.github/workflows/ca-clone-test.yml

name: CA clone

on: workflow_call

env:
  DB_IMAGE: ${{ vars.DB_IMAGE || 'quay.io/389ds/dirsrv' }}

jobs:
  # docs/installation/ca/Installing_CA.md
  test:
    name: Test
    runs-on: ubuntu-latest
    env:
      SHARED: /tmp/workdir/pki
    steps:
      - name: Clone repository
        uses: actions/checkout@v3

      - name: Retrieve PKI images
        uses: actions/cache@v3
        with:
          key: pki-images-${{ github.sha }}
          path: pki-images.tar

      - name: Load PKI images
        run: docker load --input pki-images.tar

      - name: Create network
        run: docker network create example

      - name: Set up primary DS container
        run: |
          tests/bin/ds-container-create.sh primaryds
        env:
          IMAGE: ${{ env.DB_IMAGE }}
          HOSTNAME: primaryds.example.com
          PASSWORD: Secret.123

      - name: Connect primary DS container to network
        run: docker network connect example primaryds --alias primaryds.example.com

      - name: Set up primary PKI container
        run: |
          tests/bin/runner-init.sh primary
        env:
          HOSTNAME: primary.example.com

      - name: Connect primary PKI container to network
        run: docker network connect example primary --alias primary.example.com

      - name: Install CA in primary PKI container
        run: |
          docker exec primary pkispawn \
              -f /usr/share/pki/server/examples/installation/ca.cfg \
              -s CA \
              -D pki_ds_url=ldap://primaryds.example.com:3389 \
              -v

          docker exec primary pki-server cert-find

      - name: Verify users and SD hosts in primary PKI container
        run: |
          docker exec primary pki-server cert-export ca_signing --cert-file ${SHARED}/ca_signing.crt
          docker exec primary pki client-cert-import ca_signing --ca-cert ${SHARED}/ca_signing.crt
          docker exec primary pki pkcs12-import \
              --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
              --pkcs12-password Secret.123
          docker exec primary pki -n caadmin ca-user-find
          docker exec primary pki securitydomain-host-find

      - name: Check cert requests in primary CA
        run: |
          docker exec primary pki -n caadmin ca-cert-request-find

      - name: Set up secondary DS container
        run: |
          tests/bin/ds-container-create.sh secondaryds
        env:
          IMAGE: ${{ env.DB_IMAGE }}
          HOSTNAME: secondaryds.example.com
          PASSWORD: Secret.123

      - name: Connect secondary DS container to network
        run: docker network connect example secondaryds --alias secondaryds.example.com

      - name: Set up secondary PKI container
        run: |
          tests/bin/runner-init.sh secondary
        env:
          HOSTNAME: secondary.example.com

      - name: Connect secondary PKI container to network
        run: docker network connect example secondary --alias secondary.example.com

      - name: Install CA in secondary PKI container
        run: |
          # get CS.cfg from primary CA before cloning
          docker cp primary:/etc/pki/pki-tomcat/ca/CS.cfg CS.cfg.primary

          docker exec primary pki-server ca-clone-prepare --pkcs12-file ${SHARED}/ca-certs.p12 --pkcs12-password Secret.123
          docker exec secondary pkispawn \
              -f /usr/share/pki/server/examples/installation/ca-clone.cfg \
              -s CA \
              -D pki_cert_chain_path=${SHARED}/ca_signing.crt \
              -D pki_clone_pkcs12_path=${SHARED}/ca-certs.p12 \
              -D pki_clone_pkcs12_password=Secret.123 \
              -D pki_ds_url=ldap://secondaryds.example.com:3389 \
              -v

          docker exec secondary pki-server cert-find

      - name: Check CS.cfg in primary CA after cloning
        run: |
          # get CS.cfg from primary CA after cloning
          docker cp primary:/etc/pki/pki-tomcat/ca/CS.cfg CS.cfg.primary.after

