Merge authd-oidc-brokers repo

.github/dependabot.yml

@@ -20,7 +20,7 @@ updates:
     commit-message:
       prefix: "deps(ci)"
 
-  # Codebase
+  # authd codebase
   ## Go dependencies
   - package-ecosystem: "gomod"
     directory: "/" # Location of package manifests
@@ -61,3 +61,40 @@ updates:
         update-types: ["minor", "patch"]
     commit-message:
       prefix: "deps(rust)"
+
+  ## git submodules
+  - package-ecosystem: "gitsubmodule"
+    directory: "/" # Directory containing .gitmodules
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "deps(submodule)"
+
+  # authd-oidc-brokers codebase
+  ## Go dependencies
+  - package-ecosystem: "gomod"
+    directory: "/authd-oidc-brokers" # Location of package manifests
+    schedule:
+      interval: "weekly"
+    groups:
+      minor-updates:
+        update-types: [ "minor", "patch" ]
+    commit-message:
+      prefix: "deps(go)"
+
+  - package-ecosystem: "gomod"
+    directory: "/authd-oidc-brokers/tools"
+    schedule:
+      interval: "weekly"
+    groups:
+      minor-updates:
+        update-types: [ "minor", "patch" ]
+    commit-message:
+      prefix: "deps(go-tools)"
+  ## rust-toolchain.toml
+  - package-ecosystem: "cargo"
+    directory: "/authd-oidc-brokers"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "deps(rust)"

