CI: Use noble image for QA tests

.github/workflows/auto-updates.yaml

@@ -12,29 +12,26 @@ permissions:
   contents: write
 
 # Jobs in this action must not run concurrently, as they modify the repository.
-# When adding more jobs, make sure to use the "needs:" atribute to make sure they run sequentially.
+# When adding more jobs, make sure to use the "needs:" attribute to make sure they run sequentially.
 jobs:
   update-rust-packaging:
     name: Update packaging related Rust files
-    runs-on: ubuntu-latest
-    # Right now, ubuntu 22.04 does not have the dh-cargo-vendored-sources script that is needed to
-    # run this job, so we need to run it inside a rolling container to get the latest version possible.
-    # This should be updated as soon as the dh-cargo version with the mentioned script gets ported to
-    # 22.04 or ubuntu-latest changes to a more recent version.
-    container:
-      image: ubuntu:rolling
+    runs-on: ubuntu-24.04 # ubuntu-latest-runner
     steps:
       - name: Install dependencies
+        env:
+          DEBIAN_FRONTEND: noninteractive
         run: |
-          DEBIAN_FRONTEND=noninteractive apt update
-          DEBIAN_FRONTEND=noninteractive apt install -y cargo dh-cargo git jq
+          sudo apt update
+          sudo apt install cargo dh-cargo git jq
       - uses: actions/checkout@v4
         with:
           ref: main
       - name: Vendor the dependencies
         run: |
           cargo vendor vendor_rust/
       - name: Update XS-Vendored-Sources-Rust
+        shell: bash
         run: |
           set -eu
 
@@ -48,12 +45,6 @@ jobs:
           sed -i "s/^XS-Vendored-Sources-Rust:.*/$OUTPUT/" debian/control
 
           echo "modified=true" >> $GITHUB_ENV
-        shell: bash
-      # Since we run this job in a container, we need to manually add the safe directory due to some
-      # issues between actions/checkout and actions/runner, which seem to be triggered by multiple
-      # causes (e.g. https://github.com/actions/runner-images/issues/6775, https://github.com/actions/checkout/issues/1048#issuecomment-1356485556).
-      - name: work around permission issue with git vulnerability (we are local here). TO REMOVE
-        run: git config --global --add safe.directory "$PWD"
       - name: Create Pull Request
         if: ${{ env.modified == 'true' }}
         uses: peter-evans/create-pull-request@v7

.github/workflows/qa.yaml

@@ -30,7 +30,7 @@ env:
 jobs:
   go-sanity:
     name: "Go: Code sanity"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04 # ubuntu-latest-runner
     steps:
       - name: Install dependencies
         run: |
@@ -67,7 +67,7 @@ jobs:
 
   rust-sanity:
     name: "Rust: Code sanity"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04 # ubuntu-latest-runner
     steps:
       - name: Install dependencies
         run: |
@@ -81,7 +81,7 @@ jobs:
 
   c-sanity:
     name: "C Code sanity"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04 # ubuntu-latest-runner
     env:
       CFLAGS: "-Werror"
     steps:
@@ -122,7 +122,7 @@ jobs:
 
   go-tests:
     name: "Go: Tests"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04 # ubuntu-latest-runner
     strategy:
       fail-fast: false
       matrix:
@@ -170,6 +170,10 @@ jobs:
           chmod +x ttyd.x86_64
           sudo mv ttyd.x86_64 /usr/bin/ttyd
 
+      - name: Install Chromium for VHS tests
+        # It's used by vhs, installing it once speeds up tests.
+        uses: browser-actions/setup-chrome@v1
+
       - name: Install rust
         if: matrix.test != 'asan'
         uses: actions-rs/toolchain@v1
@@ -195,6 +199,7 @@ jobs:
         if: matrix.test == 'coverage'
         env:
           G_DEBUG: "fatal-criticals"
+          VHS_NO_SANDBOX: 1
         run: |
           set -euo pipefail
 
