Diffstat (limited to 'nixpkgs/pkgs/development/libraries/kerberos')
-rw-r--r--nixpkgs/pkgs/development/libraries/kerberos/heimdal.nix178
-rw-r--r--nixpkgs/pkgs/development/libraries/kerberos/krb5.nix130
2 files changed, 308 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/development/libraries/kerberos/heimdal.nix b/nixpkgs/pkgs/development/libraries/kerberos/heimdal.nix
new file mode 100644
index 000000000000..ff211b6b9c34
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/kerberos/heimdal.nix
@@ -0,0 +1,178 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, autoreconfHook
+, pkg-config
+, python3
+, perl
+, bison
+, flex
+, texinfo
+, perlPackages
+
+, openldap
+, libcap_ng
+, sqlite
+, openssl
+, db
+, libedit
+, pam
+, krb5
+, libmicrohttpd
+, cjson
+
+, CoreFoundation
+, Security
+, SystemConfiguration
+
+, curl
+, jdk
+, unzip
+, which
+
+, nixosTests
+
+, withCJSON ? true
+, withCapNG ? stdenv.isLinux
+# libmicrohttpd should theoretically work for darwin as well, but something is broken.
+# It affects tests check-bx509d and check-httpkadmind.
+, withMicroHTTPD ? stdenv.isLinux
+, withOpenLDAP ? true
+, withOpenLDAPAsHDBModule ? false
+, withOpenSSL ? true
+, withSQLite3 ? true
+}:
+
+assert lib.assertMsg (withOpenLDAPAsHDBModule -> withOpenLDAP) ''
+  OpenLDAP needs to be enabled in order to build the OpenLDAP HDB Module.
+'';
+
+stdenv.mkDerivation {
+  pname = "heimdal";
+  version = "7.8.0-unstable-2023-11-29";
+
+  src = fetchFromGitHub {
+    owner = "heimdal";
+    repo = "heimdal";
+    rev = "3253c49544eacb33d5ad2f6f919b0696e5aab794";
+    hash = "sha256-uljzQBzXrZCZjcIWfioqHN8YsbUUNy14Vo+A3vZIXzM=";
+  };
+
+  outputs = [ "out" "dev" "man" "info" ];
+
+  nativeBuildInputs = [
+    autoreconfHook
+    pkg-config
+    python3
+    perl
+    bison
+    flex
+    texinfo
+  ]
+  ++ (with perlPackages; [ JSON ]);
+
+  buildInputs = [ db libedit pam ]
+    ++ lib.optionals (stdenv.isDarwin) [ CoreFoundation Security SystemConfiguration ]
+    ++ lib.optionals (withCJSON) [ cjson ]
+    ++ lib.optionals (withCapNG) [ libcap_ng ]
+    ++ lib.optionals (withMicroHTTPD) [ libmicrohttpd ]
+    ++ lib.optionals (withOpenLDAP) [ openldap ]
+    ++ lib.optionals (withOpenSSL) [ openssl ]
+    ++ lib.optionals (withSQLite3) [ sqlite ];
+
+  doCheck = true;
+  nativeCheckInputs = [
+    curl
+    jdk
+    unzip
+    which
+  ];
+
+  configureFlags = [
+    "--with-libedit-include=${libedit.dev}/include"
+    "--with-libedit-lib=${libedit}/lib"
+    "--with-berkeley-db-include=${db.dev}/include"
+    "--with-berkeley-db"
+
+    "--without-x"
+    "--disable-afs-string-to-key"
+  ] ++ lib.optionals (withCapNG) [
+    "--with-capng"
+  ] ++ lib.optionals (withCJSON) [
+    "--with-cjson=${cjson}"
+  ] ++ lib.optionals (withOpenLDAP) [
+    "--with-openldap=${openldap.dev}"
+  ] ++ lib.optionals (withOpenLDAPAsHDBModule) [
+    "--enable-hdb-openldap-module"
+  ] ++ lib.optionals (withSQLite3) [
+    "--with-sqlite3=${sqlite.dev}"
+  ];
+
+  # (check-ldap) slapd resides within ${openldap}/libexec,
+  #              which is not part of $PATH by default.
+  # (check-ldap) prepending ${openldap}/bin to the path to avoid
+  #              using the default installation of openldap on unsandboxed darwin systems,
+  #              which does not support the new mdb backend at the moment (2024-01-13).
+  # (check-ldap) the bdb backend got deprecated in favour of mdb in openldap 2.5.0,
+  #              but the heimdal tests still seem to expect bdb as the openldap backend.
+  #              This might be fixed upstream in a future update.
+  patchPhase = ''
+    runHook prePatch
+
+    substituteInPlace tests/ldap/slapd-init.in \
+      --replace 'SCHEMA_PATHS="' 'SCHEMA_PATHS="${openldap}/etc/schema '
+    substituteInPlace tests/ldap/check-ldap.in \
+      --replace 'PATH=' 'PATH=${openldap}/libexec:${openldap}/bin:'
+    substituteInPlace tests/ldap/slapd.conf \
+      --replace 'database	bdb' 'database mdb'
+
+    runHook postPatch
+  '';
+
+  # (test_cc) heimdal uses librokens implementation of `secure_getenv` on darwin,
+  #           which expects either USER or LOGNAME to be set.
+  preCheck = lib.optionalString (stdenv.isDarwin) ''
+    export USER=nix-builder
+  '';
+
+  # We need to build hcrypt for applications like samba
+  postBuild = ''
+    (cd include/hcrypto; make -j $NIX_BUILD_CORES)
+    (cd lib/hcrypto; make -j $NIX_BUILD_CORES)
+  '';
+
+  postInstall = ''
+    # Install hcrypto
+    (cd include/hcrypto; make -j $NIX_BUILD_CORES install)
+    (cd lib/hcrypto; make -j $NIX_BUILD_CORES install)
+
+    mkdir -p $dev/bin
+    mv $out/bin/krb5-config $dev/bin/
+
+    # asn1 compilers, move them to $dev
+    mv $out/libexec/heimdal/* $dev/bin
+    rmdir $out/libexec/heimdal
+
+    # compile_et is needed for cross-compiling this package and samba
+    mv lib/com_err/.libs/compile_et $dev/bin
+  '';
+
+  # Issues with hydra
+  #  In file included from hxtool.c:34:0:
+  #  hx_locl.h:67:25: fatal error: pkcs10_asn1.h: No such file or directory
+  #enableParallelBuilding = true;
+
+  passthru = {
+    implementation = "heimdal";
+    tests.nixos = nixosTests.kerberos.heimdal;
+  };
+
+  meta = with lib; {
+    homepage = "https://www.heimdal.software";
+    changelog = "https://github.com/heimdal/heimdal/releases";
+    description = "An implementation of Kerberos 5 (and some more stuff)";
+    license = licenses.bsd3;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [ h7x4 ];
+  };
+}
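Review bot: Defining `patchPhase` replaces stdenv's default patch phase, so a `patches = [ ... ]` list added to this derivation later (for example a backported security fix for the pinned unstable revision) would not be applied, and nothing would report it. The three `substituteInPlace` calls only touch test fixtures and do not need to own the phase. Renaming the attribute to `postPatch = ''` and dropping the `runHook prePatch` / `runHook postPatch` lines keeps the same substitutions while leaving normal patch handling intact.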
diff --git a/nixpkgs/pkgs/development/libraries/kerberos/krb5.nix b/nixpkgs/pkgs/development/libraries/kerberos/krb5.nix
new file mode 100644
index 000000000000..bfa2974bdc5b
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/kerberos/krb5.nix
@@ -0,0 +1,130 @@
+{ lib, stdenv, fetchurl, pkg-config, perl, bison, bootstrap_cmds
+, openssl, openldap, libedit, keyutils, libverto, darwin
+
+# for passthru.tests
+, bind
+, curl
+, nixosTests
+, openssh
+, postgresql
+, python3
+
+# Extra Arguments
+, type ? ""
+# This is called "staticOnly" because krb5 does not support
+# builting both static and shared, see below.
+, staticOnly ? false
+, withLdap ? false
+, withVerto ? false
+}:
+
+# Note: this package is used for bootstrapping fetchurl, and thus
+# cannot use fetchpatch! All mutable patches (generated by GitHub or
+# cgit) that are needed here should be included directly in Nixpkgs as
+# files.
+
+let
+  libOnly = type == "lib";
+in
+
+assert withLdap -> !libOnly;
+
+stdenv.mkDerivation rec {
+  pname = "${type}krb5";
+  version = "1.21.2";
+
+  src = fetchurl {
+    url = "https://kerberos.org/dist/krb5/${lib.versions.majorMinor version}/krb5-${version}.tar.gz";
+    hash = "sha256-lWCUGp2EPAJDpxsXp6xv4xx867W845g9t55Srn6FBJE=";
+  };
+
+  outputs = [ "out" "dev" ];
+
+  configureFlags = [ "--localstatedir=/var/lib" ]
+    # krb5's ./configure does not allow passing --enable-shared and --enable-static at the same time.
+    # See https://bbs.archlinux.org/viewtopic.php?pid=1576737#p1576737
+    ++ lib.optionals staticOnly [ "--enable-static" "--disable-shared" ]
+    ++ lib.optional withLdap "--with-ldap"
+    ++ lib.optional withVerto "--with-system-verto"
+    ++ lib.optional stdenv.isFreeBSD ''WARN_CFLAGS=""''
+    ++ lib.optionals (stdenv.buildPlatform != stdenv.hostPlatform)
+       [ "krb5_cv_attr_constructor_destructor=yes,yes"
+         "ac_cv_func_regcomp=yes"
+         "ac_cv_printf_positional=yes"
+       ];
+
+  nativeBuildInputs = [ pkg-config perl ]
+    ++ lib.optional (!libOnly) bison
+    # Provides the mig command used by the build scripts
+    ++ lib.optional stdenv.isDarwin bootstrap_cmds;
+
+  buildInputs = [ openssl ]
+    ++ lib.optionals (stdenv.hostPlatform.isLinux && stdenv.hostPlatform.libc != "bionic" && !(stdenv.hostPlatform.useLLVM or false)) [ keyutils ]
+    ++ lib.optionals (!libOnly) [ libedit ]
+    ++ lib.optionals withLdap [ openldap ]
+    ++ lib.optionals withVerto [ libverto ];
+
+  propagatedBuildInputs = lib.optionals stdenv.isDarwin (with darwin.apple_sdk; [
+    libs.xpc
+    frameworks.Kerberos
+  ]);
+
+  sourceRoot = "krb5-${version}/src";
+
+  postPatch = ''
+    substituteInPlace config/shlib.conf \
+        --replace "'ld " "'${stdenv.cc.targetPrefix}ld "
+  '';
+
+  libFolders = [ "util" "include" "lib" "build-tools" ];
+
+  buildPhase = lib.optionalString libOnly ''
+    runHook preBuild
+
+    MAKE="make -j $NIX_BUILD_CORES"
+    for folder in $libFolders; do
+      $MAKE -C $folder
+    done
+
+    runHook postBuild
+  '';
+
+  installPhase = lib.optionalString libOnly ''
+    runHook preInstall
+
+    mkdir -p "$out"/{bin,sbin,lib/pkgconfig,share/{et,man/man1}} \
+      "$dev"/include/{gssapi,gssrpc,kadm5,krb5}
+    for folder in $libFolders; do
+      $MAKE -C $folder install
+    done
+
+    runHook postInstall
+  '';
+
+  # not via outputBin, due to reference from libkrb5.so
+  postInstall = ''
+    moveToOutput bin/krb5-config "$dev"
+  '';
+
+  enableParallelBuilding = true;
+  doCheck = false; # fails with "No suitable file for testing purposes"
+
+  meta = with lib; {
+    description = "MIT Kerberos 5";
+    homepage = "http://web.mit.edu/kerberos/";
+    license = licenses.mit;
+    platforms = platforms.unix ++ platforms.windows;
+  };
+
+  passthru = {
+    implementation = "krb5";
+    tests = {
+      inherit (nixosTests) kerberos;
+      inherit (python3.pkgs) requests-credssp;
+      bind = bind.override { enableGSSAPI = true; };
+      curl = curl.override { gssSupport = true; };
+      openssh = openssh.override { withKerberos = true; };
+      postgresql = postgresql.override { gssSupport = true; };
+    };
+  };
+}
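Review bot: The libOnly `installPhase` expands `$MAKE`, but that variable is only assigned inside the libOnly `buildPhase`, so the install loop works only when both phases run in the same shell in that order. If the install phase is run on its own (for example from a development shell), `$MAKE` is empty and the loop tries to execute `-C` as a command. Writing the loop body as `make -j $NIX_BUILD_CORES -C $folder install`, or repeating `MAKE="make -j $NIX_BUILD_CORES"` at the top of `installPhase`, removes the hidden coupling. A short comment such as `# empty when !libOnly, so stdenv should fall back to its default phase` above both `lib.optionalString libOnly` phases would also document why the non-lib build still gets built and installed.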