.github/workflows/ca-container-test.yml

name: CA container

on: workflow_call

env:
  DB_IMAGE: ${{ vars.DB_IMAGE || 'quay.io/389ds/dirsrv' }}

jobs:
  # https://github.com/dogtagpki/pki/wiki/Deploying-CA-Container
  test:
    name: Test
    runs-on: ubuntu-latest
    env:
      SHARED: /tmp/workdir/pki
    steps:
      - name: Clone repository
        uses: actions/checkout@v3

      - name: Retrieve PKI images
        uses: actions/cache@v3
        with:
          key: pki-images-${{ github.sha }}
          path: pki-images.tar

      - name: Load PKI images
        run: docker load --input pki-images.tar

      - name: Create network
        run: docker network create example

      - name: Set up client container
        run: |
          tests/bin/runner-init.sh client
        env:
          HOSTNAME: client.example.com

      - name: Connect client container to network
        run: docker network connect example client --alias client.example.com

      - name: Create CA signing cert
        run: |
          docker exec client pki \
              nss-cert-request \
              --subject "CN=CA Signing Certificate" \
              --ext /usr/share/pki/server/certs/ca_signing.conf \
              --csr ca_signing.csr
          docker exec client pki \
              nss-cert-issue \
              --csr ca_signing.csr \
              --ext /usr/share/pki/server/certs/ca_signing.conf \
              --validity-length 1 \
              --validity-unit year \
              --cert ca_signing.crt
          docker exec client pki \
              nss-cert-import \
              --cert ca_signing.crt \
              --trust CT,C,C \
              ca_signing
          docker exec client pki \
              nss-cert-show \
              ca_signing

      - name: Create OCSP signing cert
        run: |
          docker exec client pki \
              nss-cert-request \
              --subject "CN=OCSP Signing Certificate" \
              --ext /usr/share/pki/server/certs/ocsp_signing.conf \
              --csr ocsp_signing.csr
          docker exec client pki \
              nss-cert-issue \
              --issuer ca_signing \
              --csr ocsp_signing.csr \
              --ext /usr/share/pki/server/certs/ocsp_signing.conf \
              --cert ocsp_signing.crt
          docker exec client pki \
              nss-cert-import \
              --cert ocsp_signing.crt \
              ocsp_signing
          docker exec client pki \
              nss-cert-show \
              ocsp_signing

      - name: Create audit signing cert
        run: |
          docker exec client pki \
              nss-cert-request \
              --subject "CN=Audit Signing Certificate" \
              --ext /usr/share/pki/server/certs/audit_signing.conf \
              --csr audit_signing.csr
          docker exec client pki \
              nss-cert-issue \
              --issuer ca_signing \
              --csr audit_signing.csr \
              --ext /usr/share/pki/server/certs/audit_signing.conf \
              --cert audit_signing.crt
          docker exec client pki \
              nss-cert-import \
              --cert audit_signing.crt \
              --trust ,,P \
              audit_signing
          docker exec client pki \
              nss-cert-show \
              audit_signing

      - name: Create subsystem cert
        run: |
          docker exec client pki \
              nss-cert-request \
              --subject "CN=Subsystem Certificate" \
              --ext /usr/share/pki/server/certs/subsystem.conf \
              --csr subsystem.csr
          docker exec client pki \
              nss-cert-issue \
              --issuer ca_signing \
              --csr subsystem.csr \
              --ext /usr/share/pki/server/certs/subsystem.conf \
              --cert subsystem.crt
          docker exec client pki \
              nss-cert-import \
              --cert subsystem.crt \
              subsystem
          docker exec client pki \
              nss-cert-show \
              subsystem

      - name: Create SSL server cert
        run: |
          docker exec client pki \
              nss-cert-request \
              --subject "CN=ca.example.com" \
              --ext /usr/share/pki/server/certs/sslserver.conf \
              --csr sslserver.csr
          docker exec client pki \
              nss-cert-issue \
              --issuer ca_signing \
              --csr sslserver.csr \
              --ext /usr/share/pki/server/certs/sslserver.conf \
              --cert sslserver.crt
          docker exec client pki \
              nss-cert-import \
              --cert sslserver.crt \
              sslserver
          docker exec client pki \
              nss-cert-show \
              sslserver

