ubuntu · denisonbarbosa · Feb 14, 2023 · Feb 9, 2023 · Feb 9, 2023 · Feb 9, 2023
diff --git a/.github/workflows/auto-updates.yaml b/.github/workflows/auto-updates.yaml
@@ -1,8 +1,9 @@
 name: Update translations in main branch automatically
 on:
   push:
-    branches:
-      - main
+    # TODO: UNCOMMENT WHEN MERGING RUST-NSS TO MAIN
+    # branches:
+    #   - main
     paths-ignore:
       - po/*
 
@@ -52,3 +53,112 @@ jobs:
         if: ${{ env.modified == 'true' }}
         run: |
           git push origin auto-update-po:main
+
+  update-rust-vendored-sources:
+    name: Update XS-Vendored-Sources-Rust on debian/control
+    needs: update-po
+    runs-on: ubuntu-latest
+    container:
+      image: ubuntu:rolling
+    steps:
+      - name: Install dependencies
+        run: |
+          DEBIAN_FRONTEND=noninteractive apt update
+          DEBIAN_FRONTEND=noninteractive apt install -y cargo dh-cargo git
+      - uses: actions/checkout@v3
+      - name: Vendoring the dependencies
+        run: |
+          cargo vendor vendor_rust/
+      - name: Update XS-Vendored-Sources-Rust
+        run: |
+          set -eu
+
+          export CARGO_VENDOR_DIR=vendor_rust/
+          VENDORED_SOURCES=$(/usr/share/cargo/bin/dh-cargo-vendored-sources 2>&1 || true)
+          OUTPUT=$(echo "$VENDORED_SOURCES" | grep ^XS-Vendored-Sources-Rust: || true)
+          if [ -z "$OUTPUT" ]; then
+            exit 0
+          fi
+          sed -i "s/^XS-Vendored-Sources-Rust:.*/$OUTPUT/" debian/control
+
+          echo "modified=true" >> $GITHUB_ENV
+        shell: bash
+
+      - name: Create Pull Request
+        if: ${{ env.modified == 'true' }}
+        # V5 Beta needed because of https://github.com/peter-evans/create-pull-request/issues/1170
+        uses: peter-evans/create-pull-request@v5-beta
+        with:
+          commit-message: Auto update Rust vendored sources in debian/control
+          title: Auto update Rust vendored sources in debian/control
+          labels: control, automated pr
+          branch: auto-update-rust-vendored-sources
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Push branch
+        if: ${{ env.modified == 'true' }}
+        # TODO: FIX TARGET WHEN MERGING TO MAIN
+        run: |
+          git push origin auto-update-rust-vendored-sources:rust-nss
+
+  update-fake-checksum-file:
+    name: 'Update the fake checksum file at d/cargo-checksum.json'
+    needs: update-rust-vendored-sources
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install dependencies
+        run: |
+          sudo DEBIAN_FRONTEND=noninteractive apt update
+          sudo DEBIAN_FRONTEND=noninteractive apt install -y git nodejs
+      - uses: actions/checkout@v3
+      - name: 'Install GitHub script dependencies'
+        run: npm install -D toml @types/node
+      - name: 'Update the checksum file'
+        uses: actions/github-script@v6
+        id: update-checksum
+        with:
+          script: |
+            const toml = require("toml");
+            const fs = require("fs");
+            const checksum_path = "./debian/cargo-checksum.json";
+            /** @typedef LockEntry @prop {string} name @prop {string} checksum @prop {string} version */
+            /** Read and parse the lock file
+            * @param {string} path
+            * @returns {any} */
+            function readLock(path) {
+              const lock = fs.readFileSync(path, { encoding: "utf-8" });
+              return toml.parse(lock);
+            }
+            const lockfile = readLock("./Cargo.lock");
+            /** @type {LockEntry?} */ const sd_block = lockfile.package.find(
+              (/** @type {LockEntry} */ x) => x.name === "vcpkg"
+            );
+            if (!sd_block) throw new Error("vcpkg not found in the lock file");
+            const old_cksum_file = require(checksum_path);
+            if (old_cksum_file.package === sd_block.checksum) {
+                console.info("Checksum is up-to-date. No update needed.");
+                return false;
+            }
+            const new_cksum_file =
+              JSON.stringify({
+                package: sd_block.checksum,
+                files: {},
+              }) + "\n";
+            fs.writeFileSync(checksum_path, new_cksum_file);
+            console.info("Checksum file updated.");
+            return true;
+      - name: Create Pull Request
+        if: ${{ steps.update-checksum.outputs.result == 'true' }}
+        # V5 Beta needed because of https://github.com/peter-evans/create-pull-request/issues/1170
+        uses: peter-evans/create-pull-request@v5-beta
+        with:
+          commit-message: Auto update Rust vendored sources checksums
+          title: Auto update Rust vendored sources checksums
+          labels: control, automated pr
+          body: "[Auto-generated pull request](https://github.com/ubuntu/adsys/actions/workflows/auto-updates.yaml) by GitHub Action"
+          branch: auto-update-rust-checksum
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Push branch
+        if: ${{ steps.update-checksum.outputs.result == 'true' }}
+        # TODO: FIX TARGET WHEN MERGING TO MAIN
+        run: |
+          git push origin auto-update-rust-checksum:rust-nss
diff --git a/.gitignore b/.gitignore
@@ -7,6 +7,7 @@
 *.so.*
 *.dylib
 target/
+obj-x86_64-linux-gnu/
 
