.github/workflows/ca-cmc-shared-token-test.yml

name: CA with CMC shared token

on: workflow_call

env:
  DS_IMAGE: ${{ vars.DS_IMAGE || 'quay.io/389ds/dirsrv' }}

jobs:
  # https://github.com/dogtagpki/pki/wiki/Issuing-User-Certificate-with-CMC-Shared-Token
  test:
    name: Test
    runs-on: ubuntu-latest
    env:
      SHARED: /tmp/workdir/pki
    steps:
      - name: Clone repository
        uses: actions/checkout@v4

      - name: Retrieve PKI images
        uses: actions/cache@v4
        with:
          key: pki-images-${{ github.sha }}
          path: pki-images.tar

      - name: Load PKI images
        run: docker load --input pki-images.tar

      - name: Create network
        run: docker network create example

      - name: Set up DS container
        run: |
          tests/bin/ds-create.sh \
              --image=${{ env.DS_IMAGE }} \
              --hostname=ds.example.com \
              --password=Secret.123 \
              ds

      - name: Connect DS container to network
        run: docker network connect example ds --alias ds.example.com

      - name: Set up PKI container
        run: |
          tests/bin/runner-init.sh pki
        env:
          HOSTNAME: pki.example.com

      - name: Connect PKI container to network
        run: docker network connect example pki --alias pki.example.com

      - name: Install CA
        run: |
          docker exec pki pkispawn \
              -f /usr/share/pki/server/examples/installation/ca.cfg \
              -s CA \
              -D pki_ds_url=ldap://ds.example.com:3389 \
              -v

          # disable audit event filters
          docker exec pki pki-server ca-config-unset log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY

      - name: Install CA admin cert
        run: |
          docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt

          docker exec pki pki nss-cert-import \
              --cert ca_signing.crt \
              --trust CT,C,C \
              ca_signing

          docker exec pki pki pkcs12-import \
              --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
              --pkcs12-password Secret.123

      # https://github.com/dogtagpki/pki/wiki/Creating-Issuance-Protection-Certificate
      - name: Create issuance protection cert
        run: |
          # generate cert request
          docker exec pki pki \
              -d /var/lib/pki/pki-tomcat/conf/alias \
              -f /var/lib/pki/pki-tomcat/conf/password.conf \
              nss-cert-request \
              --subject "CN=CA Issuance Protection" \
              --csr ca_issuance_protection.csr

          # check generated CSR
          docker exec pki openssl req -text -noout -in ca_issuance_protection.csr

          # create CMC request
          docker exec pki CMCRequest \
              /usr/share/pki/server/examples/cmc/ca_issuance_protection-cmc-request.cfg \

          # submit CMC request
          docker exec pki HttpClient \
              /usr/share/pki/server/examples/cmc/ca_issuance_protection-cmc-submit.cfg \

          # convert CMC response (DER PKCS #7) into PEM PKCS #7 cert chain
          docker exec pki CMCResponse \
              -d /var/lib/pki/pki-tomcat/conf/alias \
              -i ca_issuance_protection.cmc-response \
              -o ca_issuance_protection.p7b | tee output

          echo "SUCCESS" > expected
          sed -n 's/^ *Status: *\(.*\)/\1/p' output > actual
          diff expected actual

          # check issued cert chain
          docker exec pki openssl pkcs7 \
              -print_certs \
              -in ca_issuance_protection.p7b

          # import cert chain
          docker exec pki pki \
              -d /var/lib/pki/pki-tomcat/conf/alias \
              -f /var/lib/pki/pki-tomcat/conf/password.conf \
              pkcs7-import \
              --pkcs7 ca_issuance_protection.p7b \
              ca_issuance_protection

          # check imported cert chain
          docker exec pki pki \
              -d /var/lib/pki/pki-tomcat/conf/alias \
              -f /var/lib/pki/pki-tomcat/conf/password.conf \
              nss-cert-find

          # configure issuance protection nickname
          docker exec pki pki-server ca-config-set ca.cert.issuance_protection.nickname ca_issuance_protection

      # https://github.com/dogtagpki/pki/wiki/Configuring-CMC-Shared-Token-Authentication
      - name: Configure shared token auth
        run: |
          # update schema
          docker exec pki ldapmodify \
              -H ldap://ds.example.com:3389 \
              -x \
              -D "cn=Directory Manager" \
              -w Secret.123 \
              -f /usr/share/pki/ca/auth/ds/schema.ldif

          # add user subtree
          docker exec pki ldapadd \
              -H ldap://ds.example.com:3389 \
              -x \
              -D "cn=Directory Manager" \
              -w Secret.123 \
              -f /usr/share/pki/ca/auth/ds/create.ldif

          # add user records
          docker exec pki ldapadd \
              -H ldap://ds.example.com:3389 \
              -x \
              -D "cn=Directory Manager" \
              -w Secret.123 \
              -f /usr/share/pki/ca/auth/ds/example.ldif

