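# Generated by rust2rpm and modified for RVPS
# Follows Fedora Rust Packaging Guidelines
# Uses system-packaged Rust crates (no vendoring, no network downloads)

# TODO(review): shipping without -debuginfo/-debugsource removes symbols that
# incident responders need to read a core dump of this service. The stated
# reason is that the crate is built outside %%{buildsubdir}; revisit whether
# find-debuginfo can be pointed at the isolated tree instead of disabling it.
%global debug_package %{nil}

# Supply-chain note: a moving branch tarball is not reproducible and cannot be
# checksum-pinned in the sources file. Set gitref to a full commit hash before
# submitting. GitHub names the archive's top-level directory trustee-<ref>,
# which %%autosetup relies on below (for a tag, GitHub strips a leading "v";
# adjust -n accordingly).
%global gitref main

Name:           trustee-rvps
Version:        0.1.0
Release:        1%{?dist}
Summary:        Reference Value Provider Service for Trustee

License:        Apache-2.0
URL:            https://github.com/confidential-containers/trustee
# archive/<ref>.tar.gz accepts a branch, tag or commit hash.
Source0:        https://github.com/confidential-containers/trustee/archive/%{gitref}.tar.gz#/trustee-%{version}.tar.gz

# Build dependencies - system tools
BuildRequires:  rust-packaging >= 25
BuildRequires:  gcc
BuildRequires:  protobuf-compiler >= 3.15
# TODO(review): confirm git is still needed; the GitHub tarball has no checkout.
BuildRequires:  git
BuildRequires:  systemd-rpm-macros

# Test dependencies (exercised by %%check)
BuildRequires:  rust-assert-json-diff-devel >= 2.0.2
BuildRequires:  rust-futures-macro-devel
BuildRequires:  rust-futures-timer-devel
BuildRequires:  rust-proc-macro-crate-devel
BuildRequires:  rust-rstest-devel >= 0.18.1
BuildRequires:  rust-serial_test+async-devel >= 3.2.0
BuildRequires:  rust-tokio+full-devel >= 1.0
BuildRequires:  rust-walkdir-devel >= 2.3.2

# Runtime dependencies. ELF library dependencies (glibc etc.) are generated
# automatically and must not be listed by hand.
Requires(pre):  shadow-utils
%{?systemd_requires}

%description
RVPS (Reference Value Provider Service) receives software supply chain
provenances, verifies them, and provides reference values to the Attestation
Service for confidential computing attestation workflows.

RVPS runs as a standalone gRPC service (port 50003 by default) that processes
different provenance types and stores reference values in persistent storage
(LocalFs or LocalJson).

%prep
%autosetup -n trustee-%{gitref}

# rvps is a member of the trustee Cargo workspace and kbs has a path dependency
# on it, so building it in place makes cargo resolve the whole workspace (which
# needs crates Fedora does not ship). Work on a copy placed OUTSIDE the
# workspace tree: from the per-build directory (the parent of the unpacked
# source) copy rvps next to it.
cd ..
# A stale copy from an earlier run would make `cp -r` nest the new copy inside it.
rm -rf rvps-isolated
cp -r trustee-%{gitref}/rvps rvps-isolated
cd rvps-isolated

# The lockfile pins workspace-wide versions that need not match the system registry.
rm -f Cargo.lock

# Replace workspace-inherited dependency declarations with explicit ones that
# match the crate versions packaged in Fedora.
sed -i \
    -e 's/^anyhow\.workspace = true$/anyhow = "1.0"/' \
    -e 's/^async-trait\.workspace = true$/async-trait = "0.1.88"/' \
    -e 's/^base64\.workspace = true$/base64 = "0.22.1"/' \
    -e 's/^cfg-if\.workspace = true$/cfg-if = "1.0.0"/' \
    -e 's/^log\.workspace = true$/log = "0.4.28"/' \
    -e 's/^serde\.workspace = true$/serde = { version = "1.0", features = ["derive"] }/' \
    -e 's/^serde_json\.workspace = true$/serde_json = "1.0.143"/' \
    -e 's/^strum\.workspace = true$/strum = { version = "0.27", features = ["derive"] }/' \
    -e 's/^tempfile\.workspace = true$/tempfile = "3.20.0"/' \
    -e 's/chrono = { workspace = true, features/chrono = { version = "0.4.41", features/' \
    -e 's/clap = { workspace = true, optional/clap = { version = "4", features = ["derive"], optional/' \
    -e 's/config = { workspace = true, optional/config = { version = "0.15", default-features = false, optional/' \
    -e 's/env_logger = { workspace = true, optional/env_logger = { version = "0.10.0", optional/' \
    -e 's/prost = { workspace = true, optional/prost = { version = "0.13", optional/' \
    -e 's/sha2 = { workspace = true, optional/sha2 = { version = "0.10", optional/' \
    -e 's/shadow-rs = { workspace = true, optional/shadow-rs = { version = "0.8.1", optional/' \
    -e 's/tokio = { workspace = true, optional/tokio = { version = "1", features = ["full"], default-features = false, optional/' \
    -e 's/tonic = { workspace = true, optional/tonic = { version = "0.12", optional/' \
    -e 's/^shadow-rs\.workspace = true$/shadow-rs = "0.8.1"/' \
    -e 's/^tonic-build\.workspace = true$/tonic-build = "0.12"/' \
    -e 's/^assert-json-diff\.workspace = true$/assert-json-diff = ">=2.0, <3"/' \
    -e 's/^rstest\.workspace = true$/rstest = ">=0.18, <1"/' \
    -e 's/^serial_test\.workspace = true$/serial_test = { version = ">=3.2, <4", features = ["async"] }/' \
    -e 's/^tokio\.workspace = true$/tokio = { version = "1", features = ["full"], default-features = false }/' \
    Cargo.toml

# Fail here, with the offending lines shown, if upstream added an inherited
# dependency the list above does not rewrite; cargo would otherwise fail later
# with a confusing "not in a workspace" error.
if grep -n 'workspace = true' Cargo.toml; then
    echo "ERROR: unconverted workspace inheritance in rvps/Cargo.toml (see above)" >&2
    exit 1
fi

# Point cargo at the (offline) system registry for the isolated crate.
%cargo_prep

# shadow-rs: Fedora ships 0.8.x, upstream uses the 1.x ShadowBuilder API, so the
# build script is replaced with an equivalent that uses the 0.8 entry point.
# This file overrides upstream's build.rs entirely -- re-diff it against
# upstream on every rebase. Neither optional feature handled in it is enabled
# in this build: `in-toto` needs a Go toolchain (not a BuildRequires) and
# `rebuild-grpc-protos` expects ../protos, which does not exist next to the
# isolated copy; the committed src/rvps_api code is used instead.
cat > build.rs << 'EOF'
use std::process::exit;

/// Build-time work that upstream performs with shadow-rs 1.x, adapted to the
/// shadow-rs 0.8 API that Fedora ships.
///
/// Returns a human-readable error message; `main` turns it into a failed build.
fn real_main() -> Result<(), String> {
    // cargo always sets OUT_DIR for build scripts; its absence is a cargo bug.
    let out_dir = std::env::var("OUT_DIR").expect("cargo sets OUT_DIR for build scripts");
    // Kept from upstream: rerun when the output directory changes.
    println!("cargo:rerun-if-changed={out_dir}");
    println!("cargo:rustc-link-search=native={out_dir}");

    // The in-toto backend links a Go c-archive built from ./cgo/intoto.go.
    // Requires a Go toolchain on the build host; off in the RPM build.
    #[cfg(feature = "in-toto")]
    {
        println!("cargo:rustc-link-lib=static=cgo");
        let cgo = std::process::Command::new("go")
            .args([
                "build",
                "-o",
                &format!("{out_dir}/libcgo.a"),
                "-buildmode=c-archive",
                "intoto.go",
            ])
            .current_dir("./cgo")
            .output()
            .map_err(|e| format!("failed to launch `go build` for the in-toto cgo helper: {e}"))?;
        if !cgo.status.success() {
            // Toolchain stderr is not guaranteed to be UTF-8; never unwrap it.
            return Err(String::from_utf8_lossy(&cgo.stderr).into_owned());
        }
    }

    // Regenerates the gRPC bindings from ../protos; off in the RPM build.
    #[cfg(feature = "rebuild-grpc-protos")]
    tonic_build::configure()
        .out_dir("src/rvps_api")
        .compile_protos(&["../protos/reference.proto"], &["../protos"])
        .map_err(|e| format!("Failed to build gRPC protos: {e}"))?;

    Ok(())
}

fn main() -> shadow_rs::SdResult<()> {
    if let Err(e) = real_main() {
        eprintln!("ERROR: {e}");
        exit(1);
    }
    // shadow-rs 0.8.1 API (Fedora version): embeds build metadata into the binary.
    shadow_rs::new()?;
    Ok(())
}
EOF

%generate_buildrequires
# Every section runs in a fresh shell but on the same build tree, and rpmbuild
# always runs %%prep before this section (also with -br), so the isolated copy
# created there is present; there is no need to repeat the isolation here.
cd ../rvps-isolated || { echo "ERROR: rvps-isolated missing; %%prep did not run" >&2; exit 1; }
%cargo_generate_buildrequires

%build
# Build the isolated copy with system crates (offline, "rpm" profile).
cd ../rvps-isolated
%cargo_build

%check
cd ../rvps-isolated
# The test-only crates are listed under BuildRequires above. If an individual
# test needs network or a Go toolchain, skip it with
#   %%cargo_test -- -- --skip NAME
# rather than dropping this section.
%cargo_test

%install
# Binaries come from the isolated build tree (%%cargo_build uses the "rpm" profile).
install -D -m 0755 ../rvps-isolated/target/rpm/rvps      %{buildroot}%{_bindir}/rvps
install -D -m 0755 ../rvps-isolated/target/rpm/rvps-tool %{buildroot}%{_bindir}/rvps-tool

# Directories listed in %%files must exist in the buildroot.
install -d -m 0755 %{buildroot}%{_sysconfdir}/trustee
install -d -m 0750 %{buildroot}%{_sharedstatedir}/trustee
install -d -m 0750 %{buildroot}%{_sharedstatedir}/trustee/rvps

# systemd unit.
# FIXME(review): the original unit body was lost when this spec was captured
# (text between '<' and '>' was stripped). The unit below is a reconstruction:
# user/group, paths and the binary come from this spec; the sandboxing
# directives are the reviewer's recommended baseline for a network-facing
# service running as a dedicated account. Reconcile with the original and
# confirm the config flag against `rvps --help`.
install -d -m 0755 %{buildroot}%{_unitdir}
cat >%{buildroot}%{_unitdir}/trustee-rvps.service <<'EOF'
[Unit]
Description=Trustee Reference Value Provider Service (RVPS)
Documentation=https://github.com/confidential-containers/trustee
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=trustee
Group=trustee
# TODO: confirm the configuration flag for the packaged commit.
ExecStart=%{_bindir}/rvps --config %{_sysconfdir}/trustee/rvps.json
WorkingDirectory=%{_sharedstatedir}/trustee/rvps
Restart=on-failure
RestartSec=5s

# Sandboxing: RVPS only reads its config and writes its reference-value store.
NoNewPrivileges=yes
CapabilityBoundingSet=
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=%{_sharedstatedir}/trustee/rvps
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target
EOF

# Default configuration: listen on loopback only (the Attestation Service is the
# consumer; expose the port deliberately) and persist reference values in the
# trustee-owned state directory.
# FIXME(review): the original body was lost in capture. The key names below
# follow the storage types named in %%description and must be checked against
# the RVPS configuration reference for the packaged commit.
cat >%{buildroot}%{_sysconfdir}/trustee/rvps.json <<'EOF'
{
  "address": "127.0.0.1:50003",
  "storage": {
    "type": "LocalFs",
    "file_path": "%{_sharedstatedir}/trustee/rvps"
  }
}
EOF

%pre
getent group trustee >/dev/null || groupadd -r trustee
getent passwd trustee >/dev/null || \
    useradd -r -g trustee -d %{_sharedstatedir}/trustee -s /sbin/nologin \
    -c "Trustee service account" trustee
exit 0

%post
%systemd_post trustee-rvps.service

%preun
%systemd_preun trustee-rvps.service

%postun
%systemd_postun_with_restart trustee-rvps.service

%files
%license LICENSE
# Same file as ../rvps-isolated/README.md, addressed inside %%{buildsubdir}.
%doc rvps/README.md
%{_bindir}/rvps
%{_bindir}/rvps-tool
%{_unitdir}/trustee-rvps.service
%dir %attr(0755,root,root) %{_sysconfdir}/trustee
# Readable by the service account only; root keeps ownership so the service
# cannot rewrite its own configuration.
%config(noreplace) %attr(0640,root,trustee) %{_sysconfdir}/trustee/rvps.json
# The parent must be traversable by the trustee group, otherwise the service
# (uid trustee, not in group root) cannot reach its own state directory below.
%dir %attr(0750,root,trustee) %{_sharedstatedir}/trustee
%dir %attr(0750,trustee,trustee) %{_sharedstatedir}/trustee/rvps

%changelog
* Wed Oct 15 2025 Your Name - 0.1.0-1
- Initial package for Fedora 42
- Uses system-packaged Rust crates (follows Fedora Rust guidelines)
- Based on main branch from upstream
- Standalone RVPS service with gRPC API (port 50003)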