#!/bin/bash
# License: GNU GPLv2
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.

#!/hint/bash
# This may be included with or without `set -euE`

# License: Unspecified

[[ -z ${_INCLUDE_COMMON_SH:-} ]] || return 0
_INCLUDE_COMMON_SH="$(set +o|grep nounset)"

set +u +o posix
# shellcheck disable=1091
. /usr/share/makepkg/util.sh
$_INCLUDE_COMMON_SH

# Avoid any encoding problems
export LANG=C

shopt -s extglob

# check if messages are to be printed using color
if [[ -t 2 ]]; then
	colorize
else
	# shellcheck disable=2034
	declare -gr ALL_OFF='' BOLD='' BLUE='' GREEN='' RED='' YELLOW=''
fi

stat_busy() {
	local mesg=$1; shift
	# shellcheck disable=2059
	printf "${GREEN}==>${ALL_OFF}${BOLD} ${mesg}...${ALL_OFF}" "$@" >&2
}

stat_done() {
	# shellcheck disable=2059
	printf "${BOLD}done${ALL_OFF}\n" >&2
}

_setup_workdir=false
setup_workdir() {
	[[ -z ${WORKDIR:-} ]] && WORKDIR=$(mktemp -d --tmpdir "${0##*/}.XXXXXXXXXX")
	_setup_workdir=true
	trap 'trap_abort' INT QUIT TERM HUP
	trap 'trap_exit' EXIT
}

cleanup() {
	if [[ -n ${WORKDIR:-} ]] && $_setup_workdir; then
		rm -rf "$WORKDIR"
	fi
	exit "${1:-0}"
}

abort() {
	error 'Aborting...'
	cleanup 255
}

trap_abort() {
	trap - EXIT INT QUIT TERM HUP
	abort
}

trap_exit() {
	local r=$?
	trap - EXIT INT QUIT TERM HUP
	cleanup $r
}

die() {
	(( $# )) && error "$@"
	cleanup 255
}

##
#  usage : lock( $fd, $file, $message, [ $message_arguments... ] )
##
lock() {
	# Only reopen the FD if it wasn't handed to us
	if ! [[ "/dev/fd/$1" -ef "$2" ]]; then
		mkdir -p -- "$(dirname -- "$2")"
		eval "exec $1>"'"$2"'
	fi

	if ! flock -n "$1"; then
		stat_busy "${@:3}"
		flock "$1"
		stat_done
	fi
}

##
#  usage : slock( $fd, $file, $message, [ $message_arguments... ] )
##
slock() {
	# Only reopen the FD if it wasn't handed to us
	if ! [[ "/dev/fd/$1" -ef "$2" ]]; then
		mkdir -p -- "$(dirname -- "$2")"
		eval "exec $1>"'"$2"'
	fi

	if ! flock -sn "$1"; then
		stat_busy "${@:3}"
		flock -s "$1"
		stat_done
	fi
}

##
#  usage : lock_close( $fd )
##
lock_close() {
	local fd=$1
	# https://github.com/koalaman/shellcheck/issues/862
	# shellcheck disable=2034
	exec {fd}>&-
}

##
# usage: pkgver_equal( $pkgver1, $pkgver2 )
##
pkgver_equal() {
	if [[ $1 = *-* && $2 = *-* ]]; then
		# if both versions have a pkgrel, then they must be an exact match
		[[ $1 = "$2" ]]
	else
		# otherwise, trim any pkgrel and compare the bare version.
		[[ ${1%%-*} = "${2%%-*}" ]]
	fi
}

