push sheeet

pkgs/development/libraries/kerberos/0001-Define-HAVE_DB_185_H.patch

@@ -0,0 +1,26 @@
+From 08d719e96214f648ae95043acc308deca36e1f7a Mon Sep 17 00:00:00 2001
+From: Ihar Hrachyshka <ihar.hrachyshka@gmail.com>
+Date: Tue, 15 Oct 2024 13:52:39 -0400
+Subject: [PATCH] Define HAVE_DB_185_H
+
+---
+ cf/db.m4 | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/cf/db.m4 b/cf/db.m4
+index c0b4510b6..c95a9dee9 100644
+--- a/cf/db.m4
++++ b/cf/db.m4
+@@ -57,6 +57,9 @@ AS_IF([test "x$with_berkeley_db" != xno],
+ 	           db.h					\
+     ])])
+ 
++dnl detect if compat db_185.h is present
++AC_CHECK_HEADERS([db_185.h])
++
+ dnl db_create is used by db3 and db4 and db5 and db6
+ 
+   AC_FIND_FUNC_NO_LIBS(db_create, [$dbheader] db-6 db-5 db4 db3 db, [
+-- 
+2.46.0
+

pkgs/development/libraries/kerberos/0001-Include-db.h-for-nbdb-compat-mode.patch

@@ -0,0 +1,25 @@
+From 749d9451293f9d9f8a3f506401cae369003aeebf Mon Sep 17 00:00:00 2001
+From: Ihar Hrachyshka <ihar.hrachyshka@gmail.com>
+Date: Sun, 13 Oct 2024 17:16:13 -0400
+Subject: [PATCH] Include db.h for nbdb compat mode
+
+---
+ lib/otp/otp_db.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/otp/otp_db.c b/lib/otp/otp_db.c
+index 036359c1d..32c04bc8c 100644
+--- a/lib/otp/otp_db.c
++++ b/lib/otp/otp_db.c
+@@ -39,7 +39,7 @@ RCSID("$Id$");
+ #include "otp_locl.h"
+ 
+ #if defined(HAVE_DB_NDBM)
+-# include <ndbm.h>
++# include <db.h>
+ #elif !defined(HAVE_NDBM)
+ # include "ndbm_wrap.h"
+ #endif
+-- 
+2.46.0
+

pkgs/development/libraries/kerberos/0001-Link-tests-with-libresolv.patch

@@ -0,0 +1,51 @@
+From 862900febaec4a2c70257a39374b81138ee9f168 Mon Sep 17 00:00:00 2001
+From: Ihar Hrachyshka <ihar.hrachyshka@gmail.com>
+Date: Tue, 15 Oct 2024 16:06:33 -0400
+Subject: [PATCH] Link tests with libresolv
+
+---
+ lib/gssapi/Makefile.am | 1 +
+ lib/krb5/Makefile.am   | 2 ++
+ lib/roken/Makefile.am  | 1 +
+ 3 files changed, 4 insertions(+)
+
+diff --git a/lib/gssapi/Makefile.am b/lib/gssapi/Makefile.am
+index 3254866dc..db967e586 100644
+--- a/lib/gssapi/Makefile.am
++++ b/lib/gssapi/Makefile.am
+@@ -403,6 +403,7 @@ LDADD = libgssapi.la \
+ 	$(top_builddir)/lib/krb5/libkrb5.la \
+ 	$(LIB_roken)
+ 
++test_names_LDFLAGS = -lresolv
+ test_names_LDADD = $(LDADD) $(top_builddir)/lib/asn1/libasn1.la
+ test_context_LDADD = $(LDADD) $(top_builddir)/lib/asn1/libasn1.la $(top_builddir)/lib/wind/libwind.la
+ 
+diff --git a/lib/krb5/Makefile.am b/lib/krb5/Makefile.am
+index ecce461dd..e22cfe87c 100644
+--- a/lib/krb5/Makefile.am
++++ b/lib/krb5/Makefile.am
+@@ -330,6 +330,8 @@ test_rfc3961_LDADD = 				\
+ 	$(LIB_hcrypto)				\
+ 	$(LIB_roken)
+ 
++test_plugin_LDFLAGS = -lresolv
++
+ if DEVELOPER_MODE
+ headerdeps = $(dist_libkrb5_la_SOURCES)
+ endif
+diff --git a/lib/roken/Makefile.am b/lib/roken/Makefile.am
+index 1f530c7ae..8350d7034 100644
+--- a/lib/roken/Makefile.am
++++ b/lib/roken/Makefile.am
+@@ -54,6 +54,7 @@ libtest_la_CFLAGS = -DTEST_SNPRINTF -DTEST_STRPFTIME
+ 
+ parse_reply_test_SOURCES = parse_reply-test.c resolve.c
+ parse_reply_test_CFLAGS  = -DTEST_RESOLVE
++parse_reply_test_LDFLAGS = -lresolv
+ 
+ test_readenv_SOURCES = test-readenv.c test-mem.c
+ test_auxval_SOURCES = test-auxval.c
+-- 
+2.46.0
+

