From 154b694bf104c51eee8260ec66a5e22f0734f929 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Thu, 27 Apr 2023 15:12:23 -0500
Subject: [PATCH] Add test for CA admin user

A new test has been added to validate removing and restoring the admin cert.

---
 .github/workflows/ca-admin-user-test.yml | 142 +++++++++++++++++++++++
 .github/workflows/ca-tests.yml | 7 ++
 2 files changed, 149 insertions(+)
 create mode 100644 .github/workflows/ca-admin-user-test.yml

diff --git a/.github/workflows/ca-admin-user-test.yml b/.github/workflows/ca-admin-user-test.yml
new file mode 100644
index 00000000000..a7894f19074
--- /dev/null
+++ b/.github/workflows/ca-admin-user-test.yml
@@ -0,0 +1,142 @@
+name: CA admin user
+
+on:
+ workflow_call:
+ inputs:
+ db-image:
+ required: false
+ type: string
+
+jobs:
+ test:
+ name: Test
+ runs-on: ubuntu-latest
+ env:
+ SHARED: /tmp/workdir/pki
+ steps:
+ - name: Clone repository
+ uses: actions/checkout@v3
+
+ - name: Retrieve PKI images
+ uses: actions/cache@v3
+ with:
+ key: pki-images-${{ github.sha }}
+ path: pki-images.tar
+
+ - name: Load PKI images
+ run: docker load --input pki-images.tar
+
+ - name: Create network
+ run: docker network create example
+
+ - name: Set up DS container
+ run: |
+ tests/bin/ds-container-create.sh ds
+ env:
+ IMAGE: ${{ inputs.db-image }}
+ HOSTNAME: ds.example.com
+ PASSWORD: Secret.123
+
+ - name: Connect DS container to network
+ run: docker network connect example ds --alias ds.example.com
+
+ - name: Set up PKI container
+ run: |
+ tests/bin/runner-init.sh pki
+ env:
+ HOSTNAME: pki.example.com
+
+ - name: Connect PKI container to network
+ run: docker network connect example pki --alias pki.example.com
+
+ - name: Install CA
+ run: |
+ docker exec pki pkispawn \
+ -f /usr/share/pki/server/examples/installation/ca.cfg \
+ -s CA \
+ -D pki_ds_url=ldap://ds.example.com:3389 \
+ -D pki_cert_id_generator=random \
+ -D pki_request_id_generator=random \
+ -v
+
+ - name: Check CA admin user
+ run: |
+ docker exec pki pki-server ca-user-show caadmin | tee output
+
+ echo "adminType" > expected
+ sed -n 's/^ *Type: *\(.*\)$/\1/p' output > actual
+ diff expected actual
+
+ - name: Check CA admin certs
+ run: |
+ docker exec pki pki-server ca-user-cert-find caadmin | tee output
+
+ sed -n 's/^ *Cert ID: *\(.*\)$/\1/p' output > cert.id
+ CERT_ID=$(cat cert.id)
+ echo "CERT_ID: $CERT_ID"
+
+ - name: Authentication with CA admin cert should work
+ run: |
+ docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
+ docker exec pki pki client-cert-import ca_signing --ca-cert ca_signing.crt
+
+ docker exec pki pki pkcs12-import \
+ --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
+ --pkcs12-password Secret.123
+
+ docker exec pki pki -n caadmin ca-user-find
+
+ - name: Remove CA admin cert
+ run: |
+ CERT_ID=$(cat cert.id)
+ echo "CERT_ID: $CERT_ID"
+
+ docker exec pki pki-server ca-user-cert-del caadmin "$CERT_ID"
+
+ # admin should have no certs
+ docker exec pki pki-server ca-user-cert-find caadmin | tee actual
+ diff /dev/null actual
+
+ - name: Authentication with CA admin cert should not work
+ run: |
+ rc=0
+ docker exec pki pki -n caadmin ca-user-find \
+ > >(tee stdout) 2> >(tee stderr >&2) || true
+
+ echo "PKIException: Unauthorized" > expected
+ diff expected stderr
+
+ - name: Restore CA admin cert
+ run: |
+ CERT_ID=$(cat cert.id)
+ echo "CERT_ID: $CERT_ID"
+
+ docker exec pki pki nss-cert-export caadmin > caadmin.crt
+ cat caadmin.crt | docker exec -i pki pki-server ca-user-cert-add caadmin
+
+ # new admin cert ID should match the original admin cert ID
+ docker exec pki pki-server ca-user-cert-find caadmin | tee output
+ sed -n 's/^ *Cert ID: *\(.*\)$/\1/p' output > actual
+ diff cert.id actual
+
+ - name: Authentication with CA admin cert should work again
+ run: |
+ docker exec pki pki -n caadmin ca-user-find
+
+ - name: Gather artifacts
+ if: always()
+ run: |
+ tests/bin/ds-artifacts-save.sh --output=/tmp/artifacts/pki ds
+ tests/bin/pki-artifacts-save.sh pki
+ continue-on-error: true
+
+ - name: Remove CA
+ run: docker exec pki pkidestroy -i pki-tomcat -s CA -v
+
+ - name: Upload artifacts
+ if: always()
+ uses: actions/upload-artifact@v3
+ with:
+ name: ca-admin-user
+ path: |
+ /tmp/artifacts/pki
diff --git a/.github/workflows/ca-tests.yml b/.github/workflows/ca-tests.yml
index 53332067ac7..ff792ce8c00 100644
--- a/.github/workflows/ca-tests.yml
+++ b/.github/workflows/ca-tests.yml
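Review bot: The "Authentication with CA admin cert should not work" step never asserts that the command actually failed: `rc=0` is assigned but never read, and `|| true` discards the exit status, so the step passes whenever stderr happens to contain the expected text, and because the shell does not wait for the `>(tee …)` process substitutions to finish, the following `diff expected stderr` may also read an incomplete file and pass or fail spuriously. Write the streams to files directly and assert on the status: `docker exec pki pki -n caadmin ca-user-find > stdout 2> stderr || rc=$?` followed by `[ "$rc" -ne 0 ]` before the diff (the `rc=0` line stays so the variable is defined on success). The "Check CA admin certs" and "Remove CA admin cert" steps also assume exactly one `Cert ID:` line; if ca-user-cert-find ever lists more than one, `"$CERT_ID"` becomes a multi-line argument and the later `diff cert.id actual` no longer proves a single cert was restored, so a `test "$(wc -l < cert.id)" -eq 1` guard after writing cert.id would make that assumption explicit.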
@@ -129,6 +129,13 @@ jobs:
 with:
 db-image: ${{ needs.init.outputs.db-image }}
+ ca-admin-user-test:
+ name: CA admin user
+ needs: [init, build]
+ uses: ./.github/workflows/ca-admin-user-test.yml
+ with:
+ db-image: ${{ needs.init.outputs.db-image }}
+
 ca-non-default-user-test:
 name: CA with non-default user
 needs: [init, build]