apparmor/.gitlab-ci.yml

---
image: ubuntu:latest

# XXX - add a deploy stage to publish man pages, docs, and coverage
# reports

stages:
  - build
  - test

.ubuntu-before_script:
  before_script:
    - export DEBIAN_FRONTEND=noninteractive
    - apt-get update -qq
    - apt-get install --no-install-recommends -y gcc perl liblocale-gettext-perl linux-libc-dev lsb-release make
    - lsb_release -a
    - uname -a

.install-c-build-deps: &install-c-build-deps
  - apt-get install --no-install-recommends -y build-essential apache2-dev autoconf autoconf-archive automake bison dejagnu flex libpam-dev libtool pkg-config python3-all-dev python3-setuptools ruby-dev swig zlib1g-dev

build-all:
  stage: build
  extends:
    - .ubuntu-before_script
  artifacts:
    name: ${CI_COMMIT_REF_NAME}-${CI_COMMIT_SHA}
    expire_in: 30 days
    untracked: true
    paths:
      - libraries/libapparmor/
      - parser/
      - binutils/
      - utils/
      - changehat/mod_apparmor/
      - changehat/pam_apparmor/
      - profiles/
  script:
    - *install-c-build-deps
    - cd libraries/libapparmor && ./autogen.sh && ./configure --with-perl --with-python --prefix=/usr && make && cd ../.. || { cat config.log ; exit 1 ; }
    - make -C parser
    - make -C binutils
    - make -C utils
    - make -C changehat/mod_apparmor
    - make -C changehat/pam_apparmor
    - make -C profiles

test-libapparmor:
  stage: test
  needs: ["build-all"]
  extends:
    - .ubuntu-before_script
  script:
    - *install-c-build-deps
    - make -C libraries/libapparmor check

test-parser:
  stage: test
  needs: ["build-all"]
  extends:
    - .ubuntu-before_script
  script:
    - *install-c-build-deps
    - make -C parser check

test-binutils:
  stage: test
  needs: ["build-all"]
  extends:
    - .ubuntu-before_script
  script:
    - make -C binutils check

test-utils:
  stage: test
  needs: ["build-all"]
  extends:
    - .ubuntu-before_script
  script:
    - apt-get install --no-install-recommends -y libc6-dev libjs-jquery libjs-jquery-throttle-debounce libjs-jquery-isonscreen libjs-jquery-tablesorter pyflakes3 python3-coverage python3-notify2 python3-psutil python3-setuptools
    # See apparmor/apparmor#221
    - make -C parser/tst gen_dbus
    - make -C parser/tst gen_xtrans
    - make -C utils check
    - make -C utils/test coverage-regression
  artifacts:
    paths:
      - utils/test/htmlcov/
    when: always

test-mod-apparmor:
  stage: test
  needs: ["build-all"]
  extends:
    - .ubuntu-before_script
  script:
    - make -C changehat/mod_apparmor check

test-profiles:
  stage: test
  needs: ["build-all"]
  extends:
    - .ubuntu-before_script
  script:
    - make -C profiles check-parser
    - make -C profiles check-abstractions.d
    - make -C profiles check-extras

shellcheck:
  stage: test
  needs: []
  extends:
    - .ubuntu-before_script
  script:
  - apt-get install --no-install-recommends -y python3-minimal file shellcheck xmlstarlet
  - shellcheck --version
  - './tests/bin/shellcheck-tree --format=checkstyle
       | xmlstarlet tr tests/checkstyle2junit.xslt
       > shellcheck.xml'
  artifacts:
    when: always
    reports:
      junit: shellcheck.xml

# Disabled due to aa-logprof dependency on /sbin/apparmor_parser existing
#   - make -C profiles check-profiles

# test-pam_apparmor:
#  - stage: test
#  - script:
#    - cd changehat/pam_apparmor && make check

include:
  - template: SAST.gitlab-ci.yml
  - template: Secret-Detection.gitlab-ci.yml

variables:
  SAST_EXCLUDED_ANALYZERS: "eslint,flawfinder,semgrep,spotbugs"
  SAST_BANDIT_EXCLUDED_PATHS: "*/tst/*, */test/*"