.github/workflows/brokers-qa.yml

@@ -0,0 +1,196 @@
+name: Brokers QA & sanity checks
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - "*"
+    paths:
+      - "authd-oidc-brokers/**"
+
+  pull_request:
+    paths:
+      - "authd-oidc-brokers/**"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    working-directory: ./authd-oidc-brokers
+
+jobs:
+  go-sanity:
+    name: "Go: Code sanity"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          submodules: recursive
+
+      - name: Build libhimmelblau
+        # The code sanity check fails if himmelblau.h does not exist, so we generate it first.
+        run: go generate --tags withmsentraid ./internal/providers/msentraid/...
+
+      - name: Go code sanity check
+        uses: canonical/desktop-engineering/gh-actions/go/code-sanity@v2
+        with:
+          golangci-lint-configfile: ".golangci.yaml"
+          working-directory: "./authd-oidc-brokers"
+          tools-directory: "./authd-oidc-brokers/tools"
+          go-tags: "withmsentraid"
+
+  shell-sanity:
+    name: "Shell: Code sanity"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: Run ShellCheck
+        uses: ludeeus/action-shellcheck@master
+
+  go-tests:
+    name: "Go: Tests"
+    runs-on: ubuntu-24.04 # ubuntu-latest-runner
+    strategy:
+      fail-fast: false
+      matrix:
+        test: [ "coverage", "asan" ]
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          submodules: recursive
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+
+      - uses: canonical/desktop-engineering/gh-actions/common/dpkg-install-speedup@main
+      - name: Install dependencies
+        run: |
+          set -eu
+          sudo apt-get update
+          sudo apt-get install -y git-delta
+
+      - name: Install coverage collection dependencies
+        if: matrix.test == 'coverage'
+        run: |
+          set -eu
+
+          go install github.com/AlekSi/gocov-xml@latest
+          go install github.com/adombeck/gocov/gocov@latest
+          dotnet tool install -g dotnet-reportgenerator-globaltool
+
+      - name: Build libhimmelblau
+        run: go generate --tags withmsentraid ./internal/providers/msentraid/...
+
+      - name: Prepare tests artifacts path
+        run: |
+          set -eu
+
+          artifacts_dir=$(mktemp -d --tmpdir authd-test-artifacts-XXXXXX)
+          echo AUTHD_TEST_ARTIFACTS_DIR="${artifacts_dir}" >> $GITHUB_ENV
+
+      - name: Install gotestfmt and our wrapper script
+        uses: canonical/desktop-engineering/gh-actions/go/gotestfmt@main
+
+      - name: Run tests (with coverage collection)
+        if: matrix.test == 'coverage'
+        run: |
+          set -euo pipefail
+
+          # The coverage is not written if the output directory does not exist, so we need to create it.
+          cov_dir=${PWD}/coverage
+          raw_cov_dir=${cov_dir}/raw_files
+          codecov_dir=${cov_dir}/codecov
+
+          mkdir -p "${raw_cov_dir}" "${codecov_dir}"
+
+          # Print executed commands to ease debugging
+          set -x
+
+          # Overriding the default coverage directory is not an exported flag of go test (yet), so
+          # we need to override it using the test.gocoverdir flag instead.
+          #TODO: Update when https://go-review.googlesource.com/c/go/+/456595 is merged.
+          go test -tags withmsentraid -json -cover -covermode=set ./... -shuffle=on -args -test.gocoverdir="${raw_cov_dir}" 2>&1 | \
+            gotestfmt --logfile "${AUTHD_TEST_ARTIFACTS_DIR}/gotestfmt.cover.log"
+
+          # Convert the raw coverage data into textfmt so we can merge the Rust one into it
+          go tool covdata textfmt -i="${raw_cov_dir}" -o="${cov_dir}/coverage.out"
+
+          # Filter out the testutils package
+          grep -v -e "testutils" "${cov_dir}/coverage.out" >"${cov_dir}/coverage.out.filtered"
+
+          # Generate the Cobertura report for Go
+          gocov convert "${cov_dir}/coverage.out.filtered" | gocov-xml > "${cov_dir}/coverage.xml"
+          reportgenerator -reports:"${cov_dir}/coverage.xml" -targetdir:"${codecov_dir}" -reporttypes:Cobertura
+
+          # Store the coverage directory for the next steps
+          echo COVERAGE_DIR="${codecov_dir}" >> ${GITHUB_ENV}
+
+      - name: Run msentraid tests (with Address Sanitizer)
+        if: matrix.test == 'asan'
+        env:
+          # Do not optimize, keep debug symbols and frame pointer for better
+          # stack trace information in case of ASAN errors.
+          CGO_CFLAGS: "-O0 -g3 -fno-omit-frame-pointer"
+          GO_TESTS_TIMEOUT: 30m
+          # Use these flags to give ASAN a better time to unwind the stack trace
+          GO_GC_FLAGS: -N -l
+        run: |
+          # Print executed commands to ease debugging
+          set -x
+
+          # For llvm-symbolizer
+          sudo apt-get install -y llvm
+
+          # We only run the msentraid tests with ASAN because only these use cgo.
+          pushd ./internal/providers/msentraid
+          go test -asan -gcflags=all="${GO_GC_FLAGS}" -c
+          go tool test2json -p internal/providers/msentraid ./msentraid.test \
+            -test.v=test2json \
+            -test.failfast \
+            -test.timeout ${GO_TESTS_TIMEOUT} | \
+          gotestfmt --logfile "${AUTHD_TEST_ARTIFACTS_DIR}/gotestfmt.asan.log" || \
+          exit_code=$?
+          popd
+
+          # We don't need the xtrace output after this point
+          set +x
+
+          # We're logging to a file, and this is useful for having artifacts, but we still may want to see it in logs:
+          for f in "${AUTHD_TEST_ARTIFACTS_DIR}"/*asan.log*; do
+            if ! [ -e "${f}" ]; then
+              continue
+            fi
+            if [ -s "${f}" ]; then
+              echo "::group::${f} ($(wc -l < "${f}") lines)"
+              cat "${f}"
+              echo "::endgroup::"
+            else
+              echo "${f}: empty"
+            fi
+          done
+
+          exit ${exit_code}
+
+      - name: Upload coverage to Codecov
+        if: matrix.test == 'coverage'
+        uses: codecov/codecov-action@v5
+        with:
+          directory: ${{ env.COVERAGE_DIR }}
+          files: ${{ env.COVERAGE_DIR }}/Cobertura.xml
+          token: ${{ secrets.CODECOV_TOKEN }}
+
+      - name: Upload coverage report as artifact
+        if: matrix.test == 'coverage' && github.ref == 'refs/heads/main'
+        uses: actions/upload-artifact@v6
+        with:
+          name: coverage
+          path: ${{ env.COVERAGE_DIR }}
+
+      - name: Upload test artifacts
+        if: failure()
+        uses: actions/upload-artifact@v6
+        with:
+          name: authd-${{ github.job }}-artifacts-${{ github.run_attempt }}
+          path: ${{ env.AUTHD_TEST_ARTIFACTS_DIR }}

.github/workflows/qa.yaml

@@ -1,18 +1,20 @@
-name: QA & sanity checks
+name: authd QA & sanity checks
 on:
   push:
     branches:
       - main
     paths-ignore:
       - '.github/workflows/automatic-doc-checks.yml'
       - '.readthedocs.yaml'
+      - "authd-oidc-brokers/**"
       - 'docs/**'
     tags:
       - "*"
   pull_request:
     paths-ignore:
       - '.github/workflows/automatic-doc-checks.yml'
       - '.readthedocs.yaml'
+      - "authd-oidc-brokers/**"
       - 'docs/**'
 
 concurrency:

.github/workflows/tics-run.yaml

@@ -75,5 +75,8 @@ jobs:
                 find pam -name '*.so' -print -delete
                 go generate -C pam -x
                 go build ./cmd/authd
+                go -C ./authd-oidc-brokers build -o authd-vanilla ./cmd/authd-oidc
+                go -C ./authd-oidc-brokers build -tags=withmsentraid -o authd-msentraid ./cmd/authd-oidc
+                go -C ./authd-oidc-brokers build -tags=withgoogle -o authd-google ./cmd/authd-oidc
 
                 TICSQServer -project authd -tmpdir /tmp/tics -branchdir .

