mirror of
https://github.com/samba-team/samba.git
synced 2025-01-03 01:18:10 +03:00
b896da351c
This is the version we test with in CI after the image update in the next commit. This addresses the issues that were fixed in CVE-2022-37967 (KrbtgtFullPacSignature) and ensures that Samba builds against the MIT version that allows us to avoid that attack. The hooks to allow these expectations to be disabled in the tests are kept for now, to allow this to be reverted or to test older servers. With MIT 1.21 as the new test standard for the MIT KDC build we update the knownfail_mit_kdc - this was required regadless after the CI image update. Any update to the CI image, even an unrelated one, brings in a new MIT Krb5, version 1.21-3 in this case. This has new behaviour that needs to be noted in the knownfail files or else the tests, which haven't changed, will fail and pipelines won't pass. (The image generated by the earlier bootstrap commit brought in krb5-1.21-2 which was buggy with CVE-2023-39975) Further tweaks to tests or the server should reduce the number of knownfail entries, but this keeps the pipelines passing for now. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15231 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
399 lines
17 KiB
Python
399 lines
17 KiB
Python
#!/usr/bin/env python
|
|
# vim: expandtab ft=python
|
|
|
|
# selftest main code.
|
|
|
|
import sys
|
|
import os
|
|
import optparse
|
|
from waflib import Scripting, Options, Utils
|
|
from waflib.ConfigSet import ConfigSet as Environment
|
|
|
|
from samba_utils import *
|
|
from samba_autoconf import *
|
|
import types
|
|
|
|
DEFAULT_SELFTEST_PREFIX="./st"
|
|
|
|
def options(opt):
|
|
|
|
opt.add_option('--enable-selftest',
|
|
help=("enable options necessary for selftest (default=no)"),
|
|
action="store_true", dest='enable_selftest', default=False)
|
|
opt.add_option('--with-selftest-prefix',
|
|
help=("specify location of selftest directory "
|
|
"(default=%s)" % DEFAULT_SELFTEST_PREFIX),
|
|
action="store", dest='SELFTEST_PREFIX', default=DEFAULT_SELFTEST_PREFIX)
|
|
|
|
opt.ADD_COMMAND('test', cmd_test)
|
|
opt.ADD_COMMAND('testonly', cmd_testonly)
|
|
|
|
gr = opt.add_option_group('test options')
|
|
|
|
gr.add_option('--load-list',
|
|
help=("Load a test id list from a text file"),
|
|
action="store", dest='LOAD_LIST', default=None)
|
|
gr.add_option('--list',
|
|
help=("List available tests"),
|
|
action="store_true", dest='LIST', default=False)
|
|
gr.add_option('--tests',
|
|
help=("wildcard pattern of tests to run"),
|
|
action="store", dest='TESTS', default='')
|
|
gr.add_option('--filtered-subunit',
|
|
help=("output (xfail) filtered subunit"),
|
|
action="store_true", dest='FILTERED_SUBUNIT', default=False)
|
|
gr.add_option('--quick',
|
|
help=("enable only quick tests"),
|
|
action="store_true", dest='QUICKTEST', default=False)
|
|
gr.add_option('--slow',
|
|
help=("enable the really slow tests"),
|
|
