq43vAXs4qUu4kx3voWj+g9jj49teiqODOReFeQLT6X9O5 -slMJq2oGYstDXWJLWlMFI5fRW2CpgQy4A7iGxLD313FI0EzKQiZEKdPaYBXUmSo0 -UkPkyeRrbu6NkplgYYDGvddcueNnDwyYhWI4npm3P6qo2oRgSkFNp9A4yG2eZtY4 -lqXN6PxztcIqm3BT0mPK6sXsyigxFOnReCEgSHMpM25OImH6X/X5dSARGrCg3sl/ -ix8HZlT+uYZ9xgthza1CdwSaQC4Hw9dFhzh4SdosRQKBgQD/VrZQuqtxE/0r7WN3 -kt3PAWrE0GTLuREeedQYBubG8g1EP+nwSO6sc+U3ilI1TYmLew45zopJu9oasGTM -YQmkQmXa1OPgLWrZSTU/o+G+0pQ9FPTu5UJTvLZcCoMDm5AIMbH/Llvjk0saAyWA -Whx25d2Ox1DWSnMx+koB4aAa3wKBgQDCofeXGIke6OKLqW9MxJgTR9hzi/LQHTww -+ymq51lp5fq2LyCQq7A+eZ3MSAjSXxMmraWwsVAuPcZVssvjO9VBRj0Fragb2N0/ -rVR+KMJwMxIU4nofa2F50dL1usRGG8ISlL50uLXYuoRTzaJCNNCT8qhc1thH8+rZ -bSxBYDj4EwKBgQD4ij8MdadLelmE2J1pVtvxE0AKM47pfkrbj1qTyKP6IsInHM9p -xJQN6QHE/i7nE4I+8pj2S8Tv4Jp8QBbdmdb4vGjIiVEGdS78MfZS7AJg7Di+/Bcu -MppNR/N5xAGjEVkxoK3R5h4rdsQznbxzI0NxuG3g/MIC1JUsoKRJEIX3oQKBgDVt -TI+3dnx7pSR9YEYMeUphoHMnaYHjZJB1gZyeYRcGwGmeSiwsVPbxX3WiGHnXC2TE -qgT0x3PKFVWU/Q7lb8a5Ryr13n22bBV8uQLgoW83NbFx8eAKE/nitSwrFpHAMOf0 -2MsloRVbLdPrUK0n3lGefMTvXPNza3Y/17Qie8DtAoGBALkGPd8iJAZ9aY4SDnwi -qBPfC1+gDutE3mQnUlW6FfI47+G2g4uCwqfWGxrC0ehjWxZpuavzk0dzV3qBeL18 -3S1EyoB/uJPJJI5jC1nBShgnkLwdoVR3Jd3hUiLI47D7Fs4cKXs609SPhvL+lgxn -KWIRYiwaz7OOHiHfYiFIATmA ------END PRIVATE KEY----- diff --git a/tests/environment/certs/generate-certs.sh b/tests/environment/certs/generate-certs.sh index 93b4f72..f99f301 100755 --- a/tests/environment/certs/generate-certs.sh +++ b/tests/environment/certs/generate-certs.sh 
@@ -1,20 +1,36 @@
 #!/bin/sh
 set -eux
-openssl req -x509 -new -nodes -sha256 -newkey rsa:2048 \
- -keyout server.key \
- -out server.crt \
- -subj "/C=DE/CN=example.org" \
- -addext "subjectAltName = DNS:zitadel, DNS:localhost"
-
-# These keys are not actually secret, and when passed into the docker
-# container the server key needs to be readable by the container user
-chmod go+r server.key
-
-openssl x509 -outform pem -in server.crt -out ca.crt
-openssl req -x509 -nodes -days 3650 -sha256 -newkey rsa:2048 \
- -CAkey server.key \
- -CA ca.crt \
- -keyout client.key \
- -out client.crt \
- -subj "/CN=admin.example.org"
+script_dir=$(dirname $0)
+
+file_creation=$(date -r $script_dir/ca.crt +%s || echo 0)
+
+if [ $(( $(date +%s) - $file_creation )) -gt 2160000 ]; # 25 days old?
+then
+
+ # We need to set EKUs (extendedKeyUsage) otherwise MacOS won't trust
+ # the certificate
+ openssl req -x509 -new -nodes -sha256 -newkey rsa:2048 \
+ -keyout $script_dir/server.key \
+ -out $script_dir/server.crt \
+ -subj "/C=DE/CN=example.org" \
+ -addext "subjectAltName = DNS:zitadel, DNS:localhost" \
+ -addext "extendedKeyUsage = serverAuth, clientAuth"
+
+ # These keys are not actually secret, and when passed into the docker
+ # container the server key needs to be readable by the container user
+ chmod go+r $script_dir/server.key
+
+ openssl x509 -outform pem -in $script_dir/server.crt -out $script_dir/ca.crt
+ openssl req -x509 -nodes -days 3650 -sha256 -newkey rsa:2048 \
+ -CAkey $script_dir/server.key \
+ -CA $script_dir/ca.crt \
+ -keyout $script_dir/client.key \
+ -out $script_dir/client.crt \
+ -subj "/CN=admin.example.org"
+
+ chmod a+r $script_dir/client.key
+ chmod a+r $script_dir/client.crt
+ chmod a+r $script_dir/server.crt
+
+fi
diff --git a/tests/environment/certs/server.crt b/tests/environment/certs/server.crt
deleted file mode 100644
index 3ce681b..0000000
--- a/tests/environment/certs/server.crt
+++ /dev/null
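Review bot: The new `if` decides on regeneration from ca.crt's mtime with a 25-day cutoff, but the server `openssl req` still carries no `-days`, so the cert it writes gets openssl's default validity (the deleted server.crt ran 2024-10-15 to 2024-11-14, i.e. 30 days), and mtime is not validity — a copied, touched or clock-skewed file drifts from the cutoff with nothing noticing. Ask the certificate itself, e.g. `if ! openssl x509 -noout -checkend 432000 -in "$script_dir/ca.crt" 2>/dev/null; then` (regenerate when it is missing or expires within 5 days), and give the server cert an explicit `-days` so the policy lives in one place; .config/starte2e.sh makes the same mtime-based decision for tearing down ldap and must be kept in step with whatever is chosen here. The client cert is re-minted unchanged by `openssl req -x509 … -CA`, which by default emits a CA certificate — the deleted client.crt appears to carry a critical basicConstraints CA:TRUE — so the admin.example.org identity can itself issue certificates the server trusts; add `-addext "basicConstraints = CA:FALSE"` and `-addext "extendedKeyUsage = clientAuth"` to that command, following the EKU reasoning the comment gives for the server cert. Separately, `$(dirname $0)` and every `$script_dir/...` are unquoted; `script_dir=$(dirname "$0")` plus quoted paths is ShellCheck-clean and costs nothing.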
@@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDRjCCAi6gAwIBAgIUJOx9Ol0tRyUE3/iVcNB2Rzz5a0gwDQYJKoZIhvcNAQEL -BQAwIzELMAkGA1UEBhMCREUxFDASBgNVBAMMC2V4YW1wbGUub3JnMB4XDTI0MTAx -NTExMTYwN1oXDTI0MTExNDExMTYwN1owIzELMAkGA1UEBhMCREUxFDASBgNVBAMM -C2V4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvgnq -xqGvH+AAegua+e0oUwMn9cFSF2WfxBylT5NwQCuIRfXfOHwzAx7dViUBm8DuK4NX -+FfldWCzz8IDO726/hEVa+ePARd+RbAa5QIaWHPiyYVlfqncDJI9oHBNUM1TYvVR -FP+PrcTn6myb5KKhPA63TP1aLw34aO+J+8EcZXcSviYDQO1FQT4CMtIYEUTqzDb9 -5N7pl1RJynnTFm4SgTWnvIANq9/XqfPFD1Ov8dx0SLITXGvlf/rMEIh+TIjA3axM -p25HqSen3+wAHi22XoFheSz0k44broXqTWKj6Quowo4NcRrV9BMj0rhX5JQksHvw -Bq5XsLDa6WM+0iMkpwIDAQABo3IwcDAdBgNVHQ4EFgQUtKWU9QGEikd9M8bJFYQ1 -rycTpZ4wHwYDVR0jBBgwFoAUtKWU9QGEikd9M8bJFYQ1rycTpZ4wDwYDVR0TAQH/ -BAUwAwEB/zAdBgNVHREEFjAUggd6aXRhZGVsgglsb2NhbGhvc3QwDQYJKoZIhvcN -AQELBQADggEBAHkB0NMuYGGZcSui6i3CSOgE+tsIam4JDwBk5ZRfYJJpZP8nXCPz -KiWyrOfN5g/rhuatLypimmPpiYsd2RrWBCSLd3sxDYjxr6qoJY1gLDq/emOlDA22 -5ItcYcVo/wGFEolN141VVhLWXyyUfZp+1xay9Mi9baYKIUnRXQ7ugtl+gegdj8UA -TTjr8QDnmBmCF4BEdv/Vhd69uOgYBZMyY5wLN3o3ufimphq5WI1qxOHIIPD1Acmn -KOZBmPK5H57hUOedUCfniUC0uv0jZ8IVRnUuHpUYt+5P1EUmcnKm5hAGcIvpKffK -3JoxDTI/y+py5wbxAdX9bDXkO3kKIxJ9MJU= ------END CERTIFICATE----- diff --git a/tests/environment/certs/server.key b/tests/environment/certs/server.key deleted file mode 100644 index 176fc1d..0000000 --- a/tests/environment/certs/server.key +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC+CerGoa8f4AB6 -C5r57ShTAyf1wVIXZZ/EHKVPk3BAK4hF9d84fDMDHt1WJQGbwO4rg1f4V+V1YLPP -wgM7vbr+ERVr548BF35FsBrlAhpYc+LJhWV+qdwMkj2gcE1QzVNi9VEU/4+txOfq -bJvkoqE8DrdM/VovDfho74n7wRxldxK+JgNA7UVBPgIy0hgRROrMNv3k3umXVEnK -edMWbhKBNae8gA2r39ep88UPU6/x3HRIshNca+V/+swQiH5MiMDdrEynbkepJ6ff -7AAeLbZegWF5LPSTjhuuhepNYqPpC6jCjg1xGtX0EyPSuFfklCSwe/AGrlewsNrp -Yz7SIySnAgMBAAECggEAOtXTK//uug2d2CszpeD4tQqrGnjps3ixCAReYc6h2Bwi -Kpa+rzw0hujNWdhHMTOACVS2rZp43eg8gzvryFkrRXGAklG0goAFhgnJqdEG2w+1 -zPJRw+9Ow02basqaBUQsZtzQZ5Hfp8roijlp4lU/WdqsgVeGzj6jA8n1jE3zPq4f -tmVcvNjbNJ/RmbwqM4JuymduN7E0hT1GjlJXG+T1Fhu/UrOszcGQGCRObKq74K0Q -KGwUegxswMI8hcjiDCOD3yDUbHO7qCnDScYPiPNpoe9jMSEWH6mZ+/zOFgbgib0C -YYxTR5u77l/4E30MKCzTz3ekXcKIXZrWDGd7gN+VIQKBgQDwjialC3rZ6xg4X4MI -W3A3EiFxyNjq1Et99eStpjV3f88jURYlH6iwfkQ/+IfIniI6g7D+z/P/EAedxqEr -v2v15ExgHcrCjX4zQlLmKvlm6RHkI+eWhKgRSFoirrhQXuKqAw7IAV5RuG0qZfYJ -bxZJ4T9SSLMfxvhOAE8VWAsH3wKBgQDKPXV/8bLQ6Qwyuq7tMbJ0oY3HrEtJC6Kt -Jpt8uF1Vf07hTPgCBB+Pnks7fn56f/NyMxKH6tuXCS8lZ/CPbaA2QuxbgEZhJph6 -2rKyjZmRRwrXfO963biF0wVfXgDfR0UuGvyzFFnU7ifZO6OmycLYTsBqf8sLf8xW -ncLIf24cOQKBgGMoxadNFyQTM9WxEWt1fclFsQGdYEVUo5XVsaEfHXUX+0O8nhtJ -dJjkQ6/2+8nn3YYvWNuAzzx52BnikfddndwrcoxAW59dAgOROGjmmA4izxwy7Ljw -D/On1nfre9CtfFPGlOY/Iikfk+hhRU1YPGDR9+8sRqI3u40ztWW/+DQTAoGATPS6 -A2eLbadgduVGrwdcKrlW5AYR18fPrSelvv3AtkntUBojvVCoWdQYOJlXs3GAx5Hb -mVCrInviLs+wYEOM1Vj964uSPGGdYBJcMUlkiD2KSJlH328DShkUUEfK+St7jaHD -SrmRvU6qZyUkjtDzja/Z1CywrL2CmesKNZUX5zECgYBC6oWzprvjQ76pKXMafyyV -C5iQSxg8JgFuktCd4MpdqOoIfGPYdKITfXfaNBWUodGTgQcLIa7U9ybHFO82GbfH -Ocb+0BlfpKoDEio72UdxB4rrwd5kopp3uTHCL+JU/+KRgABxwmkZ4OQdQCK4yQGc -ewbrjn40U6p58Hehp18+ag== ------END PRIVATE KEY----- diff --git a/tests/environment/docker-compose.yaml b/tests/environment/docker-compose.yaml index e2f1dd5..159335c 100644 --- a/tests/environment/docker-compose.yaml +++ b/tests/environment/docker-compose.yaml 
@@ -1,4 +1,12 @@
 services:
+ certs:
+ image: alpine/openssl:3.3.2
+ volumes:
+ - type: bind
+ source: ./certs
+ target: /certs
+ entrypoint: /certs/generate-certs.sh
+
 ldap:
 image: bitnami/openldap:2.5.18
 ports:
@@ -15,6 +23,9 @@ services:
 source: ./certs
 target: /certs
 read_only: true
+ depends_on:
+ certs:
+ condition: 'service_completed_successfully'
 test-setup:
 image: famedly/famedly-sync-testenv
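Review bot: Only `ldap` receives `depends_on: certs: condition: service_completed_successfully`, yet the server cert's SAN is `DNS:zitadel, DNS:localhost` (generate-certs.sh), so if the zitadel or test-setup services — outside this hunk — also mount ./certs, they can start before the `certs` job has finished rewriting the files and come up on a stale or half-written cert; every consumer of that mount needs the same `depends_on` block. The `certs` service sets no `user:`, so it presumably runs as the image's default (root) with a read-write bind mount of the repository's certs directory, and the generated .key/.crt files land root-owned in the working tree; either `user: "${UID:-1000}:${GID:-1000}"` or a comment stating that root ownership is expected would spare the next developer a failing `rm`. `alpine/openssl:3.3.2` is pinned by tag only; for the step that mints the trust anchors of the whole test environment a digest pin (`image: alpine/openssl:3.3.2@sha256:…`) is the cheap supply-chain caveat.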