Release 0.6.0

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -26,7 +26,7 @@ body:
 
         **Troubleshooting**
 
-        Please read our [Troubleshooting wiki page](https://github.com/ubuntu/authd/wiki/06--Troubleshooting)
+        Please read our [Troubleshooting wiki page](https://documentation.ubuntu.com/authd/stable-docs/reference/troubleshooting/#common-issues-and-limitations)
         and see if you can find a solution to your problem there.
   - type: checkboxes
     attributes:
@@ -92,12 +92,17 @@ body:
 
         #### Logs
         \`\`\`
-        $(sudo journalctl -o short-monotonic --lines 500  _SYSTEMD_UNIT=authd.service \+ UNIT=authd.service \+ \
+        $(sudo journalctl -o short-monotonic --lines 500  \
+          _SYSTEMD_UNIT=authd.service \+ UNIT=authd.service \+ \
           _SYSTEMD_UNIT=snap.authd-msentraid.authd-msentraid.service \+ UNIT=snap.authd-msentraid.authd-msentraid.service \+ SYSLOG_IDENTIFIER=authd-msentraid \+ \
           _SYSTEMD_UNIT=snap.authd-google.authd-google.service \+ UNIT=snap.authd-google.authd-google.service \+ SYSLOG_IDENTIFIER=authd-google \+ \
-          '_CMDLINE="gdm-session-worker [pam/gdm-authd]"' | sed -E -e 's/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/<UUID redacted>/g' \
+          _SYSTEMD_UNIT=snap.authd-oidc.authd-oidc.service \+ UNIT=snap.authd-oidc.authd-oidc.service \+ SYSLOG_IDENTIFIER=authd-oidc \+ \
+          _COMM=authd-pam \+ \
+          '_CMDLINE="gdm-session-worker [pam/gdm-authd]"' \
+          | sed -E -e 's/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/<UUID redacted>/g' \
             -e 's/GOCSPX-[0-9a-zA-Z_-]+/<redacted>/g' \
-            -e 's/[0-9a-zA-Z_-]+\.apps\.googleusercontent\.com/<redacted>/g')
+            -e 's/[0-9a-zA-Z_-]+\.apps\.googleusercontent\.com/<redacted>/g' \
+            -e 's/(client_secret = )\S+.*/\1<redacted>/g')
         \`\`\`
 
         #### authd apt history
@@ -106,7 +111,7 @@ body:
         \`\`\`
 
         #### authd broker configuration
-        $(sudo sh -c 'if ! find /etc/authd/brokers.d -name \*.conf | grep -q .; then echo ":warning: No config files in /etc/authd/brokers.d/"; else for f in /etc/authd/brokers.d/*.conf; do echo "#### $f"; echo "\`\`\`";  cat $f; echo "\`\`\`"; done; fi')
+        $(sudo sh -c 'if ! find /etc/authd/brokers.d -name \*.conf | grep -q .; then echo ":warning: No config files in /etc/authd/brokers.d/"; else for f in /etc/authd/brokers.d/*.conf; do echo "#### $f"; echo "\`\`\`";  cat $f; echo "\`\`\`"; done; fi' | sed -E 's/client_secret = .*/client_secret = <redacted>/g')
 
         #### authd-msentraid configuration
         \`\`\`

.github/actions/e2e-tests/set-up-ssh-keys/action.yml

@@ -0,0 +1,42 @@
+name: Set up SSH keys for VM provisioning
+description: "Sets up SSH keys for VM provisioning"
+inputs:
+  E2E_VM_SSH_PRIV_KEY:
+    description: "Private SSH key for VM provisioning"
+    required: true
+  E2E_VM_SSH_PUB_KEY:
+    description: "Public SSH key for VM provisioning"
+    required: true
+outputs:
+  keys-path:
+    description: "Path to the SSH keys"
+    value: "${{ steps.set-ssh-keys.outputs.keys-path }}"
+runs:
+  using: "composite"
+  steps:
+    - name: Set GitHub Path
+      run: echo "$GITHUB_ACTION_PATH" >> $GITHUB_PATH
+      shell: bash
+      env:
+        GITHUB_ACTION_PATH: ${{ github.action_path }}
+
+    - name: Set up SSH keys for the VM provisioning
+      id: set-ssh-keys
+      shell: bash
+      run: |
+        set -eu
+
+        mkdir -p "${HOME}/.ssh"
+        chmod 700 "${HOME}/.ssh"
+
+        echo "${{ inputs.E2E_VM_SSH_PRIV_KEY }}" > "${HOME}/.ssh/id_rsa"
+        chmod 600 "${HOME}/.ssh/id_rsa"
+
+        echo "${{ inputs.E2E_VM_SSH_PUB_KEY }}" > "${HOME}/.ssh/id_rsa.pub"
+        chmod 644 "${HOME}/.ssh/id_rsa.pub"
+
+        eval "$(ssh-agent -s)"
+
+        ssh-add "${HOME}/.ssh/id_rsa"
+
+        echo "keys-path=${HOME}/.ssh" >> "$GITHUB_OUTPUT"

