ca-basic-test.yml

name: Basic CA

on: workflow_call

env:
  DS_IMAGE: ${{ vars.DS_IMAGE || 'quay.io/389ds/dirsrv' }}

jobs:
  # docs/installation/ca/Installing_CA.md
  test:
    name: Test
    runs-on: ubuntu-latest
    env:
      SHARED: /tmp/workdir/pki
    steps:
      - name: Clone repository
        uses: actions/checkout@v4

      - name: Retrieve PKI images
        uses: actions/cache@v4
        with:
          key: pki-images-${{ github.sha }}
          path: pki-images.tar

      - name: Load PKI images
        run: docker load --input pki-images.tar

      - name: Create network
        run: docker network create example

      - name: Set up DS container
        run: |
          tests/bin/ds-create.sh \
              --image=${{ env.DS_IMAGE }} \
              --hostname=ds.example.com \
              --network=example \
              --network-alias=ds.example.com \
              --password=Secret.123 \
              ds

      - name: Set up PKI container
        run: |
          tests/bin/runner-init.sh \
              --hostname=pki.example.com \
              --network=example \
              --network-alias=pki.example.com \
              pki

      - name: Install CA
        run: |
          docker exec pki pkispawn \
              -f /usr/share/pki/server/examples/installation/ca.cfg \
              -s CA \
              -D pki_ds_url=ldap://ds.example.com:3389 \
              -v

      - name: Check PKI server base dir after installation
        run: |
          # check file types, owners, and permissions
          docker exec pki ls -l /var/lib/pki/pki-tomcat \
              | sed \
                  -e '/^total/d' \
                  -e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
              | tee output

          # TODO: review permissions
          cat > expected << EOF
          lrwxrwxrwx pkiuser pkiuser alias -> /var/lib/pki/pki-tomcat/conf/alias
          lrwxrwxrwx pkiuser pkiuser bin -> /usr/share/tomcat/bin
          drwxrwx--- pkiuser pkiuser ca
          drwxrwx--- pkiuser pkiuser common
          lrwxrwxrwx pkiuser pkiuser conf -> /etc/pki/pki-tomcat
          lrwxrwxrwx pkiuser pkiuser lib -> /usr/share/pki/server/lib
          lrwxrwxrwx pkiuser pkiuser logs -> /var/log/pki/pki-tomcat
          drwxrwx--- pkiuser pkiuser temp
          drwxr-xr-x pkiuser pkiuser webapps
          drwxrwx--- pkiuser pkiuser work
          EOF

          diff expected output

      - name: Check PKI server conf dir after installation
        run: |
          # check file types, owners, and permissions
          docker exec pki ls -l /etc/pki/pki-tomcat \
              | sed \
                  -e '/^total/d' \
                  -e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
              | tee output

          # TODO: review permissions
          cat > expected << EOF
          drwxrwx--- pkiuser pkiuser Catalina
          drwxrwx--- pkiuser pkiuser alias
          drwxrwx--- pkiuser pkiuser ca
          -rw-r--r-- pkiuser pkiuser catalina.policy
          lrwxrwxrwx pkiuser pkiuser catalina.properties -> /usr/share/pki/server/conf/catalina.properties
          drwxrwx--- pkiuser pkiuser certs
          lrwxrwxrwx pkiuser pkiuser context.xml -> /etc/tomcat/context.xml
          lrwxrwxrwx pkiuser pkiuser logging.properties -> /usr/share/pki/server/conf/logging.properties
          -rw-rw---- pkiuser pkiuser password.conf
          -rw-rw---- pkiuser pkiuser server.xml
          -rw-rw---- pkiuser pkiuser serverCertNick.conf
          -rw-rw---- pkiuser pkiuser tomcat.conf
          lrwxrwxrwx pkiuser pkiuser web.xml -> /etc/tomcat/web.xml
          EOF

          diff expected output

      - name: Check server.xml
        if: always()
        run: |
          docker exec pki cat /etc/pki/pki-tomcat/server.xml

      - name: Check PKI server logs dir after installation
        run: |
          # check file types, owners, and permissions
          docker exec pki ls -l /var/log/pki/pki-tomcat \
              | sed \
                  -e '/^total/d' \
                  -e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
              | tee output

          DATE=$(date +'%Y-%m-%d')

