Add pki --api option

.github/workflows/ca-basic-test.yml

@@ -33,20 +33,18 @@ jobs:
           tests/bin/ds-create.sh \
               --image=${{ env.DS_IMAGE }} \
               --hostname=ds.example.com \
+              --network=example \
+              --network-alias=ds.example.com \
               --password=Secret.123 \
               ds
 
-      - name: Connect DS container to network
-        run: docker network connect example ds --alias ds.example.com
-
       - name: Set up PKI container
         run: |
-          tests/bin/runner-init.sh pki
-        env:
-          HOSTNAME: pki.example.com
-
-      - name: Connect PKI container to network
-        run: docker network connect example pki --alias pki.example.com
+          tests/bin/runner-init.sh \
+              --hostname=pki.example.com \
+              --network=example \
+              --network-alias=pki.example.com \
+              pki
 
       - name: Install CA
         run: |
@@ -249,12 +247,13 @@ jobs:
       - name: Check CA signing cert
         run: |
           docker exec pki pki-server cert-export ca_signing \
-              --cert-file ca_signing.crt
+              --cert-file $SHARED/ca_signing.crt
           docker exec pki openssl req -text -noout \
               -in /var/lib/pki/pki-tomcat/conf/certs/ca_signing.csr
 
           # check CA signing cert extensions
-          docker exec pki /usr/share/pki/tests/ca/bin/test-ca-signing-cert-ext.sh
+          docker exec pki /usr/share/pki/tests/ca/bin/test-ca-signing-cert-ext.sh \
+              $SHARED/ca_signing.crt
 
       - name: Check CA OCSP signing cert
         run: |
@@ -301,28 +300,136 @@ jobs:
 
       - name: Update CA configuration
         run: |
-          # enable signed audit log
+          docker exec pki dnf install -y xmlstarlet
+
+          # disable access log buffer
+          docker exec pki xmlstarlet edit --inplace \
+              -u "//Valve[@className='org.apache.catalina.valves.AccessLogValve']/@buffered" \
+              -v "false" \
+              -i "//Valve[@className='org.apache.catalina.valves.AccessLogValve' and not(@buffered)]" \
+              -t attr \
+              -n "buffered" \
+              -v "false" \
+              /etc/pki/pki-tomcat/server.xml
+
+          # enable CA signed audit log
           docker exec pki pki-server ca-config-set log.instance.SignedAudit.logSigning true
 
-          # restart CA subsystem
-          docker exec pki pki-server ca-redeploy --wait
+          # restart PKI server
+          docker exec pki pki-server restart --wait
 
       - name: Initialize PKI client
         run: |
-          docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
-
           docker exec pki pki nss-cert-import \
-              --cert ca_signing.crt \
+              --cert $SHARED/ca_signing.crt \
               --trust CT,C,C \
               ca_signing
 
+      - name: Check pki info with default API
+        run: |
           docker exec pki pki info
 
+          # check HTTP methods, paths, protocols, status, and authenticated users
+          docker exec pki find /var/log/pki/pki-tomcat \
+              -name "localhost_access_log.*" \
+              -exec cat {} \; \
+              | tail -1 \
+              | sed -e 's/^.* .* \(.*\) \[.*\] "\(.*\)" \(.*\) .*$/\2 \3 \1/' \
+              | tee output
+
+          cat > expected << EOF
+          GET /pki/v1/info HTTP/1.1 200 -
+          EOF
+
+          diff expected output
+
+      - name: Check pki info with API v2
+        run: |
+          docker exec pki pki --api v2 info
+
+          # check HTTP methods, paths, protocols, status, and authenticated users
+          docker exec pki find /var/log/pki/pki-tomcat \
+              -name "localhost_access_log.*" \
+              -exec cat {} \; \
+              | tail -1 \
+              | sed -e 's/^.* .* \(.*\) \[.*\] "\(.*\)" \(.*\) .*$/\2 \3 \1/' \
+              | tee output
+
+          cat > expected << EOF
+          GET /pki/v2/info HTTP/1.1 200 -
+          EOF
+
+          diff expected output
+
       - name: Test CA certs
         run: |
           docker exec pki /usr/share/pki/tests/ca/bin/test-ca-signing-cert.sh
           docker exec pki /usr/share/pki/tests/ca/bin/test-subsystem-cert.sh
-          docker exec pki /usr/share/pki/tests/ca/bin/test-ca-certs.sh
+
+      - name: Check pki ca-cert-find with default API
+        run: |
+          docker exec pki pki ca-cert-find | tee output
+
+          # get certs returned
+          grep "Serial Number:" output | wc -l > actual
+
+          # there should be 6 certs returned
+          echo "6" > expected
+          diff expected actual
+
+          # get total certs found
+          sed -n "s/^\(\S*\) entries found$/\1/p" output > actual
+
+          # there should be 6 certs found
+          echo "6" > expected
+          diff expected actual
+
+          # check HTTP methods, paths, protocols, status, and authenticated users
+          docker exec pki find /var/log/pki/pki-tomcat \
+              -name "localhost_access_log.*" \
+              -exec cat {} \; \
+              | tail -2 \
+              | sed -e 's/^.* .* \(.*\) \[.*\] "\(.*\)" \(.*\) .*$/\2 \3 \1/' \
+              | tee output
+
+          cat > expected << EOF
+          GET /pki/v1/info HTTP/1.1 200 -
+          POST /ca/v1/certs/search HTTP/1.1 200 -
+          EOF
+
+          diff expected output
+
+      - name: Check pki ca-cert-find with API v2
+        run: |
+          docker exec pki pki --api v2 ca-cert-find | tee output
+
+          # get certs returned
+          grep "Serial Number:" output | wc -l > actual
+
+          # there should be 6 certs returned
+          echo "6" > expected
+          diff expected actual
+
+          # get total certs found
+          sed -n "s/^\(\S*\) entries found$/\1/p" output > actual
+
+          # there should be no total certs found
+          diff /dev/null actual
+
+          # check HTTP methods, paths, protocols, status, and authenticated users
+          docker exec pki find /var/log/pki/pki-tomcat \
+              -name "localhost_access_log.*" \
+              -exec cat {} \; \
+              | tail -2 \
+              | sed -e 's/^.* .* \(.*\) \[.*\] "\(.*\)" \(.*\) .*$/\2 \3 \1/' \
+              | tee output
+
+          cat > expected << EOF
+          GET /pki/v2/info HTTP/1.1 200 -
+          POST /ca/v2/certs/search HTTP/1.1 200 -
+          EOF
+
+          diff expected output
 
       - name: Test CA admin
         run: |
@@ -439,21 +546,12 @@ jobs:
         run: |
           docker exec pki journalctl -x --no-pager -u [email protected]
 
-      - name: Check CA debug log
+      - name: Check PKI server access log
         if: always()
         run: |
-          docker exec pki find /var/lib/pki/pki-tomcat/logs/ca -name "debug.*" -exec cat {} \;
+          docker exec pki find /var/log/pki/pki-tomcat -name "localhost_access_log.*" -exec cat {} \;
 
-      - name: Gather artifacts
+      - name: Check CA debug log
         if: always()
         run: |
-          tests/bin/ds-artifacts-save.sh ds
-          tests/bin/pki-artifacts-save.sh pki
-        continue-on-error: true
-
-      - name: Upload artifacts
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: ca-basic
-          path: /tmp/artifacts
+          docker exec pki find /var/lib/pki/pki-tomcat/logs/ca -name "debug.*" -exec cat {} \;

base/ca/src/main/java/org/dogtagpki/server/ca/rest/v2/CertServlet.java

@@ -220,7 +220,8 @@ private CertDataInfos listCerts(CertSearchRequest searchReq, int maxTime, int st
                 results.add(createCertDataInfo(rec));
             }
 
-            infos.setTotal(results.size());
+            // do not call infos.setTotal() in API v2
+
             logger.info("Search results: {}", results.size());
             infos.setEntries(results);
         } catch (Exception e) {

base/common/src/main/java/com/netscape/certsrv/base/DataCollection.java

@@ -20,20 +20,21 @@
 
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.Objects;
 
 /**
  * @author Endi S. Dewata
  */
 public class DataCollection<E> {
 
-    protected int total;
+    protected Integer total;
     protected Collection<E> entries = new ArrayList<>();
 
-    public int getTotal() {
+    public Integer getTotal() {
         return total;
     }
 
-    public void setTotal(int total) {
+    public void setTotal(Integer total) {
         this.total = total;
     }
 
@@ -57,11 +58,7 @@ public void removeEntry(E entry) {
 
     @Override
     public int hashCode() {
-        final int prime = 31;
-        int result = 1;
-        result = prime * result + ((entries == null) ? 0 : entries.hashCode());
-        result = prime * result + total;
-        return result;
+        return Objects.hash(entries, total);
     }
 
