Generating server certificate in the http-tests workflow

Author: namedgraph

.github/workflows/http-tests.yml

@@ -23,16 +23,15 @@ jobs:
             JENA_HOME: "${{ runner.temp }}/apache-jena-${{ env.JENA_VERSION }}"
       - name: Checkout code
         uses: actions/checkout@v3
-        with:
-          path: http-tests
+      - name: Generating server certificate
+        run: ./scripts/server-cert-gen.sh .env nginx ssl
       - name: Writing secrets to files
         run: |
           mkdir -p ./secrets
           printf "%s" "${{ secrets.HTTP_TEST_OWNER_CERT_PASSWORD }}" > ./secrets/owner_cert_password.txt
           printf "%s" "${{ secrets.HTTP_TEST_SECRETARY_CERT_PASSWORD }}" > ./secrets/secretary_cert_password.txt
           printf "%s" "${{ secrets.HTTP_TEST_SECRETARY_CERT_PASSWORD }}" > ./secrets/client_truststore_password.txt
         shell: bash
-        working-directory: http-tests
       - name: Build Docker image & Run Docker containers
         run: docker compose -f docker-compose.yml -f ./http-tests/docker-compose.http-tests.yml --env-file ./http-tests/.env up --build -d
       - name: Wait for the server to start...

scripts/server-cert-gen.sh

@@ -0,0 +1,91 @@
+#!/usr/bin/env bash
+set -e
+
+if [ "$#" -ne 3 ]; then
+    echo "Usage:   $0" '$env_file $proxy_host $out_folder' >&2
+    echo "Example: $0 .env nginx ssl" >&2
+    exit 1
+fi
+
+env_file="$1"
+proxy_host="$2"
+out_folder="$3"
+server_cert="${out_folder}/server/server.crt"
+server_public_key="${out_folder}/server/server.key"
+
+function envProp {
+  local expectedKey=$1
+  while IFS='=' read -r k v; do
+      if [ -n "$k" ] && [ "$k" == "$expectedKey" ] ; then
+        echo "$v";
+        break;
+      fi
+  done < "$env_file"
+}
+
+printf "### Output folder: %s\n" "$out_folder"
+
+if [ -z "$(envProp "PROTOCOL")" ]; then
+    echo "Configuration is incomplete: PROTOCOL is missing"
+    exit 1
+fi
+if [ -z "$(envProp "HTTPS_PORT")" ]; then
+    echo "Configuration is incomplete: HTTPS_PORT is missing"
+    exit 1
+fi
+if [ -z "$(envProp "HTTP_PORT")" ]; then
+    echo "Configuration is incomplete: HTTP_PORT is missing"
+    exit 1
+fi
+if [ -z "$(envProp "HOST")" ]; then
+    echo "Configuration is incomplete: HOST is missing"
+    exit 1
+fi
+if [ -z "$(envProp "ABS_PATH")" ]; then
+    echo "Configuration is incomplete: ABS_PATH is missing"
+    exit 1
+fi
+
+if [ "$(envProp "PROTOCOL")" = "https" ]; then
+    if [ "$(envProp "HTTPS_PORT")" = 443 ]; then
+        base_uri="$(envProp "PROTOCOL")://$(envProp "HOST")$(envProp "ABS_PATH")"
+    else
+        base_uri="$(envProp "PROTOCOL")://$(envProp "HOST"):$(envProp "HTTPS_PORT")$(envProp "ABS_PATH")"
+    fi
+else
+    if [ "$(envProp "HTTP_PORT")" = 80 ]; then
+        base_uri="$(envProp "PROTOCOL")://$(envProp "HOST")$(envProp "ABS_PATH")"
+    else
+        base_uri="$(envProp "PROTOCOL")://$(envProp "HOST"):$(envProp "HTTP_PORT")$(envProp "ABS_PATH")"
+    fi
+fi
+
+printf "\n### Base URI: %s\n" "$base_uri"
+
+### SERVER CERT ###
+
+mkdir -p "$out_folder"/server
+
+# crude check if the host is an IP address
+if [[ "$(envProp "HOST")" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
+    if [ -n "$proxy_host" ]; then
+        san="subjectAltName=IP:$(envProp "HOST"),DNS:${proxy_host}" # IP address - special case for localhost
+    else
+        san="subjectAltName=IP:$(envProp "HOST")" # IP address
+    fi
+else
+    if [ -n "$proxy_host" ]; then
+        san="subjectAltName=DNS:$(envProp "HOST"),DNS:${proxy_host}" # hostname - special case for localhost
+    else
+        san="subjectAltName=DNS:$(envProp "HOST")" # hostname
+    fi
+fi
+
+# openssl <= 1.1.1
+openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
+  -keyout "$server_public_key" \
+  -out "$server_cert" \
+  -subj "/CN=$(envProp "HOST")/OU=LinkedDataHub/O=AtomGraph/L=Copenhagen/C=DK" \
+  -extensions san \
+  -config <(echo '[req]'; echo 'distinguished_name=req';
+            echo '[san]'; echo "$san")