          # TODO: review permissions
          cat > expected << EOF
          drwxr-x--- pkiuser pkiuser backup
          drwxrwx--- pkiuser pkiuser ca
          -rw-rw-r-- pkiuser pkiuser catalina.$DATE.log
          -rw-rw-r-- pkiuser pkiuser host-manager.$DATE.log
          -rw-rw-r-- pkiuser pkiuser localhost.$DATE.log
          -rw-r--r-- pkiuser pkiuser localhost_access_log.$DATE.txt
          -rw-rw-r-- pkiuser pkiuser manager.$DATE.log
          drwxr-xr-x pkiuser pkiuser pki
          EOF

          diff expected output

      - name: Check CA base dir
        run: |
          # check file types, owners, and permissions
          docker exec pki ls -l /var/lib/pki/pki-tomcat/ca \
              | sed \
                  -e '/^total/d' \
                  -e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
              | tee output

          # TODO: review permissions
          cat > expected << EOF
          lrwxrwxrwx pkiuser pkiuser alias -> /var/lib/pki/pki-tomcat/alias
          lrwxrwxrwx pkiuser pkiuser conf -> /var/lib/pki/pki-tomcat/conf/ca
          lrwxrwxrwx pkiuser pkiuser emails -> /var/lib/pki/pki-tomcat/conf/ca/emails
          lrwxrwxrwx pkiuser pkiuser logs -> /var/lib/pki/pki-tomcat/logs/ca
          lrwxrwxrwx pkiuser pkiuser profiles -> /var/lib/pki/pki-tomcat/conf/ca/profiles
          lrwxrwxrwx pkiuser pkiuser registry -> /etc/sysconfig/pki/tomcat/pki-tomcat
          EOF

          diff expected output

      - name: Check CA conf dir
        run: |
          # check file types, owners, and permissions
          docker exec pki ls -l /var/lib/pki/pki-tomcat/conf/ca \
              | sed \
                  -e '/^total/d' \
                  -e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
                  -e '/^.* CS\.cfg\..*$/d' \
              | tee output

          # TODO: review permissions
          cat > expected << EOF
          -rw-rw-r-- pkiuser pkiuser CS.cfg
          -rw-rw---- pkiuser pkiuser adminCert.profile
          drwxr-xr-x pkiuser pkiuser archives
          -rw-rw---- pkiuser pkiuser caAuditSigningCert.profile
          -rw-rw---- pkiuser pkiuser caCert.profile
          -rw-rw---- pkiuser pkiuser caOCSPCert.profile
          drwxrwx--- pkiuser pkiuser emails
          -rw-rw---- pkiuser pkiuser flatfile.txt
          drwxrwx--- pkiuser pkiuser profiles
          -rw-rw---- pkiuser pkiuser proxy.conf
          -rw-rw---- pkiuser pkiuser registry.cfg
          -rw-rw---- pkiuser pkiuser serverCert.profile
          -rw-rw---- pkiuser pkiuser subsystemCert.profile
          EOF

          diff expected output

      - name: Check CA server status
        run: |
          docker exec pki pki-server status | tee output

          # CA should be a domain manager
          echo "True" > expected
          sed -n 's/^ *SD Manager: *\(.*\)$/\1/p' output > actual
          diff expected actual

      - name: Check webapps
        run: |
          docker exec pki pki-server webapp-find | tee output

          # CA instance should have ROOT, ca, and pki webapps
          echo "ROOT" > expected
          echo "ca" >> expected
          echo "pki" >> expected
          sed -n 's/^ *Webapp ID: *\(.*\)$/\1/p' output > actual
          diff expected actual

          docker exec pki pki-server webapp-show ROOT
          docker exec pki pki-server webapp-show ca
          docker exec pki pki-server webapp-show pki

      - name: Check subsystems
        run: |
          docker exec pki pki-server subsystem-find | tee output

          # CA instance should have CA subsystem
          echo "ca" > expected
          sed -n 's/^ *Subsystem ID: *\(.*\)$/\1/p' output > actual
          diff expected actual

          docker exec pki pki-server subsystem-show ca | tee output

          # CA subsystem should be enabled
          echo "True" > expected
          sed -n 's/^ *Enabled: *\(.*\)$/\1/p' output > actual
          diff expected actual

      - name: Check CA certs and keys
        run: |
          # check certs
          docker exec pki pki-server cert-find

          # check keys
          echo "Secret.123" > password.txt
          docker cp password.txt pki:password.txt
          docker exec pki certutil -K \
              -d /var/lib/pki/pki-tomcat/conf/alias \
              -f password.txt | tee output

          # there should be no orphaned keys
          echo "0" > expected
          grep "(orphan)" output | wc -l > actual
          diff expected actual

      - name: Check CA signing cert
        run: |
          docker exec pki pki-server cert-export ca_signing \
              --cert-file $SHARED/ca_signing.crt
          docker exec pki openssl req -text -noout \
              -in /var/lib/pki/pki-tomcat/conf/certs/ca_signing.csr

