fix(sdk): Fuzz testing and protocol fixes #760
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "Checks" | |
on: | |
pull_request: | |
branches: | |
- main | |
push: | |
branches: | |
- main | |
merge_group: | |
branches: | |
- main | |
types: | |
- checks_requested | |
permissions: | |
contents: read | |
jobs: | |
pr: | |
name: Validate PR title | |
if: contains(fromJSON('["pull_request", "pull_request_target"]'), github.event_name) | |
runs-on: ubuntu-22.04 | |
permissions: | |
pull-requests: read | |
steps: | |
- uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
mavenverify: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
- uses: bufbuild/buf-setup-action@2211e06e8cf26d628cda2eea15c95f8c42b080b3 | |
with: | |
github_token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Set up JDK | |
uses: actions/setup-java@5896cecc08fd8a1fbdfaf517e29b571164b031f7 | |
with: | |
java-version: "11" | |
distribution: "adopt" | |
server-id: github | |
- name: Maven Verify | |
run: mvn --batch-mode verify | |
env: | |
BUF_INPUT_HTTPS_USERNAME: opentdf-bot | |
BUF_INPUT_HTTPS_PASSWORD: ${{ secrets.PERSONAL_ACCESS_TOKEN_OPENTDF }} | |
sonarcloud: | |
name: SonarCloud Scan | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Check out repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
with: | |
fetch-depth: 0 | |
- uses: bufbuild/buf-setup-action@2211e06e8cf26d628cda2eea15c95f8c42b080b3 | |
with: | |
github_token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Set up JDK | |
uses: actions/setup-java@5896cecc08fd8a1fbdfaf517e29b571164b031f7 | |
with: | |
java-version: "17" | |
distribution: "temurin" | |
server-id: github | |
- name: Cache SonarCloud packages | |
uses: actions/cache@v4 | |
with: | |
path: ~/.sonar/cache | |
key: ${{ runner.os }}-sonar | |
restore-keys: ${{ runner.os }}-sonar | |
- name: Cache Maven packages | |
uses: actions/cache@v4 | |
with: | |
path: ~/.m2 | |
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} | |
restore-keys: ${{ runner.os }}-m2 | |
- name: Maven Test Coverage | |
env: | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
BUF_INPUT_HTTPS_USERNAME: opentdf-bot | |
BUF_INPUT_HTTPS_PASSWORD: ${{ secrets.PERSONAL_ACCESS_TOKEN_OPENTDF }} | |
run: mvn --batch-mode clean verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=opentdf_java-sdk -P coverage | |
platform-integration: | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout Java SDK | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
- uses: bufbuild/buf-setup-action@2211e06e8cf26d628cda2eea15c95f8c42b080b3 | |
with: | |
github_token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Set up JDK | |
uses: actions/setup-java@5896cecc08fd8a1fbdfaf517e29b571164b031f7 | |
with: | |
java-version: "11" | |
distribution: "adopt" | |
server-id: github | |
- name: Build java SDK | |
run: | | |
mvn --batch-mode clean install -DskipTests | |
env: | |
BUF_INPUT_HTTPS_USERNAME: opentdf-bot | |
BUF_INPUT_HTTPS_PASSWORD: ${{ secrets.PERSONAL_ACCESS_TOKEN_OPENTDF }} | |
- name: Check out platform | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
with: | |
repository: opentdf/platform | |
ref: main | |
path: platform | |
- name: Set up go | |
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 | |
with: | |
go-version: "1.22.3" | |
check-latest: false | |
cache-dependency-path: | | |
platform/service/go.sum | |
platform/examples/go.sum | |
platform/protocol/go/go.sum | |
platform/sdk/go.sum | |
- run: go mod download | |
working-directory: platform | |
- run: go mod verify | |
working-directory: platform | |
- name: Create keys | |
run: | | |
.github/scripts/init-temp-keys.sh | |
cp opentdf-dev.yaml opentdf.yaml | |
sudo chmod -R 777 ./keys | |
working-directory: platform | |
- name: Trust the locally issued cert | |
run: | | |
keytool \ | |
-importcert \ | |
-storepass changeit \ | |
-noprompt \ | |
-file localhost.crt \ | |
-keystore $JAVA_HOME/lib/security/cacerts \ | |
-alias localhost-for-tests | |
working-directory: platform/keys | |
- name: Bring the services up | |
run: docker compose up -d --wait --wait-timeout 240 | |
working-directory: platform | |
- name: Provision keycloak | |
run: go run ./service provision keycloak | |
working-directory: platform | |
- name: Provision fixtures | |
run: go run ./service provision fixtures | |
working-directory: platform | |
- name: Start server in background | |
uses: JarvusInnovations/background-action@2428e7b970a846423095c79d43f759abf979a635 | |
