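---
# TLS integration suite: runs on pull requests that touch the listed paths, and on demand
# from other workflows via workflow_call.
name: Integration Tests (TLS)

on:
  workflow_call:
  pull_request:
    paths:
      - 'src/**'
      - 'tests/**'
      - 'Cargo.toml'
      - '.github/workflows/integration-test-tls.yml'

# Least privilege for GITHUB_TOKEN: without this block the token gets the repository or
# organisation default, which may include write scopes. This workflow builds and runs code
# from the pull request, so it is limited to reading repository contents.
permissions:
  contents: read

env:
  CARGO_TERM_COLOR: always
  # Quoted so the value stays the string "1" instead of being typed as an integer.
  RUST_BACKTRACE: "1"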
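jobs:
  # Starts TLS-enabled PostgreSQL and MariaDB containers, checks that TLS is really in use,
  # then runs the Rust integration tests against them.
  #
  # The credentials used below ("secret") are fixed test values for containers that exist
  # only for the duration of this job. They appear in the workflow file, in process
  # arguments and in logs; never reuse them outside this test setup.
  integration-test-tls:
    name: TLS Integration Tests
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): both actions are referenced by a mutable tag/branch. Pin each one to a
      # full commit SHA (keeping the tag as a trailing comment) so an upstream retag cannot
      # change what executes in this job.
      - uses: actions/checkout@v6
        with:
          # Do not leave the job token in .git/config while pull-request code is built and
          # run; no later step needs authenticated git access.
          persist-credentials: false
      - uses: dtolnay/rust-toolchain@stable

      - name: Install database clients and OpenSSL
        run: |
          sudo apt-get update
          sudo apt-get install -y postgresql-client mariadb-client openssl

      - name: Generate TLS certificates
        run: |
          ./scripts/gen-certs.sh
          # Make MariaDB key readable.
          # A world-readable private key is tolerable only because this is a test key used
          # by this job; presumably the server process inside the container runs under a
          # different UID and could not read the bind-mounted file otherwise (confirm).
          # Do not copy this pattern for real keys.
          chmod 644 .certs/mariadb/server.key
          # Show certificate info
          echo "==> PostgreSQL Certificate Info:"
          openssl x509 -in .certs/postgres/server.crt -noout -subject -issuer -dates
          echo "==> MariaDB Certificate Info:"
          openssl x509 -in .certs/mariadb/server.crt -noout -subject -issuer -dates

      - name: Prepare PostgreSQL with TLS
        run: |
          # Create custom PostgreSQL image with certificates.
          # The private key ends up in an image layer, so postgres-tls:test must stay a
          # local, throwaway image and never be pushed to a registry.
          # NOTE(review): postgres:18-alpine is a mutable tag; pin it by digest for
          # reproducible runs.
          # The heredoc delimiter is quoted so the Dockerfile is written verbatim, with no
          # shell expansion of its contents.
          cat > Dockerfile.postgres-tls <<'EOF'
          FROM postgres:18-alpine
          COPY .certs/postgres/server.crt /var/lib/postgresql/server.crt
          COPY .certs/postgres/server.key /var/lib/postgresql/server.key
          COPY .certs/postgres/ca.crt /var/lib/postgresql/ca.crt
          RUN chown postgres:postgres /var/lib/postgresql/server.* /var/lib/postgresql/ca.crt && \
              chmod 600 /var/lib/postgresql/server.key && \
              chmod 644 /var/lib/postgresql/server.crt /var/lib/postgresql/ca.crt
          EOF
          docker build -t postgres-tls:test -f Dockerfile.postgres-tls .

      - name: Start PostgreSQL with TLS
        run: |
          # The port is published on all runner interfaces. That is acceptable on an
          # ephemeral CI runner; bind to 127.0.0.1 if this setup is reused on a shared host.
          docker run -d \
            --name postgres-tls \
            -e POSTGRES_USER=postgres \
            -e POSTGRES_PASSWORD=secret \
            -e POSTGRES_DB=testdb \
            -p 5432:5432 \
            postgres-tls:test \
            -c ssl=on \
            -c ssl_cert_file=/var/lib/postgresql/server.crt \
            -c ssl_key_file=/var/lib/postgresql/server.key \
            -c ssl_ca_file=/var/lib/postgresql/ca.crt \
            -c ssl_min_protocol_version=TLSv1.2
          # Wait for PostgreSQL, and fail explicitly if it never becomes ready instead of
          # falling through to the next command.
          ready=false
          for i in {1..30}; do
            if docker exec postgres-tls pg_isready -U postgres 2>/dev/null; then
              echo "PostgreSQL is ready!"
              ready=true
              break
            fi
            echo "Waiting for PostgreSQL... ($i/30)"
            sleep 2
          done
          if [ "$ready" != true ]; then
            echo "::error::PostgreSQL did not become ready in time"
            exit 1
          fi
          # Verify TLS is enabled: assert the setting rather than only printing it.
          ssl_state="$(docker exec postgres-tls psql -U postgres -d testdb -tA -c "SHOW ssl;")"
          echo "ssl=${ssl_state}"
          [ "$ssl_state" = "on" ]

      - name: Start MariaDB with TLS
        run: |
          # --require-secure-transport=OFF means the server still accepts plaintext
          # connections; presumably the test suite needs both modes (confirm). A production
          # server should set it to ON.
          # NOTE(review): mariadb:12 is a mutable tag; pin it by digest for reproducible runs.
          docker run -d \
            --name mariadb-tls \
            -e MARIADB_USER=dbpulse \
            -e MARIADB_PASSWORD=secret \
            -e MARIADB_ROOT_PASSWORD=secret \
            -e MARIADB_DATABASE=testdb \
            -p 3306:3306 \
            -v "$PWD/.certs/mariadb/server.crt:/etc/mysql/ssl/server.crt:ro" \
            -v "$PWD/.certs/mariadb/server.key:/etc/mysql/ssl/server.key:ro" \
            -v "$PWD/.certs/mariadb/ca.crt:/etc/mysql/ssl/ca.crt:ro" \
            mariadb:12 \
            --ssl-cert=/etc/mysql/ssl/server.crt \
            --ssl-key=/etc/mysql/ssl/server.key \
            --ssl-ca=/etc/mysql/ssl/ca.crt \
            --require-secure-transport=OFF \
            --tls-version=TLSv1.2,TLSv1.3
          # Wait for MariaDB, and fail explicitly if it never becomes ready.
          ready=false
          for i in {1..30}; do
            if docker exec mariadb-tls mariadb -u dbpulse -psecret -D testdb -e "SELECT 1" &>/dev/null; then
              echo "MariaDB is ready!"
              ready=true
              break
            fi
            echo "Waiting for MariaDB... ($i/30)"
            sleep 2
          done
          if [ "$ready" != true ]; then
            echo "::error::MariaDB did not become ready in time"
            exit 1
          fi
          # Verify TLS is enabled: assert the value rather than only printing it.
          have_ssl="$(docker exec mariadb-tls mariadb -u root -psecret -N -B \
            -e "SHOW VARIABLES LIKE 'have_ssl';" | awk '{print $2}')"
          echo "have_ssl=${have_ssl}"
          [ "$have_ssl" = "YES" ]

      - name: Test TLS connectivity (PostgreSQL)
        run: |
          # Test that TLS connection works.
          # sslmode=require makes the client refuse an unencrypted session, but it does not
          # validate the server certificate; certificate validation is left to the
          # TLS-specific tests, which receive the CA path.
          PGSSLMODE=require psql "postgresql://postgres:secret@localhost:5432/testdb" -c "SELECT version();"
          # Verify we're using TLS
          PGSSLMODE=require psql "postgresql://postgres:secret@localhost:5432/testdb" \
            -c "SELECT ssl, version, cipher FROM pg_stat_ssl WHERE pid = pg_backend_pid();"

      - name: Test TLS connectivity (MariaDB)
        run: |
          # Test that TLS connection works
          docker exec mariadb-tls mariadb -h 127.0.0.1 -u dbpulse -psecret -D testdb --ssl -e "SELECT VERSION();"
          # Verify we're using TLS: an empty Ssl_cipher means the session is not encrypted,
          # so fail the step in that case instead of only printing the status row.
          cipher="$(docker exec mariadb-tls mariadb -h 127.0.0.1 -u dbpulse -psecret -D testdb --ssl -N -B \
            -e "SHOW STATUS LIKE 'Ssl_cipher';" | awk '{print $2}')"
          echo "Ssl_cipher=${cipher}"
          [ -n "$cipher" ]

      - name: Run PostgreSQL integration tests (basic)
        run: cargo test --test postgres_test -- --ignored --nocapture
        env:
          TEST_POSTGRES_DSN: "postgresql://postgres:secret@tcp(localhost:5432)/testdb?sslmode=require"

      - name: Run PostgreSQL TLS-specific tests
        run: cargo test --test postgres_tls_test -- --ignored --nocapture
        env:
          TEST_POSTGRES_DSN: "postgresql://postgres:secret@tcp(localhost:5432)/testdb"
          POSTGRES_CA_CERT: "${{ github.workspace }}/.certs/postgres/ca.crt"

      - name: Run MariaDB integration tests (basic)
        run: cargo test --test mariadb_test -- --ignored --nocapture
        env:
          TEST_MARIADB_DSN: "mysql://dbpulse:secret@tcp(localhost:3306)/testdb?ssl-mode=REQUIRED"

      - name: Run MariaDB TLS-specific tests
        run: cargo test --test mariadb_tls_test -- --ignored --nocapture
        env:
          TEST_MARIADB_DSN: "mysql://dbpulse:secret@tcp(localhost:3306)/testdb"
          MARIADB_CA_CERT: "${{ github.workspace }}/.certs/mariadb/ca.crt"

      - name: Show container logs on failure
        if: failure()
        run: |
          echo "==> PostgreSQL logs:"
          docker logs postgres-tls
          echo ""
          echo "==> MariaDB logs:"
          docker logs mariadb-tls

      # Runs even after a failed step so the containers never outlive the job.
      - name: Cleanup
        if: always()
        run: |
          docker stop postgres-tls mariadb-tls || true
          docker rm postgres-tls mariadb-tls || true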