          docker exec primary pki-server ca-config-find | grep ca.crl.MasterCRL

          # normalize expected result:
          # - remove params that cannot be compared
          # - set dbs.enableSerialManagement to true (automatically enabled when cloned)
          sed -e '/^dbs.beginReplicaNumber=/d' \
              -e '/^dbs.endReplicaNumber=/d' \
              -e '/^dbs.nextBeginReplicaNumber=/d' \
              -e '/^dbs.nextEndReplicaNumber=/d' \
              -e 's/^\(dbs.enableSerialManagement\)=.*$/\1=true/' \
              CS.cfg.primary \
              | sort > expected

          # normalize actual result:
          # - remove params that cannot be compared
          sed -e '/^dbs.beginReplicaNumber=/d' \
              -e '/^dbs.endReplicaNumber=/d' \
              -e '/^dbs.nextBeginReplicaNumber=/d' \
              -e '/^dbs.nextEndReplicaNumber=/d' \
              CS.cfg.primary.after \
              | sort > actual

          diff expected actual

      - name: Check CS.cfg in secondary CA
        run: |
          # get CS.cfg from secondary CA
          docker cp secondary:/etc/pki/pki-tomcat/ca/CS.cfg CS.cfg.secondary

          docker exec secondary pki-server ca-config-find | grep ca.crl.MasterCRL

          # normalize expected result:
          # - remove params that cannot be compared
          # - replace primary.example.com with secondary.example.com
          # - replace primaryds.example.com with secondaryds.example.com
          # - set ca.crl.MasterCRL.enableCRLCache to false (automatically disabled in the clone)
          # - set ca.crl.MasterCRL.enableCRLUpdates to false (automatically disabled in the clone)
          # - add params for the clone
          sed -e '/^installDate=/d' \
              -e '/^dbs.beginReplicaNumber=/d' \
              -e '/^dbs.endReplicaNumber=/d' \
              -e '/^dbs.nextBeginReplicaNumber=/d' \
              -e '/^dbs.nextEndReplicaNumber=/d' \
              -e '/^ca.sslserver.cert=/d' \
              -e '/^ca.sslserver.certreq=/d' \
              -e 's/primary.example.com/secondary.example.com/' \
              -e 's/primaryds.example.com/secondaryds.example.com/' \
              -e 's/^\(ca.crl.MasterCRL.enableCRLCache\)=.*$/\1=false/' \
              -e 's/^\(ca.crl.MasterCRL.enableCRLUpdates\)=.*$/\1=false/' \
              -e '$ a ca.certStatusUpdateInterval=0' \
              -e '$ a ca.listenToCloneModifications=false' \
              -e '$ a master.ca.agent.host=primary.example.com' \
              -e '$ a master.ca.agent.port=8443' \
              CS.cfg.primary.after \
              | sort > expected

          # normalize actual result:
          # - remove params that cannot be compared
          sed -e '/^installDate=/d' \
              -e '/^dbs.beginReplicaNumber=/d' \
              -e '/^dbs.endReplicaNumber=/d' \
              -e '/^dbs.nextBeginReplicaNumber=/d' \
              -e '/^dbs.nextEndReplicaNumber=/d' \
              -e '/^ca.sslserver.cert=/d' \
              -e '/^ca.sslserver.certreq=/d' \
              CS.cfg.secondary \
              | sort > actual

          diff expected actual

      - name: Verify users and SD hosts in secondary PKI container
        run: |
          docker exec primary cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 ${SHARED}/ca_admin_cert.p12
          docker exec secondary pki client-cert-import ca_signing --ca-cert ${SHARED}/ca_signing.crt
          docker exec secondary pki pkcs12-import \
              --pkcs12 ${SHARED}/ca_admin_cert.p12 \
              --pkcs12-password Secret.123
          docker exec secondary pki -n caadmin ca-user-find
          docker exec secondary pki securitydomain-host-find