.github/workflows/update-broker-variant-branches.yml

@@ -0,0 +1,119 @@
+name: Auto update broker variant branches
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "authd-oidc-brokers/**"
+  workflow_dispatch:
+concurrency: auto-update-broker-variants
+
+permissions:
+    pull-requests: write
+    contents: write
+
+defaults:
+  run:
+    working-directory: ./authd-oidc-brokers
+
+env:
+    DEBIAN_FRONTEND: noninteractive
+
+jobs:
+  update-snap-branches:
+    name: Update snap branches
+    strategy:
+      matrix:
+        branch_name: ["google","msentraid"]
+    runs-on: ubuntu-latest
+    steps:
+        - uses: canonical/desktop-engineering/gh-actions/common/dpkg-install-speedup@main
+        - name: Install dependencies
+          run: |
+            set -eu
+            sudo apt-get update
+            sudo apt-get install -y git
+        - uses: actions/checkout@v6
+          with:
+            ref: main
+            fetch-depth: 0
+        - name: Merge main into branches
+          id: merge
+          run: |
+            set -eux
+            git config user.name "github-actions[bot]"
+            git config user.email "github-actions[bot]@users.noreply.github.com"
+            git fetch
+            git checkout ${{ matrix.branch_name }}
+
+            # First, assume that we will have conflicts due to the merge command
+            # failing the action if there's any.
+            echo "has_conflicts=true" >> $GITHUB_OUTPUT
+            has_conflicts=true
+            if git merge main --commit; then
+              has_conflicts=false
+            fi
+
+            echo "has_conflicts=${has_conflicts}" >> $GITHUB_OUTPUT
+
+        - uses: actions/setup-go@v6
+          if: ${{ steps.merge.outputs.has_conflicts == 'false' }}
+          with:
+            go-version-file: go.mod
+        - name: Regenerate consts for this broker
+          if: ${{ steps.merge.outputs.has_conflicts == 'false' }}
+          run: |
+            set -eux
+            # Regenerate the consts for the broker
+            go generate ./internal/consts/
+        - name: Find generated changes
+          if: ${{ steps.merge.outputs.has_conflicts == 'false' }}
+          id: check-diff
+          uses: canonical/desktop-engineering/gh-actions/common/has-diff@main
+          with:
+            working-directory: ./authd-oidc-brokers/internal/consts/
+            fail-on-diff: false
+        - name: Commit generated changes
+          if: ${{ steps.merge.outputs.has_conflicts == 'false' && steps.check-diff.outputs.diff == 'true' }}
+          run: |
+            set -eux
+            git add ./internal/consts/
+            git commit -m "Regenerate consts for ${{ matrix.branch_name }}"
+        - name: Create Pull Request
+          if: ${{ steps.merge.outputs.has_conflicts == 'false' }}
+          uses: peter-evans/create-pull-request@v8
+          with:
+            commit-message: Auto update ${{ matrix.branch_name }} branch
+            title: Auto update ${{ matrix.branch_name }} branch
+            body: |
+              Automated merge from main of ${{ matrix.branch_name }}.
+            branch: update-${{ matrix.branch_name }}
+            delete-branch: true
+            token: ${{ secrets.GITHUB_TOKEN }}
+        - name: Push branch
+          if: ${{ steps.merge.outputs.has_conflicts == 'false' }}
+          run: |
+            set -eux
+            git push origin update-${{ matrix.branch_name }}:${{ matrix.branch_name }}
+
+        - name: Restore and prepare branch
+          if: ${{ steps.merge.outputs.has_conflicts == 'true' }}
+          run: |
+            set -eux
+            # Reset the state of the current destination
+            git merge --abort
+            # Apply the changes we want to merge (which is the content of main)
+            git reset --hard main
+        - name: Create Pull Request
+          if: ${{ steps.merge.outputs.has_conflicts == 'true' }}
+          uses: peter-evans/create-pull-request@v8
+          with:
+            commit-message: Auto update ${{ matrix.branch_name }} branch
+            title: Auto update ${{ matrix.branch_name }} branch
+            body: |
+              Pull request created due to conflicts found when merging main into ${{ matrix.branch_name }}.
+
+              Remember to run go -C authd-oidc-brokers generate ./internal/consts/ and committing those changes before merging this PR.
+            branch: update-${{ matrix.branch_name }}
+            delete-branch: true
+            token: ${{ secrets.GITHUB_TOKEN }}