.github/workflows/acme-container-test.yml

name: ACME container

on: workflow_call

env:
  DS_IMAGE: ${{ vars.DS_IMAGE || 'quay.io/389ds/dirsrv' }}

jobs:
  # docs/installation/podman/Deploying_PKI_ACME_Responder_on_Podman.md
  test:
    name: Test
    runs-on: ubuntu-latest
    env:
      SHARED: /tmp/workdir/pki
    steps:
      - name: Install dependencies
        run: |
          sudo apt-get update

          # Currently certbot fails to run inside podman.
          # TODO: Replace docker with podman when the issue is resolved.
          # sudo apt-get -y purge --auto-remove docker-ce-cli
          # sudo apt-get -y install podman-docker

      - name: Clone repository
        uses: actions/checkout@v4

      - name: Retrieve ACME images
        uses: actions/cache@v4
        with:
          key: acme-images-${{ github.sha }}
          path: acme-images.tar

      - name: Load ACME images
        run: docker load --input acme-images.tar

      - name: Create network
        run: docker network create example

      - name: Set up client container
        run: |
          tests/bin/runner-init.sh \
              --hostname=client.example.com \
              --network=example \
              client

      - name: Install dependencies in client container
        run: docker exec client dnf install -y certbot

      - name: Create shared folders
        run: |
          mkdir certs
          mkdir metadata
          mkdir database
          mkdir issuer
          mkdir realm
          mkdir conf
          mkdir logs

      - name: Set up ACME container
        run: |
          docker run \
              --name acme \
              --hostname acme.example.com \
              --network example \
              --network-alias acme.example.com \
              -v $PWD/certs:/certs \
              -v $PWD/metadata:/metadata \
              -v $PWD/database:/database \
              -v $PWD/issuer:/issuer \
              -v $PWD/realm:/realm \
              -v $PWD/conf:/conf \
              -v $PWD/logs:/logs \
              --detach \
              pki-acme

          # wait for ACME to start
          docker exec client curl \
              --retry 60 \
              --retry-delay 0 \
              --retry-connrefused \
              -s \
              -k \
              -o /dev/null \
              http://acme.example.com:8080/acme/directory

      - name: Check conf dir
        if: always()
        run: |
          ls -l conf \
              | sed \
                  -e '/^total/d' \
                  -e 's/^\(\S*\) *\S* *\S* *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3/' \
              | tee output

          # everything should be owned by root group (GID=0)
          # TODO: review owners/permissions
          cat > expected << EOF
          drwxrwxrwx root Catalina
          drwxrwxrwx root acme
          drwxrwxrwx root alias
          -rw-rw-rw- root catalina.policy
          lrwxrwxrwx root catalina.properties -> /usr/share/pki/server/conf/catalina.properties
          drwxrwxrwx root certs
          lrwxrwxrwx root context.xml -> /etc/tomcat/context.xml
          -rw-rw-rw- root jss.conf
          lrwxrwxrwx root logging.properties -> /usr/share/pki/server/conf/logging.properties
          -rw-rw-rw- root password.conf
          -rw-rw-rw- root server.xml
          -rw-rw-rw- root tomcat.conf
          lrwxrwxrwx root web.xml -> /etc/tomcat/web.xml
          EOF

          diff expected output

      - name: Check conf/acme dir
        if: always()
        run: |
          ls -l conf/acme \
              | sed \
                  -e '/^total/d' \
                  -e 's/^\(\S*\) *\S* *\S* *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3/' \
              | tee output

          # everything should be owned by root group (GID=0)
          # TODO: review owners/permissions
          cat > expected << EOF
          -rw-rw-rw- root database.conf
          -rw-rw-rw- root issuer.conf
          -rw-rw-rw- root realm.conf
          EOF

          diff expected output

      - name: Check logs dir
        if: always()
        run: |
          ls -l logs \
              | sed \
                  -e '/^total/d' \
                  -e 's/^\(\S*\) *\S* *\S* *\(\S*\) *\S* *\S* *\S* *\S* *\(.*\)$/\1 \2 \3/' \
              | tee output

          DATE=$(date +'%Y-%m-%d')