##
#  usage: find_cached_package( $pkgname, $pkgver, $arch )
#
#    $pkgver can be supplied with or without a pkgrel appended.
#    If not supplied, any pkgrel will be matched.
##
find_cached_package() {
	local searchdirs=("$PWD" "$PKGDEST") results=()
	local targetname=$1 targetver=$2 targetarch=$3
	local dir pkg pkgbasename name ver rel arch r results

	for dir in "${searchdirs[@]}"; do
		[[ -d $dir ]] || continue

		for pkg in "$dir"/*.pkg.tar?(.?z); do
			[[ -f $pkg ]] || continue

			# avoid adding duplicates of the same inode
			for r in "${results[@]}"; do
				[[ $r -ef $pkg ]] && continue 2
			done

			# split apart package filename into parts
			pkgbasename=${pkg##*/}
			pkgbasename=${pkgbasename%.pkg.tar?(.?z)}

			arch=${pkgbasename##*-}
			pkgbasename=${pkgbasename%-"$arch"}

			rel=${pkgbasename##*-}
			pkgbasename=${pkgbasename%-"$rel"}

			ver=${pkgbasename##*-}
			name=${pkgbasename%-"$ver"}

			if [[ $targetname = "$name" && $targetarch = "$arch" ]] &&
					pkgver_equal "$targetver" "$ver-$rel"; then
				results+=("$pkg")
			fi
		done
	done

	case ${#results[*]} in
		0)
			return 1
			;;
		1)
			printf '%s\n' "${results[0]}"
			return 0
			;;
		*)
			error 'Multiple packages found:'
			printf '\t%s\n' "${results[@]}" >&2
			return 1
	esac
}

#!/hint/bash
# License: Unspecified
:

# shellcheck disable=2034
CHROOT_VERSION='v4'

##
#  usage : check_root $keepenv
##
orig_argv=("$0" "$@")
check_root() {
	local keepenv=$1

	(( EUID == 0 )) && return
	if type -P sudo >/dev/null; then
		exec sudo --preserve-env=$keepenv -- "${orig_argv[@]}"
	else
		exec su root -c "$(printf ' %q' "${orig_argv[@]}")"
	fi
}

##
#  usage : is_btrfs( $path )
# return : whether $path is on a btrfs
##
is_btrfs() {
	[[ -e "$1" && "$(stat -f -c %T "$1")" == btrfs ]]
}

##
#  usage : is_subvolume( $path )
# return : whether $path is a the root of a btrfs subvolume (including
#          the top-level subvolume).
##
is_subvolume() {
	[[ -e "$1" && "$(stat -f -c %T "$1")" == btrfs && "$(stat -c %i "$1")" == 256 ]]
}

##
#  usage : is_same_fs( $path_a, $path_b )
# return : whether $path_a and $path_b are on the same filesystem
##
is_same_fs() {
	[[ "$(stat -c %d "$1")" == "$(stat -c %d "$1")" ]]
}

##
#  usage : subvolume_delete_recursive( $path )
#
#    Find all btrfs subvolumes under and including $path and delete them.
##
subvolume_delete_recursive() {
	local subvol

	is_subvolume "$1" || return 0

	while IFS= read -d $'\0' -r subvol; do
		if ! subvolume_delete_recursive "$subvol"; then
			return 1
		fi
	done < <(find "$1" -mindepth 1 -xdev -depth -inum 256 -print0)
	if ! btrfs subvolume delete "$1" &>/dev/null; then
		error "Unable to delete subvolume %s" "$subvol"
		return 1
	fi

