tpm2-pkcs11: enable integration tests

h/t @illdefined for the work on these; see: #378737 (comment) Only difference is a nixfmt pass.
NixOS · Feb 22, 2025 · 1488556 · 1488556
1 parent de85fc8
commit 1488556
Show file tree

Hide file tree

Showing 2 changed files with 150 additions and 18 deletions.
diff --git a/pkgs/by-name/tp/tpm2-pkcs11/disable-java-integration.patch b/pkgs/by-name/tp/tpm2-pkcs11/disable-java-integration.patch
@@ -0,0 +1,58 @@
+diff --git a/Makefile-integration.am b/Makefile-integration.am
+index e2255de..3cea1d8 100644
+--- a/Makefile-integration.am
++++ b/Makefile-integration.am
+@@ -7,7 +7,6 @@ integration_scripts = \
+     test/integration/pkcs11-dbup.sh.nosetup \
+     test/integration/tls-tests.sh \
+     test/integration/openssl.sh \
+-    test/integration/pkcs11-javarunner.sh.java \
+     test/integration/nss-tests.sh \
+     test/integration/ptool-link.sh.nosetup \
+     test/integration/python-pkcs11.sh
+@@ -110,13 +109,5 @@ test_integration_pkcs_lockout_int_CFLAGS  = $(AM_CFLAGS) $(TESTS_CFLAGS)
+ test_integration_pkcs_lockout_int_LDADD   = $(TESTS_LDADD)  $(SQLITE3_LIBS)
+ test_integration_pkcs_lockout_int_SOURCES = test/integration/pkcs-lockout.int.c test/integration/test.c
+
+-#
+-# Java Tests
+-#
+-AM_JAVA_LOG_FLAGS = --tabrmd-tcti=$(TABRMD_TCTI) --tsetup-script=$(top_srcdir)/test/integration/scripts/create_pkcs_store.sh
+-JAVA_LOG_COMPILER=$(LOG_COMPILER)
+-dist_noinst_JAVA = test/integration/PKCS11JavaTests.java
+-CLEANFILES += test/integration/PKCS11JavaTests.class
+-
+ endif
+ # END INTEGRATION
+diff --git a/configure.ac b/configure.ac
+index 1ec6eb4..7a0a8ee 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -258,13 +258,6 @@ AC_ARG_ENABLE(
+     [build and execute integration tests])],,
+   [enable_integration=no])
+
+-# Test for Java compiler and interpreter without throwing fatal errors (since
+-# these macros are defined using AC_DEFUN they cannot be called conditionally)
+-m4_pushdef([AC_MSG_ERROR], [have_javac=no])
+-AX_PROG_JAVAC()
+-AX_PROG_JAVA()
+-m4_popdef([AC_MSG_ERROR])
+-
+ AC_DEFUN([integration_test_checks], [
+
+   AC_CHECK_PROG([tpm2_createprimary], [tpm2_createprimary], [yes], [no])
+@@ -382,13 +375,6 @@ AC_DEFUN([integration_test_checks], [
+         [AC_MSG_ERROR([Integration tests enabled but tss2_provision executable not found.])])
+   ])
+
+-  AS_IF([test "x$have_javac" = "xno"],
+-    [AC_MSG_ERROR([Integration tests enabled but no Java compiler was found])])
+-  AX_CHECK_CLASS([org.junit.Assert], ,
+-    [AC_MSG_ERROR([Integration tests enabled but JUnit not found, try setting CLASSPATH])])
+-  AX_CHECK_CLASS([org.hamcrest.SelfDescribing], ,
+-    [AC_MSG_ERROR([Integration tests enabled but Hamcrest not found, try setting CLASSPATH])])
+-
+   AC_SUBST([ENABLE_INTEGRATION], [$enable_integration])
+ ]) # end function integration_test_checks
+
diff --git a/pkgs/by-name/tp/tpm2-pkcs11/package.nix b/pkgs/by-name/tp/tpm2-pkcs11/package.nix
@@ -1,24 +1,36 @@
 {
   autoconf-archive,
   autoreconfHook,
+  buildEnv,
   clangStdenv,
   cmocka,
+  dbus,
+  expect,
   fetchFromGitHub,
   glibc,
+  gnutls,
+  iproute2,
   lib,
   libyaml,
   makeWrapper,
   opensc,
+  openssh,
   openssl,
+  nss,
+  p11-kit,
   patchelf,
   pkg-config,
   python3,
   stdenv,
   sqlite,
+  swtpm,
   tpm2-abrmd,
+  tpm2-openssl,
   tpm2-pkcs11, # for passthru abrmd tests
   tpm2-tools,
   tpm2-tss,
+  which,
+  xxd,
   abrmdSupport ? false,
   fapiSupport ? true,
   enableFuzzing ? false,
@@ -38,25 +50,37 @@ chosenStdenv.mkDerivation (finalAttrs: {
     hash = "sha256-W74ckrpK7ypny1L3Gn7nNbOVh8zbHavIk/TX3b8XbI8=";
   };
 