          # check CA signing cert extensions
          docker exec pki /usr/share/pki/tests/ca/bin/test-ca-signing-cert-ext.sh \
              $SHARED/ca_signing.crt

      - name: Check CA OCSP signing cert
        run: |
          docker exec pki pki-server cert-export ca_ocsp_signing \
              --cert-file ca_ocsp_signing.crt
          docker exec pki openssl req -text -noout \
              -in /var/lib/pki/pki-tomcat/conf/certs/ca_ocsp_signing.csr
          docker exec pki openssl x509 -text -noout -in ca_ocsp_signing.crt

      - name: Check CA audit signing cert
        run: |
          docker exec pki pki-server cert-export ca_audit_signing \
              --cert-file ca_audit_signing.crt
          docker exec pki openssl req -text -noout \
              -in /var/lib/pki/pki-tomcat/conf/certs/ca_audit_signing.csr
          docker exec pki openssl x509 -text -noout -in ca_audit_signing.crt

      - name: Check subsystem cert
        run: |
          docker exec pki pki-server cert-export subsystem \
              --cert-file subsystem.crt
          docker exec pki openssl req -text -noout \
              -in /var/lib/pki/pki-tomcat/conf/certs/subsystem.csr
          docker exec pki openssl x509 -text -noout -in subsystem.crt

      - name: Check SSL server cert
        run: |
          docker exec pki pki-server cert-export sslserver \
              --cert-file sslserver.crt
          docker exec pki openssl req -text -noout \
              -in /var/lib/pki/pki-tomcat/conf/certs/sslserver.csr
          docker exec pki openssl x509 -text -noout -in sslserver.crt

      - name: Check CA admin cert
        run: |
          docker exec pki openssl x509 -text -noout -in /root/.dogtag/pki-tomcat/ca_admin.cert

      - name: Check CA audit events
        run: |
          docker exec pki pki-server ca-audit-event-find

      - name: Run PKI healthcheck
        run: docker exec pki pki-healthcheck --failures-only

      - name: Update CA configuration
        run: |
          docker exec pki dnf install -y xmlstarlet

          # disable access log buffer
          docker exec pki xmlstarlet edit --inplace \
              -u "//Valve[@className='org.apache.catalina.valves.AccessLogValve']/@buffered" \
              -v "false" \
              -i "//Valve[@className='org.apache.catalina.valves.AccessLogValve' and not(@buffered)]" \
              -t attr \
              -n "buffered" \
              -v "false" \
              /etc/pki/pki-tomcat/server.xml

          # enable CA signed audit log
          docker exec pki pki-server ca-config-set log.instance.SignedAudit.logSigning true

          # restart PKI server
          docker exec pki pki-server restart --wait

      - name: Initialize PKI client
        run: |
          docker exec pki pki nss-cert-import \
              --cert $SHARED/ca_signing.crt \
              --trust CT,C,C \
              ca_signing

      - name: Check pki info with default API
        run: |
          docker exec pki pki info

          # check HTTP methods, paths, protocols, status, and authenticated users
          docker exec pki find /var/log/pki/pki-tomcat \
              -name "localhost_access_log.*" \
              -exec cat {} \; \
              | tail -1 \
              | sed -e 's/^.* .* \(.*\) \[.*\] "\(.*\)" \(.*\) .*$/\2 \3 \1/' \
              | tee output

          cat > expected << EOF
          GET /pki/v1/info HTTP/1.1 200 -
          EOF

          diff expected output

      - name: Check pki info with API v2
        run: |
          docker exec pki pki --api v2 info

          # check HTTP methods, paths, protocols, status, and authenticated users
          docker exec pki find /var/log/pki/pki-tomcat \
              -name "localhost_access_log.*" \
              -exec cat {} \; \
              | tail -1 \
              | sed -e 's/^.* .* \(.*\) \[.*\] "\(.*\)" \(.*\) .*$/\2 \3 \1/' \
              | tee output

          cat > expected << EOF
          GET /pki/v2/info HTTP/1.1 200 -
          EOF

          diff expected output

      - name: Test CA certs
        run: |
          docker exec pki /usr/share/pki/tests/ca/bin/test-ca-signing-cert.sh
          docker exec pki /usr/share/pki/tests/ca/bin/test-subsystem-cert.sh

      - name: Check certs in DS
        run: |
          docker exec ds ldapsearch \
              -H ldap://ds.example.com:3389 \
              -D "cn=Directory Manager" \
              -w Secret.123 \
              -x \
              -b "ou=certificateRepository,ou=ca,dc=ca,dc=pki,dc=example,dc=com" \
              -o ldif_wrap=no \
              -LLL