	return 0
}


shopt -s nullglob

usage() {
	echo "Usage: ${0##*/} [options] -r <chrootdir> [--] [makepkg args]"
	echo ' Run this script in a PKGBUILD dir to build a package inside a'
	echo ' clean chroot. Arguments passed to this script after the'
	echo ' end-of-options marker (--) will be passed to makepkg.'
	echo ''
	echo ' The chroot dir consists of the following directories:'
	echo ' <chrootdir>/{root, copy} but only "root" is required'
	echo ' by default. The working copy will be created as needed'
	echo ''
	echo 'The chroot "root" directory must be created via the following'
	echo 'command:'
	echo '    mkarchroot <chrootdir>/root base-devel'
	echo ''
	echo 'This script reads {SRC,SRCPKG,PKG,LOG}DEST, MAKEFLAGS and PACKAGER'
	echo 'from makepkg.conf(5), if those variables are not part of the'
	echo 'environment.'
	echo ''
	echo "Default makepkg args: ${default_makepkg_args[*]}"
	echo ''
	echo 'Flags:'
	echo '-h         This help'
	echo '-c         Clean the chroot before building'
	echo '-C <dir>   Set pacman cache to pass to arch-nspawn'
	echo '-d <dir>   Bind directory into build chroot as read-write'
	echo '-D <dir>   Bind directory into build chroot as read-only'
	echo '-u         Update the working copy of the chroot before building'
	echo '           This is useful for rebuilds without dirtying the pristine'
	echo '           chroot'
	echo '-r <dir>   The chroot dir to use'
	echo '-I <pkg>   Install a package into the working copy of the chroot'
	echo '-l <copy>  The directory to use as the working copy of the chroot'
	echo '           Useful for maintaining multiple copies'
	echo "           Default: $copy"
	echo '-n         Run namcap on the package'
	echo '-T         Build in a temporary directory'
	echo '-U         Run makepkg as a specified user'
	exit 1
}

# {{{ functions
# Usage: load_vars $makepkg_conf
# Globals:
#  - SRCDEST
#  - SRCPKGDEST
#  - PKGDEST
#  - LOGDEST
#  - MAKEFLAGS
#  - PACKAGER
load_vars() {
	local makepkg_conf="$1" var

	[[ -f $makepkg_conf ]] || return 1

	for var in {SRC,SRCPKG,PKG,LOG}DEST MAKEFLAGS PACKAGER; do
		[[ -z ${!var:-} ]] && eval "$(grep -a "^${var}=" "$makepkg_conf")"
	done

	return 0
}

# Usage: sync_chroot $rootdir $copydir [$copy]
sync_chroot() {
	local rootdir=$1
	local copydir=$2
	local copy=${3:-$2}

	if [[ "$rootdir" -ef "$copydir" ]]; then
		error 'Cannot sync copy with itself: %s' "$copydir"
		return 1
	fi

	# Get a read lock on the root chroot to make
	# sure we don't clone a half-updated chroot
	slock 8 "$rootdir.lock" \
		"Locking clean chroot [%s]" "$rootdir"

	stat_busy "Synchronizing chroot copy [%s] -> [%s]" "$rootdir" "$copy"
	if is_subvolume "$rootdir" && is_same_fs "$rootdir" "$(dirname -- "$copydir")" && ! mountpoint -q "$copydir"; then
		if is_subvolume "$copydir"; then
			subvolume_delete_recursive "$copydir" ||
				die "Unable to delete subvolume %s" "$copydir"
		else
			# avoid change of filesystem in case of an umount failure
			rm --recursive --force --one-file-system "$copydir" ||
				die "Unable to delete %s" "$copydir"
		fi
		btrfs subvolume snapshot "$rootdir" "$copydir" >/dev/null ||
			die "Unable to create subvolume %s" "$copydir"
	else
		mkdir -p "$copydir"
		rsync -a --delete -q -W -x "$rootdir/" "$copydir"
	fi
	stat_done

	# Drop the read lock again
	lock_close 8

	# Update mtime
	touch "$copydir"
}

# Usage: delete_chroot $copydir [$copy]
delete_chroot() {
	local copydir=$1
	local copy=${1:-$2}

	stat_busy "Removing chroot copy [%s]" "$copy"
	if is_subvolume "$copydir" && ! mountpoint -q "$copydir"; then
		subvolume_delete_recursive "$copydir" ||
			die "Unable to delete subvolume %s" "$copydir"
	else
		# avoid change of filesystem in case of an umount failure
		rm --recursive --force --one-file-system "$copydir" ||
			die "Unable to delete %s" "$copydir"
	fi

