include:
  - remote: https://open.greenhost.net/openappstack/openappstack/raw/master/.gitlab/ci_templates/kaniko.yml

stages:
  - build
  - build-test-images
  - application-test
  - integration-test

consent_provider:
  stage: build
  variables:
    KANIKO_CONTEXT: "consent_provider"
    KANIKO_BUILD_IMAGENAME: $CI_JOB_NAME
  extends: .kaniko_build
  only:
    changes:
      - consent_provider/**/*
      - .gitlab-ci.yml

login_provider:
  stage: build
  variables:
    KANIKO_CONTEXT: "login_provider"
    KANIKO_BUILD_IMAGENAME: $CI_JOB_NAME
  extends: .kaniko_build
  only:
    changes:
      - login_provider/**/*
      - .gitlab-ci.yml

login_logout:
  stage: build-test-images
  variables:
    KANIKO_CONTEXT: "test/login_logout"
    KANIKO_BUILD_IMAGENAME: $CI_JOB_NAME
  extends: .kaniko_build
  only:
    changes:
      - ./test/login_logout/**/*
      - .gitlab-ci.yml

integration_test:
  stage: build-test-images
  variables:
    KANIKO_CONTEXT: "test/login_logout/test"
    KANIKO_BUILD_IMAGENAME: $CI_JOB_NAME
  extends: .kaniko_build
  only:
    changes:
      - ./test/login_logout/test/**/*
      - .gitlab-ci.yml


behave-integration:
  stage: integration-test
  services:
    - name: postgres:latest
      alias: postgres
    - name: ${CI_REGISTRY_IMAGE}/login_provider:${CI_COMMIT_REF_NAME}
      alias: login
    - name: ${CI_REGISTRY_IMAGE}/consent_provider:${CI_COMMIT_REF_NAME}
      alias: consent
    - name: oryd/hydra:latest
      alias: hydra
      command:
        - serve
        - all
        - --dangerous-force-http
        - --dangerous-allow-insecure-redirect-urls
        - http://oauth:5000/callback
    - name: open.greenhost.net:4567/openappstack/user-panel/backend:master
      alias: backend
    - name: ${CI_REGISTRY_IMAGE}/login_logout:${CI_COMMIT_REF_NAME}
      alias: oauth
  variables:
    # Gitlab CI does not propagate service names to service containers
    # it assigns addresses incrementally starting from 172.17.0.2
    # in the order that the services are started which is the order of
    # the services listed in the job configuration
    DATABASE_HOST: "172.17.0.2" # 172.17.0.2 -> postgres
    URLS_LOGIN: "http://172.17.0.3:5000/login" # 172.17.0.3 -> login
    URLS_LOGOUT: "http://172.17.0.3:5000/logout"
    LOGOUT_URL: "http://172.17.0.3:5000/logout"
    URLS_POST_LOGOUT_REDIRECT: "http://172.17.0.3:5000/"
    URLS_CONSENT: "http://172.17.0.4:5001/consent" # 172.17.0.4 -> consent
    URLS_SELF_ISSUER: "http://172.17.0.5:4444/" # 172.17.0.5 -> hydra
    BASE_URL: "http://172.17.0.5:4444/"
    HYDRA_ADMIN_URL: "http://172.17.0.5:4445"
    ACCESS_TOKEN_URL: "http://172.17.0.5:4444/oauth2/token"
    AUTHORIZE_URL: "http://172.17.0.5:4444/oauth2/auth"
    USERINFO_URL: "http://172.17.0.5:4444/userinfo"
    GRAPHQL_URL: "http://172.17.0.6:5000/graphql" # 172.17.0.6 -> backend
    GIT_SUBMODULE_STRATEGY: "recursive"
    TESTUSER_USERNAME: "testuser"
    TESTUSER_USERNAME2: "testuser2"
    TESTUSER_PASSWORD: "password"
    TESTUSER_EMAIL: "testuser@example.net"
    TESTUSER_EMAIL2: "testuser2@example.net"
    ROLE: "admin"
    DSN: "memory"
    SECRETS_SYSTEM: "youReallyNeedToChangeThis"
    OIDC_SUBJECT_TYPES_SUPPORTED: "public,pairwise"
    OIDC_SUBJECT_TYPE_PAIRWISE_SALT: "youReallyNeedToChangeThis"
    DATABASE_USER: postgres
    DATABASE_PASSWORD: secret
    DATABASE_NAME: postgres
    POSTGRES_PASSWORD: secret
    POSTGRES_USER: postgres
    POSTGRES_DB: postgres
    OAUTHLIB_INSECURE_TRANSPORT: "true"
    KEY: "testapp"
    SECRET: "secret"
    DEBUG: "true"
    FLASK_ENV: "development"
  image: ${CI_REGISTRY_IMAGE}/integration_test:${CI_COMMIT_REF_NAME}
  script:
    - echo "WAIT FOR SERVICES TO INITIALIZE" && sleep 20
    - /bin/bash user-panel/backend/utils/create-user.bash ${TESTUSER_USERNAME} ${TESTUSER_PASSWORD} ${TESTUSER_EMAIL} backend:5000
    - /bin/bash user-panel/backend/utils/create-user.bash ${TESTUSER_USERNAME2} ${TESTUSER_PASSWORD} ${TESTUSER_EMAIL2} backend:5000
    - /bin/bash user-panel/backend/utils/create-application.bash ${KEY} backend:5000
    - /bin/bash user-panel/backend/utils/create-role.bash ${ROLE} backend:5000
    - /bin/bash user-panel/backend/utils/grant-access.bash ${TESTUSER_USERNAME} ${KEY} backend:5000
    - /bin/bash user-panel/backend/utils/assign-role.bash ${TESTUSER_USERNAME} ${ROLE} backend:5000
    - /bin/bash test/create-hydra-client.bash ${KEY} ${SECRET} http://hydra:4445 http://oauth:5000/callback
    - cd test/login_logout/test/behave/
    - >
        python3 -m behave
        -D headless=True
        -D url=http://oauth:5000
        -D username=${TESTUSER_USERNAME}
        -D username2=${TESTUSER_USERNAME2}
        -D password=${TESTUSER_PASSWORD}
        -D email=${TESTUSER_EMAIL}
        -D role=${ROLE}
  artifacts:
    paths:
      - test/login_logout/test/behave/screenshots/
    expire_in: 1 month
    when: on_failure