authorRuss Allbery <eagle@eyrie.org>2020-08-08 18:16:50 -0700
committerRuss Allbery <eagle@eyrie.org>2020-08-08 19:18:23 -0700
commit85a8058469ebf79726a0cace90ff2e83614ec92e (patch)
tree82102e26d4e74deb9da9687254a86d3d8b2fc45e
parentcae3c1c58e519607656be34a4f1011c80b349326 (diff)
Switch to GitHub Actions for CI tests
Install a full KDC for both MIT Kerberos and Heimdal and run a matrix of tests using it. Enable anonymous PKINIT on the KDC so that remctl anonymous support can be tested.
-rw-r--r--.github/workflows/build.yaml49
-rw-r--r--.travis.yml29
-rw-r--r--ci/files/heimdal/heimdal-kdc9
-rw-r--r--ci/files/heimdal/kadmind.acl1
-rw-r--r--ci/files/heimdal/kdc.conf27
-rw-r--r--ci/files/heimdal/krb5.conf19
-rw-r--r--ci/files/mit/extensions.client19
-rw-r--r--ci/files/mit/extensions.kdc20
-rw-r--r--ci/files/mit/kadm5.acl1
-rw-r--r--ci/files/mit/kdc.conf19
-rw-r--r--ci/files/mit/krb5.conf19
-rwxr-xr-xci/install11
-rwxr-xr-xci/kdc-setup-heimdal77
-rwxr-xr-xci/kdc-setup-mit74
-rwxr-xr-xci/test26
15 files changed, 362 insertions, 38 deletions
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
new file mode 100644
index 0000000..5f96eaf
--- /dev/null
+++ b/.github/workflows/build.yaml
@@ -0,0 +1,49 @@
+name: build
+
+on:
+ push:
+ branches-ignore:
+ - "debian/**"
+ - "pristine-tar"
+ - "ubuntu/**"
+ - "upstream/**"
+ tags:
+ - "release/*"
+ pull_request:
+ branches:
+ - master
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ env:
+ AUTHOR_TESTING: 1
+ C_TAP_VERBOSE: 1
+ REMCTL_PYTHON_VERSIONS: "python2 python3"
+
+ strategy:
+ fail-fast: false
+ matrix:
+ compiler:
+ - "gcc"
+ - "clang"
+ kerberos:
+ - "mit"
+ - "heimdal"
+
+ steps:
+ - uses: actions/checkout@v2
+ - name: install
+ run: sudo ci/install
+ - name: kdc-setup-mit
+ run: sudo ci/kdc-setup-mit
+ if: matrix.kerberos == 'mit'
+ - name: kdc-setup-heimdal
+ run: sudo ci/kdc-setup-heimdal
+ if: matrix.kerberos == 'heimdal'
+ - name: test
+ run: ci/test
+ env:
+ COMPILER: ${{ matrix.compiler }}
+ KERBEROS: ${{ matrix.kerberos }}
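Review bot: The `install` step on line 72 runs `sudo ci/install` without `COMPILER`/`KERBEROS`: the workflow sets them only on the `test` step (lines 81-83), and sudo normally resets the caller's environment anyway, so ci/install's "gcc build and MIT Kerberos only" branch always sees its `gcc`/`mit` defaults and the extra Python dev requirements get installed in every matrix cell. Move the two variables into the job-level `env:` block next to `AUTHOR_TESTING` and invoke the step as `sudo --preserve-env=COMPILER,KERBEROS ci/install` (the two KDC setup scripts do not read them, so they can stay as they are). Separately, `actions/checkout@v2` is a mutable tag; pin it to a full commit SHA and add a top-level `permissions:` block with `contents: read`, since scripts from the checked-out tree run as root on the runner and nothing in this job needs a writable `GITHUB_TOKEN`.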
diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644
index 3501e0c..0000000
--- a/.travis.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Configuration for Travis-CI continuous integration.
-#
-# Copyright 2016, 2018-2019 Russ Allbery <eagle@eyrie.org>
-#
-# SPDX-License-Identifier: MIT
-
-sudo: required
-dist: bionic
-
-cache:
- directories:
- - $HOME/.cache/pip
-
-language: c
-compiler:
- - gcc
- - clang
-
-before_install: sudo ci/install
-script: ci/test
-
-branches:
- except:
- - /^archive\/debian\/.*/
- - /^debian\/.*/
- - java
- - pristine-tar
- - /^ubuntu\/.*/
- - /^upstream\/.*/
diff --git a/ci/files/heimdal/heimdal-kdc b/ci/files/heimdal/heimdal-kdc
new file mode 100644
index 0000000..d781463
--- /dev/null
+++ b/ci/files/heimdal/heimdal-kdc
@@ -0,0 +1,9 @@
+# Heimdal KDC init script setup. -*- sh -*-
+
+# KDC configuration.
+KDC_ENABLED=yes
+KDC_PARAMS='--config-file=/etc/heimdal-kdc/kdc.conf'
+
+# kpasswdd configuration.
+KPASSWDD_ENABLED=yes
+KPASSWDD_PARAMS='-r HEIMDAL.TEST'
diff --git a/ci/files/heimdal/kadmind.acl b/ci/files/heimdal/kadmind.acl
new file mode 100644
index 0000000..2f4a084
--- /dev/null
+++ b/ci/files/heimdal/kadmind.acl
@@ -0,0 +1 @@
+test/wallet@HEIMDAL.TEST all,get-keys wallet/*@HEIMDAL.TEST
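Review bot: The single entry grants `test/wallet@HEIMDAL.TEST` `all,get-keys` over `wallet/*@HEIMDAL.TEST`, but ci/kdc-setup-heimdal creates no `test/wallet` principal, so this file looks like a carry-over from the wallet package and grants nothing usable in this realm. Either trim it to an empty ACL (the setup script only uses `kadmin -l`, which I believe does not consult it) or add a comment naming the remctl test that needs a kadmind grant, so a later reader does not assume the principal exists.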
diff --git a/ci/files/heimdal/kdc.conf b/ci/files/heimdal/kdc.conf
new file mode 100644
index 0000000..6e755a3
--- /dev/null
+++ b/ci/files/heimdal/kdc.conf
@@ -0,0 +1,27 @@
+# Heimdal KDC configuration. -*- conf -*-
+
+[kadmin]
+ default_keys = aes256-cts-hmac-sha1-96:pw-salt
+
+[kdc]
+ acl_file = /etc/heimdal-kdc/kadmind.acl
+ check-ticket-addresses = false
+ logging = SYSLOG:NOTICE
+ ports = 88
+
+ # PKINIT configuration.
+ enable-pkinit = yes
+ pkinit_identity = FILE:/etc/heimdal-kdc/kdc.pem
+ pkinit_anchors = FILE:/etc/heimdal-kdc/ca/ca.pem
+
+[libdefaults]
+ default_realm = HEIMDAL.TEST
+ dns_lookup_kdc = false
+ dns_lookup_realm = false
+
+[realms]
+ HEIMDAL.TEST.EYRIE.ORG = {
+ kdc = 127.0.0.1
+ master_kdc = 127.0.0.1
+ admin_server = 127.0.0.1
+ }
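Review bot: The `[realms]` stanza on line 169 is for `HEIMDAL.TEST.EYRIE.ORG`, but the realm named by this file's `default_realm`, by `kadmin -l init` in ci/kdc-setup-heimdal and by every principal is `HEIMDAL.TEST`, so the `kdc`/`master_kdc`/`admin_server` entries here apply to a realm that does not exist; change it to `HEIMDAL.TEST = {` to match ci/files/heimdal/krb5.conf. `check-ticket-addresses = false` on line 154 relaxes a default without saying why; presumably the runner's addresses make addressed tickets unusable, in which case a comment such as `# Test realm only: do not enforce ticket addresses.` would stop the line being copied into a real deployment.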
diff --git a/ci/files/heimdal/krb5.conf b/ci/files/heimdal/krb5.conf
new file mode 100644
index 0000000..a2b22c2
--- /dev/null
+++ b/ci/files/heimdal/krb5.conf
@@ -0,0 +1,19 @@
+[libdefaults]
+ default_realm = HEIMDAL.TEST
+ dns_lookup_kdc = false
+ dns_lookup_realm = false
+ rdns = false
+ renew_lifetime = 7d
+ ticket_lifetime = 25h
+
+[realms]
+ HEIMDAL.TEST = {
+ kdc = 127.0.0.1
+ master_kdc = 127.0.0.1
+ admin_server = 127.0.0.1
+ pkinit_anchors = FILE:/etc/heimdal-kdc/ca/ca.pem
+ }
+
+[logging]
+ kdc = SYSLOG:NOTICE
+ default = SYSLOG:NOTICE
diff --git a/ci/files/mit/extensions.client b/ci/files/mit/extensions.client
new file mode 100644
index 0000000..5a1bbc2
--- /dev/null
+++ b/ci/files/mit/extensions.client
@@ -0,0 +1,19 @@
+[client_cert]
+basicConstraints=CA:FALSE
+keyUsage=digitalSignature,keyEncipherment,keyAgreement
+extendedKeyUsage=1.3.6.1.5.2.3.4
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+issuerAltName=issuer:copy
+subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
+
+[princ_name]
+realm=EXP:0,GeneralString:${ENV::REALM}
+principal_name=EXP:1,SEQUENCE:principal_seq
+
+[principal_seq]
+name_type=EXP:0,INTEGER:1
+name_string=EXP:1,SEQUENCE:principals
+
+[principals]
+princ1=GeneralString:${ENV::CLIENT}
diff --git a/ci/files/mit/extensions.kdc b/ci/files/mit/extensions.kdc
new file mode 100644
index 0000000..cbff73b
--- /dev/null
+++ b/ci/files/mit/extensions.kdc
@@ -0,0 +1,20 @@
+[kdc_cert]
+basicConstraints=CA:FALSE
+keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
+extendedKeyUsage=1.3.6.1.5.2.3.5
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+issuerAltName=issuer:copy
+subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
+
+[kdc_princ_name]
+realm=EXP:0,GeneralString:${ENV::REALM}
+principal_name=EXP:1,SEQUENCE:kdc_principal_seq
+
+[kdc_principal_seq]
+name_type=EXP:0,INTEGER:1
+name_string=EXP:1,SEQUENCE:kdc_principals
+
+[kdc_principals]
+princ1=GeneralString:krbtgt
+princ2=GeneralString:${ENV::REALM}
diff --git a/ci/files/mit/kadm5.acl b/ci/files/mit/kadm5.acl
new file mode 100644
index 0000000..ace748f
--- /dev/null
+++ b/ci/files/mit/kadm5.acl
@@ -0,0 +1 @@
+test/wallet@MIT.TEST admci wallet/*@MIT.TEST
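Review bot: The only ACL entry grants `test/wallet@MIT.TEST` `admci` over `wallet/*@MIT.TEST`, yet ci/kdc-setup-mit never creates a `test/wallet` principal (it creates only `test/keytab` and `WELLKNOWN/ANONYMOUS`) while `krb5-admin-server` is started with this file, so the entry appears to be inherited from the wallet package and is inert here. Either drop the line (an empty ACL grants nothing over the network, and the setup script uses `kadmin.local`, which bypasses it) or replace it with the principal remctl's tests actually use, with a comment saying which test needs kadmin access.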
diff --git a/ci/files/mit/kdc.conf b/ci/files/mit/kdc.conf
new file mode 100644
index 0000000..2d32f29
--- /dev/null
+++ b/ci/files/mit/kdc.conf
@@ -0,0 +1,19 @@
+[kdcdefaults]
+ kdc_ports = 88
+ kdc_tcp_ports = 88
+ restrict_anonymous_to_tgt = false
+
+[realms]
+ MIT.TEST = {
+ database_name = /var/lib/krb5kdc/principal
+ admin_keytab = /var/lib/krb5kdc/kadm5.keytab
+ acl_file = /etc/krb5kdc/kadm5.acl
+ key_stash_file = /var/lib/krb5kdc/stash
+ max_life = 1d 1h 0m 0s
+ max_renewable_life = 7d 0h 0m 0s
+ master_key_type = aes256-cts
+ supported_enctypes = aes256-cts:normal
+ default_principal_flags = +preauth
+ pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
+ pkinit_anchors = FILE:/etc/krb5kdc/cacert.pem
+ }
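Review bot: `restrict_anonymous_to_tgt = false` on line 266 is the one setting here that loosens a default — it lets anonymous PKINIT clients obtain service tickets rather than only a TGT — and it carries no explanation; presumably it is what lets remctl's anonymous tests authenticate to remctld, so I would annotate it: `# Let anonymous (PKINIT) clients get service tickets, not just a TGT; remctl's anonymous tests need this. Test realm only.` The `pkinit_identity`/`pkinit_anchors` paths are likewise only meaningful once ci/kdc-setup-mit has generated the CA and KDC certificates; a one-line comment pointing at that script would help the next reader.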
diff --git a/ci/files/mit/krb5.conf b/ci/files/mit/krb5.conf
new file mode 100644
index 0000000..9b0d5ab
--- /dev/null
+++ b/ci/files/mit/krb5.conf
@@ -0,0 +1,19 @@
+[libdefaults]
+ default_realm = MIT.TEST
+ dns_lookup_kdc = false
+ dns_lookup_realm = false
+ rdns = false
+ renew_lifetime = 7d
+ ticket_lifetime = 25h
+
+[realms]
+ MIT.TEST = {
+ kdc = 127.0.0.1
+ master_kdc = 127.0.0.1
+ admin_server = 127.0.0.1
+ pkinit_anchors = FILE:/etc/krb5kdc/cacert.pem
+ }
+
+[logging]
+ kdc = SYSLOG:NOTICE
+ default = SYSLOG:NOTICE
diff --git a/ci/install b/ci/install
index 9a4feea..56e8df0 100755
--- a/ci/install
+++ b/ci/install
@@ -14,6 +14,11 @@
set -eux
+# Normally, COMPILER and KERBEROS are set based on the CI matrix, but provide
+# a default in case someone runs this test by hand.
+COMPILER="${COMPILER:-gcc}"
+KERBEROS="${KERBEROS:-mit}"
+
# Install packages.
apt-get update -qq
apt-get install -y cpanminus krb5-config libevent-dev libkrb5-dev \
@@ -22,7 +27,7 @@ apt-get install -y cpanminus krb5-config libevent-dev libkrb5-dev \
perl php-cli php-dev pkg-config python3-all-dev python3-pip \
python3-pytest python3-pytest-runner python3-setuptools \
python-all-dev python-pytest python-pytest-runner python-setuptools \
- python-typing ruby-all-dev
+ python-typing ruby-all-dev valgrind
# Dependencies for Perl bindings and Perl tests.
#
@@ -36,7 +41,7 @@ cpanm Test::MinimumVersion || true
cpanm Test::Perl::Critic || true
# Dependencies for additional style checks for the Python bindings. These are
-# only run as part of the GCC build.
-if [ "$TRAVIS_COMPILER" = "gcc" ]; then
+# only run as part of the GCC build and MIT Kerberos test.
+if [ "$COMPILER" = "gcc" ] && [ "$KERBEROS" = "mit" ]; then
pip3 install -r python/requirements-dev.txt
fi
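Review bot: The `[ "$COMPILER" = "gcc" ] && [ "$KERBEROS" = "mit" ]` test on line 335 only does what its comment says if those variables reach the script, and the workflow runs this file as `sudo ci/install` without setting either on that step, so both fall back to the defaults added earlier in this file (`gcc`/`mit`) and `pip3 install -r python/requirements-dev.txt` runs in every matrix cell. Either export them at job level in build.yaml and run `sudo --preserve-env=COMPILER,KERBEROS ci/install`, or, if installing the dev requirements everywhere is acceptable, drop the condition so the comment matches what actually happens.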
diff --git a/ci/kdc-setup-heimdal b/ci/kdc-setup-heimdal
new file mode 100755
index 0000000..975ee2e
--- /dev/null
+++ b/ci/kdc-setup-heimdal
@@ -0,0 +1,77 @@
+#!/bin/sh
+#
+# Build a Kerberos test realm for Heimdal.
+#
+# This script automates the process of setting up a Kerberos test realm from
+# scratch suitable for testing pam-krb5. It is primarily intended to be run
+# from inside CI in a VM or container from the top of the wallet source tree,
+# and must be run as root. It expects to be operating on the Debian Heimdal
+# package.
+#
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: MIT
+
+set -eux
+
+# Install the KDC.
+apt-get install heimdal-kdc
+
+# Install its configuration files.
+cp ci/files/heimdal/heimdal-kdc /etc/default/heimdal-kdc
+cp ci/files/heimdal/kadmind.acl /etc/heimdal-kdc/kadmind.acl
+cp ci/files/heimdal/kdc.conf /etc/heimdal-kdc/kdc.conf
+cp ci/files/heimdal/krb5.conf /etc/krb5.conf
+
+# Some versions of heimdal-kdc require this.
+ln -s /etc/heimdal-kdc/kadmind.acl /var/lib/heimdal-kdc/kadmind.acl
+
+# Add domain-realm mappings for the local host, since otherwise Heimdal and
+# MIT Kerberos may attempt to discover the realm of the local domain, and the
+# DNS server for GitHub Actions has a habit of just not responding and causing
+# the test to hang.
+cat <<EOF >>/etc/krb5.conf
+[domain_realm]
+ $(hostname -f) = HEIMDAL.TEST
+EOF
+cat <<EOF >>/etc/heimdal-kdc/kdc.conf
+[domain_realm]
+ $(hostname -f) = HEIMDAL.TEST
+EOF
+
+# Create the basic KDC.
+kstash --random-key
+kadmin -l init --realm-max-ticket-life='1 day 1 hour' \
+ --realm-max-renewable-life='1 week' HEIMDAL.TEST
+
+# Set default principal policies.
+kadmin -l modify --attributes=requires-pre-auth,disallow-svr \
+ default@HEIMDAL.TEST
+
+# Create and store the keytab.
+kadmin -l add -r --use-defaults --attributes=requires-pre-auth \
+ test/keytab@HEIMDAL.TEST
+kadmin -l ext_keytab -k tests/config/keytab test/keytab@HEIMDAL.TEST
+echo 'test/keytab@HEIMDAL.TEST' >tests/config/principal
+
+# Create the root CA for PKINIT.
+mkdir -p /etc/heimdal-kdc/ca
+hxtool issue-certificate --self-signed --issue-ca --generate-key=rsa \
+ --subject=CN=CA,DC=HEIMDAL,DC=TEST --lifetime=10years \
+ --certificate=FILE:/etc/heimdal-kdc/ca/ca.pem
+chmod 644 /etc/heimdal-kdc/ca/ca.pem
+
+# Create the certificate for the Heimdal Kerberos KDC.
+hxtool issue-certificate --ca-certificate=FILE:/etc/heimdal-kdc/ca/ca.pem \
+ --generate-key=rsa --type=pkinit-kdc \
+ --pk-init-principal=krbtgt/HEIMDAL.TEST@HEIMDAL.TEST \
+ --subject=uid=kdc,DC=HEIMDAL,DC=TEST \
+ --certificate=FILE:/etc/heimdal-kdc/kdc.pem
+chmod 644 /etc/heimdal-kdc/kdc.pem
+
+# Fix permissions on all the newly-created files.
+chmod 644 tests/config/*
+
+# Restart the Heimdal KDC and services.
+systemctl stop heimdal-kdc
+systemctl start heimdal-kdc
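Review bot: The `chmod 644` on lines 405 and 413 very likely make private keys world-readable: as far as I recall, `hxtool issue-certificate --generate-key` writes the generated key into the same `FILE:` as the certificate, so `ca.pem` and `kdc.pem` each carry a key next to the cert. Only the CA certificate needs to be client-readable for `pkinit_anchors`, so write a key-less copy for that purpose (e.g. `openssl x509 -in /etc/heimdal-kdc/ca/ca.pem -out /etc/heimdal-kdc/ca/ca-cert.pem`, and point kdc.conf and krb5.conf at it) and leave the originals at 0600. Unlike ci/kdc-setup-mit, this script never creates `WELLKNOWN/ANONYMOUS@HEIMDAL.TEST` or ends with an anonymous kinit smoke test, so the Heimdal cell may not exercise the anonymous PKINIT support the commit message cites; I believe Heimdal's KDC needs that principal in the database, so add `kadmin -l add -r --use-defaults WELLKNOWN/ANONYMOUS@HEIMDAL.TEST` and verify with Heimdal's `kinit --anonymous` (or equivalent) after the restart. `apt-get install heimdal-kdc` on line 361 lacks the `-y` that ci/install uses, so an interactive confirmation prompt would abort the run under `set -e`. The header comment still says the script tests pam-krb5 from the wallet source tree; reword it for remctl.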
diff --git a/ci/kdc-setup-mit b/ci/kdc-setup-mit
new file mode 100755
index 0000000..349407d
--- /dev/null
+++ b/ci/kdc-setup-mit
@@ -0,0 +1,74 @@
+#!/bin/sh
+#
+# Build a Kerberos test realm for MIT Kerberos
+#
+# This script automates the process of setting up a Kerberos test realm from
+# scratch suitable for testing pam-krb5. It is primarily intended to be run
+# from inside CI in a VM or container from the top of the wallet source tree,
+# and must be run as root. It expects to be operating on the Debian MIT
+# Kerberos package.
+#
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: MIT
+
+set -eux
+
+# Install the KDC and the OpenSSL command-line tool.
+apt-get install krb5-admin-server krb5-kdc krb5-pkinit openssl
+
+# Install its configuration files.
+cp ci/files/mit/extensions.client /etc/krb5kdc/extensions.client
+cp ci/files/mit/extensions.kdc /etc/krb5kdc/extensions.kdc
+cp ci/files/mit/kadm5.acl /etc/krb5kdc/kadm5.acl
+cp ci/files/mit/kdc.conf /etc/krb5kdc/kdc.conf
+cp ci/files/mit/krb5.conf /etc/krb5.conf
+
+# Add domain-realm mappings for the local host, since otherwise Heimdal and
+# MIT Kerberos may attempt to discover the realm of the local domain, and the
+# DNS server for GitHub Actions has a habit of just not responding and causing
+# the test to hang.
+cat <<EOF >>/etc/krb5.conf
+[domain_realm]
+ $(hostname -f) = MIT.TEST
+EOF
+
+# Create the basic KDC.
+kdb5_util create -s -P 'this is a test master database password'
+
+# Create and store the keytab.
+kadmin.local -q 'add_principal +requires_preauth -randkey test/keytab@MIT.TEST'
+kadmin.local -q 'ktadd -k tests/config/keytab test/keytab@MIT.TEST'
+echo 'test/keytab@MIT.TEST' >tests/config/principal
+
+# Enable anonymous PKINIT.
+kadmin.local -q 'addprinc -randkey WELLKNOWN/ANONYMOUS'
+
+# Create the root CA for PKINIT.
+openssl genrsa -out /etc/krb5kdc/cakey.pem 2048
+openssl req -key /etc/krb5kdc/cakey.pem -new -x509 \
+ -out /etc/krb5kdc/cacert.pem -subj "/CN=MIT.TEST CA" -days 3650
+chmod 755 /etc/krb5kdc
+chmod 644 /etc/krb5kdc/cacert.pem
+
+# Create the certificate for the MIT Kerberos KDC.
+openssl genrsa -out /var/lib/krb5kdc/kdckey.pem 2048
+openssl req -new -out /var/lib/krb5kdc/kdc.req \
+ -key /var/lib/krb5kdc/kdckey.pem -subj "/CN=MIT.TEST"
+REALM=MIT.TEST openssl x509 -req -in /var/lib/krb5kdc/kdc.req \
+ -CAkey /etc/krb5kdc/cakey.pem -CA /etc/krb5kdc/cacert.pem \
+ -out /var/lib/krb5kdc/kdc.pem -days 365 \
+ -extfile /etc/krb5kdc/extensions.kdc -extensions kdc_cert \
+ -CAcreateserial
+rm /var/lib/krb5kdc/kdc.req
+
+# Fix permissions on all the newly-created files.
+chmod 644 tests/config/*
+
+# Restart the MIT Kerberos KDC and services.
+systemctl stop krb5-kdc krb5-admin-server
+systemctl start krb5-kdc krb5-admin-server
+
+# Ensure that the KDC is running.
+kinit -n @MIT.TEST
+kdestroy
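Review bot: `chmod 755 /etc/krb5kdc` on line 477 makes the directory world-traversable and nothing in the script sets an explicit mode on `cakey.pem` or `kdckey.pem`; newer OpenSSL writes private keys 0600 but older builds honour the umask, so make the intent explicit with `chmod 600 /etc/krb5kdc/cakey.pem /var/lib/krb5kdc/kdckey.pem` rather than rely on the tool — only `cacert.pem` needs to be world-readable for `pkinit_anchors`. `apt-get install` on line 444 has no `-y`, unlike ci/install; an interactive prompt would abort the job under `set -e`, so add `-y` (and `DEBIAN_FRONTEND=noninteractive`). The master password on line 463 is fine for a throwaway realm but is echoed by `set -x`; a comment saying it is deliberately public would stop someone "fixing" it by moving it to a secret later. The header comment still describes testing pam-krb5 from the wallet source tree; it should say remctl.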
diff --git a/ci/test b/ci/test
index ab44c31..64f8eb5 100755
--- a/ci/test
+++ b/ci/test
@@ -8,6 +8,11 @@
set -eux
+# Normally, COMPILER and KERBEROS are set based on the CI matrix, but provide
+# a default in case someone runs this test by hand.
+COMPILER="${COMPILER:-gcc}"
+KERBEROS="${KERBEROS:-mit}"
+
# Configure the build.
export AUTHOR_TESTING=1
export C_TAP_VERBOSE=1
@@ -17,18 +22,27 @@ export REMCTL_PYTHON_VERSIONS="python2 python3"
# GCC (such as what's installed on Travis-CI) uses asm goto, which isn't
# supported by Clang.
./bootstrap
-if [ "$TRAVIS_COMPILER" = "gcc" ]; then
- ./configure --enable-perl --enable-php --enable-python --enable-ruby
+if [ "$KERBEROS" = 'heimdal' ]; then
+ ./configure CC="$COMPILER" PATH_KRB5_CONFIG=/usr/bin/krb5-config.heimdal \
+ --enable-perl --enable-php --enable-python --enable-ruby
else
- ./configure --enable-perl --enable-python --enable-ruby
+ ./configure CC="$COMPILER" \
+ --enable-perl --enable-php --enable-python --enable-ruby
fi
make warnings
-# Run the regular tests.
-make check
+# Run the regular tests with valgrind for one of the compilers. Arbitrarily
+# pick the GCC build. (The assumption here is that other compilers won't
+# produce sufficiently different code as to create memory management
+# problems.)
+if [ "$COMPILER" = 'gcc' ]; then
+ make check-valgrind
+else
+ make check
+fi
# Run additional Python coding style tests, but only in the non-Clang build.
-if [ "$TRAVIS_COMPILER" = "gcc" ]; then
+if [ "$COMPILER" = "gcc" ]; then
cd python
mypy .
mypy --py2 .