name: Checks

permissions:
  id-token: write
  contents: read

env:
  VAULT_NAME: bvdbkeyweavetweukvt{0}

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  build:
    name: Build Keyweave
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - uses: dtolnay/rust-toolchain@stable
    - name: Build project
      run: cargo build --all --release
    - uses: actions/upload-artifact@v3.1.3
      with:
        path: target/release/keyweave

  bicep:
    name: Deploy Azure resources
    environment: bicep
    runs-on: ubuntu-latest
    env:
      LOCATION: eastus
      DEPLOYMENT_NAME: keyweave-${{ github.run_id }}
    steps:
    - uses: actions/checkout@v3
    - uses: azure/login@v1
      with:
        client-id: ${{ secrets.AZURE_CLIENT_ID }}
        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
    - name: Deploy Bicep template
      uses: azure/arm-deploy@v1
      with:
        scope: subscription
        region: ${{ env.LOCATION }}
        template: bicep/main.bicep
        deploymentName: ${{ env.DEPLOYMENT_NAME }}

  none-test:
    name: Tests without access
    needs: [build, bicep]
    runs-on: ubuntu-latest
    environment: none
    steps:
    - uses: actions/download-artifact@v3.0.2
    - uses: azure/login@v1
      with:
        client-id: ${{ secrets.AZURE_CLIENT_ID }}
        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
    - name: Use Keyweave with No Access Policies
      run: |
        chmod +x ./artifact/keyweave
        ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }}

  get-test:
    name: Tests with Get access
    needs: [build, bicep]
    runs-on: ubuntu-latest
    environment: get
    steps:
    - uses: actions/download-artifact@v3.0.2
    - uses: azure/login@v1
      with:
        client-id: ${{ secrets.AZURE_CLIENT_ID }}
        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
    - name: Use Keyweave with Only Get Access Policy
      run: |
        chmod +x ./artifact/keyweave
        ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }}

  list-test:
    name: Tests with List access
    needs: [build, bicep]
    runs-on: ubuntu-latest
    environment: list
    steps:
    - uses: actions/download-artifact@v3.0.2
    - uses: azure/login@v1
      with:
        client-id: ${{ secrets.AZURE_CLIENT_ID }}
        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
    - name: Use Keyweave with Only List Access Policy
      run: |
        chmod +x ./artifact/keyweave
        ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }}

  get-list-test:
    name: Tests with Get and List access
    needs: [build, bicep]
    runs-on: ubuntu-latest
    environment: getlist
    steps:
    - uses: actions/download-artifact@v3.0.2
    - uses: azure/login@v1
      with:
        client-id: ${{ secrets.AZURE_CLIENT_ID }}
        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
    - name: Use Keyweave with both Get and List Access Policies
      run: |
        chmod +x ./artifact/keyweave
        ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }}

    - name: Use Keyweave with a filter
      run: |
        ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }} --filter "filter"

    - name: Use Keyweave with a complex file path
      run: |
        mkdir -p "user/projects/project 1/src/lib"
        ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }} --output "user/projects/project 1/src/lib/.env"

    - name: Use Keyweave with a non-existent Key Vault
      run: ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }}1234

    - name: Use Keyweave with a firewalled Key Vault
      run: ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '2') }}

    - name: Use Keyweave with a no permissions
      run: |
        mkdir -p "user/projects/project 1/src/lib"
        ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }} --output "/.env"

    - uses: azure/login@v1
      with:
        client-id: ${{ secrets.AZURE_CLIENT_ID }}
        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
        subscription-id: ${{ secrets.OTHER_SUBSCRIPTION_ID }}
    - name: Use Keyweave while logged into other Subscription
      run: ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }}

    # - uses: azure/login@v1
    #   with:
    #     client-id: ${{ secrets.AZURE_CLIENT_ID }}
    #     tenant-id: ${{ secrets.OTHER_TENANT_ID }}
    #     subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
    # - name: Use Keyweave while logged into other Azure Tenant
    #   run: ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }}