openpkg-packages/kerberos/kerberos.spec

##
##  kerberos.spec -- OpenPKG RPM Package Specification
##  Copyright (c) 2000-2022 OpenPKG Project <http://openpkg.org/>
##
##  Permission to use, copy, modify, and distribute this software for
##  any purpose with or without fee is hereby granted, provided that
##  the above copyright notice and this permission notice appear in all
##  copies.
##
##  THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
##  WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
##  MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
##  IN NO EVENT SHALL THE AUTHORS AND COPYRIGHT HOLDERS AND THEIR
##  CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
##  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
##  LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
##  USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
##  ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
##  OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
##  OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
##  SUCH DAMAGE.
##

#   FIXME: rse: with_ldap still defunct

#   package version
%define       V_major  1.6
%define       V_minor  3

#   package information
Name:         kerberos
Summary:      Kerberos Network Authentication System
URL:          http://web.mit.edu/kerberos/
Vendor:       MIT
Packager:     OpenPKG Project
Distribution: OpenPKG Community
Class:        BASE
Group:        Cryptography
License:      MIT subject to US EAR
Version:      %{V_major}.%{V_minor}
Release:      20100227

#   package options
%option       with_fsl     yes
%option       with_server  yes
%option       with_ldap    no

#   list of sources
Source0:      http://web.mit.edu/kerberos/dist/krb5/%{V_major}/krb5-%{version}-signed.tar
Source1:      rc.kerberos
Source2:      fsl.kerberos
Source3:      krb5.conf
Source4:      kdc.conf
Source5:      kerberos-setup.sh
Patch0:       kerberos.patch
Patch1:       http://web.mit.edu/kerberos/advisories/2009-001-patch.txt
Patch2:       http://web.mit.edu/kerberos/advisories/2009-002-patch.txt

#   build information
BuildPreReq:  OpenPKG, openpkg >= 20160101, flex, bison, make, sed, perl
PreReq:       OpenPKG, openpkg >= 20160101
%if "%{with_fsl}" == "yes"
BuildPreReq:  fsl
PreReq:       fsl
%endif
%if "%{with_ldap}" == "yes"
BuildPreReq:  openldap
PreReq:       openldap
%endif
Provides:     KERBEROS
Conflicts:    heimdal

%description
    Kerberos is a network authentication protocol. It is designed to
    provide strong authentication for client/server applications by
    using secret-key cryptography. This is the free implementation of
    this protocol, as available from the Massachusetts Institute of
    Technology (MIT). Kerberos is available in many commercial products
    as well.

%track
    prog kerberos = {
        version   = %{version}
        url       = http://web.mit.edu/kerberos/dist/
        regex     = krb5-(__VER__)-signed\.tar
    }

%prep
    %setup -q -T -c -n krb5-%{version}
    %{l_tar} xf %{SOURCE krb5-%{version}-signed.tar}
    %{l_gzip} -d -c krb5-%{version}.tar.gz | ( cd .. && %{l_tar} xf - ) || exit $?
    %patch -p0
    %patch -p1 -P 1
    %patch -p1 -P 2

%build
    #   configure toolkit
    %{l_shtool} subst \
        -e 's/if test "$enable_static" = yes; then/if false; then/' \
        -e 's/if test "$enable_shared" != yes; then/if false; then/' \
        -e 's/if test "$enable_static" = no && test "$krb5_force_static" != yes; then/if false; then/' \
        `find . -name configure -type f -print | grep -v plugins/kdb/db2 | grep -v plugins/kdb/ldap`
    %{l_shtool} subst \
        -e 's;/etc/krb5\.conf:@SYSCONFDIR/krb5.conf;@SYSCONFDIR/kerberos/krb5.conf;g' \
        -e 's;FILE:/etc/krb5\.keytab;FILE:@SYSCONFDIR/kerberos/krb5.keytab;g' \
        -e 's;DEFAULT_KDC_PROFILE."@LOCALSTATEDIR/krb5kdc;DEFAULT_KDC_PROFILE "@SYSCONFDIR/kerberos;g' \
        -e 's;@LOCALSTATEDIR/krb5kdc;@LOCALSTATEDIR/kerberos/db;g' \
        src/include/stock/osconf.h
    %{l_shtool} subst \
        -e 's;/etc/krb5\.keytab;%{l_prefix}/etc/kerberos/krb5.keytab;' \
        src/kadmin/cli/k5srvutil.sh \
        src/kadmin/cli/kadmin.c
    cd src
    CC="%{l_cc}" \
    CFLAGS="%{l_cflags -O}" \
    CPPFLAGS="%{l_cppflags}" \
    LDFLAGS="%{l_fsl_ldflags}" \
    LIBS="%{l_fsl_libs}" \
    ./configure \
        --prefix=%{l_prefix} \
        --includedir=%{l_prefix}/include/kerberos \
        --libdir=%{l_prefix}/lib/kerberos \
        --enable-dns-for-realm \
        --without-tcl \
        --without-krb4 \
        --enable-static \
        --disable-shared

