.github/workflows/conformance.yml

name: Conformance Checks

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '55 11 * * 1'
  workflow_dispatch:

jobs:
  build:
    if: ${{ github.repository == 'panva/node-oidc-provider' || github.event_name == 'workflow_dispatch' }}
    uses: panva/.github/.github/workflows/build-conformance-suite.yml@main

  run:
    runs-on: ubuntu-latest
    needs:
      - build
    env:
      SUITE_BASE_URL: https://localhost.emobix.co.uk:8443
      SETUP: ${{ toJSON(matrix.setup) }}
    continue-on-error: ${{ startsWith(matrix.setup.plan, 'fapi2') }}
    strategy:
      fail-fast: false
      matrix:
        setup:
          # OP Basic
          - plan: oidcc-basic-certification-test-plan

          # OP Hybrid
          - plan: oidcc-hybrid-certification-test-plan

          # OP Implicit
          - plan: oidcc-implicit-certification-test-plan

          # OP Dynamic
          - plan: oidcc-dynamic-certification-test-plan
            response_type: code
          - plan: oidcc-dynamic-certification-test-plan
            response_type: id_token
          - plan: oidcc-dynamic-certification-test-plan
            response_type: id_token token
          - plan: oidcc-dynamic-certification-test-plan
            response_type: code id_token
          - plan: oidcc-dynamic-certification-test-plan
            response_type: code token
          - plan: oidcc-dynamic-certification-test-plan
            response_type: code id_token token

          # RP-Initiated OP
          - plan: oidcc-rp-initiated-logout-certification-test-plan

          # Back-Channel OP
          - plan: oidcc-backchannel-rp-initiated-logout-certification-test-plan

          # FAPI 1.0 R/W (ID2)
          - plan: fapi-rw-id2-test-plan
            fapi_auth_request_method: by_value
            client_auth_type: private_key_jwt
            fapi_response_mode: plain_response
          - plan: fapi-rw-id2-test-plan
            fapi_auth_request_method: pushed
            client_auth_type: private_key_jwt
            fapi_response_mode: plain_response
          - plan: fapi-rw-id2-test-plan
            fapi_auth_request_method: by_value
            client_auth_type: private_key_jwt
            fapi_response_mode: jarm
          - plan: fapi-rw-id2-test-plan
            fapi_auth_request_method: pushed
            client_auth_type: private_key_jwt
            fapi_response_mode: jarm
          - plan: fapi-rw-id2-test-plan
            fapi_auth_request_method: by_value
            client_auth_type: mtls
            fapi_response_mode: plain_response
          - plan: fapi-rw-id2-test-plan
            fapi_auth_request_method: pushed
            client_auth_type: mtls
            fapi_response_mode: plain_response
          - plan: fapi-rw-id2-test-plan
            fapi_auth_request_method: by_value
            client_auth_type: mtls
            fapi_response_mode: jarm
          - plan: fapi-rw-id2-test-plan
            fapi_auth_request_method: pushed
            client_auth_type: mtls
            fapi_response_mode: jarm

          # FAPI 1.0 Advanced (Final)
          - plan: fapi1-advanced-final-test-plan
            fapi_auth_request_method: by_value
            client_auth_type: private_key_jwt
            fapi_response_mode: plain_response
          - plan: fapi1-advanced-final-test-plan
            fapi_auth_request_method: pushed
            client_auth_type: private_key_jwt
            fapi_response_mode: plain_response
          - plan: fapi1-advanced-final-test-plan
            fapi_auth_request_method: by_value
            client_auth_type: private_key_jwt
            fapi_response_mode: jarm
          - plan: fapi1-advanced-final-test-plan
            fapi_auth_request_method: pushed
            client_auth_type: private_key_jwt
            fapi_response_mode: jarm
          - plan: fapi1-advanced-final-test-plan
            fapi_auth_request_method: by_value
            client_auth_type: mtls
            fapi_response_mode: plain_response
          - plan: fapi1-advanced-final-test-plan
            fapi_auth_request_method: pushed
            client_auth_type: mtls
            fapi_response_mode: plain_response
          - plan: fapi1-advanced-final-test-plan
            fapi_auth_request_method: by_value
            client_auth_type: mtls
            fapi_response_mode: jarm
          - plan: fapi1-advanced-final-test-plan
            fapi_auth_request_method: pushed
            client_auth_type: mtls
            fapi_response_mode: jarm

          # FAPI RW-CIBA-ID1
          - plan: fapi-ciba-id1-test-plan
            client_auth_type: private_key_jwt
            ciba_mode: poll
          - plan: fapi-ciba-id1-test-plan
            client_auth_type: private_key_jwt
            ciba_mode: ping
          - plan: fapi-ciba-id1-test-plan
            client_auth_type: mtls
            ciba_mode: poll
          - plan: fapi-ciba-id1-test-plan
            client_auth_type: mtls
            ciba_mode: ping

