author | Russ Allbery <eagle@eyrie.org> | 2020-08-08 18:16:50 -0700 |
committer | Russ Allbery <eagle@eyrie.org> | 2020-08-08 19:18:23 -0700 |
commit | 85a8058469ebf79726a0cace90ff2e83614ec92e (patch) | |
tree | 82102e26d4e74deb9da9687254a86d3d8b2fc45e | |
parent | cae3c1c58e519607656be34a4f1011c80b349326 (diff) |
Switch to GitHub Actions for CI tests
Install a full KDC for both MIT Kerberos and Heimdal and run a
matrix of tests using it. Enable anonymous PKINIT on the KDC so
that remctl anonymous support can be tested.
-rw-r--r-- | .github/workflows/build.yaml | 49 | ||||
-rw-r--r-- | .travis.yml | 29 | ||||
-rw-r--r-- | ci/files/heimdal/heimdal-kdc | 9 | ||||
-rw-r--r-- | ci/files/heimdal/kadmind.acl | 1 | ||||
-rw-r--r-- | ci/files/heimdal/kdc.conf | 27 | ||||
-rw-r--r-- | ci/files/heimdal/krb5.conf | 19 | ||||
-rw-r--r-- | ci/files/mit/extensions.client | 19 | ||||
-rw-r--r-- | ci/files/mit/extensions.kdc | 20 | ||||
-rw-r--r-- | ci/files/mit/kadm5.acl | 1 | ||||
-rw-r--r-- | ci/files/mit/kdc.conf | 19 | ||||
-rw-r--r-- | ci/files/mit/krb5.conf | 19 | ||||
-rwxr-xr-x | ci/install | 11 | ||||
-rwxr-xr-x | ci/kdc-setup-heimdal | 77 | ||||
-rwxr-xr-x | ci/kdc-setup-mit | 74 | ||||
-rwxr-xr-x | ci/test | 26 |
15 files changed, 362 insertions, 38 deletions
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
new file mode 100644
index 0000000..5f96eaf
--- /dev/null
+++ b/.github/workflows/build.yaml
@@ -0,0 +1,49 @@
+name: build
+
+on:
+ push:
+ branches-ignore:
+ - "debian/**"
+ - "pristine-tar"
+ - "ubuntu/**"
+ - "upstream/**"
+ tags:
+ - "release/*"
+ pull_request:
+ branches:
+ - master
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ env:
+ AUTHOR_TESTING: 1
+ C_TAP_VERBOSE: 1
+ REMCTL_PYTHON_VERSIONS: "python2 python3"
+
+ strategy:
+ fail-fast: false
+ matrix:
+ compiler:
+ - "gcc"
+ - "clang"
+ kerberos:
+ - "mit"
+ - "heimdal"
+
+ steps:
+ - uses: actions/checkout@v2
+ - name: install
+ run: sudo ci/install
+ - name: kdc-setup-mit
+ run: sudo ci/kdc-setup-mit
+ if: matrix.kerberos == 'mit'
+ - name: kdc-setup-heimdal
+ run: sudo ci/kdc-setup-heimdal
+ if: matrix.kerberos == 'heimdal'
+ - name: test
+ run: ci/test
+ env:
+ COMPILER: ${{ matrix.compiler }}
+ KERBEROS: ${{ matrix.kerberos }}
diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644
index 3501e0c..0000000
--- a/.travis.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Configuration for Travis-CI continuous integration.
-#
-# Copyright 2016, 2018-2019 Russ Allbery <eagle@eyrie.org>
-#
-# SPDX-License-Identifier: MIT
-
-sudo: required
-dist: bionic
-
-cache:
- directories:
- - $HOME/.cache/pip
-
-language: c
-compiler:
- - gcc
- - clang
-
-before_install: sudo ci/install
-script: ci/test
-
-branches:
- except:
- - /^archive\/debian\/.*/
- - /^debian\/.*/
- - java
- - pristine-tar
- - /^ubuntu\/.*/
- - /^upstream\/.*/
diff --git a/ci/files/heimdal/heimdal-kdc b/ci/files/heimdal/heimdal-kdc
new file mode 100644
index 0000000..d781463
--- /dev/null
+++ b/ci/files/heimdal/heimdal-kdc
@@ -0,0 +1,9 @@
+# Heimdal KDC init script setup. -*- sh -*-
+
+# KDC configuration.
+KDC_ENABLED=yes
+KDC_PARAMS='--config-file=/etc/heimdal-kdc/kdc.conf'
+
+# kpasswdd configuration.
+KPASSWDD_ENABLED=yes
+KPASSWDD_PARAMS='-r HEIMDAL.TEST'
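Review bot: `uses: actions/checkout@v2` in the steps list pins the action to a mutable tag, so the checkout code that runs on every build can change underneath the project; the usual supply-chain hardening for third-party actions is to pin the full commit SHA and keep the tag as a comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v2`. The three `sudo ci/...` steps run repository scripts as root on the runner, which is reasonable for a disposable VM but deserves a one-line comment on the job noting that the KDC setup needs root and the runner is discarded afterwards.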
diff --git a/ci/files/heimdal/kadmind.acl b/ci/files/heimdal/kadmind.acl
new file mode 100644
index 0000000..2f4a084
--- /dev/null
+++ b/ci/files/heimdal/kadmind.acl
@@ -0,0 +1 @@
+test/wallet@HEIMDAL.TEST all,get-keys wallet/*@HEIMDAL.TEST
diff --git a/ci/files/heimdal/kdc.conf b/ci/files/heimdal/kdc.conf
new file mode 100644
index 0000000..6e755a3
--- /dev/null
+++ b/ci/files/heimdal/kdc.conf
@@ -0,0 +1,27 @@
+# Heimdal KDC configuration. -*- conf -*-
+
+[kadmin]
+ default_keys = aes256-cts-hmac-sha1-96:pw-salt
+
+[kdc]
+ acl_file = /etc/heimdal-kdc/kadmind.acl
+ check-ticket-addresses = false
+ logging = SYSLOG:NOTICE
+ ports = 88
+
+ # PKINIT configuration.
+ enable-pkinit = yes
+ pkinit_identity = FILE:/etc/heimdal-kdc/kdc.pem
+ pkinit_anchors = FILE:/etc/heimdal-kdc/ca/ca.pem
+
+[libdefaults]
+ default_realm = HEIMDAL.TEST
+ dns_lookup_kdc = false
+ dns_lookup_realm = false
+
+[realms]
+ HEIMDAL.TEST.EYRIE.ORG = {
+ kdc = 127.0.0.1
+ master_kdc = 127.0.0.1
+ admin_server = 127.0.0.1
+ }
diff --git a/ci/files/heimdal/krb5.conf b/ci/files/heimdal/krb5.conf
new file mode 100644
index 0000000..a2b22c2
--- /dev/null
+++ b/ci/files/heimdal/krb5.conf
@@ -0,0 +1,19 @@
+[libdefaults]
+ default_realm = HEIMDAL.TEST
+ dns_lookup_kdc = false
+ dns_lookup_realm = false
+ rdns = false
+ renew_lifetime = 7d
+ ticket_lifetime = 25h
+
+[realms]
+ HEIMDAL.TEST = {
+ kdc = 127.0.0.1
+ master_kdc = 127.0.0.1
+ admin_server = 127.0.0.1
+ pkinit_anchors = FILE:/etc/heimdal-kdc/ca/ca.pem
+ }
+
+[logging]
+ kdc = SYSLOG:NOTICE
+ default = SYSLOG:NOTICE
diff --git a/ci/files/mit/extensions.client b/ci/files/mit/extensions.client
new file mode 100644
index 0000000..5a1bbc2
--- /dev/null
+++ b/ci/files/mit/extensions.client
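Review bot: The single ACL entry grants `test/wallet@HEIMDAL.TEST` `all,get-keys` over `wallet/*@HEIMDAL.TEST`, but ci/kdc-setup-heimdal in this commit only creates `test/keytab@HEIMDAL.TEST` and never a `test/wallet` principal, so the entry looks like residue from another project's CI rather than something the remctl tests rely on. The same pattern appears in ci/files/mit/kadm5.acl (`test/wallet@MIT.TEST admci wallet/*@MIT.TEST`). If the entry is kept deliberately, a leading comment explaining why it is present would help; otherwise it should be removed or replaced with the principal the tests actually use, since an admin grant nobody needs is the kind of thing that later gets copied into a real deployment.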
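Review bot: The `[realms]` stanza is keyed `HEIMDAL.TEST.EYRIE.ORG` while `default_realm`, the rest of this file, krb5.conf and ci/kdc-setup-heimdal all use `HEIMDAL.TEST`, so the `kdc`/`master_kdc`/`admin_server` addresses here never apply to the realm actually in use and the stanza looks like a copy-and-paste leftover; it should read `HEIMDAL.TEST = {`. It presumably works today only because the installed /etc/krb5.conf carries its own correct `[realms]` entry and the KDC is local. The `# PKINIT configuration.` comment could also note that `pkinit_identity` and `pkinit_anchors` point at files ci/kdc-setup-heimdal generates at setup time, so neither path exists until that script has run.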
@@ -0,0 +1,19 @@
+[client_cert]
+basicConstraints=CA:FALSE
+keyUsage=digitalSignature,keyEncipherment,keyAgreement
+extendedKeyUsage=1.3.6.1.5.2.3.4
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+issuerAltName=issuer:copy
+subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
+
+[princ_name]
+realm=EXP:0,GeneralString:${ENV::REALM}
+principal_name=EXP:1,SEQUENCE:principal_seq
+
+[principal_seq]
+name_type=EXP:0,INTEGER:1
+name_string=EXP:1,SEQUENCE:principals
+
+[principals]
+princ1=GeneralString:${ENV::CLIENT}
diff --git a/ci/files/mit/extensions.kdc b/ci/files/mit/extensions.kdc
new file mode 100644
index 0000000..cbff73b
--- /dev/null
+++ b/ci/files/mit/extensions.kdc
@@ -0,0 +1,20 @@
+[kdc_cert]
+basicConstraints=CA:FALSE
+keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
+extendedKeyUsage=1.3.6.1.5.2.3.5
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+issuerAltName=issuer:copy
+subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
+
+[kdc_princ_name]
+realm=EXP:0,GeneralString:${ENV::REALM}
+principal_name=EXP:1,SEQUENCE:kdc_principal_seq
+
+[kdc_principal_seq]
+name_type=EXP:0,INTEGER:1
+name_string=EXP:1,SEQUENCE:kdc_principals
+
+[kdc_principals]
+princ1=GeneralString:krbtgt
+princ2=GeneralString:${ENV::REALM}
diff --git a/ci/files/mit/kadm5.acl b/ci/files/mit/kadm5.acl
new file mode 100644
index 0000000..ace748f
--- /dev/null
+++ b/ci/files/mit/kadm5.acl
@@ -0,0 +1 @@
+test/wallet@MIT.TEST admci wallet/*@MIT.TEST
diff --git a/ci/files/mit/kdc.conf b/ci/files/mit/kdc.conf
new file mode 100644
index 0000000..2d32f29
--- /dev/null
+++ b/ci/files/mit/kdc.conf
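Review bot: extensions.client is copied into /etc/krb5kdc by ci/kdc-setup-mit, but as far as this commit shows nothing invokes it, and its `[princ_name]`/`[principals]` sections expand `${ENV::REALM}` and `${ENV::CLIENT}`, so whatever consumer does use it must export both variables. A header comment naming that consumer and the required environment would save the next reader a search, e.g. `# OpenSSL extension profile for PKINIT client certificates; the caller must set REALM and CLIENT in the environment.` extensions.kdc would benefit from the same note about `REALM`, which ci/kdc-setup-mit does set on its `openssl x509` line. If no test actually mints client certificates, the file and its `cp` can be dropped.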
@@ -0,0 +1,19 @@
+[kdcdefaults]
+ kdc_ports = 88
+ kdc_tcp_ports = 88
+ restrict_anonymous_to_tgt = false
+
+[realms]
+ MIT.TEST = {
+ database_name = /var/lib/krb5kdc/principal
+ admin_keytab = /var/lib/krb5kdc/kadm5.keytab
+ acl_file = /etc/krb5kdc/kadm5.acl
+ key_stash_file = /var/lib/krb5kdc/stash
+ max_life = 1d 1h 0m 0s
+ max_renewable_life = 7d 0h 0m 0s
+ master_key_type = aes256-cts
+ supported_enctypes = aes256-cts:normal
+ default_principal_flags = +preauth
+ pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
+ pkinit_anchors = FILE:/etc/krb5kdc/cacert.pem
+ }
diff --git a/ci/files/mit/krb5.conf b/ci/files/mit/krb5.conf
new file mode 100644
index 0000000..9b0d5ab
--- /dev/null
+++ b/ci/files/mit/krb5.conf
@@ -0,0 +1,19 @@
+[libdefaults]
+ default_realm = MIT.TEST
+ dns_lookup_kdc = false
+ dns_lookup_realm = false
+ rdns = false
+ renew_lifetime = 7d
+ ticket_lifetime = 25h
+
+[realms]
+ MIT.TEST = {
+ kdc = 127.0.0.1
+ master_kdc = 127.0.0.1
+ admin_server = 127.0.0.1
+ pkinit_anchors = FILE:/etc/krb5kdc/cacert.pem
+ }
+
+[logging]
+ kdc = SYSLOG:NOTICE
+ default = SYSLOG:NOTICE
@@ -14,6 +14,11 @@ set -eux
+# Normally, COMPILER and KERBEROS are set based on the CI matrix, but provide
+# a default in case someone runs this test by hand.
+COMPILER="${COMPILER:-gcc}"
+KERBEROS="${KERBEROS:-mit}"
+
 # Install packages.
 apt-get update -qq
 apt-get install -y cpanminus krb5-config libevent-dev libkrb5-dev \
@@ -22,7 +27,7 @@ apt-get install -y cpanminus krb5-config libevent-dev libkrb5-dev \
 perl php-cli php-dev pkg-config python3-all-dev python3-pip \
 python3-pytest python3-pytest-runner python3-setuptools \
 python-all-dev python-pytest python-pytest-runner python-setuptools \
- python-typing ruby-all-dev
+ python-typing ruby-all-dev valgrind
 # Dependencies for Perl bindings and Perl tests.
 #
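Review bot: `restrict_anonymous_to_tgt = false` under `[kdcdefaults]` is the one security-relevant knob in this file and carries no comment, whereas the Heimdal kdc.conf at least labels its PKINIT block; since the commit message says anonymous PKINIT is enabled so that remctl's anonymous support can be tested, a line above it such as `# Anonymous clients must be able to get service tickets, not just a TGT, for the anonymous remctl tests.` would record why the KDC is permitted to issue service tickets to anonymous principals. The `pkinit_identity` and `pkinit_anchors` paths are generated by ci/kdc-setup-mit rather than shipped with the config, which is also worth a one-line comment so nobody expects them to exist on a fresh checkout.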
@@ -36,7 +41,7 @@ cpanm Test::MinimumVersion || true
 cpanm Test::Perl::Critic || true
 # Dependencies for additional style checks for the Python bindings. These are
-# only run as part of the GCC build.
-if [ "$TRAVIS_COMPILER" = "gcc" ]; then
+# only run as part of the GCC build and MIT Kerberos test.
+if [ "$COMPILER" = "gcc" ] && [ "$KERBEROS" = "mit" ]; then
 pip3 install -r python/requirements-dev.txt
 fi
diff --git a/ci/kdc-setup-heimdal b/ci/kdc-setup-heimdal
new file mode 100755
index 0000000..975ee2e
--- /dev/null
+++ b/ci/kdc-setup-heimdal
@@ -0,0 +1,77 @@
+#!/bin/sh
+#
+# Build a Kerberos test realm for Heimdal.
+#
+# This script automates the process of setting up a Kerberos test realm from
+# scratch suitable for testing pam-krb5. It is primarily intended to be run
+# from inside CI in a VM or container from the top of the wallet source tree,
+# and must be run as root. It expects to be operating on the Debian Heimdal
+# package.
+#
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: MIT
+
+set -eux
+
+# Install the KDC.
+apt-get install heimdal-kdc
+
+# Install its configuration files.
+cp ci/files/heimdal/heimdal-kdc /etc/default/heimdal-kdc
+cp ci/files/heimdal/kadmind.acl /etc/heimdal-kdc/kadmind.acl
+cp ci/files/heimdal/kdc.conf /etc/heimdal-kdc/kdc.conf
+cp ci/files/heimdal/krb5.conf /etc/krb5.conf
+
+# Some versions of heimdal-kdc require this.
+ln -s /etc/heimdal-kdc/kadmind.acl /var/lib/heimdal-kdc/kadmind.acl
+
+# Add domain-realm mappings for the local host, since otherwise Heimdal and
+# MIT Kerberos may attempt to discover the realm of the local domain, and the
+# DNS server for GitHub Actions has a habit of just not responding and causing
+# the test to hang.
+cat <<EOF >>/etc/krb5.conf
+[domain_realm]
+ $(hostname -f) = HEIMDAL.TEST
+EOF
+cat <<EOF >>/etc/heimdal-kdc/kdc.conf
+[domain_realm]
+ $(hostname -f) = HEIMDAL.TEST
+EOF
+
+# Create the basic KDC.
+kstash --random-key
+kadmin -l init --realm-max-ticket-life='1 day 1 hour' \
+ --realm-max-renewable-life='1 week' HEIMDAL.TEST
+
+# Set default principal policies.
+kadmin -l modify --attributes=requires-pre-auth,disallow-svr \
+ default@HEIMDAL.TEST
+
+# Create and store the keytab.
+kadmin -l add -r --use-defaults --attributes=requires-pre-auth \
+ test/keytab@HEIMDAL.TEST
+kadmin -l ext_keytab -k tests/config/keytab test/keytab@HEIMDAL.TEST
+echo 'test/keytab@HEIMDAL.TEST' >tests/config/principal
+
+# Create the root CA for PKINIT.
+mkdir -p /etc/heimdal-kdc/ca
+hxtool issue-certificate --self-signed --issue-ca --generate-key=rsa \
+ --subject=CN=CA,DC=HEIMDAL,DC=TEST --lifetime=10years \
+ --certificate=FILE:/etc/heimdal-kdc/ca/ca.pem
+chmod 644 /etc/heimdal-kdc/ca/ca.pem
+
+# Create the certificate for the Heimdal Kerberos KDC.
+hxtool issue-certificate --ca-certificate=FILE:/etc/heimdal-kdc/ca/ca.pem \
+ --generate-key=rsa --type=pkinit-kdc \
+ --pk-init-principal=krbtgt/HEIMDAL.TEST@HEIMDAL.TEST \
+ --subject=uid=kdc,DC=HEIMDAL,DC=TEST \
+ --certificate=FILE:/etc/heimdal-kdc/kdc.pem
+chmod 644 /etc/heimdal-kdc/kdc.pem
+
+# Fix permissions on all the newly-created files.
+chmod 644 tests/config/*
+
+# Restart the Heimdal KDC and services.
+systemctl stop heimdal-kdc
+systemctl start heimdal-kdc
diff --git a/ci/kdc-setup-mit b/ci/kdc-setup-mit
new file mode 100755
index 0000000..349407d
--- /dev/null
+++ b/ci/kdc-setup-mit
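Review bot: After `systemctl start heimdal-kdc` the script ends without checking that the KDC actually came up or that anonymous PKINIT works, whereas ci/kdc-setup-mit finishes with `kinit -n @MIT.TEST` and `kdestroy`; an equivalent smoke test here (Heimdal's `kinit --anonymous @HEIMDAL.TEST` followed by `kdestroy`, if the packaged kinit supports that option) would make a broken realm fail at setup instead of somewhere inside the test matrix. `apt-get install heimdal-kdc` (and the matching line in ci/kdc-setup-mit) omits `-y` while ci/install passes it; unless the runner's apt is configured non-interactively, a dependency confirmation prompt with no tty will abort and `set -e` stops the script there. The header comment says the realm is "suitable for testing pam-krb5" and that the script runs "from the top of the wallet source tree", which looks carried over from other projects given the `REMCTL_PYTHON_VERSIONS` setting in the workflow; it should name remctl. Finally, if hxtool's `FILE:` store writes the generated private key into the same file as the certificate, `chmod 644 /etc/heimdal-kdc/ca/ca.pem` leaves the CA key world-readable, which is acceptable for a throwaway CI realm but deserves a comment such as `# ca.pem also holds the CA key; this realm is disposable, so leaving it readable by the test user is fine.`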
@@ -0,0 +1,74 @@
+#!/bin/sh
+#
+# Build a Kerberos test realm for MIT Kerberos
+#
+# This script automates the process of setting up a Kerberos test realm from
+# scratch suitable for testing pam-krb5. It is primarily intended to be run
+# from inside CI in a VM or container from the top of the wallet source tree,
+# and must be run as root. It expects to be operating on the Debian MIT
+# Kerberos package.
+#
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: MIT
+
+set -eux
+
+# Install the KDC and the OpenSSL command-line tool.
+apt-get install krb5-admin-server krb5-kdc krb5-pkinit openssl
+
+# Install its configuration files.
+cp ci/files/mit/extensions.client /etc/krb5kdc/extensions.client
+cp ci/files/mit/extensions.kdc /etc/krb5kdc/extensions.kdc
+cp ci/files/mit/kadm5.acl /etc/krb5kdc/kadm5.acl
+cp ci/files/mit/kdc.conf /etc/krb5kdc/kdc.conf
+cp ci/files/mit/krb5.conf /etc/krb5.conf
+
+# Add domain-realm mappings for the local host, since otherwise Heimdal and
+# MIT Kerberos may attempt to discover the realm of the local domain, and the
+# DNS server for GitHub Actions has a habit of just not responding and causing
+# the test to hang.
+cat <<EOF >>/etc/krb5.conf
+[domain_realm]
+ $(hostname -f) = MIT.TEST
+EOF
+
+# Create the basic KDC.
+kdb5_util create -s -P 'this is a test master database password'
+
+# Create and store the keytab.
+kadmin.local -q 'add_principal +requires_preauth -randkey test/keytab@MIT.TEST'
+kadmin.local -q 'ktadd -k tests/config/keytab test/keytab@MIT.TEST'
+echo 'test/keytab@MIT.TEST' >tests/config/principal
+
+# Enable anonymous PKINIT.
+kadmin.local -q 'addprinc -randkey WELLKNOWN/ANONYMOUS'
+
+# Create the root CA for PKINIT.
+openssl genrsa -out /etc/krb5kdc/cakey.pem 2048
+openssl req -key /etc/krb5kdc/cakey.pem -new -x509 \
+ -out /etc/krb5kdc/cacert.pem -subj "/CN=MIT.TEST CA" -days 3650
+chmod 755 /etc/krb5kdc
+chmod 644 /etc/krb5kdc/cacert.pem
+
+# Create the certificate for the MIT Kerberos KDC.
+openssl genrsa -out /var/lib/krb5kdc/kdckey.pem 2048
+openssl req -new -out /var/lib/krb5kdc/kdc.req \
+ -key /var/lib/krb5kdc/kdckey.pem -subj "/CN=MIT.TEST"
+REALM=MIT.TEST openssl x509 -req -in /var/lib/krb5kdc/kdc.req \
+ -CAkey /etc/krb5kdc/cakey.pem -CA /etc/krb5kdc/cacert.pem \
+ -out /var/lib/krb5kdc/kdc.pem -days 365 \
+ -extfile /etc/krb5kdc/extensions.kdc -extensions kdc_cert \
+ -CAcreateserial
+rm /var/lib/krb5kdc/kdc.req
+
+# Fix permissions on all the newly-created files.
+chmod 644 tests/config/*
+
+# Restart the MIT Kerberos KDC and services.
+systemctl stop krb5-kdc krb5-admin-server
+systemctl start krb5-kdc krb5-admin-server
+
+# Ensure that the KDC is running.
+kinit -n @MIT.TEST
+kdestroy
@@ -8,6 +8,11 @@ set -eux
+# Normally, COMPILER and KERBEROS are set based on the CI matrix, but provide
+# a default in case someone runs this test by hand.
+COMPILER="${COMPILER:-gcc}"
+KERBEROS="${KERBEROS:-mit}"
+
 # Configure the build.
 export AUTHOR_TESTING=1
 export C_TAP_VERBOSE=1
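Review bot: `chmod 755 /etc/krb5kdc` opens the directory so that unprivileged tests can read `cacert.pem`, but the CA private key `cakey.pem` sits in the same directory with whatever mode `openssl genrsa` left on it (I believe 0600 on current OpenSSL releases, but the script does not state or enforce that); an explicit `chmod 600 /etc/krb5kdc/cakey.pem` after the first `genrsa` line, or a comment naming the mode the script relies on, would make the intent visible. `kdb5_util create -s -P '...'` passes the master password on the command line, where `set -x` echoes it into the CI log; that is harmless for a fixture realm, but a comment saying so would stop the next reader from treating it as an oversight. `extensions.client` is copied into /etc/krb5kdc yet nothing in this script uses it, so either name its consumer in a comment or drop the `cp`.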
@@ -17,18 +22,27 @@ export REMCTL_PYTHON_VERSIONS="python2 python3"
 # GCC (such as what's installed on Travis-CI) uses asm goto, which isn't
 # supported by Clang.
 ./bootstrap
-if [ "$TRAVIS_COMPILER" = "gcc" ]; then
- ./configure --enable-perl --enable-php --enable-python --enable-ruby
+if [ "$KERBEROS" = 'heimdal' ]; then
+ ./configure CC="$COMPILER" PATH_KRB5_CONFIG=/usr/bin/krb5-config.heimdal \
+ --enable-perl --enable-php --enable-python --enable-ruby
 else
- ./configure --enable-perl --enable-python --enable-ruby
+ ./configure CC="$COMPILER" \
+ --enable-perl --enable-php --enable-python --enable-ruby
 fi
 make warnings
-# Run the regular tests.
-make check
+# Run the regular tests with valgrind for one of the compilers. Arbitrarily
+# pick the GCC build. (The assumption here is that other compilers won't
+# produce sufficiently different code as to create memory management
+# problems.)
+if [ "$COMPILER" = 'gcc' ]; then
+ make check-valgrind
+else
+ make check
+fi
 # Run additional Python coding style tests, but only in the non-Clang build.
-if [ "$TRAVIS_COMPILER" = "gcc" ]; then
+if [ "$COMPILER" = "gcc" ]; then
 cd python
 mypy .
 mypy --py2 .
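Review bot: The last `if` now runs `mypy .` whenever `COMPILER` is gcc, but ci/install in this same commit only runs `pip3 install -r python/requirements-dev.txt` when `COMPILER` is gcc and `KERBEROS` is mit, so the gcc+heimdal matrix entry reaches `mypy` without having installed it (assuming requirements-dev.txt is where mypy comes from); the two conditions should agree, `if [ "$COMPILER" = "gcc" ] && [ "$KERBEROS" = "mit" ]; then`, with the comment above it updated to match. The `else` branch of the configure block now passes `--enable-php` for clang as well, while the comment that begins above the hunk still describes a Clang/asm-goto limitation and refers to Travis-CI; if clang can build the PHP bindings now, that comment is stale and should say so, and if not, the clang matrix entries may fail at configure or compile time. The closing `fi` of the final block lies outside the hunk.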