ARG RUST_VERSION

## GIT2 ###################################################################

# git2 packages are not available on ARM64, so we need to build it from source.
FROM centos:7 AS git2

ARG DEVTOOLSET

RUN yum groupinstall -y 'Development Tools' && \
    yum install -y \
    ca-certificates  \
    curl-devel  \
    expat-devel  \
    gettext-devel  \
    openssl-devel  \
    zlib-devel  \
    perl-CPAN  \
    perl-devel wget && \
    yum update -y && \
    yum -y install centos-release-scl-rh && \
    yum install -y \
    centos-release-scl \
    ${DEVTOOLSET}-gcc* \
    ${DEVTOOLSET}-make && \
    yum clean all

RUN wget https://github.com/git/git/archive/refs/tags/v2.39.1.tar.gz && \
    tar xf v2.39.1.tar.gz && \
    cd git-2.39.1/ && \
    scl enable ${DEVTOOLSET} "make configure && \
    ./configure --prefix=/usr/local && \
    make -j6 all && \
    DESTDIR=/opt/git make install"

# Create an alias to the assets image. Ref: https://github.com/docker/for-mac/issues/2155
ARG BUILDARCH
FROM ghcr.io/gravitational/teleport-buildbox-centos7-assets:teleport14-${BUILDARCH} AS teleport-buildbox-centos7-assets

## LIBFIDO2 ###################################################################

# Build libfido2 separately for isolation, speed and flexibility.
FROM centos:7 AS libfido2

ARG DEVTOOLSET

RUN yum groupinstall -y 'Development Tools' && \
    yum install -y epel-release && \
    yum install -y centos-release-scl-rh && \
    yum update -y && \
    yum install -y \
        cmake3 \
        ${DEVTOOLSET}-gcc* \
        git \
        libudev-devel \
        perl-IPC-Cmd \
        zlib-devel && \
    yum clean all

# Install libudev-zero.
# libudev-zero replaces systemd's libudev.
RUN git clone --depth=1 https://github.com/illiliti/libudev-zero.git -b 1.0.2 && \
    cd libudev-zero && \
    [ "$(git rev-parse HEAD)" = '04a727df50fde3f69127aed4bc48e6cff5430175' ] && \
    make install-static LIBDIR='$(PREFIX)/lib64'

# Install libcbor.
RUN git clone --depth=1 https://github.com/PJK/libcbor.git -b v0.10.2 && \
    cd libcbor && \
    [ "$(git rev-parse HEAD)" = 'efa6c0886bae46bdaef9b679f61f4b9d8bc296ae' ] && \
    cmake3 \
        -DCMAKE_BUILD_TYPE=Release \
        -DCMAKE_POSITION_INDEPENDENT_CODE=ON \
        -DWITH_EXAMPLES=OFF . && \
    make && \
    make install

# Install openssl.
# install_sw install only binaries, skips docs.
RUN git clone --depth=1 https://github.com/openssl/openssl.git -b openssl-3.0.9 && \
    cd openssl && \
    [ "$(git rev-parse HEAD)" = 'de90e54bbe82e5be4fb9608b6f5c308bb837d355' ] && \
    ./config --release --libdir=/usr/local/lib64 && \
    make -j"$(nproc)" && \
    make install_sw
# Necessary for libfido2 to find the correct libcrypto.
ENV PKG_CONFIG_PATH="/usr/local/lib64/pkgconfig"

# Install libfido2.
# Depends on libcbor, libcrypto (OpenSSL 3.x), libudev and zlib-devel.
# Linked so `make build/tsh` finds the library where it expects it.
RUN git clone --depth=1 https://github.com/Yubico/libfido2.git -b 1.13.0 && \
    cd libfido2 && \
    [ "$(git rev-parse HEAD)" = '486a8f8667e42f55cee2bba301b41433cacec830' ] && \
    scl enable ${DEVTOOLSET} "\
      CFLAGS=-pthread cmake3 \
          -DBUILD_EXAMPLES=OFF \
          -DBUILD_MANPAGES=OFF \
          -DBUILD_TOOLS=OFF \
          -DCMAKE_BUILD_TYPE=Release . && \
      grep 'CRYPTO_VERSION:INTERNAL=3\.0\.' CMakeCache.txt && \
      make" && \
    make install && \
    make clean