      - name: Check cert requests in secondary CA
        run: |
          docker exec secondary pki -n caadmin ca-cert-request-find

      - name: Set up tertiary DS container
        run: |
          tests/bin/ds-container-create.sh tertiaryds
        env:
          IMAGE: ${{ env.DB_IMAGE }}
          HOSTNAME: tertiaryds.example.com
          PASSWORD: Secret.123

      - name: Connect tertiary DS container to network
        run: docker network connect example tertiaryds --alias tertiaryds.example.com

      - name: Set up tertiary PKI container
        run: |
          tests/bin/runner-init.sh tertiary
        env:
          HOSTNAME: tertiary.example.com

      - name: Connect tertiary PKI container to network
        run: docker network connect example tertiary --alias tertiary.example.com

      - name: Install CA in tertiary PKI container
        run: |
          # export system certs and keys (except sslserver)
          docker exec secondary pki-server ca-clone-prepare \
              --pkcs12-file ${SHARED}/ca-certs.p12 \
              --pkcs12-password Secret.123

          # export CA signing CSR
          docker exec secondary pki-server cert-export ca_signing \
              --csr-file ${SHARED}/ca_signing.csr

          # export CA OCSP signing CSR
          docker exec secondary pki-server cert-export ca_ocsp_signing \
              --csr-file ${SHARED}/ca_ocsp_signing.csr

          # export CA audit signing CSR
          docker exec secondary pki-server cert-export ca_audit_signing \
              --csr-file ${SHARED}/ca_audit_signing.csr

          # export subsystem CSR
          docker exec secondary pki-server cert-export subsystem \
              --csr-file ${SHARED}/subsystem.csr

          docker exec tertiary pkispawn \
              -f /usr/share/pki/server/examples/installation/ca-clone-of-clone.cfg \
              -s CA \
              -D pki_cert_chain_path=${SHARED}/ca_signing.crt \
              -D pki_clone_pkcs12_path=${SHARED}/ca-certs.p12 \
              -D pki_clone_pkcs12_password=Secret.123 \
              -D pki_ca_signing_csr_path=${SHARED}/ca_signing.csr \
              -D pki_ocsp_signing_csr_path=${SHARED}/ca_ocsp_signing.csr \
              -D pki_audit_signing_csr_path=${SHARED}/ca_audit_signing.csr \
              -D pki_subsystem_csr_path=${SHARED}/subsystem.csr \
              -D pki_ds_url=ldap://tertiaryds.example.com:3389 \
              -v

          docker exec tertiary pki-server cert-find

      - name: Check CS.cfg in secondary CA after cloning
        run: |
          # get CS.cfg from secondary CA after cloning
          docker cp secondary:/etc/pki/pki-tomcat/ca/CS.cfg CS.cfg.secondary.after

          docker exec secondary pki-server ca-config-find | grep ca.crl.MasterCRL

          # normalize expected result:
          # - remove params that cannot be compared
          sed -e '/^dbs.beginReplicaNumber=/d' \
              -e '/^dbs.endReplicaNumber=/d' \
              -e '/^dbs.nextBeginReplicaNumber=/d' \
              -e '/^dbs.nextEndReplicaNumber=/d' \
              CS.cfg.secondary \
              | sort > expected

          # normalize actual result:
          # - remove params that cannot be compared
          sed -e '/^dbs.beginReplicaNumber=/d' \
              -e '/^dbs.endReplicaNumber=/d' \
              -e '/^dbs.nextBeginReplicaNumber=/d' \
              -e '/^dbs.nextEndReplicaNumber=/d' \
              CS.cfg.secondary.after \
              | sort > actual

          diff expected actual

      - name: Check CS.cfg in tertiary CA
        run: |
          # get CS.cfg from tertiary CA
          docker cp tertiary:/etc/pki/pki-tomcat/ca/CS.cfg CS.cfg.tertiary

