From ab9bf235ef70eb940a1528e27366235c035c9a90 Mon Sep 17 00:00:00 2001
From: Marco Fargetta
Date: Thu, 21 Dec 2023 16:09:01 +0100
Subject: [PATCH] Add test for pki_*_opsFlag and pki_*_opsFlagMask
---
 .github/workflows/ca-hsm-operation-test.yml | 136 ++++++++++++++++++++
 .github/workflows/ca-tests2.yml | 5 +
 2 files changed, 141 insertions(+)
 create mode 100644 .github/workflows/ca-hsm-operation-test.yml
diff --git a/.github/workflows/ca-hsm-operation-test.yml b/.github/workflows/ca-hsm-operation-test.yml
new file mode 100644
index 00000000000..4b52aebe220
--- /dev/null
+++ b/.github/workflows/ca-hsm-operation-test.yml
@@ -0,0 +1,136 @@
+name: CA with HSM and custom operation key flags
+
+on: workflow_call
+
+env:
+ DB_IMAGE: ${{ vars.DB_IMAGE || 'quay.io/389ds/dirsrv' }}
+
+jobs:
+ # docs/installation/ca/Installing_CA_with_HSM.md
+ test:
+ name: Test
+ runs-on: ubuntu-latest
+ env:
+ SHARED: /tmp/workdir/pki
+ steps:
+ - name: Clone repository
+ uses: actions/checkout@v3
+
+ - name: Retrieve PKI images
+ uses: actions/cache@v3
+ with:
+ key: pki-images-${{ github.sha }}
+ path: pki-images.tar
+
+ - name: Load PKI images
+ run: docker load --input pki-images.tar
+
+ - name: Create network
+ run: docker network create example
+
+ - name: Set up DS container
+ run: |
+ tests/bin/ds-container-create.sh ds
+ env:
+ IMAGE: ${{ env.DB_IMAGE }}
+ HOSTNAME: ds.example.com
+ PASSWORD: Secret.123
+
+ - name: Connect DS container to network
+ run: docker network connect example ds --alias ds.example.com
+
+ - name: Set up PKI container
+ run: |
+ tests/bin/runner-init.sh pki
+ env:
+ HOSTNAME: pki.example.com
+
+ - name: Connect PKI container to network
+ run: docker network connect example pki --alias pki.example.com
+
+ - name: Install dependencies
+ run: |
+ docker exec pki dnf install -y softhsm
+
+ - name: Create SoftHSM token
+ run: |
+ # allow PKI user to access SoftHSM files
+ docker exec pki usermod pkiuser -a -G ods
+
+ # create SoftHSM token for PKI server
+ docker exec pki runuser -u pkiuser -- \
+ softhsm2-util \
+ --init-token \
+ --label HSM \
+ --so-pin Secret.HSM \
+ --pin Secret.HSM \
+ --free
+
+ docker exec pki ls -laR /var/lib/softhsm/tokens
+
+ - name: Install CA with HSM and no sign flag
+ run: |
+ docker exec pki pkispawn \
+ -f /usr/share/pki/server/examples/installation/ca.cfg \
+ -s CA \
+ -D pki_instance_name=pki-failing-tomcat \
+ -D pki_ds_url=ldap://ds.example.com:3389 \
+ -D pki_hsm_enable=True \
+ -D pki_token_name=HSM \
+ -D pki_token_password=Secret.HSM \
+ -D pki_server_database_password=Secret.123 \
+ -D pki_ca_signing_token=HSM \
+ -D pki_ocsp_signing_token=HSM \
+ -D pki_audit_signing_token=HSM \
+ -D pki_subsystem_token=HSM \
+ -D pki_sslserver_token=internal \
+ -D pki_ca_signing_opsFlagMask=sign \
+ -v
+ continue-on-error: true
+ id: hsm_no_sign
+
+ - name: Check the install with no sign ops failed
+ if: job.steps.hsm_no_sign.status != failure()
+ run: exit 1
+
+ - name: Install CA with HSM reintroducing sign flag
+ run: |
+ docker exec pki pkispawn \
+ -f /usr/share/pki/server/examples/installation/ca.cfg \
+ -s CA \
+ -D pki_ds_url=ldap://ds.example.com:3389 \
+ -D pki_hsm_enable=True \
+ -D pki_token_name=HSM \
+ -D pki_token_password=Secret.HSM \
+ -D pki_server_database_password=Secret.123 \
+ -D pki_ca_signing_token=HSM \
+ -D pki_ocsp_signing_token=HSM \
+ -D pki_audit_signing_token=HSM \
+ -D pki_subsystem_token=HSM \
+ -D pki_sslserver_token=internal \
+ -D pki_ca_signing_opsFlag=sign \
+ -D pki_ca_signing_opsFlagMask=sign \
+ -v
+
+ - name: Gather artifacts
+ if: always()
+ run: |
+ tests/bin/ds-artifacts-save.sh --output=/tmp/artifacts/pki ds
+ tests/bin/pki-artifacts-save.sh pki
+ continue-on-error: true
+
+ - name: Remove CA
+ run: docker exec pki pkidestroy -i pki-tomcat -s CA -v
+
+ - name: Remove SoftHSM token
+ run: |
+ docker exec pki ls -laR /var/lib/softhsm/tokens
+ docker exec pki runuser -u pkiuser -- softhsm2-util --delete-token --token HSM
+
+ - name: Upload artifacts
+ if: always()
+ uses: actions/upload-artifact@v3
+ with:
+ name: ca-hsm
+ path: |
+ /tmp/artifacts/pki
diff --git a/.github/workflows/ca-tests2.yml b/.github/workflows/ca-tests2.yml
index 19f7b5b4ffd..6cc8d8732c0 100644
--- a/.github/workflows/ca-tests2.yml
+++ b/.github/workflows/ca-tests2.yml
@@ -67,3 +67,8 @@ jobs:
 name: SCEP responder
 needs: build
 uses: ./.github/workflows/scep-test.yml
+
+ hsm-operation-test:
+ name: CA with HSM and custom operation key flags
+ needs: build
+ uses: ./.github/workflows/ca-hsm-operation-test.yml
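Review bot: The guard step `Check the install with no sign ops failed` cannot fire as written, because `job.steps.hsm_no_sign.status` is not a property of the GitHub Actions `job` context (it only exposes `status`, `container` and `services`), so the expression evaluates to null, and `failure()` is a status-check function rather than a string value to compare against. Combined with `continue-on-error: true` on the first pkispawn, the workflow passes even when an HSM signing key installed with `pki_ca_signing_opsFlagMask=sign` is unexpectedly accepted, which is exactly the key-usage regression this test exists to catch. Change the condition to `if: steps.hsm_no_sign.outcome != 'failure'`; `outcome` reports the step's own result before `continue-on-error` is applied. Separately, the first install names its instance `pki-failing-tomcat` but the `Remove CA` step only runs `pkidestroy -i pki-tomcat`, so the partially created instance is left behind in the container; a second `pkidestroy -i pki-failing-tomcat -s CA -v` under `if: always()` (probably with `continue-on-error: true`, since destroying a partial instance may itself fail) would keep the cleanup complete.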