action="store_true", dest='SLOWTEST', default=False)
|
|
gr.add_option('--nb-slowest',
|
|
help=("Show the n slowest tests (default=10)"),
|
|
type=int, default=10, dest='NB_SLOWEST')
|
|
gr.add_option('--testenv',
|
|
help=("start a terminal with the test environment setup"),
|
|
action="store_true", dest='TESTENV', default=False)
|
|
gr.add_option('--valgrind',
|
|
help=("use valgrind on client programs in the tests"),
|
|
action="store_true", dest='VALGRIND', default=False)
|
|
gr.add_option('--valgrind-log',
|
|
help=("where to put the valgrind log"),
|
|
action="store", dest='VALGRINDLOG', default=None)
|
|
gr.add_option('--valgrind-server',
|
|
help=("use valgrind on the server in the tests (opens an xterm)"),
|
|
action="store_true", dest='VALGRIND_SERVER', default=False)
|
|
gr.add_option('--screen',
|
|
help=("run the samba servers in screen sessions"),
|
|
action="store_true", dest='SCREEN', default=False)
|
|
gr.add_option('--gdbtest',
|
|
help=("run the servers within a gdb window"),
|
|
action="store_true", dest='GDBTEST', default=False)
|
|
gr.add_option('--fail-immediately',
|
|
help=("stop tests on first failure"),
|
|
action="store_true", dest='FAIL_IMMEDIATELY', default=False)
|
|
gr.add_option('--socket-wrapper-pcap',
|
|
help=("create a pcap file for each failing test"),
|
|
action="store_true", dest='SOCKET_WRAPPER_PCAP', default=False)
|
|
gr.add_option('--socket-wrapper-keep-pcap',
|
|
help=("create a pcap file for all individual test"),
|
|
action="store_true", dest='SOCKET_WRAPPER_KEEP_PCAP', default=False)
|
|
gr.add_option('--random-order', dest='RANDOM_ORDER', default=False,
|
|
action="store_true", help="Run testsuites in random order")
|
|
gr.add_option('--perf-test', dest='PERF_TEST', default=False,
|
|
action="store_true", help="run performance tests only")
|
|
gr.add_option('--test-list', dest='TEST_LIST', default='',
|
|
help=("use tests listed here, not defaults "
|
|
"(--test-list='FOO|' will execute FOO; "
|
|
"--test-list='FOO' will read it)"))
|
|
gr.add_option('--no-subunit-filter',
|
|
help=("no (xfail) subunit filtering"),
|
|
action="store_true", dest='NO_SUBUNIT_FILTER', default=False)
|
|
|
|
|
|
def configure(conf):
|
|
conf.env.SELFTEST_PREFIX = Options.options.SELFTEST_PREFIX
|
|
if Options.options.enable_selftest or Options.options.developer:
|
|
conf.DEFINE('ENABLE_SELFTEST', 1)
|
|
|
|
|
|
def cmd_testonly(opt):
|
|
'''run tests without doing a build first'''
|
|
env = LOAD_ENVIRONMENT()
|
|
opt.env = env
|
|
|
|
if Options.options.SELFTEST_PREFIX != DEFAULT_SELFTEST_PREFIX:
|
|
env.SELFTEST_PREFIX = Options.options.SELFTEST_PREFIX
|
|
|
|
if (not CONFIG_SET(opt, 'NSS_WRAPPER') or
|
|
not CONFIG_SET(opt, 'UID_WRAPPER') or
|
|
not CONFIG_SET(opt, 'SOCKET_WRAPPER')):
|
|
print("ERROR: You must use --enable-selftest to enable selftest")
|
|
sys.exit(1)
|
|
|
|
os.environ['SAMBA_SELFTEST'] = '1'
|
|
|
|
env.TESTS = Options.options.TESTS
|
|
|
|
env.SUBUNIT_FORMATTER = os.getenv('SUBUNIT_FORMATTER')
