heimdal: clean up package

- Make inputs more diff friendly - Add flags for enabling certain libraries - Disable LDAP support as HDB module by default - Add support for CJSON - Flatten contents of `$out/libexec`, which earlier had an `heimdal/heimdal` directory - Use SRI hash - Enable package tests - Add `passthru.tests.nixos` - Add `meta.homepage` and `meta.changelog` Co-authored-by: Felix Albrigtsen <felix@albrigtsen.it>
NixOS · Jan 14, 2024 · c71fa4b · c71fa4b
1 parent 068372e
commit c71fa4b
Show file tree

Hide file tree

Showing 3 changed files with 123 additions and 51 deletions.
diff --git a/nixos/modules/services/system/kerberos/heimdal.nix b/nixos/modules/services/system/kerberos/heimdal.nix
@@ -35,7 +35,7 @@ in
         mkdir -m 0755 -p ${stateDir}
       '';
       serviceConfig.ExecStart =
-        "${kerberos}/libexec/heimdal/kadmind --config-file=/etc/heimdal-kdc/kdc.conf";
+        "${kerberos}/libexec/kadmind --config-file=/etc/heimdal-kdc/kdc.conf";
       restartTriggers = [ kdcConfFile ];
     };
 
@@ -46,7 +46,7 @@ in
         mkdir -m 0755 -p ${stateDir}
       '';
       serviceConfig.ExecStart =
-        "${kerberos}/libexec/heimdal/kdc --config-file=/etc/heimdal-kdc/kdc.conf";
+        "${kerberos}/libexec/kdc --config-file=/etc/heimdal-kdc/kdc.conf";
       restartTriggers = [ kdcConfFile ];
     };
 
@@ -56,7 +56,7 @@ in
       preStart = ''
         mkdir -m 0755 -p ${stateDir}
       '';
-      serviceConfig.ExecStart = "${kerberos}/libexec/heimdal/kpasswdd";
+      serviceConfig.ExecStart = "${kerberos}/libexec/kpasswdd";
       restartTriggers = [ kdcConfFile ];
     };
 

diff --git a/pkgs/development/libraries/kerberos/heimdal-make-missing-headers.patch b/pkgs/development/libraries/kerberos/heimdal-make-missing-headers.patch
diff --git a/pkgs/development/libraries/kerberos/heimdal.nix b/pkgs/development/libraries/kerberos/heimdal.nix
@@ -1,9 +1,52 @@
-{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config, python3, perl, bison, flex
-, texinfo, perlPackages
-, openldap, libcap_ng, sqlite, openssl, db, libedit, pam
-, CoreFoundation, Security, SystemConfiguration
+{ lib
+, stdenv
+, fetchFromGitHub
+, autoreconfHook
+, pkg-config
+, python3
+, perl
+, bison
+, flex
+, texinfo
+, perlPackages
+
+, openldap
+, libcap_ng
+, sqlite
+, openssl
+, db
+, libedit
+, pam
+, krb5
+, libmicrohttpd
+, cjson
+
+, CoreFoundation
+, Security
+, SystemConfiguration
+
+, curl
+, jdk
+, unzip
+, which
+
+, nixosTests
+
+, withCJSON ? true
+, withCapNG ? stdenv.isLinux
+# libmicrohttpd should theoretically work for darwin as well, but something is broken.
+# It affects tests check-bx509d and check-httpkadmind.
+, withMicroHTTPD ? stdenv.isLinux
+, withOpenLDAP ? true
+, withOpenLDAPAsHDBModule ? false
+, withOpenSSL ? true
+, withSQLite3 ? true
 }:
 
+assert lib.assertMsg (withOpenLDAPAsHDBModule -> withOpenLDAP) ''
+  OpenLDAP needs to be enabled in order to build the OpenLDAP HDB Module.
+'';
+
 stdenv.mkDerivation {
   pname = "heimdal";
   version = "7.8.0-unstable-2023-11-29";
@@ -12,50 +55,84 @@ stdenv.mkDerivation {
     owner = "heimdal";
     repo = "heimdal";
     rev = "3253c49544eacb33d5ad2f6f919b0696e5aab794";
-    sha256 = "sha256-uljzQBzXrZCZjcIWfioqHN8YsbUUNy14Vo+A3vZIXzM=";
+    hash = "sha256-uljzQBzXrZCZjcIWfioqHN8YsbUUNy14Vo+A3vZIXzM=";
   };
 
   outputs = [ "out" "dev" "man" "info" ];
 
-  nativeBuildInputs = [ autoreconfHook pkg-config python3 perl bison flex texinfo ]
-    ++ (with perlPackages; [ JSON ]);
-  buildInputs = lib.optionals (stdenv.isLinux) [ libcap_ng ]
-    ++ [ db sqlite openssl libedit openldap pam]
-    ++ lib.optionals (stdenv.isDarwin) [ CoreFoundation Security SystemConfiguration ];
+  nativeBuildInputs = [
+    autoreconfHook
+    pkg-config
+    python3
+    perl
+    bison
+    flex
+    texinfo
+  ]
+  ++ (with perlPackages; [ JSON ]);
+
+  buildInputs = [ db libedit pam ]
+    ++ lib.optionals (stdenv.isDarwin) [ CoreFoundation Security SystemConfiguration ]
+    ++ lib.optionals (withCJSON) [ cjson ]
+    ++ lib.optionals (withCapNG) [ libcap_ng ]
+    ++ lib.optionals (withMicroHTTPD) [ libmicrohttpd ]
+    ++ lib.optionals (withOpenLDAP) [ openldap ]
+    ++ lib.optionals (withOpenSSL) [ openssl ]
+    ++ lib.optionals (withSQLite3) [ sqlite ];
+
+  doCheck = true;
+  nativeCheckInputs = [
+    curl
+    jdk
+    unzip
+    which
+  ];
 
