Add pki tps-client

The pki tps-client has been added to replace tpsclient to make
it easier to maintain TPS client code and to troubleshoot TPS
issues. Currently it will simply reuse libpki-tps.so but in the
future the native code will gradually be converted to Java.

The tpsclient has been deprecated and will be removed in the
future.

The basic TPS test has been updated to test both pki tps-client
and tpsclient.

.github/workflows/tps-basic-test.yml

@@ -33,20 +33,18 @@ jobs:
           tests/bin/ds-create.sh \
               --image=${{ env.DS_IMAGE }} \
               --hostname=ds.example.com \
+              --network=example \
+              --network-alias=ds.example.com \
               --password=Secret.123 \
               ds
 
-      - name: Connect DS container to network
-        run: docker network connect example ds --alias ds.example.com
-
       - name: Set up PKI container
         run: |
-          tests/bin/runner-init.sh pki
-        env:
-          HOSTNAME: pki.example.com
-
-      - name: Connect PKI container to network
-        run: docker network connect example pki --alias pki.example.com
+          tests/bin/runner-init.sh \
+              --hostname=pki.example.com \
+              --network=example \
+              --network-alias=pki.example.com \
+              pki
 
       - name: Install CA
         run: |
@@ -304,7 +302,7 @@ jobs:
           # restart TPS subsystem
           docker exec pki pki-server tps-redeploy --wait
 
-      - name: Add token
+      - name: Add token for testuser1
         run: |
           hexdump -v -n "10" -e '1/1 "%02x"' /dev/urandom > cuid
           CUID=$(cat cuid)
@@ -316,11 +314,11 @@ jobs:
 
           docker exec pki pki -n caadmin tps-cert-find --token $CUID
 
-      - name: Format token
+      - name: Format testuser1 token using pki tps-client
         run: |
           CUID=$(cat cuid)
           docker exec pki /usr/share/pki/tps/bin/pki-tps-format \
-              --user=testuser \
+              --user=testuser1 \
               --password=Secret.123 \
               $CUID
 
@@ -331,11 +329,11 @@ jobs:
 
           docker exec pki pki -n caadmin tps-cert-find --token $CUID
 
-      - name: Enroll token
+      - name: Enroll testuser1 token using pki tps-client
         run: |
           CUID=$(cat cuid)
           docker exec pki /usr/share/pki/tps/bin/pki-tps-enroll \
-              --user=testuser \
+              --user=testuser1 \
               --password=Secret.123 \
               $CUID
 
@@ -346,21 +344,67 @@ jobs:
           
           docker exec pki pki -n caadmin tps-cert-find --token $CUID
 
-      - name: KRA key find
+      - name: Find testuser1 key in KRA
         run: |          
           CUID=$(cat cuid | tr [:lower:] [:upper:])
-          USER="testuser"
+          USER="testuser1"
           echo $CUID:$USER > expected
           docker exec pki pki -n caadmin kra-key-find --owner $CUID:$USER | tee output
           sed -n 's/\s*Owner:\s\+\(\S\+\)\s*/\1/p' output > actual
           diff expected actual
 
-      - name: Gather artifacts
-        if: always()
+      - name: Add token for testuser2
+        run: |
+          hexdump -v -n "10" -e '1/1 "%02x"' /dev/urandom > cuid
+          CUID=$(cat cuid)
+          docker exec pki pki -n caadmin tps-token-add $CUID | tee output
+
+          echo "UNFORMATTED" > expected
+          sed -n 's/\s*Status:\s\+\(\S\+\)\s*/\1/p' output > actual
+          diff expected actual
+
+          docker exec pki pki -n caadmin tps-cert-find --token $CUID
+
+      - name: Format testuser2 token using tpsclient
+        run: |
+          CUID=$(cat cuid)
+          docker exec pki /usr/share/pki/tps/bin/pki-tps-format \
+              --client=tpsclient \
+              --user=testuser2 \
+              --password=Secret.123 \
+              $CUID
+
+          echo "FORMATTED" > expected
+          docker exec pki pki -n caadmin tps-token-show $CUID | tee output
+          sed -n 's/\s*Status:\s\+\(\S\+\)\s*/\1/p' output > actual
+          diff expected actual
+
+          docker exec pki pki -n caadmin tps-cert-find --token $CUID
+
+      - name: Enroll testuser2 token using tpsclient
+        run: |
+          CUID=$(cat cuid)
+          docker exec pki /usr/share/pki/tps/bin/pki-tps-enroll \
+              --client=tpsclient \
+              --user=testuser2 \
+              --password=Secret.123 \
+              $CUID
+
+          echo "ACTIVE" > expected
+          docker exec pki pki -n caadmin tps-token-show $CUID | tee output
+          sed -n 's/\s*Status:\s\+\(\S\+\)\s*/\1/p' output > actual
+          diff expected actual
+
+          docker exec pki pki -n caadmin tps-cert-find --token $CUID
+
+      - name: Find testuser2 key in KRA
         run: |
-          tests/bin/ds-artifacts-save.sh ds
-          tests/bin/pki-artifacts-save.sh pki
-        continue-on-error: true
+          CUID=$(cat cuid | tr [:lower:] [:upper:])
+          USER="testuser2"
+          echo $CUID:$USER > expected
+          docker exec pki pki -n caadmin kra-key-find --owner $CUID:$USER | tee output
+          sed -n 's/\s*Owner:\s\+\(\S\+\)\s*/\1/p' output > actual
+          diff expected actual
 
