diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..a98be51
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,129 @@
+name: Build
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+ workflow_dispatch:
+ schedule:
+ - cron: 0 0 * * 1
+
+jobs:
+ test:
+ name: Build and Test
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ go:
+ - '1.19'
+ - '1.20'
+
+ env:
+ DNS_HOST: ns.example.com
+ DNS_PORT: 8053
+ DNS_REALM: EXAMPLE.COM
+ DNS_USERNAME: test
+ DNS_PASSWORD: password
+ DNS_KEYTAB: ${{ github.workspace }}/testdata/test.keytab
+ KRB5_CONFIG: ${{ github.workspace }}/testdata/krb5.conf
+ KRB5_KTNAME: ${{ github.workspace }}/testdata/dns.keytab
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Set up Go
+ uses: actions/setup-go@v4
+ with:
+ go-version: ${{ matrix.go }}
+
+ #- name: golangci-lint
+ # uses: golangci/golangci-lint-action@v3
+ # if: github.event_name == 'pull_request'
+ # with:
+ # only-new-issues: true
+
+ - name: Install Kerberos client
+ run: |
+ sudo DEBIAN_FRONTEND=noninteractive apt-get install -yq libkrb5-dev krb5-user
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Build KDC image
+ uses: docker/build-push-action@v5
+ with:
+ context: "{{defaultContext}}:testdata"
+ load: true
+ tags: kdc
+ target: kdc
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+
+ - name: Build DNS image
+ uses: docker/build-push-action@v5
+ with:
+ context: "{{defaultContext}}:testdata"
+ load: true
+ tags: ns
+ target: ns
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+
+ - name: Extract keytab
+ uses: docker/build-push-action@v5
+ with:
+ context: "{{defaultContext}}:testdata"
+ outputs: type=local,dest=testdata
+ target: keytab
+
+ - name: Pull containers into Podman
+ run: |
+ podman pull docker-daemon:kdc:latest
+ podman pull docker-daemon:ns:latest
+
+ - name: Create infrastructure
+ run: |
+ podman run -d \
+ -v /etc/localtime:/etc/localtime:ro \
+ -p 127.0.0.1:8088:8088 \
+ -p 127.0.0.1:8088:8088/udp \
+ -p 127.0.0.1:8464:8464 \
+ -p 127.0.0.1:8464:8464/udp \
--name kdc kdc
+ podman run -d \
+ -v /etc/localtime:/etc/localtime:ro \
+ -p 127.0.0.1:${DNS_PORT}:${DNS_PORT} \
+ --name ns --hostname $DNS_HOST ns
+ echo 127.0.0.1 $DNS_HOST | sudo tee -a /etc/hosts
+ echo $DNS_PASSWORD | KRB5_TRACE=/dev/stdout kinit ${DNS_USERNAME}@${DNS_REALM}
+
+ - name: Test (gokrb5)
+ run: go test -v -coverprofile=gokrb5.out ./...
+
+ - name: Test (apcera)
+ run: go test -v -coverprofile=apcera.out -tags apcera ./...
+
+ - name: Build (SSPI)
+ run: go build ./...
+ env:
+ GOARCH: amd64
+ GOOS: windows
+
+ - name: Install coverage tools
+ run: |
+ go get github.com/wadey/gocovmerge
+ go get github.com/mattn/goveralls
+ env:
+ GO111MODULE: off
+
+ - name: Merge coverage reports
+ run: gocovmerge gokrb5.out apcera.out >cover.out
+
+ - name: Send coverage
+ run: goveralls -coverprofile=cover.out -service=github
+ env:
+ COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/cleanup.yml b/.github/workflows/cleanup.yml
new file mode 100644
index 0000000..cbd397c
--- /dev/null
+++ b/.github/workflows/cleanup.yml
@@ -0,0 +1,37 @@
+name: Clean up per-branch caches
+
+on:
+ pull_request:
+ types:
+ - closed
+ workflow_dispatch:
+
+jobs:
+ cleanup:
+ runs-on: ubuntu-latest
+
+ permissions:
+ actions: write
+ contents: read
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Cleanup
+ run: |
+ gh extension install actions/gh-actions-cache
+
+ BRANCH=refs/pull/${{ github.event.pull_request.number }}/merge
+
+ echo "Fetching list of cache keys"
+ keys=$(gh actions-cache list -R $GITHUB_REPOSITORY -B $BRANCH -L 100 | cut -f 1)
+
+ set +e
+ echo "Deleting caches..."
+ for key in $keys ; do
+ gh actions-cache delete $key -R $GITHUB_REPOSITORY -B $BRANCH --confirm
+ done
+ echo "Done"
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
deleted file mode 100644
index 327a50e..0000000
--- a/.github/workflows/main.yml
+++ /dev/null
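Review bot: build.yml declares no `permissions:` block, so the `test` job's GITHUB_TOKEN keeps whatever default scopes the repository grants, while cleanup.yml and pr-lint.yml in this same commit do scope their token; a top-level `permissions:` with `contents: read` would match them and looks like all the checkout plus coverage upload need (the token is only handed to goveralls as `COVERALLS_TOKEN` — confirm that upload does not need more). The "Install coverage tools" step fetches gocovmerge and goveralls with `go get` under `GO111MODULE: off`, which builds whatever the default branch of each repository holds at run time; `go install github.com/mattn/goveralls@<version>` (likewise for gocovmerge, with a version you choose) pins the tools and makes the `GO111MODULE` override unnecessary. The "Create infrastructure" step publishes `${DNS_PORT}` for TCP only, whereas the removed main.yml also published the UDP port for the name server; if any test resolves over UDP this will time out rather than fail cleanly, so either add the `/udp` mapping or leave a comment stating that the tests use TCP only. `cron: 0 0 * * 1` parses as a plain string, but quoting it (`cron: '0 0 * * 1'`) is the usual convention so YAML tooling does not trip on the `*` characters.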
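Review bot: The Cleanup step builds `BRANCH=refs/pull/${{ github.event.pull_request.number }}/merge`, but the workflow is also triggered by `workflow_dispatch`, where `github.event.pull_request` does not exist and the expression expands to nothing; the script then lists and deletes caches for `refs/pull//merge`, which silently matches no cache and prints "Done". Either drop the `workflow_dispatch` trigger, guard the step with `if: github.event_name == 'pull_request'`, or fail early with `[ -n "${{ github.event.pull_request.number }}" ] || { echo "not a pull_request event" >&2; exit 1; }`. `gh extension install actions/gh-actions-cache` pulls the latest extension release at run time into a job holding `actions: write`; pinning it (`--pin <tag>`, if the runner's gh supports that flag) or using the `gh cache list` / `gh cache delete` subcommands built into recent gh releases removes that moving part. Also, `-L 100` caps the listing, so a branch with more than 100 caches is only partially cleaned, and `$keys` is expanded unquoted in the `for` loop — harmless as long as this repository's own workflows never produce keys containing whitespace.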
@@ -1,93 +0,0 @@
----
-name: build
-on:
- push:
- tags:
- - v*
- branches:
- - main
- - master
- pull_request:
-permissions:
- contents: write
- pull-requests: read
-jobs:
- build:
- name: Build and Test
- runs-on: ubuntu-20.04
- strategy:
- fail-fast: false
- matrix:
- go:
- - '1.18'
- - '1.19'
- env:
- DNS_HOST: ns.example.com
- DNS_REALM: EXAMPLE.COM
- DNS_USERNAME: test
- DNS_PASSWORD: password
- DNS_KEYTAB: /home/runner/work/tsig/tsig/testdata/test.keytab
- KRB5_CONFIG: /home/runner/work/tsig/tsig/testdata/docker/krb5.conf
- steps:
- - name: Checkout
- uses: actions/checkout@v4
- - name: Set up Go
- uses: actions/setup-go@v4
- with:
- go-version: ${{ matrix.go }}
- - name: Create infrastructure
- run: |
- sudo DEBIAN_FRONTEND=noninteractive apt-get install -yq libkrb5-dev krb5-user
- sudo docker buildx build --target kdc --tag kdc testdata/docker/
- sudo docker buildx build --target ns --tag ns testdata/docker/
- sudo docker buildx build --target keytab --output type=local,dest=testdata/ testdata/docker/
- sudo docker run -d --tmpfs /tmp --tmpfs /run -v /sys/fs/cgroup:/sys/fs/cgroup:ro -v /etc/localtime:/etc/localtime:ro -p 127.0.0.1:88:88 -p 127.0.0.1:88:88/udp -p 127.0.0.1:464:464 -p 127.0.0.1:464:464/udp --rm --name kdc kdc
- sudo docker run -d --tmpfs /tmp --tmpfs /run -v /sys/fs/cgroup:/sys/fs/cgroup:ro -v /etc/localtime:/etc/localtime:ro -p 127.0.0.1:53:53 -p 127.0.0.1:53:53/udp --rm --name ns --hostname $DNS_HOST ns
- echo 127.0.0.1 $DNS_HOST | sudo tee -a /etc/hosts
- sudo chmod 644 $DNS_KEYTAB
- echo $DNS_PASSWORD | kinit $DNS_USERNAME@$DNS_REALM
- - name: Test (gokrb5)
- run: go test -v -coverprofile=gokrb5.out ./...
- - name: Test (apcera)
- run: go test -v -coverprofile=apcera.out -tags apcera ./...
- - name: Build (SSPI)
- run: go build ./...
- env:
- GOOS: windows
- - name: Install coverage tools
- run: |
- go get github.com/wadey/gocovmerge
- go get github.com/mattn/goveralls
- env:
- GO111MODULE: off
- - name: Merge coverage reports
- run: gocovmerge gokrb5.out apcera.out >cover.out
- - name: Send coverage
- uses: shogo82148/actions-goveralls@v1
- with:
- path-to-profile: cover.out
- flag-name: Go-${{ matrix.go }}
- parallel: true
- finish:
- needs: build
- runs-on: ubuntu-latest
- steps:
- - uses: shogo82148/actions-goveralls@v1
- with:
- parallel-finished: true
- - name: Checkout
- uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - name: Set up Go
- uses: actions/setup-go@v4
- with:
- go-version: '1.19'
- - name: Run GoReleaser
- uses: goreleaser/goreleaser-action@v5.0.0
- if: startsWith(github.ref, 'refs/tags/')
- with:
- version: latest
- args: release --rm-dist
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/pr-lint.yml b/.github/workflows/pr-lint.yml
new file mode 100644
index 0000000..d6bc667
--- /dev/null
+++ b/.github/workflows/pr-lint.yml
@@ -0,0 +1,43 @@
+name: Lint pull request
+
+on:
+ pull_request:
+ types:
+ - opened
+ - edited
+ - synchronize
+
+jobs:
+ main:
+ name: Validate PR title
+ runs-on: ubuntu-latest
+
+ permissions:
+ pull-requests: write
+
+ steps:
+ - uses: amannn/action-semantic-pull-request@v5
+ id: lint_pr_title
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - uses: marocchino/sticky-pull-request-comment@v2
+ if: always() && steps.lint_pr_title.outputs.error_message != null
+ with:
+ header: pr-title-lint-error
+ message: |
+ Hey there and thank you for opening this pull request! 👋🏼
+
+ We require pull request titles to follow the [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/) and it looks like your proposed title needs to be adjusted.
+
+ Details:
+
+ ```
+ ${{ steps.lint_pr_title.outputs.error_message }}
+ ```
+
+ - uses: marocchino/sticky-pull-request-comment@v2
+ if: steps.lint_pr_title.outputs.error_message == null
+ with:
+ header: pr-title-lint-error
+ delete: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..b835e88
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,17 @@
+name: Track releases
+
+on:
+ push:
+ branches:
+ - main
+
+jobs:
+ release-please:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Run release-please
+ uses: google-github-actions/release-please-action@v3
+ with:
+ command: manifest
+ token: ${{ secrets.RELEASE_TOKEN }}
diff --git a/.goreleaser.yml b/.goreleaser.yml
deleted file mode 100644
index 3241acf..0000000
--- a/.goreleaser.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-before:
- hooks:
- - go mod tidy
-builds:
- - skip: true
-release:
- prerelease: auto
-changelog:
- use: github-native
diff --git a/.release-please-manifest.json b/.release-please-manifest.json
new file mode 100644
index 0000000..f6a9e15
--- /dev/null
+++ b/.release-please-manifest.json
@@ -0,0 +1,3 @@
+{
+ ".": "1.2.2"
+}
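Review bot: The job requests `pull-requests: write` under a plain `pull_request` trigger, but for pull requests opened from forks the GITHUB_TOKEN is read-only regardless of the `permissions:` block, so both sticky-pull-request-comment steps will fail with a 403 on exactly the external contributions the comment is written for. As far as I recall from that action's own documentation the expected trigger is `pull_request_target`, which is acceptable here only because the job never checks out or executes PR code — worth a comment on the `on:` block either way, e.g. `# pull_request_target would be needed to comment on fork PRs; never add a checkout step under that trigger`, so nobody later adds one. The two third-party actions are pinned by major tag (`@v5`, `@v2`) while holding a write-capable token; pinning to a full commit SHA with the tag in a trailing comment bounds what a moved tag can do.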
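Review bot: The `release-please` job sets no `permissions:` block, so its GITHUB_TOKEN keeps the repository default scopes even though the action is handed `secrets.RELEASE_TOKEN` and does not appear to use GITHUB_TOKEN at all; adding `permissions: {}` (or `contents: read`) to the job, as cleanup.yml in this commit does, removes unused privilege. The action is pinned to `@v3` only while receiving a personal token that release-please uses to open release PRs and create tags; a commit-SHA pin is the safer choice for an action given that kind of credential. If RELEASE_TOKEN is not configured the expression expands to an empty string and the failure mode is whatever the action does with an empty token, so a comment above `token:` naming the secret and the scopes it needs would help whoever sets the repository up.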
diff --git a/README.md b/README.md
index 3e7d699..5e2807e 100644
--- a/README.md
+++ b/README.md
@@ -3,8 +3,8 @@
 [![Coverage Status](https://coveralls.io/repos/github/bodgit/tsig/badge.svg?branch=master)](https://coveralls.io/github/bodgit/tsig?branch=master)
 [![Go Report Card](https://goreportcard.com/badge/github.com/bodgit/tsig)](https://goreportcard.com/report/github.com/bodgit/tsig)
 [![GoDoc](https://godoc.org/github.com/bodgit/tsig?status.svg)](https://godoc.org/github.com/bodgit/tsig)
+![Go version](https://img.shields.io/badge/Go-1.20-brightgreen.svg)
 ![Go version](https://img.shields.io/badge/Go-1.19-brightgreen.svg)
-![Go version](https://img.shields.io/badge/Go-1.18-brightgreen.svg)
 # Additional TSIG methods
diff --git a/release-please-config.json b/release-please-config.json
new file mode 100644
index 0000000..cb96721
--- /dev/null
+++ b/release-please-config.json
@@ -0,0 +1,6 @@
+{
+ "packages": {
+ ".": {}
+ },
+ "release-type": "go"
+}
diff --git a/testdata/docker/Dockerfile b/testdata/Dockerfile
similarity index 78%
rename from testdata/docker/Dockerfile
rename to testdata/Dockerfile
index 796b9af..efbb7fd 100644
--- a/testdata/docker/Dockerfile
+++ b/testdata/Dockerfile
@@ -1,9 +1,7 @@
-FROM centos/systemd:latest as kdc
+FROM rockylinux/rockylinux:9-ubi-init as kdc
-EXPOSE 88
-EXPOSE 464
-
-STOPSIGNAL SIGRTMIN+3
+EXPOSE 8088
+EXPOSE 8464
 RUN yum install -y krb5-workstation && yum update -y && yum clean all
 COPY --chown=root:root krb5.conf /etc/krb5.conf
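Review bot: `EXPOSE 8088` and `EXPOSE 8464` name TCP only, but kdc.conf in this commit lists 8088 under `kdc_ports` (the KDC's UDP listener list; `kdc_tcp_ports` is the TCP one) and build.yml publishes both `8088/udp` and `8464/udp`, so `EXPOSE 8088/tcp 8088/udp` and `EXPOSE 8464/tcp 8464/udp` would describe the image accurately (EXPOSE is metadata only, so nothing changes at run time). The base image `rockylinux/rockylinux:9-ubi-init` is pinned by tag and the next line runs `yum update -y` at build time, so two builds of the same Dockerfile can differ; a `@sha256:<digest>` on the FROM line gives a reproducible fixture if that matters for this test setup. The `STOPSIGNAL SIGRTMIN+3` line is dropped along with the centos/systemd base — presumably the `-init` image carries that metadata itself; confirm, otherwise `podman stop` will send SIGTERM to systemd and wait for the timeout.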
@@ -21,21 +19,19 @@ RUN kdb5_util create -s -r EXAMPLE.COM -P $(echo ${RANDOM}${RANDOM}${RANDOM} | m
 RUN kadmin.local addprinc -pw password test
 RUN kadmin.local ktadd -norandkey -k /etc/test.keytab test
 RUN kadmin.local addprinc -randkey DNS/ns.example.com
-RUN kadmin.local ktadd -k /etc/named.keytab DNS/ns.example.com
-
-FROM centos/systemd:latest as ns
+RUN kadmin.local ktadd -k /etc/dns.keytab DNS/ns.example.com
-EXPOSE 53
+FROM rockylinux/rockylinux:9-ubi-init as ns
-STOPSIGNAL SIGRTMIN+3
+EXPOSE 8053
 RUN yum install -y krb5-workstation && yum update -y && yum clean all
 COPY --chown=root:root krb5.conf /etc/krb5.conf
 RUN chmod 644 /etc/krb5.conf
 RUN yum install -y bind bind-utils && yum clean all
-COPY --from=kdc --chown=root:named /etc/named.keytab /etc/named.keytab
-RUN chmod 640 /etc/named.keytab
+COPY --from=kdc --chown=root:named /etc/dns.keytab /etc/dns.keytab
+RUN chmod 640 /etc/dns.keytab
 RUN systemctl enable named.service
@@ -46,3 +42,4 @@ RUN chmod 644 /var/named/dynamic/db.*
 FROM scratch as keytab
 COPY --from=kdc /etc/test.keytab /test.keytab
+COPY --from=kdc /etc/dns.keytab /dns.keytab
diff --git a/testdata/docker/db.10.168.192.in-addr.arpa b/testdata/db.10.168.192.in-addr.arpa
similarity index 100%
rename from testdata/docker/db.10.168.192.in-addr.arpa
rename to testdata/db.10.168.192.in-addr.arpa
diff --git a/testdata/docker/db.example.com b/testdata/db.example.com
similarity index 100%
rename from testdata/docker/db.example.com
rename to testdata/db.example.com
diff --git a/testdata/docker/kadm5.acl b/testdata/kadm5.acl
similarity index 100%
rename from testdata/docker/kadm5.acl
rename to testdata/kadm5.acl
diff --git a/testdata/docker/kdc.conf b/testdata/kdc.conf
similarity index 83%
rename from testdata/docker/kdc.conf
rename to testdata/kdc.conf
index e99219a..7998c9a 100644
--- a/testdata/docker/kdc.conf
+++ b/testdata/kdc.conf
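Review bot: The `keytab` stage now also exports the `DNS/ns.example.com` service keytab, and build.yml's "Extract keytab" step writes that stage into `testdata/` on the runner with `KRB5_KTNAME` pointing at it, so the same key material `named` uses for GSS-TSIG sits in the checkout as a plain file alongside `test.keytab`. That is fine for a throwaway fixture — the hunk header shows the realm being created with a random master password on every image build — but a `.gitignore` entry for `testdata/*.keytab` (outside this diff; add it if not already present) keeps either file from being committed by accident. A one-line comment above the new COPY, e.g. `# dns.keytab: service key for DNS/ns.example.com, consumed via KRB5_KTNAME in CI`, would also make clear why two keytabs leave the image; the `-k /etc/dns.keytab` rename in the earlier hunk and the `tkey-gssapi-keytab` change in named.conf are consistent with it.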
@@ -1,6 +1,8 @@
 [kdcdefaults]
- kdc_ports = 88
- kdc_tcp_ports = 88
+ kadmind_port = 8749
+ kdc_ports = 8088
+ kdc_tcp_ports = 8088
+ kpasswd_port = 8464
 [realms]
 EXAMPLE.COM = {
diff --git a/testdata/docker/krb5.conf b/testdata/krb5.conf
similarity index 89%
rename from testdata/docker/krb5.conf
rename to testdata/krb5.conf
index ac7c75f..3d9834d 100644
--- a/testdata/docker/krb5.conf
+++ b/testdata/krb5.conf
@@ -16,8 +16,8 @@
 [realms]
 EXAMPLE.COM = {
- kdc = 127.0.0.1:88
- admin_server = 127.0.0.1:749
+ kdc = 127.0.0.1:8088
+ admin_server = 127.0.0.1:8749
 }
 [domain_realm]
diff --git a/testdata/docker/named.conf b/testdata/named.conf
similarity index 96%
rename from testdata/docker/named.conf
rename to testdata/named.conf
index edbacf8..f5ee0f3 100644
--- a/testdata/docker/named.conf
+++ b/testdata/named.conf
@@ -10,7 +10,7 @@
 // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
 options {
- // listen-on port 53 { 127.0.0.1; };
+ listen-on port 8053 { 0.0.0.0/0; };
 // listen-on-v6 port 53 { ::1; };
 directory "/var/named";
 dump-file "/var/named/data/cache_dump.db";
@@ -43,7 +43,7 @@ options {
 pid-file "/run/named/named.pid";
 session-keyfile "/run/named/session.key";
- tkey-gssapi-keytab "/etc/named.keytab";
+ tkey-gssapi-keytab "/etc/dns.keytab";
 };
 logging {
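Review bot: `kpasswd_port = 8464` moves the password-change listener off 464 and build.yml publishes 8464 for it, but the krb5.conf hunk in this commit only updates `kdc` and `admin_server`; as far as I recall, MIT clients without an explicit `kpasswd_server` derive it from the `admin_server` host on port 464, so a client-side password change would still go to 127.0.0.1:464. If any test exercises kpasswd/changepw, add `kpasswd_server = 127.0.0.1:8464` to the `[realms]` entry in krb5.conf; if none does, the 8464 port mappings in build.yml are dead weight and a comment on this line saying so would save the next reader the question. A short header comment such as `# all ports moved above 1024 so the KDC can be published unprivileged from the container` would also explain the 8088/8464/8749 choice, which is otherwise only recoverable from the workflow.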
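Review bot: `listen-on port 8053 { 0.0.0.0/0; };` makes named answer on every IPv4 address inside the container, which the published-port setup presumably needs (queries arrive on the container's own address, not loopback), but the line replaces a commented-out loopback-only default without saying why; a comment such as `// all container addresses: the CI workflow binds the published port to 127.0.0.1 on the host` keeps a later reader from "tightening" it back to 127.0.0.1 and breaking the tests. `any` is the conventional spelling of the same address match list in named.conf and reads more clearly than `0.0.0.0/0`. `listen-on-v6` stays commented out, so IPv6 queries are not served — fine if the tests only use 127.0.0.1, and worth stating in the same comment.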