.gitlab-ci.yml

variables:
  LANG: C.UTF-8
  IMAGE_NAME: linotp-build-test-environment_buster
  BUILD_CODE_IMAGE: $REGISTRY_URL/$IMAGE_NAME:$CI_COMMIT_REF_NAME
  LATEST_CODE_IMAGE: $REGISTRY_URL/$IMAGE_NAME:$CI_PIPELINE_ID
  DOCKERFY_URL: http://avocado.corp.lsexperts.de/jenkins/dockerfy/dockerfy
  DEBIAN_MIRROR: ftp.de.debian.org
  DEPENDENCY_DEB_REPO: http://debs-devel.corp.linotp.de/linotp3 buster linotp
  # DEPENDENCY_GPG_KEYID: 7CC736921C5A21B7
  DEPENDENCY_GPG_KEYID: ""
  DEPENDENCY_GPG_KEY_URL: http://avocado.corp.lsexperts.de/deb-repo/ki-archive-keyring.gpg
  DOCKER_TAGS: $CI_PIPELINE_ID
  CI_IMAGE_PREFIX: $REGISTRY_URL/$CI_PROJECT_NAME/ci
  NOSE_COVER_PACKAGE: linotp
  DOCKER_COMPOSE_VERSION: "1.22.0"
  # Docker network per build - needed for DNS resolution between services (service linotp needs db)
  FF_NETWORK_PER_BUILD: 1
workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == 'schedule'              # Execute nightly pipeline
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"' # Execute pipeline in merge request context
    - if: '$CI_PIPELINE_SOURCE == "web"'                 # Execute pipeline manually triggered from the web
    - if: $CI_COMMIT_TAG                                 # Execute pipeline on release tag
    - if: '$CI_COMMIT_BRANCH =~ /^(branch-v|master)/'    # Execute pipeline when a new commit is pushed to a stable or master branch
    - if: $NIGHTLY_PIPELINE                              # Execute pipeline if run with this variable set

stages:
  - pre-check
  - build
  - lint
  - test
  - coverage-report
  - apidocs
  - upload-debian-packages

.docker-registry: &docker-registry
  before_script:
    - docker login -u $REGISTRY_USERNAME -p $REGISTRY_PASSWORD $REGISTRY_URL

include:
  - template: Code-Quality.gitlab-ci.yml

pre-commit-check:
  stage: pre-check
  image: python:3.7
  cache:
    paths:
      - $CI_PROJECT_DIR/.pre-commit-cache
  rules:
    - exists:
      - .pre-commit-config.yaml
  before_script:
    - pip install pre-commit
  script:
    - PRE_COMMIT_HOME=$CI_PROJECT_DIR/.pre-commit-cache pre-commit run --all-files

