.github/workflows/ca-clone-secure-ds-test.yml

name: CA clone with secure DS

on: workflow_call

env:
  DB_IMAGE: ${{ vars.DB_IMAGE || 'quay.io/389ds/dirsrv' }}

jobs:
  # docs/installation/ca/Installing_CA_Clone.md
  # docs/installation/ca/Installing_CA_with_Secure_Database_Connection.md
  test:
    name: Test
    runs-on: ubuntu-latest
    env:
      SHARED: /tmp/workdir/pki
    steps:
      - name: Clone repository
        uses: actions/checkout@v3

      - name: Retrieve PKI images
        uses: actions/cache@v3
        with:
          key: pki-images-${{ github.sha }}
          path: pki-images.tar

      - name: Load PKI images
        run: docker load --input pki-images.tar

      - name: Create network
        run: docker network create example

      - name: Set up primary DS container
        run: |
          tests/bin/ds-container-create.sh primaryds
        env:
          IMAGE: pki-runner
          HOSTNAME: primaryds.example.com
          PASSWORD: Secret.123

      - name: Connect primary DS container to network
        run: docker network connect example primaryds --alias primaryds.example.com

      - name: Set up primary PKI container
        run: |
          tests/bin/runner-init.sh primary
        env:
          HOSTNAME: primary.example.com

      - name: Connect primary PKI container to network
        run: docker network connect example primary --alias primary.example.com

      - name: Create DS signing cert in primary PKI container
        run: |
          docker exec primary pki \
              nss-cert-request \
              --subject "CN=DS Signing Certificate" \
              --ext /usr/share/pki/server/certs/ca_signing.conf \
              --csr ds_signing.csr
          docker exec primary pki \
              nss-cert-issue \
              --csr ds_signing.csr \
              --ext /usr/share/pki/server/certs/ca_signing.conf \
              --cert ds_signing.crt
          docker exec primary pki \
              nss-cert-import \
              --cert ds_signing.crt \
              --trust CT,C,C \
              Self-Signed-CA
          docker exec primary certutil -L -d /root/.dogtag/nssdb

      - name: Create DS server cert in primary PKI container
        run: |
          docker exec primary pki \
              nss-cert-request \
              --subject "CN=primaryds.example.com" \
              --ext /usr/share/pki/server/certs/sslserver.conf \
              --csr ds_server.csr
          docker exec primary pki \
              nss-cert-issue \
              --issuer Self-Signed-CA \
              --csr ds_server.csr \
              --ext /usr/share/pki/server/certs/sslserver.conf \
              --cert ds_server.crt
          docker exec primary pki \
              nss-cert-import \
              --cert ds_server.crt \
              Server-Cert
          docker exec primary certutil -L -d /root/.dogtag/nssdb

      - name: Import certs into primary DS container
        run: |
          docker exec primary pk12util \
              -d /root/.dogtag/nssdb \
              -o ds_server.p12 \
              -W Secret.123 \
              -n Server-Cert
          docker cp primary:ds_server.p12 primaryds_server.p12
          tests/bin/ds-container-certs-import.sh primaryds primaryds_server.p12
          tests/bin/ds-container-stop.sh primaryds
          tests/bin/ds-container-start.sh primaryds

      - name: Install CA in primary PKI container
        run: |
          docker exec primary pkispawn \
              -f /usr/share/pki/server/examples/installation/ca-secure-ds-primary.cfg \
              -s CA \
              -D pki_ds_url=ldaps://primaryds.example.com:3636 \
              -v

          docker exec primary pki-server cert-find

      - name: Verify DS connection in primary PKI container
        run: |
          docker exec primary pki-server ca-db-config-show > output
          cat output
          echo "primaryds.example.com" > expected
          sed -n 's/^\s\+Hostname:\s\+\(\S\+\)$/\1/p' output > actual
          diff expected actual
          echo "3636" > expected
          sed -n 's/^\s\+Port:\s\+\(\S\+\)$/\1/p' output > actual
          diff expected actual
          echo "true" > expected
          sed -n 's/^\s\+Secure:\s\+\(\S\+\)$/\1/p' output > actual
          diff expected actual

      - name: Verify users and DS hosts in primary PKI container
        run: |
          docker exec primary pki-server cert-export ca_signing --cert-file ca_signing.crt
          docker exec primary pki client-cert-import ca_signing --ca-cert ca_signing.crt
          docker exec primary pki pkcs12-import \
              --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
              --pkcs12-password Secret.123
          docker exec primary pki -n caadmin ca-user-find
          docker exec primary pki securitydomain-host-find

      - name: Check cert requests in primary CA
        run: |
          docker exec primary pki -n caadmin ca-cert-request-find

      - name: Set up secondary DS container
        run: |
          tests/bin/ds-container-create.sh secondaryds
        env:
          IMAGE: pki-runner
          HOSTNAME: secondaryds.example.com
          PASSWORD: Secret.123

      - name: Connect secondary DS container to network
        run: docker network connect example secondaryds --alias secondaryds.example.com

      - name: Set up secondary PKI container
        run: |
          tests/bin/runner-init.sh secondary
        env:
          HOSTNAME: secondary.example.com

      - name: Connect secondary PKI container to network
        run: docker network connect example secondary --alias secondary.example.com

