#
# spec file for package apache2-mod_nss
#
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:           apache2-mod_nss
Summary:        SSL/TLS module for the Apache HTTP server
License:        Apache-2.0
Group:          Productivity/Networking/Web/Servers
Version:        1.0.14
Release:        0.4.8
Url:            https://fedorahosted.org/mod_nss
Source:         https://fedorahosted.org/released/mod_nss/mod_nss-%{version}.tar.gz
Source1:        mod_nss.conf.in
Source2:        listen_nss.conf
Source4:        README-SUSE.txt
Source5:        vhost-nss.template
Provides:       mod_nss
Requires:       %{apache_mmn}
Requires:       %{apache_suse_maintenance_mmn}
Requires:       apache2 >= 2.2.12
Requires:       findutils
Requires:       mozilla-nss >= 3.15.1
PreReq:         mozilla-nss-tools
BuildRequires:  apache-rpm-macros
BuildRequires:  apache2-devel >= 2.2.12
BuildRequires:  automake
BuildRequires:  bison
BuildRequires:  curl
BuildRequires:  findutils
BuildRequires:  flex
BuildRequires:  gcc-c++
BuildRequires:  libapr-util1-devel
BuildRequires:  libapr1-devel
BuildRequires:  libtool
BuildRequires:  mozilla-nspr-devel >= 4.6.3
BuildRequires:  mozilla-nss-devel >= 3.15.1
BuildRequires:  mozilla-nss-tools
BuildRequires:  pkgconfig

Patch0:         mod_nss-bnc863518-reopen_dev_tty.diff
Patch1:         mod_nss-migrate.patch

BuildRoot:      %{_tmppath}/%{name}-%{version}-build
%define    apxs /usr/sbin/apxs2
%define    apache apache2
%define    apache_libexecdir %(%{apxs} -q LIBEXECDIR)
%define    apache_sysconfdir %(%{apxs} -q SYSCONFDIR)
%define    apache_includedir %(%{apxs} -q INCLUDEDIR)
%define    apache_serverroot %(%{apxs} -q PREFIX)
%define    apache_mmn        %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN)
%define    apache_sysconf_nssdir %{apache_sysconfdir}/mod_nss.d

%description
The mod_nss module provides strong cryptography for the Apache Web
server via the Secure Sockets Layer (SSL) and Transport Layer
Security (TLS) protocols using the Network Security Services (NSS)
security library.

%prep
%setup -q -n mod_nss-%{version}
%patch0 -p0 -b .mod_nss-bnc863518-reopen_dev_tty.rpmpatch
%patch1 -p1

# Touch expression parser sources to prevent regenerating it
touch nss_expr_*.[chyl]

%build
CFLAGS="$RPM_OPT_FLAGS"
export CFLAGS
NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nspr`
NSPR_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nspr`
NSS_INCLUDE_DIR=`/usr/bin/pkg-config --variable=includedir nss`
NSS_LIB_DIR=`/usr/bin/pkg-config --variable=libdir nss`
NSS_BIN=`/usr/bin/pkg-config --variable=exec_prefix nss`
# For some reason mod_nss can't find nss on SUSE unless we do the following
C_INCLUDE_PATH="/usr/include/nss3:/usr/include/nspr4:/usr/include/apache2-prefork/"
export C_INCLUDE_PATH
# no more patching a config file...
cp -a %{SOURCE1} ./nss.conf.in
cp -a %{SOURCE4} .
chmod 644 ./nss.conf.in
autoreconf -fvi
%configure \
    --with-nss-lib=$NSS_LIB_DIR \
    --with-nss-inc=$NSS_INCLUDE_DIR \
    --with-nspr-lib=$NSPR_LIB_DIR \
    --with-nspr-inc=$NSPR_INCLUDE_DIR \
    --with-apxs=%{apxs} \
    --enable-ecc \
    --with-apr-config
make %{?_smp_mflags} all

%install
# The install target of the Makefile isn't used because that uses apxs
# which tries to enable the module in the build host httpd instead of in
# the build root.
mkdir -p $RPM_BUILD_ROOT/%{apache_libexecdir}
mkdir -p $RPM_BUILD_ROOT%{apache_sysconfdir}/conf.d
mkdir -p $RPM_BUILD_ROOT%{apache_sysconfdir}/vhosts.d
mkdir -p $RPM_BUILD_ROOT%{_sbindir}
mkdir -p $RPM_BUILD_ROOT%{apache_sysconf_nssdir}

%if 0%{?suse_version}
perl -pi -e "s|\@apache_lib\@|%{_libdir}\/apache2|g" nss.conf
%endif

install -m 644 nss.conf $RPM_BUILD_ROOT%{apache_sysconfdir}/conf.d/mod_nss.conf
install -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{apache_sysconfdir}/vhosts.d/vhost-nss.template
install -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{apache_sysconfdir}/listen_nss.conf
install -m 755 .libs/libmodnss.so $RPM_BUILD_ROOT%{apache_libexecdir}/mod_nss.so
install -m 755 nss_pcache $RPM_BUILD_ROOT%{_sbindir}/
install -m 755 gencert $RPM_BUILD_ROOT%{_sbindir}/
install -m 755 migrate.pl $RPM_BUILD_ROOT%{_sbindir}/mod_nss_migrate.pl

#ln -s $RPM_BUILD_ROOT/%%{apache_libexecdir}/libnssckbi.so $RPM_BUILD_ROOT%%{apache_sysconf_nssdir}/
touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/secmod.db
touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/cert8.db
touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/key3.db
touch $RPM_BUILD_ROOT%{apache_sysconf_nssdir}/install.log
perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" $RPM_BUILD_ROOT%{_sbindir}/gencert

