ExternalVendorCode/HIRS
1
0
Fork 0
mirror of https://github.com/nsacyber/HIRS.git synced 2025-04-07 19:34:27 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge pull request #571 from nsacyber/v3_issue_570-githubActions

Browse Source 
updated github actions unit test yml, added Rocky 8.8 Dockerfile, resolves issue 570
This commit is contained in:
iadgovuser26 2023-08-18 11:29:11 -04:00 committed by GitHub
commit 15494adaa3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 139 additions and 130 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
.ci/docker/Dockerfile.rocky88ci Normal file
View File

@ -0,0 +1,58 @@
FROM rockylinux:8.8
# Purpose: This image is designed for HIRS ci testing on Rocky Linux
# Date Modified: 8/16/23
# Notes:
# * This image installs java, installs project dependencies, and runs gradlew to download gradlew
# dependencies. This saves time during a docker run. This also means the image should be
# re-built and re-posted to github each time the following occurs:
# 1) add/update a dependency
# 2) update gradle
# If not re-built, the docker run will still work, but will take longer as it downloads updates
# * Steps to login to registry, build image, tag image with ghcr.io registry, and push to registry:
# $ cat pat.txt | docker login ghcr.io -u iadgovuser## --password-stdin
# Note: pat requires permissions "upload packages from GitHub Package Registry" and possibly "repo"
# $ docker build . -f Dockerfile.rocky88ci -t hirs-rocky8-ci:latest
# Note: may need to use --no-cache when building, if 'git clone HIRS' or 'gradlew' is cached
# (bc need any updated dependencies)
# $ docker image tag hirs-rocky8-ci:latest ghcr.io/nsacyber/hirs/hirs-rocky8-ci:latest
# $ docker push ghcr.io/nsacyber/hirs/hirs-rocky8-ci:latest
# Update package installer
RUN dnf -y update
# Install Java 17
RUN dnf -y install java-17-openjdk-devel
# Ports needed for system-level tests
EXPOSE 8080
EXPOSE 8443
# Install HIRS dependencies
RUN dnf -y install mariadb-server initscripts firewalld policycoreutils net-tools git && dnf clean all
# maybe: libtool cmake make gcc-c++ sudo vim wget openssl openssl-devel protobuf tpm2-tools libcurl-devel libssh-devel
# prob not: rpmdevtools tpm2-tss-devel tpm2-abrmd protobuf-compiler protobuf-devel python36 log4cplus-devel re2-devel tpm2-tss-devel tpm2-abrmd-devel
# Install PACCOR for Device Info Gathering
# RUN mkdir paccor && pushd paccor && wget https://github.com/nsacyber/paccor/releases/download/v1.1.4r6/paccor-1.1.4-6.noarch.rpm && yum -y install paccor-*.rpm && popd
# Install TPM Emulator for Provisioning
# RUN mkdir ibmtpm && pushd ibmtpm && wget --no-check-certificate https://downloads.sourceforge.net/project/ibmswtpm2/ibmtpm1332.tar.gz && tar -zxvf ibmtpm1332.tar.gz && cd src && make -j5 && popd
# Install Microsoft dotnet and rpm package tool
# RUN wget https://dot.net/v1/dotnet-install.sh
# RUN sh dotnet-install.sh --os linux --channel LTS
# ENV PATH="/root/.dotnet:${PATH}"
# RUN wget https://packages.microsoft.com/rhel/8/prod/packages-microsoft-prod.rpm
# RUN dnf -y install packages-microsoft-prod.rpm
# RUN dnf makecache
# RUN dnf -y install dotnet-sdk-6.0
# RUN dotnet tool install --global dotnet-rpm
# Checkout HIRS main branch and run gradlew to install gradlew dependencies, then delete HIRS
# Use '--depth=1' so as to not download the history of all commits
RUN git clone -b main --depth=1 https://github.com/nsacyber/HIRS.git /hirsTemp
