.github/workflows/tps-basic-test.yml

name: Basic TPS

on: workflow_call

env:
  DS_IMAGE: ${{ vars.DS_IMAGE || 'quay.io/389ds/dirsrv' }}

jobs:
  # docs/installation/tps/Installing_TPS.md
  test:
    name: Test
    runs-on: ubuntu-latest
    env:
      SHARED: /tmp/workdir/pki
    steps:
      - name: Clone repository
        uses: actions/checkout@v4

      - name: Retrieve PKI images
        uses: actions/cache@v4
        with:
          key: pki-images-${{ github.sha }}
          path: pki-images.tar

      - name: Load PKI images
        run: docker load --input pki-images.tar

      - name: Create network
        run: docker network create example

      - name: Set up DS container
        run: |
          tests/bin/ds-create.sh \
              --image=${{ env.DS_IMAGE }} \
              --hostname=ds.example.com \
              --password=Secret.123 \
              ds

      - name: Connect DS container to network
        run: docker network connect example ds --alias ds.example.com

      - name: Set up PKI container
        run: |
          tests/bin/runner-init.sh pki
        env:
          HOSTNAME: pki.example.com

      - name: Connect PKI container to network
        run: docker network connect example pki --alias pki.example.com

      - name: Install CA
        run: |
          docker exec pki pkispawn \
              -f /usr/share/pki/server/examples/installation/ca.cfg \
              -s CA \
              -D pki_ds_url=ldap://ds.example.com:3389 \
              -v

          docker exec pki pki-server cert-find

      - name: Install KRA
        run: |
          docker exec pki pkispawn \
              -f /usr/share/pki/server/examples/installation/kra.cfg \
              -s KRA \
              -D pki_ds_url=ldap://ds.example.com:3389 \
              -v

          docker exec pki pki-server cert-find

      - name: Install TKS
        run: |
          docker exec pki pkispawn \
              -f /usr/share/pki/server/examples/installation/tks.cfg \
              -s TKS \
              -D pki_ds_url=ldap://ds.example.com:3389 \
              -v

          docker exec pki pki-server cert-find

      - name: Install TPS
        run: |
          docker exec pki pkispawn \
              -f /usr/share/pki/server/examples/installation/tps.cfg \
              -s TPS \
              -D pki_ds_url=ldap://ds.example.com:3389 \
              -D pki_authdb_url=ldap://ds.example.com:3389 \
              -D pki_enable_server_side_keygen=True \
              -v

      - name: Check PKI server base dir after installation
        run: |
          # check file types, owners, and permissions
          docker exec pki ls -l /var/lib/pki/pki-tomcat \
              | sed \
                  -e '/^total/d' \
                  -e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
              | tee output

          # TODO: review permissions
          cat > expected << EOF
          lrwxrwxrwx pkiuser pkiuser alias -> /var/lib/pki/pki-tomcat/conf/alias
          lrwxrwxrwx pkiuser pkiuser bin -> /usr/share/tomcat/bin
          drwxrwx--- pkiuser pkiuser ca
          drwxrwx--- pkiuser pkiuser common
          lrwxrwxrwx pkiuser pkiuser conf -> /etc/pki/pki-tomcat
          drwxrwx--- pkiuser pkiuser kra
          lrwxrwxrwx pkiuser pkiuser lib -> /usr/share/pki/server/lib
          lrwxrwxrwx pkiuser pkiuser logs -> /var/log/pki/pki-tomcat
          drwxrwx--- pkiuser pkiuser temp
          drwxrwx--- pkiuser pkiuser tks
          drwxrwx--- pkiuser pkiuser tps
          drwxr-xr-x pkiuser pkiuser webapps
          drwxrwx--- pkiuser pkiuser work
          EOF

          diff expected output

      - name: Check PKI server conf dir after installation
        run: |
          # check file types, owners, and permissions
          docker exec pki ls -l /etc/pki/pki-tomcat \
              | sed \
                  -e '/^total/d' \
                  -e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
              | tee output

