feat(services/pam): Do not expose internal errors to client #1660

Workflow file for this run

	name: QA & sanity checks
	on:
	push:
	branches:
	- main
	tags:
	- "*"
	pull_request:

	env:
	DEBIAN_FRONTEND: noninteractive
	apt_deps: >-
	libpam-dev
	libglib2.0-dev
	libpwquality-dev

	test_apt_deps: >-
	ffmpeg
	# In Rust the grpc stubs are generated at build time
	# so we always need to install the protobuf compilers
	# when building the NSS crate.
	protobuf_compilers: >-
	protobuf-compiler

	jobs:
	go-sanity:
	name: "Go: Code sanity"
	runs-on: ubuntu-latest
	steps:
	- name: Install dependencies
	run: \|
	sudo apt update
	sudo apt install -y ${{ env.apt_deps }}
	- uses: actions/checkout@v4
	- name: Go code sanity check
	uses: canonical/desktop-engineering/gh-actions/go/code-sanity@main
	with:
	golangci-lint-configfile: ".golangci.yaml"
	tools-directory: "tools"
	- name: Build cmd/authd with withexamplebroker tag
	run: \|
	set -eu
	go build -tags withexamplebroker ./cmd/authd
	- name: Run PAM client for interactive testing purposes
	run: \|
	set -eu
	go run -tags pam_binary_cli ./pam login --exec-debug
	- name: Generate PAM module
	run: \|
	set -eu
	find pam -name '*.so' -print -delete
	go generate -C pam -x
	test -e pam/pam_authd.so
	test -e pam/go-exec/pam_authd_exec.so
	- name: Generate PAM module with pam_debug tag
	run: \|
	set -eu
	find pam -name '*.so' -print -delete
	go generate -C pam -x -tags pam_debug
	test -e pam/pam_authd.so
	test -e pam/go-exec/pam_authd_exec.so

	rust-sanity:
	name: "Rust: Code sanity"
	runs-on: ubuntu-latest
	steps:
	- name: Install dependencies
	run: \|
	sudo apt update
	sudo apt install -y ${{ env.apt_deps }} ${{ env.protobuf_compilers}}
	- uses: actions/checkout@v4
	- name: Rust code sanity check
	uses: canonical/desktop-engineering/gh-actions/rust/code-sanity@main
	with:
	token: ${{ secrets.GITHUB_TOKEN }}

	c-sanity:
	name: "C Code sanity"
	runs-on: ubuntu-latest
	env:
	CFLAGS: "-Werror"
	steps:
	- name: Install dependencies
	run: \|
	set -eu

	sudo apt update
	sudo apt install -y ${{ env.apt_deps }} clang-tools clang
	- name: Prepare report dir
	run: \|
	set -eu

	scan_build_dir=$(mktemp -d --tmpdir scan-build-dir-XXXXXX)
	echo SCAN_BUILD_REPORTS_PATH="${scan_build_dir}" >> $GITHUB_ENV
	- uses: actions/checkout@v4
	- name: Run scan build on GDM extensions
	run: \|
	set -eu

	scan-build -v -o "${SCAN_BUILD_REPORTS_PATH}" clang ${CFLAGS} \
	-Wno-gnu-variable-sized-type-not-at-end \
	pam/internal/gdm/extension.h
	- name: Run scan build on go-exec module
	run: \|
	set -eu

	scan-build -v -o "${SCAN_BUILD_REPORTS_PATH}" clang ${CFLAGS} \
	-DAUTHD_TEST_MODULE=1 \
	$(pkg-config --cflags --libs gio-unix-2.0 gio-2.0) \
	-lpam -shared -fPIC \
	pam/go-exec/module.c
	- name: Upload scan build reports
	uses: actions/upload-artifact@v4
	with:
	name: authd-${{ github.job }}-artifacts-${{ github.run_attempt }}
	path: ${{ env.SCAN_BUILD_REPORTS_PATH }}

	go-tests:
	name: "Go: Tests"
	runs-on: ubuntu-latest
	steps:
	- name: Install dependencies
	run: \|
	sudo apt update

	# The integration tests build the NSS crate, so we need the cargo build dependencies in order to run them.
	sudo apt install -y ${{ env.apt_deps }} ${{ env.protobuf_compilers}} ${{ env.test_apt_deps }}
	- name: Install PAM and GLib debug symbols
	run: \|
	set -eu
	sudo apt-get install ubuntu-dbgsym-keyring -y
	echo "deb http://ddebs.ubuntu.com $(lsb_release -cs) main restricted universe multiverse
	deb http://ddebs.ubuntu.com $(lsb_release -cs)-updates main restricted universe multiverse
	deb http://ddebs.ubuntu.com $(lsb_release -cs)-proposed main restricted universe multiverse" \| \
	sudo tee -a /etc/apt/sources.list.d/ddebs.list
	# Sometimes ddebs archive is stuck, so in case of failure we need to go manual
	sudo apt update -y \|\| true
	if ! sudo apt install -y libpam-modules-dbgsym libpam0*-dbgsym libglib2.0-0-dbgsym; then
	sudo apt install -y ubuntu-dev-tools
	pull-lp-ddebs pam $(lsb_release -cs)
	pull-lp-ddebs libglib2.0-0 $(lsb_release -cs)
	sudo apt install -y ./libpam0.ddeb ./libpam-modules.ddeb ./libglib2.0-0-dbgsym*.ddeb
	sudo apt remove -y ubuntu-dev-tools
	sudo apt autoremove -y
	fi
	- uses: actions/checkout@v4
	- uses: actions/setup-go@v5
	with:
	go-version-file: go.mod
	- name: Install VHS and ttyd for integration tests
	run: \|
	set -eu
	go install github.com/charmbracelet/vhs@latest

