Use TMT for gating tests

Signed-off-by: Julien Rische <jrische@redhat.com>

.fmf/version

@@ -0,0 +1 @@
+1

gating.yaml

@@ -0,0 +1,8 @@
+--- !Policy
+product_versions:
+- fedora-*
+decision_contexts:
+- bodhi_update_push_stable
+subject_type: koji_build
+rules:
+- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/tests.functional}

krb5-tests

@@ -0,0 +1,14 @@
+#!/bin/sh
+set -e
+
+export RPM_PACKAGE_NAME={{ name }}
+export RPM_PACKAGE_VERSION={{ version }}
+export RPM_PACKAGE_RELEASE={{ release }}
+export RPM_ARCH={{ arch }}
+
+testdir="$(mktemp -d)"
+trap "rm -rf ${testdir}" EXIT
+
+cp -rp /usr/share/{{ name }}-tests "${testdir}/"
+make -C "${testdir}/{{ name }}-tests" $(rpm --eval '%{_smp_mflags}')
+keyctl session - make -C "${testdir}/{{ name }}-tests" check

krb5.spec

@@ -1,27 +1,3 @@
-%bcond_without check
-%if %{without check}
-%global skipcheck 1
-%endif
-
-# COPR doesn't work right with the tests.  I suspect keyring issues,
-# but can't actually debug, so...
-%if 0%{?copr_username:1}
-%global skipcheck 1
-%endif
-
-# There are 0 test machines for this architecture, very few builders, and
-# they're not very well provisioned / maintained.  I can't support it.
-# Patches welcome, but there's nothing I can do - it fails more than half the
-# for "infrastructure issues" that I can't hope to debug.
-%ifarch s390x
-%global skipcheck 1
-%endif
-
-# RHEL runs upstream's test suite in a separate pass after build.
-%if 0%{?rhel}
-%global skipcheck 1
-%endif
-
 # Set this so that find-lang.sh will recognize the .po files.
 %global gettext_domain mit-krb5
 # Guess where the -libs subpackage's docs are going to go.
@@ -81,6 +57,7 @@ Source11: ksu.pamd
 Source12: krb5kdc.logrotate
 Source13: kadmind.logrotate
 Source14: krb5-krb5kdc.conf
+Source15: %{name}-tests
 
 Patch1:  0001-downstream-ksu-pam-integration.patch
 Patch2:  0002-downstream-SELinux-integration.patch
@@ -115,17 +92,6 @@ BuildRequires: perl-interpreter
 # For autosetup
 BuildRequires: git
 
-%if 0%{?skipcheck}
-%else
-BuildRequires: dejagnu
-BuildRequires: net-tools, rpcbind
-BuildRequires: hostname
-BuildRequires: iproute
-BuildRequires: python3-pyrad
-BuildRequires: procps-ng
-BuildRequires: resolv_wrapper
-%endif
-
 %if 0%{?fedora} > 35
 # Need KDFs.  This is the "real" version
 BuildRequires: openssl-devel => 1:3.0.0
@@ -135,6 +101,10 @@ BuildRequires: openssl-devel >= 1:1.1.1d-4
 BuildRequires: openssl-devel < 1:3.0.0
 %endif
 
+# Enable compilation of optional tests
+BuildRequires: resolv_wrapper
+BuildRequires: libcmocka-devel
+
 %description
 Kerberos V5 is a trusted-third-party network authentication system,
 which can improve your network's security by eliminating the insecure
@@ -244,6 +214,53 @@ Kerberos is a network authentication system. The libkadm5 package
 contains only the libkadm5clnt and libkadm5serv shared objects. This
 interface is not considered stable.
 
+%package tests
+Summary: Test sources for krb5 build
+
+# Build dependencies
+Requires: coreutils, gawk, sed
+Requires: gcc-c++
+Requires: gettext
+Requires: libcom_err-devel
+Requires: libselinux-devel
+Requires: libss-devel
+Requires: libverto-devel
+Requires: lmdb-devel
+Requires: openldap-devel
+Requires: pam-devel
+Requires: redhat-rpm-config
+%if 0%{?fedora} > 35
+Requires: openssl-devel => 1:3.0.0
+%else
+Requires: openssl-devel >= 1:1.1.1d-4
+Requires: openssl-devel < 1:3.0.0
+%endif
+
+# Test dependencies
+Requires: dejagnu
+Requires: hostname
+Requires: iproute
+Requires: keyutils, keyutils-libs-devel >= 1.5.8
+Requires: libcmocka-devel
+Requires: libverto-module-base
+Requires: logrotate
+Requires: net-tools, rpcbind
+Requires: perl-interpreter
+Requires: procps-ng
+Requires: python3-kdcproxy
+Requires: python3-pyrad
+Requires: resolv_wrapper
+Requires: /etc/crypto-policies/back-ends/krb5.config
+Requires: /usr/share/dict/words
+#Requires: openldap-servers, openldap-clients
+
+# sssd_krb5_locator_plugin.so conflicts with t_discover_uri.py
+Conflicts: sssd-client
+
+%description tests
+FOR TESTING PURPOSE ONLY
+Test sources for krb5 build, with pre-defined compilation parameters
+
 %prep
 %autosetup -S git_am -n %{name}-%{version}%{?dashpre}
 ln NOTICE LICENSE
@@ -354,17 +371,6 @@ sphinx-build -a -b man   -t pathsubs doc build-man
 sphinx-build -a -b html  -t pathsubs doc build-html
 rm -fr build-html/_sources
 
