Pierre Warnier
04427511e1
docker: install cargo-deny as a pinned prebuilt binary ( #175 )
...
The dev images built cargo-deny from source via `cargo install cargo-deny`.
That compiled cargo-deny on every image build (multi-minute) and surfaced
cargo-deny's own `profile.dev.package.{insta,similar}` warnings, which look
like our config but are not.
Install the pinned (0.19.8), checksum-verified prebuilt binary instead. The
static musl build runs on glibc too, so all three images share one asset.
Result: no source compile, no spurious warnings, and a reproducible,
sha256-verified install (vs the previous unpinned `cargo install`). Each
build self-checks with `cargo-deny --version`.
Version/checksum are ARGs so they can be bumped (and tracked by Renovate).
2026-06-10 15:06:33 +02:00
Pierre Warnier
e29b06c461
e2e: add end-to-end deployment tests ( #102 )
...
Add automated deployment testing in Docker that simulates a real
system-wide installation: build from source, install replacing GNU
shadow-utils, then run 97 assertions covering:
- Symlink dispatch and multicall dispatch (all 14 tools)
- Setuid bits and non-root privilege enforcement
- Full user lifecycle (useradd → chpasswd → usermod → pwck → userdel)
- Full group lifecycle (groupadd → groupmod → groupdel → grpck)
- Individual tool tests (chage, chfn, chsh, passwd -l/-u)
- PAM authentication (su with known password via expect)
- nscd cache invalidation
- Landlock sandboxing (when kernel supports it)
- Ansible integration (user/group modules as real-world consumer)
New files:
- docker/Dockerfile.e2e — multi-stage build + debian:trixie runtime
- tests/e2e/deploy-test.sh — bash test harness with 97 assertions
- tests/e2e/ansible-test.yml — Ansible playbook integration test
- .dockerignore — prevent sending target/ and .git/ to Docker
Modified:
- docker-compose.yml — add e2e service (no changes to existing services)
- Cargo.toml — add pam feature forwarding to root package
- shadow-core/pam.rs — add #[link(name = "pam")] for linker
Closes #109 , closes #110 , closes #111 , closes #112 , closes #113
Refs #102
2026-04-03 13:22:55 +02:00
Pierre Warnier
97130fea20
scaffold: workspace, shadow-core, passwd tool, Docker test matrix
...
Cargo workspace with three-layer architecture mirroring uutils conventions:
- shadow-core: /etc/passwd and /etc/shadow parsers, atomic file writes,
username validation, error types, feature-gated module stubs (PAM,
SELinux, group, gshadow, login.defs, subid, nscd, lock, uid_alloc)
- uu_passwd: tool skeleton with clap CLI, uumain/uu_app pattern
- multicall binary: argv[0] dispatch with --list support
Docker test matrix (Debian Trixie, Alpine musl, Fedora SELinux):
all three pass clippy -D warnings, 21 tests, and cargo fmt --check.
21 unit tests covering:
- passwd/shadow file parsing and roundtrip serialization
- atomic file write with fsync + rename + failure rollback
- username validation rules (length, charset, edge cases)
- clap command definition
2026-03-23 11:57:10 +01:00