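Name:           fermilab-conf_ssh-server
Obsoletes:      zz_fermi_sshd_config
Conflicts:      openssh-server < 6.1
Version:        1.0
Release:        4
Summary:        Change sshd_config to meet Fermilab's standards
Group:          Fermilab
License:        GPL
URL:            http://helpdesk.fnal.gov
Source0:        fermi-conf_ssh-server.sh
BuildRequires:  bash coreutils
BuildArch:      noarch
Requires:       xorg-x11-xauth
# NOTE(review): these tools are consumed by the trigger scriptlets below, not
# by a post scriptlet.  Requires(post) only orders them ahead of install-time
# scriptlets; confirm augeas is still present when the triggerun path removes
# the config on erase (a plain Requires would also order the removal).
Requires(post): augeas >= 0.9.0 policycoreutils coreutils systemd

%description
The default configuration for openssh-server is not suitable for Fermilab.
This RPM will update %{_sysconfdir}/ssh/sshd_config to meet Fermilab standards.

Requirement from: CS-doc-1186

%prep

%build

%install
rm -rf %{buildroot}
%{__install} -D %{SOURCE0} %{buildroot}/%{_libexecdir}/%{name}/%{name}.sh

%clean
rm -rf %{buildroot}

%check
# Syntax-only check of the payload script; it is not executed at build time.
bash -n %{buildroot}/%{_libexecdir}/%{name}/%{name}.sh

#####################################################################
%triggerin -p /bin/bash -- openssh-server
##################### BEGIN Trigger Snippet #########################
set -u
TRIGGER_ON_PACKAGE_NAME='openssh-server'

# The following script snippet attempts to classify why we were called.
# rpm passes the trigger two counts: $1 is the number of installed
# instances of _THIS_ package after the transaction, $2 the number of
# installed instances of the trigger package (TRIGGER_ON_PACKAGE_NAME).
#  - on first install of either package, RUN_TRIGGER == "Initial"
#  - on upgrade of _THIS_ package, RUN_TRIGGER == "UpgradeSELF"
#  - on upgrade of the TRIGGERON package, RUN_TRIGGER == "UpgradeTRIGGERON"
#  - on upgrade of the TRIGGERON package but initial install of _THIS_
#    package, RUN_TRIGGER == "InitialSELFUpgradeTRIGGERON"
#  - on upgrade of BOTH packages, RUN_TRIGGER == "UpgradeALL"
#  - on removal of either package, RUN_TRIGGER == "UninstallSELF" /
#    "UninstallTRIGGERON"
CURRENT_INSTALLS_OF_THIS_PACKAGE=${1:-0}
TRIGGER_ON_PACKAGE=${2:-0}
RUN_TRIGGER="NO"

if [[ ${TRIGGER_ON_PACKAGE} -eq 1 ]]; then
  # We only get here if we are NOT doing an upgrade of the trigger package
  if [[ ${CURRENT_INSTALLS_OF_THIS_PACKAGE} -eq 0 ]]; then
    # We only get here if we are removing _THIS_ package
    RUN_TRIGGER="UninstallSELF"
  elif [[ ${CURRENT_INSTALLS_OF_THIS_PACKAGE} -eq 1 ]]; then
    # We only get here if we are NOT doing an upgrade of the trigger package
    # and we are installing _THIS_ package for the first time
    RUN_TRIGGER="Initial"
  elif [[ ${CURRENT_INSTALLS_OF_THIS_PACKAGE} -gt 1 ]]; then
    # We only get here if we are NOT doing an upgrade of the trigger package
    # and we are upgrading _THIS_ package
    RUN_TRIGGER="UpgradeSELF"
  fi
elif [[ ${TRIGGER_ON_PACKAGE} -gt 1 ]]; then
  # We only get here if we are doing an upgrade of the trigger package
  if [[ ${CURRENT_INSTALLS_OF_THIS_PACKAGE} -eq 1 ]]; then
    # We get here if we are doing an upgrade of the trigger package
    # and we are NOT upgrading _THIS_ package
    RUN_TRIGGER="UpgradeTRIGGERON"
    # But, are we installing _THIS_ package as a part of a dependency
    # resolution chain?  Compare install transaction IDs.
    _THIS_TID=$(rpm -q --qf "%{INSTALLTID}\n" "%{NAME}")
    # Find the last installed (ie the current) TRIGGER_ON_PACKAGE_NAME's
    # transaction.
    # NOTE(review): --last supplies its own query format; confirm that the
    # --qf given here is honored, otherwise TID is empty (or a name/date
    # line that grep -v drops) and this branch can never match.
    TID=$(rpm -q --qf "%{INSTALLTID}\n" "${TRIGGER_ON_PACKAGE_NAME}" --last \
      | grep -v -- "${TRIGGER_ON_PACKAGE_NAME}" | head -1)
    if [[ "${_THIS_TID}" == "${TID}" ]]; then
      # if the transaction ID of _THIS_ package is identical to the
      # transaction ID of an installed TRIGGER_ON_PACKAGE_NAME
      # then, we must be upgrading the trigger package and
      # installing _THIS_ package
      RUN_TRIGGER="InitialSELFUpgradeTRIGGERON"
    fi
  elif [[ ${CURRENT_INSTALLS_OF_THIS_PACKAGE} -gt 1 ]]; then
    # We only get here if we are doing an upgrade of the trigger package
    # and we are upgrading _THIS_ package
    RUN_TRIGGER="UpgradeALL"
  fi
elif [[ ${TRIGGER_ON_PACKAGE} -eq 0 ]]; then
  # We only get here if we are removing the trigger package
  RUN_TRIGGER="UninstallTRIGGERON"
fi

if [[ "${RUN_TRIGGER}" == "NO" ]]; then
  # We got here because some kind of edge case appeared...
  echo "##################################" >&2
  echo "%{NAME}: Not sure what this means" >&2
  echo "CURRENT_INSTALLS_OF_THIS_PACKAGE = ${CURRENT_INSTALLS_OF_THIS_PACKAGE}" >&2
  echo "TRIGGER_ON_PACKAGE (${TRIGGER_ON_PACKAGE_NAME}) = ${TRIGGER_ON_PACKAGE}" >&2
  echo "##################################" >&2
  exit 1
fi
##################### End of Trigger Snippet ########################

if [[ "${RUN_TRIGGER}" == "UpgradeTRIGGERON" ]]; then
  # We are upgrading the trigger package, but not _THIS_ package,
  # so we've already run this once and will not run it again.
  # If the user changed the config themselves, we shouldn't undo their work;
  # if we decide we need to, we can always alter the behavior in the next
  # version of this package.
  exit 0
fi

# The real work lives in a standalone script so that external
# scripts/config tools can apply the same changes if they want.
if ! %{_libexecdir}/%{name}/%{name}.sh; then
  echo "%{NAME}: %{name}.sh failed; sshd_config may be unchanged or partially edited" >&2
fi

# Never hand a running sshd a config it will refuse: a failed restart on a
# remote host locks out every administrator.  condrestart only acts when sshd
# is already running, and a running sshd implies the host keys that
# 'sshd -t' also checks are present, so the test is only meaningful then.
if systemctl -q is-active sshd.service; then
  if [[ -x %{_sbindir}/sshd ]] && %{_sbindir}/sshd -t; then
    systemctl condrestart sshd.service
  else
    echo "%{NAME}: sshd_config failed validation (sshd -t); sshd NOT restarted" >&2
  fi
fi

#####################################################################
%triggerun -p /bin/bash -- openssh-server
##################### BEGIN Trigger Snippet #########################
set -u
TRIGGER_ON_PACKAGE_NAME='openssh-server'

# The following script snippet attempts to classify why we were called.
# rpm passes the trigger two counts: $1 is the number of installed
# instances of _THIS_ package after the transaction, $2 the number of
# installed instances of the trigger package (TRIGGER_ON_PACKAGE_NAME).
#  - on first install of either package, RUN_TRIGGER == "Initial"
#  - on upgrade of _THIS_ package, RUN_TRIGGER == "UpgradeSELF"
#  - on upgrade of the TRIGGERON package, RUN_TRIGGER == "UpgradeTRIGGERON"
#  - on upgrade of the TRIGGERON package but initial install of _THIS_
#    package, RUN_TRIGGER == "InitialSELFUpgradeTRIGGERON"
#  - on upgrade of BOTH packages, RUN_TRIGGER == "UpgradeALL"
#  - on removal of either package, RUN_TRIGGER == "UninstallSELF" /
#    "UninstallTRIGGERON"
CURRENT_INSTALLS_OF_THIS_PACKAGE=${1:-0}
TRIGGER_ON_PACKAGE=${2:-0}
RUN_TRIGGER="NO"

if [[ ${TRIGGER_ON_PACKAGE} -eq 1 ]]; then
  # We only get here if we are NOT doing an upgrade of the trigger package
  if [[ ${CURRENT_INSTALLS_OF_THIS_PACKAGE} -eq 0 ]]; then
    # We only get here if we are removing _THIS_ package
    RUN_TRIGGER="UninstallSELF"
  elif [[ ${CURRENT_INSTALLS_OF_THIS_PACKAGE} -eq 1 ]]; then
    # We only get here if we are NOT doing an upgrade of the trigger package
    # and we are installing _THIS_ package for the first time
    RUN_TRIGGER="Initial"
  elif [[ ${CURRENT_INSTALLS_OF_THIS_PACKAGE} -gt 1 ]]; then
    # We only get here if we are NOT doing an upgrade of the trigger package
    # and we are upgrading _THIS_ package
    RUN_TRIGGER="UpgradeSELF"
  fi
elif [[ ${TRIGGER_ON_PACKAGE} -gt 1 ]]; then
  # We only get here if we are doing an upgrade of the trigger package
  if [[ ${CURRENT_INSTALLS_OF_THIS_PACKAGE} -eq 1 ]]; then
    # We get here if we are doing an upgrade of the trigger package
    # and we are NOT upgrading _THIS_ package
    RUN_TRIGGER="UpgradeTRIGGERON"
    # But, are we installing _THIS_ package as a part of a dependency
    # resolution chain?  Compare install transaction IDs.
    _THIS_TID=$(rpm -q --qf "%{INSTALLTID}\n" "%{NAME}")
    # Find the last installed (ie the current) TRIGGER_ON_PACKAGE_NAME's
    # transaction.
    # NOTE(review): --last supplies its own query format; confirm that the
    # --qf given here is honored, otherwise TID is empty (or a name/date
    # line that grep -v drops) and this branch can never match.
    TID=$(rpm -q --qf "%{INSTALLTID}\n" "${TRIGGER_ON_PACKAGE_NAME}" --last \
      | grep -v -- "${TRIGGER_ON_PACKAGE_NAME}" | head -1)
    if [[ "${_THIS_TID}" == "${TID}" ]]; then
      # if the transaction ID of _THIS_ package is identical to the
      # transaction ID of an installed TRIGGER_ON_PACKAGE_NAME
      # then, we must be upgrading the trigger package and
      # installing _THIS_ package
      RUN_TRIGGER="InitialSELFUpgradeTRIGGERON"
    fi
  elif [[ ${CURRENT_INSTALLS_OF_THIS_PACKAGE} -gt 1 ]]; then
    # We only get here if we are doing an upgrade of the trigger package
    # and we are upgrading _THIS_ package
    RUN_TRIGGER="UpgradeALL"
  fi
elif [[ ${TRIGGER_ON_PACKAGE} -eq 0 ]]; then
  # We only get here if we are removing the trigger package
  RUN_TRIGGER="UninstallTRIGGERON"
fi

if [[ "${RUN_TRIGGER}" == "NO" ]]; then
  # We got here because some kind of edge case appeared...
  echo "##################################" >&2
  echo "%{NAME}: Not sure what this means" >&2
  echo "CURRENT_INSTALLS_OF_THIS_PACKAGE = ${CURRENT_INSTALLS_OF_THIS_PACKAGE}" >&2
  echo "TRIGGER_ON_PACKAGE (${TRIGGER_ON_PACKAGE_NAME}) = ${TRIGGER_ON_PACKAGE}" >&2
  echo "##################################" >&2
  exit 1
fi
##################### End of Trigger Snippet ########################

if [[ "${RUN_TRIGGER}" != "UninstallSELF" ]]; then
  # Only the removal of _THIS_ package undoes the config changes;
  # every other reason for being called is a no-op here.
  exit 0
fi

# The real work lives in a standalone script so that external
# scripts/config tools can apply the same changes if they want.
# "-r" asks it to remove (revert) the configuration it applied.
if ! %{_libexecdir}/%{name}/%{name}.sh -r; then
  echo "%{NAME}: %{name}.sh -r failed; sshd_config may be partially reverted" >&2
fi

# Same guard as on install: do not restart a running sshd into a config it
# will refuse.  openssh-server is still installed on this path (count == 1),
# so its binary is available for the validation run.
if systemctl -q is-active sshd.service; then
  if [[ -x %{_sbindir}/sshd ]] && %{_sbindir}/sshd -t; then
    systemctl condrestart sshd.service
  else
    echo "%{NAME}: sshd_config failed validation (sshd -t); sshd NOT restarted" >&2
  fi
fi

#####################################################################
#####################################################################
#####################################################################
%files
%defattr(0644,root,root,0755)
%doc
%attr(0750,root,root) %{_libexecdir}/%{name}/%{name}.sh

#####################################################################
%changelog
* Mon Nov 2 2015 Pat Riehecky 1.0-4
- remove config on uninstall

* Fri Oct 16 2015 Pat Riehecky 1.0-3.4
- Include link-local addresses in the restricted list
-- This way IPv6 link local is protected even on site

* Fri Oct 9 2015 Pat Riehecky 1.0-3.3
- Better use of augeas node defaults

* Mon Oct 5 2015 Pat Riehecky 1.0-3.2
- Much more flexible scripting, better accounting for edge cases

* Thu Sep 24 2015 Pat Riehecky 1.0-3.1
- Better use of restorecon

* Wed Sep 9 2015 Pat Riehecky 1.0-3
- Script is more declaritive and less "tricky"

* Tue Sep 8 2015 Pat Riehecky 1.0-2.1
- fix typo

* Fri Sep 4 2015 Pat Riehecky 1.0-2
- updated requires list

* Fri Aug 7 2015 Pat Riehecky 1.0-1
- Initial build for EL7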