# Build docker images and debs
# This builds the .debs and docker images (builder, linotp, testenv).
# Everything else depends on these, so we build everything in one go
# to make the build of all the images as fast as possible. We use
# Docker caching to speed things up.
.build-debs-and-images:
  stage: build
  image: docker:latest
  retry:
    max: 2
  needs: []
  <<: *docker-registry
  script:
    - apk add --no-cache make
    - REGISTRY_IMAGE=$CI_IMAGE_PREFIX/${DEBIAN_RELEASE_NAME}/linotp
    - BUILDER_CACHE_KEY=$(sha256sum Dockerfile.builder | cut -d ' ' -f1)
    - BUILDER_CACHE_IMAGE=$REGISTRY_IMAGE-builder:${BUILDER_CACHE_KEY}
    - LINOTP_CACHE_KEY=$(sha256sum Dockerfile | cut -d ' ' -f1)
    - LINOTP_CACHE_IMAGE=$REGISTRY_IMAGE:${LINOTP_CACHE_KEY}
    # Pull the old images to speedup the build process, the hope is
    # that the modified time will always be the same unless the file
    # has actually been changed
    - export DOCKER_BUILDKIT=1
    - docker pull debian:${DEBIAN_RELEASE_NAME}
    - docker pull $BUILDER_CACHE_IMAGE || true
    - docker pull $LINOTP_CACHE_IMAGE || true
    # Build the images
    - >
        make
        docker-build-linotp-builder
        docker-build-linotp
        docker-build-linotp-test-image
        docker-build-linotp-softhsm
        BUILDDIR="${CI_PROJECT_DIR}"
        DOCKER_BUILD_ARGS="
        --build-arg BUILDKIT_INLINE_CACHE=1
        --cache-from=$BUILDER_CACHE_IMAGE
        --cache-from=$LINOTP_CACHE_IMAGE
        "
    # Tag and push images to repository in the form:
    #  registry/ci/release/linotp-IMAGENAME:pipelineID
    #  registry/ci/release/linotp-IMAGENAME:sha256
    # First for linotp-builder
    - docker tag linotp-builder:latest "${BUILDER_CACHE_IMAGE}"
    - docker tag linotp-builder:latest "$REGISTRY_IMAGE-builder:${CI_PIPELINE_ID}"
    - docker push "${BUILDER_CACHE_IMAGE}"
    - docker push "$REGISTRY_IMAGE-builder:${CI_PIPELINE_ID}"
    # Now do the same for linotp
    - docker tag linotp:latest "${LINOTP_CACHE_IMAGE}"
    - docker tag linotp:latest "$REGISTRY_IMAGE:${CI_PIPELINE_ID}"
    - docker push "${LINOTP_CACHE_IMAGE}"
    - docker push "$REGISTRY_IMAGE:${CI_PIPELINE_ID}"
    # Now we push the testenv and softhsm images. We do not bother to cache
    # this because they change every time we do a new linotp build.
    - docker tag linotp-testenv:latest "$REGISTRY_IMAGE-testenv:${CI_PIPELINE_ID}"
    - docker push "$REGISTRY_IMAGE-testenv:${CI_PIPELINE_ID}"
    - docker tag linotp-softhsm:latest "$REGISTRY_IMAGE-softhsm:${CI_PIPELINE_ID}"
    - docker push "$REGISTRY_IMAGE-softhsm:${CI_PIPELINE_ID}"
    # Log all the images to stdout
    - docker images
    # Save build job id to artifacts for later uploads
    - echo "$CI_JOB_ID" > apt/"$DEBIAN_RELEASE_NAME"_build_job_id.txt

build:debian-buster:
  extends: .build-debs-and-images
  variables:
    DEBIAN_RELEASE_NAME: buster
  artifacts:
    expose_as: apt-buster
    paths:
      - apt/
    name: "linotp-debs${CI_COMMIT_REF_SLUG}"
    expire_in: 2 weeks


.lint:
  stage: lint
  image: ${CI_IMAGE_PREFIX}/${DEBIAN_RELEASE_NAME}/linotp-testenv:${CI_PIPELINE_ID}
  needs: ["build:debian-buster"]
  variables:
    LINTED_MODULE: ""
    DEBIAN_RELEASE_NAME: buster
    EXIT_ON_FATAL: "1"
    EXIT_ON_ERROR: "0"
    EXIT_ON_WARNING: "0"
  script:
    - pylint3 linotp/${LINTED_MODULE} && STATUS=0 || STATUS=$?
    - echo STATUS:$STATUS
    - "test $(( $STATUS & 32 )) -eq 0 || (echo 'Fail: usage error'; false)"
    - "test $(( $EXIT_ON_FATAL && $STATUS & 1 )) -eq 0 || (echo 'Fail: Fatal errors'; false)"
    - "test $(( $EXIT_ON_ERROR && $STATUS & 2 )) -eq 0 || (echo 'Fail: Errors'; false)"
    - "test $(( $EXIT_ON_WARNING && $STATUS & 4 )) -eq 0 || (echo 'Fail: Warnings'; false)"

lint-controllers:
  extends: .lint
  variables:
    LINTED_MODULE: controllers

lint-lib:
  extends: .lint
  variables:
    LINTED_MODULE: lib

lint-model:
  extends: .lint
  variables:
    LINTED_MODULE: model

lint-provider:
  extends: .lint
  variables:
    LINTED_MODULE: provider

lint-tokens:
  extends: .lint
  variables:
    LINTED_MODULE: tokens

lint-useridresolver:
  extends: .lint
  variables:
    LINTED_MODULE: useridresolver