|
|
|
|
# Lots of test scripts need to run with the correct version
|
|
# of python. With the correct shebang the script should run with the
|
|
# correct version, the problem is that not all scripts are part
|
|
# of the installation, some scripts are part of the source code,
|
|
# and the shebang is not dynamically generated as yet.
|
|
# It is safer if we are somewhat version neutral at the moment and
|
|
# ignore the shebang and always run scripts from the test environment
|
|
# with the python version (determined by PYTHON env variable) If this
|
|
# env variable isn't set then set it according to the python version
|
|
# that is running the tests
|
|
if not os.getenv('PYTHON', None):
|
|
from sys import executable as exe
|
|
os.environ['PYTHON'] = os.path.basename(exe)
|
|
|
|
if not env.SUBUNIT_FORMATTER:
|
|
if Options.options.PERF_TEST:
|
|
env.SUBUNIT_FORMATTER = '${PYTHON} -u ${srcdir}/selftest/format-subunit-json --prefix=${SELFTEST_PREFIX}'
|
|
else:
|
|
env.SUBUNIT_FORMATTER = '${PYTHON} -u ${srcdir}/selftest/format-subunit --prefix=${SELFTEST_PREFIX} --immediate'
|
|
env.FILTER_XFAIL = ('${PYTHON} -u ${srcdir}/selftest/filter-subunit '
|
|
'--expected-failures=${srcdir}/selftest/knownfail '
|
|
'--expected-failures=${srcdir}/selftest/knownfail.d '
|
|
'--flapping=${srcdir}/selftest/flapping '
|
|
'--flapping=${srcdir}/selftest/flapping.d')
|
|
|
|
if Options.options.FAIL_IMMEDIATELY:
|
|
env.FILTER_XFAIL += ' --fail-immediately'
|
|
|
|
env.FORMAT_TEST_OUTPUT = '${SUBUNIT_FORMATTER}'
|
|
|
|
# clean any previous temporary files
|
|
os.system("rm -rf %s/tmp" % env.SELFTEST_PREFIX);
|
|
|
|
# put all command line options in the environment as TESTENV_*=*
|
|
for o in dir(Options.options):
|
|
if o[0:1] != '_':
|
|
val = getattr(Options.options, o, '')
|
|
if not issubclass(type(val), types.FunctionType) \
|
|
and not issubclass(type(val), types.MethodType):
|
|
os.environ['TESTENV_%s' % o.upper()] = str(getattr(Options.options, o, ''))
|
|
|
|
env.OPTIONS = ''
|
|
if not Options.options.SLOWTEST:
|
|
env.OPTIONS += ' --exclude=${srcdir}/selftest/slow'
|
|
if Options.options.QUICKTEST:
|
|
env.OPTIONS += ' --quick --include=${srcdir}/selftest/quick'
|
|
if Options.options.LOAD_LIST:
|
|
env.OPTIONS += ' --load-list=%s' % Options.options.LOAD_LIST
|
|
if Options.options.TESTENV:
|
|
env.OPTIONS += ' --testenv'
|
|
if Options.options.SOCKET_WRAPPER_PCAP:
|
|
env.OPTIONS += ' --socket-wrapper-pcap'
|
|
if Options.options.SOCKET_WRAPPER_KEEP_PCAP:
|
|
env.OPTIONS += ' --socket-wrapper-keep-pcap'
|
|
if Options.options.RANDOM_ORDER:
|
|
env.OPTIONS += ' --random-order'
|
|
if Options.options.PERF_TEST:
|
|
env.FILTER_OPTIONS = ('${PYTHON} -u ${srcdir}/selftest/filter-subunit '
|
|
'--perf-test-output')
|
|
else:
|
|
env.FILTER_OPTIONS = '${FILTER_XFAIL}'
|
|
|
|
if Options.options.VALGRIND:
|
|
os.environ['VALGRIND'] = 'valgrind -q --num-callers=30'
|
|
if Options.options.VALGRINDLOG is not None:
|
|
os.environ['VALGRIND'] += ' --log-file=%s' % Options.options.VALGRINDLOG
|
|
|
|
server_wrapper=''
|
|
|
|
