diff options
| author | Russ Allbery <rra@cpan.org> | 2021-12-25 17:14:56 -0800 |
|---|---|---|
| committer | Russ Allbery <rra@cpan.org> | 2021-12-25 17:14:56 -0800 |
| commit | d49f4587924e350998178e517b800b7268fa6345 (patch) | |
| tree | 1d26849d3f9031428c387384be14dfd5477ac0f1 /t | |
| parent | 553010fbf8facfc349a4b48b6aa7837ad006013b (diff) | |
| parent | d47e0c931855cf0efbe72291f67ebbbd964f096f (diff) | |
New upstream version 6.00
Diffstat (limited to 't')
53 files changed, 808 insertions, 547 deletions
diff --git a/t/cli/generate.t b/t/cli/generate.t index 38c8b2e..87c8f68 100755 --- a/t/cli/generate.t +++ b/t/cli/generate.t @@ -39,7 +39,7 @@ my $tempdir = File::Temp->newdir(); # generate/self.t test, but via the command-line parser. Do this in a # separate block so that $tempfile goes out of scope and will be cleaned up. { - my $tempfile = File::Temp->new(DIR => $tempdir); + my $tempfile = File::Temp->new(DIR => $tempdir); my $output_path = $tempfile->filename; $docknot->run('generate', 'readme', $output_path); my $output = slurp($output_path); @@ -48,7 +48,7 @@ my $tempdir = File::Temp->newdir(); # Do the same thing again, but using arguments from @ARGV. { - my $tempfile = File::Temp->new(DIR => $tempdir); + my $tempfile = File::Temp->new(DIR => $tempdir); my $output_path = $tempfile->filename; local @ARGV = ('generate', 'readme-md', "$output_path"); $docknot->run(); @@ -57,9 +57,9 @@ my $tempdir = File::Temp->newdir(); } # Save the paths to various files in the source directory. -my $readme_path = File::Spec->catfile(getcwd(), 'README'); +my $readme_path = File::Spec->catfile(getcwd(), 'README'); my $readme_md_path = File::Spec->catfile(getcwd(), 'README.md'); -my $metadata_path = File::Spec->catfile(getcwd(), 'docs', 'docknot.yaml'); +my $metadata_path = File::Spec->catfile(getcwd(), 'docs', 'docknot.yaml'); # Generate all of the files using generate-all in a new temporary directory. my $tmpdir = File::Temp->newdir(); diff --git a/t/cli/spin.t b/t/cli/spin.t index 434cbb5..ac7894f 100755 --- a/t/cli/spin.t +++ b/t/cli/spin.t @@ -17,13 +17,22 @@ use Cwd qw(getcwd realpath); use File::Copy::Recursive qw(dircopy); use File::Spec (); use File::Temp (); +use POSIX qw(LC_ALL setlocale); use Test::RRA qw(is_file_contents); use Test::DocKnot::Spin qw(is_spin_output is_spin_output_tree); use Test::More; -# Load the module. -BEGIN { use_ok('App::DocKnot::Command') } +# Load the modules. +BEGIN { + use_ok('App::DocKnot::Command'); + use_ok('App::DocKnot::Util', qw(print_fh)); +} + +# Force the C locale because some of the output intentionally uses localized +# month names and we have to force those to English for comparison of test +# results. +setlocale(LC_ALL, 'C'); # Create the command-line parser. my $docknot = App::DocKnot::Command->new(); @@ -33,10 +42,10 @@ isa_ok($docknot, 'App::DocKnot::Command'); my $tempdir = File::Temp->newdir(); # Spin a single file. -my $datadir = File::Spec->catfile('t', 'data', 'spin'); -my $input = File::Spec->catfile($datadir, 'input', 'index.th'); +my $datadir = File::Spec->catfile('t', 'data', 'spin'); +my $input = File::Spec->catfile($datadir, 'input', 'index.th'); my $expected = File::Spec->catfile($datadir, 'output', 'index.html'); -my $output = File::Spec->catfile($tempdir->dirname, 'index.html'); +my $output = File::Spec->catfile($tempdir->dirname, 'index.html'); $docknot->run('spin-thread', '-s', '/~eagle/styles', $input, $output); is_spin_output($output, $expected, 'spin-thread (output specified)'); @@ -50,20 +59,21 @@ close($output_fh); is_spin_output($output, $expected, 'spin-thread (standard output)'); # Copy the input tree to a new temporary directory since .rss files generate -# additional thread files. Replace the rpod pointer since it points to a +# additional thread files. Replace the .spin pointer since it points to a # relative path in the source tree. my $indir = File::Temp->newdir(); $input = File::Spec->catfile($datadir, 'input'); dircopy($input, $indir->dirname) or die "Cannot copy $input to $indir: $!\n"; -my $rpod_source = File::Spec->catfile(getcwd(), 'lib', 'App', 'DocKnot.pm'); -my $rpod_path = File::Spec->catfile( +my $pod_source = File::Spec->catfile(getcwd(), 'lib', 'App', 'DocKnot.pm'); +my $pointer_path = File::Spec->catfile( $indir->dirname, 'software', 'docknot', 'api', - 'app-docknot.rpod', + 'app-docknot.spin', ); -chmod(0644, $rpod_path); -open(my $fh, '>', $rpod_path); -print {$fh} "$rpod_source\n" or die "Cannot write to $rpod_path: $!\n"; +chmod(0644, $pointer_path); +open(my $fh, '>', $pointer_path); +print_fh($fh, $pointer_path, "format: pod\n"); +print_fh($fh, $pointer_path, "path: $pod_source\n"); close($fh); # Spin a tree of files. @@ -89,4 +99,4 @@ like( ); # Report the end of testing. -done_testing($count + 5); +done_testing($count + 6); diff --git a/t/config/basic.t b/t/config/basic.t index 018ece6..87cd0c5 100755 --- a/t/config/basic.t +++ b/t/config/basic.t @@ -35,8 +35,8 @@ my $data_ref = $config->config(); ok($data_ref->{build}{install}, 'build/install defaults to true'); # Check that the license data is expanded correctly. -my $licenses_path = module_file('App::DocKnot', 'licenses.yaml'); -my $licenses_ref = YAML::XS::LoadFile($licenses_path); +my $licenses_path = module_file('App::DocKnot', 'licenses.yaml'); +my $licenses_ref = YAML::XS::LoadFile($licenses_path); my $perl_license_ref = $licenses_ref->{Perl}; is($data_ref->{license}{summary}, $perl_license_ref->{summary}, 'summary'); -is($data_ref->{license}{text}, $perl_license_ref->{text}, 'text'); +is($data_ref->{license}{text}, $perl_license_ref->{text}, 'text'); diff --git a/t/data/dist/package/Build.PL b/t/data/dist/package/Build.PL index b50f458..84edf47 100755 --- a/t/data/dist/package/Build.PL +++ b/t/data/dist/package/Build.PL @@ -14,6 +14,7 @@ use warnings; use Module::Build; +#<<< my $build = Module::Build->new( dist_abstract => 'Empty test module', dist_author => 'Russ Allbery <rra@cpan.org>', @@ -23,4 +24,5 @@ my $build = Module::Build->new( add_to_cleanup => [qw(MANIFEST.bak MYMETA.json.lock cover_db)], configure_requires => { 'Module::Build' => 0.36 }, ); +#>>> $build->create_build_script; diff --git a/t/data/generate/docknot/output/thread b/t/data/generate/docknot/output/thread index f2044cd..63e79c3 100644 --- a/t/data/generate/docknot/output/thread +++ b/t/data/generate/docknot/output/thread @@ -104,6 +104,7 @@ for your own purposes. Perl 5.24 or later and Module::Build are required to build this module. The following additional Perl modules are required to use it: +\bullet(packed)[Date::Language (part of TimeDate)] \bullet(packed)[Date::Parse (part of TimeDate)] \bullet(packed)[File::BaseDir] \bullet(packed)[File::ShareDir] @@ -116,6 +117,7 @@ The following additional Perl modules are required to use it: \bullet(packed)[JSON::MaybeXS] \bullet(packed)[Kwalify] \bullet(packed)[List::SomeUtils 0.07 or later] +\bullet(packed)[Path::Tiny] \bullet(packed)[Perl6::Slurp] \bullet(packed)[Pod::Thread 3.00 or later] \bullet(packed)[Template (part of Template Toolkit)] @@ -179,11 +181,13 @@ development source]. \doc[api/app-docknot-dist.html][App::DocKnot::Dist] \doc[api/app-docknot-generate.html][App::DocKnot::Generate] \doc[api/app-docknot-spin.html][App::DocKnot::Spin] + \doc[api/app-docknot-spin-pointer.html][App::DocKnot::Spin::Pointer] \doc[api/app-docknot-spin-rss.html][App::DocKnot::Spin::RSS] \doc[api/app-docknot-spin-sitemap.html][App::DocKnot::Spin::Sitemap] \doc[api/app-docknot-spin-thread.html][App::DocKnot::Spin::Thread] \doc[api/app-docknot-spin-versions.html][App::DocKnot::Spin::Versions] \doc[api/app-docknot-update.html][App::DocKnot::Update] + \doc[api/app-docknot-util.html][App::DocKnot::Util] ] \h2(after)[License] diff --git a/t/data/generate/pam-krb5/docknot.yaml b/t/data/generate/pam-krb5/docknot.yaml index cf4ce0b..2fd2dfd 100644 --- a/t/data/generate/pam-krb5/docknot.yaml +++ b/t/data/generate/pam-krb5/docknot.yaml @@ -1,15 +1,28 @@ +# Package metadata for pam-krb5. +# +# This file contains configuration for DocKnot used to generate +# documentation files (like README.md) and web pages. Other documentation +# in this package is generated automatically from these files as part of +# the release process. For more information, see DocKnot's documentation. +# +# DocKnot is available from <https://www.eyrie.org/~eagle/software/docknot/>. +# +# Copyright 2017, 2020-2021 Russ Allbery <eagle@eyrie.org> +# +# SPDX-License-Identifier: BSD-3-clause or GPL-1+ + format: v1 name: pam-krb5 maintainer: Russ Allbery <eagle@eyrie.org> -version: '4.8' +version: '4.11' synopsis: PAM module for Kerberos authentication license: name: BSD-3-clause-or-GPL-1+ copyrights: - holder: Russ Allbery <eagle@eyrie.org> - years: 2005-2010, 2014-2015, 2017 + years: 2005-2010, 2014-2015, 2017, 2020-2021 - holder: The Board of Trustees of the Leland Stanford Junior University years: 2009-2011 - holder: Andres Salomon <dilinger@debian.org> @@ -24,25 +37,26 @@ build: kerberos: true manpages: true middle: | - The module will be installed in `/usr/local/lib/security` by default, - except on 64-bit versions of Linux which will use - `/usr/local/lib64/security` to match the default PAM configuration. You - can change the installation locations with the `--prefix`, `--mandir`, and - `--libdir` options to configure. The module will always be installed in a - subdirectory named `security` under the specified libdir. On Linux, use - `--prefix=/usr` to install the man page into `/usr/share/man` and the PAM - module in `/lib/security` or `/lib64/security`. + The module will be installed in `/usr/local/lib/security` by default, but + expect to have to override this using `--libdir`. The correct + installation path for PAM modules varies considerably between systems. + The module will always be installed in a subdirectory named `security` + under the specified value of `--libdir`. On Red Hat Linux, for example, + `--libdir=/usr/lib64` is appropriate to install the module into the system + PAM directory. On Debian's amd64 architecture, + `--libdir=/usr/lib/x86_64-linux-gnu` would be correct. reduced_depends: true type: Autoconf + valgrind: true distribution: packaging: debian: package: libpam-krb5 summary: | Debian packages are available from Debian in Debian 4.0 (etch) and - later releases as libpam-krb5 and libpam-heimdal. The former - packages are built against the MIT Kerberos libraries and the - latter against the Heimdal libraries. + later releases as libpam-krb5 and libpam-heimdal. The former packages + are built against the MIT Kerberos libraries and the latter against + the Heimdal libraries. section: kerberos tarname: pam-krb5 version: pam-krb5 @@ -54,6 +68,8 @@ vcs: browse: https://git.eyrie.org/?p=kerberos/pam-krb5.git github: rra/pam-krb5 openhub: https://www.openhub.net/p/pamkrb5 + status: + workflow: build type: Git url: https://git.eyrie.org/git/kerberos/pam-krb5.git @@ -66,6 +82,9 @@ quote: title: '"Look, ma, no hands!"' work: Salon advisories: + - date: 2020-03-30 + threshold: '4.9' + versions: 4.8 and earlier - date: 2009-02-11 threshold: '3.13' versions: 3.12 and earlier @@ -73,6 +92,9 @@ docs: user: - name: pam-krb5 title: Manual page + developer: + - name: todo + title: To-do list blurb: | pam-krb5 is a Kerberos PAM module for either MIT Kerberos or Heimdal. It @@ -88,33 +110,104 @@ blurb: | description: | pam-krb5 provides a Kerberos PAM module that supports authentication, user ticket cache handling, simple authorization (via .k5login or checking - Kerberos principals against local usernames), and password changing. It - can be configured through either options in the PAM configuration itself - or through entries in the system krb5.conf file, and it tries to work - around PAM implementation flaws in commonly-used PAM-enabled applications - such as OpenSSH and xdm. It supports both PKINIT and FAST to the extent - that the underlying Kerberos libraries support these features. + Kerberos principals against local usernames), and password changing. It can + be configured through either options in the PAM configuration itself or + through entries in the system krb5.conf file, and it tries to work around + PAM implementation flaws in commonly-used PAM-enabled applications such as + OpenSSH and xdm. It supports both PKINIT and FAST to the extent that the + underlying Kerberos libraries support these features. This is not the Kerberos PAM module maintained on Sourceforge and used on Red Hat systems. It is an independent implementation that, if it ever shared any common code, diverged long ago. It supports some features that the Sourceforge module does not (particularly around authorization), and does not support some options (particularly ones not directly related to - Kerberos) that it does. This module will never support Kerberos v4 or - AFS. For an AFS session module that works with this module (or any other - Kerberos PAM module), see + Kerberos) that it does. This module will never support Kerberos v4 or AFS. + For an AFS session module that works with this module (or any other Kerberos + PAM module), see [pam-afs-session](https://www.eyrie.org/~eagle/software/pam-afs-session/). If there are other options besides AFS and Kerberos v4 support from the Sourceforge PAM module that you're missing in this module, please let me know. +requirements: | + Either MIT Kerberos (or Kerberos implementations based on it) or Heimdal are + supported. MIT Keberos 1.3 or later may be required; this module has not + been tested with earlier versions. + + For PKINIT support, Heimdal 0.8rc1 or later or MIT Kerberos 1.6.3 or