# Provide pytest arguments based on base rules
# The tests need a number of arguments based on the type
# of job they represent. (database type, parallel run, nightly, etc.).
# We also need do decide whether to include parallel arguments depending on
# the job variables provided. We implement this as a shell command so that
# we can make use of the shell to put all the pieces together in once place.
#
# Pytest arguments can be specified in these variables:
#  NIGHTLY_ARGS     - Only used if this is a nightly (extended) pipeline
#  NON_NIGHTLY_ARGS - Only used for normal pipelines (MRs, merges, tags)
#  ALL_JOB_ARGS     - Both nightly and non-nightly jobs
#
# Behaviour configuration:
#  NIGHTLY_PIPELINE - If set, the pipeline runs in nightly mode and enables an
#                     extended set of tests
#
# Other variables used:
#  CI_JOB_NAME      - the test report file is derived from the job name
#  CI_NODE_TOTAL    - parallel run configuration
#  CI_NODE_INDEX
.pytest-args: &pytest-args |
  # Junit XML filename is based on the job name
  PYTESTARGS="--junitxml=`echo ${CI_JOB_NAME} | tr ' /' '_'`.xml"
  if [ -n "${CI_NODE_INDEX}" ]; then
    PYTESTARGS="$PYTESTARGS --test-group-count=${CI_NODE_TOTAL} --test-group=${CI_NODE_INDEX}"
  fi
  # Add arguments from job definition
  PYTESTARGS="$PYTESTARGS ${ALL_JOB_ARGS}"
  # Job definition of nightly / non-nightly arguments
  if [ -n "${NIGHTLY_PIPELINE}" ]; then
    PYTESTARGS="$PYTESTARGS ${NIGHTLY_ARGS}"
  else
    PYTESTARGS="$PYTESTARGS ${NON_NIGHTLY_ARGS}"
  fi
  # Coverage report
  PYTESTARGS="$PYTESTARGS --cov=linotp --cov-report=xml:${CI_PROJECT_DIR}/coverage.xml"

# Nightly tests are scheduled to run once a day and contain
# more tests than the regular set
.only-nightly:
  rules:
    - if: $NIGHTLY_PIPELINE                            # Nightly job is longer
      when: always

# Tests should run on Debian buster
.buster-tests:
  variables:
    DEBIAN_RELEASE_NAME: buster
  needs: ["build:debian-buster"]

# The next sections provide different database configurations
.mysql-vars: &mysql-vars
  MYSQL_DATABASE: linotp_db
  MYSQL_ROOT_PASSWORD: rootpass
  MYSQL_USER: linotp
  MYSQL_PASSWORD: linotppass
  LINOTP_DB_HOST: "db"
  LINOTP_DB_PORT: "3306"
  LINOTP_DB_WAITTIME: 2m
  LINOTP_DATABASE_URI: "mysql+mysqldb://linotp:linotppass@db/linotp_db?charset=utf8"
  LINOTP_PYTEST_DATABASE_URI: "mysql+mysqldb://linotp:linotppass@db/linotp_db?charset=utf8"

.mysql-database:
  variables:
    <<: *mysql-vars
    DB: mysql:5.5
  services:
    - name: ${DB}
      alias: db
      command: ["mysqld", "--character-set-server=utf8", "--collation-server=utf8_general_ci"]

.mariadb-database:
  variables:
    <<: *mysql-vars
    DB: mariadb:10.1
  services:
    - name: ${DB}
      alias: db

.postgres-database:
  variables:
    DB: postgres:12
    POSTGRES_DB: linotp_db
    POSTGRES_USER: linotp
    POSTGRES_PASSWORD: "linotppass"
    POSTGRES_HOST_AUTH_METHOD: trust
    LINOTP_DB_HOST: "db"
    LINOTP_DB_PORT: "3306"
    LINOTP_DB_WAITTIME: 2m
    LINOTP_DATABASE_URI: postgres://linotp:linotppass@db/linotp_db
    LINOTP_PYTEST_DATABASE_URI: postgres://linotp:linotppass@db/linotp_db
  services:
    - name: ${DB}
      alias: db

