limit child allocation depth to MAX_TLV_STACK #7737
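---
name: CI

on:
  push:
    branches-ignore:
      - coverity_scan
      - run-fuzzer**
      - debug-fuzzer-**
  pull_request:

# Workflow-wide environment.  Every value below ends up as a string in the
# job's environment; the "yes"/"no" ones are quoted so that any YAML parser
# (including 1.1-schema linters and editors) hands the consumer the literal
# word rather than retyping it as a boolean.
env:
  ASAN_OPTIONS: symbolize=1 detect_leaks=1 detect_stack_use_after_return=1
  LSAN_OPTIONS: fast_unwind_on_malloc=0:malloc_context_size=50
  UBSAN_OPTIONS: print_stacktrace=1
  # Quoted: an unquoted hex literal would be retyped as an integer.
  M_PERTURB: "0x42"
  PANIC_ACTION: "gdb -batch -x raddb/panic.gdb %e %p 1>&0 2>&0"
  # Stops the utilities forking on every call to check if they're running under GDB/LLDB
  DEBUGGER_ATTACHED: "no"
  ANALYZE_C_DUMP: 1
  FR_GLOBAL_POOL: 4M
  TEST_CERTS: "yes"
  NO_PERFORMANCE_TESTS: "yes"
  DO_BUILD: "yes"
  HOSTAPD_BUILD_DIR: eapol_test.ci
  HOSTAPD_GIT_TAG: hostap_2_10
  # Quoted: a bare version number would be parsed as a float.
  ALT_OPENSSL: "3.0.2"
  DEBIAN_FRONTEND: noninteractive
  CI: 1
  GH_ACTIONS: 1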
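jobs:
  pre-ci:
    runs-on: ubuntu-latest
    # Map a step output to a job output
    outputs:
      should_skip: ${{ steps.skip_check.outputs.should_skip }}
      selfhosted: ${{ github.repository_owner == 'FreeRADIUS' && '1' || '0' }}
      docker_prefix: ${{ github.repository_owner == 'FreeRADIUS' && 'docker.internal.networkradius.com/' || '' }}
    steps:
      - id: skip_check
        # Third-party action referenced by a mutable branch: each run executes
        # whatever "master" currently points at.  Pinning to a release tag or a
        # full commit SHA (@<full-commit-sha>, placeholder) makes the dependency
        # reproducible and reviewable.
        uses: fkirc/skip-duplicate-actions@master

  ci:
    timeout-minutes: 150
    needs: pre-ci
    if: ${{ needs.pre-ci.outputs.should_skip != 'true' }}
    runs-on: ${{ matrix.os.runs_on }}
    container:
      image: ${{ matrix.os.docker }}
      # "privileged" is needed for Samba install
      # "memory-swap -1" enables full use of host swap and may help
      # with containers randomly quitting with "The operation was
      # canceled"
      #
      # NOTE(review): a privileged container has host-level capabilities.  On
      # pull_request events github.repository_owner is the base repository's
      # owner, so PRs against the main repo presumably also land on the
      # self-hosted runner selected below; the repository's "require approval
      # for workflow runs" setting is what gates untrusted code there - confirm.
      options: >-
        --privileged
        --memory-swap -1
    strategy:
      fail-fast: false
      matrix:
        # runs_on - where GitHub will spin up the runner, either
        # "self-hosted", or the name of a GitHub VM image
        # e.g. ubuntu-20.04 or ubuntu-latest
        # see: https://github.com/actions/runner-images
        # code - the name/version of the OS (for step evaluations below)
        # docker - the docker image name, if containers are being used
        # name - used in the job name only
        os:
          - runs_on: "${{ needs.pre-ci.outputs.selfhosted == '1' && 'self-hosted' || 'ubuntu-20.04' }}"
            docker: "${{ needs.pre-ci.outputs.selfhosted == '1' && 'docker.internal.networkradius.com/self-hosted' || 'ubuntu:20.04' }}"
            name: "${{ needs.pre-ci.outputs.selfhosted == '1' && 'self' || 'gh' }}-ubuntu20"
            code: "ubuntu2004"
            imageos: "ubuntu20"
        # LIBS_OPTIONAL / LIBS_ALT are compared against the string 'yes' in the
        # step conditions below, so they are quoted to guarantee they stay
        # strings under every YAML parser.
        env:
          - { CC: gcc, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG", LIBS_OPTIONAL: "no", LIBS_ALT: "no", TEST_TYPE: fixtures, NAME: linux-gcc-lean }
          - { CC: gcc, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG", LIBS_OPTIONAL: "yes", LIBS_ALT: "no", TEST_TYPE: fixtures, NAME: linux-gcc }
          - { CC: gcc, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG -O2 -g3", LIBS_OPTIONAL: "yes", LIBS_ALT: "no", TEST_TYPE: fixtures, NAME: linux-gcc-O2-g3 }
          - { CC: gcc, BUILD_CFLAGS: "-DNDEBUG", LIBS_OPTIONAL: "yes", LIBS_ALT: "no", TEST_TYPE: fixtures, NAME: linux-gcc-ndebug }
          - { CC: clang, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG", LIBS_OPTIONAL: "no", LIBS_ALT: "no", TEST_TYPE: fixtures, NAME: linux-clang-lean }
          - { CC: clang, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG", LIBS_OPTIONAL: "yes", LIBS_ALT: "no", TEST_TYPE: fixtures, NAME: linux-clang }
          - { CC: clang, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG -O2 -g3", LIBS_OPTIONAL: "yes", LIBS_ALT: "no", TEST_TYPE: fixtures, NAME: linux-clang-O2-g3 }
          - { CC: clang, BUILD_CFLAGS: "-DNDEBUG", LIBS_OPTIONAL: "yes", LIBS_ALT: "no", TEST_TYPE: fixtures, NAME: linux-clang-ndebug }
          - { CC: clang, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG", LIBS_OPTIONAL: "yes", LIBS_ALT: "yes", TEST_TYPE: fixtures, NAME: linux-clang-altlibs }
          - { CC: clang, BUILD_CFLAGS: "-DWITH_EVAL_DEBUG -O2 -g3", LIBS_OPTIONAL: "yes", LIBS_ALT: "no", TEST_TYPE: fuzzing, NAME: linux-fuzzer }
    env: ${{ matrix.env }}
    # If branch protection is in place with status checks enabled, ensure
    # names are updated if new matrix entries are added or the name format
    # changes.
    name: "master-${{ matrix.os.name }}-${{ matrix.env.NAME }}"
    # The standard GitHub environment contains PostgreSQL and
    # MySQL already. However when running on hosted GitHub runners
    # we need to run separate database containers to provide these.
    services:
      mariadb:
        image: ${{ needs.pre-ci.outputs.docker_prefix }}mariadb
        env:
          MARIADB_ALLOW_EMPTY_ROOT_PASSWORD: "yes"
        # Port mappings are quoted: "host:container" pairs are a classic
        # YAML 1.1 sexagesimal-integer trap.
        ports:
          - "3306:3306"
        options: >-
          --health-cmd="mariadb-admin ping"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 10
      postgres:
        image: ${{ needs.pre-ci.outputs.docker_prefix }}postgres
        env:
          POSTGRES_HOST_AUTH_METHOD: trust
        ports:
          - "5432:5432"
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
      threeds:
        image: ${{ needs.pre-ci.outputs.docker_prefix }}4teamwork/389ds
        ports:
          - "3389:3389"
          - "3636:3636"
        # DS_DM_PASSWORD is a throwaway credential for this ephemeral test
        # container, not a secret; it must not be reused for any real directory.
        options: >-
          -e SUFFIX_NAME=dc=example,dc=com
          -e DS_DM_PASSWORD=secret123
          --health-cmd "dsctl localhost healthcheck --check backends:localhost:search"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    steps:
      # Need git installed for checkout to behave normally
      - name: Install checkout prerequisites
        run: apt-get update && apt-get install -y --no-install-recommends git git-lfs ca-certificates
      # Checkout, but defer pulling LFS objects until we've restored the cache
      - uses: actions/checkout@v3
        with:
          lfs: false
      # Docker image does not have same environment as the
      # standard GitHub actions image, so use this to bring them
      # more in line.
      - name: Prepare Docker environment
        uses: ./.github/actions/docker-prep
      - name: Install build dependencies
        uses: ./.github/actions/freeradius-deps
        with:
          use_docker: true
          cc: ${{ matrix.env.CC }}
      - name: Install alternative dependencies
        if: ${{ matrix.env.LIBS_ALT == 'yes' }}
        uses: ./.github/actions/freeradius-alt-deps
      - name: Build FreeRADIUS
        uses: ./.github/actions/build-freeradius
        with:
          use_sanitizers: false
          cc: ${{ matrix.env.CC }}
          test_type: ${{ matrix.env.TEST_TYPE }}
      - name: Run main CI tests
        uses: ./.github/actions/ci-tests
        if: ${{ matrix.env.TEST_TYPE == 'fixtures' }}
        with:
          use_docker: true
          sql_mysql_test_server: mariadb
          sql_postgresql_test_server: postgres
          redis_test_server: 127.0.0.1
          ldap_test_server: 127.0.0.1
          ldap_test_server_port: 3890
          ldaps_test_server_port: 6361
          ldap389_test_server: threeds
          ldap389_test_server_port: 3389
          active_directory_test_server: 127.0.0.1
          rest_test_server: 127.0.0.1
          rest_test_port: 8080
          rest_test_ssl_port: 8443
          imap_test_server: 127.0.0.1
          imap_test_server_port: 1430
          imap_test_server_ssl_port: 1432
          smtp_test_server: 127.0.0.1
          smtp_test_server_port: 2525
      - name: Run fuzzer
        uses: ./.github/actions/fuzzer
      #
      # If the CI has failed and the branch is ci-debug then we start a tmate
      # session to provide interactive shell access to the session.
      #
      # The SSH rendezvous point will be emitted continuously in the job output,
      # which will look something like:
      #
      #   SSH: ssh VfuX8SrNuU5pGPMyZcz7TpJTa@sfo2.tmate.io
      #
      # For example:
      #
      #   git push origin ci-debug --force
      #
      #   Look at the job output in: https://github.com/FreeRADIUS/freeradius-server/actions
      #
      #   ssh VfuX8SrNuU5pGPMyZcz7TpJTa@sfo2.tmate.io
      #
      # Access requires that you have the private key corresponding to the
      # public key of the GitHub user that initiated the job
      # ("limit-access-to-actor" below); the "if" keeps the step off every
      # branch other than ci-debug, so a failing run elsewhere never opens a shell.
      #
      - name: "Debug: Start tmate"
        uses: mxschmitt/action-tmate@v3
        with:
          limit-access-to-actor: true
        if: ${{ github.ref == 'refs/heads/ci-debug' && failure() }}

  ##########################################################################################
  #  FREERADIUS CORE DEVELOPERS ONLY
  ##########################################################################################
  #
  #  Direct push access to the main freeradius-server repo will be disabled in an attempt
  #  to keep CI passing reliably.
  #
  #  If the above CI checks pass then we auto-merge into the same upstream branch
  #  (only on push) if a PERSONAL_ACCESS_TOKEN secret is defined, i.e. when
  #  the actor claims to be a FreeRADIUS developer with push access.
  #
  #  Personal access tokens can be generated via the GitHub website:
  #
  #  - Click on the Profile menu (top right)
  #      > Settings
  #      > Developer settings
  #      > Personal access tokens
  #      > Generate New Token
  #  - Next, add the following settings and scopes:
  #      Note: FreeRADIUS CI Push
  #      repo (checked)
  #      workflow (checked)
  #
  #  This will allow any git operations using this PERSONAL_ACCESS_TOKEN to commit code to any
  #  public repository you have access to.
  #
  #  As this PERSONAL_ACCESS_TOKEN will only ever be accessible from GitHub actions when they are
  #  running from your fork of the FreeRADIUS repo, this shouldn't be a security issue.
  #
  #  Note that a classic token with the "repo" scope can write to every repository the
  #  account can push to, so if the fork's secrets were ever exposed the blast radius is
  #  the whole account.  Where the organisation permits them, a fine-grained token limited
  #  to the fork and the upstream repository keeps that radius to the two repositories
  #  this workflow actually touches.
  #
  #  After generating your PERSONAL_ACCESS_TOKEN you will need to add it as a secret to your
  #  repository.
  #
  #  - Copy your new token
  #  - Click on the Profile menu (top right)
  #      > Your repositories
  #  - Search for freeradius-server
  #      > Click freeradius-server
  #  - Click settings in the tabs on the left
  #  - Click secrets in the menu items on the left
  #  - Click New repository secret
  #  - Name: PERSONAL_ACCESS_TOKEN
  #    Value: <value you copied>
  #  - Click Add secret
  #
  #  You may also wish to set a different pushurl for your local repository to make integration
  #  more seamless:
  #
  #    git config remote.origin.pushurl git@github.com:<github_user>/freeradius-server.git
  #
  #  git pull will then pull from the upstream repo, whilst git push will be directed to your fork.
  #
  #
  #  Needed because secrets are not available for evaluation in if conditions
  #  at the job level, so we evaluate the existence of the PERSONAL_ACCESS_TOKEN secret
  #  within a step and export the result instead.  We also extract the short
  #  branch name here because it's convenient to do so.
  #
  merge-preflight:
    needs:
      - ci
    if: ( github.event_name == 'push' ) && ( github.repository_owner != 'FreeRADIUS' ) && ( github.ref == 'refs/heads/master' || github.ref == 'refs/heads/v3.0.x' )
    name: "Merge preflight"
    runs-on: ubuntu-latest
    steps:
      - name: "Report whether PERSONAL_ACCESS_TOKEN secret exists"
        id: merge-preflight
        # Only the presence of the secret is exported, never its value.
        run: |
          if [ -n "$PERSONAL_ACCESS_TOKEN" ]; then echo "PERSONAL_ACCESS_TOKEN_EXISTS=1" >> "$GITHUB_OUTPUT"; fi
        env:
          PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
    outputs:
      PERSONAL_ACCESS_TOKEN_EXISTS: ${{ steps.merge-preflight.outputs.PERSONAL_ACCESS_TOKEN_EXISTS }}

  merge-upstream:
    needs:
      - ci
      - merge-preflight
    if: needs.merge-preflight.outputs.PERSONAL_ACCESS_TOKEN_EXISTS == '1'
    runs-on: ubuntu-latest
    name: "Merge into upstream"
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
          lfs: false
          # Keep the checkout token out of .git/config; the step below supplies
          # its own credentials per command.
          persist-credentials: false
      # Note: This also opportunistically updates the developer's branch with commits from
      # the main repository.
      # This update may fail if the developer has pushed additional commits since the
      # workflow started. This is normal, and we ignore the failure.
      #
      # Authentication is passed as an http.extraheader on each network command rather
      # than by embedding the token in the remote URLs.  That keeps the token out of
      # .git/config (which "persist-credentials: false" above is there to protect) and
      # out of any remote/URL text that git prints on failure, and it also resolves the
      # "could not read Username for 'https://github.com'" error the default origin
      # remote produces on push, so the origin URL no longer needs rewriting.
      - name: "Merge into upstream dev branch and update local branch"
        run: |
          BRANCH=${GITHUB_REF#refs/heads/}
          git config --local user.name "github-actions[bot]"
          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
          # Same credentials git would derive from "https://user:token@github.com/...",
          # supplied as a Basic auth header for the one command instead.
          AUTH_HEADER="AUTHORIZATION: basic $(printf '%s:%s' "$USERNAME" "$REPO_KEY" | base64 -w0)"
          git_auth() { git -c "http.https://github.com/.extraheader=${AUTH_HEADER}" "$@"; }
          git remote add upstream https://github.com/FreeRADIUS/freeradius-server.git
          git_auth fetch --no-recurse-submodules upstream +refs/heads/*:refs/remotes/upstream/* +refs/tags/*:refs/tags/upstream/*
          git checkout --progress --force -B upstream-branch "refs/remotes/upstream/$BRANCH"
          git merge "$BRANCH" --ff-only
          git_auth push upstream "upstream-branch:$BRANCH"
          git_auth push origin "upstream-branch:$BRANCH" || true
        env:
          USERNAME: ${{ github.repository_owner }}
          REPO_NAME: ${{ github.repository }}
          REPO_KEY: ${{ secrets.PERSONAL_ACCESS_TOKEN }}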