## START: Set by rpmautospec
## (rpmautospec version 0.8.1)
## RPMAUTOSPEC: autorelease, autochangelog
%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
    release_number = 7;
    base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
    print(release_number + base_release_number - 1);
}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
## END: Set by rpmautospec

#controls whether or not cracklib will be used during the build of the package
#building without cracklib will result in the package not having the
#deny_easy_pass functionality (checking for easily crackable passwords
#using cracklib and dictionaries)
%bcond_without cracklib

#holds the selinux type of targeted for ease of access and modification
#if the selinux policy changes
%global selinuxtype targeted
%global with_selinux 1

#postgresql version and majorversion to build with
%global postgres_major_version 16
%global postgres_version %{postgres_major_version}.8

#postgresql conditions for easy handling of %%configure
#during the build of postgresql
%{!?upgrade:%global upgrade 1}
%{!?plpython3:%global plpython3 1}
%{!?pltcl:%global pltcl 1}
%{!?plperl:%global plperl 1}
%{!?ssl:%global ssl 1}
%{!?icu:%global icu 1}
%{!?kerberos:%global kerberos 1}
%{!?ldap:%global ldap 1}
%{!?nls:%global nls 1}
%{!?uuid:%global uuid 1}
%{!?xml:%global xml 1}
%{!?pam:%global pam 1}
%{!?selinux:%global selinux 1}

%global upstream_name credcheck

Name:           %{upstream_name}
Version:        3.0
Release:        %autorelease
Summary:        PostgreSQL extension for credential checking

License:        PostgreSQL
URL:            https://github.com/HexaCluster/%{upstream_name}
Source0:        https://github.com/HexaCluster/%{upstream_name}/archive/refs/tags/v%{version}.tar.gz
Source2:        https://ftp.postgresql.org/pub/source/v%{postgres_version}/postgresql-%{postgres_version}.tar.bz2
%if %{with cracklib}
#a SELinux rule template to enable reading of the dictionaries
#provided by the cracklib-dict package
#an augmented version of the rule used by cracklib-password-check-plugin
#for mariadb:
#https://mariadb.com/kb/en/cracklib-password-check-plugin/
Source1:        %{upstream_name}.cil
#patch containing the changes to the Makefile necessary to compile the package
#to use the cracklib package as mentioned in README.md on lines 42 and 43
#https://github.com/HexaCluster/credcheck/blob/master/README.md
Patch0:         enable_cracklib.patch
%endif
#patch containing the latest license change taken from commit:
#https://github.com/HexaCluster/credcheck/commit/db7c811a02f286b9ba3e81a219826bf47eca6d4e
Patch1:         upstream_db7c811a02f286b9ba3e81a219826bf47eca6d4e.patch
#patch containing the extra flag for the make process to include link
#time optimization to make sure the code is optimized during linking
#https://en.wikipedia.org/wiki/Interprocedural_optimization#WPO_and_LTO
Patch2:         lto_optimization.patch

%package -n postgresql%{postgres_major_version}-%{upstream_name}
Summary:        PostgreSQL extension for credential checking

#BuildRequires for postgresql
BuildRequires:  lz4-devel
BuildRequires:  perl(ExtUtils::MakeMaker) glibc-devel bison flex gawk
BuildRequires:  perl(ExtUtils::Embed), perl-devel
BuildRequires:  perl(Opcode)
BuildRequires:  perl-generators
BuildRequires:  readline-devel zlib-devel
BuildRequires:  multilib-rpm-config
BuildRequires:  docbook-style-xsl

#additional BuildRequires for postgresql that can be
#turned off using the vars above
%if %plpython3
BuildRequires:  python3-devel
%endif

%if %pltcl
BuildRequires:  tcl-devel
%endif

%if %ssl
BuildRequires:  openssl-devel
%endif

%if %kerberos
BuildRequires:  krb5-devel
%endif

%if %ldap
BuildRequires:  openldap-devel
%endif

%if %nls
BuildRequires:  gettext >= 0.10.35
%endif

%if %uuid
BuildRequires:  uuid-devel
%endif

%if %xml
BuildRequires:  libxml2-devel libxslt-devel
%endif

%if %pam
BuildRequires:  pam-devel
%endif

%if %selinux
BuildRequires:  libselinux-devel
%endif

%if %icu
BuildRequires:  libicu-devel
%endif

BuildRequires:  make gcc
%if %{with cracklib}
BuildRequires:  cracklib-devel cracklib-dicts
%endif

Requires:       postgresql-server > 15 postgresql-server < 17
%if %{with cracklib}
Requires:       cracklib-dicts
%if 0%{?with_selinux}
Requires:       (postgresql%{postgres_major_version}-%{upstream_name}-selinux if selinux-policy-%{selinuxtype})
%endif
%endif