-%if 0%{?skipcheck}
-%else
-%check
-pushd src
-
-# The build system may give us a revoked session keyring, so run affected
-# tests with a new one.
-keyctl session - make check OFFLINE=yes TMPDIR=%{_tmppath}
-popd
-%endif
-
 %install
 [ "$RPM_BUILD_ROOT" != '/' ] && rm -rf -- "$RPM_BUILD_ROOT"
 
@@ -481,6 +487,39 @@ rm -- "$RPM_BUILD_ROOT/%{_docdir}/krb5-libs/examples/services.append"
 # This is only needed for tests
 rm -- "$RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/preauth/test.so"
 
+# Generate tests launching script
+sed -e 's/{{ name }}/%{name}/' \
+    -e 's/{{ version }}/%{krb5_version}/' \
+    -e 's/{{ release }}/%{krb5_release}/' \
+    -e 's/{{ arch }}/%{_arch}/' \
+    -i %{SOURCE15}
+mkdir -p $RPM_BUILD_ROOT%{_libexecdir}
+install -pm 755 %{SOURCE15} $RPM_BUILD_ROOT%{_libexecdir}/
+
+# Copy source files from build folder to system data folder
+install -pdm 755 $RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests
+pushd src
+cp -p --parents -t "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/" \
+    $(find . -type f -exec file -i "{}" + \
+          | sed -ne 's|^\./\([^:]\+\): \+text/.\+$|\1|p')
+popd
+
+# Copy binary test files
+install -pm 644 src/tests/pkinit-certs/*.p12 \
+    "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/tests/pkinit-certs/"
+install -pm 644 src/tests/au_dict.json \
+    "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/tests/"
+
+# Unset executable bit if no shebang in script
+for f in $(find "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/" -type f -executable)
+do
+    head -n1 "$f" | grep -Eq '^#!' || chmod a-x "$f"
+done
+
+# Remove broken shebang Perl scripts
+rm -- "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/config/wconfig.pl"
+rm -- "$RPM_BUILD_ROOT%{_datarootdir}/%{name}-tests/kadmin/kdbkeys/do-test.pl"
+
 %find_lang %{gettext_domain}
 
 %ldconfig_scriptlets libs
@@ -666,6 +705,10 @@ exit 0
 %{_libdir}/libkadm5clnt_mit.so.*
 %{_libdir}/libkadm5srv_mit.so.*
 
+%files tests
+%{_libexecdir}/%{name}-tests
+%{_datarootdir}/%{name}-tests/
+
 %changelog
 * Wed Nov 23 2022 Julien Rische <jrische@redhat.com> - 1.20.1-1
 - New upstream version (1.20.1)

plans/tests.fmf

@@ -0,0 +1,9 @@
+summary: Tests
+discover:
+  how: fmf
+prepare:
+- how: shell
+  script:
+  - dnf remove -y sssd-client
+execute:
+  how: tmt

tests/inplace-upgrade-sanity/TC#0378369.fmf

@@ -0,0 +1,21 @@
+tag:
+  - CI-Tier-1
+  - CI-Tier-1-krb5
+  - Fedora 31
+  - Fedora 32
+  - FedoraReady
+  - IDM-CI-gating
+  - NoRHEL4
+  - NoRHEL5
+  - TIPpass
+  - TIPpass_Security
+  - Tier1
+  - Tier1security
+  - rhel_upgrade
+tier: '1'
+adjust:
+  - enabled: false
+    when: distro == rhel-4, rhel-5
+    continue: false
+extra-nitrate: TC#0378369
+extra-summary: /CoreOS/krb5/Sanity/inplace-upgrade-sanity-test

tests/inplace-upgrade-sanity/TC#0552039.fmf

@@ -0,0 +1,17 @@
+link:
+  - relates: https://bugzilla.redhat.com/show_bug.cgi?id=1394908
+tag:
+  - NoRHEL4
+  - NoRHEL5
+  - TIPpass
+  - TIPpass_Security
+  - Tier2
+tier: '2'
+adjust:
+  - enabled: false
+    when: distro == rhel-4, rhel-5, rhel-6
+    continue: false
+environment:
+    TEST_ENTROPY_SOURCE: yes
+extra-nitrate: TC#0552039
+extra-summary: 'BZ#1394908: Enable faster getrandom-based entropy system'

