krb5 1.21.1-7

- Use TMT for gating tests
- Add dedicated tests sub-package

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Co-authored-by: Julien Rische <jrische@redhat.com>

.fmf/version

@@ -0,0 +1 @@
+1

gating.yaml

@@ -4,3 +4,4 @@ product_versions:
 decision_context: osci_compose_gate
 rules:
   - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build./plans/tests.functional}

krb5-tests

@@ -0,0 +1,18 @@
+#!/bin/sh
+set -e
+
+export RPM_PACKAGE_NAME={{ name }}
+export RPM_PACKAGE_VERSION={{ version }}
+export RPM_PACKAGE_RELEASE={{ release }}
+export RPM_ARCH={{ arch }}
+export RPM_BUILD_NCPUS="$(getconf _NPROCESSORS_ONLN)"
+
+testdir="$(mktemp -d)"
+trap "rm -rf ${testdir}" EXIT
+
+build_flags="$(eval "echo $(rpm --eval '%{_smp_mflags}')")"
+
+mkdir "${testdir}/{{ name }}-tests"
+cp -rp /usr/share/{{ name }}-tests/{{ arch }} "${testdir}/{{ name }}-tests/"
+make -C "${testdir}/{{ name }}-tests/{{ arch }}/" $build_flags
+keyctl session - make -C "${testdir}/{{ name }}-tests/{{ arch }}/" check

krb5.spec

@@ -1,27 +1,3 @@
-%bcond_without check
-%if %{without check}
-%global skipcheck 1
-%endif
-
-# COPR doesn't work right with the tests.  I suspect keyring issues,
-# but can't actually debug, so...
-%if 0%{?copr_username:1}
-%global skipcheck 1
-%endif
-
-# There are 0 test machines for this architecture, very few builders, and
-# they're not very well provisioned / maintained.  I can't support it.
-# Patches welcome, but there's nothing I can do - it fails more than half the
-# for "infrastructure issues" that I can't hope to debug.
-%ifarch s390x
-%global skipcheck 1
-%endif
-
-# RHEL runs upstream's test suite in a separate pass after build.
-%if 0%{?rhel}
-%global skipcheck 1
-%endif
-
 # Set this so that find-lang.sh will recognize the .po files.
 %global gettext_domain mit-krb5
 # Guess where the -libs subpackage's docs are going to go.
@@ -34,7 +10,7 @@
 #
 # baserelease is what we have standardized across Fedora and what
 # rpmdev-bumpspec knows how to handle.
-%global baserelease 6
+%global baserelease 7
 
 # This should be e.g. beta1 or %%nil
 %global pre_release %nil
@@ -82,6 +58,7 @@ Source11: ksu.pamd
 Source12: krb5kdc.logrotate
 Source13: kadmind.logrotate
 Source14: krb5-krb5kdc.conf
+Source15: %{name}-tests
 
 Patch0001: 0001-downstream-Revert-Don-t-issue-session-keys-with-depr.patch
 Patch0002: 0002-downstream-ksu-pam-integration.patch
@@ -121,43 +98,97 @@ Patch0035: 0035-Prevent-overflow-when-calculating-ulog-block-size.patch
 
 License: MIT
 URL: https://web.mit.edu/kerberos/www/
-BuildRequires: autoconf, bison, make, flex, gawk, gettext, pkgconfig, sed
-BuildRequires: gcc, gcc-c++
-BuildRequires: libcom_err-devel, libedit-devel, libss-devel
-BuildRequires: gzip, ncurses-devel
-BuildRequires: python3, python3-sphinx
-BuildRequires: keyutils, keyutils-libs-devel >= 1.5.8
-BuildRequires: libselinux-devel
-BuildRequires: pam-devel
-BuildRequires: systemd-units
-BuildRequires: tcl-devel
-BuildRequires: libverto-devel
-BuildRequires: openldap-devel
-BuildRequires: lmdb-devel
-BuildRequires: perl-interpreter
+
+%global common_dependencies() %{expand:
+%1: autoconf
+%1: bison
+%1: coreutils
+%1: flex
+%1: gawk
+%1: gcc
+%1: gcc-c++
+%1: gettext
+%1: gzip
+%1: keyutils-libs-devel >= 1.5.8
+%1: libcom_err-devel
+%1: libedit-devel
+%1: libselinux-devel
+%1: libss-devel
+%1: libverto-devel
+%1: lmdb-devel
+%1: make
+%1: ncurses-devel
+%1: openldap-devel
+%1: openssl-devel >= 1:3.0.0
+%1: pam-devel
+%1: perl-interpreter
+%1: pkgconfig
+%1: python3
+%1: python3-sphinx
+%1: sed
+%1: systemd-units
+%1: tcl-devel
+
+# Enable compilation of optional tests
+%1: libcmocka-devel
+%1: opensc
+%1: softhsm
+}
+
+%{common_dependencies BuildRequires}
 