      - name: Check pki ca-cert-find with default API
        run: |
          docker exec pki pki ca-cert-find | tee output

          # get certs returned
          grep "Serial Number:" output | wc -l > actual

          # there should be 6 certs returned
          echo "6" > expected
          diff expected actual

          # get total certs found
          sed -n "s/^\(\S*\) entries found$/\1/p" output > actual

          # there should be 6 certs found
          echo "6" > expected
          diff expected actual

          # check HTTP methods, paths, protocols, status, and authenticated users
          docker exec pki find /var/log/pki/pki-tomcat \
              -name "localhost_access_log.*" \
              -exec cat {} \; \
              | tail -2 \
              | sed -e 's/^.* .* \(.*\) \[.*\] "\(.*\)" \(.*\) .*$/\2 \3 \1/' \
              | tee output

          cat > expected << EOF
          GET /pki/v1/info HTTP/1.1 200 -
          POST /ca/v1/certs/search HTTP/1.1 200 -
          EOF

          diff expected output

      - name: Check pki ca-cert-find with API v2
        run: |
          docker exec pki pki --api v2 ca-cert-find | tee output

          # get certs returned
          grep "Serial Number:" output | wc -l > actual

          # there should be 6 certs returned
          echo "6" > expected
          diff expected actual

          # get total certs found
          sed -n "s/^\(\S*\) entries found$/\1/p" output > actual

          # there should be no total certs found
          diff /dev/null actual

          # check HTTP methods, paths, protocols, status, and authenticated users
          docker exec pki find /var/log/pki/pki-tomcat \
              -name "localhost_access_log.*" \
              -exec cat {} \; \
              | tail -2 \
              | sed -e 's/^.* .* \(.*\) \[.*\] "\(.*\)" \(.*\) .*$/\2 \3 \1/' \
              | tee output

          cat > expected << EOF
          GET /pki/v2/info HTTP/1.1 200 -
          POST /ca/v2/certs/search HTTP/1.1 200 -
          EOF

          diff expected output

      - name: Check users in DS
        run: |
          docker exec ds ldapsearch \
              -H ldap://ds.example.com:3389 \
              -D "cn=Directory Manager" \
              -w Secret.123 \
              -x \
              -b "ou=people,dc=ca,dc=pki,dc=example,dc=com" \
              -o ldif_wrap=no \
              -LLL

      - name: Check pki ca-user-show with default API
        run: |
          docker exec pki pki pkcs12-import \
              --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
              --pkcs12-password Secret.123

          docker exec pki pki -n caadmin ca-user-show caadmin

          # check HTTP methods, paths, protocols, status, and authenticated users
          docker exec pki find /var/log/pki/pki-tomcat \
              -name "localhost_access_log.*" \
              -exec cat {} \; \
              | tail -4 \
              | sed -e 's/^.* .* \(.*\) \[.*\] "\(.*\)" \(.*\) .*$/\2 \3 \1/' \
              | tee output

          cat > expected << EOF
          GET /pki/v1/info HTTP/1.1 200 -
          GET /ca/v1/account/login HTTP/1.1 200 caadmin
          GET /ca/v1/admin/users/caadmin HTTP/1.1 200 caadmin
          GET /ca/v1/account/logout HTTP/1.1 204 caadmin
          EOF

          diff expected output

      - name: Check pki ca-user-show with API v2
        run: |
          docker exec pki pki -n caadmin --api v2 ca-user-show caadmin

          # check HTTP methods, paths, protocols, status, and authenticated users
          docker exec pki find /var/log/pki/pki-tomcat \
              -name "localhost_access_log.*" \
              -exec cat {} \; \
              | tail -4 \
              | sed -e 's/^.* .* \(.*\) \[.*\] "\(.*\)" \(.*\) .*$/\2 \3 \1/' \
              | tee output

          cat > expected << EOF
          GET /pki/v2/info HTTP/1.1 200 -
          GET /ca/v2/account/login HTTP/1.1 200 caadmin
          GET /ca/v2/admin/users/caadmin HTTP/1.1 200 caadmin
          GET /ca/v2/account/logout HTTP/1.1 204 caadmin
          EOF

          diff expected output

      - name: Check cert requests in DS
        run: |
          docker exec ds ldapsearch \
              -H ldap://ds.example.com:3389 \
              -D "cn=Directory Manager" \
              -w Secret.123 \
              -x \
              -b "ou=requests,dc=ca,dc=pki,dc=example,dc=com" \
              -o ldif_wrap=no \
              -LLL