          # configure CMC shared token authentication
          docker exec pki pki-server ca-config-set auths.instance.SharedToken.ldap.basedn ou=people,dc=example,dc=com
          docker exec pki pki-server ca-config-set auths.instance.SharedToken.ldap.ldapauth.authtype BasicAuth
          docker exec pki pki-server ca-config-set auths.instance.SharedToken.ldap.ldapauth.bindDN "cn=Directory Manager"
          docker exec pki pki-server ca-config-set auths.instance.SharedToken.ldap.ldapauth.bindPWPrompt "Rule SharedToken"
          docker exec pki pki-server ca-config-set auths.instance.SharedToken.ldap.ldapconn.host ds.example.com
          docker exec pki pki-server ca-config-set auths.instance.SharedToken.ldap.ldapconn.port 3389
          docker exec pki pki-server ca-config-set auths.instance.SharedToken.ldap.ldapconn.secureConn false
          docker exec pki pki-server ca-config-set auths.instance.SharedToken.pluginName SharedToken
          docker exec pki pki-server ca-config-set auths.instance.SharedToken.shrTokAttr shrTok

          # enable caFullCMCSharedTokenCert profile
          docker exec pki sed -i \
              -e "s/^\(enable\)=.*/\1=true/" \
              /var/lib/pki/pki-tomcat/ca/profiles/ca/caFullCMCSharedTokenCert.cfg

          # enable caFullCMCUserSignedCert profile
          docker exec pki sed -i \
              -e "s/^\(enable\)=.*/\1=true/" \
              /var/lib/pki/pki-tomcat/ca/profiles/ca/caFullCMCUserSignedCert.cfg

          # restart CA subsystem
          docker exec pki pki-server ca-redeploy --wait

      # https://github.com/dogtagpki/pki/wiki/Generating-CMC-Shared-Token
      - name: Generate shared token for user
        run: |
          # generate shared token
          docker exec pki CMCSharedToken \
              -d /var/lib/pki/pki-tomcat/conf/alias \
              -p Secret.123 \
              -n ca_issuance_protection \
              -s Secret.123 \
              -o $SHARED/testuser.b64

          # convert into a single line
          sed -e :a -e 'N;s/\r\n//;ba' testuser.b64 > token.txt
          SHARED_TOKEN=$(cat token.txt)
          echo "SHARED_TOKEN: $SHARED_TOKEN"

          cat > add.ldif << EOF
          dn: uid=testuser,ou=people,dc=example,dc=com
          changetype: modify
          add: objectClass
          objectClass: extensibleobject
          -
          add: shrTok
          shrTok: $SHARED_TOKEN
          -
          EOF
          cat add.ldif

          # add shared token into user record
          docker exec pki ldapmodify \
              -H ldap://ds.example.com:3389 \
              -x \
              -D "cn=Directory Manager" \
              -w Secret.123 \
              -f $SHARED/add.ldif

      # https://github.com/dogtagpki/pki/wiki/Issuing-User-Certificate-with-CMC-Shared-Token
      - name: Issue user cert with shared token
        run: |
          # create key
          docker exec pki pki nss-key-create --output-format json | tee output
          KEY_ID=$(jq -r '.keyId' output)
          echo "KEY_ID: $KEY_ID"

          # generated cert request
          docker exec pki pki \
              nss-cert-request \
              --key-id $KEY_ID \
              --subject "uid=testuser" \
              --ext /usr/share/pki/tools/examples/certs/testuser.conf \
              --csr testuser.csr

          # check generated CSR
          docker exec pki openssl req -text -noout -in testuser.csr

          # insert key ID into CMCRequest config
          docker cp \
              pki:/usr/share/pki/tools/examples/cmc/testuser-cmc-request.cfg \
              testuser-cmc-request.cfg
          sed -i \
              -e "s/^\(request.privKeyId\)=.*/\1=$KEY_ID/" \
              testuser-cmc-request.cfg
          cat testuser-cmc-request.cfg

          # create CMC request
          docker exec pki CMCRequest \
              $SHARED/testuser-cmc-request.cfg

          # submit CMC request
          docker exec pki HttpClient \
              /usr/share/pki/tools/examples/cmc/testuser-cmc-submit.cfg

          # convert CMC response (DER PKCS #7) into PEM PKCS #7 cert chain
          docker exec pki CMCResponse \
              -d /root/.dogtag/nssdb \
              -i testuser.cmc-response \
              -o testuser.p7b | tee output

          echo "SUCCESS" > expected
          sed -n 's/^ *Status: *\(.*\)/\1/p' output > actual
          diff expected actual

          # check issued cert chain
          docker exec pki pki \
              pkcs7-cert-find \
              --pkcs7 testuser.p7b