          # everything should be owned by root group (GID=0)
          # TODO: review owners/permissions
          cat > expected << EOF
          drwxrwx--- root backup
          -rw-rw-rw- root catalina.$DATE.log
          -rw-rw-rw- root host-manager.$DATE.log
          -rw-rw-rw- root localhost.$DATE.log
          -rw-rw-rw- root localhost_access_log.$DATE.txt
          -rw-rw-rw- root manager.$DATE.log
          drwxrwxrwx root pki
          EOF

          diff expected output

      - name: Install CA signing cert
        run: |
          docker exec acme pki \
              -d /conf/alias \
              -f /conf/password.conf \
              nss-cert-export \
              --output-file /conf/certs/ca_signing.crt \
              ca_signing

          docker exec client pki nss-cert-import \
              --cert $SHARED/conf/certs/ca_signing.crt \
              --trust CT,C,C \
              ca_signing

      - name: Check ACME status
        run: |
          docker exec client pki \
              -U https://acme.example.com:8443 \
              acme-info

      - name: Register ACME account
        run: |
          docker exec client certbot register \
              --server http://acme.example.com:8080/acme/directory \
              --email user1@example.com \
              --agree-tos \
              --non-interactive

      - name: Enroll client cert
        run: |
          docker exec client certbot certonly \
              --server http://acme.example.com:8080/acme/directory \
              -d client.example.com \
              --key-type rsa \
              --standalone \
              --non-interactive

      - name: Check client cert
        run: |
          docker exec client openssl x509 \
              -text \
              -noout \
              -in /etc/letsencrypt/live/client.example.com/fullchain.pem

      - name: Renew client cert
        run: |
          docker exec client certbot renew \
              --server http://acme.example.com:8080/acme/directory \
              --cert-name client.example.com \
              --force-renewal \
              --no-random-sleep-on-renew \
              --non-interactive

      # - name: Revoke client cert
      #   run: |
      #     By default the pki-acme container uses NSS issuer (instead of
      #     PKI issuer) which does not support cert revocation, so the
      #     revocation test is disabled.
      #
      #     docker exec client certbot revoke \
      #         --server http://acme.example.com:8080/acme/directory \
      #         --cert-name client.example.com \
      #         --non-interactive

      - name: Update ACME account
        run: |
          docker exec client certbot update_account \
              --server http://acme.example.com:8080/acme/directory \
              --email user2@example.com \
              --non-interactive

      - name: Remove ACME account
        run: |
          docker exec client certbot unregister \
              --server http://acme.example.com:8080/acme/directory \
              --non-interactive

      - name: Restart ACME
        run: |
          docker restart acme
          sleep 5

          # wait for ACME to restart
          docker exec client curl \
              --retry 60 \
              --retry-delay 0 \
              --retry-connrefused \
              -s \
              -k \
              -o /dev/null \
              http://acme.example.com:8080/acme/directory

      - name: Check ACME status again
        run: |
          docker exec client pki \
              -U https://acme.example.com:8443 \
              acme-info

      - name: Check ACME container logs
        if: always()
        run: |
          docker logs acme 2>&1

      - name: Check certbot logs
        if: always()
        run: |
          docker exec client cat /var/log/letsencrypt/letsencrypt.log

      - name: Check client container logs
        if: always()
        run: |
          docker logs client 2>&1

      - name: Gather artifacts
        if: always()
        run: |
          mkdir -p /tmp/artifacts/acme
          cp -r certs /tmp/artifacts/acme
          cp -r metadata /tmp/artifacts/acme
          cp -r database /tmp/artifacts/acme
          cp -r issuer /tmp/artifacts/acme
          cp -r realm /tmp/artifacts/acme
          cp -r conf /tmp/artifacts/acme
          cp -r logs /tmp/artifacts/acme

          docker logs acme > /tmp/artifacts/acme/container.out 2> /tmp/artifacts/acme/container.err

          docker exec client ls -la /etc/letsencrypt/live
          mkdir -p /tmp/artifacts/client/etc/letsencrypt
          docker cp client:/etc/letsencrypt/live /tmp/artifacts/client/etc/letsencrypt

          docker exec client ls -la /var/log/letsencrypt
          mkdir -p /tmp/artifacts/client/var/log/letsencrypt
          docker cp client:/var/log/letsencrypt/letsencrypt.log /tmp/artifacts/client/var/log/letsencrypt
        continue-on-error: true

      - name: Upload artifacts
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: acme-container
          path: /tmp/artifacts