later + are required. Earlier MIT Kerberos 1.6 releases have a bug in their + handling of PKINIT options. MIT Kerberos 1.12 or later is required to use + the use_pkinit PAM option. + + For FAST (Flexible Authentication Secure Tunneling) support, MIT Kerberos + 1.7 or higher is required. For anonymous FAST support, anonymous + authentication (generally anonymous PKINIT) support is required in both the + Kerberos libraries and in the local KDC. + + This module should work on Linux and build with gcc or clang. It may still + work on Solaris and build with the Sun C compiler, but I have only tested it + on Linux recently. There is beta-quality support for the AIX NAS Kerberos + implementation that has not been tested in years. Other PAM implementations + will probably require some porting, although untested build system support + is present for FreeBSD, Mac OS X, and HP-UX. I personally can only test on + Linux and rely on others to report problems on other operating systems. + + Old versions of OpenSSH are known to call `pam_authenticate` followed by + `pam_setcred(PAM_REINITIALIZE_CRED)` without first calling + `pam_open_session`, thereby requesting that an existing ticket cache be + renewed (similar to what a screensaver would want) rather than requesting a + new ticket cache be created. Since this behavior is indistinguishable at + the PAM level from a screensaver, pam-krb5 when used with these old versions + of OpenSSH will refresh the ticket cache of the OpenSSH daemon rather than + setting up a new ticket cache for the user. The resulting ticket cache will + have the correct permissions (this is not a security concern), but will not + be named correctly or referenced in the user's environment and will be + overwritten by the next user login. The best solution to this problem is to + upgrade OpenSSH. I'm not sure exactly when this problem was fixed, but at + the very least OpenSSH 4.3 and later do not exhibit it. + +test: + lancaster: true + prefix: | + pam-krb5 comes with a comprehensive test suite, but it requires some + configuration in order to test anything other than low-level utility + functions. For the full test suite, you will need to have a running KDC + in which you can create two test accounts, one with admin access to the + other. Using a test KDC environment, if you have one, is recommended. + + Follow the instructions in `tests/config/README` to configure the test + suite. + + Now, you can run the test suite with: + suffix: | + The default libkadm5clnt library on the system must match the + implementation of your KDC for the module/expired test to work, since the + two kadmin protocols are not compatible. If you use the MIT library + against a Heimdal server, the test will be skipped; if you use the Heimdal + library against an MIT server, the test suite may hang. + + Several `module/expired` tests are expected to fail with Heimdal 1.5 due + to a bug in Heimdal with reauthenticating immediately after a + library-mediated password change of an expired password. This is fixed in + later releases of Heimdal. + + To run the full test suite, Perl 5.10 or later is required. The following + additional Perl modules will be used if present: + + * Test::Pod + * Test::Spelling + + All are available on CPAN. Those tests will be skipped if the modules are + not available. + sections: - title: Configuring body: | - Just installing the module does not enable it or change anything - about your system authentication configuration. To use the module - for all system authentication on Debian systems, put something like: + Just installing the module does not enable it or change anything about + your system authentication configuration. To use the module for all + system authentication on Debian systems, put something like: ``` auth sufficient pam_krb5.so minimum_uid=1000 @@ -135,42 +228,42 @@ sections: account required pam_unix.so ``` - in `/etc/pam.d/common-account`. The `minimum_uid` setting tells the - PAM module to pass on any users with a UID lower than 1000, thereby - bypassing Kerberos authentication for the root account and any - system accounts. You normally want to do this since otherwise, if - the network is down, the Kerberos authentication can time out and - make it difficult to log in as root and fix matters. This also - avoids problems with Kerberos principals that happen to match system - accounts accidentally getting access to those accounts. + in `/etc/pam.d/common-account`. The `minimum_uid` setting tells the PAM + module to pass on any users with a UID lower than 1000, thereby + bypassing Kerberos authentication for the root account and any system + accounts. You normally want to do this since otherwise, if the network + is down, the Kerberos authentication can time out and make it difficult + to log in as root and fix matters. This also avoids problems with + Kerberos principals that happen to match system accounts accidentally + getting access to those accounts. - Be sure to include the module in the session group as well as the - auth group. Without the session entry, the user's ticket cache will - not be created properly for ssh logins (among possibly others). + Be sure to include the module in the session group as well as the auth + group. Without the session entry, the user's ticket cache will not be + created properly for ssh logins (among possibly others). - If your users should normally all use Kerberos passwords - exclusively, putting something like: + If your users should normally all use Kerberos passwords exclusively, + putting something like: ``` password sufficient pam_krb5.so minimum_uid=1000 password required pam_unix.so try_first_pass obscure md5 ``` - in `/etc/pam.d/common-password` will change users' passwords in - Kerberos by default and then only fall back on Unix if that doesn't - work. (You can make this tighter by using the more complex - new-style PAM configuration.) If you instead want to synchronize - local and Kerberos passwords and change them both at the same time, - you can do something like: + in `/etc/pam.d/common-password` will change users' passwords in Kerberos + by default and then only fall back on Unix if that doesn't work. (You + can make this tighter by using the more complex new-style PAM + configuration.) If you instead want to synchronize local and Kerberos + passwords and change them both at the same time, you can do something + like: ``` password required pam_unix.so obscure sha512 password required pam_krb5.so use_authtok minimum_uid=1000 ``` - If you have multiple environments that you want to synchronize and - you don't want password changes to continue if the Kerberos password - change fails, use the `clear_on_fail` option. For example: + If you have multiple environments that you want to synchronize and you + don't want password changes to continue if the Kerberos password change + fails, use the `clear_on_fail` option. For example: ``` password required pam_krb5.so clear_on_fail minimum_uid=1000 @@ -178,19 +271,19 @@ sections: password required pam_smbpass.so use_authtok ``` - In this case, if `pam_krb5` cannot change the password (due to - password strength rules on the KDC, for example), it will clear the - stored password (because of the `clear_on_fail` option), and since - `pam_unix` and `pam_smbpass` are both configured with `use_authtok`, - they will both fail. `clear_on_fail` is not the default because it - would interfere with the more common pattern of falling back to - local passwords if the user doesn't exist in Kerberos. + In this case, if `pam_krb5` cannot change the password (due to password + strength rules on the KDC, for example), it will clear the stored + password (because of the `clear_on_fail` option), and since `pam_unix` + and `pam_smbpass` are both configured with `use_authtok`, they will both + fail. `clear_on_fail` is not the default because it would interfere + with the more common pattern of falling back to local passwords if the + user doesn't exist in Kerberos. - If you use a more complex configuration with the Linux PAM `[]` - syntax for the session and account groups, note that `pam_krb5` - returns a status of ignore, not success, if the user didn't log on - with Kerberos. You may need to handle that explicitly with - `ignore=ignore` in your action list. + If you use a more complex configuration with the Linux PAM `[]` syntax + for the session and account groups, note that `pam_krb5` returns a + status of ignore, not success, if the user didn't log on with Kerberos. + You may need to handle that explicitly with `ignore=ignore` in your + action list. There are many, many other possibilities. See the Linux PAM documentation for all the configuration options. @@ -200,19 +293,17 @@ sections: You can also use pam-krb5 only for specific services. In that case, modify the files in `/etc/pam.d` for that particular service to use - `pam_krb5.so` for authentication. For services that are using - passwords over TLS to authenticate users, you may want to use the - `ignore_k5login` and `no_ccache` options to the authenticate module. - `.k5login` authorization is only meaningful for local accounts and - ticket caches are usually (although not always) only useful for - interactive sessions. - - Configuring the module for Solaris is both simpler and less - flexible, since Solaris (at least Solaris 8 and 9, which are the - last versions of Solaris with which this module was extensively - tested) use a single `/etc/pam.conf` file that contains - configuration for all programs. For console login on Solaris, try - something like: + `pam_krb5.so` for authentication. For services that are using passwords + over TLS to authenticate users, you may want to use the `ignore_k5login` + and `no_ccache` options to the authenticate module. `.k5login` + authorization is only meaningful for local accounts and ticket caches + are usually (although not always) only useful for interactive sessions. + + Configuring the module for Solaris is both simpler and less flexible, + since Solaris (at least Solaris 8 and 9, which are the last versions of + Solaris with which this module was extensively tested) use a single + `/etc/pam.conf` file that contains configuration for all programs. For + console login on Solaris, try something like: ``` login auth sufficient /usr/local/lib/security/pam_krb5.so minimum_uid=100 @@ -223,70 +314,66 @@ sections: login session required /usr/lib/security/pam_unix_session.so.1 ``` - A similar configuration could be used for other services, such as - ssh. See the pam.conf(5) man page for more information. When using - this module with Solaris login (at least on Solaris 8 and 9), you - will probably also need to add `retain_after_close` to the PAM - configuration to avoid having the user's credentials deleted before - they are logged in. - - The Solaris Kerberos library reportedly does not support prompting - for a password change of an expired account during authentication. - Supporting password change for expired accounts on Solaris with - native Kerberos may therefore require setting the `defer_pwchange` - or `force_pwchange` option for selected login applications. See the - description and warnings about that option in the pam_krb5(5) man - page. - - Some configuration options may be put in the `krb5.conf` file used - by your Kerberos libraries (usually `/etc/krb5.conf` or + A similar configuration could be used for other services, such as ssh. + See the pam.conf(5) man page for more information. When using this + module with Solaris login (at least on Solaris 8 and 9), you will + probably also need to add `retain_after_close` to the PAM configuration + to avoid having the user's credentials deleted before they are logged + in. + + The Solaris Kerberos library reportedly does not support prompting for a + password change of an expired account during authentication. Supporting + password change for expired accounts on Solaris with native Kerberos may + therefore require setting the `defer_pwchange` or `force_pwchange` + option for selected login applications. See the description and + warnings about that option in the pam_krb5(5) man page. + + Some configuration options may be put in the `krb5.conf` file used by + your Kerberos libraries (usually `/etc/krb5.conf` or `/usr/local/etc/krb5.conf`) instead or in addition to the PAM configuration. See the man page for more details. - The Kerberos library, via pam-krb5, will prompt the user to change - their password if their password is expired, but when using OpenSSH, - this will only work when `ChallengeResponseAuthentication` is - enabled. Unless this option is enabled, OpenSSH doesn't pass PAM - messages to the user and can only respond to a simple password - prompt. - - If you are using MIT Kerberos, be aware that users whose passwords - are expired will not be prompted to change their password unless the - KDC configuration for your realm in `[realms]` in `krb5.conf` - contains a `master_kdc` setting or, if using DNS SRV records, you - have a DNS entry for `_kerberos-master` as well as `_kerberos`. + The Kerberos library, via pam-krb5, will prompt the user to change their + password if their password is expired, but when using OpenSSH, this will + only work when `ChallengeResponseAuthentication` is enabled. Unless + this option is enabled, OpenSSH doesn't pass PAM messages to the user + and can only respond to a simple password prompt. + + If you are using MIT Kerberos, be aware that users whose passwords are + expired will not be prompted to change their password unless the KDC + configuration for your