    #   build toolkit
    %{l_make} %{l_mflags}

    #   configure and build database plugin DSO
%if "%{with_server}" == "yes"
    ( cd plugins/kdb/db2
      CC="%{l_cc}" \
      CFLAGS="%{l_cflags -O}" \
      ./configure \
          --prefix=%{l_prefix} \
          --libdir=%{l_prefix}/lib/kerberos \
          --disable-static \
          --enable-shared
      %{l_make} %{l_mflags} db2.so
    ) || exit $?
%endif

    #   configure and build LDAP plugin DSO
%if "%{with_server}" == "yes" && "%{with_ldap}" == "yes"
    ( cd plugins/kdb/ldap/libkdb_ldap
      CC="%{l_cc}" \
      CFLAGS="%{l_cflags -O}" \
      CPPFLAGS="%{l_cppflags}" \
      LDFLAGS="%{l_fsl_ldflags}" \
      LIBS="%{l_fsl_libs} -lldap -llber -lssl -lcrypto" \
      ./configure \
          --prefix=%{l_prefix} \
          --includedir=%{l_prefix}/include/kerberos \
          --libdir=%{l_prefix}/lib/kerberos \
          --enable-dns-for-realm \
          --without-tcl \
          --without-krb4 \
          --with-ldap \
          --disable-static \
          --enable-shared
      ./config.status --file ../Makefile
      ./config.status --file ../ldap_util/Makefile
    ) || exit $?
    ( cd plugins/kdb/ldap
      %{l_make} %{l_mflags} kldap.so
    ) || exit $?
%endif

%install

    #   install toolkit
    ( cd src
      %{l_make} %{l_mflags} install DESTDIR=$RPM_BUILD_ROOT
    ) || exit $?

    #   install database plugin DSO
%if "%{with_server}" == "yes"
    ( cd src/plugins/kdb/db2
      %{l_make} %{l_mflags} install DESTDIR=$RPM_BUILD_ROOT
    ) || exit $?
%endif

    #   create additional directories
    %{l_shtool} mkdir -p -m 755 \
%if "%{with_server}" == "yes"
        $RPM_BUILD_ROOT%{l_prefix}/var/kerberos/log \
        $RPM_BUILD_ROOT%{l_prefix}/var/kerberos/run \
        $RPM_BUILD_ROOT%{l_prefix}/var/kerberos/db \
        $RPM_BUILD_ROOT%{l_prefix}/etc/rc.d \
        $RPM_BUILD_ROOT%{l_prefix}/etc/fsl \
%endif
        $RPM_BUILD_ROOT%{l_prefix}/share/kerberos \
        $RPM_BUILD_ROOT%{l_prefix}/info \
        $RPM_BUILD_ROOT%{l_prefix}/etc/kerberos

    #   strip down installation
    rm -f $RPM_BUILD_ROOT%{l_prefix}/bin/compile_et
    rm -f $RPM_BUILD_ROOT%{l_prefix}/man/man1/compile_et.1
    rm -f $RPM_BUILD_ROOT%{l_prefix}/man/man1/krb5-send-pr.1
    rm -rf $RPM_BUILD_ROOT%{l_prefix}/share/et
    rm -rf $RPM_BUILD_ROOT%{l_prefix}/share/gnats
    rm -rf $RPM_BUILD_ROOT%{l_prefix}/share/examples
    rm -rf $RPM_BUILD_ROOT%{l_prefix}/include/kerberos/kerberosIV
    strip $RPM_BUILD_ROOT%{l_prefix}/bin/* >/dev/null 2>&1 || true
    strip $RPM_BUILD_ROOT%{l_prefix}/sbin/* >/dev/null 2>&1 || true

