# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2

EAPI=8

PYTHON_COMPAT=( python3_{10..13} )
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/torproject.org.asc
inherit edo python-any-r1 readme.gentoo-r1 systemd verify-sig

MY_PV="$(ver_rs 4 -)"
MY_PF="${PN}-${MY_PV}"
DESCRIPTION="Anonymizing overlay network for TCP"
HOMEPAGE="https://www.torproject.org/ https://gitlab.torproject.org/tpo/core/tor/"

if [[ ${PV} == 9999 ]] ; then
	EGIT_REPO_URI="https://gitlab.torproject.org/tpo/core/tor"
	inherit autotools git-r3
else
	SRC_URI="
		https://www.torproject.org/dist/${MY_PF}.tar.gz
		https://archive.torproject.org/tor-package-archive/${MY_PF}.tar.gz
		verify-sig? (
			https://dist.torproject.org/${MY_PF}.tar.gz.sha256sum
			https://dist.torproject.org/${MY_PF}.tar.gz.sha256sum.asc
		)
	"

	S="${WORKDIR}/${MY_PF}"

	if [[ ${PV} != *_alpha* && ${PV} != *_beta* && ${PV} != *_rc* ]]; then
		KEYWORDS="~amd64 arm arm64 ~hppa ~mips ppc ppc64 ~riscv ~sparc ~x86 ~ppc-macos"
	fi

	BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-tor-20230727 )"
fi

# BSD in general, but for PoW, needs --enable-gpl (GPL-3 per --version)
# We also already had GPL-2 listed here for the init script, but obviously
# that's different from the actual binary.
LICENSE="BSD GPL-2 GPL-3"
SLOT="0"
IUSE="caps doc lzma +man scrypt seccomp selinux +server systemd tor-hardening test zstd"
RESTRICT="!test? ( test )"

DEPEND="
	acct-user/tor
	acct-group/tor
	>=dev-libs/libevent-2.1.12-r1:=[ssl]
	dev-libs/openssl:=[-bindist(-)]
	sys-libs/zlib
	caps? ( sys-libs/libcap )
	man? ( app-text/asciidoc )
	lzma? ( app-arch/xz-utils )
	scrypt? ( app-crypt/libscrypt )
	seccomp? ( >=sys-libs/libseccomp-2.4.1 )
	systemd? ( sys-apps/systemd:= )
	zstd? ( app-arch/zstd:= )
"
RDEPEND="
	${DEPEND}
	selinux? ( sec-policy/selinux-tor )
"
DEPEND+="
	test? (
		${DEPEND}
		${PYTHON_DEPS}
	)
"

DOCS=()

PATCHES=(
	"${FILESDIR}"/${PN}-0.2.7.4-torrc.sample.patch
)

QA_CONFIG_IMPL_DECL_SKIP=(
	# test correctly fails because -lnacl fails if not available
	# https://bugs.gentoo.org/900092
	crypto_scalarmult_curve25519
)

pkg_setup() {
	use test && python-any-r1_pkg_setup
}

src_unpack() {
	if [[ ${PV} == 9999 ]] ; then
		git-r3_src_unpack
	else
		if use verify-sig; then
			cd "${DISTDIR}" || die
			verify-sig_verify_detached ${MY_PF}.tar.gz.sha256sum{,.asc}
			verify-sig_verify_unsigned_checksums \
				${MY_PF}.tar.gz.sha256sum sha256 ${MY_PF}.tar.gz
			cd "${WORKDIR}" || die
		fi

		default
	fi
}

src_prepare() {
	default

	# Running shellcheck automagically isn't useful for ebuild testing.
	echo "exit 0" > scripts/maint/checkShellScripts.sh || die

	if [[ ${PV} == 9999 ]] ; then
		eautoreconf
	fi
}

src_configure() {
	use doc && DOCS+=( README.md ChangeLog ReleaseNotes doc/HACKING )

	export ac_cv_lib_cap_cap_init=$(usex caps)
	export tor_cv_PYTHON="${EPYTHON}"

	local myeconfargs=(
		--localstatedir="${EPREFIX}/var"
		--disable-all-bugs-are-fatal
		--enable-system-torrc
		--disable-android
		--disable-coverage
		--disable-html-manual
		--disable-libfuzzer
		--enable-missing-doc-warnings
		--disable-module-dirauth
		--enable-pic
		--disable-restart-debugging

		# Unless someone asks & has a compelling reason, just always
		# build in GPL mode for pow, given we don't want yet another USE
		# flag combination to have to test just for the sake of it.
		# (PoW requires GPL.)
		--enable-gpl
		--enable-module-pow

		$(use_enable man asciidoc)
		$(use_enable man manpage)
		$(use_enable lzma)
		$(use_enable scrypt libscrypt)
		$(use_enable seccomp)
		$(use_enable server module-relay)
		$(use_enable systemd)
		$(use_enable tor-hardening gcc-hardening)
		$(use_enable tor-hardening linker-hardening)
		$(use_enable test unittests)
		$(use_enable zstd)
	)

	econf "${myeconfargs[@]}"
}

src_test() {
	local skip_tests=(
		# Fails in sandbox
		:sandbox/open_filename
		:sandbox/openat_filename
	)

	if use arm ; then
		skip_tests+=(
			# bug #920905
			# https://gitlab.torproject.org/tpo/core/tor/-/issues/40912
			:sandbox/opendir_dirname
			:sandbox/openat_filename
			:sandbox/chmod_filename
			:sandbox/chown_filename
			:sandbox/rename_filename
		)
	fi

	# The makefile runs these by parallel by chunking them with a script
	# but that means we lose verbosity and can't skip individual tests easily
	# either.
	edo ./src/test/test --verbose "${skip_tests[@]}"
}

src_install() {
	default
	readme.gentoo_create_doc

	newconfd "${FILESDIR}"/tor.confd tor
	newinitd "${FILESDIR}"/tor.initd-r9 tor
	systemd_dounit "${FILESDIR}"/tor.service

	keepdir /var/lib/tor

	fperms 750 /var/lib/tor
	fowners tor:tor /var/lib/tor

	insinto /etc/tor/
	newins "${FILESDIR}"/torrc-r2 torrc
}