realm in `[realms]` in `krb5.conf` contains a + `master_kdc` setting or, if using DNS SRV records, you have a DNS entry + for `_kerberos-master` as well as `_kerberos`. - title: Debugging body: | - The first step when debugging any problems with this module is to - add `debug` to the PAM options for the module (either in the PAM - configuration or in `krb5.conf`). This will significantly increase - the logging from the module and should provide a trace of exactly - what failed and any available error information. - - Many Kerberos authentication problems are due to configuration - issues in `krb5.conf`. If pam-krb5 doesn't work, first check that - `kinit` works on the same system. That will test your basic - Kerberos configuration. If the system has a keytab file installed - that's readable by the process doing authentication via PAM, make - sure that the keytab is current and contains a key for - `host/<system>` where <system> is the fully-qualified hostname. - pam-krb5 prevents KDC spoofing by checking the user's credentials - when possible, but this means that if a keytab is present it must be - correct or authentication will fail. You can check the keytab with - `klist -k` and `kinit -k`. - - Be sure that all libraries and modules, including PAM modules, - loaded by a program use the same Kerberos libraries. Sometimes - programs that use PAM, such as current versions of OpenSSH, also - link against Kerberos directly. If your sshd is linked against one - set of Kerberos libraries and pam-krb5 is linked against a different - set of Kerberos libraries, this will often cause problems (such as - segmentation faults, bus errors, assertions, or other strange - behavior). Similar issues apply to the com_err library or any other - library used by both modules and shared libraries and by the - application that loads them. If your OS ships Kerberos libraries, - it's usually best if possible to build all Kerberos software on the - system against those libraries. + The first step when debugging any problems with this module is to add + `debug` to the PAM options for the module (either in the PAM + configuration or in `krb5.conf`). This will significantly increase the + logging from the module and should provide a trace of exactly what + failed and any available error information. + + Many Kerberos authentication problems are due to configuration issues in + `krb5.conf`. If pam-krb5 doesn't work, first check that `kinit` works + on the same system. That will test your basic Kerberos configuration. + If the system has a keytab file installed that's readable by the process + doing authentication via PAM, make sure that the keytab is current and + contains a key for `host/<system>` where <system> is the fully-qualified + hostname. pam-krb5 prevents KDC spoofing by checking the user's + credentials when possible, but this means that if a keytab is present it + must be correct or authentication will fail. You can check the keytab + with `klist -k` and `kinit -k`. + + Be sure that all libraries and modules, including PAM modules, loaded by + a program use the same Kerberos libraries. Sometimes programs that use + PAM, such as current versions of OpenSSH, also link against Kerberos + directly. If your sshd is linked against one set of Kerberos libraries + and pam-krb5 is linked against a different set of Kerberos libraries, + this will often cause problems (such as segmentation faults, bus errors, + assertions, or other strange behavior). Similar issues apply to the + com_err library or any other library used by both modules and shared + libraries and by the application that loads them. If your OS ships + Kerberos libraries, it's usually best if possible to build all Kerberos + software on the system against those libraries. - title: Implementation Notes body: | The normal sequence of actions taken for a user login is: @@ -304,60 +391,56 @@ sections: pam_close_session ``` - followed by closing the open PAM session. The corresponding - `pam_sm_*` functions in this module are called when an application - calls those public interface functions. Not all applications call - all of those functions, or in particularly that order, although - `pam_authenticate` is always first and has to be. - - When `pam_authenticate` is called, pam-krb5 creates a temporary - ticket cache in `/tmp` and sets the PAM environment variable - `PAM_KRB5CCNAME` to point to it. This ticket cache will be - automatically destroyed when the PAM session is closed and is there - only to pass the initial credentials to the call to `pam_setcred`. - The module would use a memory cache, but memory caches will only - work if the application preserves the PAM environment between the - calls to `pam_authenticate` and `pam_setcred`. Most do, but OpenSSH - notoriously does not and calls `pam_authenticate` in a subprocess, - so this method is used to pass the tickets to the `pam_setcred` call - in a different process. - - `pam_authenticate` does a complete authentication, including - checking the resulting TGT by obtaining a service ticket for the - local host if possible, but this requires read access to the system - keytab. If the keytab doesn't exist, can't be read, or doesn't - include the appropriate credentials, the default is to accept the - authentication. This can be controlled by setting - `verify_ap_req_nofail` to true in `[libdefaults]` in - `/etc/krb5.conf`. `pam_authenticate` also does a basic - authorization check, by default calling `krb5_kuserok` (which uses - `~/.k5login` if available and falls back to checking that the - principal corresponds to the account name). This can be customized - with several options documented in the pam_krb5(5) man page. - - pam-krb5 treats `pam_open_session` and - `pam_setcred(PAM_ESTABLISH_CRED)` as synonymous, as some - applications call one and some call the other. Both copy the - initial credentials from the temporary cache into a permanent cache - for this session and set `KRB5CCNAME` in the environment. It will - remember when the credential cache has been established and then - avoid doing any duplicate work afterwards, since some applications - call `pam_setcred` or `pam_open_session` multiple times (most - notably X.Org 7 and earlier xdm, which also throws away the module - settings the last time it calls them). + followed by closing the open PAM session. The corresponding `pam_sm_*` + functions in this module are called when an application calls those + public interface functions. Not all applications call all of those + functions, or in particularly that order, although `pam_authenticate` is + always first and has to be. + + When `pam_authenticate` is called, pam-krb5 creates a temporary ticket + cache in `/tmp` and sets the PAM environment variable `PAM_KRB5CCNAME` + to point to it. This ticket cache will be automatically destroyed when + the PAM session is closed and is there only to pass the initial + credentials to the call to `pam_setcred`. The module would use a memory + cache, but memory caches will only work if the application preserves the + PAM environment between the calls to `pam_authenticate` and + `pam_setcred`. Most do, but OpenSSH notoriously does not and calls + `pam_authenticate` in a subprocess, so this method is used to pass the + tickets to the `pam_setcred` call in a different process. + + `pam_authenticate` does a complete authentication, including checking + the resulting TGT by obtaining a service ticket for the local host if + possible, but this requires read access to the system keytab. If the + keytab doesn't exist, can't be read, or doesn't include the appropriate + credentials, the default is to accept the authentication. This can be + controlled by setting `verify_ap_req_nofail` to true in `[libdefaults]` + in `/etc/krb5.conf`. `pam_authenticate` also does a basic authorization + check, by default calling `krb5_kuserok` (which uses `~/.k5login` if + available and falls back to checking that the principal corresponds to + the account name). This can be customized with several options + documented in the pam_krb5(5) man page. + + pam-krb5 treats `pam_open_session` and `pam_setcred(PAM_ESTABLISH_CRED)` + as synonymous, as some applications call one and some call the other. + Both copy the initial credentials from the temporary cache into a + permanent cache for this session and set `KRB5CCNAME` in the + environment. It will remember when the credential cache has been + established and then avoid doing any duplicate work afterwards, since + some applications call `pam_setcred` or `pam_open_session` multiple + times (most notably X.Org 7 and earlier xdm, which also throws away the + module settings the last time it calls them). `pam_acct_mgmt` finds the ticket cache, reads it in to obtain the - authenticated principal, and then does is another authorization - check against `.k5login` or the local account name as described - above. + authenticated principal, and then does is another authorization check + against `.k5login` or the local account name as described above. - After the call to `pam_setcred` or `pam_open_session`, the ticket - cache will be destroyed whenever the calling application either - destroys the PAM environment or calls `pam_close_session`, which it - should do on user logout. + After the call to `pam_setcred` or `pam_open_session`, the ticket cache + will be destroyed whenever the calling application either destroys the + PAM environment or calls `pam_close_session`, which it should do on user + logout. - The normal sequence of events when refreshing a ticket cache (such - as inside a screensaver) is: + The normal sequence of events when refreshing a ticket cache (such as + inside a screensaver) is: ``` pam_authenticate @@ -365,36 +448,36 @@ sections: pam_acct_mgmt ``` - (`PAM_REFRESH_CRED` may be used instead.) Authentication proceeds - as above. At the `pam_setcred` stage, rather than creating a new - ticket cache, the module instead finds the current ticket cache - (from the `KRB5CCNAME` environment variable or the default ticket - cache location from the Kerberos library) and then reinitializes it - with the credentials from the temporary `pam_authenticate` ticket - cache. When refreshing a ticket cache, the application should not - open a session. Calling `pam_acct_mgmt` is optional; pam-krb5 - doesn't do anything different when it's called in this case. - - If `pam_authenticate` apparently didn't succeed, or if an account - was configured to be ignored via `ignore_root` or `minimum_uid`, + (`PAM_REFRESH_CRED` may be used instead.) Authentication proceeds as + above. At the `pam_setcred` stage, rather than creating a new ticket + cache, the module instead finds the current ticket cache (from the + `KRB5CCNAME` environment variable or the default ticket cache location + from the Kerberos library) and then reinitializes it with the + credentials from the temporary `pam_authenticate` ticket cache. When + refreshing a ticket cache, the application should not open a session. + Calling `pam_acct_mgmt` is optional; pam-krb5 doesn't do anything + different when it's called in this case. + + If `pam_authenticate` apparently didn't succeed, or if an account was + configured to be ignored via `ignore_root` or `minimum_uid`, `pam_setcred` (and therefore `pam_open_session`) and `pam_acct_mgmt` - return `PAM_IGNORE`, which tells the PAM library to proceed as if - that module wasn't listed in the PAM configuration at all. - `pam_authenticate`, however, returns failure in the ignored user - case by default, since otherwise a configuration using `ignore_root` - with pam-krb5 as the only PAM module would allow anyone to log in as - root without a password. There doesn't appear to be a case where - returning `PAM_IGNORE` instead would improve the module's behavior, - but if you know of a case, please let me know. + return `PAM_IGNORE`, which tells the PAM library to proceed as if that + module wasn't listed in the PAM configuration at all. + `pam_authenticate`, however, returns failure in the ignored user case by + default, since otherwise a configuration using `ignore_root` with + pam-krb5 as the only PAM module would allow anyone to log in as root + without a password. There doesn't appear to be a case where returning + `PAM_IGNORE` instead would improve the module's behavior, but if you + know of a case, please let me know. By default, `pam_authenticate` intentionally does not follow the PAM - standard for handling expired accounts and instead returns failure - from `pam_authenticate` unless the Kerberos libraries are able to - change the account password during authentication. Too many - applications either do not call `pam_acct_mgmt` or ignore its exit - status. The fully correct PAM behavior (returning success from - `pam_authenticate` and `PAM_NEW_AUTHTOK_REQD` from `pam_acct_mgmt`) - can be enabled with the `defer_pwchange` option. + standard for handling expired accounts and instead returns failure from + `pam_authenticate` unless the Kerberos libraries are able to change the + account password during authentication. Too many applications either do + not call `pam_acct_mgmt` or ignore its exit status. The fully correct + PAM behavior (returning success from `pam_authenticate` and + `PAM_NEW_AUTHTOK_REQD` from `pam_acct_mgmt`) can be enabled with the + `defer_pwchange` option. The `defer_pwchange` option is unfortunately somewhat tricky to implement. In this case, the calling sequence is: @@ -410,124 +493,62 @@ sections: During the first `pam_authenticate`, we can't obtain credentials and therefore a ticket cache