 # Editor exclusions
 .vsls.json
@@ -25,6 +26,7 @@ generated/
 
 # Dependency directories (remove the comment below to include it)
 vendor/
+vendor_rust/
 
 # Various files
 conf/aad.conf

diff --git a/Cargo.toml b/Cargo.toml
@@ -1,5 +1,14 @@
 [workspace]
 members = ["nss"]
+exclude = ["vendor_rust/"]
 
 [profile.release]
-lto = "fat"
+# According to https://github.com/rust-lang/rust/issues/66118, enabling LTO results in some problems
+# with dwz. Comments in the issue said that setting the LTO to thin didn't result in the same issues
+# and the Cargo reference book https://doc.rust-lang.org/cargo/reference/profiles.html states:
+# '''
+# "thin": Performs "thin" LTO. This is similar to "fat", but takes substantially less time to run
+# while still achieving performance gains similar to "fat".
+# '''
+# So setting LTO to thin seems like a win-win situation.
+lto = "thin"
diff --git a/debian/cargo-checksum.json b/debian/cargo-checksum.json
@@ -0,0 +1,4 @@
+{
+    "package": "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426",
+    "files": {}
+}
diff --git a/debian/control b/debian/control
@@ -4,14 +4,17 @@ Priority: optional
 Maintainer: Ubuntu Developers <[email protected]>
 Build-Depends: debhelper-compat (= 13),
                dh-apport,
+               dh-cargo,
                dh-golang,
                golang-go (>= 2:1.18~),
                libpam0g-dev (>= 1.4),
                libc6-dev (>= 2.35),
                libglib2.0-dev (>= 2.72.1),
                pkg-config (>= 0.29.2),
+               libsqlite3-dev (>= 3.37.2)
 Standards-Version: 4.6.0.1
 XS-Go-Import-Path: github.com/ubuntu/aad-auth
+XS-Vendored-Sources-Rust: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]+deprecated, [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]+wasi-snapshot-preview1, [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
 Homepage: https://github.com/ubuntu/aad-auth
 Description: Azure Active Directory Authentication
  Azure Active Directory Authentication enables authentication of Azure Active
@@ -32,6 +35,7 @@ Description: ${source:Synopsis} module for PAM
 
 Package: libnss-aad
 Architecture: any
+Multi-Arch: same
 Built-Using: ${misc:Built-Using},
 Depends: aad-common,
          ${shlibs:Depends},
@@ -43,6 +47,7 @@ Description: ${source:Synopsis} module for NSS
 
 Package: aad-common
 Architecture: all
+Multi-Arch: foreign
 Enhances: libpam-aad, libnss-aad, aad-cli
 Depends: ${misc:Depends}
 Description: ${source:Synopsis} common files

diff --git a/debian/copyright b/debian/copyright
@@ -144,6 +144,93 @@ Files: vendor/github.com/spf13/pflag/*
 Copyright: Copyright: 2012 The Go Authors. / 2012 Alex Ogier.
 License: BSD-3
 