pkgs/development/libraries/kerberos/heimdal.nix

@@ -0,0 +1,199 @@
+{
+  lib,
+  stdenv,
+  fetchFromGitHub,
+  autoreconfHook,
+  pkg-config,
+  python3,
+  perl,
+  bison,
+  flex,
+  texinfo,
+  perlPackages,
+
+  openldap,
+  libcap_ng,
+  sqlite,
+  openssl,
+  db,
+  libedit,
+  pam,
+  libmicrohttpd,
+  cjson,
+
+  curl,
+  jdk_headless,
+  unzip,
+  which,
+
+  nixosTests,
+
+  withCJSON ? true,
+  withCapNG ? stdenv.hostPlatform.isLinux,
+  # libmicrohttpd should theoretically work for darwin as well, but something is broken.
+  # It affects tests check-bx509d and check-httpkadmind.
+  withMicroHTTPD ? stdenv.hostPlatform.isLinux,
+  withOpenLDAP ? true,
+  withOpenLDAPAsHDBModule ? false,
+  withOpenSSL ? true,
+  withSQLite3 ? true,
+}:
+
+assert lib.assertMsg (withOpenLDAPAsHDBModule -> withOpenLDAP) ''
+  OpenLDAP needs to be enabled in order to build the OpenLDAP HDB Module.
+'';
+
+stdenv.mkDerivation {
+  pname = "heimdal";
+  version = "7.8.0-unstable-2024-09-10";
+
+  src = fetchFromGitHub {
+    owner = "heimdal";
+    repo = "heimdal";
+    rev = "fd2d434dd375c402d803e6f948cfc6e257d3facc";
+    hash = "sha256-WA3lo3eD05l7zKuKEVxudMmiG7OvjK/calaUzPQ2pWs=";
+  };
+
+  outputs = [
+    "out"
+    "dev"
+    "man"
+    "info"
+  ];
+
+  nativeBuildInputs = [
+    autoreconfHook
+    pkg-config
+    python3
+    perl
+    bison
+    flex
+    perlPackages.JSON
+    texinfo
+  ];
+
+  buildInputs = [
+    db
+    libedit
+    pam
+  ]
+  ++ lib.optionals withCJSON [ cjson ]
+  ++ lib.optionals withCapNG [ libcap_ng ]
+  ++ lib.optionals withMicroHTTPD [ libmicrohttpd ]
+  ++ lib.optionals withOpenLDAP [ openldap ]
+  ++ lib.optionals withOpenSSL [ openssl ]
+  ++ lib.optionals withSQLite3 [ sqlite ];
+
+  doCheck = true;
+  nativeCheckInputs = [
+    curl
+    jdk_headless
+    unzip
+    which
+  ];
+
+  configureFlags = [
+    "--with-hdbdir=/var/lib/heimdal"
+
+    "--with-libedit-include=${libedit.dev}/include"
+    "--with-libedit-lib=${libedit}/lib"
+    "--with-berkeley-db-include=${db.dev}/include"
+    "--with-berkeley-db"
+
+    "--without-x"
+    "--disable-afs-string-to-key"
+  ]
+  ++ lib.optionals withCapNG [
+    "--with-capng"
+  ]
+  ++ lib.optionals withCJSON [
+    "--with-cjson=${cjson}"
+  ]
+  ++ lib.optionals withOpenLDAP [
+    "--with-openldap=${openldap.dev}"
+  ]
+  ++ lib.optionals withOpenLDAPAsHDBModule [
+    "--enable-hdb-openldap-module"
+  ]
+  ++ lib.optionals withSQLite3 [
+    "--with-sqlite3=${sqlite.dev}"
+  ];
+
+  patches = [
+    # Proposed @ https://github.com/heimdal/heimdal/pull/1262
+    ./0001-Include-db.h-for-nbdb-compat-mode.patch
+    # Proposed @ https://github.com/heimdal/heimdal/pull/1264
+    ./0001-Define-HAVE_DB_185_H.patch
