build_and_test.yml
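# Builds yubihsm-shell on several OS/compiler combinations. On the matrix
# entries marked `test: true` it also runs the test suites against a connector
# URL obtained from a dispatcher, reached through a local ghostunnel listener
# that authenticates with a client certificate decrypted from the repository.
name: Build and Test

# secrets.TLSKEY is not available to runs triggered by pull requests from
# forks, so the Prep step cannot decrypt the client certificate there.
on: [push, pull_request]

# Least privilege for GITHUB_TOKEN: no step below writes to the repository.
permissions:
  contents: read

jobs:
  build:
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: ubuntu-22.04
            cc: gcc-11
            libext: so
            test: true
          - os: ubuntu-22.04
            cc: clang-14
            libext: so
            test: false
          - os: ubuntu-20.04
            cc: gcc-10
            libext: so
            test: false
          - os: ubuntu-20.04
            cc: clang-10
            libext: so
            test: true
          - os: macos-latest
            cc: clang
            libext: dylib
            test: false
    steps:
      # NOTE(review): a mutable tag of an old major version. Pin to the
      # full-length commit SHA of a maintained release once the checkout
      # behaviour this build relies on has been confirmed.
      - uses: actions/checkout@v1

      - name: Dependencies
        env:
          CC: ${{ matrix.cc }}
          OS: ${{ matrix.os }}
        run: |
          if [ "$OS" = "macos-latest" ]; then
            # no update - no upgrade
            brew install gengetopt help2man libedit
          else
            sudo apt -q update
            sudo apt install -q -y cmake gengetopt help2man lcov \
              libcurl4-openssl-dev libedit-dev libengine-pkcs11-openssl \
              libpcsclite-dev libusb-1.0-0-dev opensc python3-pip \
              python3-setuptools pkg-config swig libssl-dev libffi-dev
            if [ "${CC%-*}" == "clang" ]; then
              # e.g. clang-14 -> clang-tools-14
              sudo apt install -q -y "${CC%-*}-tools-${CC#clang-}"
            else
              sudo apt install -q -y "${CC}"
            fi
            dpkg -l | grep libssl
          fi

      - name: Prep
        if: ${{ matrix.test }}
        env:
          tlspwd: ${{ secrets.TLSKEY }}
        run: |
          # NOTE(review): these repositories are cloned at their default-branch
          # HEAD and their code is built and run later in this job, while the
          # decrypted client certificate and the connector are reachable.
          # Check out a reviewed commit instead of a moving branch.
          git clone https://github.com/YubicoLabs/python-pkcs11tester.git /tmp/python-pkcs11tester
          git clone https://github.com/YubicoLabs/pkcs11test.git /tmp/pkcs11test
          git clone https://github.com/YubicoLabs/yubihsm_sunpkcs11_tests.git /tmp/yubihsm_sunpkcs11_tests
          pushd /tmp/pkcs11test
          make
          echo "PKCS11TEST_PATH=/tmp/pkcs11test" >> "$GITHUB_ENV"
          popd
          # NOTE(review): this binary is made executable and handed the client
          # key without an integrity check. Compare it with a SHA-256 value
          # recorded in this repository before the chmod.
          wget -q "https://github.com/square/ghostunnel/releases/download/v1.3.1/ghostunnel-v1.3.1-$(uname -s | tr '[:upper:]' '[:lower:]')-amd64-with-pkcs11" -O /tmp/ghostunnel
          chmod +x /tmp/ghostunnel
          # The passphrase is read from the environment so it does not appear
          # in the process argument list; umask keeps the decrypted key
          # readable by the runner user only.
          # NOTE(review): without -pbkdf2 the key is derived with a single
          # digest pass; switching requires re-encrypting the .enc file.
          (
            umask 077
            openssl aes-256-cbc -pass env:tlspwd -md sha256 -in ./.ci/client-combined.pem.enc -out ./.ci/client-combined.pem -d
          )
          /tmp/ghostunnel client --listen localhost:12345 --target hsm-connector01.sthlm.in.yubico.org:8443 --keystore ./.ci/client-combined.pem --cacert ./.ci/server-crt.pem &
          sleep 3
          DEFAULT_CONNECTOR_URL=$(curl -s http://localhost:12345/dispatcher/request)
          if [ -z "$DEFAULT_CONNECTOR_URL" ]; then
            echo "Unable to obtain a connector URL, aborting"
            exit 1
          fi
          # The value is a remote response that is appended to $GITHUB_ENV.
          # An embedded newline would define extra environment variables for
          # every later step, so anything with whitespace or control
          # characters is rejected.
          if [[ "$DEFAULT_CONNECTOR_URL" =~ [[:space:][:cntrl:]] ]]; then
            echo "Connector URL contains unexpected characters, aborting"
            exit 1
          fi
          echo "$DEFAULT_CONNECTOR_URL"
          echo "DEFAULT_CONNECTOR_URL=$DEFAULT_CONNECTOR_URL" >> "$GITHUB_ENV"

      - name: Build
        env:
          CC: ${{ matrix.cc }}
          LIBEXT: ${{ matrix.libext }}
        run: |
          # NOTE(review): the page showed this path segment as an obfuscated
          # e-mail placeholder; restored as Homebrew's openssl@1.1 - confirm
          # against the repository. The previous value is appended only when
          # set; the original appended the literal text PKG_CONFIG_PATH.
          export PKG_CONFIG_PATH="/usr/local/opt/openssl@1.1/lib/pkgconfig${PKG_CONFIG_PATH:+:$PKG_CONFIG_PATH}"
          # DEFAULT_CONNECTOR_URL is empty on matrix entries that skip Prep.
          cmake -Bbuild -H. -DDEFAULT_CONNECTOR_URL="$DEFAULT_CONNECTOR_URL"
          cmake --build build -- --jobs=2
          test -e ./build/src/yubihsm-shell
          test -e "./build/lib/libyubihsm.$LIBEXT"
          test -e "./build/pkcs11/yubihsm_pkcs11.$LIBEXT"
          test -e ./build/yhwrap/yubihsm-wrap

      - name: Test
        if: ${{ matrix.test }}
        env:
          OS: ${{ matrix.os }}
        run: |
          pushd build
          # NOTE(review): issues a reset with a fixed password against the
          # leased connector; presumably a dedicated test device - confirm.
          ./src/yubihsm-shell --connector "$DEFAULT_CONNECTOR_URL" -p password -a reset
          sleep 3
          if [ "$OS" = "ubuntu-20.04" ]; then
            # on 20.04 we skip the engine tests (for now) since it ships with a broken curl version
            ctest --output-on-failure -E engine
          else
            ctest --output-on-failure
          fi
          popd
          echo "connector=$DEFAULT_CONNECTOR_URL"
          curl "$DEFAULT_CONNECTOR_URL/connector/status"
          pushd resources/tests/bash
          ./cmdline_test.sh "$GITHUB_WORKSPACE/build/src/yubihsm-shell" "$DEFAULT_CONNECTOR_URL"
          popd

      - name: Python PKCS11 Test
        if: ${{ matrix.test }}
        env:
          LIBEXT: ${{ matrix.libext }}
          OS: ${{ matrix.os }}
        run: |
          export YUBIHSM_PKCS11_MODULE="$(pwd)/build/pkcs11/yubihsm_pkcs11.$LIBEXT"
          pushd /tmp/python-pkcs11tester
          echo "connector=$DEFAULT_CONNECTOR_URL" >yubihsm_pkcs11.conf
          if [ "$OS" = "macos-latest" ]; then
            export PATH="$(brew --prefix python3)/bin:$PATH"
          fi
          pip3 install --upgrade pip==20.3.4
          # NOTE(review): unpinned packages installed from the index at run
          # time; consider exact versions with hashes.
          python3 -m pip install 'pykcs11' 'cryptography>=1.4.0'
          python3 setup.py test
          popd

      - name: SunPKCS11 Test
        if: ${{ matrix.test }}
        env:
          LIBEXT: ${{ matrix.libext }}
          OS: ${{ matrix.os }}
        run: |
          if [ "$OS" != "ubuntu-20.04" ]; then
            export YUBIHSM_PKCS11_MODULE="$(pwd)/build/pkcs11/yubihsm_pkcs11.$LIBEXT"
            echo "connector=$DEFAULT_CONNECTOR_URL" >yubihsm_pkcs11.conf
            export YUBIHSM_PKCS11_CONF="$(pwd)/yubihsm_pkcs11.conf"
            pushd /tmp/yubihsm_sunpkcs11_tests
            pushd src/main/resources
            ./test_setup.sh "$GITHUB_WORKSPACE/build/src/yubihsm-shell" "$DEFAULT_CONNECTOR_URL"
            popd
            pwd
            ./gradlew build
            ./gradlew runMain "-Pargs=$YUBIHSM_PKCS11_MODULE"
            popd
          fi

      - name: Cleanup
        if: ${{ always() }}
        run: |
          # Remove the decrypted client key whether or not the release call
          # below succeeds.
          trap 'rm -f ./.ci/client-combined.pem' EXIT
          if [ -n "$DEFAULT_CONNECTOR_URL" ]; then
            # Quoted so the shell does not treat '?' as a glob character.
            curl -s "http://localhost:12345/dispatcher/release?connector=$DEFAULT_CONNECTOR_URL"
          fi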