 # For autosetup
 BuildRequires: git
 
-%if 0%{?skipcheck}
-%else
-BuildRequires: dejagnu
-BuildRequires: net-tools, rpcbind
-BuildRequires: hostname
-BuildRequires: iproute
-BuildRequires: python3-pyrad
-BuildRequires: opensc
-BuildRequires: softhsm
-%endif
+# For files install
+BuildRequires: file
 
-# Need KDFs.  This is the "real" version
-BuildRequires: openssl-devel >= 1:3.0.0
+# resolv_wrapper is not available in C9S buildroot repo
+#BuildRequires: resolv_wrapper
 
 %description
 Kerberos V5 is a trusted-third-party network authentication system,
 which can improve your network's security by eliminating the insecure
 practice of sending passwords over the network in unencrypted form.
 
+%package tests
+Summary: Test sources for krb5 build
+
+# Build dependencies
+%{common_dependencies Requires}
+
+# Test dependencies
+Requires: dejagnu
+Requires: hostname
+Requires: iproute
+Requires: keyutils
+Requires: libverto-module-base
+Requires: logrotate
+Requires: net-tools
+Requires: perl-interpreter
+Requires: procps-ng
+Requires: python3-kdcproxy
+Requires: redhat-rpm-config
+Requires: rpcbind
+Requires: words
+Requires: /etc/crypto-policies/back-ends/krb5.config
+
+# resolv_wrapper is not available in C9S buildroot repo
+#Requires: resolv_wrapper
+
+Recommends: openldap-clients
+Recommends: python3-pyrad
+
+# Something blocks the use of DIGEST-MD5 in openldap-servers
+#Recommends: openldap-servers
+
+# sssd_krb5_locator_plugin.so conflicts with t_discover_uri.py
+Conflicts: sssd-client
+
+%description tests
+FOR TESTING PURPOSE ONLY
+Test sources for krb5 build, with pre-defined compilation parameters
+
 %package devel
 Summary: Development files needed to compile Kerberos 5 programs
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@@ -196,8 +227,8 @@ Requires(preun): systemd-units
 Requires(postun): systemd-units
 # we drop files in its directory, but we don't want to own that directory
 Requires: logrotate
-# we specify /usr/share/dict/words as the default dict_file in kdc.conf
-Requires: /usr/share/dict/words
+# we specify /usr/share/dict/words (provided by words) as the default dict_file in kdc.conf
+Requires: words
 # for run-time, and for parts of the test suite
 BuildRequires: libverto-module-base
 Requires: libverto-module-base
@@ -366,17 +397,6 @@ sphinx-build -a -b man   -t pathsubs doc build-man
 sphinx-build -a -b html  -t pathsubs doc build-html
 rm -fr build-html/_sources
 
-%if 0%{?skipcheck}
-%else
-%check
-pushd src
-
-# The build system may give us a revoked session keyring, so run affected
-# tests with a new one.
-keyctl session - make check OFFLINE=yes TMPDIR=%{_tmppath}
-popd
-%endif
-
 %install
 [ "$RPM_BUILD_ROOT" != '/' ] && rm -rf -- "$RPM_BUILD_ROOT"
 
@@ -492,6 +512,40 @@ rm -- "$RPM_BUILD_ROOT/%{_docdir}/krb5-libs/examples/services.append"
 # This is only needed for tests
 rm -- "$RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/preauth/test.so"
 
+# Generate tests launching script
+sed -e 's/{{ name }}/%{name}/g' \
+    -e 's/{{ version }}/%{krb5_version}/g' \
+    -e 's/{{ release }}/%{krb5_release}/g' \
+    -e 's/{{ arch }}/%{_arch}/g' \
+    -i %{SOURCE15}
+mkdir -p $RPM_BUILD_ROOT%{_libexecdir}
+install -pm 755 %{SOURCE15} $RPM_BUILD_ROOT%{_libexecdir}/%{name}-tests-%{_arch}
+
+# Copy source files from build folder to system data folder
+install -pdm 755 $RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}
+pushd src
+cp -p --parents -t "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}/" \
+    $(find . -type f -exec file -i "{}" + \
+          | sed -ne 's|^\./\([^:]\+\): \+text/.\+$|\1|p' | grep -Ev '~$')
+popd
+
+# Copy binary test files
+install -pm 644 src/tests/pkinit-certs/*.p12 \
+    "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}/tests/pkinit-certs/"
+install -pm 644 src/tests/au_dict.json \
+    "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}/tests/"
+
+# Unset executable bit if no shebang in script
+for f in $(find "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}/" -type f -executable)
+do
+    head -n1 "$f" | grep -Eq '^#!' || chmod a-x "$f"
+done
+
+# Remove broken shebang Perl scripts
+rm -- "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}/config/wconfig.pl"
+rm -- "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/%{_arch}/kadmin/kdbkeys/do-test.pl"
+
+
 %find_lang %{gettext_domain}
 