      - name: Create admin cert
        run: |
          docker exec client pki \
              nss-cert-request \
              --subject "CN=Administrator" \
              --ext /usr/share/pki/server/certs/admin.conf \
              --csr admin.csr
          docker exec client pki \
              nss-cert-issue \
              --issuer ca_signing \
              --csr admin.csr \
              --ext /usr/share/pki/server/certs/admin.conf \
              --cert admin.crt
          docker exec client pki \
              nss-cert-import \
              --cert admin.crt \
              admin
          docker exec client pki \
              nss-cert-show \
              admin

      - name: Export system certs and keys
        run: |
          docker exec client pki \
              pkcs12-export \
              --pkcs12 server.p12 \
              --password Secret.123 \
              ca_signing \
              ocsp_signing \
              audit_signing \
              subsystem \
              sslserver

      - name: Export admin cert and key
        run: |
          docker exec client pki \
              pkcs12-export \
              --pkcs12 admin.p12 \
              --password Secret.123 \
              admin

      - name: Set up CA container
        run: |
          mkdir certs
          docker cp client:server.p12 certs
          docker cp client:admin.p12 certs
          docker cp client:ca_signing.csr certs
          docker cp client:ocsp_signing.csr certs
          docker cp client:audit_signing.csr certs
          docker cp client:subsystem.csr certs
          docker cp client:sslserver.csr certs
          docker cp client:admin.csr certs
          ls -la certs

          docker run \
              --name ca \
              --hostname=ca.example.com \
              --network=example \
              --network-alias=ca.example.com \
              -v $PWD/certs:/certs \
              --detach \
              pki-ca

      - name: Wait for CA container to start
        run: |
          docker exec client curl \
              --retry 180 \
              --retry-delay 0 \
              --retry-connrefused \
              -s \
              -k \
              -o /dev/null \
              https://ca.example.com:8443

      - name: Check basic operations from CA container
        run: |
          # check PKI server info
          docker exec ca pki info

      - name: Check basic operations from client container
        run: |
          # check PKI server info
          docker exec client pki \
              -U https://ca.example.com:8443 \
              info

      - name: Set up DS container
        run: |
          tests/bin/ds-container-create.sh ds
        env:
          IMAGE: ${{ env.DB_IMAGE }}
          HOSTNAME: ds.example.com
          PASSWORD: Secret.123

      - name: Connect DS container to network
        run: docker network connect example ds --alias ds.example.com

      # https://github.com/dogtagpki/pki/wiki/Setting-up-CA-Database
      - name: Configure DS database
        run: |
          docker exec ds ldapadd \
              -H ldap://ds.example.com:3389 \
              -D "cn=Directory Manager" \
              -w Secret.123 \
              -f $SHARED/base/server/database/ds/config.ldif

      - name: Add PKI schema
        run: |
          docker exec ds ldapmodify \
              -H ldap://ds.example.com:3389 \
              -D "cn=Directory Manager" \
              -w Secret.123 \
              -f $SHARED/base/server/database/ds/schema.ldif

      - name: Add CA base entry
        run: |
          docker exec -i ds ldapadd \
              -H ldap://ds.example.com:3389 \
              -D "cn=Directory Manager" \
              -w Secret.123 << EOF
          dn: dc=ca,dc=pki,dc=example,dc=com
          objectClass: dcObject
          dc: ca
          EOF

      - name: Add CA database entries
        run: |
          sed \
              -e 's/{rootSuffix}/dc=ca,dc=pki,dc=example,dc=com/g' \
              base/ca/database/ds/create.ldif \
              | tee create.ldif
          docker exec ds ldapadd \
              -H ldap://ds.example.com:3389 \
              -D "cn=Directory Manager" \
              -w Secret.123 \
              -f $SHARED/create.ldif

      - name: Add CA ACL resources
        run: |
          sed \
              -e 's/{rootSuffix}/dc=ca,dc=pki,dc=example,dc=com/g' \
              base/ca/database/ds/acl.ldif \
              | tee acl.ldif
          docker exec ds ldapadd \
              -H ldap://ds.example.com:3389 \
              -D "cn=Directory Manager" \
              -w Secret.123 \
              -f $SHARED/acl.ldif

      - name: Add CA search indexes
        run: |
          sed \
              -e 's/{database}/userroot/g' \
              base/ca/database/ds/index.ldif \
              | tee index.ldif
          docker exec ds ldapadd \
              -H ldap://ds.example.com:3389 \
              -D "cn=Directory Manager" \
              -w Secret.123 \
              -f $SHARED/index.ldif