## Test stages

.test-base:
  stage: test
  image: ${CI_IMAGE_PREFIX}/${DEBIAN_RELEASE_NAME}/linotp-testenv:${CI_PIPELINE_ID}
  artifacts:
    reports:
      cobertura: ${CI_PROJECT_DIR}/coverage.xml

# Unit tests
unit-test:
  extends:
    - .test-base
    - .buster-tests
  parallel: 4
  artifacts:
    reports:
      junit: linotp/tests/unit/unit-*.xml
  script:
    - *pytest-args
    - make unittests PYTESTARGS="$PYTESTARGS"

# Functional tests
.functional-test-base:
  extends:
    - .test-base
    - .buster-tests
  artifacts:
    reports:
      junit: linotp/tests/functional/functional-*.xml
  script:
    - *pytest-args
    - make functionaltests PYTESTARGS="$PYTESTARGS"

functional-test:
  extends: .functional-test-base
  parallel: 6

functional-test-mysql:
  extends:
    - .functional-test-base
    - .mysql-database
  variables:
    # Only run non-sqlite tests in regular pipeline
    NON_NIGHTLY_ARGS: "-m exclude_sqlite"

functional-test-mariadb:
  extends:
    - .functional-test-base
    - .mariadb-database
  variables:
    NON_NIGHTLY_ARGS: "-m exclude_sqlite"

functional-test-postgres:
  extends:
    - .functional-test-base
    - .postgres-database
  variables:
    NON_NIGHTLY_ARGS: "-m exclude_sqlite"