	# remove lock file
	rm -f "$copydir.lock"
	stat_done
}

# Usage: install_packages $copydir $pkgs...
install_packages() {
	local copydir=$1
	local install_pkgs=("${@:2}")

	local -a pkgnames
	local ret

	pkgnames=("${install_pkgs[@]##*/}")

	cp -- "${install_pkgs[@]}" "$copydir/root/"
	arch-nspawn "$copydir" "${bindmounts_ro[@]}" "${bindmounts_rw[@]}" \
		pacman -U --noconfirm -- "${pkgnames[@]/#//root/}"
	ret=$?
	rm -- "${pkgnames[@]/#/$copydir/root/}"

	return $ret
}

# Usage: prepare_chroot $copydir $HOME $keepbuilddir $run_namcap
# Globals:
#  - MAKEFLAGS
#  - PACKAGER
prepare_chroot() {
	local copydir=$1
	local USER_HOME=$2
	local keepbuilddir=$3
	local run_namcap=$4

	[[ $keepbuilddir = true ]] || rm -rf "$copydir/build"

	local builduser_uid builduser_gid
	builduser_uid="${SUDO_UID:-$UID}"
	builduser_gid="$(id -g "$builduser_uid")"
	local install="install -o $builduser_uid -g $builduser_gid"
	local x

	# We can't use useradd without chrooting, otherwise it invokes PAM modules
	# which we might not be able to load (i.e. when building i686 packages on
	# an x86_64 host).
	sed -e '/^builduser:/d' -i "$copydir"/etc/{passwd,shadow,group}
	printf >>"$copydir/etc/group"  'builduser:x:%d:\n' "$builduser_gid"
	printf >>"$copydir/etc/passwd" 'builduser:x:%d:%d:builduser:/build:/bin/bash\n' "$builduser_uid" "$builduser_gid"
	printf >>"$copydir/etc/shadow" 'builduser:!!:%d::::::\n' "$(( $(date -u +%s) / 86400 ))"

	$install -d "$copydir"/{build,startdir,{pkg,srcpkg,src,log}dest}

	for x in BUILDDIR=/build PKGDEST=/pkgdest SRCPKGDEST=/srcpkgdest SRCDEST=/srcdest LOGDEST=/logdest
	do
		grep -q "^$x" "$copydir/etc/makepkg.conf" && continue
		echo "$x" >>"$copydir/etc/makepkg.conf"
	done

	cat > "$copydir/etc/sudoers.d/builduser-pacman" <<EOF
builduser ALL = NOPASSWD: /usr/bin/pacman
EOF
	chmod 440 "$copydir/etc/sudoers.d/builduser-pacman"

	# This is a little gross, but this way the script is recreated every time in the
	# working copy
	{
		printf '#!/bin/bash\n'
		declare -f _chrootbuild
		declare -p SOURCE_DATE_EPOCH 2>/dev/null || true
		printf '_chrootbuild "$@" || exit\n'

		if [[ $run_namcap = true ]]; then
			declare -f _chrootnamcap
			printf '_chrootnamcap || exit\n'
		fi
	} >"$copydir/chrootbuild"
	chmod +x "$copydir/chrootbuild"
}

# These functions aren't run in makechrootpkg,
# so no global variables
_chrootbuild() {
	# No coredumps
	ulimit -c 0

	# shellcheck source=/dev/null
	. /etc/profile

	# Beware, there are some stupid arbitrary rules on how you can
	# use "$" in arguments to commands with "sudo -i".  ${foo} or
	# ${1} is OK, but $foo or $1 isn't.
	# https://bugzilla.sudo.ws/show_bug.cgi?id=765
	mkdir /build/.distcc
	chown builduser /build/.distcc
	sudo --preserve-env=SOURCE_DATE_EPOCH -iu builduser DISTCC_IO_TIMEOUT=1200 DISTCC_DIR='/build/.distcc' bash -c 'cd /startdir; makepkg "$@"' -bash "$@"
	ret=$?
	case $ret in
		0|14)
			return 0;;
		*)
			return $ret;;
	esac
}