## LIBBPF #####################################################################

FROM centos:7 AS libbpf

ARG DEVTOOLSET

# Install required dependencies.
RUN yum groupinstall -y 'Development Tools' && \
    yum install -y epel-release && \
    yum update -y && \
    yum -y install centos-release-scl-rh && \
    yum install -y \
        centos-release-scl \
        ${DEVTOOLSET}-gcc* \
        ${DEVTOOLSET}-make \
        elfutils-libelf-devel-static \
        scl-utils && \
    yum clean all

# Install libbpf - compile with a newer GCC. The one installed by default is not able to compile it.
# BUILD_STATIC_ONLY disables libbpf.so build as we don't need it.
ARG LIBBPF_VERSION
RUN mkdir -p /opt && cd /opt && \
    curl -fsSL https://github.com/libbpf/libbpf/archive/refs/tags/v${LIBBPF_VERSION}.tar.gz | tar xz && \
    cd /opt/libbpf-${LIBBPF_VERSION}/src && \
    scl enable ${DEVTOOLSET} "make && BUILD_STATIC_ONLY=y DESTDIR=/opt/libbpf make install"

## LIBPCSCLITE #####################################################################

FROM centos:7 AS libpcsclite

ARG DEVTOOLSET

# Install required dependencies.
RUN yum groupinstall -y 'Development Tools' && \
    yum update -y && \
    yum -y install centos-release-scl-rh && \
    yum install -y \
        autoconf-archive \
        libudev-devel \
        scl-utils \
        centos-release-scl \
        ${DEVTOOLSET}-gcc* && \
    yum clean all

# Install libpcsclite - compile with a newer GCC. The one installed by default is not able to compile it.
ARG LIBPCSCLITE_VERSION
RUN git clone --depth=1 https://github.com/gravitational/PCSC.git -b ${LIBPCSCLITE_VERSION} && \
    cd PCSC && \
    ./bootstrap && \
    ./configure --enable-static --with-pic --disable-libsystemd && \
    scl enable ${DEVTOOLSET} "make" && \
    make install

## BUILDBOX ###################################################################

FROM centos:7 AS buildbox

ENV LANGUAGE=en_US.UTF-8 \
    LANG=en_US.UTF-8 \
    LC_ALL=en_US.UTF-8 \
    LC_CTYPE=en_US.UTF-8

ARG GOLANG_VERSION
ARG RUST_VERSION
ARG DEVTOOLSET

ARG UID
ARG GID
RUN (groupadd ci --gid=$GID -o && useradd ci --uid=$UID --gid=$GID --create-home --shell=/bin/sh && \
     mkdir -p -m0700 /var/lib/teleport && chown -R ci /var/lib/teleport)

RUN yum groupinstall -y 'Development Tools' && \
    yum install -y epel-release && \
    yum update -y && \
    yum -y install centos-release-scl-rh && \
    yum install -y \
    #required by libbpf
    centos-release-scl \
    # required by libbpf
    ${DEVTOOLSET}-* \
    # required by libbpf
    elfutils-libelf-devel-static \
    net-tools \
    # required by Teleport PAM support
    pam-devel \
    perl-IPC-Cmd \
    tree \
    # used by our Makefile
    which \
    zip \
    # required by libbpf
    zlib-static && \
    yum clean all && \
    localedef -c -i en_US -f UTF-8 en_US.UTF-8

# Override the old git installed by yum. We need git 2+ on GitHub Actions.
COPY --from=git2 /opt/git /usr/local

ARG BUILDARCH

# Install etcd.
RUN (curl -fsSL https://github.com/coreos/etcd/releases/download/v3.3.9/etcd-v3.3.9-linux-${BUILDARCH}.tar.gz | tar -xz && \
     cp etcd-v3.3.9-linux-${BUILDARCH}/etcd* /bin/ && \
     rm -rf etcd-v3.3.9-linux-${BUILDARCH})

# Install Go.
RUN mkdir -p /opt && cd /opt && curl -fsSL https://storage.googleapis.com/golang/$GOLANG_VERSION.linux-${BUILDARCH}.tar.gz | tar xz && \
    mkdir -p /go/src/github.com/gravitational/teleport && \
    chmod a+w /go && \
    chmod a+w /var/lib && \
    /opt/go/bin/go version
ENV GOPATH="/go" \
    GOROOT="/opt/go" \
    PATH="/opt/llvm/bin:$PATH:/opt/go/bin:/go/bin:/go/src/github.com/gravitational/teleport/build"