WORKDIR "/hirsTemp"
RUN /bin/bash -c './gradlew clean build'
WORKDIR "/"
RUN rm -rf /hirsTemp

211
.github/workflows/hirs_unit_tests.yml vendored
View File

@ -1,147 +1,98 @@
# This workflow will build HIRS, run unit tests, and create HIRS artifacts
# Updated: 8/15/23
name: HIRS Build and Unit Test
on:
# Runs this workflow whenever there is a push to main from a branch annotated with "v3"
push:
branches:
- '*v2*'
- 'master'
# allows you to run this workflow manually from the Actions tab
- '*v3*'
- 'main'
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
jobs:
# run the unit tests and package HIRS ACA, provisoner, and tools
ACA_Provisioner_unit_tests:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
# Run the unit tests and package HIRS ACA, provisoner, and tools
ACA_Provisioner_Unit_Tests:
runs-on: ubuntu-latest # Configures the job to run on the latest version of an Ubuntu Linux runner
steps:
- uses: actions/checkout@v2
- name: Set up JDK 11
uses: actions/setup-java@v2
with:
java-version: '8'
distribution: 'adopt'
server-id: github # Value of the distributionManagement/repository/id field of the pom.xml
settings-path: ${{ github.workspace }} # location for the settings.xml file
# Build will either archive war files if the build is successful, otherwise a set of build report will be archived
- name: directory setup
- uses: actions/checkout@v3 # run v3 of actions/checkout action, which checks out your repository onto the runner
# Build will archive build reports and will create a failedFile if build is not successful
- name: Directory setup
run: |
mkdir -p artifacts/wars
mkdir -p artifacts/reports/HIRS_AttestationCA
mkdir -p artifacts/reports/HIRS_AttestationCAPortal
mkdir -p artifacts/reports/HIRS_Provisioner
mkdir -p artifacts/reports/HIRS_ProvisionerTPM2
mkdir -p artifacts/reports/HIRS_Structs
mkdir -p artifacts/reports/HIRS_Utils
mkdir -p artifacts/reports/tcg_rim_tool
mkdir -p artifacts/reports/tcg_eventlog_tool
# Run the provisioner and ACA unit tests via gradle build in an Centos 7 Docker container
- name: Build HIRS and run Unit tests
mkdir -p artifacts/githubActionsResults
mkdir -p artifacts/upload_reports/HIRS_AttestationCA
mkdir -p artifacts/upload_reports/HIRS_AttestationCAPortal
mkdir -p artifacts/upload_reports/HIRS_Provisioner
mkdir -p artifacts/upload_reports/HIRS_ProvisionerTPM2
mkdir -p artifacts/upload_reports/HIRS_Structs
mkdir -p artifacts/upload_reports/HIRS_Utils
mkdir -p artifacts/upload_reports/tcg_rim_tool
mkdir -p artifacts/upload_reports/tcg_eventlog_tool
# Run the provisioner and ACA unit tests via gradle build in a Rocky Docker container
- name: Build HIRS and run unit tests
run: |
echo ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} | docker login -u ${{ secrets.DOCKER_HUB_USERNAME }} --password-stdin
docker run --rm \
-v $(pwd):/HIRS hirs/hirs-ci:centos7 /bin/bash \
-c 'pushd /HIRS; \
gradle_status=0; \
./gradlew :HIRS_AttestationCA:clean :HIRS_AttestationCA:build :HIRS_AttestationCA:test; \
if (( $? != "0" )) ; then gradle_status=1; fi; \
cp -r /HIRS/HIRS_AttestationCA/build/reports/ /HIRS/artifacts/reports/HIRS_AttestationCA/.; \