+    # Proposed @ https://github.com/heimdal/heimdal/pull/1265
+    ./0001-Link-tests-with-libresolv.patch
+  ];
+
+  # (check-ldap) slapd resides within ${openldap}/libexec,
+  #              which is not part of $PATH by default.
+  # (check-ldap) prepending ${openldap}/bin to the path to avoid
+  #              using the default installation of openldap on unsandboxed darwin systems,
+  #              which does not support the new mdb backend at the moment (2024-01-13).
+  # (check-ldap) the bdb backend got deprecated in favour of mdb in openldap 2.5.0,
+  #              but the heimdal tests still seem to expect bdb as the openldap backend.
+  #              This might be fixed upstream in a future update.
+  postPatch = ''
+    substituteInPlace tests/ldap/slapd-init.in \
+      --replace-fail 'SCHEMA_PATHS="' 'SCHEMA_PATHS="${openldap}/etc/schema '
+    substituteInPlace tests/ldap/check-ldap.in \
+      --replace-fail 'PATH=' 'PATH=${openldap}/libexec:${openldap}/bin:'
+    substituteInPlace tests/ldap/slapd.conf \
+      --replace-fail 'database	bdb' 'database mdb'
+    substituteInPlace tests/kdc/check-iprop.in \
+      --replace-fail '/bin/pwd' 'pwd'
+  '';
+
+  # (test_cc) heimdal uses librokens implementation of `secure_getenv` on darwin,
+  #           which expects either USER or LOGNAME to be set.
+  preCheck = lib.optionalString (stdenv.hostPlatform.isDarwin) ''
+    export USER=nix-builder
+  '';
+
+  # We need to build hcrypt for applications like samba
+  postBuild = ''
+    (cd include/hcrypto; make -j $NIX_BUILD_CORES)
+    (cd lib/hcrypto; make -j $NIX_BUILD_CORES)
+  '';
+
+  postInstall = ''
+    # Install hcrypto
+    (cd include/hcrypto; make -j $NIX_BUILD_CORES install)
+    (cd lib/hcrypto; make -j $NIX_BUILD_CORES install)
+
+    mkdir -p $dev/bin
+    mv $out/bin/krb5-config $dev/bin/
+
+    # asn1 compilers, move them to $dev
+    mv $out/libexec/heimdal/* $dev/bin
+    rmdir $out/libexec/heimdal
+
+    # compile_et is needed for cross-compiling this package and samba
+    mv lib/com_err/.libs/compile_et $dev/bin
+  '';
+
+  # Issues with hydra
+  #  In file included from hxtool.c:34:0:
+  #  hx_locl.h:67:25: fatal error: pkcs10_asn1.h: No such file or directory
+  #enableParallelBuilding = true;
+
+  passthru = {
+    implementation = "heimdal";
+    tests.nixos = nixosTests.kerberos.heimdal;
+  };
+
+  meta = with lib; {
+    homepage = "https://www.heimdal.software";
+    changelog = "https://github.com/heimdal/heimdal/releases";
+    description = "Implementation of Kerberos 5 (and some more stuff)";
+    license = licenses.bsd3;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [
+      h7x4
+      dblsaiko
+    ];
+  };
+}