       - name: Remove TPS
         run: docker exec pki pkidestroy -s TPS -v
@@ -484,10 +528,3 @@ jobs:
         if: always()
         run: |
           docker exec pki find /var/lib/pki/pki-tomcat/logs/tps -name "debug.*" -exec cat {} \;
-
-      - name: Upload artifacts
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: tps-basic
-          path: /tmp/artifacts

base/tools/src/main/java/com/netscape/cmstools/tps/TPSCLI.java

@@ -58,6 +58,7 @@ public TPSCLI(MainCLI mainCLI) {
         addModule(new SelfTestCLI(this));
         addModule(new TokenCLI(this));
         addModule(new UserCLI(this));
+        addModule(new TPSClientCLI(this));
     }
 
     @Override

base/tools/src/main/java/com/netscape/cmstools/tps/TPSClientCLI.java

@@ -0,0 +1,46 @@
+//
+// Copyright Red Hat, Inc.
+//
+// SPDX-License-Identifier: GPL-2.0-or-later
+//
+package com.netscape.cmstools.tps;
+
+import org.apache.commons.cli.CommandLine;
+import org.dogtagpki.cli.CommandCLI;
+
+import com.netscape.cmstools.cli.MainCLI;
+
+/**
+ * @author Endi S. Dewata
+ */
+public class TPSClientCLI extends CommandCLI {
+
+    public static org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(TPSClientCLI.class);
+
+    static {
+        System.loadLibrary("pki-tps");
+    }
+
+    public TPSCLI tpsCLI;
+
+    public TPSClientCLI(TPSCLI tpsCLI) {
+        super("client", "TPS client", tpsCLI);
+        this.tpsCLI = tpsCLI;
+    }
+
+    @Override
+    public void printHelp() {
+        formatter.printHelp(getFullName() + " [OPTIONS...]", options);
+    }
+
+    public native void execute() throws Exception;
+
+    @Override
+    public void execute(CommandLine cmd) throws Exception {
+
+        MainCLI mainCLI = (MainCLI) getRoot();
+        mainCLI.init();
+
+        execute();
+    }
+}

base/tools/src/main/native/tpsclient/src/main/RA_Client.cpp

@@ -21,6 +21,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <stdarg.h>
+#include <jni.h>
 
 #include "prinrval.h"
 #include "prmem.h"
@@ -1631,3 +1632,11 @@ RA_Client::Execute ()
 	}
     }
 }				/* Execute */
+
+extern "C" JNIEXPORT void JNICALL
+Java_com_netscape_cmstools_tps_TPSClientCLI_execute
+(JNIEnv* env, jclass clazz)
+{
+    RA_Client client;
+    client.Execute();
+}

base/tools/src/main/native/tpsclient/tools/raclient/tpsclient.cpp

@@ -45,6 +45,8 @@ main (int argc, char *argv[])
   PK11SlotInfo *slot = NULL;
   PRUint32 flags = 0;
 