          # TODO: review permissions
          cat > expected << EOF
          drwxrwx--- pkiuser pkiuser Catalina
          drwxrwx--- pkiuser pkiuser alias
          drwxrwx--- pkiuser pkiuser ca
          -rw-r--r-- pkiuser pkiuser catalina.policy
          lrwxrwxrwx pkiuser pkiuser catalina.properties -> /usr/share/pki/server/conf/catalina.properties
          drwxrwx--- pkiuser pkiuser certs
          lrwxrwxrwx pkiuser pkiuser context.xml -> /etc/tomcat/context.xml
          drwxrwx--- pkiuser pkiuser kra
          lrwxrwxrwx pkiuser pkiuser logging.properties -> /usr/share/pki/server/conf/logging.properties
          -rw-rw---- pkiuser pkiuser password.conf
          -rw-rw---- pkiuser pkiuser server.xml
          -rw-rw---- pkiuser pkiuser serverCertNick.conf
          drwxrwx--- pkiuser pkiuser tks
          -rw-rw---- pkiuser pkiuser tomcat.conf
          drwxrwx--- pkiuser pkiuser tps
          lrwxrwxrwx pkiuser pkiuser web.xml -> /etc/tomcat/web.xml
          EOF

          diff expected output

      - name: Check server.xml
        if: always()
        run: |
          docker exec pki cat /etc/pki/pki-tomcat/server.xml

      - name: Check PKI server logs dir after installation
        run: |
          # check file types, owners, and permissions
          docker exec pki ls -l /var/log/pki/pki-tomcat \
              | sed \
                  -e '/^total/d' \
                  -e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
              | tee output

          DATE=$(date +'%Y-%m-%d')

          # TODO: review permissions
          cat > expected << EOF
          drwxr-x--- pkiuser pkiuser backup
          drwxrwx--- pkiuser pkiuser ca
          -rw-rw-r-- pkiuser pkiuser catalina.$DATE.log
          -rw-rw-r-- pkiuser pkiuser host-manager.$DATE.log
          drwxrwx--- pkiuser pkiuser kra
          -rw-rw-r-- pkiuser pkiuser localhost.$DATE.log
          -rw-r--r-- pkiuser pkiuser localhost_access_log.$DATE.txt
          -rw-rw-r-- pkiuser pkiuser manager.$DATE.log
          drwxr-xr-x pkiuser pkiuser pki
          drwxrwx--- pkiuser pkiuser tks
          drwxrwx--- pkiuser pkiuser tps
          EOF

          diff expected output

      - name: Check TPS base dir
        run: |
          # check file types, owners, and permissions
          docker exec pki ls -l /var/lib/pki/pki-tomcat/tps \
              | sed \
                  -e '/^total/d' \
                  -e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
              | tee output

          # TODO: review permissions
          cat > expected << EOF
          lrwxrwxrwx pkiuser pkiuser alias -> /var/lib/pki/pki-tomcat/alias
          lrwxrwxrwx pkiuser pkiuser conf -> /var/lib/pki/pki-tomcat/conf/tps
          lrwxrwxrwx pkiuser pkiuser logs -> /var/lib/pki/pki-tomcat/logs/tps
          lrwxrwxrwx pkiuser pkiuser registry -> /etc/sysconfig/pki/tomcat/pki-tomcat
          EOF

          diff expected output

      - name: Check TPS conf dir
        run: |
          # check file types, owners, and permissions
          docker exec pki ls -l /var/lib/pki/pki-tomcat/conf/tps \
              | sed \
                  -e '/^total/d' \
                  -e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
              | tee output

          # TODO: review permissions
          cat > expected << EOF
          -rw-rw-r-- pkiuser pkiuser CS.cfg
          -rw-rw---- pkiuser pkiuser phoneHome.xml
          -rw-rw---- pkiuser pkiuser registry.cfg
          EOF

          diff expected output

      - name: Check TPS server status
        run: |
          docker exec pki pki-server status | tee output

          # CA should be a domain manager, but KRA, TKS, TPS should not
          echo "True" > expected
          echo "False" >> expected
          echo "False" >> expected
          echo "False" >> expected
          sed -n 's/^ *SD Manager: *\(.*\)$/\1/p' output > actual
          diff expected actual

      - name: Check TPS system certs
        run: |
          docker exec pki pki-server cert-find

      - name: Check TPS audit signing cert
        run: |
          docker exec pki pki-server cert-export tps_audit_signing \
              --cert-file tps_audit_signing.crt
          docker exec pki openssl req -text -noout \
              -in /var/lib/pki/pki-tomcat/conf/certs/tps_audit_signing.csr
          docker exec pki openssl x509 -text -noout -in tps_audit_signing.crt