     @Override
@@ -72,14 +69,7 @@ public boolean equals(Object obj) {
             return false;
         if (getClass() != obj.getClass())
             return false;
-        DataCollection<E> other = (DataCollection<E>) obj;
-        if (entries == null) {
-            if (other.entries != null)
-                return false;
-        } else if (!entries.equals(other.entries))
-            return false;
-        if (total != other.total)
-            return false;
-        return true;
+        DataCollection other = (DataCollection) obj;
+        return Objects.equals(entries, other.entries) && Objects.equals(total, other.total);
     }
 }

base/common/src/main/java/com/netscape/certsrv/client/Client.java

@@ -44,7 +44,7 @@ public class Client {
     public LinkedHashMap<String, Client> clients = new LinkedHashMap<>();
 
     public Client(PKIClient client, String subsystem, String name) {
-        this(client, subsystem, "rest", name);
+        this(client, subsystem, client.getAPIVersion(), name);
     }
 
     public Client(PKIClient client, String subsystem, String prefix, String name) {

base/common/src/main/java/com/netscape/certsrv/client/PKIClient.java

@@ -48,6 +48,7 @@ public class PKIClient implements AutoCloseable {
 
     public ClientConfig config;
     public PKIConnection connection;
+    public String apiVersion;
     public MediaType messageFormat;
     public InfoClient infoClient;
     public Info info;
@@ -57,7 +58,12 @@ public PKIClient(ClientConfig config) throws Exception {
     }
 
     public PKIClient(ClientConfig config, SSLCertificateApprovalCallback callback) throws Exception {
+        this(config, "rest", callback);
+    }
+
+    public PKIClient(ClientConfig config, String apiVersion, SSLCertificateApprovalCallback callback) throws Exception {
         this.config = config;
+        this.apiVersion = apiVersion;
 
         connection = new PKIConnection(config);
         connection.setCallback(callback);
@@ -72,6 +78,10 @@ public PKIClient(ClientConfig config, SSLCertificateApprovalCallback callback) t
         this.messageFormat = MediaType.valueOf("application/" + messageFormat);
     }
 
+    public String getAPIVersion() {
+        return apiVersion;
+    }
+
     public MediaType getMessageFormat() {
         return messageFormat;
     }

base/common/src/main/java/org/dogtagpki/common/InfoClient.java

@@ -27,7 +27,7 @@
 public class InfoClient extends Client {
 
     public InfoClient(PKIClient client) throws Exception {
-        super(client, "pki", "v2", "info");
+        super(client, "pki", "info");
     }
 
     public Info getInfo() throws Exception {

base/tools/src/main/java/com/netscape/cmstools/ca/CACertFindCLI.java

@@ -227,8 +227,11 @@ public void execute(CommandLine cmd) throws Exception {
         CACertClient certClient = certCLI.getCertClient();
         CertDataInfos certs = certClient.findCerts(searchData, start, size);
 
-        MainCLI.printMessage(certs.getTotal() + " entries found");
-        if (certs.getTotal() == 0) return;
+        Integer total = certs.getTotal();
+        if (total != null) {
+            MainCLI.printMessage(total + " entries found");
+            if (total == 0) return;
+        }
 
         boolean first = true;
 

base/tools/src/main/java/com/netscape/cmstools/cli/MainCLI.java

@@ -86,6 +86,7 @@ public class MainCLI extends CLI {
     public ClientConfig config = new ClientConfig();
 
     NSSDatabase nssdb;
+    String apiVersion;
 
     public Collection<Integer> rejectedCertStatuses = new HashSet<>();
     public Collection<Integer> ignoredCertStatuses = new HashSet<>();
@@ -141,6 +142,10 @@ public String getManPage() {
         return "pki";
     }
 
+    public String getAPIVersion() {
+        return apiVersion;
+    }
+
     public void printVersion() {
         Package pkg = MainCLI.class.getPackage();
         System.out.println("PKI Command-Line Interface " + pkg.getImplementationVersion());
@@ -213,6 +218,10 @@ public void createOptions() throws UnknownHostException {
         option.setArgName("token");
         options.addOption(option);
 
+        option = new Option(null, "api", true, "API version: v1, v2");
+        option.setArgName("version");
+        options.addOption(option);
+
         option = new Option(null, "output", true, "Folder to store HTTP messages");
         option.setArgName("folder");
         options.addOption(option);
@@ -454,6 +463,8 @@ public void parseOptions(CommandLine cmd) throws Exception {
         // store user password
         config.setPassword(password);
 
+        apiVersion = cmd.getOptionValue("api", "rest");
+
         String list = cmd.getOptionValue("reject-cert-status");
         convertCertStatusList(list, rejectedCertStatuses);
 
@@ -593,7 +604,7 @@ public PKIClient getClient() throws Exception {
         logger.info("Connecting to " + config.getServerURL());
 
         SSLCertificateApprovalCallback callback = createCertApprovalCallback();
-        client = new PKIClient(config, callback);
+        client = new PKIClient(config, apiVersion, callback);
 
         if (output != null) {
             File file = new File(output);