if Options.options.VALGRIND_SERVER:
|
|
server_wrapper = '${srcdir}/selftest/valgrind_run _DUMMY=X'
|
|
elif Options.options.GDBTEST:
|
|
server_wrapper = '${srcdir}/selftest/gdb_run _DUMMY=X'
|
|
|
|
if Options.options.SCREEN:
|
|
server_wrapper = '${srcdir}/selftest/in_screen %s' % server_wrapper
|
|
os.environ['TERMINAL'] = EXPAND_VARIABLES(opt, '${srcdir}/selftest/in_screen')
|
|
elif server_wrapper != '':
|
|
server_wrapper = 'xterm -n server -l -e %s' % server_wrapper
|
|
|
|
if server_wrapper != '':
|
|
os.environ['SAMBA_VALGRIND'] = EXPAND_VARIABLES(opt, server_wrapper)
|
|
os.environ['NMBD_VALGRIND'] = EXPAND_VARIABLES(opt, server_wrapper)
|
|
os.environ['WINBINDD_VALGRIND'] = EXPAND_VARIABLES(opt, server_wrapper)
|
|
os.environ['SMBD_VALGRIND'] = EXPAND_VARIABLES(opt, server_wrapper)
|
|
os.environ['SAMBA_DCERPCD_VALGRIND'] = EXPAND_VARIABLES(opt, server_wrapper)
|
|
|
|
# this is needed for systems without rpath, or with rpath disabled
|
|
ADD_LD_LIBRARY_PATH('bin/shared')
|
|
ADD_LD_LIBRARY_PATH('bin/shared/private')
|
|
|
|
# if we are using a system version of ldb then we need to tell it to
|
|
# load modules from our modules path
|
|
if env.USING_SYSTEM_LDB:
|
|
os.environ['LDB_MODULES_PATH'] = os.path.abspath(
|
|
os.path.join(*(env.cwd + ['bin/modules/ldb'])))
|
|
|
|
# tell build system where to find config.h
|
|
os.environ['CONFIG_H'] = 'bin/default/include/config.h'
|
|
|
|
# tell the test system where perl is
|
|
if isinstance(env.PERL, list):
|
|
perl = ' '.join(env.PERL)
|
|
else:
|
|
perl = env.PERL
|
|
os.environ['PERL'] = perl
|
|
|
|
st_done = os.path.join(env.SELFTEST_PREFIX, 'st_done')
|
|
if os.path.exists(st_done):
|
|
os.unlink(st_done)
|
|
|
|
if not os.path.isdir(env.SELFTEST_PREFIX):
|
|
os.makedirs(env.SELFTEST_PREFIX, int('755', 8))
|
|
|
|
if Options.options.TEST_LIST:
|
|
env.TESTLISTS = '--testlist=%r' % Options.options.TEST_LIST
|
|
elif Options.options.PERF_TEST:
|
|
env.TESTLISTS = '--testlist="${PYTHON} ${srcdir}/selftest/perf_tests.py|" '
|
|
else:
|
|
env.TESTLISTS = ('--testlist="${PYTHON} ${srcdir}/selftest/tests.py|" ' +
|
|
'--testlist="${PYTHON} ${srcdir}/source3/selftest/tests.py|" ' +
|
|
'--testlist="${PYTHON} ${srcdir}/source4/selftest/tests.py|"')
|
|
|
|
if CONFIG_SET(opt, 'AD_DC_BUILD_IS_ENABLED'):
|
|
env.SELFTEST_TARGET = "samba"
|
|
else:
|
|
env.SELFTEST_TARGET = "samba3"
|
|
|
|
env.OPTIONS += " --nss_wrapper_so_path=" + CONFIG_GET(opt, 'LIBNSS_WRAPPER_SO_PATH')
|
|
env.OPTIONS += " --resolv_wrapper_so_path=" + CONFIG_GET(opt, 'LIBRESOLV_WRAPPER_SO_PATH')
|
|
env.OPTIONS += " --uid_wrapper_so_path=" + CONFIG_GET(opt, 'LIBUID_WRAPPER_SO_PATH')
|
|
|
|
# selftest can optionally use kernel namespaces instead of socket-wrapper
|
|
if os.environ.get('USE_NAMESPACES') is None:
|
|
env.OPTIONS += " --socket_wrapper_so_path=" + CONFIG_GET(opt, 'LIBSOCKET_WRAPPER_SO_PATH')
|
|
|
|
if not CONFIG_SET(opt, 'HAVE_RESOLV_CONF_SUPPORT'):
|
|
env.OPTIONS += " --use-dns-faking"
|
|
|
|
if CONFIG_GET(opt, 'USING_SYSTEM_KRB5'):
|
|
env.OPTIONS += " --mitkrb5"
|
|
|
|