.github/actions/generate-coverage-report/action.yaml

@@ -0,0 +1,49 @@
+name: 'Generate and upload coverage report'
+description: 'Generates and uploads the coverage report for Go tests'
+inputs:
+  codecov-token:
+    description: 'Codecov token for uploading coverage'
+    required: true
+runs:
+  using: 'composite'
+  steps:
+    - name: Generate coverage report
+      shell: bash
+      run: |
+        # Generate coverage report
+        set -eu
+
+        tmp_dir=$(mktemp -d)
+
+        # Convert the raw coverage data into textfmt so we can merge the Rust one into it
+        go tool covdata textfmt -i="${RAW_COVERAGE_DIR}" -o="${tmp_dir}/coverage.out"
+
+        # Append the Rust coverage data to the Go one
+        cat "${RAW_COVERAGE_DIR}/rust-cov/rust2go_coverage" >>"${tmp_dir}/coverage.out"
+
+        # Filter out the testutils package and the pb.go file
+        grep -v -e "testutils" -e "pb.go" -e "testsdetection" "${tmp_dir}/coverage.out" >"${tmp_dir}/coverage.out.filtered"
+
+        # Generate the Cobertura report for Go and Rust
+        gocov convert "${tmp_dir}/coverage.out.filtered" | gocov-xml > "${tmp_dir}/coverage.xml"
+        reportgenerator -reports:"${tmp_dir}/coverage.xml" -targetdir:"${tmp_dir}" -reporttypes:Cobertura
+
+        # Generate the Cobertura report for C
+        gcovr --cobertura "${tmp_dir}/Cobertura_C.xml" "${RAW_COVERAGE_DIR}"
+
+        # Merge Cobertura reports into a single one
+        reportgenerator -reports:"${tmp_dir}/Cobertura.xml;${tmp_dir}/Cobertura_C.xml" \
+          -targetdir:"${COVERAGE_DIR}" -reporttypes:Cobertura
+
+    - name: Upload coverage to Codecov
+      uses: codecov/codecov-action@v5
+      with:
+        directory: ${{ env.COVERAGE_DIR }}
+        files: ${{ env.COVERAGE_DIR }}/Cobertura.xml
+        token: ${{ inputs.codecov-token }}
+
+    - name: Upload coverage artifacts
+      uses: actions/upload-artifact@v5
+      with:
+        name: coverage
+        path: ${{ env.COVERAGE_DIR }}

.github/actions/install-debug-symbols/action.yaml

@@ -0,0 +1,30 @@
+name: 'Install debug symbols for glibc, PAM and GLib'
+description: 'Installs debug symbols for glibc, PAM and GLib for better stack traces'
+runs:
+  using: 'composite'
+  steps:
+    - uses: canonical/desktop-engineering/gh-actions/common/dpkg-install-speedup@main
+
+    - name: Install glibc, PAM and GLib debug symbols
+      shell: bash
+      run: |
+        # Install glibc, PAM and GLib debug symbols
+        set -eu
+
+        sudo apt-get install -y ubuntu-dbgsym-keyring libc6-dbg
+        echo "deb http://ddebs.ubuntu.com $(lsb_release -cs) main restricted universe multiverse
+        deb http://ddebs.ubuntu.com $(lsb_release -cs)-updates main restricted universe multiverse
+        deb http://ddebs.ubuntu.com $(lsb_release -cs)-proposed main restricted universe multiverse" | \
+        sudo tee -a /etc/apt/sources.list.d/ddebs.list
+        # Sometimes ddebs archive is stuck, so in case of failure we need to go manual
+        sudo apt-get update -y || true
+        if ! sudo apt-get install -y libpam-modules-dbgsym libpam0*-dbgsym libglib2.0-0*-dbgsym; then
+          sudo apt-get install -y ubuntu-dev-tools
+          for pkg in pam glib2.0; do
+            pull-lp-debs "${pkg}" $(lsb_release -cs)
+            pull-lp-ddebs "${pkg}" $(lsb_release -cs)
+          done
+          sudo apt-get install -y ./libpam0*.*deb ./libpam-modules*.*deb ./libglib2.0-0*-dbgsym*.ddeb
+          sudo apt-get remove -y ubuntu-dev-tools
+          sudo apt-get autoremove -y
+        fi

