Merge branch 'nixos-unstable-small' of https://github.com/NixOS/nixpkgs

Conflicts:
	nixpkgs/pkgs/build-support/rust/build-rust-package/default.nix

2 files changed, 124 insertions, 56 deletions

diff --git a/nixpkgs/pkgs/development/libraries/kerberos/heimdal-make-missing-headers.patch b/nixpkgs/pkgs/development/libraries/kerberos/heimdal-make-missing-headers.patch
deleted file mode 100644
index a0fa625538b7..000000000000
--- a/nixpkgs/pkgs/development/libraries/kerberos/heimdal-make-missing-headers.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- a/lib/hx509/Makefile.am 2018-03-21 15:41:38.622968809 +0100
-+++ b/lib/hx509/Makefile.am 2018-03-21 15:41:32.655162197 +0100
-@@ -9,6 +9,8 @@
-	sel-gram.h			\
-	$(gen_files_ocsp:.x=.c)		\
-	$(gen_files_pkcs10:.x=.c)	\
-+	ocsp_asn1.h			\
-+	pkcs10_asn1.h			\
-	hx509_err.c			\
-	hx509_err.h
diff --git a/nixpkgs/pkgs/development/libraries/kerberos/heimdal.nix b/nixpkgs/pkgs/development/libraries/kerberos/heimdal.nix
index e4a61a3c0731..ff211b6b9c34 100644
--- a/nixpkgs/pkgs/development/libraries/kerberos/heimdal.nix
+++ b/nixpkgs/pkgs/development/libraries/kerberos/heimdal.nix
@@ -1,63 +1,138 @@
-{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config, python3, perl, bison, flex
-, texinfo, perlPackages
-, openldap, libcap_ng, sqlite, openssl, db, libedit, pam
-, CoreFoundation, Security, SystemConfiguration
+{ lib
+, stdenv
+, fetchFromGitHub
+, autoreconfHook
+, pkg-config
+, python3
+, perl
+, bison
+, flex
+, texinfo
+, perlPackages
+
+, openldap
+, libcap_ng
+, sqlite
+, openssl
+, db
+, libedit
+, pam
+, krb5
+, libmicrohttpd
+, cjson
+
+, CoreFoundation
+, Security
+, SystemConfiguration
+
+, curl
+, jdk
+, unzip
+, which
+
+, nixosTests
+
+, withCJSON ? true
+, withCapNG ? stdenv.isLinux
+# libmicrohttpd should theoretically work for darwin as well, but something is broken.
+# It affects tests check-bx509d and check-httpkadmind.
+, withMicroHTTPD ? stdenv.isLinux
+, withOpenLDAP ? true
+, withOpenLDAPAsHDBModule ? false
+, withOpenSSL ? true
+, withSQLite3 ? true
 }:
 
-stdenv.mkDerivation rec {
+assert lib.assertMsg (withOpenLDAPAsHDBModule -> withOpenLDAP) ''
+  OpenLDAP needs to be enabled in order to build the OpenLDAP HDB Module.
+'';
+
+stdenv.mkDerivation {
   pname = "heimdal";
-  version = "7.8.0";
+  version = "7.8.0-unstable-2023-11-29";
 
   src = fetchFromGitHub {
     owner = "heimdal";
     repo = "heimdal";
-    rev = "heimdal-${version}";
-    sha256 = "sha256-iXOaar1S3y0xHdL0S+vS0uxoFQjy43kABxqE+KEhxjU=";
+    rev = "3253c49544eacb33d5ad2f6f919b0696e5aab794";
+    hash = "sha256-uljzQBzXrZCZjcIWfioqHN8YsbUUNy14Vo+A3vZIXzM=";
   };
 
   outputs = [ "out" "dev" "man" "info" ];
 
-  patches = [ ./heimdal-make-missing-headers.patch ];
-
-  nativeBuildInputs = [ autoreconfHook pkg-config python3 perl bison flex texinfo ]
-    ++ (with perlPackages; [ JSON ]);
-  buildInputs = lib.optionals (stdenv.isLinux) [ libcap_ng ]
-    ++ [ db sqlite openssl libedit openldap pam]
-    ++ lib.optionals (stdenv.isDarwin) [ CoreFoundation Security SystemConfiguration ];
+  nativeBuildInputs = [
+    autoreconfHook
+    pkg-config
+    python3
+    perl
+    bison
+    flex
+    texinfo
+  ]
+  ++ (with perlPackages; [ JSON ]);
+
+  buildInputs = [ db libedit pam ]
+    ++ lib.optionals (stdenv.isDarwin) [ CoreFoundation Security SystemConfiguration ]
+    ++ lib.optionals (withCJSON) [ cjson ]
+    ++ lib.optionals (withCapNG) [ libcap_ng ]
+    ++ lib.optionals (withMicroHTTPD) [ libmicrohttpd ]
+    ++ lib.optionals (withOpenLDAP) [ openldap ]
+    ++ lib.optionals (withOpenSSL) [ openssl ]
+    ++ lib.optionals (withSQLite3) [ sqlite ];
+
+  doCheck = true;
+  nativeCheckInputs = [
+    curl
+    jdk
+    unzip
+    which
+  ];
 