-  ## ugly, X should be made an option
   configureFlags = [
-    "--sysconfdir=/etc"
-    "--localstatedir=/var"
-    "--infodir=$info/share/info"
-    "--enable-hdb-openldap-module"
-    "--with-sqlite3=${sqlite.dev}"
-
-  # ugly, --with-libedit is not enought, it fall back to bundled libedit
     "--with-libedit-include=${libedit.dev}/include"
     "--with-libedit-lib=${libedit}/lib"
-    "--with-openssl=${openssl.dev}"
-    "--without-x"
-    "--with-berkeley-db"
     "--with-berkeley-db-include=${db.dev}/include"
-    "--with-openldap=${openldap.dev}"
-  ] ++ lib.optionals (stdenv.isLinux) [
+    "--with-berkeley-db"
+
+    "--without-x"
+    "--disable-afs-string-to-key"
+  ] ++ lib.optionals (withCapNG) [
     "--with-capng"
+  ] ++ lib.optionals (withCJSON) [
+    "--with-cjson=${cjson}"
+  ] ++ lib.optionals (withOpenLDAP) [
+    "--with-openldap=${openldap.dev}"
+  ] ++ lib.optionals (withOpenLDAPAsHDBModule) [
+    "--enable-hdb-openldap-module"
+  ] ++ lib.optionals (withSQLite3) [
+    "--with-sqlite3=${sqlite.dev}"
   ];
 
-  postUnpack = ''
-    sed -i '/^DEFAULT_INCLUDES/ s,$, -I..,' source/cf/Makefile.am.common
-    sed -i -e 's/date/date --date="@$SOURCE_DATE_EPOCH"/' source/configure.ac
+  # (check-ldap) slapd resides within ${openldap}/libexec,
+  #              which is not part of $PATH by default.
+  # (check-ldap) prepending ${openldap}/bin to the path to avoid
+  #              using the default installation of openldap on unsandboxed darwin systems,
+  #              which does not support the new mdb backend at the moment (2024-01-13).
+  # (check-ldap) the bdb backend got deprecated in favour of mdb in openldap 2.5.0,
+  #              but the heimdal tests still seem to expect bdb as the openldap backend.
+  #              This might be fixed upstream in a future update.
+  patchPhase = ''
+    runHook prePatch
+
+    substituteInPlace tests/ldap/slapd-init.in \
+      --replace 'SCHEMA_PATHS="' 'SCHEMA_PATHS="${openldap}/etc/schema '
+    substituteInPlace tests/ldap/check-ldap.in \
+      --replace 'PATH=' 'PATH=${openldap}/libexec:${openldap}/bin:'
+    substituteInPlace tests/ldap/slapd.conf \
+      --replace 'database	bdb' 'database mdb'
+
+    runHook postPatch
   '';
 
-  preConfigure = ''
-    configureFlagsArray+=(
-      "--bindir=$out/bin"
-      "--sbindir=$out/sbin"
-      "--libexecdir=$out/libexec/heimdal"
-      "--mandir=$man/share/man"
-      "--infodir=$man/share/info"
-      "--includedir=$dev/include")
+  # (test_cc) heimdal uses librokens implementation of `secure_getenv` on darwin,
+  #           which expects either USER or LOGNAME to be set.
+  preCheck = lib.optionalString (stdenv.isDarwin) ''
+    export USER=nix-builder
   '';
 
   # We need to build hcrypt for applications like samba
@@ -73,8 +150,8 @@ stdenv.mkDerivation {
     mv $out/bin/krb5-config $dev/bin/
 
     # asn1 compilers, move them to $dev
-    mv $out/libexec/heimdal/heimdal/* $dev/bin
-    rmdir $out/libexec/heimdal/heimdal
+    mv $out/libexec/heimdal/* $dev/bin
+    rmdir $out/libexec/heimdal
 
     # compile_et is needed for cross-compiling this package and samba
     mv lib/com_err/.libs/compile_et $dev/bin
@@ -85,11 +162,16 @@ stdenv.mkDerivation {
   #  hx_locl.h:67:25: fatal error: pkcs10_asn1.h: No such file or directory
   #enableParallelBuilding = true;
 
+  passthru = {
+    implementation = "heimdal";
+    tests.nixos = nixosTests.kerberos.heimdal;
+  };
+
   meta = with lib; {
+    homepage = "https://www.heimdal.software";
+    changelog = "https://github.com/heimdal/heimdal/releases";
     description = "An implementation of Kerberos 5 (and some more stuff)";
     license = licenses.bsd3;
     platforms = platforms.unix;
   };
-
-  passthru.implementation = "heimdal";
 }