# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2

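EAPI=8

DISTUTILS_USE_PEP517=setuptools
PYTHON_COMPAT=( python3_{11..13} )
inherit distutils-r1 go-module linux-info systemd xdg-utils

DESCRIPTION="Desktop application firewall"
HOMEPAGE="https://github.com/evilsocket/opensnitch"

# Upstream release tarball plus a pre-vendored Go module bundle. The bundle is
# served from a non-upstream host, so its integrity rests solely on the
# Manifest checksum recorded for ${P}-deps.tar.xz (src_unpack below bypasses
# the go-module eclass's own module verification).
SRC_URI="
	https://github.com/evilsocket/opensnitch/archive/refs/tags/v${PV}.tar.gz -> ${P}.gh.tar.gz
	https://dev.pentoo.ch/~blshkv/distfiles/${P}-deps.tar.xz
	"

LICENSE="GPL-3"
SLOT="0"
KEYWORDS="amd64"
# At least one firewall backend (iptables or nftables) has to be enabled.
IUSE="+audit bpf +iptables +nftables systemd"
REQUIRED_USE="|| ( iptables nftables )"

# Build-host tools (EAPI 7+: executables run at build time belong in BDEPEND):
# the Go toolchain and the protoc plugins, presumably used by the `protocol`
# make target in src_compile.
BDEPEND=">=dev-lang/go-1.19
	dev-go/protobuf-go
	dev-go/protoc-gen-go-grpc
"
# NOTE(review): if the daemon links libnetfilter_queue via cgo it is also a
# runtime dependency — confirm and mirror it into RDEPEND if so.
DEPEND="net-libs/libnetfilter_queue"
RDEPEND="
	dev-python/grpcio-tools[${PYTHON_USEDEP}]
	dev-python/notify2[${PYTHON_USEDEP}]
	dev-python/python-slugify[${PYTHON_USEDEP}]
	dev-python/pyinotify[${PYTHON_USEDEP}]
	dev-python/pyqt5[network,sql,${PYTHON_USEDEP}]
	bpf? ( ~app-admin/opensnitch-ebpf-module-${PV} )
"

# Upstream's test suite is not run (ui/tests is removed in src_prepare).
RESTRICT+=" test"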

pkg_setup() {
	# Kernel options the daemon always needs; the list is handed to
	# linux-info_pkg_setup at the end of this phase.
	# see https://github.com/evilsocket/opensnitch/discussions/978
	local CONFIG_CHECK="
		INET_TCP_DIAG
		INET_UDP_DIAG
		INET_RAW_DIAG
		INET_DIAG_DESTROY
		NETFILTER_NETLINK_ACCT
		NETFILTER_NETLINK_QUEUE
		NF_CONNTRACK
		NF_CT_NETLINK
		PROC_FS
	"

	# config needed for the audit monitoring method
	if use audit; then
		CONFIG_CHECK+="
		AUDIT
	"
	fi

	# config needed for using iptables as firewall
	if use iptables; then
		CONFIG_CHECK+="
		NETFILTER_XT_MATCH_CONNTRACK
		NETFILTER_XT_TARGET_NFQUEUE
	"
	fi

	# config needed for using nftables as firewall
	if use nftables; then
		CONFIG_CHECK+="
		NFT_CT
		NFT_QUEUE
	"
	fi

	# Performs the actual .config check against the assembled list.
	linux-info_pkg_setup
}

# Applied by the `default` call in src_prepare (after the optional systemd patch).
PATCHES=(
	"${FILESDIR}/fix-setup.py.patch"
)

src_unpack() {
	# Plain unpack of every distfile (the upstream tarball and the vendored
	# Go module bundle from SRC_URI). The go-module eclass's own src_unpack
	# is deliberately bypassed, so no module checksum verification runs.
	# NOTE(review): the vendored deps are therefore authenticated only by the
	# Manifest entry for ${P}-deps.tar.xz, not by upstream's go.sum — re-check
	# that tarball whenever it is regenerated.
	unpack ${A} # skip go module verification
}

src_prepare() {
	# Upstream's UI tests are not run here (RESTRICT=test); drop them.
	rm -rf ui/tests || die

	# The systemd patch is applied ahead of PATCHES and user patches.
	if use systemd; then
		eapply "${FILESDIR}/systemd.patch"
	fi

	default
}

src_compile() {
	# Top-level `protocol` make target; presumably generates the protobuf/gRPC
	# sources (the ui_pb2* files patched below) — confirm against upstream's
	# Makefile.
	emake protocol || die

	pushd ui || die
	# Compile the Qt resource file into a Python module (brace expansion
	# yields "opensnitch/resources_rc.py opensnitch//res/resources.qrc").
	pyrcc5 -o opensnitch/{resources_rc.py,/res/resources.qrc} || die
	# workaround for namespace conflict
	# see https://github.com/evilsocket/opensnitch/issues/496
	# and https://github.com/evilsocket/opensnitch/pull/442
	sed -i 's/^import ui_pb2/from . import ui_pb2/' opensnitch/ui_pb2* || die
	popd > /dev/null || die

	pushd daemon || die
	# Keep the Go build cache inside the ebuild's temp dir and point the
	# module cache at the unpacked vendor tree (presumably the contents of
	# ${P}-deps.tar.xz — TODO confirm), so the build works without network
	# access. -buildmode=pie produces a position-independent daemon binary.
	GOCACHE="${T}/go-cache" \
	GOMODCACHE="${WORKDIR}/${PN}-${PV}/vendor" \
	ego build -v -buildmode=pie -o opensnitchd || die
	popd > /dev/null || die

	# The Python UI lives in ui/; run the distutils-r1 build from there.
	pushd ui || die
	distutils-r1_src_compile
	popd > /dev/null || die
}

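src_install() {
	# Python UI, installed by distutils-r1 from the ui/ subdirectory.
	pushd ui || die
	distutils-r1_src_install
	popd > /dev/null || die

	# Go daemon, its default policy files and the service/init script.
	# (Single daemon/ visit instead of entering it twice.)
	pushd daemon || die
	dobin opensnitchd
	# No rules are shipped; keepdir ensures the rules directory exists and is
	# owned by the package. It should stay root-writable only, since its
	# contents define the firewall policy.
	keepdir /etc/opensnitchd/rules
	insinto /etc/opensnitchd
	doins default-config.json system-fw.json
	if use systemd; then
		systemd_dounit opensnitchd.service
	else
		# newinitd reads from FILESDIR (absolute), so cwd does not matter.
		newinitd "${FILESDIR}"/opensnitch.initd "${PN}"
	fi
	popd > /dev/null || die
}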

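pkg_postinst() {
	# Refresh the icon cache after install.
	xdg_icon_cache_update

	#FIXME upstream bug: https://github.com/evilsocket/opensnitch/issues/795
	# The ASN database is fetched by the user, not by this ebuild, so it is
	# not covered by the Manifest; verify the download against upstream pyasn.
	elog "Under regular user, run the following commands to display IP's network name:"
	elog "cd ~/.config/opensnitch/"
	elog "wget https://github.com/hadiasghari/pyasn/blob/master/data/ipasn_20140513_v12.dat.gz?raw=true -O ipasn_db.dat.gz"
	elog "wget https://github.com/hadiasghari/pyasn/blob/master/data/asnames.json?raw=true"
}

# Keep the icon cache consistent on removal as well, not just on install.
pkg_postrm() {
	xdg_icon_cache_update
}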