%description
The credcheck PostgreSQL extension provides a few general credential checks,
which will be evaluated during user creation, password change and user
renaming. By using this extension, we can define a set of rules:

- allow a specific set of credentials
- reject a certain type of credentials
- deny password that can be easily cracked
- enforce use of an expiration date with a minimum number of days for a
  password
- define a password reuse policy
- define the number of authentication failures allowed before a user is banned

This extension provides all the checks as configurable parameters. The default
configuration settings will not enforce any complex checks and will try to
allow most of the credentials. By using SET credcheck. TO ; command, enforce
new settings for the credential checks. The settings can only be changed by a
superuser.

%description -n postgresql%{postgres_major_version}-%{upstream_name}
The credcheck PostgreSQL extension provides a few general credential checks,
which will be evaluated during user creation, password change and user
renaming. By using this extension, we can define a set of rules:

- allow a specific set of credentials
- reject a certain type of credentials
- deny password that can be easily cracked
- enforce use of an expiration date with a minimum number of days for a
  password
- define a password reuse policy
- define the number of authentication failures allowed before a user is banned

This extension provides all the checks as configurable parameters. The default
configuration settings will not enforce any complex checks and will try to
allow most of the credentials. By using SET credcheck. TO ; command, enforce
new settings for the credential checks. The settings can only be changed by a
superuser.

%if %{with cracklib} && 0%{?with_selinux}
#The SELinux subpackage
%package -n postgresql%{postgres_major_version}-%{upstream_name}-selinux
Summary:        %{upstream_name} SELinux policy
BuildArch:      noarch
BuildRequires:  selinux-policy-%{selinuxtype}
Requires:       selinux-policy-%{selinuxtype}
Recommends:     postgresql%{postgres_major_version}-%{upstream_name} = %{version}-%{release}
Requires(post): libselinux-utils selinux-policy-%{selinuxtype} policycoreutils

%description -n postgresql%{postgres_major_version}-%{upstream_name}-selinux
SELinux policy for the %{upstream_name} to ensure the dictionaries installed by
the cracklib-dicts package are reachable by this package.
%endif

%prep
%setup -q -n %{upstream_name}-%{version} -a 2
%if %{with cracklib}
%patch -P0 -p1
%endif
%patch -P1 -p1
%patch -P2 -p1

%build
#the build of postgresql
cd postgresql-%{postgres_version}

common_configure_options='
    --disable-rpath
%if %plperl
    --with-perl
%endif
%if %pltcl
    --with-tcl
    --with-tclconfig=/usr/%_lib
%endif
%if %ldap
    --with-ldap
%endif
%if %ssl
    --with-openssl
%endif
%if %pam
    --with-pam
%endif
%if %kerberos
    --with-gssapi
%endif
%if %uuid
    --with-ossp-uuid
%endif
%if %xml
    --with-libxml
    --with-libxslt
%endif
%if %nls
    --enable-nls
%endif
%if %selinux
    --with-selinux
%endif
    --with-system-tzdata=/usr/share/zoneinfo
    --datadir=%_datadir/pgsql
    --with-lz4
%if %icu
    --with-icu
%endif
%if %plpython3
    --with-python
%endif
'

#holds the installed files from postgresql
#this is a fixed path outside the build tree; mkdir (without -p) fails
#if the directory already exists
mkdir /tmp/pgsql

#configures postgresql
%configure $common_configure_options

#builds postgresql
%make_build

#installs the files provided by postgresql into /tmp/pgsql
make install DESTDIR=/tmp/pgsql

cd ..

#the build of credcheck starts here
#this provides the absolute path to pg_config which is required to build credcheck
%make_build PG_CONFIG=/tmp/pgsql%{_bindir}/pg_config

%install
%make_install PG_CONFIG=/tmp/pgsql%{_bindir}/pg_config

#creates the credcheck directory to contain the update scripts
mkdir -p %{buildroot}%{_datadir}/%{upstream_name}

#creates the directories needed for the files of credcheck
mkdir -p %{buildroot}%{_datadir}/pgsql/extension
mkdir -p %{buildroot}%{_libdir}/pgsql

#moves the installed files from the dummy dir containing the local build
#of postgresql into their proper places
mv %{buildroot}/tmp/pgsql%{_datadir}/pgsql/extension/%{upstream_name}--*--*.sql %{buildroot}%{_datadir}/%{upstream_name}
mv %{buildroot}/tmp/pgsql%{_datadir}/pgsql/extension/%{upstream_name}--%{version}.0.sql %{buildroot}%{_datadir}/pgsql/extension
mv %{buildroot}/tmp/pgsql%{_datadir}/pgsql/extension/%{upstream_name}.control %{buildroot}%{_datadir}/pgsql/extension
mv %{buildroot}/tmp/pgsql%{_libdir}/postgresql/%{upstream_name}.so %{buildroot}%{_libdir}/pgsql/