-  # The preConfigure phase doesn't seem to be working here
-  # ./bootstrap MUST be executed as the first step, before all
-  # of the autoreconfHook stuff
+  # Disable Java‐based tests because of missing dependencies
+  patches = [ ./disable-java-integration.patch ];
+
   postPatch = ''
-    echo "$version" > VERSION
+    echo ${lib.escapeShellArg finalAttrs.version} >VERSION
 
     # Don't run git in the bootstrap
     substituteInPlace bootstrap --replace-warn "git" "# git"
 
-    # Don't run tests with dbus
-    substituteInPlace Makefile.am --replace-fail "dbus-run-session" "env"
+    # Provide configuration file for D-Bus
+    substituteInPlace Makefile.am --replace-fail \
+      "dbus-run-session" \
+      "dbus-run-session --config-file=${dbus}/share/dbus-1/session.conf"
+
+    # Disable failing tests
+    sed -E -i '/\<test\/integration\/(pkcs-crypt\.int|pkcs11-tool\.sh)\>/d' \
+      Makefile-integration.am
 
-    patchShebangs test
+    patchShebangs test tools
 
+    # The preConfigure phase doesn't seem to be working here
+    # ./bootstrap MUST be executed as the first step, before all
+    # of the autoreconfHook stuff
     ./bootstrap
   '';
 
   configureFlags =
-    lib.singleton (lib.enableFeature finalAttrs.doCheck "unit")
+    [
+      (lib.enableFeature finalAttrs.doCheck "unit")
+      (lib.enableFeature finalAttrs.doCheck "integration")
+    ]
     ++ lib.optionals enableFuzzing [
       "--enable-fuzzing"
       "--disable-hardening"
@@ -72,15 +96,20 @@ chosenStdenv.mkDerivation (finalAttrs: {
     patchelf
     pkg-config
     (python3.withPackages (
-      ps: with ps; [
+      ps:
+      with ps;
+      [
         packaging
         pyyaml
+        python-pkcs11
         cryptography
         pyasn1-modules
         tpm2-pytss
       ]
+      ++ cryptography.optional-dependencies.ssh
     ))
   ];
+
   buildInputs = [
     libyaml
     opensc
@@ -89,8 +118,28 @@ chosenStdenv.mkDerivation (finalAttrs: {
     tpm2-tools
     tpm2-tss
   ];
+
+  nativeCheckInputs = [
+    dbus
+    expect
+    gnutls
+    iproute2
+    nss.tools
+    opensc
+    openssh
+    openssl
+    p11-kit
+    sqlite
+    swtpm
+    tpm2-abrmd
+    tpm2-tools
+    which
+    xxd
+  ];
+
   checkInputs = [
     cmocka
+    tpm2-abrmd
   ];
 
   enableParallelBuilding = true;
@@ -106,19 +155,51 @@ chosenStdenv.mkDerivation (finalAttrs: {
   dontStrip = true;
   dontPatchELF = true;
 
+  preCheck =
+    let
+      openssl-modules = buildEnv {
+        name = "openssl-modules";
+        pathsToLink = [ "/lib/ossl-modules" ];
+        paths = map lib.getLib [
+          openssl
+          tpm2-openssl
+        ];
+      };
+    in
+    ''
+      # Enable tests to load TCTI modules
+      export LD_LIBRARY_PATH+=":${
+        lib.makeLibraryPath [
+          swtpm
+          tpm2-tools
+          tpm2-abrmd
+        ]
+      }"
+
+      # Enable tests to load TPM2 OpenSSL module
+      export OPENSSL_MODULES="${openssl-modules}/lib/ossl-modules"
+    '';
+
+  postInstall = ''
+    mkdir -p $bin/bin/ $bin/share/tpm2_pkcs11/
+    mv ./tools/* $bin/share/tpm2_pkcs11/
+    makeWrapper $bin/share/tpm2_pkcs11/tpm2_ptool.py $bin/bin/tpm2_ptool \
+      --prefix PATH : ${lib.makeBinPath [ tpm2-tools ]}
+  '';
+
   # To be able to use the userspace resource manager, the RUNPATH must
   # explicitly include the tpm2-abrmd shared libraries.
   preFixup =
     let
       rpath = lib.makeLibraryPath (
-        (lib.optional abrmdSupport tpm2-abrmd)
-        ++ [
+        [
           glibc
           libyaml
           openssl
           sqlite
           tpm2-tss
         ]
+        ++ (lib.optional abrmdSupport tpm2-abrmd)
       );
     in
     ''
@@ -129,13 +210,6 @@ chosenStdenv.mkDerivation (finalAttrs: {
         $out/lib/libtpm2_pkcs11.so.0.0.0
     '';
 
-  postInstall = ''
-    mkdir -p $bin/bin/ $bin/share/tpm2_pkcs11/
-    mv ./tools/* $bin/share/tpm2_pkcs11/
-    makeWrapper $bin/share/tpm2_pkcs11/tpm2_ptool.py $bin/bin/tpm2_ptool \
-      --prefix PATH : ${lib.makeBinPath [ tpm2-tools ]}
-  '';
-
   passthru = {
     tests.tpm2-pkcs11-abrmd = tpm2-pkcs11.override {
       abrmdSupport = true;