---

on: push

jobs:

  test:
    runs-on: docker
    steps:
      - uses: https://code.forgejo.org/actions/checkout@v4
      - name: Run unit tests
        run: |
          apt update; apt install -y python3-pip
          pip3 install --break-system-packages -e .[test]
          python3 -m coverage run --rcfile=setup.cfg -m unittest discover easywks
          python3 -m coverage combine
          python3 -m coverage report --rcfile=setup.cfg

  codestyle:
    runs-on: docker
    steps:
      - uses: https://code.forgejo.org/actions/checkout@v4
      - name: pycodestyle
        run: |
          apt update; apt install -y python3-pip
          pip3 install --break-system-packages -e .[test]
          pycodestyle easywks

  easywksserver_gpgwksclient:
    runs-on: docker
    steps:
      - uses: https://code.forgejo.org/actions/checkout@v4
      - name: Integration Test against gpg-wks-client
        run: |
          apt update; apt install --yes gnupg2 socat ca-certificates python3-pip
          echo "openpgpkey" > /etc/hostname
          echo "127.0.0.1 openpgpkey.example.org openpgpkey example.org" > /etc/hosts
          pip3 install --break-system-packages -e .[test]
          openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/key.pem -out /etc/ssl/cert.pem -sha256 -days 365 -nodes -subj '/CN=openpgpkey.example.org'
          cp /etc/ssl/cert.pem /usr/local/share/ca-certificates/local.crt
          update-ca-certificates
          mkdir -p /tmp/easywks
          cat > /tmp/easywks.yml <<EOF
          directory: /tmp/easywks
          httpd:
            host: 127.0.0.1
            port: 8080
          mailing_method: stdout
          domains:
            example.org:
              submission_address: webkey@example.org
              policy_flags:
                me.s3lph.easywks_permit-unsigned-response: true  # required for gpg-wks-client compat
          EOF
          easywks --config /tmp/easywks.yml init
          easywks --config /tmp/easywks.yml webserver &
          socat OPENSSL-LISTEN:443,fork,reuseaddr,verify=0,cert=/etc/ssl/cert.pem,key=/etc/ssl/key.pem TCP:127.0.0.1:8080 &
          sleep 3
          install -m 0700 -d /tmp/gpg /tmp/cleangpg
          export GNUPGHOME=/tmp/gpg
          test/genkey.sh alice@example.org
          export FINGERPRINT="$(gpg --with-colons --fingerprint alice@example.org | grep -A1 ^pub | grep ^fpr | cut -d: -f10)"
          /usr/lib/gnupg/gpg-wks-client --supported alice@example.org
          /usr/lib/gnupg/gpg-wks-client --check webkey@example.org
          PUBREQ="$(/usr/lib/gnupg/gpg-wks-client --create "${FINGERPRINT}" alice@example.org)"
          CONFREQ="$(echo "${PUBREQ}" | easywks --config /tmp/easywks.yml process)"
          CONFRESP="$(echo "${CONFREQ}" | /usr/lib/gnupg/gpg-wks-client --receive --verbose)"
          PUBRESP="$(echo "${CONFRESP}" | easywks --config /tmp/easywks.yml process)"
          echo "${PUBRESP}" | gpg --batch --decrypt
          /usr/lib/gnupg/gpg-wks-client --check alice@example.org
          export GNUPGHOME=/tmp/gpg
          gpg --auto-key-locate=clear,wkd,nodefault --locate-keys alice@example.org
          kill %2 || true
          kill %1 || true

  easywksserver_easywksclient:
    runs-on: docker
    steps:
      - uses: https://code.forgejo.org/actions/checkout@v4
      - name: Integration Test against easywks-client
        run: |
          # General system setup
          useradd -d /home/alice -m alice
          useradd -d /home/webkey -m webkey
          echo alice:supersecurepassword | chpasswd
          echo "postfix postfix/mailname string example.org" | debconf-set-selections
          echo "postfix postfix/main_mailer_type string 'Local only'" | debconf-set-selections
          apt update; apt install --yes gnupg2 ca-certificates python3-pip apache2 dovecot-imapd postfix expect
          echo "openpgpkey" > /etc/hostname
          echo "127.0.0.1 openpgpkey.example.org openpgpkey example.org" > /etc/hosts
          pip3 install --break-system-packages -e .[test]
          openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/key.pem -out /etc/ssl/cert.pem -sha256 -days 365 -nodes -subj '/CN=openpgpkey.example.org' -addext 'subjectAltName=DNS:openpgpkey.example.org,DNS:example.org'
          cp /etc/ssl/cert.pem /usr/local/share/ca-certificates/local.crt
          update-ca-certificates
          # Setup Apache
          a2enmod ssl proxy_http rewrite
          rm /etc/apache2/sites-enabled/000-default.conf
          cp test/apache.conf /etc/apache2/sites-enabled/easywks.conf
          apache2ctl start
          mkdir -p /var/www/html/.well-known/autoconfig/mail/
          cp test/config-v1.1.xml /var/www/html/.well-known/autoconfig/mail/config-v1.1.xml
          # Setup Dovecot
          cp test/dovecot.conf /etc/dovecot/conf.d/99-local.conf
          dovecot -F &
          # Setup Postfix
          /usr/lib/postfix/configure-instance.sh -
          cp test/transport /etc/postfix/transport
          postmap /etc/postfix/transport
          postconf smtpd_tls_cert_file=/etc/ssl/cert.pem
          postconf smtpd_tls_key_file=/etc/ssl/key.pem
          postconf transport_maps=hash:/etc/postfix/transport
          postconf smtpd_sasl_type=dovecot
          postconf smtpd_sasl_path=private/auth
          postconf smtpd_sasl_auth_enable=yes
          /usr/sbin/postmulti -i - -p start
          # Setup EasyWKS
          mkdir -p /tmp/easywks
          cp test/easywks.yml /tmp/easywks.yml
          easywks --config /tmp/easywks.yml init
          easywks --config /tmp/easywks.yml webserver &
          easywks --config /tmp/easywks.yml lmtpd &
          sleep 3
          # Run the test
          install -m 0700 -d /tmp/gpg /tmp/cleangpg
          export GNUPGHOME=/tmp/gpg
          test/genkey.sh alice@example.org
          export FINGERPRINT="$(gpg --with-colons --fingerprint alice@example.org | grep -A1 ^pub | grep ^fpr | cut -d: -f10)"
          test/expect
          gpg --auto-key-locate=clear,wkd,nodefault --locate-keys alice@example.org
          # Teardown
          apache2ctl stop
          doveadm stop
          /usr/sbin/postmulti -i - -p stop
          kill %1 || true
          kill %2 || true
          sleep 5  # wait for daemons to terminate