# Install node.
RUN yum install -y python3
ARG NODE_VERSION
ENV NODE_URL="https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${BUILDARCH}.tar.xz"
ENV NODE_PATH="/usr/local/lib/nodejs-linux"
ENV PATH="$PATH:${NODE_PATH}/bin"
RUN export NODE_ARCH=$(if [ "$BUILDARCH" = "amd64" ]; then echo "x64"; else echo "arm64"; fi) && \
     export NODE_URL="https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" && \
     mkdir -p ${NODE_PATH} && \
     curl -o /tmp/nodejs.tar.xz -fsSL ${NODE_URL} && \
     tar -xJf /tmp/nodejs.tar.xz -C /usr/local/lib/nodejs-linux --strip-components=1
RUN node --version
RUN corepack enable yarn

# Install PAM module and policies for testing.
COPY pam/ /opt/pam_teleport/
RUN make -C /opt/pam_teleport install

# Install Rust.
ENV RUSTUP_HOME=/usr/local/rustup \
    CARGO_HOME=/usr/local/cargo \
    PATH=/usr/local/cargo/bin:$PATH \
    RUST_VERSION=$RUST_VERSION

RUN mkdir -p $RUSTUP_HOME && chmod a+w $RUSTUP_HOME && \
    mkdir -p $CARGO_HOME/registry && chmod -R a+w $CARGO_HOME

RUN chmod a-w /

USER ci
RUN curl --proto '=https' --tlsv1.2 -fsSL https://sh.rustup.rs | sh -s -- -y --profile minimal --default-toolchain $RUST_VERSION && \
    rustup --version && \
    cargo --version && \
    rustc --version

# Do a quick switch back to root and copy/setup libfido2 and libpcsclite binaries.
# Do this last to take better advantage of the multi-stage build.
USER root
COPY --from=libfido2 /usr/local/include/ /usr/local/include/
COPY --from=libfido2 /usr/local/lib64/engines-3/ /usr/local/lib64/engines-3/
COPY --from=libfido2 /usr/local/lib64/ossl-modules/ /usr/local/lib64/ossl-modules/
COPY --from=libfido2 /usr/local/lib64/pkgconfig/ /usr/local/lib64/pkgconfig/
COPY --from=libfido2 \
    /usr/local/lib64/libcbor.a \
    /usr/local/lib64/libcrypto.a \
    /usr/local/lib64/libcrypto.so.3 \
    /usr/local/lib64/libfido2.a \
    /usr/local/lib64/libfido2.so.1.13.0 \
    /usr/local/lib64/libssl.a \
    /usr/local/lib64/libssl.so.3 \
    /usr/local/lib64/libudev.a \
    /usr/local/lib64/
# Re-create usual lib64 links.
RUN cd /usr/local/lib64 && \
    ln -s libcrypto.so.3 libcrypto.so && \
    ln -s libfido2.so.1.13.0 libfido2.so.1 && \
    ln -s libfido2.so.1 libfido2.so && \
    ln -s libssl.so.3 libssl.so && \
# Update ld.
    echo /usr/local/lib64 > /etc/ld.so.conf.d/libfido2.conf && \
    ldconfig
# Configure pkg-config.
COPY pkgconfig/centos7/ /
ENV PKG_CONFIG_PATH="/usr/local/lib64/pkgconfig"

COPY --from=libpcsclite /usr/local/include/ /usr/local/include/
COPY --from=libpcsclite /usr/local/lib/pkgconfig/ /usr/local/lib64/pkgconfig/
COPY --from=libpcsclite \
    /usr/local/lib/libpcsclite.a \
    /usr/local/lib/

# Copy libbpf into the final image.
ARG LIBBPF_VERSION
COPY --from=libbpf /opt/libbpf/usr /usr/libbpf-${LIBBPF_VERSION}

# Download pre-built CentOS 7 assets with clang needed to build BPF tools.
ARG BUILDARCH
COPY --from=teleport-buildbox-centos7-assets /opt/llvm /opt/llvm

VOLUME ["/go/src/github.com/gravitational/teleport"]
EXPOSE 6600 2379 2380