ca-profile-caDirPinUserCert-test.yml

name: CA with caDirPinUserCert profile
# https://github.com/dogtagpki/pki/wiki/Certificate-Enrollment-with-PIN-Authenticated-Profile

on: workflow_call

env:
  DS_IMAGE: ${{ vars.DS_IMAGE || 'quay.io/389ds/dirsrv' }}

jobs:
  test:
    name: Test
    runs-on: ubuntu-latest
    env:
      SHARED: /tmp/workdir/pki
    steps:
      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get -y install jq libxml2-utils moreutils xmlstarlet

      - name: Clone repository
        uses: actions/checkout@v4

      - name: Retrieve PKI images
        uses: actions/cache@v4
        with:
          key: pki-images-${{ github.sha }}
          path: pki-images.tar

      - name: Load PKI images
        run: docker load --input pki-images.tar

      - name: Create network
        run: docker network create example

      - name: Set up DS container
        run: |
          tests/bin/ds-create.sh \
              --image=${{ env.DS_IMAGE }} \
              --hostname=ds.example.com \
              --password=Secret.123 \
              ds

      - name: Connect DS container to network
        run: docker network connect example ds --alias ds.example.com

      - name: Add LDAP users and PIN manager
        run: |
          docker exec -i ds ldapadd \
              -H ldap://ds.example.com:3389 \
              -D "cn=Directory Manager" \
              -w Secret.123 << EOF
          dn: uid=pinmanager,dc=example,dc=com
          objectClass: person
          objectClass: organizationalPerson
          objectClass: inetOrgPerson
          uid: pinmanager
          cn: PIN Manager
          sn: Manager
          userPassword: Secret.123

          dn: ou=people,dc=example,dc=com
          objectclass: top
          objectclass: organizationalUnit
          ou: people
          aci: (target="ldap:///ou=people,dc=example,dc=com")
           (targetattr=objectClass||dc||ou||uid||cn||sn||givenName)
           (version 3.0; acl "Allow anyone to read and search basic attributes"; allow (search, read) userdn = "ldap:///anyone";)
          aci: (target="ldap:///ou=people,dc=example,dc=com")
           (targetattr=*)
           (version 3.0; acl "Allow anyone to read and search itself"; allow (search, read) userdn = "ldap:///self";)

          dn: uid=testuser1,ou=people,dc=example,dc=com
          objectClass: person
          objectClass: organizationalPerson
          objectClass: inetOrgPerson
          uid: testuser1
          cn: Test User 1
          sn: User
          userPassword: Secret.123

          dn: uid=testuser2,ou=people,dc=example,dc=com
          objectClass: person
          objectClass: organizationalPerson
          objectClass: inetOrgPerson
          uid: testuser2
          cn: Test User 2
          sn: User
          userPassword: Secret.123

          dn: uid=testuser3,ou=people,dc=example,dc=com
          objectClass: person
          objectClass: organizationalPerson
          objectClass: inetOrgPerson
          uid: testuser3
          cn: Test User 3
          sn: User
          userPassword: Secret.123
          EOF

      - name: Set up PKI container
        run: |
          tests/bin/runner-init.sh pki
        env:
          HOSTNAME: pki.example.com

      - name: Connect PKI container to network
        run: docker network connect example pki --alias pki.example.com

      - name: Set up LDAP schema and ACI attrs
        run: |
          # configure setpin.conf
          docker exec pki sed \
              -e "s/^host=.*$/host=ds.example.com/" \
              -e "s/^port=.*$/port=3389/" \
              -e "s/^binddn=.*$/binddn=cn=Directory Manager/" \
              -e "s/^bindpw=.*$/bindpw=Secret.123/" \
              -e "s/^pinmanager=.*$/pinmanager=uid=pinmanager,dc=example,dc=com/" \
              -e "s/^pinmanagerpwd=.*$/pinmanagerpwd=Secret.123/" \
              -e "s/^basedn=.*$/basedn=ou=people,dc=example,dc=com/" \
              /usr/share/pki/tools/setpin.conf | tee setpin.conf