          # import cert chain
          docker exec pki pki \
              pkcs7-import \
              --pkcs7 testuser.p7b \
              testuser

          # check imported user cert
          docker exec pki pki nss-cert-show testuser | tee output

          # get user cert serial number
          sed -n 's/^ *Serial Number: *\(.*\)/\1/p' output > testuser.serial

      # https://github.com/dogtagpki/pki/wiki/Revoking-Certificate-with-CMC-Shared-Token
      - name: Revoke user cert with shared token
        run: |
          HEX_SERIAL=$(cat testuser.serial)
          echo "Hex serial: $HEX_SERIAL"

          DEC_SERIAL=$(python -c "print(int('$HEX_SERIAL', 16))")
          echo "Dec serial: $DEC_SERIAL"

          SHARED_TOKEN=$(cat token.txt)

          cat > modify.ldif << EOF
          dn: cn=$DEC_SERIAL,ou=certificateRepository,ou=ca,dc=ca,dc=pki,dc=example,dc=com
          changetype: modify
          add: metaInfo
          metaInfo: revShrTok:$SHARED_TOKEN
          -
          EOF
          cat modify.ldif

          # add shared token into cert record
          docker exec pki ldapmodify \
              -H ldap://ds.example.com:3389 \
              -x \
              -D "cn=Directory Manager" \
              -w Secret.123 \
              -f $SHARED/modify.ldif

          # insert user cert serial number into CMCRequest config
          docker cp \
              pki:/usr/share/pki/tools/examples/cmc/testuser-cmc-revocation-request.cfg \
              testuser-cmc-revocation-request.cfg
          sed -i \
              -e "s/^\(revRequest.serial\)=.*/\1=$HEX_SERIAL/" \
              testuser-cmc-revocation-request.cfg
          cat testuser-cmc-revocation-request.cfg

          # create CMC request
          docker exec pki CMCRequest \
              $SHARED/testuser-cmc-revocation-request.cfg

          # submit CMC request
          docker exec pki HttpClient \
              /usr/share/pki/tools/examples/cmc/testuser-cmc-revocation-submit.cfg

          # process CMC response
          docker exec pki CMCResponse \
              -d /root/.dogtag/nssdb \
              -i testuser.cmc-revocation-response | tee output

          echo "SUCCESS" > expected
          sed -n 's/^ *Status: *\(.*\)/\1/p' output > actual
          diff expected actual

          # check cert status
          docker exec pki pki ca-cert-show $HEX_SERIAL | tee output

          echo "REVOKED" > expected
          sed -n 's/^ *Status: *\(.*\)/\1/p' output > actual
          diff expected actual

      - name: Check CMC_USER_SIGNED_REQUEST_SIG_VERIFY events
        if: always()
        run: |
          docker exec pki grep \
              "\[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY\]" \
              /var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit | tee output

          # there should be 1 event from user cert enrollment
          echo "1" > expected
          cat output | wc -l > actual
          diff expected actual

      - name: Check CERT_STATUS_CHANGE_REQUEST_PROCESSED events
        if: always()
        run: |
          docker exec pki grep \
              "\[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED\]" \
              /var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit | tee output

          # there should be 1 event from user cert revocation
          echo "1" > expected
          cat output | wc -l > actual
          diff expected actual

      - name: Check CMC_REQUEST_RECEIVED events
        if: always()
        run: |
          docker exec pki grep \
              "\[AuditEvent=CMC_REQUEST_RECEIVED\]" \
              /var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit | tee output

          # there should be 3 events from issuance protection cert enrollment,
          # user cert enrollment, user cert revocation
          echo "3" > expected
          cat output | wc -l > actual
          diff expected actual

      - name: Check CMC_RESPONSE_SENT events
        if: always()
        run: |
          docker exec pki grep \
              "\[AuditEvent=CMC_RESPONSE_SENT\]" \
              /var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit | tee output

          # there should be 3 events from issuance protection cert enrollment,
          # user cert enrollment, user cert revocation
          echo "3" > expected
          cat output | wc -l > actual
          diff expected actual

      - name: Remove CA
        run: docker exec pki pkidestroy -s CA -v

      - name: Check DS server systemd journal
        if: always()
        run: |
          docker exec ds journalctl -x --no-pager -u dirsrv@localhost.service

      - name: Check DS container logs
        if: always()
        run: |
          docker logs ds

      - name: Check PKI server systemd journal
        if: always()
        run: |
          docker exec pki journalctl -x --no-pager -u pki-tomcatd@pki-tomcat.service

      - name: Check CA debug log
        if: always()
        run: |
          docker exec pki find /var/lib/pki/pki-tomcat/logs/ca -name "debug.*" -exec cat {} \;

      - name: Gather artifacts
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh ds
          tests/bin/pki-artifacts-save.sh pki
        continue-on-error: true

      - name: Upload artifacts
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: ca-cmc-shared-token
          path: /tmp/artifacts