      - name: Rebuild CA search indexes
        run: |
          # start rebuild task
          sed \
              -e 's/{database}/userroot/g' \
              base/ca/database/ds/indextasks.ldif \
              | tee indextasks.ldif
          docker exec ds ldapadd \
              -H ldap://ds.example.com:3389 \
              -D "cn=Directory Manager" \
              -w Secret.123 \
              -f $SHARED/indextasks.ldif

          # wait for task to complete
          while true; do
              sleep 1

              docker exec ds ldapsearch \
                  -H ldap://ds.example.com:3389 \
                  -D "cn=Directory Manager" \
                  -w Secret.123 \
                  -b "cn=index1160589770, cn=index, cn=tasks, cn=config" \
                  -LLL \
                  nsTaskExitCode \
                  | tee output

              sed -n -e 's/nsTaskExitCode:\s*\(.*\)/\1/p' output > nsTaskExitCode
              cat nsTaskExitCode

              if [ -s nsTaskExitCode ]; then
                  break
              fi
          done

          echo "0" > expected
          diff expected nsTaskExitCode

      - name: Add CA VLV indexes
        run: |
          sed \
              -e 's/{instanceId}/pki-tomcat/g' \
              -e 's/{database}/userroot/g' \
              -e 's/{rootSuffix}/dc=ca,dc=pki,dc=example,dc=com/g' \
              base/ca/database/ds/vlv.ldif \
              | tee vlv.ldif
          docker exec ds ldapadd \
              -H ldap://ds.example.com:3389 \
              -D "cn=Directory Manager" \
              -w Secret.123 \
              -f $SHARED/vlv.ldif

      - name: Rebuild CA VLV indexes
        run: |
          # start rebuild task
          sed \
              -e 's/{database}/userroot/g' \
              -e 's/{instanceId}/pki-tomcat/g' \
              base/ca/database/ds/vlvtasks.ldif \
              | tee vlvtasks.ldif
          docker exec ds ldapadd \
              -H ldap://ds.example.com:3389 \
              -D "cn=Directory Manager" \
              -w Secret.123 \
              -f $SHARED/vlvtasks.ldif

          # wait for task to complete
          while true; do
              sleep 1

              docker exec ds ldapsearch \
                  -H ldap://ds.example.com:3389 \
                  -D "cn=Directory Manager" \
                  -w Secret.123 \
                  -b "cn=index1160589769, cn=index, cn=tasks, cn=config" \
                  -LLL \
                  nsTaskExitCode \
                  | tee output

              sed -n -e 's/nsTaskExitCode:\s*\(.*\)/\1/p' output > nsTaskExitCode
              cat nsTaskExitCode

              if [ -s nsTaskExitCode ]; then
                  break
              fi
          done

          echo "0" > expected
          diff expected nsTaskExitCode

      # https://github.com/dogtagpki/pki/wiki/Setting-up-CA-Admin-User
      - name: Add admin user
        run: |
          docker exec -i ds ldapadd \
              -H ldap://ds.example.com:3389 \
              -D "cn=Directory Manager" \
              -w Secret.123 << EOF
          dn: uid=admin,ou=people,dc=ca,dc=pki,dc=example,dc=com
          objectClass: person
          objectClass: organizationalPerson
          objectClass: inetOrgPerson
          objectClass: cmsuser
          cn: admin
          sn: admin
          uid: admin
          mail: admin@example.com
          userPassword: Secret.123
          userState: 1
          userType: adminType
          EOF

      - name: Assign admin cert to admin user
        run: |
          # convert cert from PEM to DER
          docker cp client:admin.crt admin.crt
          openssl x509 -outform der -in admin.crt -out admin.der
          docker cp admin.der ds:admin.der

          # get serial number
          openssl x509 -text -noout -in admin.crt | tee output
          SERIAL=$(sed -En 'N; s/^ *Serial Number:\n *(.*)$/\1/p; D' output)
          echo "SERIAL: $SERIAL"
          HEX_SERIAL=$(echo "$SERIAL" | tr -d ':')
          echo "HEX_SERIAL: $HEX_SERIAL"
          DEC_SERIAL=$(python -c "print(int('$HEX_SERIAL', 16))")
          echo "DEC_SERIAL: $DEC_SERIAL"

          docker exec -i ds ldapmodify \
              -H ldap://ds.example.com:3389 \
              -D "cn=Directory Manager" \
              -w Secret.123 << EOF
          dn: uid=admin,ou=people,dc=ca,dc=pki,dc=example,dc=com
          changetype: modify
          add: description
          description: 2;$DEC_SERIAL;CN=CA Signing Certificate;CN=Administrator
          -
          add: userCertificate
          userCertificate:< file:admin.der
          -
          EOF