since the password is expired. But `pam_authenticate` isn't called again after `pam_chauthtok`, so - `pam_chauthtok` has to create a ticket cache. We however don't want - it to do this for the normal password change (`passwd`) case. + `pam_chauthtok` has to create a ticket cache. We however don't want it + to do this for the normal password change (`passwd`) case. What we do is set a flag in our PAM data structure saying that we're processing an expired password, and `pam_chauthtok`, if it sees that - flag, redoes the authentication with password prompting disabled - after it finishes changing the password. - - Unfortunately, when handling password changes this way, - `pam_chauthtok` will always have to prompt the user for their - current password again even though they just typed it. This is - because the saved authentication tokens are cleared after - `pam_authenticate` returns, for security reasons. We could hack - around this by saving the password in our PAM data structure, but - this would let the application gain access to it (exactly what the - clearing is intended to prevent) and breaks a PAM library guarantee. - We could also work around this by having `pam_authenticate` get the - `kadmin/changepw` authenticator in the expired password case and - store it for `pam_chauthtok`, but it doesn't seem worth the hassle. + flag, redoes the authentication with password prompting disabled after + it finishes changing the password. + + Unfortunately, when handling password changes this way, `pam_chauthtok` + will always have to prompt the user for their current password again + even though they just typed it. This is because the saved + authentication tokens are cleared after `pam_authenticate` returns, for + security reasons. We could hack around this by saving the password in + our PAM data structure, but this would let the application gain access + to it (exactly what the clearing is intended to prevent) and breaks a + PAM library guarantee. We could also work around this by having + `pam_authenticate` get the `kadmin/changepw` authenticator in the + expired password case and store it for `pam_chauthtok`, but it doesn't + seem worth the hassle. - title: History and Acknowledgements body: | Originally written by Frank Cusack <fcusack@fcusack.com>, with the following acknowledgement: > Thanks to Naomaru Itoi <itoi@eecs.umich.edu>, Curtis King - > <curtis.king@cul.ca>, and Derrick Brashear <shadow@dementia.org>, - > all of whom have written and made available Kerberos 4/5 modules. + > <curtis.king@cul.ca>, and Derrick Brashear <shadow@dementia.org>, all + > of whom have written and made available Kerberos 4/5 modules. > Although no code in this module is directly from these author's > modules, (except the get_user_info() routine in support.c; derived - > from whichever of these authors originally wrote the first module - > the other 2 copied from), it was extremely helpful to look over - > their code which aided in my design. + > from whichever of these authors originally wrote the first module the + > other 2 copied from), it was extremely helpful to look over their code + > which aided in my design. The module was then patched for the FreeBSD ports collection with - additional modifications by unknown maintainers and then was - modified by Joel Kociolek <joko@logidee.com> to be usable with - Debian GNU/Linux. - - It was packaged by Sam Hartman as the Kerberos v5 PAM module for - Debian and improved and modified by him and later by Russ Allbery to - fix bugs and add additional features. It was then adopted by Andres - Salomon, who added support for refreshing credentials. - - The current distribution is maintained by Russ Allbery, who also - added support for reading configuration from `krb5.conf`, added many - features for compatibility with the Sourceforge module, commented - and standardized the formatting of the code, and overhauled the + additional modifications by unknown maintainers and then was modified by + Joel Kociolek <joko@logidee.com> to be usable with Debian GNU/Linux. + + It was packaged by Sam Hartman as the Kerberos v5 PAM module for Debian + and improved and modified by him and later by Russ Allbery to fix bugs + and add additional features. It was then adopted by Andres Salomon, who + added support for refreshing credentials. + + The current distribution is maintained by Russ Allbery, who also added + support for reading configuration from `krb5.conf`, added many features + for compatibility with the Sourceforge module, commented and + standardized the formatting of the code, and overhauled the documentation. Thanks to Douglas E. Engert for the initial implementation of PKINIT - support. I have since modified and reworked it extensively, so any - bugs or compilation problems are my fault. + support. I have since modified and reworked it extensively, so any bugs + or compilation problems are my fault. - Thanks to Markus Moeller for lots of debugging and multiple patches - and suggestions for improved portability. + Thanks to Markus Moeller for lots of debugging and multiple patches and + suggestions for improved portability. Thanks to Booker Bense for the implementation of the `alt_auth_map` option. Thanks to Sam Hartman for the FAST support implementation. - -requirements: | - Either MIT Kerberos (or Kerberos implementations based on it) or Heimdal - are supported. MIT Keberos 1.3 or later may be required; this module has - not been tested with earlier versions. - - For PKINIT support, Heimdal 0.8rc1 or later or MIT Kerberos 1.6.3 or later - are required. Earlier MIT Kerberos 1.6 releases have a bug in their - handling of PKINIT options. - - For FAST (Flexible Authentication Secure Tunneling) support, MIT Kerberos - 1.7 or higher is required. For anonymous FAST support, anonymous - authentication (generally anonymous PKINIT) support is required in both - the Kerberos libraries and in the local KDC. - - This module should work on Linux and Solaris (and build with gcc, clang, - or the Sun C compiler), but has been far more heavily tested on Linux. - There is beta-quality support for the AIX NAS Kerberos implementation. - Other PAM implementations will probably require some porting, although - untested build system support is present for FreeBSD, Mac OS X, and HP-UX. - I personally can only test on Linux and rely on others to report problems - on other operating systems. - - Old versions of OpenSSH are known to call `pam_authenticate` followed by - `pam_setcred(PAM_REINITIALIZE_CRED)` without first calling - `pam_open_session`, thereby requesting that an existing ticket cache be - renewed (similar to what a screensaver would want) rather than requesting - a new ticket cache be created. Since this behavior is indistinguishable - at the PAM level from a screensaver, pam-krb5 when used with these old - versions of OpenSSH will refresh the ticket cache of the OpenSSH daemon - rather than setting up a new ticket cache for the user. The resulting - ticket cache will have the correct permissions (this is not a security - concern), but will not be named correctly or referenced in the user's - environment and will be overwritten by the next user login. The best - solution to this problem is to upgrade OpenSSH. I'm not sure exactly when - this problem was fixed, but at the very least OpenSSH 4.3 and later do not - exhibit it. - -test: - prefix: | - pam-krb5 comes with a comprehensive test suite, but it requires some - configuration in order to test anything other than low-level utility - functions. For the full test suite, you will need to have a running KDC - in which you can create two test accounts, one with admin access to the - other. Using a test KDC environment, if you have one, is recommended. - - Follow the instructions in `tests/config/README` to configure the test - suite. - - Now, you can run the test suite with: - suffix: | - The default libkadm5clnt library on the system must match the - implementation of your KDC for the module/expired test to work, since the - two kadmin protocols are not compatible. If you use the MIT library - against a Heimdal server, the test will be skipped; if you use the Heimdal - library against an MIT server, the test suite may hang. - - Several `module/expired` tests are expected to fail with Heimdal 1.5 due - to a bug in Heimdal with reauthenticating immediately after a - library-mediated password change of an expired password. This is fixed in - later releases of Heimdal. diff --git a/t/data/generate/pam-krb5/output/readme b/t/data/generate/pam-krb5/output/readme index 5d6e7a0..3b7cb5c 100644 --- a/t/data/generate/pam-krb5/output/readme +++ b/t/data/generate/pam-krb5/output/readme @@ -1,13 +1,13 @@ - pam-krb5 4.8 + pam-krb5 4.11 (PAM module for Kerberos authentication) Maintained by Russ Allbery <eagle@eyrie.org> - Copyright 2005-2010, 2014-2015, 2017 Russ Allbery <eagle@eyrie.org>. - Copyright 2009-2011 The Board of Trustees of the Leland Stanford Junior - University. Copyright 2005 Andres Salomon <dilinger@debian.org>. - Copyright 1999-2000 Frank Cusack <fcusack@fcusack.com>. This software - is distributed under a BSD-style license. Please see the section - LICENSE below for more information. + Copyright 2005-2010, 2014-2015, 2017, 2020-2021 Russ Allbery + <eagle@eyrie.org>. Copyright 2009-2011 The Board of Trustees of the + Leland Stanford Junior University. Copyright 2005 Andres Salomon + <dilinger@debian.org>. Copyright 1999-2000 Frank Cusack + <fcusack@fcusack.com>. This software is distributed under a BSD-style + license. Please see the section LICENSE below for more information. BLURB @@ -56,17 +56,19 @@ REQUIREMENTS For PKINIT support, Heimdal 0.8rc1 or later or MIT Kerberos 1.6.3 or later are required. Earlier MIT Kerberos 1.6 releases have a bug in - their handling of PKINIT options. + their handling of PKINIT options. MIT Kerberos 1.12 or later is + required to use the use_pkinit PAM option. For FAST (Flexible Authentication Secure Tunneling) support, MIT Kerberos 1.7 or higher is required. For anonymous FAST support, anonymous authentication (generally anonymous PKINIT) support is required in both the Kerberos libraries and in the local KDC. - This module should work on Linux and Solaris (and build with gcc, clang, - or the Sun C compiler), but has been far more heavily tested on Linux. - There is beta-quality support for the AIX NAS Kerberos implementation. - Other PAM implementations will probably require some porting, although + This module should work on Linux and build with gcc or clang. It may + still work on Solaris and build with the Sun C compiler, but I have only + tested it on Linux recently. There is beta-quality support for the AIX + NAS Kerberos implementation that has not been tested in years. Other + PAM implementations will probably require some porting, although untested build system support is present for FreeBSD, Mac OS X, and HP-UX. I personally can only test on Linux and rely on others to report problems on other operating systems. @@ -107,14 +109,14 @@ BUILDING AND INSTALLATION directory is also supported, if you wish, by creating an empty directory and then running configure with the correct relative path. - The module will be installed in /usr/local/lib/security by default, - except on 64-bit versions of Linux which will use - /usr/local/lib64/security to match the default PAM configuration. You - can change the installation locations with the --prefix, --mandir, and - --libdir options to configure. The module will always be installed in a - subdirectory named security under the specified libdir. On Linux, use - --prefix=/usr to install the man page into /usr/share/man and the PAM - module in /lib/security or /lib64/security. + The module will be installed in /usr/local/lib/security by default, but + expect to have to override this using --libdir. The correct + installation path for PAM modules varies considerably between systems. + The module will always be installed in a subdirectory named security + under the specified value of --libdir. On Red Hat Linux, for example, + --libdir=/usr/lib64 is appropriate to install the module into the system + PAM directory. On Debian's amd64 architecture, + --libdir=/usr/lib/x86_64-linux-gnu would be correct. Normally, configure will use krb5-config to determine the flags to use to compile with your Kerberos libraries. To specify a particular @@ -197,6 +199,22 @@ TESTING library-mediated password change of an expired password. This is fixed in later releases of Heimdal. + To run the full test suite, Perl 5.10 or later is required. The + following additional Perl modules will be used if present: + + * Test::Pod + * Test::Spelling + + All are available on CPAN. Those tests will be skipped if the modules + are not available. + + To enable tests that don't detect functionality problems but are used to + sanity-check the release, set the environment variable RELEASE_TESTING + to a true value. To enable tests that may be sensitive to the local + environment or that produce a lot of false positives without uncovering + many problems, set the environment variable AUTHOR_TESTING to a true + value. + CONFIGURING Just installing the module does not enable it or change anything about @@ -566,7 +584,8 @@ LICENSE The pam-krb5 package as a whole is covered by the following copyright statement and license: - Copyright 2005-2010, 2014-2015, 2017 Russ Allbery <eagle@eyrie.org> + Copyright 2005-2010, 2014-2015, 2017, 2020-2021 + Russ Allbery <eagle@eyrie.org> Copyright 2009-2011 The Board of Trustees of the Leland Stanford Junior