
##
## opa.spec -- OpenPKG RPM Package Specification
## Copyright (c) 2000-2020 OpenPKG Project <http://openpkg.org/>
##
## Permission to use, copy, modify, and distribute this software for
## any purpose with or without fee is hereby granted, provided that
## the above copyright notice and this permission notice appear in all
## copies.
##
## THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
## WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
## MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
## IN NO EVENT SHALL THE AUTHORS AND COPYRIGHT HOLDERS AND THEIR
## CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
## SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
## LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
## USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
## ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
## OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
## OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
## SUCH DAMAGE.
##
# package version
# V_opa_base and V_opa_snap are joined into the Version tag below;
# V_opa_snap also selects the Source0 tarball and looks like a snapshot
# date (YYYYMMDD) -- TODO confirm
%define V_opa_base 0.16.0
%define V_opa_snap 20191219
# package information
Name: opa
Summary: Open Policy Agent
URL: https://www.openpolicyagent.org/
Vendor: Tim Hinrichs, Torin Sandall
Packager: OpenPKG Project
Distribution: OpenPKG Community
Class: EVAL
Group: Networking
License: Apache
Version: %{V_opa_base}.%{V_opa_snap}
Release: 20191219
# list of sources
# NOTE(review): Source0 is fetched over plain http:// and no checksum or
# signature for the tarball is visible in this spec -- confirm that the
# build tooling verifies its integrity before it is unpacked and compiled.
Source0: http://download.openpkg.org/components/versioned/opa/opa-%{V_opa_snap}.tar.xz
Source1: rc.opa
Source2: opa-tls.sh
Source3: opa.txt
Patch0: opa.patch
# build information
# go is required at build time only; cfssl is required on the target host
# (presumably by the opa-tls helper that creates the certificates -- confirm)
BuildPreReq: OpenPKG, openpkg >= 20160101, go
PreReq: OpenPKG, openpkg >= 20160101, cfssl
%description
The Open Policy Agent (OPA) is an open source, general-purpose
policy engine that enables unified, context-aware policy enforcement
across the entire stack. OPA provides greater flexibility
and expressiveness than hard-coded service logic or ad-hoc
domain-specific languages and comes with powerful tooling to help
anyone get started.
%track
prog opa:release = {
version = %{V_opa_base}
url = https://github.com/open-policy-agent/opa/releases
regex = v(\d+\.\d+\.\d+)\.tar\.gz
}
prog opa:snapshot = {
version = %{V_opa_snap}
url = http://download.openpkg.org/components/versioned/opa/
regex = opa-(\d+)\.tar\.xz
}
%prep
# unpack Source0 quietly; -n names the tarball's top-level directory (opa)
%setup -q -n opa
# apply the package patch with strip level 0 (opa.patch is the only patch
# declared in this spec)
%patch -p0
%build
    #   build program
    #   The unpacked source tree itself serves as GOPATH. Its bin/ directory
    #   is placed first on PATH, so any tool found there shadows the system
    #   one for the rest of this build.
    #   NOTE(review): whether the make target needs network access to fetch
    #   Go dependencies is not visible here -- confirm the tarball is
    #   self-contained.
    GOPATH=$(pwd)
    export GOPATH
    PATH="$GOPATH/bin:$PATH"
    cd src/github.com/open-policy-agent/opa
    %{l_make} %{l_mflags} build
%install
# create directory hierarchy
# (every directory is created with mode 755 below the build root)
%{l_shtool} mkdir -f -p -m 755 \
$RPM_BUILD_ROOT%{l_prefix}/sbin \
$RPM_BUILD_ROOT%{l_prefix}/etc/rc.d \
$RPM_BUILD_ROOT%{l_prefix}/etc/opa/conf.d \
$RPM_BUILD_ROOT%{l_prefix}/var/opa/log \
$RPM_BUILD_ROOT%{l_prefix}/var/opa/run
# install program
# -s strips the binary; the destination is a single file name, so the
# opa* glob is expected to match exactly one build result -- TODO confirm
%{l_shtool} install -c -s -m 755 \
src/github.com/open-policy-agent/opa/opa* \
$RPM_BUILD_ROOT%{l_prefix}/sbin/opa
# install utility
# the @l_bash@ placeholder in opa-tls.sh is replaced by the l_bash macro
# value; the l_value macro presumably adds further substitutions -- confirm
%{l_shtool} install -c -m 755 %{l_value -s -a} \
-e 's;@l_bash@;%{l_bash};g' \
%{SOURCE opa-tls.sh} $RPM_BUILD_ROOT%{l_prefix}/sbin/opa-tls
# install run-command script
%{l_shtool} install -c -m 755 %{l_value -s -a} \
%{SOURCE rc.opa} $RPM_BUILD_ROOT%{l_prefix}/etc/rc.d/
# install default configuration
# opa.txt bundles several files as <file name="..."> ... </file> sections.
# For every name found, the section body is cut out with sed into tmp.txt
# (in the build directory) and installed under conf.d with mode 644, i.e.
# readable by every local user.
# NOTE(review): $name is used unquoted and unvalidated as the destination
# file name. It comes from the package's own opa.txt, so names there have
# to stay free of whitespace and "../" components.
for name in `grep "^<file" %{SOURCE opa.txt} | sed -e 's;^.*name=";;' -e 's;".*$;;'`; do
# escape "/" so the name can be embedded in the sed address below
name_escaped=`echo "$name" | sed -e 's;/;\\\\/;g'`
# an empty line is put in front of the file, presumably so that an opening
# tag on the very first line still ends the "1,/.../" range -- confirm
(echo ""; cat %{SOURCE opa.txt}; echo "") |\
sed -e "1,/^<file name=\"$name_escaped\">/d" -e "/<\/file>/,\$d" >tmp.txt
%{l_shtool} install -c -m 644 %{l_value -s -a} \
tmp.txt $RPM_BUILD_ROOT%{l_prefix}/etc/opa/conf.d/$name
done
# determine installation files
# conf.d entries are tagged as configuration files and everything below
# var/opa is assigned to the l_rusr/l_rgrp user and group
%{l_rpmtool} files -v -ofiles -r$RPM_BUILD_ROOT \
%{l_files_std} \
'%config %{l_prefix}/etc/opa/conf.d/*' \
'%attr(-,%{l_rusr},%{l_rgrp}) %{l_prefix}/var/opa/*'
%files -f files
%clean
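%post
    #   Post-install scriptlet. Argument 1 selects the case: 1 is handled as
    #   the initial installation, 2 as an upgrade. It always exits 0, so a
    #   failure in here never aborts the package transaction.
    if [ "${1:-0}" -eq 1 ]; then
        #   on initial installation, generate TLS certificate/key pair
        #   NOTE(review): ownership and mode of the generated private key are
        #   set by opa-tls, which is not shown here -- confirm the key is not
        #   readable by other local users.
        echo "Generating TLS Certificates/Keys" | %{l_rpmtool} msg -b -t notice
        if "$RPM_INSTALL_PREFIX/sbin/opa-tls" localhost 127.0.0.1; then
            ( echo "OPA was configured with a standard TLS certificate/key pair."
              echo "for \"localhost\" and \"127.0.0.1\". For production use, you usually let"
              echo "OPA listen on an external IP address. For this the TLS"
              echo "certificate/key pair has to be regenerated with for instance:"
              echo " \$ $RPM_INSTALL_PREFIX/sbin/opa-tls www.example.com 192.168.0.1"
            ) | %{l_rpmtool} msg -b -t notice
        else
            #   do not announce a certificate/key pair that was never created
            ( echo "Generating the TLS certificate/key pair failed."
              echo "Re-run the generation manually with for instance:"
              echo " \$ $RPM_INSTALL_PREFIX/sbin/opa-tls localhost 127.0.0.1"
            ) | %{l_rpmtool} msg -b -t notice
        fi
    elif [ "${1:-0}" -eq 2 ]; then
        #   after upgrade, restart service
        #   The output of the rc status command is evaluated as shell code, so
        #   this step trusts the installed rc script completely. The variable
        #   is cleared first so that a value inherited from the environment
        #   cannot trigger the restart when the status command prints nothing.
        opa_active=""
        eval `%{l_rc} opa status 2>/dev/null`
        if [ ".$opa_active" = .yes ]; then
            %{l_rc} opa restart
        fi
    fi
    exit 0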
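%preun
    #   Pre-uninstall scriptlet. Argument 1 equal to 0 is handled as the
    #   erase case. It always exits 0, so a failure in here never blocks the
    #   removal of the package.
    if [ "${1:-1}" -eq 0 ]; then
        #   before erase, stop service and remove the generated CA and server
        #   certificate/key files, the log files and the run-time files
        %{l_rc} opa stop 2>/dev/null
        #   With an empty prefix the paths below would become /etc/opa/... and
        #   /var/opa/... on the host system, so nothing is removed in that case.
        if [ -n "$RPM_INSTALL_PREFIX" ]; then
            rm -f "$RPM_INSTALL_PREFIX"/etc/opa/ca.* >/dev/null 2>&1 || true
            rm -f "$RPM_INSTALL_PREFIX"/etc/opa/server.* >/dev/null 2>&1 || true
            rm -rf "$RPM_INSTALL_PREFIX"/var/opa/log/* >/dev/null 2>&1 || true
            rm -rf "$RPM_INSTALL_PREFIX"/var/opa/run/* >/dev/null 2>&1 || true
        fi
    fi
    exit 0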