-  ## ugly, X should be made an option
   configureFlags = [
-    "--sysconfdir=/etc"
-    "--localstatedir=/var"
-    "--infodir=$info/share/info"
-    "--enable-hdb-openldap-module"
-    "--with-sqlite3=${sqlite.dev}"
-
-  # ugly, --with-libedit is not enought, it fall back to bundled libedit
     "--with-libedit-include=${libedit.dev}/include"
     "--with-libedit-lib=${libedit}/lib"
-    "--with-openssl=${openssl.dev}"
-    "--without-x"
-    "--with-berkeley-db"
     "--with-berkeley-db-include=${db.dev}/include"
-    "--with-openldap=${openldap.dev}"
-  ] ++ lib.optionals (stdenv.isLinux) [
+    "--with-berkeley-db"
+
+    "--without-x"
+    "--disable-afs-string-to-key"
+  ] ++ lib.optionals (withCapNG) [
     "--with-capng"
+  ] ++ lib.optionals (withCJSON) [
+    "--with-cjson=${cjson}"
+  ] ++ lib.optionals (withOpenLDAP) [
+    "--with-openldap=${openldap.dev}"
+  ] ++ lib.optionals (withOpenLDAPAsHDBModule) [
+    "--enable-hdb-openldap-module"
+  ] ++ lib.optionals (withSQLite3) [
+    "--with-sqlite3=${sqlite.dev}"
   ];
 
-  postUnpack = ''
-    sed -i '/^DEFAULT_INCLUDES/ s,$, -I..,' source/cf/Makefile.am.common
-    sed -i -e 's/date/date --date="@$SOURCE_DATE_EPOCH"/' source/configure.ac
+  # (check-ldap) slapd resides within ${openldap}/libexec,
+  #              which is not part of $PATH by default.
+  # (check-ldap) prepending ${openldap}/bin to the path to avoid
+  #              using the default installation of openldap on unsandboxed darwin systems,
+  #              which does not support the new mdb backend at the moment (2024-01-13).
+  # (check-ldap) the bdb backend got deprecated in favour of mdb in openldap 2.5.0,
+  #              but the heimdal tests still seem to expect bdb as the openldap backend.
+  #              This might be fixed upstream in a future update.
+  patchPhase = ''
+    runHook prePatch
+
+    substituteInPlace tests/ldap/slapd-init.in \
+      --replace 'SCHEMA_PATHS="' 'SCHEMA_PATHS="${openldap}/etc/schema '
+    substituteInPlace tests/ldap/check-ldap.in \
+      --replace 'PATH=' 'PATH=${openldap}/libexec:${openldap}/bin:'
+    substituteInPlace tests/ldap/slapd.conf \
+      --replace 'database	bdb' 'database mdb'
+
+    runHook postPatch
   '';
 
-  preConfigure = ''
-    configureFlagsArray+=(
-      "--bindir=$out/bin"
-      "--sbindir=$out/sbin"
-      "--libexecdir=$out/libexec/heimdal"
-      "--mandir=$man/share/man"
-      "--infodir=$man/share/info"
-      "--includedir=$dev/include")
+  # (test_cc) heimdal uses librokens implementation of `secure_getenv` on darwin,
+  #           which expects either USER or LOGNAME to be set.
+  preCheck = lib.optionalString (stdenv.isDarwin) ''
+    export USER=nix-builder
   '';
 
   # We need to build hcrypt for applications like samba
@@ -71,15 +146,12 @@ stdenv.mkDerivation rec {
     (cd include/hcrypto; make -j $NIX_BUILD_CORES install)
     (cd lib/hcrypto; make -j $NIX_BUILD_CORES install)
 
-    # Do we need it?
-    rm $out/bin/su
-
     mkdir -p $dev/bin
     mv $out/bin/krb5-config $dev/bin/
 
     # asn1 compilers, move them to $dev
-    mv $out/libexec/heimdal/heimdal/* $dev/bin
-    rmdir $out/libexec/heimdal/heimdal
+    mv $out/libexec/heimdal/* $dev/bin
+    rmdir $out/libexec/heimdal
 
     # compile_et is needed for cross-compiling this package and samba
     mv lib/com_err/.libs/compile_et $dev/bin
@@ -90,11 +162,17 @@ stdenv.mkDerivation rec {
   #  hx_locl.h:67:25: fatal error: pkcs10_asn1.h: No such file or directory
   #enableParallelBuilding = true;
 
+  passthru = {
+    implementation = "heimdal";
+    tests.nixos = nixosTests.kerberos.heimdal;
+  };
+
   meta = with lib; {
+    homepage = "https://www.heimdal.software";
+    changelog = "https://github.com/heimdal/heimdal/releases";
     description = "An implementation of Kerberos 5 (and some more stuff)";
     license = licenses.bsd3;
     platforms = platforms.unix;
+    maintainers = with maintainers; [ h7x4 ];
   };
-
-  passthru.implementation = "heimdal";
 }