          # run setpin to set up LDAP schema and ACI attrs
          docker exec pki setpin optfile=$SHARED/setpin.conf

          # get ACI attrs
          docker exec pki ldapsearch \
              -H ldap://ds.example.com:3389 \
              -D "cn=Directory Manager" \
              -w Secret.123 \
              -b "ou=people,dc=example,dc=com" \
              -s base \
              -t \
              -o ldif_wrap=no \
              -LLL \
              aci | tee output

          # there should be 2 old ACI attrs and 2 new ones
          cat > expected << EOF
          aci: (target="ldap:///ou=people,dc=example,dc=com")(targetattr=objectClass||dc||ou||uid||cn||sn||givenName)(version 3.0; acl "Allow anyone to read and search basic attributes"; allow (search, read) userdn = "ldap:///anyone";)
          aci: (target="ldap:///ou=people,dc=example,dc=com")(targetattr=*)(version 3.0; acl "Allow anyone to read and search itself"; allow (search, read) userdn = "ldap:///self";)
          aci: (target="ldap:///ou=people,dc=example,dc=com")(targetattr="pin")(version 3.0; acl "Pin attribute"; allow (all) userdn = "ldap:///uid=pinmanager,dc=example,dc=com"; deny(proxy,selfwrite,compare,add,write,delete,search) userdn = "ldap:///self";)
          aci: (target="ldap:///ou=people,dc=example,dc=com")(targetattr="objectclass")(version 3.0; acl "Pin Objectclass"; allow (all) userdn = "ldap:///uid=pinmanager,dc=example,dc=com";)
          EOF

          grep '^aci:' output > actual
          diff expected actual

      - name: Generate user PINs
        run: |
          # disable setup mode
          sed -i "/^setup=/d" setpin.conf

          # run setpin to generate PINs for all users
          docker exec pki setpin \
              filter="(objectClass=person)" \
              optfile=$SHARED/setpin.conf \
              output=$SHARED/setpin.out \
              write

          cat setpin.out

          # check users
          docker exec pki ldapsearch \
              -H ldap://ds.example.com:3389 \
              -D "cn=Directory Manager" \
              -w Secret.123 \
              -b "ou=people,dc=example,dc=com" \
              -s one \
              -o ldif_wrap=no \
              -LLL

      - name: Install CA
        run: |
          docker exec pki pkispawn \
              -f /usr/share/pki/server/examples/installation/ca.cfg \
              -s CA \
              -D pki_ds_url=ldap://ds.example.com:3389 \
              -v

      - name: Configure caDirPinUserCert profile
        run: |
          # configure PIN-based authentication
          docker exec pki pki-server ca-config-set auths.instance.PinDirEnrollment.pluginName UidPwdPinDirAuth
          docker exec pki pki-server ca-config-set auths.instance.PinDirEnrollment.ldap.basedn ou=people,dc=example,dc=com
          docker exec pki pki-server ca-config-set auths.instance.PinDirEnrollment.ldap.ldapauth.authtype BasicAuth
          docker exec pki pki-server ca-config-set auths.instance.PinDirEnrollment.ldap.ldapconn.host ds.example.com
          docker exec pki pki-server ca-config-set auths.instance.PinDirEnrollment.ldap.ldapconn.port 3389

          # enable caDirPinUserCert profile
          docker exec pki sed -i \
              -e "s/^\(enable\)=.*/\1=true/" \
              /var/lib/pki/pki-tomcat/ca/profiles/ca/caDirPinUserCert.cfg

          # restart CA subsystem
          docker exec pki pki-server ca-redeploy --wait

      - name: Check CA admin
        run: |
          docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt

          docker exec pki pki nss-cert-import \
              --cert ca_signing.crt \
              --trust CT,C,C \
              ca_signing

          docker exec pki pki pkcs12-import \
              --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
              --pkcs12-password Secret.123
          docker exec pki pki -n caadmin ca-user-show caadmin

      - name: Check enrollment using pki ca-cert-issue
        run: |
          PIN=$(sed -En 'N; s/^dn:uid=testuser1,.*\npin:(.*)$/\1/p; D' setpin.out)
          echo "PIN: $PIN"