      - name: Add admin user into CA groups
        run: |
          docker exec -i ds ldapmodify \
              -H ldap://ds.example.com:3389 \
              -D "cn=Directory Manager" \
              -w Secret.123 << EOF
          dn: cn=Administrators,ou=groups,dc=ca,dc=pki,dc=example,dc=com
          changetype: modify
          add: uniqueMember
          uniqueMember: uid=admin,ou=people,dc=ca,dc=pki,dc=example,dc=com
          -

          dn: cn=Certificate Manager Agents,ou=groups,dc=ca,dc=pki,dc=example,dc=com
          changetype: modify
          add: uniqueMember
          uniqueMember: uid=admin,ou=people,dc=ca,dc=pki,dc=example,dc=com
          -

          dn: cn=Security Domain Administrators,ou=groups,dc=ca,dc=pki,dc=example,dc=com
          changetype: modify
          add: uniqueMember
          uniqueMember: uid=admin,ou=people,dc=ca,dc=pki,dc=example,dc=com
          -

          dn: cn=Enterprise CA Administrators,ou=groups,dc=ca,dc=pki,dc=example,dc=com
          changetype: modify
          add: uniqueMember
          uniqueMember: uid=admin,ou=people,dc=ca,dc=pki,dc=example,dc=com
          -

          dn: cn=Enterprise KRA Administrators,ou=groups,dc=ca,dc=pki,dc=example,dc=com
          changetype: modify
          add: uniqueMember
          uniqueMember: uid=admin,ou=people,dc=ca,dc=pki,dc=example,dc=com
          -

          dn: cn=Enterprise RA Administrators,ou=groups,dc=ca,dc=pki,dc=example,dc=com
          changetype: modify
          add: uniqueMember
          uniqueMember: uid=admin,ou=people,dc=ca,dc=pki,dc=example,dc=com
          -

          dn: cn=Enterprise TKS Administrators,ou=groups,dc=ca,dc=pki,dc=example,dc=com
          changetype: modify
          add: uniqueMember
          uniqueMember: uid=admin,ou=people,dc=ca,dc=pki,dc=example,dc=com
          -

          dn: cn=Enterprise OCSP Administrators,ou=groups,dc=ca,dc=pki,dc=example,dc=com
          changetype: modify
          add: uniqueMember
          uniqueMember: uid=admin,ou=people,dc=ca,dc=pki,dc=example,dc=com
          -

          dn: cn=Enterprise TPS Administrators,ou=groups,dc=ca,dc=pki,dc=example,dc=com
          changetype: modify
          add: uniqueMember
          uniqueMember: uid=admin,ou=people,dc=ca,dc=pki,dc=example,dc=com
          -
          EOF

      # https://github.com/dogtagpki/pki/wiki/Setting-up-CA-Database-User
      - name: Add database user
        run: |
          docker exec -i ds ldapadd \
              -H ldap://ds.example.com:3389 \
              -D "cn=Directory Manager" \
              -w Secret.123 << EOF
          dn: uid=pkidbuser,ou=people,dc=ca,dc=pki,dc=example,dc=com
          objectClass: person
          objectClass: organizationalPerson
          objectClass: inetOrgPerson
          objectClass: cmsuser
          cn: pkidbuser
          sn: pkidbuser
          uid: pkidbuser
          userState: 1
          userType: agentType
          EOF

      - name: Assign subsystem cert to database user
        run: |
          # convert cert from PEM to DER
          docker cp client:subsystem.crt subsystem.crt
          openssl x509 -outform der -in subsystem.crt -out subsystem.der
          docker cp subsystem.der ds:subsystem.der

          # get serial number
          openssl x509 -text -noout -in subsystem.crt | tee output
          SERIAL=$(sed -En 'N; s/^ *Serial Number:\n *(.*)$/\1/p; D' output)
          echo "SERIAL: $SERIAL"
          HEX_SERIAL=$(echo "$SERIAL" | tr -d ':')
          echo "HEX_SERIAL: $HEX_SERIAL"
          DEC_SERIAL=$(python -c "print(int('$HEX_SERIAL', 16))")
          echo "DEC_SERIAL: $DEC_SERIAL"

          docker exec -i ds ldapmodify \
              -H ldap://ds.example.com:3389 \
              -D "cn=Directory Manager" \
              -w Secret.123 << EOF
          dn: uid=pkidbuser,ou=people,dc=ca,dc=pki,dc=example,dc=com
          changetype: modify
          add: description
          description: 2;$DEC_SERIAL;CN=CA Signing Certificate;CN=Subsystem Certificate
          -
          add: seeAlso
          seeAlso: CN=Subsystem Certificate
          -
          add: userCertificate
          userCertificate:< file:subsystem.der
          -
          EOF

