%global         _build_id_links none
%global         debug_package %{nil}
%undefine       source_date_epoch_from_changelog
%global         upstream_version 7.15.3
%global         software_name oauth2-proxy

Name:           %{software_name}
Version:        %{upstream_version}
Release:        1%{?dist}
Summary:        A reverse proxy that provides authentication using providers

License:        Apache-2.0
URL:            https://github.com/oauth2-proxy/oauth2-proxy
Source0:        https://github.com/oauth2-proxy/oauth2-proxy/archive/refs/tags/v%{upstream_version}.tar.gz
# Vendored Go modules for offline/limited-network builds.
Source1:        %{software_name}-%{upstream_version}-vendor.tar.gz
# Systemd service file
Source2:        %{software_name}.service
# Systemd socket file
Source3:        %{software_name}.socket
# Sysusers configuration
Source4:        %{software_name}.sysusers
# SELinux policy
Source5:        %{software_name}.te
Source6:        %{software_name}.fc

BuildRequires:  tar, golang, systemd-rpm-macros, selinux-policy-devel, policycoreutils-devel
%{?systemd_requires}

Requires(pre):    policycoreutils
Requires(post):   policycoreutils, libselinux-utils
Requires(postun): policycoreutils

%description
A reverse proxy that provides authentication using providers (Google, GitHub,
and others) to validate accounts by email, domain or group.

%prep
%autosetup -p1 -n %{software_name}-%{upstream_version}

# Use vendored Go modules to minimize network access during build.
tar -xf %{SOURCE1}
if [ ! -d vendor ]; then
    echo "ERROR: vendor/ directory not found. Provide a vendored modules tarball via Source1." >&2
    exit 1
fi

# Prepare SELinux policy
mkdir -p selinux
cp %{SOURCE5} %{SOURCE6} selinux/

%build
export GOPROXY=off
export GOSUMDB=off
export GOMODCACHE="$PWD/.gomodcache"

CGO_ENABLED=0 go build \
    -v \
    -trimpath \
    -mod=vendor \
    -modcacherw \
    -buildvcs=false \
    -ldflags="-X github.com/oauth2-proxy/oauth2-proxy/v7/pkg/version.VERSION=%{upstream_version}" \
    -o %{software_name} \
    .

# Build SELinux policy module
make -f %{_datadir}/selinux/devel/Makefile %{software_name}.pp

%install
# Install binary
install -Dsm755 %{software_name} -t %{buildroot}%{_bindir}

# Install systemd service files
install -Dm644 %{SOURCE2} -t %{buildroot}%{_unitdir}
install -Dm644 %{SOURCE3} -t %{buildroot}%{_unitdir}

# Install sysusers configuration
install -Dm644 %{SOURCE4} %{buildroot}%{_sysusersdir}/%{software_name}.conf

# Install example configuration
install -Dm644 contrib/%{software_name}.cfg.example \
    %{buildroot}%{_sysconfdir}/%{software_name}/%{software_name}.cfg.example

# Install bash completion
install -Dm644 contrib/%{software_name}_autocomplete.sh \
    %{buildroot}%{_datadir}/bash-completion/completions/%{software_name}

# Install SELinux policy module
install -Dm644 %{software_name}.pp \
    %{buildroot}%{_datadir}/selinux/packages/%{software_name}.pp

%check

%pre
%if 0%{?suse_version}
%service_add_pre %{software_name}.service %{software_name}.socket
%sysusers_create %{SOURCE4}
%else
%sysusers_create_compat %{SOURCE4}
%endif

%post
%if 0%{?suse_version}
%service_add_post %{software_name}.service %{software_name}.socket
%else
%systemd_post %{software_name}.service %{software_name}.socket
%endif

# Load SELinux policy module when SELinux is enabled
if [ -x /usr/sbin/semodule ] && [ -f %{_datadir}/selinux/packages/%{software_name}.pp ]; then
    if [ "$(getenforce 2>/dev/null)" != "Disabled" ]; then
        semodule -i %{_datadir}/selinux/packages/%{software_name}.pp
        restorecon -Rv /run/%{software_name} 2>/dev/null || :
    fi
fi

%preun
%if 0%{?suse_version}
%service_del_preun %{software_name}.service %{software_name}.socket
%else
%systemd_preun %{software_name}.service %{software_name}.socket
%endif

%postun
%if 0%{?suse_version}
%service_del_postun %{software_name}.service %{software_name}.socket
%else
%systemd_postun_with_restart %{software_name}.service
%endif

# Remove SELinux policy module on full package removal
if [ "$1" -eq 0 ] && [ -x /usr/sbin/semodule ]; then
    if [ "$(getenforce 2>/dev/null)" != "Disabled" ]; then
        semodule -r %{software_name} 2>/dev/null || :
    fi
fi

%files
%license LICENSE
%doc contrib/%{software_name}.cfg.example
%{_bindir}/%{software_name}
%{_unitdir}/%{software_name}.service
%{_unitdir}/%{software_name}.socket
%{_sysusersdir}/%{software_name}.conf
%dir %{_sysconfdir}/%{software_name}
%{_sysconfdir}/%{software_name}/%{software_name}.cfg.example
%{_datadir}/bash-completion/completions/%{software_name}
%{_datadir}/selinux/packages/%{software_name}.pp

%changelog