          # generate cert request
          docker exec pki pki nss-cert-request \
              --subject "UID=testuser1" \
              --csr $SHARED/testuser1.csr

          echo "Secret.123" > password.txt
          echo "$PIN" > pin.txt

          # issue cert
          docker exec pki pki \
              ca-cert-issue \
              --profile caDirPinUserCert \
              --username testuser1 \
              --password-file $SHARED/password.txt \
              --pin-file $SHARED/pin.txt \
              --csr-file $SHARED/testuser1.csr \
              --output-file testuser1.crt

          # import cert
          docker exec pki pki nss-cert-import testuser1 --cert testuser1.crt
          docker exec pki pki nss-cert-show testuser1 | tee output

          # the cert should match the key (trust flags must be u,u,u)
          echo "u,u,u" > expected
          sed -n "s/^\s*Trust Flags:\s*\(\S*\)$/\1/p" output > actual
          diff expected actual

      - name: Check enrollment using XML
        run: |
          PIN=$(sed -En 'N; s/^dn:uid=testuser2,.*\npin:(.*)$/\1/p; D' setpin.out)
          echo "PIN: $PIN"

          # generate cert request
          docker exec pki pki nss-cert-request \
              --subject "UID=testuser2" \
              --csr $SHARED/testuser2.csr

          # retrieve request template
          docker exec pki curl \
              -k \
              -s \
              -H "Content-Type: application/xml" \
              -H "Accept: application/xml" \
              https://pki.example.com:8443/ca/rest/certrequests/profiles/caDirPinUserCert \
              | xmllint --format - \
              | tee testuser2-request.xml

          # insert username
          xmlstarlet edit --inplace \
              -s "/CertEnrollmentRequest/Attributes" --type elem --name "Attribute" -v "testuser2" \
              -i "/CertEnrollmentRequest/Attributes/Attribute[not(@name)]" -t attr -n "name" -v "uid" \
              testuser2-request.xml

          # insert password
          xmlstarlet edit --inplace \
              -s "/CertEnrollmentRequest/Attributes" --type elem --name "Attribute" -v "Secret.123" \
              -i "/CertEnrollmentRequest/Attributes/Attribute[not(@name)]" -t attr -n "name" -v "pwd" \
              testuser2-request.xml

          # insert PIN
          xmlstarlet edit --inplace \
              -s "/CertEnrollmentRequest/Attributes" --type elem --name "Attribute" -v "$PIN" \
              -i "/CertEnrollmentRequest/Attributes/Attribute[not(@name)]" -t attr -n "name" -v "pin" \
              testuser2-request.xml

          # insert request type
          xmlstarlet edit --inplace \
              -u "/CertEnrollmentRequest/Input/Attribute[@name='cert_request_type']/Value" \
              -v "pkcs10" \
              testuser2-request.xml

          # insert CSR
          xmlstarlet edit --inplace \
              -u "/CertEnrollmentRequest/Input/Attribute[@name='cert_request']/Value" \
              -v "$(cat testuser2.csr)" \
              testuser2-request.xml

          cat testuser2-request.xml

          # submit request
          docker exec pki curl \
              -k \
              -s \
              -X POST \
              -d @$SHARED/testuser2-request.xml \
              -H "Content-Type: application/xml" \
              -H "Accept: application/xml" \
              https://pki.example.com:8443/ca/rest/certrequests \
              | xmllint --format - \
              | tee testuser2-response.xml
          CERT_ID=$(xmlstarlet sel -t -v '/CertRequestInfos/CertRequestInfo/certID' testuser2-response.xml)

          # retrieve cert
          docker exec pki curl \
              -k \
              -s \
              -H "Content-Type: application/xml" \
              -H "Accept: application/xml" \
              https://pki.example.com:8443/ca/rest/certs/$CERT_ID \
              | xmllint --format - \
              | tee testuser2-cert.xml

          # The XML transformation in CertData.toXML() converts "\r"
          # chars in the cert into "&#13;" which need to be removed.
          # TODO: Fix CertData.toXML() to avoid adding "&#13;".
          xmlstarlet sel -t -v '/CertData/Encoded' testuser2-cert.xml \
              | sed 's/&#13;$//' \
              | tee testuser2.crt