      - name: Check subsystem cert
        run: |
          docker exec pki pki-server cert-export subsystem \
              --cert-file subsystem.crt
          docker exec pki openssl req -text -noout \
              -in /var/lib/pki/pki-tomcat/conf/certs/subsystem.csr
          docker exec pki openssl x509 -text -noout -in subsystem.crt

      - name: Check SSL server cert
        run: |
          docker exec pki pki-server cert-export sslserver \
              --cert-file sslserver.crt
          docker exec pki openssl req -text -noout \
              -in /var/lib/pki/pki-tomcat/conf/certs/sslserver.csr
          docker exec pki openssl x509 -text -noout -in sslserver.crt

      - name: Check TPS admin cert
        run: |
          docker exec pki openssl x509 -text -noout -in /root/.dogtag/pki-tomcat/ca_admin.cert

      - name: Run PKI healthcheck
        run: docker exec pki pki-healthcheck --failures-only

      - name: Check TPS admin
        run: |
          docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt

          docker exec pki pki nss-cert-import \
              --cert ca_signing.crt \
              --trust CT,C,C \
              ca_signing

          docker exec pki pki pkcs12-import \
              --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
              --pkcs12-password Secret.123
          docker exec pki pki -n caadmin tps-user-show tpsadmin

      - name: Set up TPS authentication and misc cfg settings
        run: |
          # import sample TPS users
          docker exec pki ldapadd \
              -H ldap://ds.example.com:3389 \
              -D "cn=Directory Manager" \
              -w Secret.123 \
              -f /usr/share/pki/tps/auth/ds/create.ldif
          docker exec pki ldapadd \
              -H ldap://ds.example.com:3389 \
              -D "cn=Directory Manager" \
              -w Secret.123 \
              -f /usr/share/pki/tps/auth/ds/example.ldif

          # configure TPS to use the sample TPS users
          docker exec pki pki-server tps-config-set \
              auths.instance.ldap1.ldap.basedn \
              ou=people,dc=example,dc=com

          # configure TPS to allow tpsclient tests to work
          docker exec pki pki-server tps-config-set \
              channel.scp01.no.le.byte true

          # restart TPS subsystem
          docker exec pki pki-server tps-redeploy --wait

      - name: Add token
        run: |
          hexdump -v -n "10" -e '1/1 "%02x"' /dev/urandom > cuid
          CUID=$(cat cuid)
          docker exec pki pki -n caadmin tps-token-add $CUID | tee output

          echo "UNFORMATTED" > expected
          sed -n 's/\s*Status:\s\+\(\S\+\)\s*/\1/p' output > actual
          diff expected actual

          docker exec pki pki -n caadmin tps-cert-find --token $CUID

      - name: Format token
        run: |
          CUID=$(cat cuid)
          docker exec pki /usr/share/pki/tps/bin/pki-tps-format \
              --user=testuser \
              --password=Secret.123 \
              $CUID

          echo "FORMATTED" > expected
          docker exec pki pki -n caadmin tps-token-show $CUID | tee output
          sed -n 's/\s*Status:\s\+\(\S\+\)\s*/\1/p' output > actual
          diff expected actual

          docker exec pki pki -n caadmin tps-cert-find --token $CUID

      - name: Enroll token
        run: |
          CUID=$(cat cuid)
          docker exec pki /usr/share/pki/tps/bin/pki-tps-enroll \
              --user=testuser \
              --password=Secret.123 \
              $CUID

          echo "ACTIVE" > expected
          docker exec pki pki -n caadmin tps-token-show $CUID | tee output
          sed -n 's/\s*Status:\s\+\(\S\+\)\s*/\1/p' output > actual
          diff expected actual
          
          docker exec pki pki -n caadmin tps-cert-find --token $CUID

      - name: KRA key find
        run: |          
          CUID=$(cat cuid | tr [:lower:] [:upper:])
          USER="testuser"
          echo $CUID:$USER > expected
          docker exec pki pki -n caadmin kra-key-find --owner $CUID:$USER | tee output
          sed -n 's/\s*Owner:\s\+\(\S\+\)\s*/\1/p' output > actual
          diff expected actual

      - name: Gather artifacts
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh ds
          tests/bin/pki-artifacts-save.sh pki
        continue-on-error: true