.github/actions/setup-go-coverage-tests/action.yaml

@@ -0,0 +1,26 @@
+name: 'Setup Go Tests with Coverage Analysis'
+description: 'Additional setup steps for Go tests with coverage analysis'
+runs:
+  using: 'composite'
+  steps:
+    - name: Install grcov
+      uses: baptiste0928/cargo-install@v3
+      with:
+        crate: grcov
+
+    - name: Install coverage collection dependencies
+      shell: bash
+      run: |
+        # Install coverage collection dependencies
+        set -eu
+
+        echo "::group::Install coverage collection dependencies"
+
+        # Dependendencies for C coverage collection
+        sudo apt-get install -y gcovr
+
+        # Dependendencies for Go coverage collection
+        go install github.com/AlekSi/gocov-xml@latest
+        go install github.com/adombeck/gocov/gocov@latest
+        dotnet tool install -g dotnet-reportgenerator-globaltool
+        echo "::endgroup::"

.github/actions/setup-go-tests/action.yaml

@@ -0,0 +1,66 @@
+name: 'Setup Go Tests'
+description: 'Common setup steps for Go tests'
+runs:
+  using: 'composite'
+  steps:
+    - uses: actions/setup-go@v6
+      with:
+        go-version-file: go.mod
+
+    - uses: canonical/desktop-engineering/gh-actions/common/dpkg-install-speedup@main
+
+    - name: Install dependencies
+      shell: bash
+      run: |
+        # Install dependencies
+        set -eu
+        echo "::group::Install dependencies"
+
+        sudo apt-get update
+
+        # Disable the php8.3-fpm.service which is enabled by default on ubuntu-latest-runner
+        # and is restarted when installing the dependencies but times out after 90s.
+        sudo systemctl mask --now php8.3-fpm.service || true
+
+        # The integration tests build the NSS crate, so we need the cargo build dependencies in order to run them.
+        sudo apt-get install -y protobuf-compiler
+
+        sudo apt-get install -y ${{ env.go_build_dependencies }} ${{ env.go_test_dependencies}}
+
+        echo "::endgroup::"
+
+    - name: Install gotestfmt and our wrapper script
+      uses: canonical/desktop-engineering/gh-actions/go/gotestfmt@main
+
+    - name: Install VHS and ttyd for integration tests
+      shell: bash
+      run: |
+        # Install VHS and ttyd for integration tests
+        set -eu
+        echo "::group::Install VHS and ttyd"
+        go install github.com/charmbracelet/vhs@latest
+
+        # VHS requires ttyd >= 1.7.2 to work properly.
+        wget https://github.com/tsl0922/ttyd/releases/download/1.7.7/ttyd.x86_64
+        chmod +x ttyd.x86_64
+        sudo mv ttyd.x86_64 /usr/bin/ttyd
+
+        # VHS doesn't really use ffmpeg anymore now, but it still checks for it.
+        # Drop this when https://github.com/charmbracelet/vhs/pull/591 is released.
+        sudo ln -s /usr/bin/true /usr/local/bin/ffmpeg
+        echo "::endgroup::"
+
+    - name: Install latest Rust version
+      shell: bash
+      run: rustup update stable
+
+    - name: Prepare tests artifacts path
+      shell: bash
+      run: |
+        # Prepare tests artifacts path
+        set -eu
+
+        artifacts_dir=$(mktemp -d --tmpdir authd-test-artifacts-XXXXXX)
+        echo AUTHD_TESTS_ARTIFACTS_PATH="${artifacts_dir}" >> $GITHUB_ENV
+
+        echo ASAN_OPTIONS="log_path=${artifacts_dir}/asan.log:print_stats=true" >> $GITHUB_ENV

