#
# Copyright 2023 Google LLC
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# Ebuild for localtoast, Google's CIS benchmark scanner. It is installed as
# the cis_scanner binary together with a merged benchmark config and the
# systemd units that run it (see src_install below).
EAPI=7
# go-module: handles the vendored Go dependency tarball; systemd: unit
# installation helpers used in src_install.
inherit go-module systemd
DESCRIPTION="Google CIS Scanner"
HOMEPAGE="https://github.com/google/localtoast"
# Three inputs: the upstream release archive, a grafeas checkout pinned to the
# commit whose proto/v1 directory src_compile copies into the tree (the hash
# here and in src_compile must stay in sync), and the Go module dependency
# bundle (presumably in the go-module eclass layout — confirm against how
# ${P}-deps.tar.xz is produced). All three are verified against the Manifest
# digests before the build runs.
SRC_URI="https://github.com/google/localtoast/archive/${PV}.tar.gz -> ${P}.tar.gz
grafeas-0163b5bb2ff5afbf059ddf472fb4d128faae85e3.tar.gz
${P}-deps.tar.xz"
# In order to list licenses of dependencies, build the package and run
# `go-licenses csv "github.com/google/localtoast"`
LICENSE="Apache-2.0 BSD MPL-2.0"
SLOT="0"
KEYWORDS="*"
IUSE=""
# No build-time dependencies beyond the toolchain. At runtime the scanner
# requires app-admin/cis-compliance (what that package contributes is not
# visible here — presumably benchmark inputs; verify).
DEPEND=""
RDEPEND="${DEPEND}
app-admin/cis-compliance
"
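#######################################
# Rewrite the go_package option of one .proto file to a localtoast package.
# Arguments: $1 - proto file (relative to ${S})
#            $2 - Go package name, appended to github.com/google/localtoast/scannerlib/proto
# Dies if sed fails or if the file does not carry the expected option afterwards
# (sed -i exits 0 even when the pattern never matched, which would otherwise let
# stale go_package paths reach protoc unnoticed).
#######################################
localtoast_set_go_package() {
	local proto_file=$1 pkg_name=$2
	local go_pkg="github.com/google/localtoast/scannerlib/proto/${pkg_name}"
	# '|' delimits the s command because the replacement path contains '/'.
	sed -i "s|option go_package = \".*\";|option go_package = \"${go_pkg}\";|g" \
		"${proto_file}" || die "failed to set go_package in ${proto_file}"
	grep -q -F -- "option go_package = \"${go_pkg}\";" "${proto_file}" \
		|| die "go_package option not found in ${proto_file} after rewrite"
}

#######################################
# Generate the Go protobuf bindings localtoast needs, then build the scanner
# as a static (CGO_ENABLED=0) binary.
# Globals:   WORKDIR (read), GO/GOTRACEBACK (exported)
# Arguments: none; runs inside ${S}
# Returns:   0 on success; dies on any failed step so a broken proto rewrite
#            cannot produce a binary built against stale definitions.
#######################################
src_compile() {
	local grafeas_commit="0163b5bb2ff5afbf059ddf472fb4d128faae85e3"
	local grafeas_dir="${WORKDIR}/grafeas-${grafeas_commit}"

	export GOTRACEBACK="crash"
	GO=$(tc-getGO) || die "tc-getGO failed"
	export GO

	# grafeas has to be fetched separately as upstream does not provide
	# compiled versions that could be pinned in go.sum. The commit must match
	# the one in localtoast's build_protos.sh; when bumping it, update the
	# local mirror, SRC_URI and grafeas_commit above together.
	mv "${grafeas_dir}"/proto/v1 scannerlib/proto || die "failed to stage grafeas protos"
	# Remove the remainder of the checkout. The previous cleanup targeted
	# ${WORKDIR}/<commit> without the "grafeas-" prefix, so it never matched
	# the directory that was actually unpacked.
	rm -rf "${grafeas_dir}"

	# Point the generated Go packages at localtoast's own import paths.
	localtoast_set_go_package scannerlib/proto/v1/compliance.proto compliance_go_proto
	localtoast_set_go_package scannerlib/proto/v1/severity.proto severity_go_proto

	# Compile the scanner's own protos plus the two grafeas ones.
	protoc -I=scannerlib --go_out=scannerlib/proto \
		scannerlib/proto/*.proto \
		scannerlib/proto/v1/compliance.proto \
		scannerlib/proto/v1/severity.proto || die "protoc failed"

	# protoc-gen-go nests its output under the full import path; flatten it
	# back into scannerlib/proto and drop the empty github.com tree.
	mv scannerlib/proto/github.com/google/localtoast/scannerlib/proto/* scannerlib/proto/ \
		|| die "failed to relocate generated protos"
	rm -r scannerlib/proto/github.com || die "failed to remove generated import tree"

	# Build the CIS Scanner. CGO is disabled so the binary carries no libc
	# runtime dependency. ${GO} stays unquoted on purpose: tc-get* helpers may
	# return a multi-word command.
	# shellcheck disable=SC2086
	CGO_ENABLED=0 ${GO} build localtoast.go || die "go build failed"
}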
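#######################################
# Install the scanner binary, its merged CIS benchmark config, and the
# per-architecture environment file and systemd units.
# Globals:   ARCH, FILESDIR (read)
# Arguments: none; runs inside ${S}
# Returns:   0 on success; the install helpers die on failure (EAPI 7), and
#            an unsupported ARCH dies before anything is installed.
#######################################
src_install() {
	local config_dir="/usr/share/google/security/cis-compliance"
	# cos_97 is the latest config tree at the time of writing; bump this when
	# the scanner's benchmark config moves to a newer branch.
	local config_release="cos_97"
	local arch_suffix

	# Only architectures that ship an env file and unit files are supported.
	# Checked up front so an unsupported build fails before doing any work.
	case "${ARCH}" in
		arm64|amd64) arch_suffix=${ARCH} ;;
		*) die "unsupported architecture: ${ARCH}" ;;
	esac

	ebegin "Installing CIS Scanner"
	newbin localtoast cis_scanner

	# The configs are split into general_linux and COS-specific benchmarks;
	# `make configs` merges them into one full config per COS branch.
	emake configs
	insinto "${config_dir}"
	newins "configs/full/${config_release}/instance_scanning.textproto" cis_config.textproto

	# Environment variables consumed by the cis-compliance-scanner units.
	insinto /etc/cis-scanner
	newins "${FILESDIR}/env_vars_${arch_suffix}" env_vars

	# Units are shipped per architecture but installed under a common name
	# so the rest of the system does not need to know the suffix.
	systemd_newunit "${FILESDIR}/cis-compliance-scanner-${arch_suffix}.service" cis-compliance-scanner.service
	systemd_newunit "${FILESDIR}/cis-level1-${arch_suffix}.service" cis-level1.service
	systemd_newunit "${FILESDIR}/cis-level2-${arch_suffix}.service" cis-level2.service
	# The timer is installed but not enabled here.
	systemd_dounit "${FILESDIR}/cis-compliance-scanner.timer"

	# Start cis-level1.service at bootup time.
	systemd_enable_service multi-user.target cis-level1.service
	eend $?
}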