From 11323fa1ed396e3e16f4df327911bc9c60cc6e01 Mon Sep 17 00:00:00 2001
From: Jan-Simon Moeller
Date: Fri, 31 Mar 2023 15:36:25 +0200
Subject: [PATCH] Rework nss-agl-driver-db to be a systemd unit at runtime

This avoids the issues seen with access rights changes on /home/agl-driver and will replace https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl-demo/+/28587

Bug-AGL: SPEC-4599
Change-Id: If01ffc9623208edd7a7705739465fa8fca764b74
Signed-off-by: Jan-Simon Moeller
---
 recipes-connectivity/kuksa-val/kuksa-val_git.bb | 9 ++------
 .../nss-agl-driver-db/nss-agl-driver-db.service | 12 ++++++++++
 .../nss/nss-agl-driver-db/nss-agl-driver-db.sh | 19 ++++++++++++++++
 recipes-core/nss/nss-agl-driver-db_git.bb | 26 +++++++++++++++-------
 .../packagegroup-agl-demo-platform-html5.bb | 4 ++++
 5 files changed, 55 insertions(+), 15 deletions(-)
 create mode 100644 recipes-core/nss/nss-agl-driver-db/nss-agl-driver-db.service
 create mode 100755 recipes-core/nss/nss-agl-driver-db/nss-agl-driver-db.sh

diff --git a/recipes-connectivity/kuksa-val/kuksa-val_git.bb b/recipes-connectivity/kuksa-val/kuksa-val_git.bb
index 48cda1081..04f6f4f64 100644
--- a/recipes-connectivity/kuksa-val/kuksa-val_git.bb
+++ b/recipes-connectivity/kuksa-val/kuksa-val_git.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://../LICENSE;md5=2b42edef8fa55315f34f2370b4715ca9 \
 file://3rd-party-libs/turtle/LICENSE_1_0.txt;md5=e4224ccaecb14d942c71d31bef20d78c \
 file://3rd-party-libs/jwt-cpp/LICENSE;md5=8325a5ce4414c65ffdda392e0d96a9ff"
-DEPENDS = "boost openssl mosquitto nss protobuf-native grpc-native grpc"
+DEPENDS = "boost openssl mosquitto protobuf-native grpc-native grpc"
 require kuksa-val.inc
@@ -77,11 +77,6 @@ do_install:append() {
 chgrp 900 ${D}${sysconfdir}/kuksa-val/Server.pem
 }
-pkg_postinst_ontarget:${PN}-client-certificates () {
- certutil -A -d /home/agl-driver/.pki/nssdb -n "KuksaRootCA" -t "pC,," -i ${sysconfdir}/kuksa-val/CA.pem
- chown agl-driver:agl-driver -R /home/agl-driver/
-}
-
 # Put client certificates into their own package so we can avoid
 # duplicates of them for e.g. cluster clients. Longer term this
 # will need to be revisited.
@@ -95,4 +90,4 @@ FILES:${PN}-client-certificates = " \
 FILES:${PN} += "${systemd_system_unitdir} ${datadir}"
-RDEPENDS:${PN} += "${PN}-client-certificates nss-agl-driver-db"
+RDEPENDS:${PN} += "${PN}-client-certificates"
diff --git a/recipes-core/nss/nss-agl-driver-db/nss-agl-driver-db.service b/recipes-core/nss/nss-agl-driver-db/nss-agl-driver-db.service
new file mode 100644
index 000000000..48eca3921
--- /dev/null
+++ b/recipes-core/nss/nss-agl-driver-db/nss-agl-driver-db.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Deploy Kuksa certificates to /home/agl-driver/.pki/
+After=local-fs.target
+Before=agl-session@agl-driver.service
+ConditionPathExists=!/home/agl-driver/.pki
+[Service]
+User=agl-driver
+ExecStart=/usr/sbin/nss-agl-driver-db.sh
+[Install]
+WantedBy=multi-user.target
diff --git a/recipes-core/nss/nss-agl-driver-db/nss-agl-driver-db.sh b/recipes-core/nss/nss-agl-driver-db/nss-agl-driver-db.sh
new file mode 100755
index 000000000..1a8351bf9
--- /dev/null
+++ b/recipes-core/nss/nss-agl-driver-db/nss-agl-driver-db.sh
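Review bot: The unit depends on `Before=agl-session@agl-driver.service` to have the NSS DB populated before the driver session starts, but with the default `Type=simple` systemd treats the service as started the moment the script is exec'd, so the ordering does not wait for certutil to finish and the session can race the deployment. Adding `Type=oneshot` and `RemainAfterExit=yes` under `[Service]` makes the `Before=` ordering wait for the script to complete and keeps the unit reported as active afterwards. Note also that the condition tests `/home/agl-driver/.pki` while the script tests `.pki/nssdb`: if a run fails after the directory has been created (presumably a certutil error), the unit will be skipped on every later boot and the half-initialised DB is never repaired, so conditioning on the `nssdb` directory is safer. Since the script only reads `/etc/kuksa-val/CA.pem` and writes under the driver's home, `ProtectSystem=strict` with `ReadWritePaths=/home/agl-driver` would be cheap additional sandboxing for this unprivileged oneshot.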
@@ -0,0 +1,19 @@
+#!/bin/bash
+set -e
+
+# TLDR we need this file for chromium to connect back to kuksa.
+
+# check if directory already exists and bail out
+if test -d /home/agl-driver/.pki/nssdb ; then
+ echo "Directory already exists! Doing nothing."
+ exit 127
+fi
+
+# setup empty db in subfolder
+mkdir -p /home/agl-driver/.pki/nssdb
+certutil -N -d /home/agl-driver/.pki/nssdb --empty-password
+
+# deploy cert into local db
+certutil -A -d /home/agl-driver/.pki/nssdb -n "KuksaRootCA" -t "pC,," -i /etc/kuksa-val/CA.pem
+
+#chown -R agl-driver:agl-driver /home/agl-driver/.pki/nssdb
diff --git a/recipes-core/nss/nss-agl-driver-db_git.bb b/recipes-core/nss/nss-agl-driver-db_git.bb
index 3d8aa5f4b..c32ba71d2 100644
--- a/recipes-core/nss/nss-agl-driver-db_git.bb
+++ b/recipes-core/nss/nss-agl-driver-db_git.bb
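Review bot: The script creates the NSS DB before it checks that `/etc/kuksa-val/CA.pem` is readable, so under `set -e` a missing or unreadable CA file aborts after `mkdir -p` and `certutil -N` have already run and leaves an empty `nssdb` behind; the guard at the top (and the unit's `ConditionPathExists`) then skips every later run, so the driver would end up with a trust store that never contains KuksaRootCA. Verifying the CA file first, building the DB in a temporary directory and renaming it into place only on success makes the script safe to re-run. Setting `umask 077` before creating anything keeps the store private to agl-driver rather than relying on whatever umask the service inherits, which is what the now commented-out `chown` at the end appears to have been reaching for. The "already exists" branch exits with 127, which conventionally means "command not found" and would mark the unit as failed; a no-op should `exit 0`.
```shell
# … unchanged: shebang, set -e, TLDR comment …

NSSDIR=/home/agl-driver/.pki/nssdb
CA=/etc/kuksa-val/CA.pem

# … unchanged: "already exists" check, now exiting 0 instead of 127 …

# refuse to create a DB we cannot populate
if [ ! -r "$CA" ]; then
    echo "$CA is missing or unreadable" >&2
    exit 1
fi

# build the db in a private scratch dir and move it into place only on success
umask 077
mkdir -p /home/agl-driver/.pki
TMPDB=$(mktemp -d /home/agl-driver/.pki/nssdb.XXXXXX)
trap 'rm -rf "$TMPDB"' EXIT

certutil -N -d "$TMPDB" --empty-password
certutil -A -d "$TMPDB" -n "KuksaRootCA" -t "pC,," -i "$CA"

mv "$TMPDB" "$NSSDIR"
trap - EXIT
```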
@@ -3,20 +3,30 @@ DESCRIPTION = "Custom nss db hosting the kuksa certificates for chromium"
 AUTHOR = "Jan-Simon Moeller "
 HOMEPAGE = "https://git.automotivelinux.org"
 LICENSE = "MIT"
-DEPENDS = " agl-session nss-native"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
 PV = "0.1"
+SRC_URI = "file://${BPN}.service \
+ file://${BPN}.sh \
+ "
+
+inherit systemd
+
+SYSTEMD_SERVICE:${PN} = "${BPN}.service"
+
 do_configure[noexec] = "1"
 do_compile[noexec] = "1"
 do_install() {
- mkdir -p ${D}/home/agl-driver/.pki/nssdb
- certutil -N -d ${D}/home/agl-driver/.pki/nssdb --empty-password
- chown -R 1001:1001 ${D}/home/agl-driver
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}${systemd_system_unitdir}
+ install -d ${D}${sbindir}
+ install -m 0644 ${WORKDIR}/${BPN}.service ${D}${systemd_system_unitdir}
+ install -m 0755 ${WORKDIR}/${BPN}.sh ${D}${sbindir}
+ fi
 }
-pkg_postinst_ontarget:${PN} () {
- chown agl-driver:agl-driver -R /home/agl-driver/
-}
+FILES:${PN} += "${systemd_system_unitdir} ${sbindir}"
-FILES:${PN} += "/home/agl-driver/.pki/*"
+RDEPENDS:${PN} += "nss agl-session kuksa-val-client-certificates bash"
diff --git a/recipes-platform/packagegroups/packagegroup-agl-demo-platform-html5.bb b/recipes-platform/packagegroups/packagegroup-agl-demo-platform-html5.bb
index 4ef782215..1f1984d84 100644
--- a/recipes-platform/packagegroups/packagegroup-agl-demo-platform-html5.bb
+++ b/recipes-platform/packagegroups/packagegroup-agl-demo-platform-html5.bb
@@ -38,3 +38,7 @@ RDEPENDS:${PN}:append = " \
 qtquickcontrols2-agl-style \
 ${AGL_APPS} \
 "
+
+# nss-agl-driver-db is required to connect to kuksa
+RDEPENDS:${PN}:append = " nss-agl-driver-db "
+
-- 
2.16.6
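Review bot: `do_install` places `nss-agl-driver-db.sh` in `${sbindir}` even though the unit runs it as the unprivileged `agl-driver` user; `/usr/sbin` conventionally holds administrator binaries, and `${libexecdir}` is the usual home for an internal service helper (the `ExecStart=` path in the unit would have to follow). The shell guard on DISTRO_FEATURES also leaves an empty package that still pulls in nss, agl-session, bash and the client certificates via the unconditional `RDEPENDS` when systemd is absent; since the recipe does nothing without systemd, `inherit features_check systemd` with `REQUIRED_DISTRO_FEATURES = "systemd"` states that directly and lets the install steps run unconditionally. Moving `nss` from the old build-time `nss-native` DEPENDS to a runtime RDEPENDS is the right consequence of certutil now running on the target, and pairing it with `kuksa-val-client-certificates` ensures `/etc/kuksa-val/CA.pem` is present when the script reads it.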