.github/actions/setup-oras/action.yaml

@@ -0,0 +1,26 @@
+name: 'Setup oras'
+description: 'Setup oras CLI tool for pushing and pulling OCI artifacts.'
+inputs:
+  version:
+    description: 'Version of oras to install'
+    required: false
+    default: '1.3.0'
+runs:
+  using: 'composite'
+  steps:
+    - name: Install oras
+      shell: bash
+      run: |
+        # Install oras CLI
+        set -eu
+
+        VERSION="${{ inputs.version }}"
+        FILENAME="oras_${VERSION}_linux_$(dpkg --print-architecture).tar.gz"
+        curl -fsSL \
+          -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
+          -o "${FILENAME}" \
+          "https://github.com/oras-project/oras/releases/download/v${VERSION}/${FILENAME}"
+        mkdir -p oras-install/
+        tar -zxf "${FILENAME}" -C oras-install/
+        sudo mv oras-install/oras /usr/local/bin/
+        rm -rf "${FILENAME}" oras-install/

.github/actions/upload-test-artifacts/action.yaml

@@ -0,0 +1,10 @@
+name: 'Upload test artifacts'
+description: 'Uploads test artifacts'
+runs:
+  using: 'composite'
+  steps:
+    - name: Upload test artifacts
+      uses: actions/upload-artifact@v5
+      with:
+        name: authd-${{ github.job }}-artifacts-${{ github.run_attempt }}
+        path: ${{ env.AUTHD_TESTS_ARTIFACTS_PATH }}

.github/dependabot.yml

@@ -20,7 +20,7 @@ updates:
     commit-message:
       prefix: "deps(ci)"
 
-  # Codebase
+  # authd codebase
   ## Go dependencies
   - package-ecosystem: "gomod"
     directory: "/" # Location of package manifests
@@ -61,3 +61,40 @@ updates:
         update-types: ["minor", "patch"]
     commit-message:
       prefix: "deps(rust)"
+
+  ## git submodules
+  - package-ecosystem: "gitsubmodule"
+    directory: "/" # Directory containing .gitmodules
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "deps(submodule)"
+
+  # authd-oidc-brokers codebase
+  ## Go dependencies
+  - package-ecosystem: "gomod"
+    directory: "/authd-oidc-brokers" # Location of package manifests
+    schedule:
+      interval: "weekly"
+    groups:
+      minor-updates:
+        update-types: [ "minor", "patch" ]
+    commit-message:
+      prefix: "deps(brokers/go)"
+
+  - package-ecosystem: "gomod"
+    directory: "/authd-oidc-brokers/tools"
+    schedule:
+      interval: "weekly"
+    groups:
+      minor-updates:
+        update-types: [ "minor", "patch" ]
+    commit-message:
+      prefix: "deps(brokers/go-tools)"
+  ## rust-toolchain.toml
+  - package-ecosystem: "cargo"
+    directory: "/authd-oidc-brokers"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "deps(brokers/rust)"

.github/scripts/compute-deb-build-hash.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# Add all files in the repo, except for those that we know are not relevant for
+# the build of the Debian package.
+relevant_files=$(git ls-files | grep -v \
+    -e '^\.github/' \
+    -e '^\.gitignore$' \
+    -e '^\.gitmodules$' \
+    -e '^\.golangci\.yaml$' \
+    -e '\.md$' \
+    -e '^COPYING' \
+    -e '^authd-oidc-brokers/' \
+    -e '^docs/' \
+    -e '^e2e-tests/' \
+    -e '^examplebroker/' \
+    -e '^gotestcov$' \
+    -e '^snap/' \
+    -e '_test\.go$' \
+    -e '/testdata/' \
+    -e '/testutils/')
+
+# We excluded the .github directory, so we need to add the workflow file back,
+# since it is relevant for the build of the Debian package.
+relevant_files="${relevant_files}"$'\n'".github/workflows/debian-build.yaml"
+
+# Sort the files
+relevant_files=$(echo "${relevant_files}" | sort -u)
+
+# Print the files for debugging purposes.
+echo >&2 "Build-relevant files: ${relevant_files}"
+
+hash=$(echo "${relevant_files}" |
+    grep -e '.' |
+    xargs git hash-object | sha256sum | cut -d' ' -f1)
+
+# Print the hash for debugging purposes.
+echo >&2 "Hash: ${hash}"
+
+echo "${hash}"