+  fprintf(stderr, "WARNING: tpsclient has been deprecated. Use pki tps-client instead.\n");
+
   /* Initialize NSPR & NSS */
   PR_Init (PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
   PK11_SetPasswordFunc (ownPasswd);

base/tps/auth/ds/example.ldif

@@ -8,3 +8,25 @@ cn: Test User
 sn: User
 givenName: Test
 userPassword: Secret.123
+
+dn: uid=testuser1,ou=people,dc=example,dc=com
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+uid: testuser1
+cn: Test User 1
+sn: User 1
+givenName: Test
+userPassword: Secret.123
+
+dn: uid=testuser2,ou=people,dc=example,dc=com
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+uid: testuser2
+cn: Test User 2
+sn: User 2
+givenName: Test
+userPassword: Secret.123

base/tps/bin/pki-tps-enroll

@@ -1,5 +1,6 @@
 #!/bin/bash
 
+TPS_CLIENT="pki tps-client"
 TPS_HOSTNAME=$HOSTNAME
 TPS_PORT=8080
 TPS_PATH=/tps/tps
@@ -28,6 +29,9 @@ while getopts v-: arg ; do
         LONG_OPTARG="${OPTARG#*=}"
 
         case $OPTARG in
+        client=?*)
+            TPS_CLIENT="$LONG_OPTARG"
+            ;;
         hostname=?*)
             TPS_HOSTNAME="$LONG_OPTARG"
             ;;
@@ -43,7 +47,7 @@ while getopts v-: arg ; do
         '')
             break # "--" terminates argument processing
             ;;
-        hostname* | port* | user* | password*)
+        client* | hostname* | port* | user* | password*)
             echo "ERROR: Missing argument for --$OPTARG option" >&2
             exit 1
             ;;
@@ -64,7 +68,7 @@ shift $((OPTIND-1))
 
 CUID=$1
 
-tpsclient << EOF
+$TPS_CLIENT << EOF
 op=var_set name=ra_host value=$TPS_HOSTNAME
 op=var_set name=ra_port value=$TPS_PORT
 op=var_set name=ra_uri value=$TPS_PATH
@@ -80,11 +84,17 @@ op=ra_enroll uid=$USERNAME pwd=$PASSWORD num_threads=$THREADS extensions=$EXTENS
 op=exit
 EOF
 
-# tpsclient returns 1 on success and 0 on failure,
-# so the return code needs to be inverted
+rc=$?
+
+if [ "$TPS_CLIENT" == "tpsclient" ]; then
+    # tpsclient returns 1 on success and 0 on failure,
+    # so the return code needs to be inverted
+
+    if [ "$rc" == "0" ]; then
+        exit 1
+    fi
 
-if [ "$?" == "0" ]; then
-    exit 1
+    exit 0
 fi
 
-exit 0
+exit $rc

base/tps/bin/pki-tps-format

@@ -1,5 +1,6 @@
 #!/bin/bash
 
+TPS_CLIENT="pki tps-client"
 TPS_HOSTNAME=$HOSTNAME
 TPS_PORT=8080
 TPS_PATH=/tps/tps
@@ -26,6 +27,9 @@ while getopts v-: arg ; do
         LONG_OPTARG="${OPTARG#*=}"
 
         case $OPTARG in
+        client=?*)
+            TPS_CLIENT="$LONG_OPTARG"
+            ;;
         hostname=?*)
             TPS_HOSTNAME="$LONG_OPTARG"
             ;;
@@ -41,7 +45,7 @@ while getopts v-: arg ; do
         '')
             break # "--" terminates argument processing
             ;;
-        hostname* | port* | user* | password*)
+        client* | hostname* | port* | user* | password*)
             echo "ERROR: Missing argument for --$OPTARG option" >&2
             exit 1
             ;;
@@ -62,7 +66,7 @@ shift $((OPTIND-1))
 
 CUID=$1
 
-tpsclient << EOF
+$TPS_CLIENT << EOF
 op=var_set name=ra_host value=$TPS_HOSTNAME
 op=var_set name=ra_port value=$TPS_PORT
 op=var_set name=ra_uri value=$TPS_PATH
@@ -78,11 +82,17 @@ op=ra_format uid=$USERNAME pwd=$PASSWORD num_threads=$THREADS extensions=$EXTENS
 op=exit
 EOF
 
-# tpsclient returns 1 on success and 0 on failure,
-# so the return code needs to be inverted
+rc=$?
+
+if [ "$TPS_CLIENT" == "tpsclient" ]; then
+    # tpsclient returns 1 on success and 0 on failure,
+    # so the return code needs to be inverted
+
+    if [ "$rc" == "0" ]; then
+        exit 1
+    fi
 
-if [ "$?" == "0" ]; then
-    exit 1
+    exit 0
 fi
 
-exit 0
+exit $rc

docs/changes/v11.7.0/Tools-Changes.adoc

@@ -0,0 +1,5 @@
+= Tools Changes =
+
+== Deprecate tpsclient ==
+
+`tpsclient` has been deprecated. Use `pki tps-client` instead.