pyauth · mathiasertl · Dec 27, 2024 · Dec 27, 2024 · Dec 27, 2024 · Dec 27, 2024
diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml
@@ -1,6 +1,8 @@
 name: Code quality
 on:
   push:
+env:
+  UV_PYTHON_PREFERENCE: only-system
 jobs:
   run:
     runs-on: ubuntu-latest
@@ -20,7 +22,7 @@ jobs:
           architecture: x64
 
       - name: Install dev dependencies
-        run: uv sync --python-preference only-system
+        run: uv sync
 
       - name: ruff format
         run: uv run ruff format --diff .

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -0,0 +1,57 @@
+name: Tests
+on:
+  push:
+env:
+  UV_PYTHON_PREFERENCE: only-system
+  PKCS11_TOKEN_LABEL: TEST
+  PKCS11_TOKEN_PIN: 1234
+  PKCS11_TOKEN_SO_PIN: 5678
+jobs:
+  run:
+    # Run in Ubuntu 22.04 right now, as oscrypto fails on OpenSSL versions with a
+    # double-digit patch number (such as provided by Ubuntu 24.04):
+    #   https://community.snowflake.com/s/article/Python-Connector-fails-to-connect-with-LibraryNotFoundError-Error-detecting-the-version-of-libcrypto
+    #   https://github.com/wbond/oscrypto/issues/78
+    runs-on: ubuntu-22.04
+    strategy:
+      matrix:
+        python-version:
+          - "3.9"
+          - "3.10"
+          - "3.11"
+          - "3.12"
+          - "3.13"
+
+    steps:
+      - name: Acquire sources
+        uses: actions/checkout@v4.1.1
+
+      - name: Setup Python
+        uses: actions/setup-python@v5.0.0
+        with:
+          python-version: ${{ matrix.python-version }}
+          architecture: x64
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v4
+        with:
+          enable-cache: true
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install dev dependencies
+        run: uv sync --all-extras
+
+      # Locally compile softhsmv2. For unknown reasons, the version installed by Ubuntu fails on
+      # Github Actions (while working e.g. in Docker).
+      - name: Install Softhsm
+        run: |
+          curl https://dist.opendnssec.org/source/softhsm-2.6.1.tar.gz | tar -zxv
+          (cd softhsm-2.6.1 && ./configure --prefix=$HOME --disable-p11-kit --disable-gost && make all install CC="gcc" CXX="g++")
+          echo "$HOME/bin" >> "$GITHUB_PATH"
+          echo "PKCS11_MODULE=$HOME/lib/softhsm/libsofthsm2.so" >> "$GITHUB_ENV"
+
+      - name: Initialize token
+        run: softhsm2-util --init-token --free --label $PKCS11_TOKEN_LABEL --pin $PKCS11_TOKEN_PIN --so-pin $PKCS11_TOKEN_SO_PIN
+
+      - name: Run tests
+        run: uv run pytest -v
diff --git a/.travis.yml b/.travis.yml
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,27 @@
+ARG IMAGE=debian:stable
+FROM $IMAGE
+
+RUN apt-get update && \
+    DEBIAN_FRONTEND="noninteractive" apt-get install -y gcc python3 python3-dev softhsm2 openssl && \
+    rm -rf /var/lib/apt/lists/*
+
+COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
+
+WORKDIR /test
+
+ADD uv.lock pyproject.toml setup.py .
+ADD pkcs11/ pkcs11/
+ADD extern/ extern/
+
+ENV UV_LINK_MODE=copy
+RUN --mount=type=cache,target=/root/.cache/uv \
+    uv sync --all-extras
+
+ENV PKCS11_MODULE=/usr/lib/softhsm/libsofthsm2.so
+ENV PKCS11_TOKEN_LABEL=TEST
+ENV PKCS11_TOKEN_PIN=1234
+ENV PKCS11_TOKEN_SO_PIN=5678
+RUN softhsm2-util --init-token --free --label TEST --pin 1234 --so-pin 5678
+
+ADD tests/ tests/
+CMD ["uv", "run", "pytest", "-v"]
diff --git a/pyproject.toml b/pyproject.toml
@@ -60,9 +60,11 @@ include = ["pkcs11*"]
 dev = [
     "cryptography>=44.0.0",
     "oscrypto>=1.3.0",
+    "parameterized>=0.9.0",
+    "pytest>=8.3.4",
     "ruff>=0.8.3",
     "setuptools>=75.6.0",
     "setuptools-scm>=8.1.0",
     "sphinx>=7.4.7",
     "sphinx-rtd-theme>=3.0.2",
-]
+]
diff --git a/tests/test_x509.py b/tests/test_x509.py
@@ -5,6 +5,7 @@
 import base64
 import datetime
 import subprocess
+import tempfile
 
 from asn1crypto import pem
 from asn1crypto.csr import CertificationRequest, CertificationRequestInfo
@@ -223,13 +224,21 @@ def test_self_sign_certificate(self):
             }
         )
 
-        # Pipe our certificate to OpenSSL to verify it
-        with subprocess.Popen(
-            (OPENSSL, "verify"), stdin=subprocess.PIPE, stdout=subprocess.DEVNULL
-        ) as proc:
-            proc.stdin.write(pem.armor("CERTIFICATE", cert.dump()))
-            proc.stdin.close()
-            self.assertEqual(proc.wait(), 0)
+        pem_cert = pem.armor("CERTIFICATE", cert.dump())
+
+        with tempfile.NamedTemporaryFile() as pem_file:
+            pem_file.write(pem_cert)
+            pem_file.flush()
+
+            # Pipe our certificate to OpenSSL to verify it
+            with subprocess.Popen(
+                (OPENSSL, "verify", "-CAfile", pem_file.name),
+                stdin=subprocess.PIPE,
+                stdout=subprocess.DEVNULL,
+            ) as proc:
+                proc.stdin.write(pem.armor("CERTIFICATE", cert.dump()))
+                proc.stdin.close()
+                self.assertEqual(proc.wait(), 0)
 
     @Only.openssl
     @requires(Mechanism.RSA_PKCS_KEY_PAIR_GEN, Mechanism.SHA1_RSA_PKCS)

diff --git a/uv.lock b/uv.lock