.e2e-test:
  extends:
    - .test-base
    - .buster-tests
  variables:
    LINOTP_IMAGE: "linotp"
    LINOTP_HOST: "test-linotp"
    LINOTP_PORT: "443"
    LINOTP_PROTOCOL: "https"
    LINOTP_USERNAME: "admin"
    LINOTP_PASSWORD: "admin"
    HEALTHCHECK_PORT: "80"
    SELENIUM_DRIVER: "chrome"
    SELENIUM_PROTOCOL: "http"
    SELENIUM_HOST: "test-chrome"
    SELENIUM_PORT: "4444"
    SSL_TRUSTED_CERT: "
      Issuer: C = DE, O = LSE Leading Security Experts GmbH, CN = LSE CA 2015
      Subject: C = DE, O = LSE Leading Security Experts GmbH, CN = LSE CA 2015
      Validity
          Not Before: Apr  1 00:00:00 2015 GMT
          Not After : Apr  1 00:00:00 2027 GMT
      -----BEGIN CERTIFICATE-----
      MIIF2TCCA8GgAwIBAgICAJ8wDQYJKoZIhvcNAQENBQAwTzELMAkGA1UEBhMCREUx
      KjAoBgNVBAoMIUxTRSBMZWFkaW5nIFNlY3VyaXR5IEV4cGVydHMgR21iSDEUMBIG
      A1UEAwwLTFNFIENBIDIwMTUwIhgPMjAxNTA0MDEwMDAwMDBaGA8yMDI3MDQwMTAw
      MDAwMFowTzELMAkGA1UEBhMCREUxKjAoBgNVBAoMIUxTRSBMZWFkaW5nIFNlY3Vy
      aXR5IEV4cGVydHMgR21iSDEUMBIGA1UEAwwLTFNFIENBIDIwMTUwggIiMA0GCSqG
      SIb3DQEBAQUAA4ICDwAwggIKAoICAQDl6h7g1XKpEjrG/psF2ZaKulnRjYp72QNC
      9tCYKWP5AX0azKMLvzVAgdL4DRHyT5Hi19deUHiB0yte/h2devhvwgoAzYla/DXD
      ibUh0MsPjmK1d3R6AVjHypGAxFF3ar/kO/dOSCgVpzNQ4EC5KzbfwUxfXj5oEaVB
      ZRs2v+X7xWRKyv9JKC6t3rMsrAQiUZZws5FiSvSZpFHKb1tzttf/qq7TAt8N35ri
      +nU9saUQXZczTwUlXIvlRsQRCuxeh/mVVwsXv30pd9nF3GyUMvz8+BNwKiFeJqYZ
      Lrvt2cUtQFYSwwnzpxwZE+TMf9PY0W0JzroAm4YroJapP79M379euJuvtmmSpugk
      aPu3+YqZAbqMFMr9V9fhiyE9IUi02XaCF9ZnwWeW7zttD99lH4YMDXbJotHq+B1Y
      r/dnx/CV/9Hodj3y1HyC0LT0tDPOk7T1Zhawnfgx3aj+Au98ahhfqjVKFKFwyEP6
      waOdMbJPWtZhnu8tU/oZzD3z8Y49T5uL/tCJ7lMxOVhAPXI1q785LsRPbmj+XmJw
      eNpDJ3t3JUWUsFnKzo1qgOrVlfP3psp8IXtwhp3SLzno6wa3dhkfcP9Ii48KsNyW
      e7AWpYJX9tZPs6LNJ43LGxiE1vUqTAintgLmrharcBhqp9wsy3xfv7uTgBVRKz/F
      u698oqnAlwIDAQABo4G6MIG3MBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYE
      FOSYlUpVl3nYrcQ3wBPY6yswIvX2MB8GA1UdIwQYMBaAFOSYlUpVl3nYrcQ3wBPY
      6yswIvX2MA4GA1UdDwEB/wQEAwIBBjBRBgNVHSAESjBIMEYGCisGAQQBgrwUAQEw
      ODA2BggrBgEFBQcCARYqaHR0cHM6Ly9jcHMuY29ycC5sc2V4cGVydHMuZGUvY3Bz
      L2Nwcy5odG1sMA0GCSqGSIb3DQEBDQUAA4ICAQCbtoR9nmg5Bg2budR8fNZf6WRa
      1EFR8IrrSqrMr2jST8JNzjBu3/BOw/zaA6YdvtNBgl1Z/jpEufYuK5BtSuVvNZrE
      wDNRJtydFmqjt2B12do06XHFK3SMMoNM9B/CzImbFYjS/y6HXmB8mgWJk4lD01uw
      /TsxwmbvtyJVIUl4AzYUtgeUARnEqKQ1hWhT52TyOl2RHlxxm0xFmyWWcb96/dbs
      83qSR9EoV/wXbx96EHnwbMPQLWwtbxhWSWCYAr0Xu8Gs2n900aslbYnZLgahk0eO
      6odOJNAE+tEKslux4RUIibxEJndZTjkr9Gk/h1vbXeDKFB3Y/1fDR0X3RHkibY6U
      eDy6UlUl0/glevSjXyHHWriLCQvpvD6PZ2rrHQk5clvMMefG6ihtujmZDeZjVqFY
      su73kHg54EZtX3tIsS1k3VOOnUWtwWrctF7xdPg7bU26HyFPDFi9pm+BoJle3jQ5
      D+jrlgk7d5JKY2mylAC5sB00mSaDrm5nrrrQO8Pkw5oMGw+qUO38kFBDga0NKb7A
      AWlkdW2+C4gU3/HPUIhOc0zi6dfmwTYQRh6v8X9sbPpl3dkiAevQrFM+uLelW0+6
      WqEzG8IaiwY0S8mKYzsOKSeMzTI1ITk9Uwl3EXlgNpZFIqeW25DLmfa28F9Lmgay
      zhhVtfk6U1pMHlAeSg==
      -----END CERTIFICATE-----
      "
  artifacts:
    name: browser-screenshots
    paths:
      - Screenshots/
    when: on_failure
    reports:
      junit: linotp/tests/integration/e2e-*.xml
  script:
    - cd linotp/tests/integration
    - >
        /usr/local/bin/dockerfy
        --template docker_cfg.ini.tmpl:/tmp/server_cfg.ini
        --wait tcp://$SELENIUM_HOST:$SELENIUM_PORT
        --timeout 60m
        --wait tcp://$LINOTP_HOST:$LINOTP_PORT
        --timeout 60m
    - *pytest-args
    - make integrationtests TCFILE=/tmp/server_cfg.ini PYTESTARGS="$PYTESTARGS"
  after_script:
    - mv linotp/tests/integration/Screenshots .