@@ -229,6 +234,7 @@ jobs:
         if: matrix.test == 'race'
         env:
           GO_TESTS_TIMEOUT: 35m
+          VHS_NO_SANDBOX: 1
         run: |
           go test -json -timeout ${GO_TESTS_TIMEOUT} -race ./... | \
             gotestfmt --logfile "${AUTHD_TEST_ARTIFACTS_PATH}/gotestfmt.race.log"
@@ -243,6 +249,7 @@ jobs:
           GO_TESTS_TIMEOUT: 30m
           # Use these flags to give ASAN a better time to unwind the stack trace
           GO_GC_FLAGS: -N -l
+          VHS_NO_SANDBOX: 1
         run: |
           # Print executed commands to ease debugging
           set -x
@@ -257,13 +264,11 @@ jobs:
           echo "Running PAM integration tests"
           pushd ./pam/integration-tests
           go test -asan -gcflags=all="${GO_GC_FLAGS}" -c
-          # FIXME: Suppression may be removed with newer libpam, as the one we ship in ubuntu as some leaks
-          LSAN_OPTIONS=suppressions=$(pwd)/lsan.supp \
-            go tool test2json -p pam/integrations-test ./integration-tests.test \
-              -test.v=test2json \
-              -test.timeout ${GO_TESTS_TIMEOUT} | \
-            gotestfmt --logfile "${AUTHD_TEST_ARTIFACTS_PATH}/gotestfmt.pam-integration-tests-asan.log" || \
-            exit_code=$?
+          go tool test2json -p pam/integrations-test ./integration-tests.test \
+            -test.v=test2json \
+            -test.timeout ${GO_TESTS_TIMEOUT} | \
+          gotestfmt --logfile "${AUTHD_TEST_ARTIFACTS_PATH}/gotestfmt.pam-integration-tests-asan.log" || \
+          exit_code=$?
           popd
 
           # We don't need the xtrace output after this point

pam/integration-tests/cli_test.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/msteinert/pam/v2"
 	"github.com/stretchr/testify/require"
+	"github.com/ubuntu/authd"
 	"github.com/ubuntu/authd/internal/testutils"
 	localgroupstestutils "github.com/ubuntu/authd/internal/users/localgroups/testutils"
 	"github.com/ubuntu/authd/pam/internal/pam_test"
@@ -57,31 +58,31 @@ func TestCLIAuthenticate(t *testing.T) {
 		},
 		"Authenticate user with qr code in a TTY": {
 			tape:         "qr_code",
-			tapeSettings: []tapeSetting{{vhsHeight, 650}},
+			tapeSettings: []tapeSetting{{vhsHeight, 800}},
 			clientOptions: clientOptions{
 				PamUser: "user-integration-qr-code-tty",
 				Term:    "linux",
 			},
 		},
 		"Authenticate user with qr code in a TTY session": {
 			tape:         "qr_code",
-			tapeSettings: []tapeSetting{{vhsHeight, 650}},
+			tapeSettings: []tapeSetting{{vhsHeight, 800}},
 			clientOptions: clientOptions{
 				PamUser: "user-integration-qr-code-tty-session",
 				Term:    "xterm-256color", SessionType: "tty",
 			},
 		},
 		"Authenticate user with qr code in screen": {
 			tape:         "qr_code",
-			tapeSettings: []tapeSetting{{vhsHeight, 650}},
+			tapeSettings: []tapeSetting{{vhsHeight, 800}},
 			clientOptions: clientOptions{
 				PamUser: "user-integration-qr-code-screen",
 				Term:    "screen",
 			},
 		},
 		"Authenticate user with qr code after many regenerations": {
 			tape:         "qr_code_quick_regenerate",
-			tapeSettings: []tapeSetting{{vhsHeight, 650}},
+			tapeSettings: []tapeSetting{{vhsHeight, 800}},
 		},
 		"Authenticate user and reset password while enforcing policy": {
 			tape: "mandatory_password_reset",
@@ -177,6 +178,8 @@ func TestCLIAuthenticate(t *testing.T) {
 			require.Equal(t, want, got, "Output of tape %q does not match golden file", tc.tape)
 
 			localgroupstestutils.RequireGPasswdOutput(t, gpasswdOutput, testutils.GoldenPath(t)+".gpasswd_out")
+
+			requireRunnerResultForUser(t, authd.SessionMode_AUTH, tc.clientOptions.PamUser, got)
 		})
 	}
 }
@@ -260,6 +263,8 @@ func TestCLIChangeAuthTok(t *testing.T) {
 			got := td.ExpectedOutput(t, outDir)
 			want := testutils.LoadWithUpdateFromGolden(t, got)
 			require.Equal(t, want, got, "Output of tape %q does not match golden file", tc.tape)
+
+			requireRunnerResult(t, authd.SessionMode_PASSWD, got)
 		})
 	}
 }