%if %{with cracklib} && 0%{?with_selinux}
install -D -m 0644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{upstream_name}.cil
%endif

#cleans up the local build of postgresql
rm -rf %{buildroot}/tmp

%if %{with cracklib} && 0%{?with_selinux}
#installing selinux rules
%post -n postgresql%{postgres_major_version}-%{upstream_name}-selinux
%selinux_modules_install -s %{selinuxtype} -p 200 %{_datadir}/selinux/packages/%{selinuxtype}/%{upstream_name}.cil

#removing selinux rules
%postun -n postgresql%{postgres_major_version}-%{upstream_name}-selinux
if [ $1 -eq 0 ]; then
    %selinux_modules_uninstall -s %{selinuxtype} %{upstream_name}
fi
%endif

%files -n postgresql%{postgres_major_version}-%{upstream_name}
%doc README.md
%license LICENSE
%{_libdir}/pgsql/%{upstream_name}.so
%{_datadir}/pgsql/extension/%{upstream_name}--%{version}.0.sql
%{_datadir}/pgsql/extension/%{upstream_name}.control
%{_datadir}/%{upstream_name}/%{upstream_name}--*--*.sql
%dir %{_datadir}/%{upstream_name}

%if %{with cracklib} && 0%{?with_selinux}
%files -n postgresql%{postgres_major_version}-%{upstream_name}-selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{upstream_name}.cil
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{upstream_name}
%endif

%changelog
## START: Generated by rpmautospec
* Thu May 22 2025 Pavol Sloboda - 3.0-7
- Updated the Requires and recommends between the main package and the
  selinux subpackage to reflect the rename

* Thu May 22 2025 Pavol Sloboda - 3.0-6
- This is a commit message for the previous commit
  I have unfortunately pushed a commit with an incomplete commit message into
  the epel8 branch which does not allow force pushing, therefore a rebase is
  not possible so this empty commit only exists to amend that commit message:
  I have renamed the base package back to credcheck to keep the srpms called
  credcheck as well to work around the automatisation used in koji and mock
  builds, I have created a subpackage named
  postgresql%%{postgres_major_version}-credcheck to be able to produce the
  correct output rpms and also renamed the selinux subpackage to
  postgresql%%{postgresq_major_version}-credcheck-selinux to keep the naming
  consistent. This now allows me to build the package using koji without
  raising the "epel8 branch not requested for postgresql16-credcheck" error
  during the builds.

* Wed May 21 2025 Pavol Sloboda - 3.0-5
- Rename fix

* Fri May 16 2025 Pavol Sloboda - 3.0-4
- Renamed the package to postgresql16-credcheck to make handling building for
  other versions of postgresql in the future easier.

* Fri May 16 2025 Pavol Sloboda - 3.0-3
- Added the necessary build for postgresql to accommodate the modularity of
  epel8
  This means:
  * a minimal build of postgresql16 inside the build phase
  * "installation" of said builds files into a temporary dir (/tmp/pgsql) to
    ease its deletion later
  * passing the pg_config files location as an argument to the %%make_build
    and %%make_install of credcheck
  * creation of all the necessary directories since postgresql is located in
    a weird spot so they won't be created by it
  * moving all the necessary files of credcheck:
    - credcheck.control
    - credcheck.so
    - credcheck--%%{version}.0.sql
    - credcheck--*--*.sql (the "update" files)
    to their proper place as they will be installed inside the dir that
    postgresql is in, this cannot be overridden using destdir or any other
    means known to me and is caused by the call of pgxs.mk provided by
    postgresql-server-devel inside the makefile of credcheck (the location of
    pgxs.mk can be found using: /usr/bin/pg_config --pgxs)
  * removing the installed files of postgresql16 (as mentioned above they are
    all in /tmp/pgsql)

* Thu May 15 2025 Pavol Sloboda - 3.0-2
- Changed the filepath inside the lto_optimization patch since the target
  file cannot be found without using autosetup inside the spec file.

* Tue May 13 2025 Pavol Sloboda - 3.0-1
- Initial commit containing the clone of the rawhide branch with a new source
  of postgresql 16.8 and the removal of Requires and BuildRequires of
  postgresql-server and postgresql-server-devel to get around the modularity
  of epel8 during build
## END: Generated by rpmautospec