m/rdp-proxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial project snapshot

Browse Source
This commit is contained in:
Mikhail
2026-04-28 22:29:50 +03:00
commit 8ba0561f4f
365 changed files with 91832 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
scripts/smoke/prepare-platform-ca-direct-worker.ps1
+132
View File
@@ -0,0 +1,132 @@
param(
[string]$DockerSshAlias = "docker-test",
[string]$RemoteOutputDir = "/tmp/rap-p3-5-platform-ca",
[string]$LocalCaOutputPath = "artifacts/p3-5-platform-ca.crt",
[string]$WorkerHost = "192.168.200.61",
[string]$WorkerDnsName = "",
[string]$ClusterId = "default",
[string]$WorkerId = "rdp-worker-1",
[int]$Days = 30
)
Set-StrictMode -Version Latest
$ErrorActionPreference = "Stop"
function Quote-Bash {
param([string]$Value)
return "'" + $Value.Replace("'", "'\''") + "'"
}
$remoteDir = Quote-Bash $RemoteOutputDir
$workerHost = Quote-Bash $WorkerHost
$workerDnsName = Quote-Bash $WorkerDnsName
$clusterId = Quote-Bash $ClusterId
$workerId = Quote-Bash $WorkerId
$remoteScript = @"
set -euo pipefail
REMOTE_DIR=$remoteDir
WORKER_HOST=$workerHost
WORKER_DNS_NAME=$workerDnsName
CLUSTER_ID=$clusterId
WORKER_ID=$workerId
DAYS=$Days
mkdir -p "`$REMOTE_DIR"
chmod 700 "`$REMOTE_DIR"
rm -f "`$REMOTE_DIR"/ca.crt "`$REMOTE_DIR"/ca.key "`$REMOTE_DIR"/ca.srl \
"`$REMOTE_DIR"/worker.crt "`$REMOTE_DIR"/worker.key "`$REMOTE_DIR"/worker.csr \
"`$REMOTE_DIR"/ca-openssl.cnf "`$REMOTE_DIR"/worker-openssl.cnf
cat >"`$REMOTE_DIR/ca-openssl.cnf" <<'EOF_CA'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = RAP Test Platform Root CA
[v3_ca]
basicConstraints = critical,CA:true,pathlen:1
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
EOF_CA
cat >"`$REMOTE_DIR/worker-openssl.cnf" <<EOF_WORKER
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = `$WORKER_ID
[v3_req]
basicConstraints = critical,CA:false
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = `$WORKER_HOST
URI.1 = spiffe://rap/cluster/`$CLUSTER_ID/worker/`$WORKER_ID
EOF_WORKER
if [ -n "`$WORKER_DNS_NAME" ]; then
printf 'DNS.1 = %s\n' "`$WORKER_DNS_NAME" >>"`$REMOTE_DIR/worker-openssl.cnf"
fi
openssl genrsa -out "`$REMOTE_DIR/ca.key" 3072 >/dev/null 2>&1
openssl req -x509 -new -nodes -key "`$REMOTE_DIR/ca.key" -sha256 -days "`$DAYS" \
-out "`$REMOTE_DIR/ca.crt" -config "`$REMOTE_DIR/ca-openssl.cnf" >/dev/null 2>&1
openssl genrsa -out "`$REMOTE_DIR/worker.key" 3072 >/dev/null 2>&1
openssl req -new -key "`$REMOTE_DIR/worker.key" -out "`$REMOTE_DIR/worker.csr" \
-config "`$REMOTE_DIR/worker-openssl.cnf" >/dev/null 2>&1
openssl x509 -req -in "`$REMOTE_DIR/worker.csr" -CA "`$REMOTE_DIR/ca.crt" -CAkey "`$REMOTE_DIR/ca.key" \
-CAcreateserial -out "`$REMOTE_DIR/worker.crt" -days "`$DAYS" -sha256 \
-extensions v3_req -extfile "`$REMOTE_DIR/worker-openssl.cnf" >/dev/null 2>&1
if [ -f /tmp/rap-dp1d1/dp-public.pem ]; then
cp /tmp/rap-dp1d1/dp-public.pem "`$REMOTE_DIR/dp-public.pem"
elif [ -f /tmp/rap-dp1c/dp-public.pem ]; then
cp /tmp/rap-dp1c/dp-public.pem "`$REMOTE_DIR/dp-public.pem"
fi
chmod 600 "`$REMOTE_DIR"/ca.key "`$REMOTE_DIR"/worker.key
chmod 644 "`$REMOTE_DIR"/ca.crt "`$REMOTE_DIR"/worker.crt
echo "remote_dir=`$REMOTE_DIR"
echo "ca_cert=`$REMOTE_DIR/ca.crt"
echo "worker_cert=`$REMOTE_DIR/worker.crt"
echo "worker_key=`$REMOTE_DIR/worker.key"
openssl x509 -in "`$REMOTE_DIR/worker.crt" -noout -subject -ext subjectAltName
"@
$remoteScript | & ssh $DockerSshAlias "bash -s"
if ($LASTEXITCODE -ne 0) {
throw "Failed to prepare platform CA and worker certificate on SSH alias '$DockerSshAlias'."
}
$localCaPsPath = if ([System.IO.Path]::IsPathRooted($LocalCaOutputPath)) {
$LocalCaOutputPath
} else {
Join-Path (Resolve-Path -LiteralPath ".").Path $LocalCaOutputPath
}
$resolvedLocalCaPath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($localCaPsPath)
$localCaDirectory = Split-Path -Parent $resolvedLocalCaPath
if (-not [string]::IsNullOrWhiteSpace($localCaDirectory)) {
New-Item -ItemType Directory -Force -Path $localCaDirectory | Out-Null
}
$remoteCaSource = "$DockerSshAlias`:$RemoteOutputDir/ca.crt"
& scp $remoteCaSource $resolvedLocalCaPath
if ($LASTEXITCODE -ne 0) {
throw "Failed to copy platform CA certificate from '$remoteCaSource'."
}
Write-Host "Local platform CA bundle: $resolvedLocalCaPath"
Write-Host "Remote worker TLS directory: $RemoteOutputDir"