          # Extensive
          - plan: oidcc-test-plan
            response_type: code
            client_auth_type: client_secret_basic
          - plan: oidcc-test-plan
            response_type: code id_token
            client_auth_type: client_secret_basic
          - plan: oidcc-test-plan
            response_type: code id_token token
            client_auth_type: client_secret_basic
          - plan: oidcc-test-plan
            response_type: code token
            client_auth_type: client_secret_basic
          - plan: oidcc-test-plan
            response_type: code
            client_auth_type: client_secret_post
          - plan: oidcc-test-plan
            response_type: code id_token
            client_auth_type: client_secret_post
          - plan: oidcc-test-plan
            response_type: code id_token token
            client_auth_type: client_secret_post
          - plan: oidcc-test-plan
            response_type: code token
            client_auth_type: client_secret_post
          - plan: oidcc-test-plan
            response_type: code
            client_auth_type: client_secret_jwt
          - plan: oidcc-test-plan
            response_type: code id_token
            client_auth_type: client_secret_jwt
          - plan: oidcc-test-plan
            response_type: code id_token token
            client_auth_type: client_secret_jwt
          - plan: oidcc-test-plan
            response_type: code token
            client_auth_type: client_secret_jwt
          - plan: oidcc-test-plan
            response_type: code
            client_auth_type: private_key_jwt
          - plan: oidcc-test-plan
            response_type: code id_token
            client_auth_type: private_key_jwt
          - plan: oidcc-test-plan
            response_type: code id_token token
            client_auth_type: private_key_jwt
          - plan: oidcc-test-plan
            response_type: code token
            client_auth_type: private_key_jwt
          - plan: oidcc-test-plan
            response_type: id_token
            client_auth_type: none
          - plan: oidcc-test-plan
            response_type: id_token token
            client_auth_type: none

    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Setup node
        uses: actions/setup-node@v3
        with:
          node-version: lts/hydrogen # 18
          cache: 'npm'
      - run: npm clean-install
      - name: Run oidc-provider (OIDC)
        run: |
          set -o pipefail
          node certification/oidc/docker |& tee server.log &
        if: ${{ startsWith(matrix.setup.plan, 'oidcc') }}
        env:
          PORT: 3000
          DEBUG: oidc-provider:*
          ISSUER: https://172.17.0.1:3000
          NODE_TLS_REJECT_UNAUTHORIZED: 0
      - name: Run oidc-provider (FAPI)
        run: |
          set -o pipefail
          node certification/fapi |& tee server.log &
        if: ${{ startsWith(matrix.setup.plan, 'fapi') }}
        env:
          ISSUER: https://172.17.0.1:3000
          PORT: 3000
          DEBUG: oidc-provider:*
          NODE_OPTIONS: --tls-cipher-list="DHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384"
          NODE_TLS_REJECT_UNAUTHORIZED: 0
      - name: Set Conformance Suite Version
        run: |
          export VERSION=($(curl --silent "https://gitlab.com/api/v4/projects/4175605/releases" | jq -r '.[0].tag_name'))
          echo "VERSION=$VERSION" >> $GITHUB_ENV
      - name: Load Cached Conformance Suite Build
        uses: actions/cache@v3
        id: cache
        with:
          path: ./conformance-suite
          key: ${{ needs.build.outputs.cache-key }}
          fail-on-cache-miss: true
      - name: Run Conformance Suite
        working-directory: ./conformance-suite
        run: |
          docker-compose -f docker-compose-dev.yml up -d
          while ! curl -skfail https://localhost.emobix.co.uk:8443/api/runner/available >/dev/null; do sleep 2; done
      - name: Adjust configuration files for CI
        run: |
          sed -i -e 's/op.panva.cz/172.17.0.1:3000/g' certification/oidc/plan.json
          sed -i -e 's/mtls.fapi.panva.cz/172.17.0.1:3000/g' certification/fapi/plan.json
          sed -i -e 's/fapi.panva.cz/172.17.0.1:3000/g' certification/fapi/plan.json
      - name: Run the plan
        run: npx mocha --timeout 0 --retries 1 certification/runner
        env:
          NODE_TLS_REJECT_UNAUTHORIZED: 0
      - name: Add server log to artifact
        if: ${{ failure() }}
        run: |
          zip -ur ${{ env.EXPORT_FILE }} server.log
      - name: Upload test artifacts
        uses: actions/upload-artifact@v3
        with:
          path: export-*.zip
          name: certification html results
          if-no-files-found: ignore
        if: ${{ always() }}
      - name: Stop Conformance Suite
        working-directory: ./conformance-suite
        run: |
          killall -SIGINT node
          docker-compose -f docker-compose-dev.yml down
          sudo rm -rf mongo