	# VHS requires ttyd >= 1.7.2 to work properly.
	wget https://github.com/tsl0922/ttyd/releases/download/1.7.4/ttyd.x86_64
	chmod +x ttyd.x86_64
	sudo mv ttyd.x86_64 /usr/bin/ttyd

	- uses: actions-rs/toolchain@v1
	with:
	profile: minimal
	toolchain: nightly # We need nightly to enable instrumentation for coverage.
	override: true
	components: llvm-tools-preview
	- name: Install grcov
	run: \|
	set -eu
	cargo install grcov
	- name: Prepare tests artifacts path
	run: \|
	set -eu

	artifacts_dir=$(mktemp -d --tmpdir authd-test-artifacts-XXXXXX)
	echo AUTHD_TEST_ARTIFACTS_PATH="${artifacts_dir}" >> $GITHUB_ENV

	echo ASAN_OPTIONS="log_path=${artifacts_dir}/asan.log:print_stats=true" >> $GITHUB_ENV
	- name: Run tests (with coverage collection)
	env:
	G_DEBUG: "fatal-criticals"
	run: \|
	set -eu

	# The coverage is not written if the output directory does not exist, so we need to create it.
	cov_dir="$(pwd)/coverage"
	cod_cov_dir="$(pwd)/coverage/codecov"
	raw_cov_dir="${cov_dir}/raw"
	mkdir -p "${raw_cov_dir}" "${cod_cov_dir}"

	# Overriding the default coverage directory is not an exported flag of go test (yet), so
	# we need to override it using the test.gocoverdir flag instead.
	#TODO: Update when https://go-review.googlesource.com/c/go/+/456595 is merged.
	go test -cover -covermode=set ./... -coverpkg=./... -shuffle=on -args -test.gocoverdir="${raw_cov_dir}"

	# Convert the raw coverage data into textfmt so we can merge the Rust one into it
	go tool covdata textfmt -i="${raw_cov_dir}" -o="${cov_dir}/coverage.out"

	# Append the Rust coverage data to the Go one
	cat "${raw_cov_dir}/rust-cov/rust2go_coverage" >>"${cov_dir}/coverage.out"

	# Filter out the testutils package and the pb.go file
	grep -v -e "testutils" -e "pb.go" "${cov_dir}/coverage.out" >"${cod_cov_dir}/coverage.out.filtered"

	# Move gcov output to coverage dir
	mv "${raw_cov_dir}"/*.gcov "${cod_cov_dir}"

	- name: Run tests (with race detector)
	run: \|
	go test -race ./...

	- name: Run PAM tests (with Address Sanitizer)
	env:
	# Do not optimize, keep debug symbols and frame pointer for better
	# stack trace information in case of ASAN errors.
	CGO_CFLAGS: "-O0 -g3 -fno-omit-frame-pointer"
	G_DEBUG: "fatal-criticals"
	run: \|
	# Use `-dwarflocationlists` to give ASAN a better time to unwind the stack trace
	go test -C ./pam/internal -asan -gcflags="-dwarflocationlists=true" ./...

	pushd ./pam/integration-tests
	go test -asan -gcflags="-dwarflocationlists=true" -c
	# FIXME: Suppression may be removed with newer libpam, as the one we ship in ubuntu as some leaks
	env LSAN_OPTIONS=suppressions=$(pwd)/lsan.supp \
	./integration-tests.test \
	\|\| exit_code=$?
	popd

	# We're logging to a file, and this is useful for having artifacts, but we still may want to see it in logs:
	cat "${AUTHD_TEST_ARTIFACTS_PATH}"/asan.log* \|\| true

	exit ${exit_code}

	- name: Upload coverage to Codecov
	uses: codecov/codecov-action@v4
	with:
	directory: ./coverage/codecov
	token: ${{ secrets.CODECOV_TOKEN }}

	- name: Upload test failures artifacts
	if: failure()
	uses: actions/upload-artifact@v4
	with:
	name: authd-${{ github.job }}-artifacts-${{ github.run_attempt }}
	path: ${{ env.AUTHD_TEST_ARTIFACTS_PATH }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(services/pam): Do not expose internal errors to client #1660

Workflow file

feat(services/pam): Do not expose internal errors to client #1660

Jobs

Run details

Workflow file for this run