University Copyright 2005 Andres Salomon <dilinger@debian.org> diff --git a/t/data/generate/pam-krb5/output/readme-md b/t/data/generate/pam-krb5/output/readme-md index 9834f04..e74b675 100644 --- a/t/data/generate/pam-krb5/output/readme-md +++ b/t/data/generate/pam-krb5/output/readme-md @@ -1,14 +1,17 @@ # pam-krb5 +[](https://github.com/rra/pam-krb5/actions) [](https://tracker.debian.org/pkg/libpam-krb5) -Copyright 2005-2010, 2014-2015, 2017 Russ Allbery <eagle@eyrie.org>. -Copyright 2009-2011 The Board of Trustees of the Leland Stanford Junior -University. Copyright 2005 Andres Salomon <dilinger@debian.org>. -Copyright 1999-2000 Frank Cusack <fcusack@fcusack.com>. This software is -distributed under a BSD-style license. Please see the section -[License](#license) below for more information. +Copyright 2005-2010, 2014-2015, 2017, 2020-2021 Russ Allbery +<eagle@eyrie.org>. Copyright 2009-2011 The Board of Trustees of the +Leland Stanford Junior University. Copyright 2005 Andres Salomon +<dilinger@debian.org>. Copyright 1999-2000 Frank Cusack +<fcusack@fcusack.com>. This software is distributed under a BSD-style +license. Please see the section [License](#license) below for more +information. ## Blurb @@ -55,20 +58,22 @@ not been tested with earlier versions. For PKINIT support, Heimdal 0.8rc1 or later or MIT Kerberos 1.6.3 or later are required. Earlier MIT Kerberos 1.6 releases have a bug in their -handling of PKINIT options. +handling of PKINIT options. MIT Kerberos 1.12 or later is required to use +the use_pkinit PAM option. For FAST (Flexible Authentication Secure Tunneling) support, MIT Kerberos 1.7 or higher is required. For anonymous FAST support, anonymous authentication (generally anonymous PKINIT) support is required in both the Kerberos libraries and in the local KDC. -This module should work on Linux and Solaris (and build with gcc, clang, -or the Sun C compiler), but has been far more heavily tested on Linux. -There is beta-quality support for the AIX NAS Kerberos implementation. -Other PAM implementations will probably require some porting, although -untested build system support is present for FreeBSD, Mac OS X, and HP-UX. -I personally can only test on Linux and rely on others to report problems -on other operating systems. +This module should work on Linux and build with gcc or clang. It may +still work on Solaris and build with the Sun C compiler, but I have only +tested it on Linux recently. There is beta-quality support for the AIX +NAS Kerberos implementation that has not been tested in years. Other PAM +implementations will probably require some porting, although untested +build system support is present for FreeBSD, Mac OS X, and HP-UX. I +personally can only test on Linux and rely on others to report problems on +other operating systems. Old versions of OpenSSH are known to call `pam_authenticate` followed by `pam_setcred(PAM_REINITIALIZE_CRED)` without first calling @@ -108,14 +113,14 @@ probably have to be done as root. Building outside of the source directory is also supported, if you wish, by creating an empty directory and then running configure with the correct relative path. -The module will be installed in `/usr/local/lib/security` by default, -except on 64-bit versions of Linux which will use -`/usr/local/lib64/security` to match the default PAM configuration. You -can change the installation locations with the `--prefix`, `--mandir`, and -`--libdir` options to configure. The module will always be installed in a -subdirectory named `security` under the specified libdir. On Linux, use -`--prefix=/usr` to install the man page into `/usr/share/man` and the PAM -module in `/lib/security` or `/lib64/security`. +The module will be installed in `/usr/local/lib/security` by default, but +expect to have to override this using `--libdir`. The correct +installation path for PAM modules varies considerably between systems. +The module will always be installed in a subdirectory named `security` +under the specified value of `--libdir`. On Red Hat Linux, for example, +`--libdir=/usr/lib64` is appropriate to install the module into the system +PAM directory. On Debian's amd64 architecture, +`--libdir=/usr/lib/x86_64-linux-gnu` would be correct. Normally, configure will use `krb5-config` to determine the flags to use to compile with your Kerberos libraries. To specify a particular @@ -208,6 +213,22 @@ to a bug in Heimdal with reauthenticating immediately after a library-mediated password change of an expired password. This is fixed in later releases of Heimdal. +To run the full test suite, Perl 5.10 or later is required. The following +additional Perl modules will be used if present: + +* Test::Pod +* Test::Spelling + +All are available on CPAN. Those tests will be skipped if the modules are +not available. + +To enable tests that don't detect functionality problems but are used to +sanity-check the release, set the environment variable `RELEASE_TESTING` +to a true value. To enable tests that may be sensitive to the local +environment or that produce a lot of false positives without uncovering +many problems, set the environment variable `AUTHOR_TESTING` to a true +value. + ## Configuring Just installing the module does not enable it or change anything about @@ -586,7 +607,7 @@ requests are gratefully reviewed and normally accepted. The pam-krb5 package as a whole is covered by the following copyright statement and license: -> Copyright 2005-2010, 2014-2015, 2017 +> Copyright 2005-2010, 2014-2015, 2017, 2020-2021 > Russ Allbery <eagle@eyrie.org> > > Copyright 2009-2011 diff --git a/t/data/generate/pam-krb5/output/thread b/t/data/generate/pam-krb5/output/thread index e8ac73e..a370131 100644 --- a/t/data/generate/pam-krb5/output/thread +++ b/t/data/generate/pam-krb5/output/thread @@ -48,11 +48,14 @@ \h2[Security Advisories] + \link[security/2020-03-30.html] + [2020-03-30]: pam-krb5 4.8 and earlier \break \link[security/2009-02-11.html] - [2009-02-11]: pam-krb5 3.12 and earlier\break + [2009-02-11]: pam-krb5 3.12 and earlier \break \h2[Development] + \link[todo.html][To-do list] \break \link[https://github.com/rra/pam-krb5] [GitHub] \break \link[https://github.com/rra/pam-krb5/issues] @@ -110,20 +113,22 @@ not been tested with earlier versions. For PKINIT support, Heimdal 0.8rc1 or later or MIT Kerberos 1.6.3 or later are required. Earlier MIT Kerberos 1.6 releases have a bug in their -handling of PKINIT options. +handling of PKINIT options. MIT Kerberos 1.12 or later is required to use +the use_pkinit PAM option. For FAST (Flexible Authentication Secure Tunneling) support, MIT Kerberos 1.7 or higher is required. For anonymous FAST support, anonymous authentication (generally anonymous PKINIT) support is required in both the Kerberos libraries and in the local KDC. -This module should work on Linux and Solaris (and build with gcc, clang, -or the Sun C compiler), but has been far more heavily tested on Linux. -There is beta-quality support for the AIX NAS Kerberos implementation. -Other PAM implementations will probably require some porting, although -untested build system support is present for FreeBSD, Mac OS X, and HP-UX. -I personally can only test on Linux and rely on others to report problems -on other operating systems. +This module should work on Linux and build with gcc or clang. It may +still work on Solaris and build with the Sun C compiler, but I have only +tested it on Linux recently. There is beta-quality support for the AIX +NAS Kerberos implementation that has not been tested in years. Other PAM +implementations will probably require some porting, although untested +build system support is present for FreeBSD, Mac OS X, and HP-UX. I +personally can only test on Linux and rely on others to report problems on +other operating systems. Old versions of OpenSSH are known to call \code[pam_authenticate] followed by \code[pam_setcred(PAM_REINITIALIZE_CRED)] without first calling @@ -158,7 +163,7 @@ The distribution: An \link[https://archives.eyrie.org/software/ARCHIVE/pam-krb5/] [archive of older releases] is also available. \class(alert)[Versions older than -3.13 have known security vulnerabilities and should not be used.] +4.9 have known security vulnerabilities and should not be used.] Debian packages are available from Debian in Debian 4.0 (etch) and later releases as libpam-krb5 and libpam-heimdal. The former packages are built @@ -188,11 +193,14 @@ User documentation: Security advisories: +\doc[security/2020-03-30.html] + [2020-03-30: 4.8 and earlier] \doc[security/2009-02-11.html] [2009-02-11: 3.12 and earlier] Developer documentation: +\doc[todo.html][To-do list] \doc[https://github.com/rra/pam-krb5] [GitHub] \doc[https://github.com/rra/pam-krb5/issues] @@ -207,7 +215,7 @@ license: \block[ - Copyright 2005-2010, 2014-2015, 2017 + Copyright 2005-2010, 2014-2015, 2017, 2020-2021 Russ Allbery <eagle@eyrie.org> Copyright 2009-2011 diff --git a/t/data/generate/remctl/output/thread b/t/data/generate/remctl/output/thread index 615ed8f..3ecd5f8 100644 --- a/t/data/generate/remctl/output/thread +++ b/t/data/generate/remctl/output/thread @@ -54,7 +54,7 @@ \h2[Security Advisories] \link[security/2018-04-01.html] - [2018-04-01]: remctl 3.12 and 3.13\break + [2018-04-01]: remctl 3.12 and 3.13 \break \h2[Development] diff --git a/t/data/perlcriticrc b/t/data/perlcriticrc index ff23461..88b3619 100644 --- a/t/data/perlcriticrc +++ b/t/data/perlcriticrc @@ -93,6 +93,12 @@ allow = unless # Perl 5.20). See https://github.com/Perl-Critic/Perl-Critic/issues/578. [-References::ProhibitDoubleSigils] +# Five arguments to a method has seemed reasonable at least once: a pair of +# input file data and path, a pair of output file descriptor and path, and +# a dict of additional arguments. +[Subroutines::ProhibitManyArgs] +skip_object = 1 + # I generally don't want to require Readonly as a prerequisite for all my Perl # modules. [-ValuesAndExpressions::ProhibitConstantPragma] diff --git a/t/data/perltidyrc b/t/data/perltidyrc index f5a08b5..431c311 100644 --- a/t/data/perltidyrc +++ b/t/data/perltidyrc @@ -18,11 +18,12 @@ # SPDX-License-Identifier: FSFAP -bbao # put line breaks before any operator --boc # do not re-break lists, since perltidy is awful at this -nbbc # don't force blank lines before comments (bad for else blocks) +-boc # do not re-break lists, since perltidy is awful at this -ce # cuddle braces around else -l=79 # usually use 78, but don't want 79-long lines reformatted -pt=2 # don't add extra whitespace around parentheses -sbt=2 # ...or square brackets -sfs # no space before semicolon in for (not that I use this form) +-nvc # disable vertical alignment of = and similar symbols -xci # improve indentation of nested structures diff --git a/t/data/regenerate-data b/t/data/regenerate-data index 9037170..87ee82d 100755 --- a/t/data/regenerate-data +++ b/t/data/regenerate-data @@ -51,9 +51,9 @@ for my $package (@packages) { # The test of spinning a tree of files uses a reference to App::DocKnot's own # POD documentation. Regenerate the expected output in case the POD has # changed. -my $source = File::Spec->catdir('lib', 'App', 'DocKnot.pm'); +my $source = File::Spec->catdir('lib', 'App', 'DocKnot.pm'); my $podthread = Pod::Thread->new(navbar => 1); -my $spin = App::DocKnot::Spin::Thread->new(); +my $spin = App::DocKnot::Spin::Thread->new(); my $thread; $podthread->output_string(\$thread); $podthread->parse_file($source); @@ -67,8 +67,8 @@ my $links = <<'EOD'; <link rel="up" href="../" title="DocKnot" /> <link rel="top" href="../../../" /> EOD -my $comment = '<!-- Spun by DocKnot %VERSION% on %DATE% -->'; -my $navbar = <<'EOD'; +my $comment = '<!-- Spun from DocKnot.pm by DocKnot %VERSION% on %DATE% -->'; +my $navbar = <<'EOD'; <table class="navbar"><tr> <td class="navleft"></td> <td> @@ -78,7 +78,6 @@ my $navbar = <<'EOD'; </td> <td class="navright"><a href="app-docknot-command.html">App::DocKnot::Command</a> ></td> </tr></table> - EOD my $address = <<'EOD'; <address> @@ -89,11 +88,11 @@ EOD $html =~ s{ (</head>) }{$links$1}xms; $html =~ s{ <!-- [ ] Spun .*? [ ] --> }{$comment}xms; $html =~ s{ (<body> \n) }{$1$navbar}xms; -$html =~ s{ (</body>) }{$navbar$address$1}xms; +$html =~ s{ (</body>) }{$navbar\n$address$1}xms; # Replace the expected data file. my $output = File::Spec->catdir( - 't', 'data', 'spin', 'output', 'software', 'docknot', + 't', 'data', 'spin', 'output', 'software', 'docknot', 'api', 'app-docknot.html', ); open(my $fh, '>', $output); diff --git a/t/data/spin/input/software/docknot/api/app-docknot.rpod b/t/data/spin/input/software/docknot/api/app-docknot.rpod deleted file mode 100644 index 5075ec0..0000000 --- a/t/data/spin/input/software/docknot/api/app-docknot.rpod +++ /dev/null @@ -1 +0,0 @@ -../../../../../../../lib/App/DocKnot.pm diff --git a/t/data/spin/input/software/docknot/api/app-docknot.spin b/t/data/spin/input/software/docknot/api/app-docknot.spin new file mode 100644 index 0000000..a3ea9e8 --- /dev/null +++ b/t/data/spin/input/software/docknot/api/app-docknot.spin @@ -0,0 +1,2 @@ +format: pod +path: ../../../../../../../lib/App/DocKnot.pm diff --git a/t/data/spin/markdown/input/.sitemap b/t/data/spin/markdown/input/.sitemap new file mode 100644 index 0000000..8c523a1 --- /dev/null +++ b/t/data/spin/markdown/input/.sitemap @@ -0,0 +1,4 @@ +/: Test Root + /foo.html: Some document + /other.html: Other test Markdown + /test.html: Test Markdown diff --git a/t/data/spin/markdown/input/other.spin b/t/data/spin/markdown/input/other.spin new file mode 100644 index 0000000..000cefe --- /dev/null +++ b/t/data/spin/markdown/input/other.spin @@ -0,0 +1,3 @@ +format: markdown +path: ../test.md +title: Other test Markdown diff --git a/t/data/spin/markdown/input/test.spin b/t/data/spin/markdown/input/test.spin new file mode 100644 index 0000000..7927ae8 --- /dev/null +++ b/t/data/spin/markdown/input/test.spin @@ -0,0 +1,3 @@ +format: markdown +path: ../test.md +style: markdown.css diff --git a/t/data/spin/markdown/output/other.html b/t/data/spin/markdown/output/other.html new file mode 100644 index 0000000..8948c0b --- /dev/null +++ b/t/data/spin/markdown/output/other.html @@ -0,0 +1,42 @@ +<!DOCTYPE html + PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> + +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> +<head> + <title>Other test Markdown</title> + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> + <link rel="previous" href="foo.html" title="Some document" /> + <link rel="next" href="test.html" title="Test Markdown" /> + <link rel="up" href="./" title="Test Root" /> + <link rel="top" href="./" /> +</head> + +<body> +<table class="navbar"><tr> + <td class="navleft">< <a href="foo.html">Some document</a></td> + <td> + <a href="./">Test Root</a> + </td> + <td class="navright"><a href="test.html">Test Markdown</a> ></td> +</tr></table> + +<h1 id="test-markdown">Test Markdown</h1> +<p>This is a test Markdown document.