if CONFIG_GET(opt, 'USING_SYSTEM_KRB5') and CONFIG_GET(opt, 'MIT_KDC_PATH'):
|
|
env.OPTIONS += " --exclude=${srcdir}/selftest/skip_mit_kdc"
|
|
env.FILTER_XFAIL += " --expected-failures=${srcdir}/selftest/"\
|
|
"knownfail_mit_kdc"
|
|
|
|
env.FILTER_XFAIL += ' --expected-failures=${srcdir}/selftest/knownfail_mit_kdc_1_20'
|
|
else:
|
|
env.FILTER_XFAIL += " --expected-failures=${srcdir}/selftest/"\
|
|
"knownfail_heimdal_kdc"
|
|
|
|
if CONFIG_GET(opt, 'SIZEOF_VOID_P') == 4:
|
|
env.FILTER_XFAIL += " --expected-failures=${srcdir}/selftest/knownfail-32bit"
|
|
env.OPTIONS += " --default-ldb-backend=tdb --exclude=${srcdir}/selftest/skip-32bit"
|
|
|
|
if not CONFIG_GET(opt, 'HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X'):
|
|
# older MIT krb5 libraries (< 1.14) don't have
|
|
# GSS_KRB5_CRED_NO_CI_FLAGS_X
|
|
env.OPTIONS += " --exclude=${srcdir}/selftest/skip.no-GSS_KRB5_CRED_NO_CI_FLAGS_X"
|
|
|
|
if os.environ.get('DISABLE_OPATH'):
|
|
env.OPTIONS += " --exclude=${srcdir}/selftest/skip.opath-required"
|
|
|
|
libasan = None
|
|
if env.ADDRESS_SANITIZER:
|
|
# We try to find the correct libasan automatically
|
|
libasan = Utils.cmd_output(
|
|
r'ldd bin/texpect | grep libasan| cut -f 3 -d \ ',
|
|
silent=True).strip()
|
|
libasan = libasan.decode('utf8')
|
|
|
|
# Have the selftest.pl LD_PRELOAD libasan in the right spot
|
|
env.OPTIONS += " --asan_so_path=" + libasan
|
|
|
|
if CONFIG_SET(opt, 'HAVE_CRYPT_R'):
|
|
# We try to find the correct libcrypt automatically
|
|
libcrypt = Utils.cmd_output(
|
|
'ldd bin/modules/ldb/password_hash.so | awk \'/libcrypt.so/ { print $3 }\'',
|
|
silent=True).strip()
|
|
libcrypt = libcrypt.decode('utf8')
|
|
env.OPTIONS += " --crypt_so_path=" + libcrypt
|
|
|
|
subunit_cache = None
|
|
# We use the full path rather than relative path to avoid problems on some platforms (ie. solaris 8).
|
|
env.CORE_COMMAND = '${PERL} ${srcdir}/selftest/selftest.pl --target=${SELFTEST_TARGET} --prefix=${SELFTEST_PREFIX} --srcdir=${srcdir} --exclude=${srcdir}/selftest/skip ${TESTLISTS} ${OPTIONS} ${TESTS}'
|
|
|
|
# If using namespaces (rather than socket-wrapper), run the selftest script
|
|
# in its own network namespace (by doing an 'unshare'). (To create a new
|
|
# namespace as a non-root user, we have to also unshare the current user
|
|
# namespace, and remap ourself as root in the namespace created)
|
|
if os.environ.get('USE_NAMESPACES') is not None:
|
|
env.CORE_COMMAND = 'unshare --net --user --map-root-user ' + env.CORE_COMMAND
|
|
|
|
if env.ADDRESS_SANITIZER and libasan:
|
|
# For now we cannot run with leak and odr detection
|
|
asan_options = "ASAN_OPTIONS=detect_leaks=0"
|
|
asan_options += ":detect_odr_violation=0"
|
|
# uncomment if you need asan logs
|
|
# asan_options += ":verbosity=111"
|
|
asan_options += ":suppressions=${srcdir}/selftest/sanitizer/asan.supp"
|
|
asan_options += " "
|
|
|
|
# And we need to disable RTLD_DEEPBIND in ldb and socket wrapper
|
|
no_leak_check = "LDB_MODULES_DISABLE_DEEPBIND=1 "
|
|
no_leak_check += "SOCKET_WRAPPER_DISABLE_DEEP_BIND=1"
|
|
no_leak_check += " "