      - name: Remove TPS
        run: docker exec pki pkidestroy -s TPS -v

      - name: Remove TKS
        run: docker exec pki pkidestroy -s TKS -v

      - name: Remove KRA
        run: docker exec pki pkidestroy -s KRA -v

      - name: Remove CA
        run: docker exec pki pkidestroy -s CA -v

      - name: Check PKI server base dir after removal
        run: |
          # check file types, owners, and permissions
          docker exec pki ls -l /var/lib/pki/pki-tomcat \
              | sed \
                  -e '/^total/d' \
                  -e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
              | tee output

          # TODO: review permissions
          cat > expected << EOF
          lrwxrwxrwx pkiuser pkiuser conf -> /etc/pki/pki-tomcat
          lrwxrwxrwx pkiuser pkiuser logs -> /var/log/pki/pki-tomcat
          EOF

          diff expected output

      - name: Check PKI server conf dir after removal
        run: |
          # check file types, owners, and permissions
          docker exec pki ls -l /etc/pki/pki-tomcat \
              | sed \
                  -e '/^total/d' \
                  -e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
              | tee output

          # TODO: review permissions
          cat > expected << EOF
          drwxrwx--- pkiuser pkiuser Catalina
          drwxrwx--- pkiuser pkiuser alias
          drwxrwx--- pkiuser pkiuser ca
          -rw-r--r-- pkiuser pkiuser catalina.policy
          lrwxrwxrwx pkiuser pkiuser catalina.properties -> /usr/share/pki/server/conf/catalina.properties
          drwxrwx--- pkiuser pkiuser certs
          lrwxrwxrwx pkiuser pkiuser context.xml -> /etc/tomcat/context.xml
          drwxrwx--- pkiuser pkiuser kra
          lrwxrwxrwx pkiuser pkiuser logging.properties -> /usr/share/pki/server/conf/logging.properties
          -rw-rw---- pkiuser pkiuser password.conf
          -rw-rw---- pkiuser pkiuser server.xml
          -rw-rw---- pkiuser pkiuser serverCertNick.conf
          drwxrwx--- pkiuser pkiuser tks
          -rw-rw---- pkiuser pkiuser tomcat.conf
          drwxrwx--- pkiuser pkiuser tps
          lrwxrwxrwx pkiuser pkiuser web.xml -> /etc/tomcat/web.xml
          EOF

          diff expected output

      - name: Check PKI server logs dir after removal
        run: |
          # check file types, owners, and permissions
          docker exec pki ls -l /var/log/pki/pki-tomcat \
              | sed \
                  -e '/^total/d' \
                  -e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
              | tee output

          DATE=$(date +'%Y-%m-%d')

          # TODO: review permissions
          cat > expected << EOF
          drwxr-x--- pkiuser pkiuser backup
          drwxrwx--- pkiuser pkiuser ca
          -rw-rw-r-- pkiuser pkiuser catalina.$DATE.log
          -rw-rw-r-- pkiuser pkiuser host-manager.$DATE.log
          drwxrwx--- pkiuser pkiuser kra
          -rw-rw-r-- pkiuser pkiuser localhost.$DATE.log
          -rw-r--r-- pkiuser pkiuser localhost_access_log.$DATE.txt
          -rw-rw-r-- pkiuser pkiuser manager.$DATE.log
          drwxr-xr-x pkiuser pkiuser pki
          drwxrwx--- pkiuser pkiuser tks
          drwxrwx--- pkiuser pkiuser tps
          EOF

          diff expected output

      - name: Check DS server systemd journal
        if: always()
        run: |
          docker exec ds journalctl -x --no-pager -u dirsrv@localhost.service

      - name: Check DS container logs
        if: always()
        run: |
          docker logs ds

      - name: Check PKI server systemd journal
        if: always()
        run: |
          docker exec pki journalctl -x --no-pager -u pki-tomcatd@pki-tomcat.service

      - name: Check CA debug log
        if: always()
        run: |
          docker exec pki find /var/lib/pki/pki-tomcat/logs/ca -name "debug.*" -exec cat {} \;

      - name: Check KRA debug log
        if: always()
        run: |
          docker exec pki find /var/lib/pki/pki-tomcat/logs/kra -name "debug.*" -exec cat {} \;

      - name: Check TKS debug log
        if: always()
        run: |
          docker exec pki find /var/lib/pki/pki-tomcat/logs/tks -name "debug.*" -exec cat {} \;

      - name: Check TPS debug log
        if: always()
        run: |
          docker exec pki find /var/lib/pki/pki-tomcat/logs/tps -name "debug.*" -exec cat {} \;

      - name: Upload artifacts
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: tps-basic
          path: /tmp/artifacts