_chrootnamcap() {
	pacman -S --needed --noconfirm namcap
	for pkgfile in /startdir/PKGBUILD /pkgdest/*; do
		echo "Checking ${pkgfile##*/}"
		sudo -u builduser namcap "$pkgfile" 2>&1 | tee "/logdest/${pkgfile##*/}-namcap.log"
	done
}

# Usage: download_sources $copydir $makepkg_user
# Globals:
#  - SRCDEST
download_sources() {
	local copydir=$1
	local makepkg_user=$2

	setup_workdir
	chown "$makepkg_user:" "$WORKDIR"

	# Ensure sources are downloaded
	sudo -u "$makepkg_user" --preserve-env=GNUPGHOME \
		env SRCDEST="$SRCDEST" BUILDDIR="$WORKDIR" \
		makepkg -A --config="$copydir/etc/makepkg.conf" --verifysource -o ||
		die "Could not download sources."
}

# Usage: move_products $copydir $owner
# Globals:
#  - PKGDEST
#  - LOGDEST
#  - SRCPKGDEST
move_products() {
	local copydir=$1
	local src_owner=$2

	local pkgfile
	for pkgfile in "$copydir"/pkgdest/*; do
		chown "$src_owner" "$pkgfile"
		mv "$pkgfile" "$PKGDEST"

		# Fix broken symlink because of temporary chroot PKGDEST /pkgdest
		if [[ "$PWD" != "$PKGDEST" && -L "$PWD/${pkgfile##*/}" ]]; then
			ln -sf "$PKGDEST/${pkgfile##*/}"
		fi
	done

	local l
	for l in "$copydir"/logdest/*; do
		[[ $l == */logpipe.* ]] && continue
		chown "$src_owner" "$l"
		mv "$l" "$LOGDEST"
	done

	for s in "$copydir"/srcpkgdest/*; do
		chown "$src_owner" "$s"
		mv "$s" "$SRCPKGDEST"

		# Fix broken symlink because of temporary chroot SRCPKGDEST /srcpkgdest
		if [[ "$PWD" != "$SRCPKGDEST" && -L "$PWD/${s##*/}" ]]; then
			ln -sf "$SRCPKGDEST/${s##*/}"
		fi
	done
}
# }}}

main() {
	default_makepkg_args=(--syncdeps --noconfirm --holdver --skipinteg)
	makepkg_args=("${default_makepkg_args[@]}")
	keepbuilddir=false
	update_first=false
	clean_first=false
	run_namcap=false
	temp_chroot=false
	chrootdir=
	passeddir=
	makepkg_user=
	declare -a install_pkgs
	declare -i ret=0

	bindmounts_ro=()
	bindmounts_rw=()

	copy=$USER
	[[ -n ${SUDO_USER:-} ]] && copy=$SUDO_USER
	[[ -z "$copy" || $copy = root ]] && copy=copy
	src_owner=${SUDO_USER:-$USER}

	while getopts 'hcuC:r:I:l:nTD:d:U:' arg; do
		case "$arg" in
			c) clean_first=true ;;
			D) bindmounts_ro+=("--bind-ro=$OPTARG") ;;
			d) bindmounts_rw+=("--bind=$OPTARG") ;;
			u) update_first=true ;;
			C) cache_dir="$OPTARG" ;;
			r) passeddir="$OPTARG" ;;
			I) install_pkgs+=("$OPTARG") ;;
			l) copy="$OPTARG" ;;
			n) run_namcap=true; makepkg_args+=(--install) ;;
			T) temp_chroot=true; copy+="-$$" ;;
			U) makepkg_user="$OPTARG" ;;
			h|*) usage ;;
		esac
	done

