#
# spec file for package weakforced
#
# Copyright (c) 2017 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# Python 3 flavour used for the optional report-api subpackage:
# python38 on suse_version >= 1550, python3 everywhere else.
%if 0%{?suse_version} >= 1550
%define use_python python38
%else
%define use_python python3
%endif
# systemd_separatedlibs selects which systemd pkgconfig module is required
# further down: libsystemd-daemon when enabled, libsystemd when disabled.
# It is off by default on Fedora >= 24 and suse_version > 1320, on otherwise.
%if 0%{?fedora_version} >= 24 || 0%{?fc24}%{?fc25} || 0%{?suse_version} > 1320
%bcond_with systemd_separatedlibs
%else
%bcond_without systemd_separatedlibs
%endif
# The AppArmor profiles are packaged by default on SUSE builds only.
%if 0%{?suse_version}
%bcond_without apparmor
%else
%bcond_with apparmor
%endif
# The report-api subpackage is off by default and has to be requested
# explicitly at build time.
%bcond_with report_api
# Main package: the wforce daemon, its configuration, the AppArmor profiles
# (when enabled) and the firewalld service definition.
Name: weakforced
Version: 2.8.0
Release: 0
License: GPL-3.0
Summary: Distributed detection of brute forcing of passwords
Url: https://github.com/PowerDNS/weakforced
Group: System/Daemons
Source: %{name}-%{version}.tar.gz
# Source2/Source3: AppArmor profile and its local override for the daemon.
Source2: usr.sbin.wforce
Source3: local.usr.sbin.wforce
# NOTE(review): Source4 points at the master branch, so the URL does not
# identify a fixed revision of regexes.yaml. The file is copied into the
# build tree and shipped as configuration; referencing a tag or commit
# would make the packaged copy reproducible and easier to audit.
Source4: https://raw.githubusercontent.com/ua-parser/uap-core/master/regexes.yaml
Source5: wforce-firewalld.xml
Patch1: weakforced-2.0.0-no-termcap.patch
Patch2: weakforced-2.0.0-no-download.patch
Patch3: weakforced-2.0.1-shebang.patch
Patch4: weakforced-2.8.0-cstdint.patch
%if %{with apparmor}
BuildRequires: apparmor-profiles
%endif
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: curl-devel
# Older SUSE releases need the separately packaged GCC 5 and the monolithic
# boost-devel; newer ones use the split libboost packages.
%if 0%{?suse_version} <= 1320
BuildRequires: gcc5-c++
BuildRequires: boost-devel >= 1.42
%else
BuildRequires: gcc-c++ >= 5.0
BuildRequires: libboost_date_time-devel
BuildRequires: libboost_regex-devel
BuildRequires: libboost_system-devel
BuildRequires: libboost_filesystem-devel
%endif
BuildRequires: firewall-macros
# GeoIP-devel is only required below suse_version 1550; libmaxminddb is
# required unconditionally further down.
%if 0%{?suse_version} < 1550
BuildRequires: GeoIP-devel
%endif
BuildRequires: cmake(Drogon)
BuildRequires: getdns-devel
BuildRequires: hiredis-devel
BuildRequires: prometheus-cpp-devel
BuildRequires: libsodium-devel
BuildRequires: libtool
BuildRequires: pandoc
BuildRequires: pkgconfig
BuildRequires: protobuf-devel
BuildRequires: openssl-devel
BuildRequires: readline-devel
BuildRequires: yaml-cpp-devel
BuildRequires: pkgconfig(luajit)
BuildRequires: pkgconfig(libmaxminddb)
%if %{with report_api}
BuildRequires: %{use_python}-pip
# for report-api subpackage. keep in sync with the
# requires_ list in the subpackage
# BuildRequires: %{use_python}-click >= 6.7
# BuildRequires: %{use_python}-coverage >= 4.4.1
# BuildRequires: %{use_python}-elasticsearch
# BuildRequires: %{use_python}-Flask >= 1.0.4
# BuildRequires: %{use_python}-Flask-Elastic >= 0.2
# BuildRequires: %{use_python}-Flask-HTTPAuth >= 3.2.3
# BuildRequires: %{use_python}-itsdangerous >= 0.24
# BuildRequires: %{use_python}-Jinja2 >= 2.10.1
# BuildRequires: %{use_python}-MarkupSafe >= 1.0
# BuildRequires: %{use_python}-pytz >= 2017.2
# BuildRequires: %{use_python}-urllib3 >= 1.24.2
# BuildRequires: %{use_python}-Werkzeug >= 0.15.3
# BuildRequires: %{use_python}-requests >= 2.20
# BuildRequires: %{use_python}-gunicorn >= 19.9.0
# BuildRequires: %{use_python}-wheel
%endif
%if 0%{?suse_version}
Requires(post): %fillup_prereq
%endif
BuildRequires: pkgconfig(systemd)
%if %{with systemd_separatedlibs}
BuildRequires: pkgconfig(libsystemd-daemon)
%else
BuildRequires: pkgconfig(libsystemd)
%endif
%{?systemd_requires}
# service_name is used for the unit, the configuration directory and the
# group that owns the configuration; home is the state directory of the
# service account (packaged with mode 750 in the file list).
%define service_name wforce
%define home %{_var}/lib/%{service_name}
Provides: wforce = %{version}-%{release}
%description
The goal of 'wforce' is to detect brute forcing of passwords across many
servers, services and instances. In order to support the real world, brute
force detection policy can be tailored to deal with "bulk, but legitimate"
users of your service, as well as botnet-wide slowscans of passwords.
The aim is to support the largest of installations, providing services to
hundreds of millions of users. The current version of weakforced is not quite
there yet.
%package trackalert
# Optional companion daemon; it depends on the main package.
# NOTE(review): the file-style Provides below presumably records that the
# trackalert binary used to live in the main package - confirm.
Summary: Longterm abuse data reporting and alerter
Group: System/Daemons
Requires: weakforced
Provides: weakforced:%{_sbindir}/trackalert
%description trackalert
Trackalert is designed to be an optional service to complement
wforce. Whereas wforce provides a toolkit to combat abuse of
logins such as password brute forcing in realtime, trackalert is
designed to look at abuse asynchronously, using long-term report data
stored in an external DB such as elasticsearch, and to send alerts on
potential login abuse.
%if %{with report_api}
%package report-api
# Only built when the report_api option is enabled.
# NOTE(review): the BuildRequires lines matching this list are commented
# out in the main preamble; confirm the requires_ge helpers still resolve
# to the intended minimum versions when the option is switched on.
Summary: Enable access to the report information stored in Elasticsearch
Group: System/Daemons
%requires_ge %{use_python}-click
%requires_ge %{use_python}-coverage
%requires_ge %{use_python}-elasticsearch
%requires_ge %{use_python}-Flask
%requires_ge %{use_python}-Flask-Elastic
%requires_ge %{use_python}-Flask-HTTPAuth
%requires_ge %{use_python}-itsdangerous
%requires_ge %{use_python}-Jinja2
%requires_ge %{use_python}-MarkupSafe
%requires_ge %{use_python}-pytz
%requires_ge %{use_python}-urllib3
%requires_ge %{use_python}-Werkzeug
%requires_ge %{use_python}-requests
%requires_ge %{use_python}-gunicorn
%requires_ge %{use_python}-wheel
%description report-api
The Report API is provided to enable access to the report information stored in Elasticsearch.
It provides REST API endpoints to retrieve data about logins and devices, as well as
endpoints to "forget" devices and logins.
%endif
%prep
# Unpack the source tarball and apply the listed patches with strip level 1.
%autosetup -p1
%build
# Releases up to suse_version 1320 build with the separately packaged GCC 5.
%if 0%{?suse_version} <= 1320
export CC=gcc-5
export CXX=g++-5
%endif
# Place the packaged copy of regexes.yaml (Source4) into the source tree.
# NOTE(review): presumably paired with the no-download patch so the build
# does not fetch this file from the network - confirm against the patch.
cp %{S:4} wforce/
autoreconf -fi
# Binaries are installed into sbindir and the configuration into a
# per-service directory below sysconfdir; trackalert is built as well.
%configure \
--disable-dependency-tracking \
--disable-silent-rules \
--bindir=%{_sbindir} \
--sysconfdir=%{_sysconfdir}/%{service_name}/ \
--enable-systemd \
--with-luajit \
--enable-trackalert
# currently does not build parallel
make # %{?_smp_mflags}
%if %{with report_api}
# NOTE(review): python3 is called directly although use_python is defined
# at the top of the spec - confirm which interpreter is intended.
pushd report_api
python3 setup.py build
popd
%endif
%install
# Stage the build into the build root and create the data directories.
make install DESTDIR=%{buildroot} %{?_smp_mflags}
mkdir -p %{buildroot}%{_datadir}/%{service_name}
%if %{with report_api}
mkdir -p %{buildroot}%{_datadir}/wforce-report-api/
%endif
# trackalert
# On SUSE each service gets an rcNAME symlink to the service wrapper.
%if 0%{?suse_version}
ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{service_name}
ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rctrackalert
%if %{with report_api}
ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcwforce-report-api
%endif
%endif
# firewalld
install -D -m 644 %{SOURCE5} %{buildroot}%{_libexecdir}/firewalld/services/%{service_name}.xml
# apparmor
# Main profile plus the local override file, both root-owned and mode 0644.
%if %{with apparmor}
install -D -m 0644 %{S:2} %{buildroot}%{_sysconfdir}/apparmor.d/usr.sbin.wforce
install -D -m 0644 %{S:3} %{buildroot}%{_sysconfdir}/apparmor.d/local/usr.sbin.wforce
%endif
# State directory of the service account; mode 0750 keeps other users out.
install -Dd -m 0750 %{buildroot}%{home}/
# The yahttp headers placed under includedir by make install are not packaged.
rm -rf %{buildroot}%{_includedir}/yahttp/
%if %{with report_api}
# wforce-report-api
pushd report_api
# TODO strange python build
python3 setup.py install --root=%{buildroot}
popd
install -D -m 755 report_api/helpers/wforce-report-api-webserver %{buildroot}%{_bindir}/wforce-report-api-webserver
# NOTE(review): both report-api configuration files are installed
# world-readable (644). If either of them can carry credentials, a tighter
# mode combined with the service group would be safer - confirm.
install -D -m 644 report_api/helpers/wforce-report-api.conf %{buildroot}%{_sysconfdir}/wforce-report-api/wforce-report-api-web.conf
install -D -m 644 report_api/instance/report.cfg %{buildroot}%{_sysconfdir}/wforce-report-api/wforce-report-api-instance.conf
install -D -m 644 report_api/helpers/wforce-report-api.service %{buildroot}%{_unitdir}/wforce-report-api.service
%endif
# remove specific items for doc packaging
rm -f docker/.gitignore docker/logstash/geoip/.gitignore docker/Makefile* docs/swagger/set-version
%pre
# Create the system group and account for the daemon: no login shell
# (/bin/false), home set to the service state directory. Output is
# discarded and failures are ignored (|| :), so an already existing
# account does not abort the installation; a genuine failure is silent too.
/usr/sbin/groupadd -r wforce >/dev/null 2>&1 || :
/usr/sbin/useradd -g wforce -s /bin/false -r -c "wforce" -d %{home} wforce >/dev/null 2>&1 || :
%if 0%{?suse_version}
%service_add_pre %{service_name}.service
%endif
%pre trackalert
# No separate account is created for trackalert.
%if 0%{?suse_version}
%service_add_pre trackalert.service
%endif
%if %{with report_api}
%pre report-api
# Separate system group and account for the report API, created the same
# way as the daemon account.
# NOTE(review): the home directory is the same path as the wforce
# account's, which is packaged as mode 750 and owned by wforce, so this
# account cannot enter it - confirm that is intended.
/usr/sbin/groupadd -r wforce-report-api >/dev/null 2>&1 || :
/usr/sbin/useradd -g wforce-report-api -s /bin/false -r -c "wforce-report-api" -d %{home} wforce-report-api >/dev/null 2>&1 || :
%if 0%{?suse_version}
%service_add_pre wforce-report-api.service
%endif
%endif
%preun
# Service handling before removal: SUSE builds use the service_del_preun
# helper, all other builds the systemd_preun helper.
%if 0%{?suse_version}
%service_del_preun %{service_name}.service
%else
%systemd_preun %{service_name}.service
%endif
%preun trackalert
# Same pattern for the trackalert unit.
%if 0%{?suse_version}
%service_del_preun trackalert.service
%else
%systemd_preun trackalert.service
%endif
%if %{with report_api}
%preun report-api
# Same pattern for the report API unit.
%if 0%{?suse_version}
%service_del_preun wforce-report-api.service
%else
%systemd_preun wforce-report-api.service
%endif
%endif
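%post
# Register the unit (SUSE: fillup plus service_add_post, otherwise systemd_post).
%if 0%{?suse_version}
%fillup_only %{service_name}
%service_add_post %{service_name}.service
%else
%systemd_post %{service_name}.service
%endif
# First installation only ($1 is 1): replace the --WEBPWD and --SETKEY
# placeholders in the shipped configuration with freshly generated values,
# so no two installations share the same web password or key.
if [ "$1" -eq 1 ]; then
    WFORCECONF=/etc/%{service_name}/%{service_name}.conf
    echo -n "Modifying %{service_name}.conf to replace password and key..."
    # makeKey() is fed to the daemon binary on stdin; the setKey line of its
    # output is what gets written into the configuration.
    SETKEY=$(echo "makeKey()" | %{service_name} | grep setKey)
    # 32 random bytes, base64-encoded; rev/cut/rev keeps the 13 characters
    # in front of the trailing padding character.
    WEBPWD=$(dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64 | rev | cut -b 2-14 | rev)
    # Substitute each placeholder only when a value was actually produced.
    # A failed generation step then leaves the placeholder in place and is
    # reported, instead of silently writing an empty password or key.
    # The values are passed on the sed command line and are therefore
    # briefly visible in the process list while the package is installed.
    missing=""
    if [ -n "$WEBPWD" ]; then
        sed -e "s#--WEBPWD#$WEBPWD#" -i "$WFORCECONF"
    else
        missing="$missing password"
    fi
    if [ -n "$SETKEY" ]; then
        sed -e "s#--SETKEY#$SETKEY#" -i "$WFORCECONF"
    else
        missing="$missing key"
    fi
    if [ -z "$missing" ]; then
        echo "done"
    else
        echo "failed"
        echo "warning: could not generate:$missing; set it manually in $WFORCECONF" >&2
    fi
fi
%firewalld_reload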
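%post trackalert
# Register the unit (SUSE: service_add_post, otherwise systemd_post).
%if 0%{?suse_version}
%service_add_post trackalert.service
%else
%systemd_post trackalert.service
%endif
# First installation only ($1 is 1): replace the --WEBPWD and --SETKEY
# placeholders in trackalert.conf with freshly generated values.
if [ "$1" -eq 1 ]; then
    TRACKALERTCONF=/etc/%{service_name}/trackalert.conf
    echo -n "Modifying trackalert.conf to replace password and key..."
    # makeKey() is fed to the wforce binary on stdin; the setKey line of its
    # output is what gets written into the configuration.
    SETKEY=$(echo "makeKey()" | %{service_name} | grep setKey)
    # 32 random bytes, base64-encoded; rev/cut/rev keeps the 13 characters
    # in front of the trailing padding character.
    WEBPWD=$(dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64 | rev | cut -b 2-14 | rev)
    # Substitute each placeholder only when a value was actually produced.
    # A failed generation step then leaves the placeholder in place and is
    # reported, instead of silently writing an empty password or key.
    # The values are passed on the sed command line and are therefore
    # briefly visible in the process list while the package is installed.
    missing=""
    if [ -n "$WEBPWD" ]; then
        sed -e "s#--WEBPWD#$WEBPWD#" -i "$TRACKALERTCONF"
    else
        missing="$missing password"
    fi
    if [ -n "$SETKEY" ]; then
        sed -e "s#--SETKEY#$SETKEY#" -i "$TRACKALERTCONF"
    else
        missing="$missing key"
    fi
    if [ -z "$missing" ]; then
        echo "done"
    else
        echo "failed"
        echo "warning: could not generate:$missing; set it manually in $TRACKALERTCONF" >&2
    fi
fi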
%if %{with report_api}
%post report-api
# Only registers the unit; unlike the other two post scriptlets, no
# password or key is generated for the report API configuration here.
%if 0%{?suse_version}
%service_add_post wforce-report-api.service
%else
%systemd_post wforce-report-api.service
%endif
%endif
%postun
# Service handling after removal or upgrade: SUSE builds use the
# service_del_postun helper, all other builds systemd_postun_with_restart.
%if 0%{?suse_version}
%service_del_postun %{service_name}.service
%else
%systemd_postun_with_restart %{service_name}.service
%endif
%postun trackalert
# Same pattern for the trackalert unit.
%if 0%{?suse_version}
%service_del_postun trackalert.service
%else
%systemd_postun_with_restart trackalert.service
%endif
%if %{with report_api}
%postun report-api
# Same pattern for the report API unit.
%if 0%{?suse_version}
%service_del_postun wforce-report-api.service
%else
%systemd_postun_with_restart wforce-report-api.service
%endif
%endif
%files
%defattr(-,root,root)
%doc README.md CHANGELOG.md
%doc docs/release_notes/ docs/swagger/
%doc docker/
# All man pages except those that belong to the two subpackages.
%doc %{_mandir}/man?/*
%exclude %{_mandir}/man?/trackalert*
%exclude %{_mandir}/man?/wforce-report-api*
%license LICENSE
# Configuration is owned by root with group wforce. The mode field is "-",
# so the permissions are whatever the build root holds after make install.
# NOTE(review): the post scriptlet writes a generated web password and key
# into the wforce configuration file; confirm the installed mode keeps it
# from being world-readable, or set an explicit mode such as 0640 here.
%dir %attr(-,root,%{service_name}) %{_sysconfdir}/%{service_name}/
%config(noreplace) %attr(-,root,%{service_name}) %{_sysconfdir}/%{service_name}/regexes.yaml
%config(noreplace) %attr(-,root,%{service_name}) %{_sysconfdir}/%{service_name}/wforce*
%{_datadir}/%{service_name}/
%{_sbindir}/wforce
%{_sbindir}/wf_dump_entries
%{_unitdir}/%{service_name}.service
%if 0%{?suse_version}
%{_sbindir}/rc%{service_name}
%endif
# AppArmor profiles are marked noreplace so local edits survive upgrades.
%if %{with apparmor}
%config(noreplace) %{_sysconfdir}/apparmor.d/usr.sbin.wforce
%config(noreplace) %{_sysconfdir}/apparmor.d/local/usr.sbin.wforce
%endif
# State directory: owned by the service account, no access for other users.
%dir %attr(750,%{service_name},%{service_name}) %{home}
%dir %{_libexecdir}/firewalld
%dir %{_libexecdir}/firewalld/services
%{_libexecdir}/firewalld/services/%{service_name}.xml
%files trackalert
%defattr(-,root,root)
%{_unitdir}/trackalert.service
%{_sbindir}/trackalert
# NOTE(review): trackalert.conf receives a generated web password and key
# in the post scriptlet and its mode field is "-"; confirm the installed
# mode is not world-readable, or set an explicit mode such as 0640.
%config(noreplace) %attr(-,root,%{service_name}) %{_sysconfdir}/%{service_name}/trackalert.conf
%if 0%{?suse_version}
%{_sbindir}/rctrackalert
%endif
%doc %{_mandir}/man?/trackalert*
%if %{with report_api}
%files report-api
%defattr(-,root,root)
# The whole configuration directory is listed as one noreplace entry with
# group wforce-report-api; the file modes are the 644 set during install.
%config(noreplace) %attr(-,root,wforce-report-api) %{_sysconfdir}/wforce-report-api/
%{_bindir}/wforce-report-api-webserver
%{_unitdir}/wforce-report-api.service
%if 0%{?suse_version}
%{_sbindir}/rcwforce-report-api
%endif
%doc %{_mandir}/man?/wforce-report-api*
%{_datadir}/wforce-report-api/
%{_bindir}/runreport.py
# NOTE(review): these paths use python3_sitelib while the dependencies are
# expressed through use_python - confirm both refer to the same interpreter.
%{python3_sitelib}/wforce/
%{python3_sitelib}/wforce_report_api-*.egg*
%endif
%changelog