pam/integration-tests/native_test.go

@@ -8,6 +8,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/require"
+	"github.com/ubuntu/authd"
 	"github.com/ubuntu/authd/internal/testutils"
 	localgroupstestutils "github.com/ubuntu/authd/internal/users/localgroups/testutils"
 	"github.com/ubuntu/authd/pam/internal/pam_test"
@@ -34,6 +35,7 @@ func TestNativeAuthenticate(t *testing.T) {
 		clientOptions      clientOptions
 		currentUserNotRoot bool
 		wantLocalGroups    bool
+		skipRunnerCheck    bool
 	}{
 		"Authenticate user successfully": {
 			tape:          "simple_auth",
@@ -44,17 +46,17 @@ func TestNativeAuthenticate(t *testing.T) {
 		},
 		"Authenticate user with mfa": {
 			tape:          "mfa_auth",
-			tapeSettings:  []tapeSetting{{vhsHeight, 800}},
+			tapeSettings:  []tapeSetting{{vhsHeight, 1000}},
 			clientOptions: clientOptions{PamUser: "user-mfa-integration-auth"},
 		},
 		"Authenticate user with form mode with button": {
 			tape:          "form_with_button",
-			tapeSettings:  []tapeSetting{{vhsHeight, 600}},
+			tapeSettings:  []tapeSetting{{vhsHeight, 700}},
 			clientOptions: clientOptions{PamUser: "user-integration-form-w-button"},
 		},
 		"Authenticate user with qr code": {
 			tape:          "qr_code",
-			tapeSettings:  []tapeSetting{{vhsHeight, 2300}},
+			tapeSettings:  []tapeSetting{{vhsHeight, 3000}},
 			tapeVariables: map[string]string{"AUTHD_QRCODE_TAPE_ITEM": "7"},
 			clientOptions: clientOptions{PamUser: "user-integration-qr-code"},
 		},
@@ -236,8 +238,9 @@ func TestNativeAuthenticate(t *testing.T) {
 		},
 		// FIXME: While this works now, it requires proper handling via signal_fd
 		"Exit authd if user sigints": {
-			tape:          "sigint",
-			clientOptions: clientOptions{PamUser: "user-integration-sigint"},
+			tape:            "sigint",
+			clientOptions:   clientOptions{PamUser: "user-integration-sigint"},
+			skipRunnerCheck: true,
 		},
 	}
 	for name, tc := range tests {
@@ -277,6 +280,10 @@ func TestNativeAuthenticate(t *testing.T) {
 			require.Equal(t, want, got, "Output of tape %q does not match golden file", tc.tape)
 
 			localgroupstestutils.RequireGPasswdOutput(t, gpasswdOutput, testutils.GoldenPath(t)+".gpasswd_out")
+
+			if !tc.skipRunnerCheck {
+				requireRunnerResultForUser(t, authd.SessionMode_AUTH, tc.clientOptions.PamUser, got)
+			}
 		})
 	}
 }
@@ -298,6 +305,7 @@ func TestNativeChangeAuthTok(t *testing.T) {
 		tapeVariables map[string]string
 
 		currentUserNotRoot bool
+		skipRunnerCheck    bool
 	}{
 		"Change password successfully and authenticate with new one": {
 			tape: "passwd_simple",
@@ -341,7 +349,8 @@ func TestNativeChangeAuthTok(t *testing.T) {
 		},
 		// FIXME: While this works now, it requires proper handling via signal_fd
 		"Exit authd if user sigints": {
-			tape: "passwd_sigint",
+			tape:            "passwd_sigint",
+			skipRunnerCheck: true,
 		},
 	}
 	for name, tc := range tests {
@@ -365,6 +374,10 @@ func TestNativeChangeAuthTok(t *testing.T) {
 			got := td.ExpectedOutput(t, outDir)
 			want := testutils.LoadWithUpdateFromGolden(t, got)
 			require.Equal(t, want, got, "Output of tape %q does not match golden file", tc.tape)
+
+			if !tc.skipRunnerCheck {
+				requireRunnerResult(t, authd.SessionMode_PASSWD, got)
+			}
 		})
 	}
 }

pam/integration-tests/ssh_test.go

@@ -48,7 +48,7 @@ func testSSHAuthenticate(t *testing.T, sharedSSHd bool) {
 		t.Skip("Skipping tests with external dependencies as requested")
 	}
 
-	if uv := getUbuntuVersion(t); uv == 0 || uv >= 2404 {
+	if uv := getUbuntuVersion(t); uv == 0 || uv < 2404 {
 		require.Empty(t, os.Getenv("GITHUB_REPOSITORY"),
 			"Golden files needs to be updated to ensure CI runs on Ubuntu %v")
 		t.Skipf("Skipping SSH tests since they require new golden files for Ubuntu %v", uv)

pam/integration-tests/testdata/TestCLIAuthenticate/golden/authenticate_user_with_qr_code_in_a_tty