tests/inplace-upgrade-sanity/TC#0608992.fmf

@@ -0,0 +1,14 @@
+tag:
+  - Fedora 31
+  - Fedora 32
+  - FedoraReady
+  - NoRHEL4
+  - NoRHEL5
+  - rhel_upgrade
+adjust:
+  - enabled: false
+    when: distro == rhel-4, rhel-5
+    continue: false
+manual: true
+extra-nitrate: TC#0608992
+extra-summary: /CoreOS/krb5/Sanity/inplace-upgrade-sanity-test-manual

tests/inplace-upgrade-sanity/main.fmf

@@ -0,0 +1,19 @@
+summary: Verifies basic scenarios which should work after inplace upgrade.
+enabled: true
+contact: Filip Dvorak <fdvorak@redhat.com>
+component:
+- krb5
+test: ./runtest.sh
+path: /tests/inplace-upgrade-sanity
+framework: beakerlib
+require:
+- expect
+- krb5-server
+- krb5-workstation
+- openssh-clients
+- openssh-server
+- rng-tools
+- setools-console
+duration: 20m
+extra-summary: /CoreOS/krb5/Sanity/inplace-upgrade-sanity-test
+extra-task: /CoreOS/krb5/Sanity/inplace-upgrade-sanity-test

tests/inplace-upgrade-sanity/runtest.sh

@@ -27,7 +27,6 @@
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 # Include Beaker environment
-. /usr/bin/rhts-environment.sh
 . /usr/share/beakerlib/beakerlib.sh || exit 1
 
 PACKAGE="krb5"
@@ -89,11 +88,17 @@ rlJournalStart
         if rlIsRHEL 6; then
             rlRun "sed -i \"s/EXAMPLE.COM/$krb5REALM1/\" $krb5conf"
             rlRun "sed -i \"s/kerberos.example.com/$krb5HostName/\" $krb5conf"
-            rlRun "sed -i \"s/example.com/$krb5DomainName/\" $krb5conf"
+            if [ "$krb5DomainName" ]; then
+                rlRun "sed -i \"s/example.com/$krb5DomainName/\" $krb5conf"
+            fi
         else
             rlRun "sed -i \"s/\[libdefaults\]/[libdefaults]\n default_realm = $krb5REALM1/\" $krb5conf"
             rlRun "sed -i \"s/\[realms\]/[realms]\n $krb5REALM1 = {\n  kdc = $krb5HostName\n  admin_server = $krb5HostName\n }/\" $krb5conf"
-            rlRun "sed -i \"s/\[domain_realm\]/[domain_realm]\n .$krb5DomainName = $krb5REALM1\n $krb5DomainName = $krb5REALM1/\" $krb5conf"
+            if [ "$krb5DomainName" ]; then
+                rlRun "sed -i \"s/\[domain_realm\]/[domain_realm]\n .$krb5DomainName = $krb5REALM1\n $krb5DomainName = $krb5REALM1/\" $krb5conf"
+            else
+                rlRun "sed -i \"s/\[domain_realm\]/[domain_realm]\n $krb5HostName = $krb5REALM1/\" $krb5conf"
+            fi
         fi
         rlRun "sed -i s/EXAMPLE.COM/$krb5REALM1/ $krb5kdcconf"
         # Configure the kadmin ACL
@@ -368,4 +373,4 @@ _EOF
         rlRun "rm -r $TmpDir"
     rlPhaseEnd
 rlJournalPrintText
-rlJournalEnd
+rlJournalEnd

tests/tests.yml

@@ -1,16 +0,0 @@
----
-# This first play always runs on the local staging system
-- hosts: localhost
-  roles:
-  - role: standard-test-beakerlib
-    tags:
-    - classic
-    tests:
-    - inplace-upgrade-sanity-test
-    required_packages:
-    - expect            # Required for inplace-upgrade-sanity-test
-    - krb5-server       # Required for inplace-upgrade-sanity-test
-    - krb5-workstation  # Required for inplace-upgrade-sanity-test
-    - openssh-clients   # Required for inplace-upgrade-sanity-test
-    - openssh-server    # Required for inplace-upgrade-sanity-test
-    - rng-tools         # Required for inplace-upgrade-sanity-test

tests/upstream/main.fmf

@@ -0,0 +1,7 @@
+summary: Run upstream tests
+test: ./test.sh
+enabled: true
+path: /tests/upstream
+require:
+- krb5-tests
+duration: 20m

tests/upstream/test.sh

@@ -0,0 +1,2 @@
+#!/bin/sh -eux
+/usr/libexec/krb5-tests