</p> +<h2 id="another-header">Another header</h2> +<p>Another section.</p> +<p>Some Üniçodé¡</p> + +<table class="navbar"><tr> + <td class="navleft">< <a href="foo.html">Some document</a></td> + <td> + <a href="./">Test Root</a> + </td> + <td class="navright"><a href="test.html">Test Markdown</a> ></td> +</tr></table> + +<address> + Last <a href="https://www.eyrie.org/~eagle/software/web/">spun</a> + %DATE% from thread modified %DATE% +</body> +</html> diff --git a/t/data/spin/markdown/output/test.html b/t/data/spin/markdown/output/test.html new file mode 100644 index 0000000..2e9178d --- /dev/null +++ b/t/data/spin/markdown/output/test.html @@ -0,0 +1,42 @@ +<!DOCTYPE html + PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> + +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> +<head> + <title>Test Markdown</title> + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> + <link rel="stylesheet" href="/~eagle/styles/markdown.css" type="text/css" /> + <link rel="previous" href="other.html" title="Other test Markdown" /> + <link rel="up" href="./" title="Test Root" /> + <link rel="top" href="./" /> +</head> + +<body> +<table class="navbar"><tr> + <td class="navleft">< <a href="other.html">Other test Markdown</a></td> + <td> + <a href="./">Test Root</a> + </td> + <td class="navright"></td> +</tr></table> + +<h1 id="test-markdown">Test Markdown</h1> +<p>This is a test Markdown document.</p> +<h2 id="another-header">Another header</h2> +<p>Another section.</p> +<p>Some Üniçodé¡</p> + +<table class="navbar"><tr> + <td class="navleft">< <a href="other.html">Other test Markdown</a></td> + <td> + <a href="./">Test Root</a> + </td> + <td class="navright"></td> +</tr></table> + +<address> + Last <a href="https://www.eyrie.org/~eagle/software/web/">spun</a> + %DATE% from thread modified %DATE% +</body> +</html> diff --git a/t/data/spin/markdown/test.md b/t/data/spin/markdown/test.md new file mode 100644 index 0000000..4d00f0f --- /dev/null +++ b/t/data/spin/markdown/test.md @@ -0,0 +1,9 @@ +# Test Markdown + +This is a test Markdown document. + +## Another header + +Another section. + +Some Üniçodé¡ diff --git a/t/data/spin/output/software/docknot/api/app-docknot.html b/t/data/spin/output/software/docknot/api/app-docknot.html index 5076e73..85f242f 100644 --- a/t/data/spin/output/software/docknot/api/app-docknot.html +++ b/t/data/spin/output/software/docknot/api/app-docknot.html @@ -14,7 +14,7 @@ <link rel="top" href="../../../" /> </head> -<!-- Spun by DocKnot %VERSION% on %DATE% --> +<!-- Spun from DocKnot.pm by DocKnot %VERSION% on %DATE% --> <body> <table class="navbar"><tr> @@ -27,7 +27,6 @@ <td class="navright"><a href="app-docknot-command.html">App::DocKnot::Command</a> ></td> </tr></table> - <h1>App::DocKnot</h1> <p class="subhead">(Documentation and software release management)</p> @@ -45,8 +44,8 @@ <h2 id="S1"><a name="S1">REQUIREMENTS</a></h2> <p> -Perl 5.24 or later and the modules File::BaseDir and File::ShareDir, both of -which are available from CPAN. +Perl 5.24 or later and the modules File::BaseDir, File::ShareDir, Kwalify, and +YAML::XS, all of which are available from CPAN. </p> <h2 id="S2"><a name="S2">DESCRIPTION</a></h2> @@ -77,6 +76,14 @@ overridden by the user via files in <i class="file">$HOME/.config/docknot</i> or <i class="file">/etc/xdg/docknot</i> (or whatever $XDG_CONFIG_HOME and $XDG_CONFIG_DIRS are set to). Raises a text exception if the desired file could not be located. </p></dd> + +<dt>load_yaml_file(PATH, SCHEMA)</dt> +<dd><p> +Load a YAML file with schema checking. PATH is the path to the file. +SCHEMA is the name of the schema, which will be loaded from the <i class="file">schema</i> +directory using appdata_path(). See the description of that method for the +paths that are searched. +</p></dd> </dl> <h2 id="S4"><a name="S4">AUTHOR</a></h2> diff --git a/t/data/spin/output/software/docknot/index.html b/t/data/spin/output/software/docknot/index.html index aed23d8..b0352b3 100644 --- a/t/data/spin/output/software/docknot/index.html +++ b/t/data/spin/output/software/docknot/index.html @@ -26,7 +26,6 @@ <td class="navright"><a href="../rra-c-util/">rra-c-util></a> ></td> </tr></table> - <h1>DocKnot</h1> <div class="sidebar"> diff --git a/t/data/spin/output/software/index.html b/t/data/spin/output/software/index.html index 630b839..00a8f2d 100644 --- a/t/data/spin/output/software/index.html +++ b/t/data/spin/output/software/index.html @@ -26,7 +26,6 @@ <td class="navright"><a href="../faqs/">FAQs and Documentation</a> ></td> </tr></table> - <h1>Software</h1> <p class="sections"> diff --git a/t/data/spin/output/usefor/index.html b/t/data/spin/output/usefor/index.html index 216f66e..964c216 100644 --- a/t/data/spin/output/usefor/index.html +++ b/t/data/spin/output/usefor/index.html @@ -25,7 +25,6 @@ <td class="navright"><a href="../nntp/">NNTP</a> ></td> </tr></table> - <h1>The Usenet Article Format and Protocols</h1> <blockquote class="quote"><p class="short"> diff --git a/t/dist/basic.t b/t/dist/basic.t index 95a6986..6fcf2bc 100755 --- a/t/dist/basic.t +++ b/t/dist/basic.t @@ -17,6 +17,7 @@ use Cwd qw(getcwd); use File::Copy::Recursive qw(dircopy); use File::Spec; use File::Temp; +use Git::Repository; use IPC::Run qw(run); use IPC::System::Simple qw(capturex systemx); @@ -27,53 +28,45 @@ local $ENV{XDG_CONFIG_HOME} = '/nonexistent'; local $ENV{XDG_CONFIG_DIRS} = '/nonexistent'; # Find the full path to the test data. -my $cwd = getcwd() or die "$0: cannot get working directory: $!\n"; +my $cwd = getcwd() or die "$0: cannot get working directory: $!\n"; my $dataroot = File::Spec->catfile($cwd, 't', 'data', 'dist', 'package'); my $gpg_path = File::Spec->catfile($cwd, 't', 'data', 'dist', 'fake-gpg'); # Set up a temporary directory. -my $dir = File::Temp->newdir(); +my $dir = File::Temp->newdir(); my $sourcedir = File::Spec->catfile($dir, 'source'); -my $distdir = File::Spec->catfile($dir, 'dist'); +my $distdir = File::Spec->catfile($dir, 'dist'); -# Check whether git is available and can be used to initialize a repository. -eval { - systemx( - 'git', 'init', '-b', 'master', '-q', - File::Spec->catfile($dir, 'source'), - ); -}; -if ($@) { - plan skip_all => 'git init failed (possibly no git binary)'; -} - -# Copy all files from the data directory, and commit them. We have to rename -# the test while we copy it to avoid having it picked up by the main package -# test suite. +# Create a new repository, copy all files from the data directory, and commit +# them. We have to rename the test while we copy it to avoid having it picked +# up by the main package test suite. dircopy($dataroot, $sourcedir) or die "$0: cannot copy $dataroot to $sourcedir: $!\n"; my $testpath = File::Spec->catfile($sourcedir, 't', 'api', 'empty.t'); rename($testpath . '.in', $testpath); -chdir($sourcedir); -systemx(qw(git config --add user.name Test)); -systemx(qw(git config --add user.email test@example.com)); -systemx(qw(git add -A .)); -systemx(qw(git commit -q -m Initial)); +Git::Repository->run('init', { cwd => $sourcedir, quiet => 1 }); +my $repo = Git::Repository->new(work_tree => $sourcedir); +$repo->run(config => '--add', 'user.name', 'Test'); +$repo->run(config => '--add', 'user.email', 'test@example.com'); +$repo->run(add => '-A', q{.}); +$repo->run(commit => '-q', '-m', 'Initial commit'); # Check whether we have all the necessary tools to run the test. -my $out; -my $result - = eval { run(['git', 'archive', 'HEAD'], q{|}, ['tar', 'tf', q{-}], \$out) }; +my $result; +eval { + my $archive = $repo->command(archive => 'HEAD'); + my $out; + $result = run([qw(tar tf -)], '<', $archive->stdout, '>', \$out); + $archive->close(); + $result &&= $archive->exit == 0; +}; if ($@ || !$result) { - chdir($cwd); plan skip_all => 'git and tar not available'; } else { plan tests => 20; } -# Load the module. Change back to the starting directory for this so that -# coverage analysis works. -chdir($cwd); +# Load the module now that we're sure we can run tests. require_ok('App::DocKnot::Dist'); # Put some existing files in the directory that are marked read-only. These @@ -90,9 +83,9 @@ my $dist = App::DocKnot::Dist->new({ distdir => $distdir, perl => $^X }); capture_stdout { eval { $dist->make_distribution() }; }; -ok(-e File::Spec->catfile($distdir, 'Empty-1.00.tar.gz'), 'dist exists'); -ok(-e File::Spec->catfile($distdir, 'Empty-1.00.tar.xz'), 'xz dist exists'); -ok(!-e File::Spec->catfile($distdir, 'Empty-1.00.tar'), 'tarball missing'); +ok(-e File::Spec->catfile($distdir, 'Empty-1.00.tar.gz'), 'dist exists'); +ok(-e File::Spec->catfile($distdir, 'Empty-1.00.tar.xz'), 'xz dist exists'); +ok(!-e File::Spec->catfile($distdir, 'Empty-1.00.tar'), 'tarball missing'); ok(!-e File::Spec->catfile($distdir, 'Empty-1.00.tar.gz.asc'), 'no signature'); ok(!-e File::Spec->catfile($distdir, 'Empty-1.00.tar.xz.asc'), 'no signature'); is($@, q{}, 'no errors'); @@ -152,7 +145,7 @@ $stdout = capture_stdout { eval { $dist->make_distribution() }; }; is($@, "2 files missing from distribution\n", 'correct error for two files'); -like($stdout, qr{ some-file }xms, 'output mentions the first file'); +like($stdout, qr{ some-file }xms, 'output mentions the first file'); like($stdout, qr{ another-file }xms, 'output mentions the other file'); @missing = $dist->check_dist($sourcedir, $tarball); is_deeply(['another-file', 'some-file'], \@missing, 'check_dist matches'); diff --git a/t/dist/commands.t b/t/dist/commands.t index cbd29c3..9ca697c 100755 --- a/t/dist/commands.t +++ b/t/dist/commands.t @@ -119,5 +119,5 @@ $metadata_path $docknot = App::DocKnot::Dist->new({ distdir => q{.}, metadata => $metadata_path }); @expected = (['make', 'dist']); -@seen = $docknot->commands(); +@seen = $docknot->commands(); is_deeply(\@seen, \@expected, 'make'); diff --git a/t/docs/changes.t b/t/docs/changes.t index 16bf212..94b8000 100755 --- a/t/docs/changes.t +++ b/t/docs/changes.t @@ -27,7 +27,7 @@ # # SPDX-License-Identifier: MIT -use 5.008; +use 5.010; use strict; use warnings; diff --git a/t/docs/pod-coverage.t b/t/docs/pod-coverage.t index 198f4e7..c499af3 100755 --- a/t/docs/pod-coverage.t +++ b/t/docs/pod-coverage.t @@ -6,7 +6,7 @@ # which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>. # # Written by Russ Allbery <eagle@eyrie.org> -# Copyright 2019 Russ Allbery <eagle@eyrie.org> +# Copyright 2019, 2021 Russ Allbery <eagle@eyrie.org> # Copyright 2013-2014 # The Board of Trustees of the Leland Stanford Junior University # @@ -30,7 +30,7 @@ # # SPDX-License-Identifier: MIT -use 5.008; +use 5.010; use strict; use warnings; diff --git a/t/docs/pod-spelling.t b/t/docs/pod-spelling.t index 491f932..497dce3 100755 --- a/t/docs/pod-spelling.t +++ b/t/docs/pod-spelling.t @@ -30,7 +30,7 @@ # # SPDX-License-Identifier: MIT -use 5.008; +use 5.010; use strict; use warnings; diff --git a/t/docs/pod.t b/t/docs/pod.t index 1c88ed1..85974d8 100755 --- a/t/docs/pod.t +++ b/t/docs/pod.t @@ -30,7 +30,7 @@ # # SPDX-License-Identifier: MIT -use 5.008; +use 5.010; use strict; use warnings; diff --git a/t/docs/spdx-license.t b/t/docs/spdx-license.t index 4e5b7f9..15ee7e0 100755 --- a/t/docs/spdx-license.t +++ b/t/docs/spdx-license.t @@ -45,8 +45,9 @@ use Test::More; # File name (the file without any directory component) and path patterns to # skip for this check. ## no critic (RegularExpressions::ProhibitFixedStringMatches) +#<<< my @IGNORE = ( - qr{ \A Build ( [.] (?!PL) .* )? \z }ixms, # Generated file from Build.PL + qr{ \A Build ( [.] (?!PL) .* )? \z }ixms, # Generated file from Build.PL qr{ \A LICENSE \z }xms, # Generated file, no license itself qr{ \A (Changes|NEWS|THANKS) \z }xms, # Package license should be fine qr{ \A TODO \z }xms, # Package license should be fine @@ -58,20 +59,21 @@ my @IGNORE = ( qr{ ~ \z }xms, # Backup files ); my @IGNORE_PATHS = ( - qr{ \A [.] / [.] git/ }xms, # Version control files - qr{ \A [.] / [.] pc/ }xms, # quilt metadata files - qr{ \A [.] /_build/ }xms, # Module::Build metadata - qr{ \A [.] /blib/ }xms, # Perl build system artifacts - qr{ \A [.] /cover_db/ }xms, # Artifacts from coverage testing - qr{ \A [.] /debian/ }xms, # Found in debian/* branches - qr{ \A [.] /docs/metadata/ }xms, # Package license should be fine - qr{ \A [.] /README ( [.] .