pkgs/development/libraries/kerberos/krb5.nix

@@ -0,0 +1,180 @@
+{
+  lib,
+  stdenv,
+  fetchurl,
+  bootstrap_cmds,
+  byacc, # can also use bison, but byacc has fewer dependencies
+  keyutils,
+  openssl,
+  bashNonInteractive,
+  perl,
+  pkg-config,
+
+  # for passthru.tests
+  bind,
+  curl,
+  nixosTests,
+  openssh,
+  postgresql,
+  python3,
+
+  # Extra Arguments
+  withLdap ? false,
+  openldap,
+  withLibedit ? true,
+  libedit,
+  withVerto ? false,
+  libverto,
+
+  # This is called "staticOnly" because krb5 does not support
+  # builting both static and shared, see below.
+  staticOnly ? false,
+}:
+
+stdenv.mkDerivation rec {
+  pname = "krb5";
+  version = "1.22.1";
+
+  __structuredAttrs = true;
+
+  src = fetchurl {
+    url = "https://kerberos.org/dist/krb5/${lib.versions.majorMinor version}/krb5-${version}.tar.gz";
+    hash = "sha256-GogyuMrZI+u/E5T2fi789B46SfRgKFpm41reyPoAU68=";
+  };
+
+  outputs = [
+    "out"
+    "lib"
+    "dev"
+  ];
+
+  # While "out" acts as the bin output, most packages only care about the lib output.
+  # We set prefix such that all the pkg-config configuration stays inside the dev and lib outputs.
+  # stdenv will take care of overriding bindir, sbindir, etc. such that "out" contains the binaries.
+  prefix = placeholder "lib";
+
+  env = {
+    # The release 1.21.3 is not compatible with c23, which changed the meaning of
+    #
+    #     void foo();
+    #
+    # declaration.
+    NIX_CFLAGS_COMPILE = "-std=gnu17" + lib.optionalString stdenv.hostPlatform.isStatic " -fcommon";
+  };
+
+  configureFlags = [
+    "--localstatedir=/var/lib"
+    (lib.withFeature withLdap "ldap")
+    (lib.withFeature withLibedit "libedit")
+    (lib.withFeature withVerto "system-verto")
+  ]
+  # krb5's ./configure does not allow passing --enable-shared and --enable-static at the same time.
+  # See https://bbs.archlinux.org/viewtopic.php?pid=1576737#p1576737
+  ++ lib.optionals staticOnly [
+    "--enable-static"
+    "--disable-shared"
+  ]
+  ++ lib.optional stdenv.hostPlatform.isFreeBSD ''WARN_CFLAGS=''
+  ++ lib.optionals (stdenv.buildPlatform != stdenv.hostPlatform) [
+    "krb5_cv_attr_constructor_destructor=yes,yes"
+    "ac_cv_func_regcomp=yes"
+    "ac_cv_printf_positional=yes"
+  ];
+
+  strictDeps = true;
+
+  nativeBuildInputs = [
+    byacc
+    perl
+    pkg-config
+  ]
+  # Provides the mig command used by the build scripts
+  ++ lib.optional stdenv.hostPlatform.isDarwin bootstrap_cmds;
+
+  buildInputs = [
+    openssl
+    bashNonInteractive # cannot use bashInteractive because of a dependency cycle
+  ]
+  ++ lib.optionals (
+    stdenv.hostPlatform.isLinux
+    && stdenv.hostPlatform.libc != "bionic"
+    && !(stdenv.hostPlatform.useLLVM or false)
+  ) [ keyutils ]
+  ++ lib.optionals withLdap [ openldap ]
+  ++ lib.optionals withLibedit [ libedit ]
+  ++ lib.optionals withVerto [ libverto ];
+
+  sourceRoot = "krb5-${version}/src";
+
+  postPatch = ''
+    substituteInPlace config/shlib.conf \
+      --replace "'ld " "'${stdenv.cc.targetPrefix}ld "
+  ''
+  # this could be accomplished by updateAutotoolsGnuConfigScriptsHook, but that causes infinite recursion
+  # necessary for FreeBSD code path in configure
+  + ''
+    substituteInPlace ./config/config.guess --replace-fail /usr/bin/uname uname
+  '';
+
+  libFolders = [
+    "util"
+    "include"
+    "lib"
+    "build-tools"
+  ];
+
+  # To avoid cyclic outputs, we can't let lib depend on out in any way. Unfortunately, the configure
+  # options don't give us enough granularity to specify that, so we have to override the generated
+  # Makefiles manually.
+  postConfigure = ''
+    find "''${libFolders[@]}" -type f -name Makefile -print0 | while IFS= read -rd "" f; do
+      substituteInPlace "$f" --replace-fail "$out" "$lib"
+    done
+  '';
+
+  preInstall = ''
+    mkdir -p "$lib"/{bin,sbin,lib/pkgconfig,share/{et,man/man1}}
+  '';
+
+  postInstall = ''
+    # not via outputBin, due to reference from libkrb5.so
+    moveToOutput bin/krb5-config "$dev"
+    moveToOutput sbin/krb5-send-pr "$out"
+    moveToOutput bin/compile_et "$out"
+  '';
+
+  # Disable _multioutDocs in stdenv by overriding it to be a no-op.
+  # We do this because $lib has its own docs and we don't want to squash them into $out.
+  preFixup = ''
+    _multioutDocs() {
+      echo Skipping multioutDocs
+    }
+  '';
+
+  enableParallelBuilding = true;
+  doCheck = false; # fails with "No suitable file for testing purposes"
+
+  outputChecks.lib.disallowedRequisites = [
+    # bash cannot be here because of a dependency cycle
+    bashNonInteractive
+  ];
+
+  meta = with lib; {
+    description = "MIT Kerberos 5";
+    homepage = "http://web.mit.edu/kerberos/";
+    license = licenses.mit;
+    platforms = platforms.unix ++ platforms.windows;
+  };
+
+  passthru = {
+    implementation = "krb5";
+    tests = {
+      inherit (nixosTests) kerberos;
+      inherit (python3.pkgs) requests-credssp;
+      bind = bind.override { enableGSSAPI = true; };
+      curl = curl.override { gssSupport = true; };
+      openssh = openssh.override { withKerberos = true; };
+      postgresql = postgresql.override { gssSupport = true; };
+    };
+  };
+}