      - name: Check cert requests in CA
        run: |
          docker exec pki pki -n caadmin ca-cert-request-find

      - name: Test CA auditor
        run: |
          docker exec pki /usr/share/pki/tests/ca/bin/test-ca-auditor-create.sh
          docker exec pki /usr/share/pki/tests/ca/bin/test-ca-auditor-cert.sh
          docker exec pki /usr/share/pki/tests/ca/bin/test-ca-auditor-logs.sh

      - name: Check CA profiles
        run: |
          docker exec pki pki -n caadmin ca-profile-find

          # create custom profile
          docker exec pki pki -n caadmin ca-profile-show caUserCert --output ${SHARED}/profile.xml
          sed -i "s/caUserCert/caCustomUser/g" profile.xml
          docker exec pki pki --debug -n caadmin ca-profile-add ${SHARED}/profile.xml
          docker exec pki pki -n caadmin ca-profile-show caCustomUser

      - name: Remove CA
        run: docker exec pki pkidestroy -s CA -v

      - name: Check PKI server base dir after removal
        run: |
          # check file types, owners, and permissions
          docker exec pki ls -l /var/lib/pki/pki-tomcat \
              | sed \
                  -e '/^total/d' \
                  -e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
              | tee output

          # TODO: review permissions
          cat > expected << EOF
          lrwxrwxrwx pkiuser pkiuser conf -> /etc/pki/pki-tomcat
          lrwxrwxrwx pkiuser pkiuser logs -> /var/log/pki/pki-tomcat
          EOF

          diff expected output

      - name: Check PKI server conf dir after removal
        run: |
          # check file types, owners, and permissions
          docker exec pki ls -l /etc/pki/pki-tomcat \
              | sed \
                  -e '/^total/d' \
                  -e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
              | tee output

          # TODO: review permissions
          cat > expected << EOF
          drwxrwx--- pkiuser pkiuser Catalina
          drwxrwx--- pkiuser pkiuser alias
          drwxrwx--- pkiuser pkiuser ca
          -rw-r--r-- pkiuser pkiuser catalina.policy
          lrwxrwxrwx pkiuser pkiuser catalina.properties -> /usr/share/pki/server/conf/catalina.properties
          drwxrwx--- pkiuser pkiuser certs
          lrwxrwxrwx pkiuser pkiuser context.xml -> /etc/tomcat/context.xml
          lrwxrwxrwx pkiuser pkiuser logging.properties -> /usr/share/pki/server/conf/logging.properties
          -rw-rw---- pkiuser pkiuser password.conf
          -rw-rw---- pkiuser pkiuser server.xml
          -rw-rw---- pkiuser pkiuser serverCertNick.conf
          -rw-rw---- pkiuser pkiuser tomcat.conf
          lrwxrwxrwx pkiuser pkiuser web.xml -> /etc/tomcat/web.xml
          EOF

          diff expected output

      - name: Check PKI server logs dir after removal
        run: |
          # check file types, owners, and permissions
          docker exec pki ls -l /var/log/pki/pki-tomcat \
              | sed \
                  -e '/^total/d' \
                  -e 's/^\(\S*\) *\S* *\(\S*\) *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3 \4/' \
              | tee output

          DATE=$(date +'%Y-%m-%d')

          # TODO: review permissions
          cat > expected << EOF
          drwxr-x--- pkiuser pkiuser backup
          drwxrwx--- pkiuser pkiuser ca
          -rw-rw-r-- pkiuser pkiuser catalina.$DATE.log
          -rw-rw-r-- pkiuser pkiuser host-manager.$DATE.log
          -rw-rw-r-- pkiuser pkiuser localhost.$DATE.log
          -rw-r--r-- pkiuser pkiuser localhost_access_log.$DATE.txt
          -rw-rw-r-- pkiuser pkiuser manager.$DATE.log
          drwxr-xr-x pkiuser pkiuser pki
          EOF

          diff expected output

      - name: Check DS server systemd journal
        if: always()
        run: |
          docker exec ds journalctl -x --no-pager -u dirsrv@localhost.service

      - name: Check DS container logs
        if: always()
        run: |
          docker logs ds

      - name: Check PKI server systemd journal
        if: always()
        run: |
          docker exec pki journalctl -x --no-pager -u pki-tomcatd@pki-tomcat.service

      - name: Check PKI server access log
        if: always()
        run: |
          docker exec pki find /var/log/pki/pki-tomcat -name "localhost_access_log.*" -exec cat {} \;

      - name: Check CA debug log
        if: always()
        run: |
          docker exec pki find /var/lib/pki/pki-tomcat/logs/ca -name "debug.*" -exec cat {} \;