* )? \z }xms, # Package license should be fine - qr{ \A [.] /share/ }xms, # Package license should be fine - qr{ \A [.] /t/data/generate/ }xms, # Test metadata - qr{ \A [.] /t/data/spin/ }xms, # Test metadata - qr{ \A [.] /t/data/update/ }xms, # Test output - qr{ \A [.] /t/data .* [.] json \z }xms, # Test metadata + qr{ \A [.] / [.] git/ }xms, # Version control files + qr{ \A [.] / [.] pc/ }xms, # quilt metadata files + qr{ \A [.] /_build/ }xms, # Module::Build metadata + qr{ \A [.] /blib/ }xms, # Perl build system artifacts + qr{ \A [.] /cover_db/ }xms, # Artifacts from coverage testing + qr{ \A [.] /debian/ }xms, # Found in debian/* branches + qr{ \A [.] /docs/metadata/ }xms, # Package license should be fine + qr{ \A [.] /README ( [.] .* )? \z }xms, # Package license should be fine + qr{ \A [.] /share/ }xms, # Package license should be fine + qr{ \A [.] /t/data/generate/ }xms, # Test metadata + qr{ \A [.] /t/data/spin/ }xms, # Test metadata + qr{ \A [.] /t/data/update/ }xms, # Test output + qr{ \A [.] /t/data .* [.] json \z }xms, # Test metadata ); +#>>> ## use critic # Only run this test during automated testing, since failure doesn't indicate @@ -85,7 +87,7 @@ skip_unless_automated('SPDX identifier tests'); # Returns: undef sub check_file { my $filename = $_; - my $path = $File::Find::name; + my $path = $File::Find::name; # Ignore files in the whitelist and binary files. for my $pattern (@IGNORE) { diff --git a/t/docs/synopsis.t b/t/docs/synopsis.t index 1a2fbf1..b19b4dd 100755 --- a/t/docs/synopsis.t +++ b/t/docs/synopsis.t @@ -6,7 +6,7 @@ # which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>. # # Written by Russ Allbery <eagle@eyrie.org> -# Copyright 2019 Russ Allbery <eagle@eyrie.org> +# Copyright 2019, 2021 Russ Allbery <eagle@eyrie.org> # Copyright 2013-2014 # The Board of Trustees of the Leland Stanford Junior University # @@ -30,7 +30,7 @@ # # SPDX-License-Identifier: MIT -use 5.008; +use 5.010; use strict; use warnings; diff --git a/t/generate/basic.t b/t/generate/basic.t index f553e20..20af8b0 100755 --- a/t/generate/basic.t +++ b/t/generate/basic.t @@ -43,7 +43,7 @@ for my $test (@tests) { # Loop through the possible templates. for my $template (qw(readme readme-md thread)) { - my $got = encode('utf-8', $docknot->generate($template)); + my $got = encode('utf-8', $docknot->generate($template)); my $path = File::Spec->catfile($dataroot, $test, 'output', $template); is_file_contents($got, $path, "$template for $test"); } diff --git a/t/generate/output.t b/t/generate/output.t index c23538e..2a66451 100755 --- a/t/generate/output.t +++ b/t/generate/output.t @@ -34,11 +34,11 @@ my $docknot = App::DocKnot::Generate->new({ metadata => $metadata_path }); isa_ok($docknot, 'App::DocKnot::Generate'); # Save the paths to the real README and README.md files. -my $readme_path = File::Spec->catfile(getcwd(), 'README'); +my $readme_path = File::Spec->catfile(getcwd(), 'README'); my $readme_md_path = File::Spec->catfile(getcwd(), 'README.md'); # Write the README output for the DocKnot package to a temporary file. -my $tmp = File::Temp->new(); +my $tmp = File::Temp->new(); my $tmpname = $tmp->filename; $docknot->generate_output('readme', $tmpname); my $output = slurp($tmpname); diff --git a/t/lib/Test/DocKnot/Spin.pm b/t/lib/Test/DocKnot/Spin.pm index 74cb592..c7c33b8 100644 --- a/t/lib/Test/DocKnot/Spin.pm +++ b/t/lib/Test/DocKnot/Spin.pm @@ -50,7 +50,7 @@ sub is_spin_output { Last [ ] modified [ ] and \s+ (<a[^>]+>spun</a>) [ ] [%]DATE[%] }{Last $1\n %DATE% from thread modified %DATE%}gxms; $results =~ s{ - %DATE% [ ] from [ ] POD [ ] modified [ ] %DATE% + %DATE% [ ] from [ ] (Markdown|POD) [ ] modified [ ] %DATE% }{%DATE% from thread modified %DATE%}gxms; $results =~ s{ (<guid [ ] isPermaLink="false">) \d+ (</guid>) diff --git a/t/lib/Test/RRA.pm b/t/lib/Test/RRA.pm index 1a3ceab..c432d0c 100644 --- a/t/lib/Test/RRA.pm +++ b/t/lib/Test/RRA.pm @@ -10,7 +10,7 @@ package Test::RRA; -use 5.008; +use 5.010; use base qw(Exporter); use strict; use warnings; @@ -52,7 +52,7 @@ BEGIN { # This version should match the corresponding rra-c-util release, but with # two digits for the minor version, including a leading zero if necessary, # so that it will sort properly. - $VERSION = '9.01'; + $VERSION = '10.01'; } # Compare a string to the contents of a file, similar to the standard is() @@ -83,11 +83,11 @@ sub is_file_contents { eval { require IPC::System::Simple; - my $tmp = File::Temp->new(); + my $tmp = File::Temp->new(); my $tmpname = $tmp->filename; print {$tmp} $got or BAIL_OUT("Cannot write to $tmpname: $!\n"); my @command = ('diff', '-u', $expected, $tmpname); - my $diff = IPC::System::Simple::capturex([0 .. 1], @command); + my $diff = IPC::System::Simple::capturex([0 .. 1], @command); diag($diff); }; if ($@) { @@ -165,15 +165,15 @@ sub use_prereq { ## no critic (ValuesAndExpressions::ProhibitImplicitNewlines) my ($result, $error, $sigdie); { - local $@ = undef; - local $! = undef; + local $@ = undef; + local $! = undef; local $SIG{__DIE__} = undef; $result = eval qq{ package $package; use $module $version \@imports; 1; }; - $error = $@; + $error = $@; $sigdie = $SIG{__DIE__} || undef; } diff --git a/t/lib/Test/RRA/Config.pm b/t/lib/Test/RRA/Config.pm index 0bc1b25..75419ea 100644 --- a/t/lib/Test/RRA/Config.pm +++ b/t/lib/Test/RRA/Config.pm @@ -9,7 +9,7 @@ package Test::RRA::Config; -use 5.008; +use 5.010; use base qw(Exporter); use strict; use warnings; @@ -32,7 +32,7 @@ BEGIN { # This version should match the corresponding rra-c-util release, but with # two digits for the minor version, including a leading zero if necessary, # so that it will sort properly. - $VERSION = '9.01'; + $VERSION = '10.01'; } # If C_TAP_BUILD or C_TAP_SOURCE are set in the environment, look for @@ -58,7 +58,7 @@ our $COVERAGE_LEVEL = 100; our @COVERAGE_SKIP_TESTS; our @CRITIC_IGNORE; our $LIBRARY_PATH; -our $MINIMUM_VERSION = '5.008'; +our $MINIMUM_VERSION = '5.010'; our %MINIMUM_VERSION; our @MODULE_VERSION_IGNORE; our @POD_COVERAGE_EXCLUDE; @@ -135,7 +135,7 @@ that Perl scripts can pass a syntax check. =item $MINIMUM_VERSION Default minimum version requirement for included Perl scripts. If not given, -defaults to 5.008. +defaults to 5.010. =item %MINIMUM_VERSION diff --git a/t/lib/Test/RRA/ModuleVersion.pm b/t/lib/Test/RRA/ModuleVersion.pm index 86bd9f1..d01c14b 100644 --- a/t/lib/Test/RRA/ModuleVersion.pm +++ b/t/lib/Test/RRA/ModuleVersion.pm @@ -29,7 +29,7 @@ BEGIN { # This version should match the corresponding rra-c-util release, but with # two digits for the minor version, including a leading zero if necessary, # so that it will sort properly. - $VERSION = '9.01'; + $VERSION = '10.01'; } # A regular expression matching the version string for a module using the @@ -135,7 +135,7 @@ sub _update_module_version { } # Scan for the version and replace it. - open(my $in, q{<}, $file) or die "$0: cannot open $file: $!\n"; + open(my $in, q{<}, $file) or die "$0: cannot open $file: $!\n"; open(my $out, q{>}, "$file.new") or die "$0: cannot create $file.new: $!\n"; SCAN: @@ -151,8 +151,8 @@ sub _update_module_version { # Copy the rest of the input file to the output file. print {$out} <$in> or die "$0: cannot write to $file.new: $!\n"; - close($out) or die "$0: cannot flush $file.new: $!\n"; - close($in) or die "$0: error reading from $file: $!\n"; + close($out) or die "$0: cannot flush $file.new: $!\n"; + close($in) or die "$0: error reading from $file: $!\n"; # All done. Rename the new file over top of the old file. rename("$file.new", $file) diff --git a/t/metadata/licenses.t b/t/metadata/licenses.t index 422dbd3..94e6c50 100755 --- a/t/metadata/licenses.t +++ b/t/metadata/licenses.t @@ -24,8 +24,8 @@ BEGIN { use_ok('App::DocKnot') } # Check the schema of the licenses.yaml file. my $licenses_path = module_file('App::DocKnot', 'licenses.yaml'); -my $licenses_ref = YAML::XS::LoadFile($licenses_path); -my $schema_path = module_file('App::DocKnot', 'schema/licenses.yaml'); -my $schema_ref = YAML::XS::LoadFile($schema_path); +my $licenses_ref = YAML::XS::LoadFile($licenses_path); +my $schema_path = module_file('App::DocKnot', 'schema/licenses.yaml'); +my $schema_ref = YAML::XS::LoadFile($schema_path); eval { validate($schema_ref, $licenses_ref) }; is($@, q{}, 'licenses.yaml fails schema validation'); diff --git a/t/spin/errors.t b/t/spin/errors.t index ae1c308..d4cc565 100755 --- a/t/spin/errors.t +++ b/t/spin/errors.t @@ -36,7 +36,7 @@ require_ok('App::DocKnot::Spin::Thread'); # Spin the errors file with output captured. my $input = File::Spec->catfile('t', 'data', 'spin', 'errors', 'errors.th'); -my $spin = App::DocKnot::Spin::Thread->new(); +my $spin = App::DocKnot::Spin::Thread->new(); my ($stdout, $stderr) = capture { $spin->spin_thread_file($input); }; diff --git a/t/spin/file.t b/t/spin/file.t index 354ec77..2f645e5 100755 --- a/t/spin/file.t +++ b/t/spin/file.t @@ -26,10 +26,10 @@ require_ok('App::DocKnot::Spin::Thread'); # Spin a single file. my $tempfile = File::Temp->new(); -my $datadir = File::Spec->catfile('t', 'data', 'spin'); -my $inputdir = File::Spec->catfile($datadir, 'input'); -my $input = File::Spec->catfile($inputdir, 'index.th'); -my $expected = File::Spec->catfile($datadir, 'output', 'index.html'); +my $datadir = File::Spec->catfile('t', 'data', 'spin'); +my $inputdir = File::Spec->catfile($datadir, 'input'); +my $input = File::Spec->catfile($inputdir, 'index.th'); +my $expected = File::Spec->catfile($datadir, 'output', 'index.html'); my $spin = App::DocKnot::Spin::Thread->new({ 'style-url' => '/~eagle/styles/' }); $spin->spin_thread_file($input, $tempfile->filename); diff --git a/t/spin/markdown.t b/t/spin/markdown.t new file mode 100755 index 0000000..bf8de61 --- /dev/null +++ b/t/spin/markdown.t @@ -0,0 +1,56 @@ +#!/usr/bin/perl +# +# Test Markdown conversion. +# +# Copyright 2021 Russ Allbery <rra@cpan.org> +# +# SPDX-License-Identifier: MIT + +use 5.024; +use autodie; +use warnings; + +use lib 't/lib'; + +use Capture::Tiny qw(capture_stdout); +use Carp qw(croak); +use Cwd qw(getcwd); +use File::Copy::Recursive qw(dircopy); +use File::Temp (); +use IPC::Cmd qw(can_run); +use Test::DocKnot::Spin qw(is_spin_output_tree); +use Template (); + +use Test::More; + +# This test can only be run if pandoc is available. +if (!can_run('pandoc')) { + plan(skip_all => 'pandoc required for test'); +} + +# Isolate from the environment. +local $ENV{XDG_CONFIG_HOME} = '/nonexistent'; +local $ENV{XDG_CONFIG_DIRS} = '/nonexistent'; + +require_ok('App::DocKnot::Spin'); +require_ok('App::DocKnot::Spin::Pointer'); + +# Ensure Devel::Cover has loaded the HTML template before we start changing +# the working directory with File::Find. (This is a dumb workaround, but I +# can't find a better one; +ignore doesn't work.) +my $pointer = App::DocKnot::Spin::Pointer->new(); +my $template = $pointer->appdata_path('templates', 'html.tmpl'); +my $tt = Template->new({ ABSOLUTE => 1 }) or croak(Template->error()); +$tt->process($template, {}, \my $result); + +# Spin the tree of files and check the result. +my $datadir = File::Spec->catfile('t', 'data', 'spin', 'markdown'); +my $input = File::Spec->catfile($datadir, 'input'); +my $output = File::Temp->newdir(); +my $expected = File::Spec->catfile($datadir, 'output'); +my $spin = App::DocKnot::Spin->new({ 'style-url' => '/~eagle/styles/' }); +my $stdout = capture_stdout { $spin->spin($input, $output->dirname) }; +my $count = is_spin_output_tree($output, $expected, 'spin'); + +# Report the end of testing. +done_testing($count + 2); diff --git a/t/spin/sitemap.t b/t/spin/sitemap.t index 1cac856..59f8fe3 100755 --- a/t/spin/sitemap.t +++ b/t/spin/sitemap.t @@ -21,12 +21,12 @@ require_ok('App::DocKnot::Spin::Sitemap'); # Parse a complex .sitemap file. my $datadir = File::Spec->catfile('t', 'data', 'spin', 'sitemap'); -my $path = File::Spec->catfile($datadir, 'complex'); +my $path = File::Spec->catfile($datadir, 'complex'); my $sitemap = App::DocKnot::Spin::Sitemap->new($path); isa_ok($sitemap, 'App::DocKnot::Spin::Sitemap'); # Check the generated sitemap. -my $output = join(q{}, $sitemap->sitemap()); +my $output = join(q{}, $sitemap->sitemap()); my $expected = File::Spec->catfile($datadir, 'complex.html'); is_file_contents($output, $expected, 'sitemap output'); @@ -46,7 +46,7 @@ my @expected = ( qq{ <link rel="top" href="../" />\n}, ); is_deeply(\@links, \@expected, 'links output'); -@navbar = $sitemap->navbar('/faqs/soundness-inn.html'); +@navbar = $sitemap->navbar('/faqs/soundness-inn.html'); @expected = ( qq{<table class="navbar"><tr>\n}, qq{ <td class="navleft"></td>\n}, @@ -57,12 +57,11 @@ is_deeply(\@links, \@expected, 'links output'); q{ <td class="navright"><a href="soundness-cnews.html">} . qq{Soundness for C News</a> ></td>\n}, qq{</tr></table>\n}, - qq{\n}, ); is_deeply(\@navbar, \@expected, 'navbar output'); # Check links for a page with long adjacent titles to test the wrapping. -@links = $sitemap->links('/notes/cvs/basic-usage.html'); +@links = $sitemap->links('/notes/cvs/basic-usage.html'); @expected = ( qq{ <link rel="previous" href="why.html"\n}, qq{ title="Why put a set of files into CVS?" />\n}, diff --git a/t/spin/thread.t b/t/spin/thread.t index 8373eba..c18a743 100755 --- a/t/spin/thread.t +++ b/t/spin/thread.t @@ -23,16 +23,16 @@ use Test::More tests => 2; require_ok('App::DocKnot::Spin::Thread'); # Test data file paths. -my $datadir = File::Spec->catfile('t', 'data', 'spin'); -my $inputdir = File::Spec->catfile($datadir, 'input'); -my $input = File::Spec->catfile($inputdir, 'index.th'); -my $expected = File::Spec->catfile($datadir, 'output', 'index.html'); +my $datadir = File::Spec->catfile('t', 'data', 'spin'); +my $inputdir = File::Spec->catfile($datadir, 'input'); +my $input = File::Spec->catfile($inputdir, 'index.th'); +my $expected = File::Spec->catfile($datadir, 'output', 'index.html'); # The expected output is a bit different since we won't add timestamp # information or the filename to the comment, so we have to generate our # expected output file. my $tempfile = File::Temp->new(); -my $output = slurp($expected); +my $output = slurp($expected); $output =~ s{ from [ ] index[.]th [ ] }{}xms; $output =~ s{ <address> .