@@ -149,6 +149,7 @@ Scan the qrcode or enter the code in the login page
 ────────────────────────────────────────────────────────────────────────────────
 > if [ -v AUTHD_PAM_CLI_TERM ]; then export TERM=${AUTHD_PAM_CLI_TERM}; fi
 > ./pam_authd login socket=${AUTHD_TESTS_CLI_AUTHENTICATE_TESTS_SOCK}
+Scan the qrcode or enter the code in the login page
 
 ██████████████████████████████████████████████████████████████████████████
 ██████████████████████████████████████████████████████████████████████████
@@ -189,6 +190,8 @@ Scan the qrcode or enter the code in the login page
 ██████████████████████████████████████████████████████████████████████████
                        https://ubuntuforum-br.org/
                                    1339
+
+                            [ Regenerate code ]
 ────────────────────────────────────────────────────────────────────────────────
 > if [ -v AUTHD_PAM_CLI_TERM ]; then export TERM=${AUTHD_PAM_CLI_TERM}; fi
 > ./pam_authd login socket=${AUTHD_TESTS_CLI_AUTHENTICATE_TESTS_SOCK}

pam/integration-tests/testdata/TestCLIAuthenticate/golden/authenticate_user_with_qr_code_in_a_tty_session

@@ -149,6 +149,7 @@ Scan the qrcode or enter the code in the login page
 ────────────────────────────────────────────────────────────────────────────────
 > if [ -v AUTHD_PAM_CLI_TERM ]; then export TERM=${AUTHD_PAM_CLI_TERM}; fi
 > ./pam_authd login socket=${AUTHD_TESTS_CLI_AUTHENTICATE_TESTS_SOCK}
+Scan the qrcode or enter the code in the login page
 
 ██████████████████████████████████████████████████████████████████████████
 ██████████████████████████████████████████████████████████████████████████
@@ -189,6 +190,8 @@ Scan the qrcode or enter the code in the login page
 ██████████████████████████████████████████████████████████████████████████
                        https://ubuntuforum-br.org/
                                    1339
+
+                            [ Regenerate code ]
 ────────────────────────────────────────────────────────────────────────────────
 > if [ -v AUTHD_PAM_CLI_TERM ]; then export TERM=${AUTHD_PAM_CLI_TERM}; fi
 > ./pam_authd login socket=${AUTHD_TESTS_CLI_AUTHENTICATE_TESTS_SOCK}

pam/integration-tests/testdata/TestCLIAuthenticate/golden/authenticate_user_with_qr_code_in_screen

@@ -149,6 +149,7 @@ Scan the qrcode or enter the code in the login page
 ────────────────────────────────────────────────────────────────────────────────
 > if [ -v AUTHD_PAM_CLI_TERM ]; then export TERM=${AUTHD_PAM_CLI_TERM}; fi
 > ./pam_authd login socket=${AUTHD_TESTS_CLI_AUTHENTICATE_TESTS_SOCK}
+Scan the qrcode or enter the code in the login page
 
 ██████████████████████████████████████████████████████████████████████████
 ██████████████████████████████████████████████████████████████████████████
@@ -189,6 +190,8 @@ Scan the qrcode or enter the code in the login page
 ██████████████████████████████████████████████████████████████████████████
                        https://ubuntuforum-br.org/
                                    1339
+
+                            [ Regenerate code ]
 ────────────────────────────────────────────────────────────────────────────────
 > if [ -v AUTHD_PAM_CLI_TERM ]; then export TERM=${AUTHD_PAM_CLI_TERM}; fi
 > ./pam_authd login socket=${AUTHD_TESTS_CLI_AUTHENTICATE_TESTS_SOCK}

pam/integration-tests/testdata/TestNativeAuthenticate/golden/authenticate_user_with_form_mode_with_button

@@ -181,6 +181,8 @@ Enter 'r' to cancel the request and go back to select the authentication method
 Enter your one time credential:
 > temporary pass00
 PAM Authenticate() for user "user-integration-form-w-button" exited with success
+PAM AcctMgmt() exited with success
+>
 ────────────────────────────────────────────────────────────────────────────────
 > ./pam_authd login socket=${AUTHD_TESTS_CLI_AUTHENTICATE_TESTS_SOCK} force_native_client=true
 == Provider selection ==
@@ -221,4 +223,6 @@ Enter 'r' to cancel the request and go back to select the authentication method
 Enter your one time credential:
 > temporary pass00
 PAM Authenticate() for user "user-integration-form-w-button" exited with success
+PAM AcctMgmt() exited with success
+>
 ────────────────────────────────────────────────────────────────────────────────