      - name: Import DS signing cert into secondary PKI container
        run: |
          docker exec primary pki \
              pkcs12-export \
              --pkcs12-file ${SHARED}/ds_signing.p12 \
              --pkcs12-password Secret.123 \
              Self-Signed-CA
          docker exec secondary pki \
              pkcs12-import \
              --pkcs12-file ${SHARED}/ds_signing.p12 \
              --pkcs12-password Secret.123
          docker exec secondary pki \
              nss-cert-export \
              --output-file ds_signing.crt \
              Self-Signed-CA
          docker exec secondary certutil -L -d /root/.dogtag/nssdb

      - name: Create DS server cert in secondary PKI container
        run: |
          docker exec secondary pki \
              nss-cert-request \
              --subject "CN=secondaryds.example.com" \
              --ext /usr/share/pki/server/certs/sslserver.conf \
              --csr ds_server.csr
          docker exec secondary pki \
              nss-cert-issue \
              --issuer Self-Signed-CA \
              --csr ds_server.csr \
              --ext /usr/share/pki/server/certs/sslserver.conf \
              --cert ds_server.crt
          docker exec secondary pki \
              nss-cert-import \
              --cert ds_server.crt \
              Server-Cert
          docker exec secondary certutil -L -d /root/.dogtag/nssdb

      - name: Import certs into secondary DS container
        run: |
          docker exec secondary pk12util \
              -d /root/.dogtag/nssdb \
              -o ds_server.p12 \
              -W Secret.123 \
              -n Server-Cert
          docker cp secondary:ds_server.p12 secondaryds_server.p12
          tests/bin/ds-container-certs-import.sh secondaryds secondaryds_server.p12
          tests/bin/ds-container-stop.sh secondaryds
          tests/bin/ds-container-start.sh secondaryds

      - name: Install CA in secondary PKI container
        run: |
          docker exec primary pki-server cert-export ca_signing --cert-file ${SHARED}/ca_signing.crt
          docker exec primary pki-server ca-clone-prepare --pkcs12-file ${SHARED}/ca-certs.p12 --pkcs12-password Secret.123
          docker exec secondary pkispawn \
              -f /usr/share/pki/server/examples/installation/ca-secure-ds-secondary.cfg \
              -s CA \
              -D pki_cert_chain_path=${SHARED}/ca_signing.crt \
              -D pki_clone_pkcs12_path=${SHARED}/ca-certs.p12 \
              -D pki_ds_url=ldaps://secondaryds.example.com:3636 \
              -v

          docker exec secondary pki-server cert-find

      - name: Run PKI healthcheck in primary PKI container
        run: docker exec primary pki-healthcheck --failures-only

      - name: Run PKI healthcheck in secondary PKI container
        run: docker exec secondary pki-healthcheck --failures-only

      - name: Verify DS connection in secondary PKI container
        run: |
          docker exec secondary pki-server ca-db-config-show > output
          cat output
          echo "secondaryds.example.com" > expected
          sed -n 's/^\s\+Hostname:\s\+\(\S\+\)$/\1/p' output > actual
          diff expected actual
          echo "3636" > expected
          sed -n 's/^\s\+Port:\s\+\(\S\+\)$/\1/p' output > actual
          diff expected actual
          echo "true" > expected
          sed -n 's/^\s\+Secure:\s\+\(\S\+\)$/\1/p' output > actual
          diff expected actual

      - name: Verify users and SD hosts in secondary PKI container
        run: |
          docker exec primary cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 ${SHARED}/ca_admin_cert.p12
          docker exec secondary pki-server cert-export ca_signing --cert-file ca_signing.crt
          docker exec secondary pki client-cert-import ca_signing --ca-cert ca_signing.crt
          docker exec secondary pki pkcs12-import \
              --pkcs12 ${SHARED}/ca_admin_cert.p12 \
              --pkcs12-password Secret.123
          docker exec secondary pki -n caadmin ca-user-find
          docker exec secondary pki securitydomain-host-find

      - name: Check cert requests in secondary CA
        run: |
          docker exec secondary pki -n caadmin ca-cert-request-find

      - name: Remove CA from secondary PKI container
        run: |
          docker exec secondary pkidestroy -i pki-tomcat -s CA -v

      - name: Re-install CA in secondary PKI container
        run: |
          docker exec secondary pkispawn \
              -f /usr/share/pki/server/examples/installation/ca-secure-ds-secondary.cfg \
              -s CA \
              -D pki_cert_chain_path=${SHARED}/ca_signing.crt \
              -D pki_clone_pkcs12_path=${SHARED}/ca-certs.p12 \
              -D pki_ds_url=ldaps://secondaryds.example.com:3636 \
              -v

      - name: Gather artifacts from primary containers
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh --output=/tmp/artifacts/primary primaryds
          tests/bin/pki-artifacts-save.sh primary
        continue-on-error: true

      - name: Gather artifacts from secondary containers
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh --output=/tmp/artifacts/secondary secondaryds
          tests/bin/pki-artifacts-save.sh secondary
        continue-on-error: true

      - name: Remove CA from secondary PKI container
        run: |
          docker exec secondary pki -n caadmin ca-user-find
          docker exec secondary pki securitydomain-host-find
          docker exec secondary pkidestroy -i pki-tomcat -s CA -v

      - name: Remove CA from primary PKI container
        run: |
          docker exec primary pki -n caadmin ca-user-find
          docker exec primary pki securitydomain-host-find
          docker exec primary pkidestroy -i pki-tomcat -s CA -v

      - name: Upload artifacts from primary containers
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: ca-clone-secure-ds-primary
          path: |
            /tmp/artifacts/primary

      - name: Upload artifacts from secondary containers
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: ca-clone-secure-ds-secondary
          path: |
            /tmp/artifacts/secondary