          docker exec tertiary pki-server ca-config-find | grep ca.crl.MasterCRL

          # normalize expected result:
          # - remove params that cannot be compared
          # - replace secondary.example.com with tertiary.example.com
          # - replace secondaryds.example.com with tertiaryds.example.com
          # - set master.ca.agent.host to secondary.example.com
          sed -e '/^installDate=/d' \
              -e '/^dbs.beginReplicaNumber=/d' \
              -e '/^dbs.endReplicaNumber=/d' \
              -e '/^dbs.nextBeginReplicaNumber=/d' \
              -e '/^dbs.nextEndReplicaNumber=/d' \
              -e '/^ca.sslserver.cert=/d' \
              -e '/^ca.sslserver.certreq=/d' \
              -e 's/secondary.example.com/tertiary.example.com/' \
              -e 's/secondaryds.example.com/tertiaryds.example.com/' \
              -e 's/^\(master.ca.agent.host\)=.*$/\1=secondary.example.com/' \
              CS.cfg.secondary.after \
              | sort > expected

          # normalize actual result:
          # - remove params that cannot be compared
          sed -e '/^installDate=/d' \
              -e '/^dbs.beginReplicaNumber=/d' \
              -e '/^dbs.endReplicaNumber=/d' \
              -e '/^dbs.nextBeginReplicaNumber=/d' \
              -e '/^dbs.nextEndReplicaNumber=/d' \
              -e '/^ca.sslserver.cert=/d' \
              -e '/^ca.sslserver.certreq=/d' \
              CS.cfg.tertiary \
              | sort > actual

          diff expected actual

      - name: Verify users and SD hosts in tertiary PKI container
        run: |
          docker exec tertiary pki client-cert-import ca_signing --ca-cert ${SHARED}/ca_signing.crt
          docker exec tertiary pki pkcs12-import \
              --pkcs12 ${SHARED}/ca_admin_cert.p12 \
              --pkcs12-password Secret.123
          docker exec tertiary pki -n caadmin ca-user-find
          docker exec tertiary pki securitydomain-host-find

      - name: Check cert requests in tertiary CA
        run: |
          docker exec tertiary pki -n caadmin ca-cert-request-find

      - name: Gather artifacts from primary containers
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh --output=/tmp/artifacts/primary primaryds
          tests/bin/pki-artifacts-save.sh primary
        continue-on-error: true

      - name: Gather artifacts from secondary containers
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh --output=/tmp/artifacts/secondary secondaryds
          tests/bin/pki-artifacts-save.sh secondary
        continue-on-error: true

      - name: Gather artifacts from tertiary containers
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh --output=/tmp/artifacts/tertiary tertiaryds
          tests/bin/pki-artifacts-save.sh tertiary
        continue-on-error: true

      - name: Remove CA from tertiary PKI container
        run: |
          docker exec tertiary pki -n caadmin ca-user-find
          docker exec tertiary pki securitydomain-host-find
          docker exec tertiary pkidestroy -i pki-tomcat -s CA -v

      - name: Remove CA from secondary PKI container
        run: |
          docker exec secondary pki -n caadmin ca-user-find
          docker exec secondary pki securitydomain-host-find
          docker exec secondary pkidestroy -i pki-tomcat -s CA -v

      - name: Remove CA from primary PKI container
        run: |
          docker exec primary pki -n caadmin ca-user-find
          docker exec primary pki securitydomain-host-find
          docker exec primary pkidestroy -i pki-tomcat -s CA -v

      - name: Upload artifacts from primary containers
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: ca-clone-primary
          path: |
            /tmp/artifacts/primary

      - name: Upload artifacts from secondary containers
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: ca-clone-secondary
          path: |
            /tmp/artifacts/secondary

      - name: Upload artifacts from tertiary containers
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: ca-clone-tertiary
          path: |
            /tmp/artifacts/tertiary