%check
set +x
mkdir -p %{apache_test_module_dir}
# create password file including internal token to suppress 
# apache 'builtin dialog', see NSSPassPhraseDialog below
# (http://mcs.une.edu.au/doc/mod_nss/mod_nss.html)
cat << EOF > %{apache_test_module_dir}/password.conf
internal:httptest
EOF
# create test configuration
cat << EOF > %{apache_test_module_dir}/mod_nss-test.conf
NSSEngine on
NSSNickname Server-Cert
NSSCertificateDatabase %{apache_test_module_dir}/mod_nss.d
NSSPassPhraseDialog file:%{apache_test_module_dir}/password.conf
NSSPassPhraseHelper %{buildroot}/usr/sbin/nss_pcache
NSSCipherSuite +ecdhe_ecdsa_aes_128_gcm_sha,+ecdh_ecdsa_aes_128_gcm_sha,+ecdhe_rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha,+ecdh_rsa_aes_128_gcm_sha,+ecdhe_rsa_aes_128_sha,+ecdh_rsa_aes_128_sha,+rsa_aes_128_gcm_sha,+rsa_aes_256_sha,+rsa_aes_128_sha,+rsa_aes_128_sha256,+rsa_aes_256_sha256
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
<Directory /tmp/apache2-mod_nss_test/htdocs>
%if 0%{?apache_branch} >= 204
  Require local
%else
  Allow from localhost
%endif
</Directory>
EOF
# create test certificate
mkdir -p %{apache_test_module_dir}/mod_nss.d
#   bend gencert to use ServerName of apache test instance
cp %{buildroot}%{_sbindir}/gencert .
sed -i 's:FQDN=`getFQDN`:FQDN=test:' gencert
./gencert  %{apache_test_module_dir}/mod_nss.d > %{apache_test_module_dir}/mod_nss.d/LOG 2>&1
# create test document
mkdir -p %{apache_test_module_dir}/htdocs
cat << EOF > %{apache_test_module_dir}/htdocs/index.html
HTTPS HELLO
EOF
exit_code=0
# run apache test instance
%apache_test_module_start_apache -m nss -i mod_nss-test.conf
# get test document 
%apache_test_module_curl -r https -d /index.html -o %{apache_test_module_dir}/output.txt
echo
echo 'Testing /index.html output'
grep 'HTTPS HELLO' %{apache_test_module_dir}/output.txt || exit_code=1
if [ $exit_code -eq 0 ]; then
  echo 'SUCCESS'
else
  echo 'FAILED, error_log:'
  cat %{apache_test_module_dir}/error_log
fi
echo
# stop apache test instance
%apache_test_module_stop_apache
set -x
exit $exit_code

%post
umask 077
if [ "$1" -eq 1 ] ; then
    # this is first time installation.
    if [ ! -e %{apache_sysconf_nssdir}/key3.db ]; then
        %{_sbindir}/gencert %{apache_sysconf_nssdir} > %{apache_sysconf_nssdir}/install.log 2>&1
        echo ""
        echo "%{name} certificate database generated."
        echo ""
    fi
    # Make sure that the database ownership is setup properly.
    find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chgrp www {} \;
    find %{apache_sysconf_nssdir} -user root -name "*.db" -exec /bin/chmod 640 {} \;
fi
if [ "$1" -eq 2 ]; then
    # this is the upgrade case for this %post:
    if [ -d %{apache_sysconfdir}/alias ]; then
	copied_files=""
	for dbfile in *.db; do
	    if [ ! -f %{apache_sysconf_nssdir}/"$dbfile" -a -f "$dbfile" ]; then
		cp -a "$dbfile" %{apache_sysconf_nssdir}/"$dbfile"
		copied_files="$copied_files $dbfile"
	    fi
	done
	if [ "$copied_files" != "" ]; then
		{
		echo "This notice was written by the post-install script of the package"
		echo "%{name}."
		echo ""
		echo "The files $copied_files"
		echo "have been copied to the directory %{apache_sysconf_nssdir},"
		echo "as this directory is not referenced by the default configuration any longer,"
		echo "and because these files did not exist in %{apache_sysconf_nssdir}."
		echo "Existing files have not been modified."
		echo ""
		echo "Please check your configuration and remove or move your certificate and"
		echo "key storage to your desired place, and adjust your module configuration"
		echo "accordingly."
		echo ""
		echo "Thank you."
		} > %{apache_sysconfdir}/alias/README-dbfiles.txt
	fi
    fi
fi

%files
%defattr(-,root,root,-)
%doc README LICENSE docs/mod_nss.html README-SUSE.txt
%config(noreplace) %{apache_sysconfdir}/conf.d/mod_nss.conf
%config(noreplace) %{apache_sysconfdir}/vhosts.d/vhost-nss.template
%config(noreplace) %{apache_sysconfdir}/listen_nss.conf
%dir %{apache_libexecdir}
%{apache_libexecdir}/mod_nss.so
%dir %{apache_sysconf_nssdir}/
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/secmod.db
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/cert8.db
%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/key3.db
%ghost %config(noreplace) %{apache_sysconf_nssdir}/install.log
#%%{apache_sysconf_nssdir}/libnssckbi.so
%{_sbindir}/nss_pcache
%{_sbindir}/gencert
%{_sbindir}/mod_nss_migrate.pl

%changelog