	[[ ! -f PKGBUILD && -z "${install_pkgs[*]}" ]] && die 'This must be run in a directory containing a PKGBUILD.'
	[[ -n $makepkg_user && -z $(id -u "$makepkg_user") ]] && die 'Invalid makepkg user.'
	makepkg_user=${makepkg_user:-${SUDO_USER:-$USER}}

	check_root SOURCE_DATE_EPOCH,GNUPGHOME,SRCDEST,SRCPKGDEST,PKGDEST,LOGDEST,MAKEFLAGS,PACKAGER

	# Canonicalize chrootdir, getting rid of trailing /
	chrootdir=$(readlink -e "$passeddir")
	[[ ! -d $chrootdir ]] && die "No chroot dir defined, or invalid path '%s'" "$passeddir"
	[[ ! -d $chrootdir/root ]] && die "Missing chroot dir root directory. Try using: mkarchroot %s/root base-devel" "$chrootdir"

	if [ -n "$cache_dir" ]; then
		cache_dir="-c $cache_dir"
	fi

	if [[ ${copy:0:1} = / ]]; then
		copydir=$copy
	else
		copydir="$chrootdir/$copy"
	fi

	# Pass all arguments after -- right to makepkg
	makepkg_args+=("${@:$OPTIND}")

	# See if -R or -e was passed to makepkg
	for arg in "${makepkg_args[@]}"; do
		case ${arg%%=*} in
			--repackage|--noextract) keepbuilddir=true; break ;;
			--repackage|--noextract) keepbuilddir=true; break ;;
			--*) ;;
			-*R*|-*e*) keepbuilddir=true; break ;;
		esac
	done

	if [[ -n $SUDO_USER ]]; then
		eval "USER_HOME=~$SUDO_USER"
	else
		USER_HOME=$HOME
	fi

	umask 0022

	load_vars "${XDG_CONFIG_HOME:-$USER_HOME/.config}/pacman/makepkg.conf" || load_vars "$USER_HOME/.makepkg.conf"
	load_vars /etc/makepkg.conf

	# Use PKGBUILD directory if these don't exist
	[[ -d $PKGDEST ]]    || PKGDEST=$PWD
	[[ -d $SRCDEST ]]    || SRCDEST=$PWD
	[[ -d $SRCPKGDEST ]] || SRCPKGDEST=$PWD
	[[ -d $LOGDEST ]]    || LOGDEST=$PWD

	# Lock the chroot we want to use. We'll keep this lock until we exit.
	lock 9 "$copydir.lock" "Locking chroot copy [%s]" "$copy"

	if [[ ! -d $copydir ]] || $clean_first; then
		sync_chroot "$chrootdir/root" "$copydir" "$copy"
	fi

	$update_first && arch-nspawn "$copydir" \
			"${bindmounts_ro[@]}" "${bindmounts_rw[@]}" \
			pacman -Syu --noconfirm

	if [[ -n ${install_pkgs[*]:-} ]]; then
		install_packages "$copydir" "${install_pkgs[@]}"
		ret=$?
		# If there is no PKGBUILD we have done
		[[ -f PKGBUILD ]] || return $ret
	fi

	if [[ "$(id -u "$makepkg_user")" == 0 ]]; then
		error "Running makepkg as root is not allowed."
		exit 1
	fi

	download_sources "$copydir" "$makepkg_user"

	prepare_chroot "$copydir" "$USER_HOME" "$keepbuilddir" "$run_namcap"

	if arch-nspawn $cache_dir "$copydir" \
		--bind="$PWD:/startdir" \
		--bind="$SRCDEST:/srcdest" \
		"${bindmounts_ro[@]}" "${bindmounts_rw[@]}" \
		/chrootbuild "${makepkg_args[@]}"
	then
		move_products "$copydir" "$src_owner"
	else
		(( ret += 1 ))
	fi

	$temp_chroot && delete_chroot "$copydir" "$copy"

	if (( ret != 0 )); then
		if $temp_chroot; then
			die "Build failed"
		else
			die "Build failed, check %s/build" "$copydir"
		fi
	else
		true
	fi
}

main "$@"
