diff --git a/.github/workflows/auto-updates.yaml b/.github/workflows/auto-updates.yaml
new file mode 100644
index 0000000000..ae37fd27fe
--- /dev/null
+++ b/.github/workflows/auto-updates.yaml
@@ -0,0 +1,65 @@
+name: Update translations and Rust packaging related files in main
+on:
+ push:
+ branches:
+ - main
+ paths-ignore:
+ - debian/control
+concurrency: auto-update
+
+jobs:
+ update-rust-packaging:
+ name: Update packaging related Rust files
+ needs: update-po
+ runs-on: ubuntu-latest
+ # Right now, ubuntu 22.04 does not have the dh-cargo-vendored-sources script that is needed to
+ # run this job, so we need to run it inside a rolling container to get the latest version possible.
+ # This should be updated as soon as the dh-cargo version with the mentioned script gets ported to
+ # 22.04 or ubuntu-latest changes to a more recent version.
+ container:
+ image: ubuntu:rolling
+ steps:
+ - name: Install dependencies
+ run: |
+ DEBIAN_FRONTEND=noninteractive apt update
+ DEBIAN_FRONTEND=noninteractive apt install -y cargo dh-cargo git jq
+ - uses: actions/checkout@v4
+ with:
+ ref: main
+ - name: Vendor the dependencies
+ run: |
+ cargo vendor vendor_rust/
+ - name: Update XS-Vendored-Sources-Rust
+ run: |
+ set -eu
+
+ export CARGO_VENDOR_DIR=vendor_rust/
+ VENDORED_SOURCES=$(/usr/share/cargo/bin/dh-cargo-vendored-sources 2>&1 || true)
+ OUTPUT=$(echo "$VENDORED_SOURCES" | grep ^XS-Vendored-Sources-Rust: || true)
+ if [ -z "$OUTPUT" ]; then
+ echo "XS-Vendored-Sources-Rust is up to date. No change is needed.";
+ exit 0
+ fi
+ sed -i "s/^XS-Vendored-Sources-Rust:.*/$OUTPUT/" debian/control
+
+ echo "modified=true" >> $GITHUB_ENV
+ shell: bash
+ # Since we run this job in a container, we need to manually add the safe directory due to some
+ # issues between actions/checkout and actions/runner, which seem to be triggered by multiple
+ # causes (e.g. https://github.com/actions/runner-images/issues/6775, https://github.com/actions/checkout/issues/1048#issuecomment-1356485556).
+ - name: work around permission issue with git vulnerability (we are local here). TO REMOVE
+ run: git config --global --add safe.directory "$PWD"
+ - name: Create Pull Request
+ if: ${{ env.modified == 'true' }}
+ uses: peter-evans/create-pull-request@v5
+ with:
+ commit-message: Auto update packaging related Rust files
+ title: Auto update packaging related Rust files
+ labels: control, automated pr
+ branch: auto-update-rust-packaging
+ delete-branch: true
+ token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Push branch
+ if: ${{ env.modified == 'true' }}
+ run: |
+ git push origin auto-update-rust-packaging:main
diff --git a/debian/apport b/debian/apport
new file mode 100644
index 0000000000..8a38bbe109
--- /dev/null
+++ b/debian/apport
@@ -0,0 +1,12 @@
+'''apport package hook for authd
+
+(c) 2023 Canonical Ltd.
+'''
+
+import apport.hookutils
+
+def add_info(report):
+ apport.hookutils.attach_related_packages(report, ["libpam-runtime", "libpam0g"])
+ apport.hookutils.attach_conffiles(report, 'authd')
+ apport.hookutils.attach_file_if_exists(report, '/etc/pam.d/common-auth')
+ apport.hookutils.attach_file_if_exists(report, '/etc/nsswitch.conf')
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000000..80f99f3742
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,5 @@
+authd (0.1) UNRELEASED; urgency=medium
+
+ * Initial release
+
+ -- Gabriel Nagy Thu, 30 Nov 2023 00:12:07 +0200
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000000..93b78c11fa
--- /dev/null
+++ b/debian/control
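Review bot: In .github/workflows/auto-updates.yaml the `Push branch` step runs `git push origin auto-update-rust-packaging:main` immediately after `Create Pull Request`, so (unless branch protection rejects the push) the generated commit lands on main without the PR being reviewed, and the workflow has no `permissions:` block to bound what `secrets.GITHUB_TOKEN` can do. Since the job genuinely needs write access, I would declare it explicitly (`permissions:` with `contents: write` and `pull-requests: write`), limit what the action commits with `add-paths: debian/control`, and pin `peter-evans/create-pull-request` to a commit SHA instead of `@v5`. Separately, `needs: update-po` names a job that is not defined anywhere in this 65-line file, which GitHub would reject as an invalid workflow unless that job is added. The `2>&1 || true` around dh-cargo-vendored-sources also makes a missing or failing script indistinguishable from "up to date", so a broken container silently stops the updates.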
@@ -0,0 +1,35 @@ +Source: authd +Section: admin +Priority: optional +Maintainer: Ubuntu Developers +Build-Depends: debhelper-compat (= 13), + dbus, + dh-apport, + dh-cargo, + dh-golang, + golang-go (>= 2:1.21~), + jq, + libpam0g-dev, + libc6-dev (>= 2.35), + libpam0g-dev, + pkg-config, + protobuf-compiler, +Standards-Version: 4.6.2 +XS-Go-Import-Path: github.com/ubuntu/authd +XS-Vendored-Sources-Rust: addr2line@0.21.0, adler@1.0.2, aho-corasick@1.0.5, anyhow@1.0.75, async-stream-impl@0.3.5, async-stream@0.3.5, async-trait@0.1.73, autocfg@1.1.0, axum-core@0.3.4, axum@0.6.20, backtrace@0.3.69, base64@0.21.3, bitflags@1.3.2, bitflags@2.4.0, bytes@1.5.0, cc@1.0.84, cfg-if@1.0.0, colored@2.0.4, ctor@0.2.5, deranged@0.3.8, either@1.9.0, equivalent@1.0.1, errno-dragonfly@0.1.2, errno@0.3.3, error-chain@0.12.4, fastrand@2.0.0, fixedbitset@0.4.2, fnv@1.0.7, futures-channel@0.3.28, futures-core@0.3.28, futures-sink@0.3.28, futures-task@0.3.28, futures-util@0.3.28, getrandom@0.2.10, gimli@0.28.0, h2@0.3.21, hashbrown@0.12.3, hashbrown@0.14.0, heck@0.4.1, hermit-abi@0.3.2, home@0.5.5, hostname@0.3.1, http-body@0.4.5, http@0.2.9, httparse@1.8.0, httpdate@1.0.3, hyper-timeout@0.4.1, hyper@0.14.27, indexmap@1.9.3, indexmap@2.0.0, is-terminal@0.4.9, itertools@0.11.0, itoa@1.0.9, lazy_static@1.4.0, libc@0.2.150, libnss@0.5.0, linux-raw-sys@0.4.5, log@0.4.20, match_cfg@0.1.0, matchit@0.7.2, memchr@2.6.3, mime@0.3.17, miniz_oxide@0.7.1, mio@0.8.9, multimap@0.8.3, num_cpus@1.16.0, num_threads@0.1.6, object@0.32.1, once_cell@1.18.0, paste@1.0.14, percent-encoding@2.3.0, petgraph@0.6.4, pin-project-internal@1.1.3, pin-project-lite@0.2.13, pin-project@1.1.3, pin-utils@0.1.0, ppv-lite86@0.2.17, prettyplease@0.2.14, proc-macro2@1.0.66, prost-build@0.12.0, prost-derive@0.12.3, prost-types@0.12.0, prost@0.12.3, quote@1.0.33, rand@0.8.5, rand_chacha@0.3.1, rand_core@0.6.4, redox_syscall@0.3.5, regex-automata@0.3.8, regex-syntax@0.7.5, regex@1.9.5, rustc-demangle@0.1.23, rustix@0.38.11, 
rustversion@1.0.14, serde@1.0.188, serde_derive@1.0.188, simple_logger@4.3.0, slab@0.4.9, socket2@0.4.9, socket2@0.5.5, syn@2.0.31, sync_wrapper@0.1.2, syslog@6.1.0, tempfile@3.8.0, time-core@0.1.1, time-macros@0.2.14, time@0.3.28, tokio-io-timeout@1.2.0, tokio-macros@2.2.0, tokio-stream@0.1.14, tokio-util@0.7.8, tokio@1.34.0, tonic-build@0.10.2, tonic@0.10.2, tower-layer@0.3.2, tower-service@0.3.2, tower@0.4.13, tracing-attributes@0.1.26, tracing-core@0.1.31, tracing@0.1.37, try-lock@0.2.4, unicode-ident@1.0.11, version_check@0.9.4, want@0.3.1, wasi@0.11.0+wasi-snapshot-preview1, which@4.4.2, winapi-i686-pc-windows-gnu@0.4.0, winapi-x86_64-pc-windows-gnu@0.4.0, winapi@0.3.9, windows-sys@0.48.0, windows-targets@0.48.5, windows_aarch64_gnullvm@0.48.5, windows_aarch64_msvc@0.48.5, windows_i686_gnu@0.48.5, windows_i686_msvc@0.48.5, windows_x86_64_gnu@0.48.5, windows_x86_64_gnullvm@0.48.5, windows_x86_64_msvc@0.48.5 +Homepage: https://github.com/ubuntu/authd +Vcs-Browser: https://github.com/ubuntu/authd +Vcs-Git: https://github.com/ubuntu/authd.git +Description: Authentication daemon for external Broker + Authd enables system authentication through external brokers. + +Package: authd +Architecture: any +Built-Using: ${misc:Built-Using}, +Depends: ${shlibs:Depends}, + ${misc:Depends}, +Description: ${source:Synopsis} + ${source:Extended-Description} + . + This package contains the authentication daemon together with the PAM & NSS + modules. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000000..304fbc1882 --- /dev/null +++ b/debian/copyright 
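Review bot: In debian/control, `libpam0g-dev` is listed twice in `Build-Depends` (once after `jq,` and again after `libc6-dev (>= 2.35),`); the second entry is redundant and can be dropped. The stanza is otherwise kept alphabetical, so removing the later occurrence keeps the ordering intact.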
@@ -0,0 +1,561 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: authd +Source: https://github.com/ubuntu/authd + +Files: * +Copyright: 2023 Canonical Ltd. +License: LGPL-3 + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 3 of the License, or (at your option) any later version. + . + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + . + You should have received a copy of the GNU Lesser General Public + License along with this library; if not, see . + . + On Debian systems, the complete text of the GNU Lesser General + Public License version 3 can be found in "/usr/share/common-licenses/LGPL-3". + +Files: vendor/go.etcd.io/bbolt/* +Copyright: 2013 Ben Johnson +License: MIT + +Files: vendor/go.uber.org/* +Copyright: 2016-2021 Uber Technologies, Inc. +License: MIT + +Files: vendor/gopkg.in/ini.v1/* +Copyright: 2014-2019 Unknwon. +License: Apache-2.0 + +Files: vendor/gopkg.in/yaml.v3/* +Copyright: 2011-2019 Canonical Ltd. +License: Apache-2.0 + +Files: vendor/gopkg.in/yaml.v3/apic.go + vendor/gopkg.in/yaml.v3/emitterc.go + vendor/gopkg.in/yaml.v3/parserc.go + vendor/gopkg.in/yaml.v3/readerc.go + vendor/gopkg.in/yaml.v3/scannerc.go + vendor/gopkg.in/yaml.v3/writerc.go + vendor/gopkg.in/yaml.v3/yamlh.go + vendor/gopkg.in/yaml.v3/yamlprivateh.go +Copyright: 2011-2019 Canonical Ltd. + 2006-2011 Kirill Simonov +License: MIT + +Files: vendor/github.com/atotto/clipboard/* +Copyright: 2013 Ato Araki. 
+License: BSD-3 + +Files: vendor/github.com/aymanbagabas/go-osc52/* +Copyright: 2022 Ayman Bagabas +License: MIT + +Files: vendor/github.com/charmbracelet/* +Copyright: 2019-2023 Charmbracelet, Inc +License: MIT + +Files: vendor/github.com/containerd/console/* +Copyright: The containerd Authors. +License: Apache-2.0 + +Files: vendor/github.com/coreos/* +Copyright: 2015-2018 CoreOS, Inc. / 2014 Docker, Inc. +License: Apache-2.0 + +Files: vendor/github.com/davecgh/* +Copyright: 2012-2016 Dave Collins +License: ISC + +Files: vendor/github.com/fsnotify/* +Copyright: 2010-2015 fsnotify Authors. / The Go Authors. +License: BSD-3 + +Files: vendor/github.com/godbus/* +Copyright: 2013 Georg Reinke (), Google +License: BSD-2 + +Files: vendor/github.com/golang/protobuf/* +Copyright: Copyright: 2010 The Go Authors. +License: BSD-3 + +Files: vendor/github.com/google/uuid/* +Copyright: 2009, 2014-2017, 2021 Google Inc. +License: BSD-3 + +Files: vendor/github.com/hashicorp/* +Copyright: HashiCorp +License: MPL-2.0 + +Files: vendor/github.com/inconshreveable/* +Copyright: 2014 Alan Shreve +License: Apache-2.0 + +Files: vendor/github.com/lucasb-eyer/go-colorful/* +Copyright: 2013 Lucas Beyer +License: MIT + +Files: vendor/github.com/magiconair/* +Copyright: 2013-2022 Frank Schroeder. 
+License: BSD-2 + +Files: vendor/github.com/mattn/* +Copyright: 2016 Yasuhiro MATSUMOTO +License: MIT + +Files: vendor/github.com/mitchellh/* +Copyright: 2013 Mitchell Hashimoto +License: MIT + +Files: vendor/github.com/msteinert/pam/* +Copyright: 2015 Michael Steinert / 2011 krockot +License: BSD-2 + +Files: vendor/github.com/muesli/* +Copyright: 2019, 2021 Christian Muehlhaeuser +License: MIT + +Files: vendor/github.com/pelletier/* +Copyright: 2013-2023 Thomas Pelletier, Eric Anderton +License: MIT + +Files: vendor/github.com/pmezard/* +Copyright: 2013 Patrick Mezard +License: BSD-3 + +Files: vendor/github.com/rivo/uniseg/* +Copyright: 2019 Oliver Kuederle +License: MIT + +Files: vendor/github.com/sagikazarmark/locafero/* +Copyright: 2023 Márk Sági-Kazár +License: MIT + +Files: vendor/github.com/sagikazarmark/slog-shim/* +Copyright: 2022 The Go Authors. +License: BSD-3 + +Files: vendor/github.com/sahilm/fuzzy/* +Copyright: 2017 Sahil Muthoo +License: MIT + +Files: vendor/github.com/sirupsen/logrus/* +Copyright: 2014 Simon Eskildsen +License: MIT + +Files: vendor/github.com/sirupsen/logrus/alt_exit.go +Copyright: 2012 Miki Tebeka . +License: MIT + +Files: vendor/github.com/skip2/go-qrcode/* +Copyright: 2014 Tom Harwood +License: MIT + +Files: vendor/github.com/sourcegraph/conc/* +Copyright: 2023 Sourcegraph +License: MIT + +Files: vendor/github.com/spf13/afero/* +Copyright: 2014-2016 Steve Francia . + 2015 The Hugo Authors + 2016-present Bjørn Erik Pedersen + 2009-2015 The Go Authors. +License: Apache-2.0 + +Files: vendor/github.com/spf13/cast/* +Copyright: 2014 Steve Francia . +License: MIT + +Files: vendor/github.com/spf13/cobra/* +Copyright: 2013 Steve Francia . + 2015 Red Hat Inc. + 2016 French Ben. +License: Apache-2.0 + +Files: vendor/github.com/spf13/pflag/* +Copyright: 2012 The Go Authors. / 2012 Alex Ogier. +License: BSD-3 + +Files: vendor/github.com/spf13/viper/* +Copyright: 2014 Steve Francia . 
+License: MIT + +Files: vendor/github.com/stretchr/* +Copyright: 2012-2020 Mat Ryer + Tyler Bunnell and contributors. +License: MIT + +Files: vendor/github.com/subosito/* +Copyright: 2013 Alif Rachmawadi +License: MIT + +Files: vendor/github.com/ubuntu/* +Copyright: Canonical +License: MIT + +Files: vendor/*golang.org/* +Copyright: 2009-2020 The Go Authors. +License: BSD-3 + +Files: vendor_rust/addr2line/* + vendor_rust/object/* +Copyright: 2016-2018 The gimli Developers +License: MIT + +Files: vendor_rust/adler/* +Copyright: Jonas Schievink +License: MIT + +Files: vendor_rust/aho-corasick/* + vendor_rust/memchr/* + vendor_rust/regex-automata/* +Copyright: 2015-2019 Andrew Gallant +License: MIT + +Files: vendor_rust/anyhow/* + vendor_rust/async-trait/* + vendor_rust/either/* + vendor_rust/equivalent/* + vendor_rust/fastrand/* + vendor_rust/fixedbitset/* + vendor_rust/hermit-abi/* + vendor_rust/home/* + vendor_rust/indexmap/* + vendor_rust/itertools/* + vendor_rust/itoa/* + vendor_rust/linux-raw-sys/* + vendor_rust/num_cpus/* + vendor_rust/once_cell/* + vendor_rust/paste/* + vendor_rust/petgraph/* + vendor_rust/pin-project/* + vendor_rust/pin-project-internal/* + vendor_rust/pin-project-lite/* + vendor_rust/prettyplease/* + vendor_rust/proc-macro2/* + vendor_rust/quote/* + vendor_rust/regex/* + vendor_rust/regex-syntax/* + vendor_rust/rustix/* + vendor_rust/rustversion/* + vendor_rust/serde/* + vendor_rust/serde_derive/* + vendor_rust/syn/* + vendor_rust/unicode-ident/* + vendor_rust/wasi/* +Copyright: *No copyright* +License: MIT + +Files: vendor_rust/async-stream*/* + vendor_rust/bytes/* + vendor_rust/mio/* + vendor_rust/slab/* +Copyright: 2018, 2019 Carl Lerche + 2014 Carl Lerche and other MIO contributors +License: MIT + +Files: vendor_rust/autocfg/* +Copyright: 2018 Josh Stone +License: MIT + +Files: vendor_rust/axum*/* +Copyright: 2021 Axum Contributors + 2014-2021 Sean McArthur +License: MIT + +Files: vendor_rust/backtrace/* + vendor_rust/cc/* + 
vendor_rust/cfg-if/* + vendor_rust/match_cfg/* + vendor_rust/rustc-demangle/* + vendor_rust/socket2/* +Copyright: 2014 Alex Crichton +License: MIT + +Files: vendor_rust/base64/* +Copyright: 2015 Alice Maz +License: MIT + +Files: vendor_rust/bitflags/* + vendor_rust/lazy_static/* + vendor_rust/libc/* + vendor_rust/log/* +Copyright: 2010-2020 The Rust Project Developers +License: MIT + +Files: vendor_rust/colored/* + vendor_rust/ctor/* +Copyright: *No copyright* +License: MPL-2.0 + +Files: vendor_rust/deranged/* +Copyright: 2022 Jacob Pratt et al. +License: Apache-2.0 + +Files: vendor_rust/errno/* +Copyright: 2014 Chris Wong +License: MIT + +Files: vendor_rust/errno-dragonfly/* +Copyright: 2017 Michael Neumann +License: MIT + +Files: vendor_rust/error-chain/* +Copyright: 2017 The Error-Chain Project Developers +License: MIT + +Files: vendor_rust/fnv/* +Copyright: 2017 Contributors +License: MIT + +Files: vendor_rust/futures-*/* +Copyright: 2017 The Tokio Authors / 2016 Alex Crichton +License: MIT + +Files: vendor_rust/getrandom/* +Copyright: 2018 Developers of the Rand project + 2014 The Rust Project Developers +License: MIT + +Files: vendor_rust/gimli/* +Copyright: 2015 The Rust Project Developers +License: MIT + +Files: vendor_rust/h2/* +Copyright: 2017 h2 authors +License: MIT + +Files: vendor_rust/hashbrown/* +Copyright: 2016 Amanieu d'Antras +License: MIT + +Files: vendor_rust/heck/* +Copyright: 2015 The Rust Project Developers +License: MIT + +Files: vendor_rust/hostname/* +Copyright: 2019 svartalf / 2016 fengcen +License: MIT + +Files: vendor_rust/httparse/* + vendor_rust/hyper/* + vendor_rust/want/* +Copyright: 2014-2021 Sean McArthur +License: MIT + +Files: vendor_rust/httpdate/* +Copyright: 2016 Pyfisch +License: MIT + +Files: vendor_rust/http-body/* +Copyright: 2019 Hyper Contributors +License: MIT + +Files: vendor_rust/http/* +Copyright: 2017 http-rs authors +License: MIT + +Files: vendor_rust/hyper-timeout/* +Copyright: 2016 The weldr Project Developers 
+License: MIT + +Files: vendor_rust/is-terminal/* +Copyright: 2015-2019 Doug Tangren +License: MIT + +Files: vendor_rust/matchit/* +Copyright: 2022 Ibraheem Ahmed +License: MIT + +Files: vendor_rust/multimap/* +Copyright: 2016 multimap developers +License: MIT + +Files: vendor_rust/num_threads/* +Copyright: 2021 Jacob Pratt +License: MIT + +Files: vendor_rust/percent-encoding/* +Copyright: 2013-2022 The rust-url developers +License: MIT + +Files: vendor_rust/pin-utils/* +Copyright: 2018 The pin-utils authors +License: MIT + +Files: vendor_rust/ppv-lite86/* +Copyright: 2019 The CryptoCorrosion Contributors +License: MIT + +Files: vendor_rust/prost/* + vendor_rust/prost-build/* + vendor_rust/prost-derive/* + vendor_rust/prost-types/* +Copyright: 2022 Dan Burkert & Tokio Contributors +License: Apache-2.0 + +Files: vendor_rust/rand/* + vendor_rust/rand_chacha/* + vendor_rust/rand_core/* +Copyright: 2018 Developers of the Rand project / 2014 The Rust Project Developers +License: MIT + +Files: vendor_rust/redox_syscall/* +Copyright: 2017 Redox OS Developers +License: MIT + +Files: vendor_rust/simple_logger/* +Copyright: 2015-2021 Sam Clements +License: MIT + +Files: vendor_rust/sync_wrapper/* +Copyright: 2020 Actyx AG +License: Apache-2.0 + +Files: vendor_rust/syslog/* +Copyright: 2014-2018 Geoffroy Couprie +License: MIT + +Files: vendor_rust/tempfile/* +Copyright: 2015 Steven Allen +License: MIT + +Files: vendor_rust/time/* + vendor_rust/time-core/* + vendor_rust/time-macros/* +Copyright: 2022 Jacob Pratt et al. 
+License: MIT + +Files: vendor_rust/tokio/* + vendor_rust/tokio-macros/* + vendor_rust/tokio-stream/* + vendor_rust/tokio-util/* + vendor_rust/tracing/* + vendor_rust/tracing-attributes/* + vendor_rust/tracing-core/* +Copyright: 2019, 2023 Tokio Contributors +License: MIT + +Files: vendor_rust/tokio-io-timeout/* +Copyright: 2017 The tokio-io-timeout Developers +License: MIT + +Files: vendor_rust/tonic/* + vendor_rust/tonic-build/* +Copyright: 2020 Lucio Franco +License: MIT + +Files: vendor_rust/tower/* + vendor_rust/tower-layer/* + vendor_rust/tower-service/* +Copyright: 2019 Tower Contributors +License: MIT + +Files: vendor_rust/try-lock/* +Copyright: 2018 Sean McArthur / 2016 Alex Crichton +License: MIT + +Files: vendor_rust/version_check/* +Copyright: 2017-2018 Sergio Benitez +License: MIT + +Files: vendor_rust/which/* +Copyright: 2015 fangyuanziti +License: MIT + +Files: vendor_rust/winapi*/* +Copyright: 2015-2018 The winapi-rs Developers +License: MIT + +Files: vendor_rust/windows*/* +Copyright: Microsoft Corporation. +License: MIT + +License: Apache-2.0 + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + +License: BSD-2 + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + . + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. 
+ +License: BSD-3 + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are + met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following disclaimer + in the documentation and/or other materials provided with the + distribution. + * Neither the name of Google Inc., Jonas Obrist nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + +License: LGPL-3+ + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 3 of the License, or (at your option) any later version. + . + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + +License: ISC + Permission to use, copy, modify, and/or distribute this software for any + purpose with or without fee is hereby granted, provided that the above + copyright notice and this permission notice appear in all copies. + . + THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
+ +License: MIT + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + . + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. + +License: MPL-2.0 + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. If a copy of the MPL was not distributed with this + file, You can obtain one at http://mozilla.org/MPL/2.0/. + Comment: + On Debian systems, the complete text of the Mozilla Public License can + be found in "/usr/share/common-licenses/MPL-2.0". diff --git a/debian/docs b/debian/docs new file mode 100644 index 0000000000..103c946dbb --- /dev/null +++ b/debian/docs @@ -0,0 +1,2 @@ +# Vendored dependency contains an Apache NOTICE +vendor/gopkg.in/yaml.v3/NOTICE diff --git a/debian/gbp.conf b/debian/gbp.conf new file mode 100644 index 0000000000..455c4e5201 --- /dev/null +++ b/debian/gbp.conf @@ -0,0 +1,9 @@ +[DEFAULT] +debian-tag=v%(version)s +debian-branch=main + +[buildpackage] +export=INDEX + +[dch] +multimaint-merge=True 
diff --git a/debian/lintian-overrides b/debian/lintian-overrides
new file mode 100644
index 0000000000..4109146d2e
--- /dev/null
+++ b/debian/lintian-overrides
@@ -0,0 +1,9 @@
+# NSS libraries don't provide symlinks to the versioned library
+authd: lacks-versioned-link-to-shared-library usr/lib/*/libnss_authd.so [usr/lib/*/libnss_authd.so.2]
+
+# cargo build currently does not support changing the output name of libraries and the functionality
+# is still being tracked at https://github.com/rust-lang/cargo/issues/9778. Therefore, we must build
+# it with the base name (i.e. libnss_authd.so) and then manually rename it to contain the version, as
+# done in the dh_auto_install step.
+# With this approach, libnss is not using soname to track compatibility, so this override is safe.
+authd: shared-library-lacks-version usr/lib/*/libnss_authd.so.2 libnss_authd.so
diff --git a/pam/go-loader/libpam-authd.pam-auth-update b/debian/pam-configs/authd
similarity index 100%
rename from pam/go-loader/libpam-authd.pam-auth-update
rename to debian/pam-configs/authd
diff --git a/debian/postinst b/debian/postinst
new file mode 100644
index 0000000000..2d72f7a43c
--- /dev/null
+++ b/debian/postinst
@@ -0,0 +1,42 @@
+#!/bin/sh
+set -e
+
+#DEBHELPER#
+
+# This code was taken from libnss-sss, which got it from libnss-myhostname, which got it from nss-mdns:
+
+log() {
+ echo "$*"
+}
+
+# try to insert authd entries to the passwd, group and shadow
+# lines in /etc/nsswitch.conf to automatically enable libnss-authd
+# support; do not change the configuration if the lines already
+# reference some authd lookups
+insert_nss_entry() {
+ log "Checking NSS setup..."
+ # abort if /etc/nsswitch.conf does not exist
+ if ! [ -e /etc/nsswitch.conf ]; then
+ log "Could not find /etc/nsswitch.conf."
+ return
+ fi
+ # append 'authd' to the end of the line if it's not found already
+ sed -i --regexp-extended '
+ /^(passwd|group|shadow):/ {
+ /\bauthd\b/! s/$/ authd/
+ }
+ ' /etc/nsswitch.conf
+}
+
+action="$1"
+
+if [ configure = "$action" ]; then
+ pam-auth-update --package
+
+ if [ -z "$2" ]; then
+ log "First installation detected..."
+ # first install: setup the recommended configuration (unless
+ # nsswitch.conf already contains authd entries)
+ insert_nss_entry
+ fi
+fi
diff --git a/debian/postrm b/debian/postrm
new file mode 100644
index 0000000000..99c4a5aefb
--- /dev/null
+++ b/debian/postrm
@@ -0,0 +1,40 @@
+#!/bin/sh
+set -e
+
+#DEBHELPER#
+
+# This code was taken from libnss-sss, which got it from libnss-myhostname, which got it from nss-mdns:
+
+log() {
+ echo "$*"
+}
+
+remove_nss_entry() {
+ log "Checking NSS setup..."
+ # abort if /etc/nsswitch.conf does not exist
+ if ! [ -e /etc/nsswitch.conf ]; then
+ log "Could not find /etc/nsswitch.conf."
+ return
+ fi
+ sed -i --regexp-extended '
+ /^(passwd|group|shadow):/ {
+ s/\s?\bauthd\b\s?/ /g
+ s/[[:space:]]+$//
+ }
+ ' /etc/nsswitch.conf
+}
+
+case "$1" in
+ remove|purge)
+ if [ "${DPKG_MAINTSCRIPT_PACKAGE_REFCOUNT:-1}" = 1 ]; then
+ remove_nss_entry
+ fi
+ ;;
+ upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
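Review bot: The `sed -i` call in `insert_nss_entry` in debian/postinst (and the one in `remove_nss_entry` in debian/postrm) rewrites /etc/nsswitch.conf by writing a new file and renaming it over the old path, so when that path is a symlink the link is replaced by a regular file and the real target is left unedited. Adding `--follow-symlinks` to both calls keeps the link and edits the target, e.g. `sed -i --follow-symlinks --regexp-extended '…' /etc/nsswitch.conf`. Because these scripts run as root against the file that decides where passwd, group and shadow lookups go, a one-line comment above each sed stating that only uncommented `passwd:`, `group:` and `shadow:` lines are touched would also help the next reader.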
diff --git a/debian/prerm b/debian/prerm
new file mode 100644
index 0000000000..8c4a0f1b88
--- /dev/null
+++ b/debian/prerm
@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+if [ "$1" = remove ] && [ "${DPKG_MAINTSCRIPT_PACKAGE_REFCOUNT:-1}" = 1 ]; then
+ pam-auth-update --package --remove authd
+fi
+
+#DEBHELPER#
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000000..08e85f45e7
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,83 @@
+#!/usr/bin/make -f
+#export DH_VERBOSE = 1
+
+export GOCACHE := $(shell mktemp -d /tmp/gocache-XXXX)
+export GOFLAGS := -ldflags=-X=github.com/ubuntu/authd/internal/consts.Version=$(shell dpkg-parsechangelog -S Version) --mod=vendor -buildmode=pie
+
+export DEB_BUILD_MAINT_OPTIONS := optimize=-lto
+
+# Strict symbols checking
+export DPKG_GENSYMBOLS_CHECK_LEVEL := 4
+
+# Copy in build directory all content to embed
+export DH_GOLANG_INSTALL_ALL := 1
+
+# The following definitions are necessary because of the manual steps
+# we need to do to work around some issues with either dh-cargo,
+# the wrapper, or cargo
+include /usr/share/rustc/architecture.mk
+CARGO := /usr/share/cargo/bin/cargo
+
+# Needed for Rust vendored sources tracking
+DH_CARGO_VENDORED_SOURCES := /usr/share/cargo/bin/dh-cargo-vendored-sources
+export CARGO_VENDOR_DIR = vendor_rust
+
+# Needed for Rust configure/build/test stages
+export DEB_HOST_GNU_TYPE DEB_HOST_RUST_TYPE
+export CARGO_HOME = $(CURDIR)/debian/cargo_home
+
+%:
+ dh $@ --buildsystem=golang --with=golang,apport
+
+override_dh_auto_clean:
+ dh_auto_clean
+ dh_auto_clean --buildsystem=cargo
+
+ # Vendor Go dependencies when building the source package
+ [ -d vendor/ ] || go mod vendor
+
+ # Vendor Rust dependencies when building the source package
+ [ -d vendor_rust/ ] || \
+ CARGO=$(CARGO) DH_CARGO_VENDORED_SOURCES=$(DH_CARGO_VENDORED_SOURCES) \
+ CARGO_VENDOR_DIR=$(CARGO_VENDOR_DIR) debian/vendor-rust.sh
+
+override_dh_auto_configure:
+ dh_auto_configure
+
+ [ ! -e $(DH_CARGO_VENDORED_SOURCES) ] || $(DH_CARGO_VENDORED_SOURCES)
+ DEB_CARGO_CRATE=nss_$(shell dpkg-parsechangelog --show-field Version) \
+ RUSTFLAGS="--cfg=rustix_use_libc" \
+ $(CARGO) prepare-debian $(CARGO_VENDOR_DIR)
+
+override_dh_auto_build:
+ # Build PAM library & Go loader
+ go generate -x ./pam
+
+ # Build the NSS library
+ $(CARGO) build --release
+
+ # Build the daemon
+ DH_GOLANG_BUILDPKG=github.com/ubuntu/authd/cmd/authd dh_auto_build
+
+override_dh_auto_test:
+ # We need to specify these Rust related variables to the Go tests in order to build the NSS lib
+ # with the cargo wrapper in the integration tests in order to force cargo to use vendored deps
+ # instead of querying crates.io for them.
+ CARGO_PATH=$(CARGO) dh_auto_test
+
+override_dh_auto_install:
+ dh_auto_install -- --no-source
+
+ # Install daemon in /sbin
+ mv debian/authd/usr/bin/ debian/authd/usr/sbin
+
+ # Install PAM module configuration
+ install -Dm644 debian/pam-configs/authd debian/authd/usr/share/pam-configs/authd
+
+ # Install PAM
+ install -Dm644 pam/go-loader/pam_go_loader.so debian/authd/usr/lib/$(DEB_TARGET_GNU_TYPE)/security/pam_go_loader.so
+ install -Dm644 pam/pam_authd.so debian/authd/usr/lib/$(DEB_TARGET_GNU_TYPE)/security/pam_authd.so
+
+ # Install NSS
+ # In Rust, HOST actually refers to the build target (see README.Debian in rustc)
+ install -Dm644 target/$(DEB_HOST_RUST_TYPE)/release/libnss_authd.so debian/authd/usr/lib/$(DEB_TARGET_GNU_TYPE)/libnss_authd.so.2
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000000..89ae9db8f8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (native)
diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides
new file mode 100644
index 0000000000..9f2d8b383e
--- /dev/null
+++ b/debian/source/lintian-overrides
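Review bot: The three `install -Dm644` lines for the PAM and NSS modules in `override_dh_auto_install` of debian/rules build the library directory from `$(DEB_TARGET_GNU_TYPE)`, but the multiarch library directory is named by `$(DEB_HOST_MULTIARCH)`; the two differ on i386 (`i686-linux-gnu` versus `i386-linux-gnu`), where the modules would land in a directory the PAM and NSS loaders presumably do not search. Assuming dpkg's architecture variables are available through the included architecture.mk, I would write e.g. `debian/authd/usr/lib/$(DEB_HOST_MULTIARCH)/security/pam_authd.so` on all three lines. Separately, `export GOCACHE := $(shell mktemp -d /tmp/gocache-XXXX)` is evaluated on every invocation of debian/rules and nothing removes the directory, so each dh step leaves a stray cache in /tmp; a fixed path under `$(CURDIR)/debian`, as `CARGO_HOME` already uses, would avoid that. The comment `# Install daemon in /sbin` should also read `/usr/sbin` to match the `mv` below it.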
@@ -0,0 +1,2 @@
+# We must specify the XS-Vendored-Sources-Rust field in control to use the vendored dependencies.
+authd source: unknown-field Vendored-Sources-Rust
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000000..f833e8c214
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,3 @@
+Test-Command: go test -v -mod=vendor ./...
+Restrictions: allow-stderr
+Depends: @builddeps@
diff --git a/debian/triggers b/debian/triggers
new file mode 100644
index 0000000000..dd86603678
--- /dev/null
+++ b/debian/triggers
@@ -0,0 +1 @@
+activate-noawait ldconfig
diff --git a/debian/vendor-rust.sh b/debian/vendor-rust.sh
new file mode 100755
index 0000000000..28262bf1de
--- /dev/null
+++ b/debian/vendor-rust.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+set -eu
+
+# Some crates are shipped with .a files, which get removed by the helpers during the package build as a safety measure.
+# This results in cargo failing to compile, since the files (which are listed in the checksums) are not there anymore.
+# For those crates, we need to replace their checksum with a more general one that only lists the crate checksum, instead of each file.
+CARGO_HOME=${HOME}/.cargo ${CARGO} vendor "${CARGO_VENDOR_DIR}"
+
+[ ! -e "${DH_CARGO_VENDORED_SOURCES}" ] || ${DH_CARGO_VENDORED_SOURCES}
+[ -e /usr/bin/jq ] || (echo "jq is required to run this script. Try installing it with 'sudo apt install jq'" && exit 1)
+
+for dep in vendor_rust/*; do
+ checksum_file="${dep}/.cargo-checksum.json"
+ a_files=$(jq '.files | keys | map(select(.|test(".a$")))' "${checksum_file}")
+ if [ "$a_files" = "[]" ]; then
+ continue
+ fi
+ pkg_checksum=$(jq '.package' "${checksum_file}")
+ echo "{\"files\": {}, \"package\": ${pkg_checksum}}" > "${checksum_file}"
+done
diff --git a/pam/pam.go b/pam/pam.go
index f2b404d437..b878089518 100644
--- a/pam/pam.go
+++ b/pam/pam.go
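Review bot: In debian/vendor-rust.sh the jq filter `test(".a$")` leaves the dot unescaped, so it matches every path that ends in the letter "a" rather than only `.a` archives, and any crate shipping such a file gets its `files` map replaced by `{}`. That empties the per-file checksums cargo uses to verify the vendored sources for more crates than the comment intends; escaping the dot narrows it back: `a_files=$(jq '.files | keys | map(select(test("\\.a$")))' "${checksum_file}")`. The loop also iterates over the literal `vendor_rust/*` while the `cargo vendor` call above writes to `"${CARGO_VENDOR_DIR}"`, so the two disagree whenever the variable is set to anything else; `for dep in "${CARGO_VENDOR_DIR}"/*; do` keeps them in step.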
@@ -1,4 +1,4 @@
-//go:generate go run github.com/msteinert/pam/v2/cmd/pam-moduler -libname "pam_authd.so" -type pamModule -tags !pam_binary_cli
+//go:generate sh -c "[ -d ../vendor ] && echo Vendored dependencies detected, not re-generating pam_module.go || go run github.com/msteinert/pam/v2/cmd/pam-moduler -libname pam_authd.so -type pamModule -tags !pam_binary_cli"
 //go:generate go generate --skip="pam_module.go"
 //go:generate sh -c "cc -o go-loader/pam_go_loader.so go-loader/module.c -Wl,--as-needed -Wl,--allow-shlib-undefined -shared -fPIC -Wl,--unresolved-symbols=report-all -lpam && chmod 600 go-loader/pam_go_loader.so"