    #   strip down installation (server-related only)
%if "%{with_server}" != "yes"
    rm -rf $RPM_BUILD_ROOT%{l_prefix}/lib/kerberos/krb5
    rm -f $RPM_BUILD_ROOT%{l_prefix}/lib/kerberos/libkadm5srv.a
    rm -f $RPM_BUILD_ROOT%{l_prefix}/lib/kerberos/libkdb5.a
    rm -f $RPM_BUILD_ROOT%{l_prefix}/man/man5/kdc.conf.5
    rm -f $RPM_BUILD_ROOT%{l_prefix}/man/man8/k5srvutil.8
    rm -f $RPM_BUILD_ROOT%{l_prefix}/man/man8/kadmin.local.8
    rm -f $RPM_BUILD_ROOT%{l_prefix}/man/man8/kadmind.8
    rm -f $RPM_BUILD_ROOT%{l_prefix}/man/man8/kdb5_util.8
    rm -f $RPM_BUILD_ROOT%{l_prefix}/man/man8/kprop.8
    rm -f $RPM_BUILD_ROOT%{l_prefix}/man/man8/kpropd.8
    rm -f $RPM_BUILD_ROOT%{l_prefix}/man/man8/krb5kdc.8
    rm -f $RPM_BUILD_ROOT%{l_prefix}/man/man8/ktutil.8
    rm -f $RPM_BUILD_ROOT%{l_prefix}/sbin/gss-server
    rm -f $RPM_BUILD_ROOT%{l_prefix}/sbin/k5srvutil
    rm -f $RPM_BUILD_ROOT%{l_prefix}/sbin/kadmin.local
    rm -f $RPM_BUILD_ROOT%{l_prefix}/sbin/kadmind
    rm -f $RPM_BUILD_ROOT%{l_prefix}/sbin/kdb5_util
    rm -f $RPM_BUILD_ROOT%{l_prefix}/sbin/kerberos-setup
    rm -f $RPM_BUILD_ROOT%{l_prefix}/sbin/kprop
    rm -f $RPM_BUILD_ROOT%{l_prefix}/sbin/kpropd
    rm -f $RPM_BUILD_ROOT%{l_prefix}/sbin/krb5-send-pr
    rm -f $RPM_BUILD_ROOT%{l_prefix}/sbin/krb5kdc
    rm -f $RPM_BUILD_ROOT%{l_prefix}/sbin/ktutil
%endif

    #   install setup script
%if "%{with_server}" == "yes"
    %{l_shtool} install -c -m 755 %{l_value -s -a} \
        %{SOURCE kerberos-setup.sh} \
        $RPM_BUILD_ROOT%{l_prefix}/sbin/kerberos-setup
%endif

    #   install run-command script
%if "%{with_server}" == "yes"
    %{l_shtool} install -c -m 755 %{l_value -s -a} \
        %{SOURCE rc.kerberos} \
        $RPM_BUILD_ROOT%{l_prefix}/etc/rc.d/
%endif

    #   install default configuration files
    %{l_shtool} install -c -m 644 %{l_value -s -a} \
        %{SOURCE krb5.conf} \
        $RPM_BUILD_ROOT%{l_prefix}/etc/kerberos/
%if "%{with_server}" == "yes"
    %{l_shtool} install -c -m 644 %{l_value -s -a} \
        %{SOURCE kdc.conf} \
        $RPM_BUILD_ROOT%{l_prefix}/etc/kerberos/
%endif
    %{l_shtool} install -c -m 644 \
        /dev/null $RPM_BUILD_ROOT%{l_prefix}/etc/kerberos/krb5.dict

    #   install OSSP fsl configuration
%if "%{with_server}" == "yes"
    %{l_shtool} install -c -m 644 %{l_value -s -a} \
        %{SOURCE fsl.kerberos} \
        $RPM_BUILD_ROOT%{l_prefix}/etc/fsl/
%endif

    #   install documentation
    mv doc/install-guide.ps doc/krb5-install.ps
    mv doc/admin-guide.ps doc/krb5-admin.ps
    mv doc/user-guide.ps doc/krb5-user.ps
%if "%{with_server}" == "yes"
    %{l_shtool} install -c -m 644 \
        doc/krb5-install.html \
        doc/krb5-install.ps \
        doc/krb5-admin.html \
        doc/krb5-admin.ps \
        $RPM_BUILD_ROOT%{l_prefix}/share/kerberos/
    %{l_shtool} install -c -m 644 \
        doc/krb5-install.info* \
        doc/krb5-admin.info* \
        $RPM_BUILD_ROOT%{l_prefix}/info/
%endif
    %{l_shtool} install -c -m 644 \
        doc/krb5-user.html \
        doc/krb5-user.ps \
        $RPM_BUILD_ROOT%{l_prefix}/share/kerberos/
    %{l_shtool} install -c -m 644 \
        doc/krb5-user.info* \
        $RPM_BUILD_ROOT%{l_prefix}/info/

