.github/workflows/tps-basic-test.yml

name: Basic TPS

on:
  workflow_call:
    inputs:
      os:
        required: true
        type: string
      db-image:
        required: false
        type: string

jobs:
  # docs/installation/tps/Installing_TPS.md
  test:
    name: Test
    runs-on: ubuntu-latest
    env:
      SHARED: /tmp/workdir/pki
    steps:
      - name: Clone repository
        uses: actions/checkout@v3

      - name: Retrieve runner image
        uses: actions/cache@v3
        with:
          key: pki-tps-runner-${{ inputs.os }}-${{ github.run_id }}
          path: pki-runner.tar

      - name: Load runner image
        run: docker load --input pki-runner.tar

      - name: Create network
        run: docker network create example

      - name: Set up DS container
        run: |
          tests/bin/ds-container-create.sh ds
        env:
          IMAGE: ${{ inputs.db-image }}
          HOSTNAME: ds.example.com
          PASSWORD: Secret.123

      - name: Connect DS container to network
        run: docker network connect example ds --alias ds.example.com

      - name: Set up PKI container
        run: |
          tests/bin/runner-init.sh pki
        env:
          HOSTNAME: pki.example.com

      - name: Connect PKI container to network
        run: docker network connect example pki --alias pki.example.com

      - name: Install CA
        run: |
          docker exec pki pkispawn \
              -f /usr/share/pki/server/examples/installation/ca.cfg \
              -s CA \
              -D pki_ds_hostname=ds.example.com \
              -D pki_ds_ldap_port=3389 \
              -D pki_cert_id_generator=random \
              -D pki_request_id_generator=random \
              -v

          docker exec pki pki-server cert-find

      - name: Install KRA
        run: |
          docker exec pki pkispawn \
              -f /usr/share/pki/server/examples/installation/kra.cfg \
              -s KRA \
              -D pki_ds_hostname=ds.example.com \
              -D pki_ds_ldap_port=3389 \
              -D pki_key_id_generator=random \
              -D pki_request_id_generator=random \
              -v

          docker exec pki pki-server cert-find

      - name: Install TKS
        run: |
          docker exec pki pkispawn \
              -f /usr/share/pki/server/examples/installation/tks.cfg \
              -s TKS \
              -D pki_ds_hostname=ds.example.com \
              -D pki_ds_ldap_port=3389 \
              -v

          docker exec pki pki-server cert-find

      - name: Install TPS
        run: |
          docker exec pki pkispawn \
              -f /usr/share/pki/server/examples/installation/tps.cfg \
              -s TPS \
              -D pki_ds_hostname=ds.example.com \
              -D pki_ds_ldap_port=3389 \
              -D pki_authdb_hostname=ds.example.com \
              -D pki_authdb_port=3389 \
              -v

      - name: Check TPS audit signing cert
        run: |
          docker exec pki pki-server cert-export tps_audit_signing \
              --csr-file tps_audit_signing.csr \
              --cert-file tps_audit_signing.crt
          docker exec pki openssl req -text -noout -in tps_audit_signing.csr
          docker exec pki openssl x509 -text -noout -in tps_audit_signing.crt

      - name: Check subsystem cert
        run: |
          docker exec pki pki-server cert-export subsystem \
              --csr-file subsystem.csr \
              --cert-file subsystem.crt
          docker exec pki openssl req -text -noout -in subsystem.csr
          docker exec pki openssl x509 -text -noout -in subsystem.crt

      - name: Check SSL server cert
        run: |
          docker exec pki pki-server cert-export sslserver \
              --csr-file sslserver.csr \
              --cert-file sslserver.crt
          docker exec pki openssl req -text -noout -in sslserver.csr
          docker exec pki openssl x509 -text -noout -in sslserver.crt

      - name: Check TPS admin cert
        run: |
          docker exec pki openssl x509 -text -noout -in /root/.dogtag/pki-tomcat/ca_admin.cert

      - name: Run PKI healthcheck
        run: docker exec pki pki-healthcheck --failures-only

      - name: Check TPS admin
        run: |
          docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
          docker exec pki pki client-cert-import ca_signing --ca-cert ca_signing.crt
          docker exec pki pki client-cert-import \
              --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
              --pkcs12-password Secret.123
          docker exec pki pki -n caadmin tps-user-show tpsadmin

      - name: Set up TPS authentication
        run: |
          # import sample TPS users
          docker exec ds ldapadd \
              -H ldap://ds.example.com:3389 \
              -D "cn=Directory Manager" \
              -w Secret.123 \
              -f /usr/share/pki/tps/auth/ds/create.ldif
          docker exec ds ldapadd \
              -H ldap://ds.example.com:3389 \
              -D "cn=Directory Manager" \
              -w Secret.123 \
              -f /usr/share/pki/tps/auth/ds/example.ldif

          # configure TPS to use the sample TPS users
          docker exec pki pki-server tps-config-set \
              auths.instance.ldap1.ldap.basedn \
              ou=people,dc=example,dc=com

          # restart TPS subsystem
          docker exec pki pki-server tps-redeploy --wait

      - name: Add token
        run: |
          hexdump -v -n "10" -e '1/1 "%02x"' /dev/urandom > cuid
          CUID=$(cat cuid)
          docker exec pki pki -n caadmin tps-token-add $CUID | tee output

          echo "UNFORMATTED" > expected
          sed -n 's/\s*Status:\s\+\(\S\+\)\s*/\1/p' output > actual
          diff expected actual

          docker exec pki pki -n caadmin tps-cert-find --token $CUID

      - name: Format token
        run: |
          CUID=$(cat cuid)
          docker exec pki /usr/share/pki/tps/bin/pki-tps-format \
              --user=testuser \
              --password=Secret.123 \
              $CUID

          echo "FORMATTED" > expected
          docker exec pki pki -n caadmin tps-token-show $CUID | tee output
          sed -n 's/\s*Status:\s\+\(\S\+\)\s*/\1/p' output > actual
          diff expected actual

          docker exec pki pki -n caadmin tps-cert-find --token $CUID

      - name: Enroll token
        run: |
          CUID=$(cat cuid)
          docker exec pki /usr/share/pki/tps/bin/pki-tps-enroll \
              --user=testuser \
              --password=Secret.123 \
              $CUID

          echo "ACTIVE" > expected
          docker exec pki pki -n caadmin tps-token-show $CUID | tee output
          sed -n 's/\s*Status:\s\+\(\S\+\)\s*/\1/p' output > actual
          diff expected actual

          docker exec pki pki -n caadmin tps-cert-find --token $CUID

      - name: Gather artifacts
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh --output=/tmp/artifacts/pki ds
          tests/bin/pki-artifacts-save.sh pki
        continue-on-error: true

      - name: Remove TPS
        run: docker exec pki pkidestroy -i pki-tomcat -s TPS -v

      - name: Remove TKS
        run: docker exec pki pkidestroy -i pki-tomcat -s TKS -v

      - name: Remove KRA
        run: docker exec pki pkidestroy -i pki-tomcat -s KRA -v

      - name: Remove CA
        run: docker exec pki pkidestroy -i pki-tomcat -s CA -v

      - name: Upload artifacts
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: tps-basic-test-${{ inputs.os }}
          path: |
            /tmp/artifacts/pki