e2e-test-mariadb:
  extends:
    - .e2e-test
    - .mariadb-database
  parallel: 2
  services:
    - name: "${CI_IMAGE_PREFIX}/${DEBIAN_RELEASE_NAME}/${LINOTP_IMAGE}:${CI_PIPELINE_ID}"
      alias: test-linotp
    - name: ${DB}
      alias: db
    - name: selenium/standalone-chrome-debug:latest
      alias: test-chrome

# End to end test using Soft HSM image
e2e-test-softhsm:
  extends:
    - .e2e-test
    - .mariadb-database
    - .only-nightly
  variables:
    ALL_JOB_ARGS: "-m smoketest -v"
    LINOTP_IMAGE: "linotp-softhsm"
  services:
    - name: "${CI_IMAGE_PREFIX}/${DEBIAN_RELEASE_NAME}/${LINOTP_IMAGE}:${CI_PIPELINE_ID}"
      alias: test-linotp
    - name: ${DB}
      alias: db
    - name: selenium/standalone-chrome-debug:latest
      alias: test-chrome
  allow_failure: true

# Auto-generate API docs using Sphinx.
apidocs:
  stage: apidocs
  image: $CI_IMAGE_PREFIX/buster/linotp:${CI_PIPELINE_ID}
  needs: ["build:debian-buster"]
  script:
    - python3 --version
    - pip3 install -e ".[apidocs]"
    - cd ${CI_PROJECT_DIR}/api-doc
    - make apidocs
    - make html
    - cp -a build/html/. ${CI_PROJECT_DIR}/api-doc
  artifacts:
    name: "linotp-apidocs"
    paths:
      - api-doc
    expire_in: 2 weeks

.before_upload: &before_upload
  before_script:
    # Ensure required variables have been set
    - test -n "${DEV_REPO_HOST}"
    - test -n "${DEV_REPO_KNOWN_HOSTS}"
    - test -n "${DEV_REPO_SSH_SUBMIT_KEY}"
    # Install dependencies
    - apt-get update && apt-get install -y --no-install-recommends devscripts openssh-client
    # Configure ssh
    - eval $(ssh-agent -s)
    - echo "$DEV_REPO_SSH_SUBMIT_KEY" | tr -d '\r' | ssh-add - >/dev/null
    - mkdir -p ~/.ssh
    - chmod 700 ~/.ssh
    - echo "CheckHostIP no" >>~/.ssh/config
    - echo "$DEV_REPO_KNOWN_HOSTS" >~/.ssh/known_hosts
    - chmod 644 ~/.ssh/known_hosts
    - export BUILD_JOB_ID=$(cat apt/"$DEBIAN_RELEASE_NAME"_build_job_id.txt)

# Upload deb packages to development repository.
upload-debs:buster:
  stage: upload-debian-packages
  image: debian:latest
  rules:
    - if: $CI_PIPELINE_SOURCE == 'schedule'                # Nightly jobs do not upload
      when: never
    - if: '$CI_COMMIT_TAG && $CI_COMMIT_TAG =~ /^release/' # Auto upload if tagged
      when: never
    - if: '$CI_COMMIT_BRANCH =~ /^(branch-v|master)/'      # Auto upload if merged to stable or master
      when: always
    - when: manual                                         # Otherwise allow manual upload from branch
      allow_failure: true
  <<: *before_upload
  script:
    - find apt/* -ls
    - ssh debs@$DEV_REPO_HOST repo-tool gpull linotp3 "$CI_PROJECT_PATH" --jobid "$BUILD_JOB_ID"
  variables:
    DEBIAN_RELEASE_NAME: buster


# Upload packages to `buster-golden` if we are on a `release` tag.
upload-golden-debs:buster:
  stage: upload-debian-packages
  image: debian:latest
  rules:
    - if: '$CI_COMMIT_TAG && $CI_COMMIT_TAG =~ /^release/'
      when: always
  <<: *before_upload
  script:
    - ssh debs@$DEV_REPO_HOST repo-tool gpull linotp3-golden "$CI_PROJECT_PATH" --jobid "$BUILD_JOB_ID"
  variables:
    DEBIAN_RELEASE_NAME: buster