#!/bin/bash
#
# Build CentOS 6 RPM for newer version of OpenSSH
#
# THIS SCRIPT MUST BE EXECUTED ON A CENTOS 6 MACHINE.
#
# 2022-01-20 jms1 - worked for OpenSSH-8.8p1

set -e

########################################
# The RPM we will be building

RPM_VER="8.8p1"
RPM_REL="1"
RPM_AUTHOR="John Simpson <jms1@voalte.com>"

########################################
# OpenSSH
# Note: MIRROR_URL must end with '/'

OPENSSH_VER="8.8p1"
MIRROR_URL="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/"

########################################
# Dependency `x11-ssh-askpass`
#
# The original source, http://www.jmknoble.net/software/x11-ssh-askpass/
# is missing or unstable, so we will need to manually specify the URL where
# this file can be downloaded. The version needs to match what's in the
# `%define aversion` line in the OpenSSH spec file.

ASKPASS_VER="1.2.4.1"
ASKPASS_URL="https://mirrors.slackware.com/slackware/slackware-14.2/source/xap/x11-ssh-askpass/x11-ssh-askpass-1.2.4.1.tar.gz"

###############################################################################

function usage {
    cat <<EOF
$0 [options]

Builds RPMs for OpenSSH ${OPENSSH_VER}.

-h      Show this help message.

EOF
    exit 0
}

###############################################################################

function blueline {
    if [[ -t 1 ]]
    then
        printf "\e[0;1;37;44m%s\e[0K\e[0m\n" "$*"
    else
        echo "===== $* ====="
    fi
}

function greenline {
    if [[ -t 1 ]]
    then
        printf "\e[0;1;37;42m%s\e[0K\e[0m\n" "$*"
    else
        echo "----- $* -----"
    fi
}

function redline {
    if [[ -t 1 ]]
    then
        printf "\e[0;1;37;41m%s\e[0K\e[0m\n" "$*"
    else
        echo "***** $* *****"
    fi
}

###############################################################################
###############################################################################
###############################################################################

while getopts ":h" OPT
do
    case $OPT in
        h)  usage
            ;;
        *)  echo "unknown option '-${OPTARG}'"
            exit 1
            ;;
    esac
done

shift $((OPTIND-1))

###############################################################################
#
# Make sure the things we need are present

### if [[ ! -f "${HOME}/.rpmmacros" ]]
### then
###     cat > "${HOME}/.rpmmacros" <<EOF
### %_topdir    ${HOME}/rpm
### %packager   ${RPM_AUTHOR}
### %vendor     Voalte, Inc.
### %dist       .el6
### EOF
### fi

rm -rf "${HOME}/rpm"
mkdir -p rpm/{BUILD,RPMS,SOURCES,SPECS,SRPMS}

FAIL=false
for c in curl gcc git make
do
    if ! type "$c" >/dev/null 2>&1
    then
        redline "Missing: command '$c'"
        FAIL=true
    fi
done

for p in rpm-build openssl-devel pam-devel imake gtk2-devel libXt-devel
do
    if ! rpm -q $p >/dev/null
    then
        redline "Missing: RPM '$p'"
        FAIL=true
    fi
done

if $FAIL
then
    exit 1
fi

########################################
# Create our /etc/pam.d/sshd file
# (copied from what CentOS 6 installs)

cat > "${HOME}/rpm/SOURCES/sshd.pam" <<EOF
#%PAM-1.0
auth	   required	pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
EOF

###############################################################################
#
# Let's do this

########################################
# Download the OpenSSL source

OPENSSL_DOWNLOAD="${HOME}/openssh-${OPENSSH_VER}.tar.gz"
OPENSSL_SRC="${HOME}/rpm/SOURCES/openssh-${OPENSSH_VER}.tar.gz"

if [[ ! -f "${OPENSSL_DOWNLOAD}" ]]
then
    blueline "Downloading openssh-${OPENSSH_VER}.tar.gz"
    curl -L -o "${OPENSSL_DOWNLOAD}" \
        "${MIRROR_URL}openssh-${OPENSSH_VER}.tar.gz"
fi

cp "${OPENSSL_DOWNLOAD}" "${OPENSSL_SRC}"

########################################
# Extract the spec file from the tarball, and make the edits we need

SPEC_FILE="${HOME}/rpm/SPECS/openssh-${RPM_VER}-${RPM_REL}.spec"
blueline "Creating ${SPEC_FILE}"

TODAY="$( date '+%a %b %d %Y' )"

tar xzf "${OPENSSL_SRC}" \
    -O "openssh-${OPENSSH_VER}/contrib/redhat/openssh.spec" \
    | sed 's/^PreReq:/Requires:/' \
    | sed '/^BuildRequires: openssl-devel < 1.1/s/^/#/' \
    | sed '/^Source1:/a Source2: sshd.pam' \
    | sed '/^Source2:/a Source3: sshd_config' \
    | sed 's/contrib\/redhat\/sshd\.pam\(\.old\)\? */%{SOURCE2} /' \
    | sed '/^make install/a \
\
install -m0600 %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/ssh/sshd_config' \
    | sed "/^%changelog/a \\
* ${TODAY} ${RPM_AUTHOR}\\
- customized for Voalte CentOS 6 machines\\
" \
    > "${SPEC_FILE}"

########################################
# Extract the sshd_config file from the tarball, and make the edits we need

blueline "Creating ${HOME}/rpm/SOURCES/sshd_config"

tar xzf "${OPENSSL_SRC}" \
    -O "openssh-${OPENSSH_VER}/sshd_config" \
    | sed '/^#UsePAM no/i \
#\
# Note: CentOS 6 needs this to be "yes", otherwise password-based login\
# will fail when SELinux is active.\
#' \
    | sed '/^#UsePAM no/a \
UsePAM  yes' \
    > "${HOME}/rpm/SOURCES/sshd_config"

########################################
# Download the x11-ssh-askpass source tarball

AVERSION=$( awk '/^%global aversion /{print $3}' "${SPEC_FILE}" )

if [[ "${AVERSION}" != "${ASKPASS_VER}" ]]
then
    redline "ERROR: x11-ssh-askpass version mismatch"
    echo "openssh spec wants '${AVERSION}'"
    echo "this script  wants '${ASKPASS_VER}'"
    exit 1
fi

if [[ ! -f "${HOME}/rpm/SOURCES/x11-ssh-askpass-${AVERSION}.tar.gz" ]]
then
    blueline "Downloading x11-ssh-askpass-${AVERSION}.tar.gz"
    curl -Lo "${HOME}/rpm/SOURCES/x11-ssh-askpass-${AVERSION}.tar.gz" \
        "${ASKPASS_URL}"
fi

###############################################################################
#
# Build the RPMs

rpmbuild -ba \
    --define "_topdir ${HOME}/rpm" \
    --define "packager ${RPM_AUTHOR}" \
    --define "vendor Voalte, Inc." \
    --define "dist .el6" \
    "${SPEC_FILE}"