|
|
env.CORE_COMMAND = asan_options + no_leak_check + env.CORE_COMMAND
|
|
|
|
# We need to have the subunit filter and formatter preload
|
|
# libasan otherwise the tests fail at startup.
|
|
#
|
|
# Also, we do not care about leaks in python
|
|
|
|
asan_envs = (asan_options + no_leak_check + "LD_PRELOAD=" + libasan
|
|
+ ' ')
|
|
env.FILTER_OPTIONS = asan_envs + env.FILTER_OPTIONS
|
|
env.SUBUNIT_FORMATTER = asan_envs + env.SUBUNIT_FORMATTER
|
|
|
|
if env.UNDEFINED_SANITIZER:
|
|
# print a stack trace with the error.
|
|
print_stack_trace = "UBSAN_OPTIONS=print_stacktrace=1"
|
|
print_stack_trace += ",suppressions=${srcdir}/selftest/ubsan.supp"
|
|
env.CORE_COMMAND = print_stack_trace + " " + env.CORE_COMMAND
|
|
|
|
if Options.options.LIST:
|
|
cmd = '${CORE_COMMAND} --list'
|
|
else:
|
|
env.OPTIONS += ' --socket-wrapper'
|
|
cmd = '(${CORE_COMMAND} && touch ${SELFTEST_PREFIX}/st_done) | ${FILTER_OPTIONS}'
|
|
|
|
if Options.options.NO_SUBUNIT_FILTER:
|
|
# Skip subunit filtering (i.e. because python is disabled).
|
|
# Use --one to bail out upon any failure
|
|
cmd = '(${CORE_COMMAND} --one && touch ${SELFTEST_PREFIX}/st_done)'
|
|
elif not Options.options.FILTERED_SUBUNIT:
|
|
subunit_cache = os.path.join(env.SELFTEST_PREFIX, "subunit")
|
|
cmd += ' | tee %s | ${FORMAT_TEST_OUTPUT}' % subunit_cache
|
|
else:
|
|
cmd += ' | ${FILTER_OPTIONS}'
|
|
|
|
runcmd = EXPAND_VARIABLES(opt, cmd)
|
|
|
|
print("test: running %s" % runcmd)
|
|
ret = RUN_COMMAND(cmd, env=env)
|
|
|
|
if (os.path.exists(".testrepository") and
|
|
not Options.options.LIST and
|
|
not Options.options.LOAD_LIST and
|
|
subunit_cache is not None):
|
|
testrcmd = 'testr load -q < %s > /dev/null' % subunit_cache
|
|
runcmd = EXPAND_VARIABLES(opt, testrcmd)
|
|
RUN_COMMAND(runcmd, env=env)
|
|
|
|
if subunit_cache is not None:
|
|
nb = Options.options.NB_SLOWEST
|
|
cmd = "./script/show_testsuite_time %s %d" % (subunit_cache, nb)
|
|
runcmd = EXPAND_VARIABLES(opt, cmd)
|
|
RUN_COMMAND(runcmd, env=env)
|
|
|
|
if ret != 0:
|
|
print("ERROR: test failed with exit code %d" % ret)
|
|
sys.exit(ret)
|
|
|
|
if not Options.options.LIST and not os.path.exists(st_done):
|
|
print("ERROR: test command failed to complete")
|
|
sys.exit(1)
|
|
|
|
|
|
########################################################################
|
|
# main test entry point
|
|
def cmd_test(opt):
|
|
'''Run the test suite (see test options below)'''
|
|
|
|
# if running all tests, then force a symbol check
|
|
env = LOAD_ENVIRONMENT()
|
|
CHECK_MAKEFLAGS(env)
|
|
Options.commands.append('build')
|
|
Options.commands.append('testonly')
|