with: | |
run: | | |
go run ./service start | |
wait-on: | | |
tcp:localhost:8080 | |
log-output-if: true | |
wait-for: 90s | |
working-directory: platform | |
- name: Get grpcurl | |
run: go install github.com/fullstorydev/grpcurl/cmd/grpcurl@v1.8.9 | |
- name: Make sure that the platform is up | |
run: | | |
grpcurl -plaintext localhost:8080 list && \ | |
grpcurl -plaintext localhost:8080 kas.AccessService/PublicKey | |
- name: Validate the SDK through the command line interface | |
run: | | |
printf 'here is some data to encrypt' > data | |
java -jar target/cmdline.jar \ | |
--client-id=opentdf-sdk \ | |
--client-secret=secret \ | |
--platform-endpoint=localhost:8080 \ | |
-h\ | |
encrypt --kas-url=localhost:8080 --mime-type=text/plain --attr https://example.com/attr/attr1/value/value1 --autoconfigure=false -f data -m 'here is some metadata' > test.tdf | |
java -jar target/cmdline.jar \ | |
--client-id=opentdf-sdk \ | |
--client-secret=secret \ | |
--platform-endpoint=localhost:8080 \ | |
-h\ | |
decrypt -f test.tdf > decrypted | |
java -jar target/cmdline.jar \ | |
--client-id=opentdf-sdk \ | |
--client-secret=secret \ | |
--platform-endpoint=localhost:8080 \ | |
-h\ | |
metadata -f test.tdf > metadata | |
if ! diff -q data decrypted; then | |
printf 'decrypted data is incorrect [%s]' "$(< decrypted)" | |
exit 1 | |
fi | |
if [ "$(< metadata)" != 'here is some metadata' ]; then | |
printf 'metadata is incorrect [%s]\n' "$(< metadata)" | |
exit 1 | |
fi | |
working-directory: cmdline | |
- name: Encrypt/Decrypt NanoTDF | |
run: | | |
echo 'here is some data to encrypt' > data | |
java -jar target/cmdline.jar \ | |
--client-id=opentdf-sdk \ | |
--client-secret=secret \ | |
--platform-endpoint=localhost:8080 \ | |
-h\ | |
encryptnano --kas-url=http://localhost:8080 --attr https://example.com/attr/attr1/value/value1 -f data -m 'here is some metadata' > nano.ntdf | |
java -jar target/cmdline.jar \ | |
--client-id=opentdf-sdk \ | |
--client-secret=secret \ | |
--platform-endpoint=localhost:8080 \ | |
-h\ | |
decryptnano -f nano.ntdf > decrypted | |
if ! diff -q data decrypted; then | |
printf 'decrypted data is incorrect [%s]' "$(< decrypted)" | |
exit 1 | |
fi | |
working-directory: cmdline | |
- uses: JarvusInnovations/background-action@2428e7b970a846423095c79d43f759abf979a635 | |
name: start another KAS server in background | |
with: | |
run: > | |
<opentdf.yaml >opentdf-beta.yaml yq e ' | |
(.server.port = 8282) | |
| (.mode = ["kas"]) | |
| (.sdk_config = {"endpoint":"http://localhost:8080","plaintext":true,"client_id":"opentdf","client_secret":"secret"}) | |
' | |
&& go run ./service --config-file ./opentdf-beta.yaml start | |
wait-on: | | |
tcp:localhost:8282 | |
log-output-if: true | |
wait-for: 90s | |
working-directory: platform | |
- name: Make sure that the second platform is up | |
run: | | |
grpcurl -plaintext localhost:8282 kas.AccessService/PublicKey | |
- name: Validate multikas through the command line interface | |
run: | | |
printf 'here is some data to encrypt' > data | |
java -jar target/cmdline.jar \ | |
--client-id=opentdf-sdk \ | |
--client-secret=secret \ | |
--platform-endpoint=localhost:8080 \ | |
-h\ | |
encrypt --kas-url=localhost:8080,localhost:8282 -f data -m 'here is some metadata' > test.tdf | |
java -jar target/cmdline.jar \ | |
--client-id=opentdf-sdk \ | |
--client-secret=secret \ | |
--platform-endpoint=localhost:8080 \ | |
-h\ | |
decrypt -f test.tdf > decrypted | |
java -jar target/cmdline.jar \ | |
--client-id=opentdf-sdk \ | |
--client-secret=secret \ | |
--platform-endpoint=localhost:8080 \ | |
-h\ | |
metadata -f test.tdf > metadata | |
if ! diff -q data decrypted; then | |
printf 'decrypted data is incorrect [%s]' "$(< decrypted)" | |
exit 1 | |
fi | |
if [ "$(< metadata)" != 'here is some metadata' ]; then | |
printf 'metadata is incorrect [%s]\n' "$(< metadata)" | |
exit 1 | |
fi | |
working-directory: cmdline | |
platform-xtest: | |
permissions: | |
contents: read | |
packages: read | |
needs: platform-integration | |
uses: opentdf/tests/.github/workflows/xtest.yml@main | |
with: | |
java-ref: ${{ github.ref }} | |
ci: | |
needs: | |
- platform-integration | |
- platform-xtest | |
- mavenverify | |
- sonarcloud | |
- pr | |
runs-on: ubuntu-latest | |
if: always() | |
steps: | |
- if: contains(needs.*.result, 'failure') | |
run: echo "Failed due to ${{ contains(needs.*.result, 'failure') }}" && exit 1 |