    #   determine installation files
    %{l_rpmtool} files -v -ofiles -r$RPM_BUILD_ROOT \
        %{l_files_std} \
%if "%{with_server}" == "yes"
        '%config %{l_prefix}/etc/fsl/fsl.kerberos' \
        '%doc %{l_prefix}/share/kerberos/*.ps' \
        '%doc %{l_prefix}/share/kerberos/*.html' \
%endif
        '%config %{l_prefix}/etc/kerberos/*' \
        '%attr(4755,%{l_susr},%{l_mgrp}) %{l_prefix}/bin/ksu'

%files -f files

%clean

%pre
    #   before upgrade, save status and stop service
%if "%{with_server}" == "yes"
    [ $1 -eq 2 ] || exit 0
    eval `%{l_rc} kerberos status 2>/dev/null | tee %{l_tmpfile}`
    %{l_rc} kerberos stop 2>/dev/null
    exit 0
%endif

%post
    #   initial hints
%if "%{with_server}" == "yes"
    if [ $1 -eq 1 ]; then
        #   display information about next steps
        ( echo "Before you can use Kerberos you have to choose the"
          echo "Kerberos realm (e.g. EXAMPLE.COM) and initialize the"
          echo "Kerberos database with the command:"
          echo "  \$ $RPM_INSTALL_PREFIX/sbin/kerberos-setup <realm> <domain>"
          echo "where <domain> is the primary DNS zone of this setup and"
          echo "<realm> by convention is the upper-case version of <domain>."
          echo ""
          echo "After this you should start the Kerberos server with:"
          echo "  \$ $RPM_INSTALL_PREFIX/bin/openpkg rc kerberos start"
          echo ""
          echo "Then you should change the password of the admin/admin user"
          echo "from the default \"admin\" to something secure:"
          echo "  \$ $RPM_INSTALL_PREFIX/sbin/kadmin -p admin/admin -q \\ "
          echo "    \"change_password -pw <new-password> admin/admin\""
          echo ""
          echo "Then you should add and attach all remote hosts to Kerberos"
          echo "by running the following command on each *remote* host:"
          echo "  \$ $RPM_INSTALL_PREFIX/sbin/kadmin -p admin/admin -q \\ "
          echo "    \"add_principal host/<hostname>.<domain>\""
          echo "  \$ $RPM_INSTALL_PREFIX/sbin/kadmin -p admin/admin -q \\ "
          echo "    \"ktadd host/<hostname>.<domain>\""
          echo ""
          echo "Then you should add all your users to Kerberos via:"
          echo "  \$ $RPM_INSTALL_PREFIX/sbin/kadmin -p admin/admin -q \\ "
          echo "    \"add_principal <user>/<user>@<realm>\""
          echo ""
          echo "After this, users can use Kerberos on all attached hosts:"
          echo "  \$ $RPM_INSTALL_PREFIX/bin/kinit <user>/<user>"
          echo "  \$ $RPM_INSTALL_PREFIX/bin/klist"
          echo "  \$ $RPM_INSTALL_PREFIX/bin/kdestroy"
        ) | %{l_rpmtool} msg -b -t notice
    fi
    #   after upgrade, restore status
    [ $1 -eq 2 ] || exit 0
    eval `cat %{l_tmpfile}`; rm -f %{l_tmpfile}
    [ ".$kerberos_active" = .yes ] && %{l_rc} kerberos start
    exit 0
%endif

%preun
    #   before erase, stop service and remove log files
%if "%{with_server}" == "yes"
    [ $1 -eq 0 ] || exit 0
    %{l_rc} kerberos stop 2>/dev/null
    rm -f $RPM_INSTALL_PREFIX/var/kerberos/log/*.log*  >/dev/null 2>&1 || true
    rm -f $RPM_INSTALL_PREFIX/var/kerberos/run/*.pid   >/dev/null 2>&1 || true
    rm -f $RPM_INSTALL_PREFIX/var/kerberos/db/*        >/dev/null 2>&1 || true
    rm -f $RPM_INSTALL_PREFIX/etc/kerberos/krb5.keytab >/dev/null 2>&1 || true
    exit 0
%endif