# Generated by go2rpm 1.18.0
%bcond check 1

# SELinux policy store and module name used by the server-selinux subpackage.
%global selinuxtype targeted
%global modulename opkssh

# https://github.com/openpubkey/opkssh
%global goipath         github.com/openpubkey/opkssh
Version:                0.12.0

%gometa -L -f

Name:           opkssh
Release:        %autorelease
Summary:        OpenPubkey SSH

# Generated by go-vendor-tools
License:        Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND MIT AND Unlicense
URL:            %{gourl}
Source0:        %{gosource}
# Generated by go-vendor-tools
#Source1:        %{archivename}-vendor.tar.bz2
# The vendored Go dependencies are fetched as a pre-built tarball from the
# packager's hosting space, not from the upstream forge that serves Source0.
# NOTE(review): nothing in this spec pins the tarball's digest; presumably the
# build system's source checksum list does - confirm before updating the archive.
Source1:        https://thofmann.fedorapeople.org/opkssh/opkssh-0.12.0-vendor.tar.bz2
Source2:        go-vendor-tools.toml
# Upstream creates the configuration files from its install script instead of
# shipping them in the source tree, so they are carried here as separate sources.
# They are taken from:
# https://github.com/openpubkey/opkssh/blob/main/scripts/installing.md
Source3:        opkssh-providers
Source4:        opkssh-auth_id
Source5:        ssh-opkssh.conf
Source6:        sudoers-opkssh
Source7:        sysuser-opkssh.conf

BuildRequires:  bzip2
BuildRequires:  go-vendor-tools
BuildRequires:  selinux-policy-devel
BuildRequires:  systemd-rpm-macros
%{?sysusers_requires_compat}

%description
OpenPubkey SSH is a tool which enables ssh to be used with OpenID Connect
allowing SSH access to be managed via identities like alice@example.com
instead of long-lived SSH keys.

# The server side lives in its own subpackage so that opkssh authentication is
# not made available on client-only systems. This improves security by reducing
# the attack surface: the sshd drop-in, the sudoers rule and the SELinux module
# are only installed where the server subpackage is explicitly requested.
%package server
Summary:        Server configuration for OpenPubkey SSH
BuildArch:      noarch
Requires:       %{name} = %{version}-%{release}
Requires:       (opkssh-server-selinux if selinux-policy-%{selinuxtype})

%description server
Server configuration for opkssh (OpenPubkey SSH).

%package server-selinux
Summary:        SELinux policy for OpenPubkey SSH
BuildArch:      noarch
Requires(post): selinux-policy-%{selinuxtype}

%description server-selinux
SELinux policy for opkssh (OpenPubkey SSH).
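%package doc
Summary:        Documentation for OpenPubkey SSH
BuildArch:      noarch

%description doc
Documentation for opkssh (OpenPubkey SSH).

%prep
# Unpack the upstream source, then unpack the vendor tarball (Source1) into it.
%goprep -A
%setup -q -T -D -a1 %{forgesetupargs}
%autopatch -p1

%generate_buildrequires
%go_vendor_license_buildrequires -c %{S:2}

%build
%global gomodulesmode GO111MODULE=on
%gobuild -o %{gobuilddir}/bin/opkssh %{goipath}

# In Fedora >= 43, the sshd server has been split into a listener binary and a per-session binary.
# The SELinux type for the per-session binary is sshd_session_t.
# https://github.com/fedora-selinux/selinux-policy/commit/efa131d050dd69a07f030c3dc5c8e189bdc49fd3
# NOTE(review): the substitution is not anchored, so any longer type name in
# opkssh.te that merely starts with sshd_t would be rewritten as well - confirm
# the policy source contains none, or anchor the pattern on word boundaries.
%if 0%{?fedora} >= 43
sed -i "s/sshd_t/sshd_session_t/g" opkssh.te
%endif
# Compile the policy module with the distribution policy Makefile and compress it.
make -f %{_datadir}/selinux/devel/Makefile opkssh.pp
bzip2 -9 opkssh.pp

%install
%go_vendor_license_install -c %{S:2}
install -m 0755 -vd                     %{buildroot}%{_bindir}
install -m 0755 -vp %{gobuilddir}/bin/* %{buildroot}%{_bindir}/
# Provider list and authorisation map: mode 0640, so not world-readable; the
# server file list hands them to root with group opkssh.
install -m 0640 -vp -D %{SOURCE3} %{buildroot}%{_sysconfdir}/opk/providers
install -m 0640 -vp -D %{SOURCE4} %{buildroot}%{_sysconfdir}/opk/auth_id
# sshd drop-in is readable by its owner only; the sudoers drop-in is read-only (0440).
install -m 0600 -vp -D %{SOURCE5} %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/60-opkssh.conf
install -m 0440 -vp -D %{SOURCE6} %{buildroot}%{_sysconfdir}/sudoers.d/opkssh
install -m 0644 -vp -D %{SOURCE7} %{buildroot}%{_sysusersdir}/opkssh.conf
# Install under the same policy store and module name that the scriptlets and
# the file list use, instead of repeating the literal values.
install -m 0644 -vp -D opkssh.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2

%check
%go_vendor_license_check -c %{S:2}
%if %{with check}
%gotest ./...
%endif

%pre server
# Create the opkssh account before the files assigned to group opkssh are
# unpacked. The sysusers definition is Source7; Source6 is the sudoers drop-in
# and must not be passed here.
%sysusers_create_compat %{SOURCE7}

%pre server-selinux
%selinux_relabel_pre -s %{selinuxtype}

%post server-selinux
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2

%postun server-selinux
# An argument of 0 means the package is being removed, not upgraded; only then
# is the policy module unloaded.
if [ $1 -eq 0 ]; then
    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
fi

%posttrans server-selinux
%selinux_relabel_post -s %{selinuxtype}

%files -f %{go_vendor_license_filelist}
%license vendor/modules.txt
%{_bindir}/opkssh

%files server
# NOTE(review): the opk directory that holds these two files is created by
# install -D but is not listed in this file list - confirm whether the
# subpackage should own it.
%attr(-, root, opkssh) %config(noreplace) %{_sysconfdir}/opk/providers
%attr(-, root, opkssh) %config(noreplace) %{_sysconfdir}/opk/auth_id
# These files should not be modified by the user, so we do not use 'noreplace' here:
# an upgrade replaces a locally edited copy with the packaged one.
%config %{_sysconfdir}/ssh/sshd_config.d/60-opkssh.conf
%config %{_sysconfdir}/sudoers.d/opkssh
# User configuration
%{_sysusersdir}/opkssh.conf

%files server-selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}

%files doc
%doc docs README.md SECURITY.md

%changelog
%autochangelog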