./gradlew :HIRS_AttestationCAPortal:clean :HIRS_AttestationCAPortal:build :HIRS_AttestationCAPortal:test; \
if (( $? != "0" )) ; then gradle_status=1; fi; \
cp -r /HIRS/HIRS_AttestationCAPortal/build/reports/ /HIRS/artifacts/reports/HIRS_AttestationCAPortal/.; \
./gradlew :HIRS_Provisioner:clean :HIRS_Provisioner:build :HIRS_Provisioner:test; \
if (( $? != "0" )) ; then gradle_status=1; fi; \
cp -r /HIRS/HIRS_Provisioner/build/reports/ /HIRS/artifacts/reports/HIRS_Provisioner/.; \
./gradlew :HIRS_ProvisionerTPM2:clean :HIRS_ProvisionerTPM2:build :HIRS_ProvisionerTPM2:test; \
if (( $? != "0" )) ; then gradle_status=1; fi; \
cp -r /HIRS/HIRS_ProvisionerTPM2/docs/ /HIRS/artifacts/reports/HIRS_ProvisionerTPM2/.; \
./gradlew :HIRS_Structs:clean :HIRS_Structs:build :HIRS_Structs:test; \
if (( $? != "0" )) ; then gradle_status=1; fi; \
cp -r /HIRS/HIRS_Structs/build/reports/ /HIRS/artifacts/reports/HIRS_Structs/.; \
./gradlew :HIRS_Utils:clean :HIRS_Utils:build :HIRS_Utils:test; \
if (( $? != "0" )) ; then gradle_status=1; fi; \
cp -r /HIRS/HIRS_Utils/build/reports/ /HIRS/artifacts/reports/HIRS_Utils/.; \
./gradlew :TPM_Utils:clean :TPM_Utils:build :TPM_Utils:test; \
if (( $? != "0" )) ; then gradle_status=1; fi; \
# Use the war file archive to fail the Build ACA tests by not placing them in the artifacts folder
if (( $gradle_status == "0" )) ; then \
cp /HIRS/HIRS_AttestationCA/build/libs/HIRS_AttestationCA.war /HIRS/artifacts/wars/.; \
cp /HIRS/HIRS_AttestationCAPortal/build/libs/HIRS_AttestationCAPortal.war /HIRS/artifacts/wars/.; \
echo "Build Worked"; \
else \
echo "Build Failed"; \
fi; popd;' \
- name: Archive Report files
uses: actions/upload-artifact@v2
# log into and run docker (note: must set up secrets in github for ghcr username and access_token)
echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u $ --password-stdin
# docker run options:
# create a mount between curr directory on the runner and the HIRS folder created by the cloning of HIRS repo
# -v $(pwd):/HIRS
# image used for the container, given by <repository>:<tag_name>
# rocky8: ghcr.io/nsacyber/hirs/hirs-rocky8-ci:latest [repo: https://github.com/orgs/nsacyber/packages]
# bash commands to clean/build/test each subproject
# /bin/bash -c '<commands>'
docker run --rm \
-v $(pwd):/HIRS \
ghcr.io/nsacyber/hirs/hirs-rocky8-ci:latest /bin/bash -c \
'pushd /HIRS
gradle_status=0
# git added a feature that gives error if user is not owner of the top-level directory; need to override this
git config --global --add safe.directory /HIRS
# clean, build and run unit tests on all sub-projects; copy build reports to an artifacts directory
./gradlew :HIRS_AttestationCA:clean :HIRS_AttestationCA:build :HIRS_AttestationCA:test
if (( $? != "0" )) ; then gradle_status=1; fi
#cp -r /HIRS/HIRS_AttestationCA/build/reports/ /HIRS/artifacts/upload_reports/HIRS_AttestationCA/.
./gradlew :HIRS_AttestationCAPortal:clean :HIRS_AttestationCAPortal:build :HIRS_AttestationCAPortal:test
if (( $? != "0" )) ; then gradle_status=1; fi
#cp -r /HIRS/HIRS_AttestationCAPortal/build/reports/ /HIRS/artifacts/upload_reports/HIRS_AttestationCAPortal/.
#./gradlew :HIRS_Provisioner:clean :HIRS_Provisioner:build :HIRS_Provisioner:test
#if (( $? != "0" )) ; then gradle_status=1; fi
#cp -r /HIRS/HIRS_Provisioner/build/reports/ /HIRS/artifacts/upload_reports/HIRS_Provisioner/.