* </address> \n }{}xms; print {$tempfile} $output or die "Cannot write to $tempfile: $!\n"; @@ -43,7 +43,7 @@ $tempfile->flush(); my $spin = App::DocKnot::Spin::Thread->new({ 'style-url' => '/~eagle/styles/' }); my $thread = slurp($input); -my $cwd = getcwd(); +my $cwd = getcwd(); chdir($inputdir); my $html = $spin->spin_thread($thread); chdir($cwd); diff --git a/t/spin/tree.t b/t/spin/tree.t index a88d0d0..d2daab1 100755 --- a/t/spin/tree.t +++ b/t/spin/tree.t @@ -18,11 +18,16 @@ use File::Copy::Recursive qw(dircopy); use File::Spec (); use File::Temp (); use Perl6::Slurp qw(slurp); -use POSIX qw(strftime); +use POSIX qw(LC_ALL setlocale strftime); use Test::DocKnot::Spin qw(is_spin_output_tree); use Test::More; +# Force the C locale because some of the output intentionally uses localized +# month names and we have to force those to English for comparison of test +# results. +setlocale(LC_ALL, 'C'); + # Expected output when spinning our tree of input files. my $EXPECTED_OUTPUT = <<'OUTPUT'; Generating thread file .../changes.th @@ -51,7 +56,7 @@ Spinning .../software/index.html Creating .../software/docknot Spinning .../software/docknot/index.html Creating .../software/docknot/api -Running pod2thread for .../software/docknot/api/app-docknot.html +Converting .../software/docknot/api/app-docknot.html Creating .../usefor Spinning .../usefor/index.html Creating .../usefor/drafts @@ -61,41 +66,44 @@ Updating .../usefor/drafts/draft-ietf-usefor-useage-01.txt Updating .../usefor/drafts/draft-lindsey-usefor-signed-01.txt OUTPUT +BEGIN { use_ok('App::DocKnot::Util', qw(print_fh)) } + require_ok('App::DocKnot::Spin'); # Copy the input tree to a new temporary directory since .rss files generate -# additional thread files. Replace the rpod pointer since it points to a +# additional thread files. Replace the POD pointer since it points to a # relative path in the source tree, but change its modification timestamp to # something in the past. -my $tmpdir = File::Temp->newdir(); +my $tmpdir = File::Temp->newdir(); my $datadir = File::Spec->catfile('t', 'data', 'spin'); -my $input = File::Spec->catfile($datadir, 'input'); +my $input = File::Spec->catfile($datadir, 'input'); dircopy($input, $tmpdir->dirname) or die "Cannot copy $input to $tmpdir: $!\n"; -my $rpod_source = File::Spec->catfile(getcwd(), 'lib', 'App', 'DocKnot.pm'); -my $rpod_path = File::Spec->catfile( +my $pod_source = File::Spec->catfile(getcwd(), 'lib', 'App', 'DocKnot.pm'); +my $pointer_path = File::Spec->catfile( $tmpdir->dirname, 'software', 'docknot', 'api', - 'app-docknot.rpod', + 'app-docknot.spin', ); -chmod(0644, $rpod_path); -open(my $fh, '>', $rpod_path); -print {$fh} "$rpod_source\n" or die "Cannot write to $rpod_path: $!\n"; +chmod(0644, $pointer_path); +open(my $fh, '>', $pointer_path); +print_fh($fh, $pointer_path, "format: pod\n"); +print_fh($fh, $pointer_path, "path: $pod_source\n"); close($fh); my $old_timestamp = time() - 10; # Spin a tree of files. -my $output = File::Temp->newdir(); +my $output = File::Temp->newdir(); my $expected = File::Spec->catfile($datadir, 'output'); -my $spin = App::DocKnot::Spin->new({ 'style-url' => '/~eagle/styles/' }); -my $stdout = capture_stdout { +my $spin = App::DocKnot::Spin->new({ 'style-url' => '/~eagle/styles/' }); +my $stdout = capture_stdout { $spin->spin($tmpdir->dirname, $output->dirname); }; my $count = is_spin_output_tree($output, $expected, 'spin'); is($stdout, $EXPECTED_OUTPUT, 'Expected spin output'); # Create a bogus file in the output tree. -my $bogus = File::Spec->catfile($output->dirname, 'bogus'); -my $bogus_file = File::Spec->catfile($bogus, 'some-file'); +my $bogus = File::Spec->catfile($output->dirname, 'bogus'); +my $bogus_file = File::Spec->catfile($bogus, 'some-file'); mkdir($bogus); open($fh, '>', $bogus_file); print {$fh} "Some stuff\n" or die "Cannot write to $bogus_file: $!\n"; @@ -127,17 +135,20 @@ ok(!-e $bogus, 'Stray file and directory was deleted'); # Override the title of the POD document and request a contents section. Set # the modification timestamp in the future to force a repsin. -open($fh, '>>', $rpod_path); -print {$fh} "-c -t 'New Title'\n" or die "Cannot write to $rpod_path: $!\n"; +open($fh, '>>', $pointer_path); +print_fh($fh, $pointer_path, "format: pod\n"); +print_fh($fh, $pointer_path, "path: $pod_source\n"); +print_fh($fh, $pointer_path, "options:\n contents: true\n navbar: false\n"); +print_fh($fh, $pointer_path, "title: 'New Title'\n"); close($fh); -utime(time() + 5, time() + 5, $rpod_path) - or die "Cannot reset timestamps of $rpod_path: $!\n"; +utime(time() + 5, time() + 5, $pointer_path) + or die "Cannot reset timestamps of $pointer_path: $!\n"; $stdout = capture_stdout { $spin->spin($tmpdir->dirname, $output->dirname); }; is( $stdout, - "Running pod2thread for .../software/docknot/api/app-docknot.html\n", + "Converting .../software/docknot/api/app-docknot.html\n", 'Spinning again regenerates the App::DocKnot page', ); my $output_path = File::Spec->catfile( @@ -149,19 +160,19 @@ like( qr{ <title> New [ ] Title </title> }xms, 'POD title override worked', ); -like($page, qr{ <h1> New [ ] Title </h1> }xms, 'POD h1 override worked'); +like($page, qr{ <h1> New [ ] Title </h1> }xms, 'POD h1 override worked'); like($page, qr{ Table [ ] of [ ] Contents }xms, 'POD table of contents'); # Set the time back so that it won't be generated again. -utime(time() - 5, time() - 5, $rpod_path) - or die "Cannot reset timestamps of $rpod_path: $!\n"; +utime(time() - 5, time() - 5, $pointer_path) + or die "Cannot reset timestamps of $pointer_path: $!\n"; # Now, update the .versions file at the top of the input tree to change the # timestamp to ten seconds into the future. This should force regeneration of # only the software/docknot/index.html file. my $versions_path = File::Spec->catfile($tmpdir->dirname, '.versions'); -my $versions = slurp($versions_path); -my $new_date = strftime('%Y-%m-%d %T', localtime(time() + 10)); +my $versions = slurp($versions_path); +my $new_date = strftime('%Y-%m-%d %T', localtime(time() + 10)); $versions =~ s{ \d{4}-\d\d-\d\d [ ] [\d:]+ }{$new_date}xms; chmod(0644, $versions_path); open(my $versions_fh, '>', $versions_path); @@ -177,4 +188,4 @@ is( ); # Report the end of testing. -done_testing($count + 11); +done_testing($count + 12); diff --git a/t/spin/versions.t b/t/spin/versions.t index 03230c8..640e143 100755 --- a/t/spin/versions.t +++ b/t/spin/versions.t @@ -24,12 +24,12 @@ local $ENV{TZ} = 'America/Los_Angeles'; tzset(); # Parse the file. -my $path = File::Spec->catfile('t', 'data', 'spin', 'input', '.versions'); +my $path = File::Spec->catfile('t', 'data', 'spin', 'input', '.versions'); my $versions = App::DocKnot::Spin::Versions->new($path); isa_ok($versions, 'App::DocKnot::Spin::Versions'); # Check the resulting information. -is($versions->version('docknot'), '4.01', 'docknot version'); +is($versions->version('docknot'), '4.01', 'docknot version'); is($versions->release_date('docknot'), '2021-02-27', 'docknot release date'); is( $versions->latest_release('software/docknot/index.th'), 1614460092, @@ -37,17 +37,17 @@ is( ); # Unknown products or files. -is($versions->version('unknown'), undef, 'unknown version'); -is($versions->release_date('unknown'), undef, 'unknown release date'); -is($versions->latest_release('index.th'), 0, 'unknown file index.th'); +is($versions->version('unknown'), undef, 'unknown version'); +is($versions->release_date('unknown'), undef, 'unknown release date'); +is($versions->latest_release('index.th'), 0, 'unknown file index.th'); # Check continuation handling and a line without dependencies. my $inputdir = File::Spec->catfile('t', 'data', 'spin', 'versions'); -$path = File::Spec->catfile($inputdir, 'continuation'); +$path = File::Spec->catfile($inputdir, 'continuation'); $versions = App::DocKnot::Spin::Versions->new($path); -is($versions->version('docknot'), '4.01', 'docknot version'); -is($versions->release_date('docknot'), '2021-02-27', 'docknot release date'); -is($versions->version('other-package'), '1.00', 'other-package version'); +is($versions->version('docknot'), '4.01', 'docknot version'); +is($versions->release_date('docknot'), '2021-02-27', 'docknot release date'); +is($versions->version('other-package'), '1.00', 'other-package version'); is( $versions->release_date('other-package'), '2021-09-07', 'other-package release date', diff --git a/t/style/coverage.t b/t/style/coverage.t index 5fd6feb..57222d5 100755 --- a/t/style/coverage.t +++ b/t/style/coverage.t @@ -6,7 +6,7 @@ # which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>. # # Written by Russ Allbery <eagle@eyrie.org> -# Copyright 2019-2020 Russ Allbery <eagle@eyrie.org> +# Copyright 2019-2021 Russ Allbery <eagle@eyrie.org> # Copyright 2013-2014 # The Board of Trustees of the Leland Stanford Junior University # @@ -30,7 +30,7 @@ # # SPDX-License-Identifier: MIT -use 5.008; +use 5.010; use strict; use warnings; @@ -52,10 +52,11 @@ use_prereq('Devel::Cover'); use_prereq('Test::Strict'); # Build a list of test directories to use for coverage. -my %ignore = map { $_ => 1 } qw(data docs style), @COVERAGE_SKIP_TESTS; -opendir(my $testdir, 't') or BAIL_OUT("cannot open t: $!"); +my %ignore = map { $_ => 1 } qw(config data docs lib style), + @COVERAGE_SKIP_TESTS; +opendir(my $testdir, 't') or BAIL_OUT("cannot open t: $!"); my @t_dirs = readdir($testdir) or BAIL_OUT("cannot read t: $!"); -closedir($testdir) or BAIL_OUT("cannot close t: $!"); +closedir($testdir) or BAIL_OUT("cannot close t: $!"); # Filter out ignored and system directories. @t_dirs = grep { !$ignore{$_} } File::Spec->no_upwards(@t_dirs); diff --git a/t/style/critic.t b/t/style/critic.t index 9794b39..d515221 100755 --- a/t/style/critic.t +++ b/t/style/critic.t @@ -31,7 +31,7 @@ # # SPDX-License-Identifier: MIT -use 5.008; +use 5.010; use strict; use warnings; diff --git a/t/style/minimum-version.t b/t/style/minimum-version.t index 861367d..6a5aa89 100755 --- a/t/style/minimum-version.t +++ b/t/style/minimum-version.t @@ -6,7 +6,7 @@ # which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>. # # Written by Russ Allbery <eagle@eyrie.org> -# Copyright 2019 Russ Allbery <eagle@eyrie.org> +# Copyright 2019, 2021 Russ Allbery <eagle@eyrie.org> # Copyright 2013-2014 # The Board of Trustees of the Leland Stanford Junior University # @@ -30,7 +30,7 @@ # # SPDX-License-Identifier: MIT -use 5.008; +use 5.010; use strict; use warnings; diff --git a/t/style/module-version.t b/t/style/module-version.t index 0d78c3d..2601f81 100755 --- a/t/style/module-version.t +++ b/t/style/module-version.t @@ -11,7 +11,7 @@ # # SPDX-License-Identifier: MIT -use 5.008; +use 5.010; use strict; use warnings; @@ -42,9 +42,9 @@ if (@ARGV) { # Throws: Text exception if MYMETA.json is not found or doesn't contain a # version sub dist_version { - my $json = JSON::PP->new->utf8(1); + my $json = JSON::PP->new->utf8(1); my $metadata = $json->decode(scalar(slurp('MYMETA.json'))); - my $version = $metadata->{version}; + my $version = $metadata->{version}; if (!defined($version)) { die "$0: cannot find version number in MYMETA.json\n"; } @@ -121,7 +121,7 @@ Russ Allbery <eagle@eyrie.org> =head1 COPYRIGHT AND LICENSE -Copyright 2014-2016, 2019-2020 Russ Allbery <eagle@eyrie.org> +Copyright 2014-2016, 2019-2021 Russ Allbery <eagle@eyrie.org> Copyright 2013-2014 The Board of Trustees of the Leland Stanford Junior University diff --git a/t/style/strict.t b/t/style/strict.t index b83d348..a2f5b99 100755 --- a/t/style/strict.t +++ b/t/style/strict.t @@ -6,7 +6,7 @@ # which can be found at <https://www.eyrie.org/~eagle/software/rra-c-util/>. # # Written by Russ Allbery <eagle@eyrie.org> -# Copyright 2016, 2018-2020 Russ Allbery <eagle@eyrie.org> +# Copyright 2016, 2018-2021 Russ Allbery <eagle@eyrie.org> # Copyright 2013-2014 # The Board of Trustees of the Leland Stanford Junior University # @@ -30,7 +30,7 @@ # # SPDX-License-Identifier: MIT -use 5.008; +use 5.010; use strict; use warnings; @@ -59,7 +59,7 @@ my %EXCLUDE = map { $_ => 1 } qw(.git blib); # Returns: 1 if it should be checked, undef otherwise. sub should_check { my ($file) = @_; - return if $EXCLUDE{$file}; + return if $EXCLUDE{$file}; return 1 if -d $file; return 1 if $file =~ m{ [.] PL \z }xms; return; diff --git a/t/update/basic.t b/t/update/basic.t index a21343f..5dc2be1 100755 --- a/t/update/basic.t +++ b/t/update/basic.t @@ -39,11 +39,11 @@ my $tempdir = File::Temp->newdir(); for my $test (@tests) { my $metadata_path = File::Spec->catfile($dataroot, $test, 'old'); my $expected_path = File::Spec->catfile($dataroot, $test, 'docknot.yaml'); - my $output_path = File::Spec->catfile($tempdir, "$test.yaml"); - my $docknot = App::DocKnot::Update->new( + my $output_path = File::Spec->catfile($tempdir, "$test.yaml"); + my $docknot = App::DocKnot::Update->new( { metadata => $metadata_path, - output => $output_path, + output => $output_path, }, ); isa_ok($docknot, 'App::DocKnot::Update', "for $test"); |