kuksa-val: Rework to support updated SSL certificates
[AGL/meta-agl-demo.git] / recipes-connectivity / kuksa-val / kuksa-val_git.bb
index 04f6f4f..a894f01 100644 (file)
@@ -14,17 +14,12 @@ DEPENDS = "boost openssl mosquitto protobuf-native grpc-native grpc"
 require kuksa-val.inc
 
 SRC_URI += "file://kuksa-val.service \
-            file://0001-Make-Boost-requirements-more-liberal.patch;striplevel=2 \
-            file://0002-Fix-gRPC-configuration-for-OE-cross-compiling.patch;striplevel=2 \
-            file://0003-Make-install-locations-configurable.patch;striplevel=2 \
-            file://0004-Disable-default-fetch-and-build-of-googletest.patch;striplevel=2 \
-            file://0005-kuksa-val-server-Add-missing-check_git-dependency.patch;striplevel=2 \
-            file://Server.key \
-            file://Server.pem \
+            file://0001-Make-Boost-requirements-more-liberal.patch;patchdir=.. \
+            file://0002-Fix-gRPC-configuration-for-OE-cross-compiling.patch;patchdir=.. \
+            file://0003-Make-install-locations-configurable.patch;patchdir=.. \
+            file://0004-Disable-default-fetch-and-build-of-googletest.patch;patchdir=.. \
+            file://0005-kuksa-val-server-Add-missing-check_git-dependency.patch;patchdir=.. \
 "
-# NOTE: Ideally this would be applied, but our S definition makes it problematic:
-#   file://0001-genCerts.sh-add-Subject-Alt-Name-extension-to-server.patch;striplevel=?
-#
 
 S = "${WORKDIR}/git/kuksa-val-server"
 
@@ -32,10 +27,11 @@ inherit cmake pkgconfig systemd useradd
 
 SYSTEMD_SERVICE:${PN} = "kuksa-val.service"
 
-USERADD_PACKAGES = "${PN}"
+USERADD_PACKAGES = "${PN} ${PN}-server-certificates"
 USERADDEXTENSION = "useradd-staticids"
 GROUPADD_PARAM:${PN} = "-g 900 kuksa ;"
 USERADD_PARAM:${PN} = "--system -g 900 -u 900 -o -d / --shell /bin/nologin kuksa ;"
+GROUPADD_PARAM:${PN}-server-certificates = "-g 900 kuksa ;"
 
 # Configure file locations more along the lines of FHS instead of kuksa.val's
 # default locations.
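Review bot: The new USERADD_PACKAGES entry and the added GROUPADD_PARAM line name a package `${PN}-server-certificates`, but the package this same change actually creates (PACKAGE_BEFORE_PN / FILES in the later hunk) is `${PN}-certificates-server`. As written the group entry is attached to a name that is never in PACKAGES, so the kuksa group will presumably not be created when only the server certificate package is installed; what useradd.bbclass does with a package name it cannot find is not visible here. Change both lines to `USERADD_PACKAGES = "${PN} ${PN}-certificates-server"` and `GROUPADD_PARAM:${PN}-certificates-server = "-g 900 kuksa ;"`.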
@@ -55,39 +51,37 @@ do_install:append() {
         install -d ${D}${systemd_system_unitdir}
         install -m 0644 ${WORKDIR}/kuksa-val.service ${D}${systemd_system_unitdir}
     fi
-
-    # Install replacement server key + certificate
-    # These are AGL specific versions generated using a tweaked
-    # genCerts.sh script from the source tree that adds the now
-    # required subjectAltName extension field to make python3-ssl
-    # happy.  This will be addressed with upstream and can hopefully
-    # be dropped in the future.
-    rm -f ${D}${sysconfdir}/kuksa-val/Server.key
-    install ${WORKDIR}/Server.key ${D}${sysconfdir}/kuksa-val/
-    rm -f ${D}${sysconfdir}/kuksa-val/Server.pem
-    install ${WORKDIR}/Server.pem ${D}${sysconfdir}/kuksa-val/
-
-    # Restrict server certificate access
-    # NOTE: The client certificates are left alone here for client
-    #       development convenience for now, but this will need to
-    #       be revisited.
-    chmod 640 ${D}${sysconfdir}/kuksa-val/Server.key
-    chgrp 900 ${D}${sysconfdir}/kuksa-val/Server.key
-    chmod 640 ${D}${sysconfdir}/kuksa-val/Server.pem
-    chgrp 900 ${D}${sysconfdir}/kuksa-val/Server.pem
 }
 
-# Put client certificates into their own package so we can avoid
-# duplicates of them for e.g. cluster clients.  Longer term this
-# will need to be revisited.
-PACKAGE_BEFORE_PN += "${PN}-client-certificates"
+# Put certificates into their own packages so we can avoid duplicates
+# of them for e.g. cluster clients, and so downstream users can
+# replace them with their own certificates.
+#
+# NOTE:
+#   Downstream users can replace these packages with alternates by
+#   having their packages set their RPROVIDES to include the desired
+#   kuksa-val-certificates-* and explicitly adding their package(s)
+#   to an image, they will end up getting priority during rootfs
+#   construction and installed instead of the default ones here.
+
+PACKAGE_BEFORE_PN += "${PN}-certificates-ca ${PN}-certificates-server ${PN}-certificates-client"
+
+FILES:${PN}-certificates-ca = " \
+    ${sysconfdir}/kuksa-val/CA.pem \
+"
 
-FILES:${PN}-client-certificates = " \
+FILES:${PN}-certificates-server = " \
+    ${sysconfdir}/kuksa-val/Server.key \
+    ${sysconfdir}/kuksa-val/Server.pem \
+"
+RDEPENDS:${PN}-certificates-server += "${PN}-certificates-ca"
+
+FILES:${PN}-certificates-client = " \
     ${sysconfdir}/kuksa-val/Client.key \
     ${sysconfdir}/kuksa-val/Client.pem \
-    ${sysconfdir}/kuksa-val/CA.pem \
 "
+RDEPENDS:${PN}-certificate-clients += "${PN}-certificates-ca"
 
 FILES:${PN} += "${systemd_system_unitdir} ${datadir}"
 
-RDEPENDS:${PN} += "${PN}-client-certificates"
+RDEPENDS:${PN} += "${PN}-certificates-server ${PN}-certificates-client"
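Review bot: The added `RDEPENDS:${PN}-certificate-clients += "${PN}-certificates-ca"` targets a package name that is not defined anywhere in the recipe (the client package is `${PN}-certificates-client`), so the client certificate package will not pull in the CA package on its own; it should read `RDEPENDS:${PN}-certificates-client += "${PN}-certificates-ca"`. Separately, the removed chmod 640 / chgrp 900 lines were the only visible place where the Server.key private key received restricted mode and group ownership; whether kuksa-val.inc or the upstream install step now applies an equivalent restriction is not visible in this diff, and since the kuksa group is now meant to be created by the certificate package's own preinst, a comment recording where that ownership is applied would help the next reader. do_install:append begins outside this hunk.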