+Files: vendor_rust/ahash/*
+       vendor_rust/hashbrown/*
+Copyright: 2016 Amanieu d'Antras
+License: MIT
+
+Files: vendor_rust/memchr/*
+       vendor_rust/bstr/*
+       vendor_rust/regex-automata/*
+Copyright: 2015-2019 Andrew Gallant
+License: MIT
+
+Files: vendor_rust/autocfg/*
+Copyright: 2018 Josh Stone
+License: MIT
+
+Files: vendor_rust/bitflags/*
+       vendor_rust/hashlink/*
+       vendor_rust/lazy_static/*
+       vendor_rust/libc/*
+       vendor_rust/log/*
+       vendor_rust/unicode-segmentation/*
+Copyright: 2010-2020 The Rust Project Developers
+License: MIT
+
+Files: vendor_rust/cc/*
+       vendor_rust/cfg-if/*
+       vendor_rust/match_cfg/*
+       vendor_rust/pkg-config/*
+Copyright: 2014 Alex Crichton
+License: MIT
+
+Files: vendor_rust/error-chain/*
+Copyright: 2017 The Error-Chain Project Developers
+License: MIT
+
+Files: vendor_rust/fallible-iterator/*
+Copyright: 2015 The rust-openssl-verify Developers
+License: MIT
+
+Files: vendor_rust/fallible-streaming-iterator/*
+Copyright: 2016 The fallible-streaming-iterator Developers
+License: MIT
+
+Files: vendor_rust/getrandom/*
+Copyright: 2018 Developers of the Rand project
+           2014 The Rust Project Developers
+License: MIT
+
+Files: vendor_rust/num_threads/*
+Copyright: 2021 Jacob Pratt
+License: MIT
+
+Files: vendor_rust/time/*
+       vendor_rust/time-core/*
+       vendor_rust/time-macros/*
+Copyright: 2022 Jacob Pratt et al.
+License: MIT
+
+Files: vendor_rust/proc-macro-error-attr/*
+       vendor_rust/proc-macro-error/*
+Copyright: 2019-2020 CreepySkeleton
+License: MIT
+
+Files: vendor_rust/proc-macro-hack/*
+Copyright: 2018 David Tolnay
+License: MIT
+
+Files: vendor_rust/smallvec/*
+Copyright: 2018 The Servo Project Developers
+License: MIT
+
+Files: vendor_rust/tempfile/*
+Copyright: 2015 Steven Allen
+License: MIT
+
+Files: vendor_rust/vcpkg/*
+Copyright: 2017 Jim McGrath
+License: MIT
+
+Files: vendor_rust/version_check/*
+Copyright: 2017-2018 Sergio Benitez
+License: MIT
+
+Files: vendor_rust/winapi/*
+Copyright: 2015-2018 The winapi-rs Developers
+License: MIT
+
 License: Apache-2.0
  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,

diff --git a/debian/libnss-aad.install b/debian/libnss-aad.install
@@ -1,2 +1 @@
 usr/lib/*/libnss_aad.so.2
-usr/libexec/aad-auth
diff --git a/debian/libnss-aad.lintian-overrides b/debian/libnss-aad.lintian-overrides
@@ -0,0 +1,9 @@
+# The versioned library is the actual library itself, there is no link to it.
+libnss-aad: lacks-versioned-link-to-shared-library
+
+# cargo build currently does not support changing the output name of libraries and the functionality
+# is still being tracked at https://github.com/rust-lang/cargo/issues/9778. Therefore, we must build
+# it with the base name (i.e. libnss_aad.so) and then manually rename it to contain the version, as
+# done in the dh_auto_install step.
+# With this approach, libnss is not using soname to track compatibility, so this override is safe.
+libnss-aad: shared-library-lacks-version
diff --git a/debian/libnss-aad.symbols b/debian/libnss-aad.symbols
@@ -1,4 +1,4 @@
-libnss_aad.so.2 libnss-aad #MINVER#
+libnss_aad.so libnss-aad #MINVER#
  _nss_aad_endgrent@Base 0.1
  _nss_aad_endpwent@Base 0.1
  _nss_aad_endspent@Base 0.1
@@ -13,14 +13,3 @@ libnss_aad.so.2 libnss-aad #MINVER#
  _nss_aad_setgrent@Base 0.1
  _nss_aad_setpwent@Base 0.1
  _nss_aad_setspent@Base 0.1
- all_grp_entries@Base 0.1
- all_grp_entries_index@Base 0.1
- all_pwd_entries@Base 0.1
- all_pwd_entries_index@Base 0.1
- all_spwd_entries@Base 0.1
- all_spwd_entries_index@Base 0.1
- fetch_info@Base 0.1
- grp_search@Base 0.1
- pwd_search@Base 0.1
- run_aad_auth@Base 0.1
- spwd_search@Base 0.1