#./gradlew :HIRS_ProvisionerTPM2:clean :HIRS_ProvisionerTPM2:build :HIRS_ProvisionerTPM2:test
#if (( $? != "0" )) ; then gradle_status=1; fi
#cp -r /HIRS/HIRS_ProvisionerTPM2/docs/ /HIRS/artifacts/upload_reports/HIRS_ProvisionerTPM2/.
#./gradlew :HIRS_Structs:clean :HIRS_Structs:build :HIRS_Structs:test
#if (( $? != "0" )) ; then gradle_status=1; fi
#cp -r /HIRS/HIRS_Structs/build/reports/ /HIRS/artifacts/upload_reports/HIRS_Structs/.
./gradlew :HIRS_Utils:clean :HIRS_Utils:build :HIRS_Utils:test
if (( $? != "0" )) ; then gradle_status=1; fi
cp -r /HIRS/HIRS_Utils/build/reports/ /HIRS/artifacts/upload_reports/HIRS_Utils/.
#./gradlew :TPM_Utils:clean :TPM_Utils:build :TPM_Utils:test
#if (( $? != "0" )) ; then gradle_status=1; fi
# Create "fail file" to fail the Build ACA tests if gradle exited with anything other than 0
if (( $gradle_status == "0" )) ; then
echo "In docker: Build Passed"
else
echo "In docker: Build Failed"
touch /HIRS/artifacts/githubActionsResults/buildFailed.txt
fi; popd;'
# Upload build report files
- name: Archive report files
uses: actions/upload-artifact@v3
with:
name: HIRS_Build_Reports
path: artifacts/reports/*
path: artifacts/upload_reports/*
if-no-files-found: ignore
# if-no-files-found used to fail the ACA unti tests
- name: Archive WAR files
uses: actions/upload-artifact@v2
# If buildFailed file exists, use that to fail the ACA unit tests
- name: Check if build/test passed or failed
if: ${{ hashFiles('artifacts/githubActionsResults/buildFailed.txt') != '' }}
uses: actions/github-script@v6
with:
name: WAR_Files
path: artifacts/wars/*
if-no-files-found: error
# Process eventlog and rim tool seperately to save time building
tcg_eventlog_tool_tests:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- uses: actions/checkout@v2
- name: Set up JDK 8
uses: actions/setup-java@v2
with:
java-version: '8'
distribution: 'adopt'
server-id: github # Value of the distributionManagement/repository/id field of the pom.xml
settings-path: ${{ github.workspace }} # location for the settings.xml file
- name: build and test event log tool
run: |
mkdir -p artifacts/reports/tcg_eventlog_tool;
./gradlew :tools/tcg_eventlog_tool:build :tools/tcg_eventlog_tool:test;
if (( $? != "0" )) ; then
cp -r tools/tcg_eventlog_tool/build/reports/ artifacts/reports/tcg_eventlog_tool/.;
fi
- name: Archive Report files
uses: actions/upload-artifact@v2
with:
name: tcg_eventlog_tool_reports
path: artifacts/reports/*
if-no-files-found: ignore
tcg_rim_tool_tests:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- uses: actions/checkout@v2
- name: Set up JDK 8
uses: actions/setup-java@v2
with:
java-version: '8'
distribution: 'adopt'
server-id: github # Value of the distributionManagement/repository/id field of the pom.xml
settings-path: ${{ github.workspace }} # location for the settings.xml file
- name: build and test event log tool
run: |
mkdir -p artifacts/reports/tcg_rim_tool;
./gradlew :tools/tcg_rim_tool:build :tools/tcg_rim_tool:test;
if (( $? != "0" )) ; then
cp -r tools/tcg_rim_tool/build/reports/ artifacts/reports/tcg_rim_tool/.;
fi
- name: Archive Report files
uses: actions/upload-artifact@v2
with:
name: tcg_rim_tool_reports
path: artifacts/reports/*
if-no-files-found: ignore
script: |
core.setFailed('Build or Unit Test Failed')