 %ldconfig_scriptlets libs
@@ -683,7 +737,14 @@ exit 0
 %{_libdir}/libkadm5clnt_mit.so.*
 %{_libdir}/libkadm5srv_mit.so.*
 
+%files tests
+%{_libexecdir}/%{name}-tests-%{_arch}
+%{_datarootdir}/%{name}-tests/%{_arch}
+
 %changelog
+* Tue Mar 25 2025 Julien Rische <jrische@redhat.com> - 1.21.1-7
+- Add dedicated tests sub-package
+
 * Wed Jan 29 2025 Julien Rische <jrische@redhat.com> - 1.21.1-6
 - Prevent overflow when calculating ulog block size (CVE-2025-24528)
   Resolves: RHEL-76759

plans/tests.fmf

@@ -0,0 +1,5 @@
+summary: Tests
+discover:
+  how: fmf
+execute:
+  how: tmt

tests/inplace-upgrade-sanity/TC#0378369.fmf

@@ -0,0 +1,22 @@
+tag:
+  - CI-Tier-1
+  - CI-Tier-1-krb5
+  - Fedora 31
+  - Fedora 32
+  - FedoraReady
+  - IDM-CI-gating
+  - NoRHEL4
+  - NoRHEL5
+  - TIPpass
+  - TIPpass_Security
+  - Tier1
+  - Tier1security
+  - rhel_upgrade
+tier: '1'
+adjust:
+  - enabled: false
+    when: distro == rhel-4, rhel-5
+    continue: false
+extra-nitrate: TC#0378369
+extra-summary: /CoreOS/krb5/Sanity/inplace-upgrade-sanity-test
+

tests/inplace-upgrade-sanity/TC#0552039.fmf

@@ -0,0 +1,18 @@
+link:
+  - relates: https://bugzilla.redhat.com/show_bug.cgi?id=1394908
+tag:
+  - NoRHEL4
+  - NoRHEL5
+  - TIPpass
+  - TIPpass_Security
+  - Tier2
+tier: '2'
+adjust:
+  - enabled: false
+    when: distro == rhel-4, rhel-5, rhel-6
+    continue: false
+environment:
+    TEST_ENTROPY_SOURCE: yes
+extra-nitrate: TC#0552039
+extra-summary: 'BZ#1394908: Enable faster getrandom-based entropy system'
+

tests/inplace-upgrade-sanity/main.fmf

@@ -0,0 +1,20 @@
+summary: Verifies basic scenarios which should work after inplace upgrade.
+enabled: true
+contact: Michal Polovka <mpolovka@redhat.com>
+component:
+- krb5
+test: ./runtest.sh
+path: /tests/inplace-upgrade-sanity
+framework: beakerlib
+require:
+- expect
+- krb5-server
+- krb5-workstation
+- openssh-clients
+- openssh-server
+- rng-tools
+- setools-console
+duration: 20m
+extra-summary: /CoreOS/krb5/Sanity/inplace-upgrade-sanity-test
+extra-task: /CoreOS/krb5/Sanity/inplace-upgrade-sanity-test
+

tests/tests.yml

@@ -1,18 +0,0 @@
----
-# This first play always runs on the local staging system
-- hosts: localhost
-  roles:
-  - role: standard-test-beakerlib
-    tags:
-    - classic
-    tests:
-    - inplace-upgrade-sanity-test
-    required_packages:
-    - expect            # Required for inplace-upgrade-sanity-test
-    - krb5-server       # Required for inplace-upgrade-sanity-test
-    - krb5-workstation  # Required for inplace-upgrade-sanity-test
-    - openssh-clients   # Required for inplace-upgrade-sanity-test
-    - openssh-server    # Required for inplace-upgrade-sanity-test
-    - rng-tools         # Required for inplace-upgrade-sanity-test
-    - opensc            # Required for inplace-upgrade-sanity-test
-    - softhsm           # Required for inplace-upgrade-sanity-test

tests/upstream/main.fmf

@@ -0,0 +1,8 @@
+summary: Run upstream tests
+test: ./test.sh
+enabled: true
+path: /tests/upstream
+require:
+- krb5-tests
+duration: 20m
+

tests/upstream/test.sh

@@ -0,0 +1,7 @@
+#!/bin/sh -eux
+rc=0
+for test_exec in /usr/libexec/krb5-tests-*
+do
+    "$test_exec" || rc=1
+done
+exit $rc