      - name: Add database user into CA groups
        run: |
          docker exec -i ds ldapmodify \
              -H ldap://ds.example.com:3389 \
              -D "cn=Directory Manager" \
              -w Secret.123 << EOF
          dn: cn=Subsystem Group,ou=groups,dc=ca,dc=pki,dc=example,dc=com
          changetype: modify
          add: uniqueMember
          uniqueMember: uid=pkidbuser,ou=people,dc=ca,dc=pki,dc=example,dc=com
          -

          dn: cn=Certificate Manager Agents,ou=groups,dc=ca,dc=pki,dc=example,dc=com
          changetype: modify
          add: uniqueMember
          uniqueMember: uid=pkidbuser,ou=people,dc=ca,dc=pki,dc=example,dc=com
          -
          EOF

      - name: Grant database user access to CA database
        run: |
          sed \
              -e 's/{rootSuffix}/dc=example,dc=com/g' \
              -e 's/{dbuser}/uid=pkidbuser,ou=people,dc=ca,dc=pki,dc=example,dc=com/g' \
              base/server/database/ds/db-access-grant.ldif \
              | tee db-access-grant.ldif
          docker exec ds ldapadd \
              -H ldap://ds.example.com:3389 \
              -D "cn=Directory Manager" \
              -w Secret.123 \
              -f $SHARED/db-access-grant.ldif \
              -c

      - name: Check public operations from CA container
        run: |
          # check certs in CA
          docker exec ca pki ca-cert-find

      - name: Check admin operations from CA container
        run: |
          # check admin user
          docker exec ca pki \
              -n admin \
              ca-user-show \
              admin

          docker exec ca pki \
              client-cert-request \
              uid=testuser | tee output

          REQUEST_ID=$(sed -n -e 's/^ *Request ID: *\(.*\)$/\1/p' output)
          echo "REQUEST_ID: $REQUEST_ID"

          docker exec ca pki \
              -n admin \
              ca-cert-request-approve \
              $REQUEST_ID \
              --force

      - name: Check public operations from client container
        run: |
          # check certs in CA
          docker exec client pki \
              -U https://ca.example.com:8443 \
              ca-cert-find

      - name: Check admin operations from client container
        run: |
          # check admin user
          docker exec client pki \
              -U https://ca.example.com:8443 \
              -n admin \
              ca-user-show \
              admin

          docker exec client pki \
              -U https://ca.example.com:8443 \
              client-cert-request \
              uid=testuser | tee output

          REQUEST_ID=$(sed -n -e 's/^ *Request ID: *\(.*\)$/\1/p' output)
          echo "REQUEST_ID: $REQUEST_ID"

          docker exec client pki \
              -U https://ca.example.com:8443 \
              -n admin \
              ca-cert-request-approve \
              $REQUEST_ID \
              --force

      - name: Check CA container logs
        if: always()
        run: |
          docker logs ca 2>&1

      - name: Check CA debug logs
        if: always()
        run: |
          docker exec ca bash -c "cat /var/log/pki/pki-tomcat/ca/debug.*"

      - name: Gather artifacts from CA container
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh --output=/tmp/artifacts/ca ds

          docker exec ca ls -la /etc/pki
          mkdir -p /tmp/artifacts/ca/etc/pki
          docker cp ca:/etc/pki/pki.conf /tmp/artifacts/ca/etc/pki
          docker cp ca:/etc/pki/pki-tomcat /tmp/artifacts/ca/etc/pki

          docker exec ca ls -la /var/log/pki
          mkdir -p /tmp/artifacts/ca/var/log
          docker cp ca:/var/log/pki /tmp/artifacts/ca/var/log

          docker logs ca > /tmp/artifacts/ca/container.out 2> /tmp/artifacts/ca/container.err
        continue-on-error: true

      - name: Gather artifacts from client container
        if: always()
        run: |
          mkdir -p /tmp/artifacts/client
          docker logs client > /tmp/artifacts/client/container.out 2> /tmp/artifacts/client/container.err

      - name: Upload artifacts from CA container
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: ca-container-ca
          path: /tmp/artifacts/ca

      - name: Upload artifacts from client container
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: ca-container-client
          path: /tmp/artifacts/client