From 719ff225294bb273ae66f924da36f31e56fa7f2e Mon Sep 17 00:00:00 2001
From: Gabriel Nagy
Date: Mon, 27 Nov 2023 18:29:07 +0200
Subject: [PATCH 1/6] Add workflow to auto-update Rust vendored sources Similar to what we have in aad-auth, this helps keep the XS-Vendored-Sources-Rust field in debian/changelog up-to-date.
---
 .github/workflows/auto-updates.yaml | 65 +++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)
 create mode 100644 .github/workflows/auto-updates.yaml
diff --git a/.github/workflows/auto-updates.yaml b/.github/workflows/auto-updates.yaml
new file mode 100644
index 0000000000..ae37fd27fe
--- /dev/null
+++ b/.github/workflows/auto-updates.yaml
@@ -0,0 +1,65 @@
+name: Update translations and Rust packaging related files in main
+on:
+ push:
+ branches:
+ - main
+ paths-ignore:
+ - debian/control
+concurrency: auto-update
+
+jobs:
+ update-rust-packaging:
+ name: Update packaging related Rust files
+ needs: update-po
+ runs-on: ubuntu-latest
+ # Right now, ubuntu 22.04 does not have the dh-cargo-vendored-sources script that is needed to
+ # run this job, so we need to run it inside a rolling container to get the latest version possible.
+ # This should be updated as soon as the dh-cargo version with the mentioned script gets ported to
+ # 22.04 or ubuntu-latest changes to a more recent version.
+ container:
+ image: ubuntu:rolling
+ steps:
+ - name: Install dependencies
+ run: |
+ DEBIAN_FRONTEND=noninteractive apt update
+ DEBIAN_FRONTEND=noninteractive apt install -y cargo dh-cargo git jq
+ - uses: actions/checkout@v4
+ with:
+ ref: main
+ - name: Vendor the dependencies
+ run: |
+ cargo vendor vendor_rust/
+ - name: Update XS-Vendored-Sources-Rust
+ run: |
+ set -eu
+
+ export CARGO_VENDOR_DIR=vendor_rust/
+ VENDORED_SOURCES=$(/usr/share/cargo/bin/dh-cargo-vendored-sources 2>&1 || true)
+ OUTPUT=$(echo "$VENDORED_SOURCES" | grep ^XS-Vendored-Sources-Rust: || true)
+ if [ -z "$OUTPUT" ]; then
+ echo "XS-Vendored-Sources-Rust is up to date. No change is needed.";
+ exit 0
+ fi
+ sed -i "s/^XS-Vendored-Sources-Rust:.*/$OUTPUT/" debian/control
+
+ echo "modified=true" >> $GITHUB_ENV
+ shell: bash
+ # Since we run this job in a container, we need to manually add the safe directory due to some
+ # issues between actions/checkout and actions/runner, which seem to be triggered by multiple
+ # causes (e.g. https://github.com/actions/runner-images/issues/6775, https://github.com/actions/checkout/issues/1048#issuecomment-1356485556).
+ - name: work around permission issue with git vulnerability (we are local here). TO REMOVE
+ run: git config --global --add safe.directory "$PWD"
+ - name: Create Pull Request
+ if: ${{ env.modified == 'true' }}
+ uses: peter-evans/create-pull-request@v5
+ with:
+ commit-message: Auto update packaging related Rust files
+ title: Auto update packaging related Rust files
+ labels: control, automated pr
+ branch: auto-update-rust-packaging
+ delete-branch: true
+ token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Push branch
+ if: ${{ env.modified == 'true' }}
+ run: |
+ git push origin auto-update-rust-packaging:main
From fcf3b71e3de32b4f4019db7fe490c3267815f1e5 Mon Sep 17 00:00:00 2001
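Review bot: The `update-rust-packaging` job ends with `git push origin auto-update-rust-packaging:main`, so the generated commit reaches `main` without review, yet the workflow declares no `permissions:` block and calls `peter-evans/create-pull-request@v5` by a mutable tag. Pin that action and `actions/checkout@v4` to a full commit SHA, e.g. `uses: peter-evans/create-pull-request@FULL_COMMIT_SHA # v5` (placeholder), and add a job-level `permissions:` limited to `contents: write` and `pull-requests: write`. The job also sets `needs: update-po`, but no `update-po` job is defined in this 65-line file, so the workflow will presumably be rejected until a later patch adds it. In the "Update XS-Vendored-Sources-Rust" step, `dh-cargo-vendored-sources 2>&1 || true` followed by `grep ... || true` makes a missing or crashing script look the same as "up to date"; a guard such as `[ -x /usr/share/cargo/bin/dh-cargo-vendored-sources ] || exit 1` before the call would surface that case.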
From: Gabriel Nagy
Date: Mon, 27 Nov 2023 18:30:21 +0200
Subject: [PATCH 2/6] Add Debian packaging Build the authd package in a single binary package containing the daemon, PAM & NSS modules. Add hooks to ensure PAM & NSS are properly configured and un-configured. Most of this was inspired by adsys and aad-auth packaging where we also ship PAM (and NSS) modules. Fixes UDENG-1781
---
 debian/apport | 12 +
 debian/changelog | 5 +
 debian/control | 34 ++
 debian/copyright | 561 ++++++++++++++++++
 debian/docs | 2 +
 debian/gbp.conf | 9 +
 debian/lintian-overrides | 9 +
 .../pam-configs/authd | 0
 debian/postinst | 42 ++
 debian/postrm | 40 ++
 debian/prerm | 8 +
 debian/rules | 86 +++
 debian/source/format | 1 +
 debian/source/lintian-overrides | 2 +
 debian/tests/control | 3 +
 debian/vendor-rust.sh | 20 +
 16 files changed, 834 insertions(+)
 create mode 100644 debian/apport
 create mode 100644 debian/changelog
 create mode 100644 debian/control
 create mode 100644 debian/copyright
 create mode 100644 debian/docs
 create mode 100644 debian/gbp.conf
 create mode 100644 debian/lintian-overrides
 rename pam/go-loader/libpam-authd.pam-auth-update => debian/pam-configs/authd (100%)
 create mode 100644 debian/postinst
 create mode 100644 debian/postrm
 create mode 100644 debian/prerm
 create mode 100755 debian/rules
 create mode 100644 debian/source/format
 create mode 100644 debian/source/lintian-overrides
 create mode 100644 debian/tests/control
 create mode 100755 debian/vendor-rust.sh
diff --git a/debian/apport b/debian/apport
new file mode 100644
index 0000000000..8a38bbe109
--- /dev/null
+++ b/debian/apport
@@ -0,0 +1,12 @@
+'''apport package hook for authd
+
+(c) 2023 Canonical Ltd.
+'''
+
+import apport.hookutils
+
+def add_info(report):
+ apport.hookutils.attach_related_packages(report, ["libpam-runtime", "libpam0g"])
+ apport.hookutils.attach_conffiles(report, 'authd')
+ apport.hookutils.attach_file_if_exists(report, '/etc/pam.d/common-auth')
+ apport.hookutils.attach_file_if_exists(report, '/etc/nsswitch.conf')
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000000..80f99f3742
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,5 @@
+authd (0.1) UNRELEASED; urgency=medium
+
+ * Initial release
+
+ -- Gabriel Nagy Thu, 30 Nov 2023 00:12:07 +0200
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000000..a803d571c0
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,34 @@ +Source: authd +Section: admin +Priority: optional +Maintainer: Ubuntu Developers +Build-Depends: debhelper-compat (= 13), + dbus, + dh-apport, + dh-cargo, + dh-golang, + golang-go (>= 2:1.21~), + libpam0g-dev, + libc6-dev (>= 2.35), + libpam0g-dev, + pkg-config, + protobuf-compiler, +Standards-Version: 4.6.2 +XS-Go-Import-Path: github.com/ubuntu/authd +XS-Vendored-Sources-Rust: addr2line@0.21.0, adler@1.0.2, aho-corasick@1.0.5, anyhow@1.0.75, async-stream-impl@0.3.5, async-stream@0.3.5, async-trait@0.1.73, autocfg@1.1.0, axum-core@0.3.4, axum@0.6.20, backtrace@0.3.69, base64@0.21.3, bitflags@1.3.2, bitflags@2.4.0, bytes@1.5.0, cc@1.0.84, cfg-if@1.0.0, colored@2.0.4, ctor@0.2.5, deranged@0.3.8, either@1.9.0, equivalent@1.0.1, errno-dragonfly@0.1.2, errno@0.3.3, error-chain@0.12.4, fastrand@2.0.0, fixedbitset@0.4.2, fnv@1.0.7, futures-channel@0.3.28, futures-core@0.3.28, futures-sink@0.3.28, futures-task@0.3.28, futures-util@0.3.28, getrandom@0.2.10, gimli@0.28.0, h2@0.3.21, hashbrown@0.12.3, hashbrown@0.14.0, heck@0.4.1, hermit-abi@0.3.2, home@0.5.5, hostname@0.3.1, http-body@0.4.5, http@0.2.9, httparse@1.8.0, httpdate@1.0.3, hyper-timeout@0.4.1, hyper@0.14.27, indexmap@1.9.3, indexmap@2.0.0, is-terminal@0.4.9, itertools@0.11.0, itoa@1.0.9, lazy_static@1.4.0, libc@0.2.150, libnss@0.5.0, linux-raw-sys@0.4.5, log@0.4.20, match_cfg@0.1.0, matchit@0.7.2, memchr@2.6.3, mime@0.3.17, miniz_oxide@0.7.1, mio@0.8.9, multimap@0.8.3, num_cpus@1.16.0, num_threads@0.1.6, object@0.32.1, once_cell@1.18.0, paste@1.0.14, percent-encoding@2.3.0, petgraph@0.6.4, pin-project-internal@1.1.3, pin-project-lite@0.2.13, pin-project@1.1.3, pin-utils@0.1.0, ppv-lite86@0.2.17, prettyplease@0.2.14, proc-macro2@1.0.66, prost-build@0.12.0, prost-derive@0.12.3, prost-types@0.12.0, prost@0.12.3, quote@1.0.33, rand@0.8.5, rand_chacha@0.3.1, rand_core@0.6.4, redox_syscall@0.3.5, regex-automata@0.3.8, regex-syntax@0.7.5, regex@1.9.5, rustc-demangle@0.1.23, rustix@0.38.11, 
rustversion@1.0.14, serde@1.0.188, serde_derive@1.0.188, simple_logger@4.3.0, slab@0.4.9, socket2@0.4.9, socket2@0.5.5, syn@2.0.31, sync_wrapper@0.1.2, syslog@6.1.0, tempfile@3.8.0, time-core@0.1.1, time-macros@0.2.14, time@0.3.28, tokio-io-timeout@1.2.0, tokio-macros@2.2.0, tokio-stream@0.1.14, tokio-util@0.7.8, tokio@1.34.0, tonic-build@0.10.2, tonic@0.10.2, tower-layer@0.3.2, tower-service@0.3.2, tower@0.4.13, tracing-attributes@0.1.26, tracing-core@0.1.31, tracing@0.1.37, try-lock@0.2.4, unicode-ident@1.0.11, version_check@0.9.4, want@0.3.1, wasi@0.11.0+wasi-snapshot-preview1, which@4.4.2, winapi-i686-pc-windows-gnu@0.4.0, winapi-x86_64-pc-windows-gnu@0.4.0, winapi@0.3.9, windows-sys@0.48.0, windows-targets@0.48.5, windows_aarch64_gnullvm@0.48.5, windows_aarch64_msvc@0.48.5, windows_i686_gnu@0.48.5, windows_i686_msvc@0.48.5, windows_x86_64_gnu@0.48.5, windows_x86_64_gnullvm@0.48.5, windows_x86_64_msvc@0.48.5 +Homepage: https://github.com/ubuntu/authd +Vcs-Browser: https://github.com/ubuntu/authd +Vcs-Git: https://github.com/ubuntu/authd.git +Description: Authentication daemon for external Broker + Authd enables system authentication through external brokers. + +Package: authd +Architecture: any +Built-Using: ${misc:Built-Using}, +Depends: ${shlibs:Depends}, + ${misc:Depends}, +Description: ${source:Synopsis} + ${source:Extended-Description} + . + This package contains the authentication daemon together with the PAM & NSS + modules. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000000..304fbc1882 --- /dev/null +++ b/debian/copyright 
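Review bot: `libpam0g-dev` is listed twice in `Build-Depends`, once before and once after `libc6-dev (>= 2.35)`; drop the second entry. The `XS-Vendored-Sources-Rust` field is the value the packaging tooling compares with the contents of `vendor_rust/`, so a short `# regenerated by dh-cargo-vendored-sources, do not edit by hand` comment above it would keep manual edits from drifting away from what is actually vendored.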
@@ -0,0 +1,561 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: authd +Source: https://github.com/ubuntu/authd + +Files: * +Copyright: 2023 Canonical Ltd. +License: LGPL-3 + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 3 of the License, or (at your option) any later version. + . + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + . + You should have received a copy of the GNU Lesser General Public + License along with this library; if not, see . + . + On Debian systems, the complete text of the GNU Lesser General + Public License version 3 can be found in "/usr/share/common-licenses/LGPL-3". + +Files: vendor/go.etcd.io/bbolt/* +Copyright: 2013 Ben Johnson +License: MIT + +Files: vendor/go.uber.org/* +Copyright: 2016-2021 Uber Technologies, Inc. +License: MIT + +Files: vendor/gopkg.in/ini.v1/* +Copyright: 2014-2019 Unknwon. +License: Apache-2.0 + +Files: vendor/gopkg.in/yaml.v3/* +Copyright: 2011-2019 Canonical Ltd. +License: Apache-2.0 + +Files: vendor/gopkg.in/yaml.v3/apic.go + vendor/gopkg.in/yaml.v3/emitterc.go + vendor/gopkg.in/yaml.v3/parserc.go + vendor/gopkg.in/yaml.v3/readerc.go + vendor/gopkg.in/yaml.v3/scannerc.go + vendor/gopkg.in/yaml.v3/writerc.go + vendor/gopkg.in/yaml.v3/yamlh.go + vendor/gopkg.in/yaml.v3/yamlprivateh.go +Copyright: 2011-2019 Canonical Ltd. + 2006-2011 Kirill Simonov +License: MIT + +Files: vendor/github.com/atotto/clipboard/* +Copyright: 2013 Ato Araki. 
+License: BSD-3 + +Files: vendor/github.com/aymanbagabas/go-osc52/* +Copyright: 2022 Ayman Bagabas +License: MIT + +Files: vendor/github.com/charmbracelet/* +Copyright: 2019-2023 Charmbracelet, Inc +License: MIT + +Files: vendor/github.com/containerd/console/* +Copyright: The containerd Authors. +License: Apache-2.0 + +Files: vendor/github.com/coreos/* +Copyright: 2015-2018 CoreOS, Inc. / 2014 Docker, Inc. +License: Apache-2.0 + +Files: vendor/github.com/davecgh/* +Copyright: 2012-2016 Dave Collins +License: ISC + +Files: vendor/github.com/fsnotify/* +Copyright: 2010-2015 fsnotify Authors. / The Go Authors. +License: BSD-3 + +Files: vendor/github.com/godbus/* +Copyright: 2013 Georg Reinke (), Google +License: BSD-2 + +Files: vendor/github.com/golang/protobuf/* +Copyright: Copyright: 2010 The Go Authors. +License: BSD-3 + +Files: vendor/github.com/google/uuid/* +Copyright: 2009, 2014-2017, 2021 Google Inc. +License: BSD-3 + +Files: vendor/github.com/hashicorp/* +Copyright: HashiCorp +License: MPL-2.0 + +Files: vendor/github.com/inconshreveable/* +Copyright: 2014 Alan Shreve +License: Apache-2.0 + +Files: vendor/github.com/lucasb-eyer/go-colorful/* +Copyright: 2013 Lucas Beyer +License: MIT + +Files: vendor/github.com/magiconair/* +Copyright: 2013-2022 Frank Schroeder. 
+License: BSD-2 + +Files: vendor/github.com/mattn/* +Copyright: 2016 Yasuhiro MATSUMOTO +License: MIT + +Files: vendor/github.com/mitchellh/* +Copyright: 2013 Mitchell Hashimoto +License: MIT + +Files: vendor/github.com/msteinert/pam/* +Copyright: 2015 Michael Steinert / 2011 krockot +License: BSD-2 + +Files: vendor/github.com/muesli/* +Copyright: 2019, 2021 Christian Muehlhaeuser +License: MIT + +Files: vendor/github.com/pelletier/* +Copyright: 2013-2023 Thomas Pelletier, Eric Anderton +License: MIT + +Files: vendor/github.com/pmezard/* +Copyright: 2013 Patrick Mezard +License: BSD-3 + +Files: vendor/github.com/rivo/uniseg/* +Copyright: 2019 Oliver Kuederle +License: MIT + +Files: vendor/github.com/sagikazarmark/locafero/* +Copyright: 2023 Márk Sági-Kazár +License: MIT + +Files: vendor/github.com/sagikazarmark/slog-shim/* +Copyright: 2022 The Go Authors. +License: BSD-3 + +Files: vendor/github.com/sahilm/fuzzy/* +Copyright: 2017 Sahil Muthoo +License: MIT + +Files: vendor/github.com/sirupsen/logrus/* +Copyright: 2014 Simon Eskildsen +License: MIT + +Files: vendor/github.com/sirupsen/logrus/alt_exit.go +Copyright: 2012 Miki Tebeka . +License: MIT + +Files: vendor/github.com/skip2/go-qrcode/* +Copyright: 2014 Tom Harwood +License: MIT + +Files: vendor/github.com/sourcegraph/conc/* +Copyright: 2023 Sourcegraph +License: MIT + +Files: vendor/github.com/spf13/afero/* +Copyright: 2014-2016 Steve Francia . + 2015 The Hugo Authors + 2016-present Bjørn Erik Pedersen + 2009-2015 The Go Authors. +License: Apache-2.0 + +Files: vendor/github.com/spf13/cast/* +Copyright: 2014 Steve Francia . +License: MIT + +Files: vendor/github.com/spf13/cobra/* +Copyright: 2013 Steve Francia . + 2015 Red Hat Inc. + 2016 French Ben. +License: Apache-2.0 + +Files: vendor/github.com/spf13/pflag/* +Copyright: 2012 The Go Authors. / 2012 Alex Ogier. +License: BSD-3 + +Files: vendor/github.com/spf13/viper/* +Copyright: 2014 Steve Francia . 
+License: MIT + +Files: vendor/github.com/stretchr/* +Copyright: 2012-2020 Mat Ryer + Tyler Bunnell and contributors. +License: MIT + +Files: vendor/github.com/subosito/* +Copyright: 2013 Alif Rachmawadi +License: MIT + +Files: vendor/github.com/ubuntu/* +Copyright: Canonical +License: MIT + +Files: vendor/*golang.org/* +Copyright: 2009-2020 The Go Authors. +License: BSD-3 + +Files: vendor_rust/addr2line/* + vendor_rust/object/* +Copyright: 2016-2018 The gimli Developers +License: MIT + +Files: vendor_rust/adler/* +Copyright: Jonas Schievink +License: MIT + +Files: vendor_rust/aho-corasick/* + vendor_rust/memchr/* + vendor_rust/regex-automata/* +Copyright: 2015-2019 Andrew Gallant +License: MIT + +Files: vendor_rust/anyhow/* + vendor_rust/async-trait/* + vendor_rust/either/* + vendor_rust/equivalent/* + vendor_rust/fastrand/* + vendor_rust/fixedbitset/* + vendor_rust/hermit-abi/* + vendor_rust/home/* + vendor_rust/indexmap/* + vendor_rust/itertools/* + vendor_rust/itoa/* + vendor_rust/linux-raw-sys/* + vendor_rust/num_cpus/* + vendor_rust/once_cell/* + vendor_rust/paste/* + vendor_rust/petgraph/* + vendor_rust/pin-project/* + vendor_rust/pin-project-internal/* + vendor_rust/pin-project-lite/* + vendor_rust/prettyplease/* + vendor_rust/proc-macro2/* + vendor_rust/quote/* + vendor_rust/regex/* + vendor_rust/regex-syntax/* + vendor_rust/rustix/* + vendor_rust/rustversion/* + vendor_rust/serde/* + vendor_rust/serde_derive/* + vendor_rust/syn/* + vendor_rust/unicode-ident/* + vendor_rust/wasi/* +Copyright: *No copyright* +License: MIT + +Files: vendor_rust/async-stream*/* + vendor_rust/bytes/* + vendor_rust/mio/* + vendor_rust/slab/* +Copyright: 2018, 2019 Carl Lerche + 2014 Carl Lerche and other MIO contributors +License: MIT + +Files: vendor_rust/autocfg/* +Copyright: 2018 Josh Stone +License: MIT + +Files: vendor_rust/axum*/* +Copyright: 2021 Axum Contributors + 2014-2021 Sean McArthur +License: MIT + +Files: vendor_rust/backtrace/* + vendor_rust/cc/* + 
vendor_rust/cfg-if/* + vendor_rust/match_cfg/* + vendor_rust/rustc-demangle/* + vendor_rust/socket2/* +Copyright: 2014 Alex Crichton +License: MIT + +Files: vendor_rust/base64/* +Copyright: 2015 Alice Maz +License: MIT + +Files: vendor_rust/bitflags/* + vendor_rust/lazy_static/* + vendor_rust/libc/* + vendor_rust/log/* +Copyright: 2010-2020 The Rust Project Developers +License: MIT + +Files: vendor_rust/colored/* + vendor_rust/ctor/* +Copyright: *No copyright* +License: MPL-2.0 + +Files: vendor_rust/deranged/* +Copyright: 2022 Jacob Pratt et al. +License: Apache-2.0 + +Files: vendor_rust/errno/* +Copyright: 2014 Chris Wong +License: MIT + +Files: vendor_rust/errno-dragonfly/* +Copyright: 2017 Michael Neumann +License: MIT + +Files: vendor_rust/error-chain/* +Copyright: 2017 The Error-Chain Project Developers +License: MIT + +Files: vendor_rust/fnv/* +Copyright: 2017 Contributors +License: MIT + +Files: vendor_rust/futures-*/* +Copyright: 2017 The Tokio Authors / 2016 Alex Crichton +License: MIT + +Files: vendor_rust/getrandom/* +Copyright: 2018 Developers of the Rand project + 2014 The Rust Project Developers +License: MIT + +Files: vendor_rust/gimli/* +Copyright: 2015 The Rust Project Developers +License: MIT + +Files: vendor_rust/h2/* +Copyright: 2017 h2 authors +License: MIT + +Files: vendor_rust/hashbrown/* +Copyright: 2016 Amanieu d'Antras +License: MIT + +Files: vendor_rust/heck/* +Copyright: 2015 The Rust Project Developers +License: MIT + +Files: vendor_rust/hostname/* +Copyright: 2019 svartalf / 2016 fengcen +License: MIT + +Files: vendor_rust/httparse/* + vendor_rust/hyper/* + vendor_rust/want/* +Copyright: 2014-2021 Sean McArthur +License: MIT + +Files: vendor_rust/httpdate/* +Copyright: 2016 Pyfisch +License: MIT + +Files: vendor_rust/http-body/* +Copyright: 2019 Hyper Contributors +License: MIT + +Files: vendor_rust/http/* +Copyright: 2017 http-rs authors +License: MIT + +Files: vendor_rust/hyper-timeout/* +Copyright: 2016 The weldr Project Developers 
+License: MIT + +Files: vendor_rust/is-terminal/* +Copyright: 2015-2019 Doug Tangren +License: MIT + +Files: vendor_rust/matchit/* +Copyright: 2022 Ibraheem Ahmed +License: MIT + +Files: vendor_rust/multimap/* +Copyright: 2016 multimap developers +License: MIT + +Files: vendor_rust/num_threads/* +Copyright: 2021 Jacob Pratt +License: MIT + +Files: vendor_rust/percent-encoding/* +Copyright: 2013-2022 The rust-url developers +License: MIT + +Files: vendor_rust/pin-utils/* +Copyright: 2018 The pin-utils authors +License: MIT + +Files: vendor_rust/ppv-lite86/* +Copyright: 2019 The CryptoCorrosion Contributors +License: MIT + +Files: vendor_rust/prost/* + vendor_rust/prost-build/* + vendor_rust/prost-derive/* + vendor_rust/prost-types/* +Copyright: 2022 Dan Burkert & Tokio Contributors +License: Apache-2.0 + +Files: vendor_rust/rand/* + vendor_rust/rand_chacha/* + vendor_rust/rand_core/* +Copyright: 2018 Developers of the Rand project / 2014 The Rust Project Developers +License: MIT + +Files: vendor_rust/redox_syscall/* +Copyright: 2017 Redox OS Developers +License: MIT + +Files: vendor_rust/simple_logger/* +Copyright: 2015-2021 Sam Clements +License: MIT + +Files: vendor_rust/sync_wrapper/* +Copyright: 2020 Actyx AG +License: Apache-2.0 + +Files: vendor_rust/syslog/* +Copyright: 2014-2018 Geoffroy Couprie +License: MIT + +Files: vendor_rust/tempfile/* +Copyright: 2015 Steven Allen +License: MIT + +Files: vendor_rust/time/* + vendor_rust/time-core/* + vendor_rust/time-macros/* +Copyright: 2022 Jacob Pratt et al. 
+License: MIT + +Files: vendor_rust/tokio/* + vendor_rust/tokio-macros/* + vendor_rust/tokio-stream/* + vendor_rust/tokio-util/* + vendor_rust/tracing/* + vendor_rust/tracing-attributes/* + vendor_rust/tracing-core/* +Copyright: 2019, 2023 Tokio Contributors +License: MIT + +Files: vendor_rust/tokio-io-timeout/* +Copyright: 2017 The tokio-io-timeout Developers +License: MIT + +Files: vendor_rust/tonic/* + vendor_rust/tonic-build/* +Copyright: 2020 Lucio Franco +License: MIT + +Files: vendor_rust/tower/* + vendor_rust/tower-layer/* + vendor_rust/tower-service/* +Copyright: 2019 Tower Contributors +License: MIT + +Files: vendor_rust/try-lock/* +Copyright: 2018 Sean McArthur / 2016 Alex Crichton +License: MIT + +Files: vendor_rust/version_check/* +Copyright: 2017-2018 Sergio Benitez +License: MIT + +Files: vendor_rust/which/* +Copyright: 2015 fangyuanziti +License: MIT + +Files: vendor_rust/winapi*/* +Copyright: 2015-2018 The winapi-rs Developers +License: MIT + +Files: vendor_rust/windows*/* +Copyright: Microsoft Corporation. +License: MIT + +License: Apache-2.0 + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + +License: BSD-2 + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + . + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. 
+ +License: BSD-3 + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are + met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following disclaimer + in the documentation and/or other materials provided with the + distribution. + * Neither the name of Google Inc., Jonas Obrist nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + +License: LGPL-3+ + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 3 of the License, or (at your option) any later version. + . + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + +License: ISC + Permission to use, copy, modify, and/or distribute this software for any + purpose with or without fee is hereby granted, provided that the above + copyright notice and this permission notice appear in all copies. + . + THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
+ +License: MIT + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + . + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. + +License: MPL-2.0 + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. If a copy of the MPL was not distributed with this + file, You can obtain one at http://mozilla.org/MPL/2.0/. + Comment: + On Debian systems, the complete text of the Mozilla Public License can + be found in "/usr/share/common-licenses/MPL-2.0". diff --git a/debian/docs b/debian/docs new file mode 100644 index 0000000000..103c946dbb --- /dev/null +++ b/debian/docs @@ -0,0 +1,2 @@ +# Vendored dependency contains an Apache NOTICE +vendor/gopkg.in/yaml.v3/NOTICE diff --git a/debian/gbp.conf b/debian/gbp.conf new file mode 100644 index 0000000000..455c4e5201 --- /dev/null +++ b/debian/gbp.conf @@ -0,0 +1,9 @@ +[DEFAULT] +debian-tag=v%(version)s +debian-branch=main + +[buildpackage] +export=INDEX + +[dch] +multimaint-merge=True 
diff --git a/debian/lintian-overrides b/debian/lintian-overrides
new file mode 100644
index 0000000000..4109146d2e
--- /dev/null
+++ b/debian/lintian-overrides
@@ -0,0 +1,9 @@
+# NSS libraries don't provide symlinks to the versioned library
+authd: lacks-versioned-link-to-shared-library usr/lib/*/libnss_authd.so [usr/lib/*/libnss_authd.so.2]
+
+# cargo build currently does not support changing the output name of libraries and the functionality
+# is still being tracked at https://github.com/rust-lang/cargo/issues/9778. Therefore, we must build
+# it with the base name (i.e. libnss_authd.so) and then manually rename it to contain the version, as
+# done in the dh_auto_install step.
+# With this approach, libnss is not using soname to track compatibility, so this override is safe.
+authd: shared-library-lacks-version usr/lib/*/libnss_authd.so.2 libnss_authd.so
diff --git a/pam/go-loader/libpam-authd.pam-auth-update b/debian/pam-configs/authd
similarity index 100%
rename from pam/go-loader/libpam-authd.pam-auth-update
rename to debian/pam-configs/authd
diff --git a/debian/postinst b/debian/postinst
new file mode 100644
index 0000000000..2d72f7a43c
--- /dev/null
+++ b/debian/postinst
@@ -0,0 +1,42 @@
+#!/bin/sh
+set -e
+
+#DEBHELPER#
+
+# This code was taken from libnss-sss, which got it from libnss-myhostname, which got it from nss-mdns:
+
+log() {
+ echo "$*"
+}
+
+# try to insert authd entries to the passwd, group and shadow
+# lines in /etc/nsswitch.conf to automatically enable libnss-authd
+# support; do not change the configuration if the lines already
+# reference some authd lookups
+insert_nss_entry() {
+ log "Checking NSS setup..."
+ # abort if /etc/nsswitch.conf does not exist
+ if ! [ -e /etc/nsswitch.conf ]; then
+ log "Could not find /etc/nsswitch.conf."
+ return
+ fi
+ # append 'authd' to the end of the line if it's not found already
+ sed -i --regexp-extended '
+ /^(passwd|group|shadow):/ {
+ /\bauthd\b/! s/$/ authd/
+ }
+ ' /etc/nsswitch.conf
+}
+
+action="$1"
+
+if [ configure = "$action" ]; then
+ pam-auth-update --package
+
+ if [ -z "$2" ]; then
+ log "First installation detected..."
+ # first install: setup the recommended configuration (unless
+ # nsswitch.conf already contains authd entries)
+ insert_nss_entry
+ fi
+fi
diff --git a/debian/postrm b/debian/postrm
new file mode 100644
index 0000000000..99c4a5aefb
--- /dev/null
+++ b/debian/postrm
@@ -0,0 +1,40 @@
+#!/bin/sh
+set -e
+
+#DEBHELPER#
+
+# This code was taken from libnss-sss, which got it from libnss-myhostname, which got it from nss-mdns:
+
+log() {
+ echo "$*"
+}
+
+remove_nss_entry() {
+ log "Checking NSS setup..."
+ # abort if /etc/nsswitch.conf does not exist
+ if ! [ -e /etc/nsswitch.conf ]; then
+ log "Could not find /etc/nsswitch.conf."
+ return
+ fi
+ sed -i --regexp-extended '
+ /^(passwd|group|shadow):/ {
+ s/\s?\bauthd\b\s?/ /g
+ s/[[:space:]]+$//
+ }
+ ' /etc/nsswitch.conf
+}
+
+case "$1" in
+ remove|purge)
+ if [ "${DPKG_MAINTSCRIPT_PACKAGE_REFCOUNT:-1}" = 1 ]; then
+ remove_nss_entry
+ fi
+ ;;
+ upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
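Review bot: In `debian/postinst`, `insert_nss_entry` runs only when `$2` is empty, while `debian/postrm` strips the `authd` entries on `remove` as well as `purge`. dpkg passes the previously configured version to `postinst configure` when a removed-but-not-purged package is installed again, so that path appears to leave `pam-auth-update --package` applied while `/etc/nsswitch.conf` has no `authd` source. Consider handling that case explicitly in the `configure` branch (the `/\bauthd\b/!` guard already makes `insert_nss_entry` idempotent), or stripping the entries only on `purge`. Both `insert_nss_entry` and `remove_nss_entry` edit the file with `sed -i`, which replaces it rather than writing through it; `sed -i --follow-symlinks --regexp-extended` would keep a symlinked `nsswitch.conf` intact.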
diff --git a/debian/prerm b/debian/prerm
new file mode 100644
index 0000000000..8c4a0f1b88
--- /dev/null
+++ b/debian/prerm
@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+if [ "$1" = remove ] && [ "${DPKG_MAINTSCRIPT_PACKAGE_REFCOUNT:-1}" = 1 ]; then
+ pam-auth-update --package --remove authd
+fi
+
+#DEBHELPER#
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000000..7bddf07ff4
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,86 @@ +#!/usr/bin/make -f +#export DH_VERBOSE = 1 + +export GOCACHE := $(shell mktemp -d /tmp/gocache-XXXX) +export GOFLAGS := -ldflags=-X=github.com/ubuntu/authd/internal/consts.Version=$(shell dpkg-parsechangelog -S Version) --mod=vendor -buildmode=pie + +export DEB_BUILD_MAINT_OPTIONS := optimize=-lto + +# Strict symbols checking +export DPKG_GENSYMBOLS_CHECK_LEVEL := 4 + +# Copy in build directory all content to embed +export DH_GOLANG_INSTALL_ALL := 1 + +# The following definitions are necessary because of the manual steps +# we need to do to work around some issues with either dh-cargo, +# the wrapper, or cargo +include /usr/share/rustc/architecture.mk +CARGO := /usr/share/cargo/bin/cargo + +# Needed for Rust vendored sources tracking +DH_CARGO_VENDORED_SOURCES := /usr/share/cargo/bin/dh-cargo-vendored-sources +export CARGO_VENDOR_DIR = vendor_rust + +%: + dh $@ --buildsystem=golang --with=golang,apport + +override_dh_auto_clean: + dh_auto_clean + dh_auto_clean --buildsystem=cargo + + # Vendor Go dependencies when building the source package + [ -d vendor/ ] || go mod vendor + + # Vendor Rust dependencies when building the source package + [ -d vendor_rust/ ] || \ + CARGO=$(CARGO) DH_CARGO_VENDORED_SOURCES=$(DH_CARGO_VENDORED_SOURCES) \ + CARGO_VENDOR_DIR=$(CARGO_VENDOR_DIR) debian/vendor-rust.sh + +override_dh_auto_configure: + dh_auto_configure + + [ ! 
-e $(DH_CARGO_VENDORED_SOURCES) ] || $(DH_CARGO_VENDORED_SOURCES) + DEB_HOST_GNU_TYPE=$(DEB_HOST_GNU_TYPE) DEB_HOST_RUST_TYPE=$(DEB_HOST_RUST_TYPE) \ + CARGO_HOME=$(CURDIR)/debian/cargo_home DEB_CARGO_CRATE=nss_$(shell dpkg-parsechangelog --show-field Version) \ + RUSTFLAGS="--cfg=rustix_use_libc" \ + $(CARGO) prepare-debian $(CARGO_VENDOR_DIR) + +override_dh_auto_build: + # Build PAM library & Go loader + go generate -x ./pam + + # Build the NSS library + DEB_HOST_GNU_TYPE=$(DEB_HOST_GNU_TYPE) \ + DEB_HOST_RUST_TYPE=$(DEB_HOST_RUST_TYPE) \ + CARGO_HOME=$(CURDIR)/debian/cargo_home \ + $(CARGO) build --release + + # Build the daemon + DH_GOLANG_BUILDPKG=github.com/ubuntu/authd/cmd/authd dh_auto_build + +override_dh_auto_test: + # We need to specify these Rust related variables to the Go tests in order to build the NSS lib + # with the cargo wrapper in the integration tests in order to force cargo to use vendored deps + # instead of querying crates.io for them. + DEB_HOST_GNU_TYPE=$(DEB_HOST_GNU_TYPE) \ + DEB_HOST_RUST_TYPE=$(DEB_HOST_RUST_TYPE) \ + CARGO_HOME=$(CURDIR)/debian/cargo_home \ + CARGO_PATH=$(CARGO) \ + dh_auto_test + +override_dh_auto_install: + dh_auto_install -- --no-source + + # Install daemon in /sbin + mv debian/authd/usr/bin/ debian/authd/usr/sbin + + # Install PAM module configuration + install -Dm644 debian/pam-configs/authd debian/authd/usr/share/pam-configs/authd + + # Install PAM + install -Dm644 pam/go-loader/pam_go_loader.so debian/authd/usr/lib/$(DEB_TARGET_GNU_TYPE)/security/pam_go_loader.so + install -Dm644 pam/pam_authd.so debian/authd/usr/lib/$(DEB_TARGET_GNU_TYPE)/security/pam_authd.so + + # Install NSS + install -Dm644 target/$(DEB_TARGET_RUST_TYPE)/release/libnss_authd.so debian/authd/usr/lib/$(DEB_TARGET_GNU_TYPE)/libnss_authd.so.2 diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 0000000000..89ae9db8f8 --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (native) 
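Review bot: The three `install -Dm644` lines at the end of `override_dh_auto_install` build the library directory from `$(DEB_TARGET_GNU_TYPE)`, but PAM modules and NSS libraries are looked up under the multiarch directory, which dpkg exposes as `$(DEB_HOST_MULTIARCH)`. The GNU triplet and the multiarch tuple are not the same string on every architecture (i386 is `i686-linux-gnu` versus `i386-linux-gnu`), and the TARGET variables describe what a cross-toolchain emits rather than where this package runs, so on such a build the modules would be installed where nothing loads them. Use e.g. `install -Dm644 pam/pam_authd.so debian/authd/usr/lib/$(DEB_HOST_MULTIARCH)/security/pam_authd.so` and the same directory for `pam_go_loader.so` and `libnss_authd.so.2`; this assumes the included architecture.mk or the build environment defines that variable, which the hunk does not show. The later `@@ -83,4 +79,5 @@` hunk of PATCH 4/6 rewrites the NSS line but keeps the same destination.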
diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides
new file mode 100644
index 0000000000..9f2d8b383e
--- /dev/null
+++ b/debian/source/lintian-overrides
@@ -0,0 +1,2 @@
+# We must specify the XS-Vendored-Sources-Rust field in control to use the vendored dependencies.
+authd source: unknown-field Vendored-Sources-Rust
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000000..f833e8c214
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,3 @@
+Test-Command: go test -v -mod=vendor ./...
+Restrictions: allow-stderr
+Depends: @builddeps@
diff --git a/debian/vendor-rust.sh b/debian/vendor-rust.sh
new file mode 100755
index 0000000000..28262bf1de
--- /dev/null
+++ b/debian/vendor-rust.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+set -eu
+
+# Some crates are shipped with .a files, which get removed by the helpers during the package build as a safety measure.
+# This results in cargo failing to compile, since the files (which are listed in the checksums) are not there anymore.
+# For those crates, we need to replace their checksum with a more general one that only lists the crate checksum, instead of each file.
+CARGO_HOME=${HOME}/.cargo ${CARGO} vendor "${CARGO_VENDOR_DIR}"
+
+[ ! -e "${DH_CARGO_VENDORED_SOURCES}" ] || ${DH_CARGO_VENDORED_SOURCES}
+[ -e /usr/bin/jq ] || (echo "jq is required to run this script. Try installing it with 'sudo apt install jq'" && exit 1)
+
+for dep in vendor_rust/*; do
+ checksum_file="${dep}/.cargo-checksum.json"
+ a_files=$(jq '.files | keys | map(select(.|test(".a$")))' "${checksum_file}")
+ if [ "$a_files" = "[]" ]; then
+ continue
+ fi
+ pkg_checksum=$(jq '.package' "${checksum_file}")
+ echo "{\"files\": {}, \"package\": ${pkg_checksum}}" > "${checksum_file}"
+done
From 486a1c8fdb05cccf0f10565eb9975182f35988df Mon Sep 17 00:00:00 2001
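Review bot: In debian/vendor-rust.sh the jq filter `test(".a$")` leaves the dot unescaped, so it matches any path whose last character is `a` preceded by any character, not only `.a` archives. Every crate holding such a file then has its per-file entries replaced by `{"files": {}, ...}`, which drops more of the vendored-source integrity data than the comment above the loop describes. Escaping the dot keeps the rewrite to the crates that need it: `a_files=$(jq '.files | keys | map(select(.|test("\\.a$")))' "${checksum_file}")`. The loop also globs the literal `vendor_rust/*` while the vendor step writes to `${CARGO_VENDOR_DIR}`; `for dep in "${CARGO_VENDOR_DIR}"/*; do` keeps the two in step.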
From: Gabriel Nagy Date: Tue, 5 Dec 2023 21:59:23 +0200 Subject: [PATCH 3/6] Add jq as a build dependency On the account of it being needed when building the source package. --- debian/control | 1 + 1 file changed, 1 insertion(+) diff --git a/debian/control b/debian/control index a803d571c0..93b78c11fa 100644 --- a/debian/control +++ b/debian/control @@ -8,6 +8,7 @@ Build-Depends: debhelper-compat (= 13), dh-cargo, dh-golang, golang-go (>= 2:1.21~), + jq, libpam0g-dev, libc6-dev (>= 2.35), libpam0g-dev, From 559299f44be09a2d5e3d298f6c89e99b27c4727a Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Mon, 4 Dec 2023 13:30:15 +0200 Subject: [PATCH 4/6] Export variables used multiple times --- debian/rules | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/debian/rules b/debian/rules index 7bddf07ff4..08e85f45e7 100755 --- a/debian/rules +++ b/debian/rules @@ -22,6 +22,10 @@ CARGO := /usr/share/cargo/bin/cargo DH_CARGO_VENDORED_SOURCES := /usr/share/cargo/bin/dh-cargo-vendored-sources export CARGO_VENDOR_DIR = vendor_rust +# Needed for Rust configure/build/test stages +export DEB_HOST_GNU_TYPE DEB_HOST_RUST_TYPE +export CARGO_HOME = $(CURDIR)/debian/cargo_home + %: dh $@ --buildsystem=golang --with=golang,apport @@ -41,8 +45,7 @@ override_dh_auto_configure: dh_auto_configure [ ! -e $(DH_CARGO_VENDORED_SOURCES) ] || $(DH_CARGO_VENDORED_SOURCES) - DEB_HOST_GNU_TYPE=$(DEB_HOST_GNU_TYPE) DEB_HOST_RUST_TYPE=$(DEB_HOST_RUST_TYPE) \ - CARGO_HOME=$(CURDIR)/debian/cargo_home DEB_CARGO_CRATE=nss_$(shell dpkg-parsechangelog --show-field Version) \ + DEB_CARGO_CRATE=nss_$(shell dpkg-parsechangelog --show-field Version) \ RUSTFLAGS="--cfg=rustix_use_libc" \ $(CARGO) prepare-debian $(CARGO_VENDOR_DIR) 
@@ -51,10 +54,7 @@ override_dh_auto_build: go generate -x ./pam # Build the NSS library - DEB_HOST_GNU_TYPE=$(DEB_HOST_GNU_TYPE) \ - DEB_HOST_RUST_TYPE=$(DEB_HOST_RUST_TYPE) \ - CARGO_HOME=$(CURDIR)/debian/cargo_home \ - $(CARGO) build --release + $(CARGO) build --release # Build the daemon DH_GOLANG_BUILDPKG=github.com/ubuntu/authd/cmd/authd dh_auto_build @@ -63,11 +63,7 @@ override_dh_auto_test: # We need to specify these Rust related variables to the Go tests in order to build the NSS lib # with the cargo wrapper in the integration tests in order to force cargo to use vendored deps # instead of querying crates.io for them. - DEB_HOST_GNU_TYPE=$(DEB_HOST_GNU_TYPE) \ - DEB_HOST_RUST_TYPE=$(DEB_HOST_RUST_TYPE) \ - CARGO_HOME=$(CURDIR)/debian/cargo_home \ - CARGO_PATH=$(CARGO) \ - dh_auto_test + CARGO_PATH=$(CARGO) dh_auto_test override_dh_auto_install: dh_auto_install -- --no-source @@ -83,4 +79,5 @@ override_dh_auto_install: install -Dm644 pam/pam_authd.so debian/authd/usr/lib/$(DEB_TARGET_GNU_TYPE)/security/pam_authd.so # Install NSS - install -Dm644 target/$(DEB_TARGET_RUST_TYPE)/release/libnss_authd.so debian/authd/usr/lib/$(DEB_TARGET_GNU_TYPE)/libnss_authd.so.2 + # In Rust, HOST actually refers to the build target (see README.Debian in rustc) + install -Dm644 target/$(DEB_HOST_RUST_TYPE)/release/libnss_authd.so debian/authd/usr/lib/$(DEB_TARGET_GNU_TYPE)/libnss_authd.so.2 From 36d2ea8a07a43368e7c4a73139fe645a2fa4e38e Mon Sep 17 00:00:00 2001 
From: Gabriel Nagy Date: Mon, 4 Dec 2023 18:17:12 +0200 Subject: [PATCH 5/6] Skip pam-moduler call if dependencies are vendored We depend on github.com/msteinert/pam/cmd/pam-moduler to generate the pam_module.go file for the PAM module. This poses an issue if we are trying to run it with vendored dependencies, as we cannot vendor the cmd package. This can be fixed multiple ways, but in the interest of keeping the fix close to the problem, and avoid moving the generate statement to a separate package/file, simply skip the call if we detect a vendor directory at the root of the project. --- pam/pam.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pam/pam.go b/pam/pam.go index f2b404d437..b878089518 100644 --- a/pam/pam.go +++ b/pam/pam.go @@ -1,4 +1,4 @@ -//go:generate go run github.com/msteinert/pam/v2/cmd/pam-moduler -libname "pam_authd.so" -type pamModule -tags !pam_binary_cli +//go:generate sh -c "[ -d ../vendor ] && echo Vendored dependencies detected, not re-generating pam_module.go || go run github.com/msteinert/pam/v2/cmd/pam-moduler -libname pam_authd.so -type pamModule -tags !pam_binary_cli" //go:generate go generate --skip="pam_module.go" //go:generate sh -c "cc -o go-loader/pam_go_loader.so go-loader/module.c -Wl,--as-needed -Wl,--allow-shlib-undefined -shared -fPIC -Wl,--unresolved-symbols=report-all -lpam && chmod 600 go-loader/pam_go_loader.so" From aef2d427244bef1728301bf978c0f2202dbc8631 Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Mon, 4 Dec 2023 23:26:35 +0200 Subject: [PATCH 6/6] Add ldconfig trigger This is not added automatically, presumably because the name of the packge does not contain "lib". Add it using Debian's guidelines[1]. [1] https://www.debian.org/doc/debian-policy/ch-sharedlibs.html#ldconfig --- debian/triggers | 1 + 1 file changed, 1 insertion(+) create mode 100644 debian/triggers diff --git a/debian/triggers b/debian/triggers new file mode 100644 index 0000000000..dd86603678 --- /dev/null 
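Review bot: The rewritten first `//go:generate` directive in pam/pam.go skips pam-moduler whenever `../vendor` exists, without checking that a generated `pam_module.go` is actually present, so a vendored tree that lacks the file gets only the echo and fails later, away from the cause. Adding a file test keeps the skip but lets that case fall through to the generator: `[ -d ../vendor ] && [ -f pam_module.go ] && echo Vendored dependencies detected, not re-generating pam_module.go || go run …`. A comment above the directive, such as `// pam_module.go is checked in; regenerate it without ../vendor whenever pamModule changes, because vendored builds skip pam-moduler.`, would also record why the file has to be committed; that it is committed is inferred from the commit message. The rest of pam.go is outside the hunk.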
+++ b/debian/triggers
@@ -0,0 +1 @@
+activate-noawait ldconfig