          # import cert
          docker exec pki pki nss-cert-import testuser2 --cert $SHARED/testuser2.crt
          docker exec pki pki nss-cert-show testuser2 | tee output

          # the cert should match the key (trust flags must be u,u,u)
          echo "u,u,u" > expected
          sed -n "s/^\s*Trust Flags:\s*\(\S*\)$/\1/p" output > actual
          diff expected actual

      - name: Check enrollment using JSON
        run: |
          PIN=$(sed -En 'N; s/^dn:uid=testuser3,.*\npin:(.*)$/\1/p; D' setpin.out)
          echo "PIN: $PIN"

          # generate cert request
          docker exec pki pki nss-cert-request \
              --subject "UID=testuser3" \
              --csr $SHARED/testuser3.csr

          # retrieve request template
          docker exec pki curl \
              -k \
              -s \
              -H "Content-Type: application/json" \
              -H "Accept: application/json" \
              https://pki.example.com:8443/ca/rest/certrequests/profiles/caDirPinUserCert \
              | python -m json.tool \
              | tee testuser3-request.json

          # insert username
          jq '.Attributes.Attribute[.Attributes.Attribute|length] |= . + { "name": "uid", "value": "testuser3" }' \
              testuser3-request.json | sponge testuser3-request.json

          # insert password
          jq '.Attributes.Attribute[.Attributes.Attribute|length] |= . + { "name": "pwd", "value": "Secret.123" }' \
              testuser3-request.json | sponge testuser3-request.json

          # insert PIN
          jq --arg PIN "$PIN" '.Attributes.Attribute[.Attributes.Attribute|length] |= . + { "name": "pin", "value": $PIN }' \
              testuser3-request.json | sponge testuser3-request.json

          # insert request type
          jq '( .Input[].Attribute[] | select(.name=="cert_request_type") ).Value |= "pkcs10"' \
              testuser3-request.json | sponge testuser3-request.json

          # insert CSR
          jq --rawfile cert_request testuser2.csr '( .Input[].Attribute[] | select(.name=="cert_request") ).Value |= $cert_request' \
              testuser3-request.json | sponge testuser3-request.json

          cat testuser3-request.json

          # submit request
          docker exec pki curl \
              -k \
              -s \
              -X POST \
              -d @$SHARED/testuser3-request.json \
              -H "Content-Type: application/json" \
              -H "Accept: application/json" \
              https://pki.example.com:8443/ca/rest/certrequests \
              | python -m json.tool \
              | tee testuser3-response.json
          CERT_ID=$(jq -j '.entries[].certId' testuser3-response.json)

          # retrieve cert
          docker exec pki curl \
              -k \
              -s \
              -H "Content-Type: application/json" \
              -H "Accept: application/json" \
              https://pki.example.com:8443/ca/rest/certs/$CERT_ID \
              | python -m json.tool \
              | tee testuser3-cert.json
          jq -j '.Encoded' testuser3-cert.json | tee testuser3.crt

          # import cert
          docker exec pki pki nss-cert-import testuser3 --cert $SHARED/testuser3.crt
          docker exec pki pki nss-cert-show testuser3 | tee output

          # the cert should match the key (trust flags must be u,u,u)
          echo "u,u,u" > expected
          sed -n "s/^\s*Trust Flags:\s*\(\S*\)$/\1/p" output > actual
          diff expected actual

      - name: Remove CA
        run: docker exec pki pkidestroy -s CA -v

      - name: Check PKI server systemd journal
        if: always()
        run: |
          docker exec pki journalctl -x --no-pager -u pki-tomcatd@pki-tomcat.service

      - name: Check CA debug log
        if: always()
        run: |
          docker exec pki find /var/lib/pki/pki-tomcat/logs/ca -name "debug.*" -exec cat {} \;

      - name: Gather artifacts
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh ds
          tests/bin/pki-artifacts-save.sh pki
        continue-on-error: true

      - name: Upload artifacts
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: ca-profile-caDirPinUserCert-test
          path: /tmp/artifacts