path: root/gnu/services/security-token.scm
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2018, 2022 Arun Isaac <arunisaac@systemreboot.net>
;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2021 Brice Waegeneire <brice@waegenei.re>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (gnu services security-token)
  #:use-module (gnu services)
  #:use-module (gnu services shepherd)
  #:use-module (gnu packages admin)
  #:use-module (gnu packages base)
  #:use-module (gnu packages security-token)
  #:use-module (gnu system shadow)
  #:use-module (guix gexp)
  #:use-module (guix modules)
  #:use-module (guix records)
  #:use-module (ice-9 match)
  #:use-module (srfi srfi-26)
  #:export (pcscd-configuration
            pcscd-configuration?
            pcscd-configuration-pcsc-lite
            pcscd-configuration-usb-drivers
            pcscd-service-type))

;;;
;;; PC/SC Smart Card Daemon
;;;

;; Configuration of the PC/SC daemon service ('pcscd-service-type').
(define-record-type* <pcscd-configuration>
  pcscd-configuration make-pcscd-configuration pcscd-configuration?
  ;; Package providing the daemon; 'pcscd-shepherd-service' runs its
  ;; "/sbin/pcscd" binary.
  (pcsc-lite pcscd-configuration-pcsc-lite
             (default pcsc-lite))
  ;; Packages whose "pcsc" sub-directory holds smart-card reader drivers.
  ;; 'pcscd-activation' exposes their union as /var/lib/pcsc, so every
  ;; package listed here ends up loaded by a root daemon: keep it to
  ;; drivers you trust.
  (usb-drivers pcscd-configuration-usb-drivers
               (default (list ccid))))

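(define pcscd-shepherd-service
  ;; Return the Shepherd service running 'pcscd' for a <pcscd-configuration>.
  ;; Only the 'pcsc-lite' field is used here; the driver directory the
  ;; daemon reads is prepared separately by 'pcscd-activation'.
  (match-lambda
    (($ <pcscd-configuration> pcsc-lite)
     (with-imported-modules (source-module-closure
                             '((gnu build shepherd)))
       (shepherd-service
        (documentation "PC/SC Smart Card Daemon")
        (provision '(pcscd))
        (requirement '(syslogd))
        (modules '((gnu build shepherd)))
        (start #~(lambda _
                   ;; Remove a socket left behind by an unclean shutdown so
                   ;; the daemon can bind again.  Unlink unconditionally and
                   ;; ignore only ENOENT: a 'file-exists?' probe stats
                   ;; through symlinks, so it would skip a dangling symlink
                   ;; at this path and leave a check-then-act window.  Any
                   ;; other error (EACCES, EISDIR, ...) is re-raised so the
                   ;; start fails visibly instead of being deferred to pcscd.
                   (let ((socket "/run/pcscd/pcscd.comm"))
                     (catch 'system-error
                       (lambda ()
                         (delete-file socket))
                       (lambda args
                         (unless (= ENOENT (system-error-errno args))
                           (apply throw args)))))
                   ;; Stay in the foreground so the Shepherd supervises the
                   ;; process directly; its output goes to the log file.
                   (fork+exec-command
                    (list #$(file-append pcsc-lite "/sbin/pcscd")
                          "--foreground")
                    #:log-file "/var/log/pcscd.log")))
        (stop #~(make-kill-destructor)))))))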

(define (pcscd-activation config)
  "Return the activation gexp for CONFIG, a <pcscd-configuration>.  It makes
/var/lib/pcsc point at the union of the \"pcsc\" sub-directories of the
configured USB driver packages, the location where pcscd looks up its reader
drivers."
  (match config
    (($ <pcscd-configuration> _ usb-drivers)
     (let ((driver-union (directory-union
                          "pcsc"
                          (map (cut file-append <> "/pcsc") usb-drivers))))
       (with-imported-modules (source-module-closure
                               '((guix build utils)))
         #~(begin
             (use-modules (guix build utils))

             ;; Re-point the symlink on every activation so a change to the
             ;; driver list in CONFIG takes effect without a stale link.
             (mkdir-p "/var/lib")
             (switch-symlinks "/var/lib/pcsc" #$driver-union)))))))

(define pcscd-service-type
  ;; Service type for the PC/SC daemon.  It contributes one Shepherd service
  ;; and an activation snippet exposing the driver union as /var/lib/pcsc;
  ;; with no explicit value a default <pcscd-configuration> is used.
  (let ((shepherd-services (lambda (config)
                             (list (pcscd-shepherd-service config)))))
    (service-type
     (name 'pcscd)
     (description
      "Run @command{pcscd}, the PC/SC smart card daemon.")
     (extensions
      (list (service-extension shepherd-root-service-type shepherd-services)
            (service-extension activation-service-type pcscd-activation)))
     (default-value (pcscd-configuration)))))
)

dnl GUIX_CHECK_GUILE_GIT
dnl
dnl Check whether a recent-enough Guile-Git is available.
AC_DEFUN([GUIX_CHECK_GUILE_GIT], [
  dnl Check whether we're using Guile-Git 0.3.0 or later.  0.3.0
  dnl introduced SSH authentication support and more.
  dnl The probe only checks that the bindings exist and that the
  dnl clone/fetch option constructors accept an SSH-agent auth object; it
  dnl does not exercise any network access.
  AC_CACHE_CHECK([whether Guile-Git is available and recent enough],
    [guix_cv_have_recent_guile_git],
    [GUILE_CHECK([retval],
      [(use-modules (git) (git auth) (git submodule))
       (let ((auth (%make-auth-ssh-agent)))
         repository-close!
         object-lookup-prefix
         (make-clone-options
          #:fetch-options (make-fetch-options auth)))])
     if test "$retval" = 0; then
       guix_cv_have_recent_guile_git="yes"
     else
       guix_cv_have_recent_guile_git="no"
     fi])
])

dnl GUIX_CHECK_GUILE_ZLIB
dnl
dnl Check whether a recent-enough Guile-zlib is available.
AC_DEFUN([GUIX_CHECK_GUILE_ZLIB], [
  dnl Check whether we're using Guile-zlib 0.1.0 or later.
  dnl 0.1.0 introduced the 'make-zlib-input-port' and related code.
  AC_CACHE_CHECK([whether Guile-zlib is available and recent enough],
    [guix_cv_have_recent_guile_zlib],
    [GUILE_CHECK([retval],
      [(use-modules (zlib))
       make-zlib-input-port])
     if test "$retval" = 0; then
       guix_cv_have_recent_guile_zlib="yes"
     else
       guix_cv_have_recent_guile_zlib="no"
     fi])
])

dnl GUIX_TEST_ROOT_DIRECTORY
dnl
dnl Set 'ac_cv_guix_test_root' to the scratch directory used by the test
dnl suite, below the current (build) directory.
AC_DEFUN([GUIX_TEST_ROOT_DIRECTORY], [
  AC_CACHE_CHECK([for unit test root directory],
    [ac_cv_guix_test_root],
    [ac_cv_guix_test_root="`pwd`/test-tmp"])
])

dnl 'BINPRM_BUF_SIZE' constant in Linux (we leave room for the trailing zero.)
dnl The Hurd has a limit of about a page (see exec/hashexec.c.)
dnl NOTE(review): this is the historical kernel value; if the running kernel
dnl uses a larger buffer the check below is merely conservative.
m4_define([LINUX_HASH_BANG_LIMIT], 127)

dnl Hardcoded 'sun_path' length in <sys/un.h>.
dnl The checks below reject names whose length is >= this value, i.e. they
dnl reserve one byte of 'sun_path' for the terminating NUL.
m4_define([SOCKET_FILE_NAME_LIMIT], 108)

dnl GUIX_SOCKET_FILE_NAME_LENGTH
dnl
dnl Measure the length of the daemon socket file name of the installed
dnl configuration ($guix_localstatedir/guix/daemon-socket/socket).
AC_DEFUN([GUIX_SOCKET_FILE_NAME_LENGTH], [
  AC_CACHE_CHECK([the length of the installed socket file name],
    [ac_cv_guix_socket_file_name_length],
    [ac_cv_guix_socket_file_name_length="`echo -n "$guix_localstatedir/guix/daemon-socket/socket" | wc -c`"])
])

dnl GUIX_TEST_SOCKET_FILE_NAME_LENGTH
dnl
dnl Same as above for the socket created while running the tests; the
dnl "123456" component stands in for the per-test numeric directory name.
AC_DEFUN([GUIX_TEST_SOCKET_FILE_NAME_LENGTH], [
  AC_REQUIRE([GUIX_TEST_ROOT_DIRECTORY])
  AC_CACHE_CHECK([the length of the socket file name used in tests],
    [ac_cv_guix_test_socket_file_name_length],
    [ac_cv_guix_test_socket_file_name_length="`echo -n "$ac_cv_guix_test_root/var/123456/daemon-socket/socket" | wc -c`"])
])

dnl GUIX_HASH_BANG_LENGTH
dnl
dnl Measure the length of a representative "#!" line under $storedir,
dnl using a 32-character placeholder for the store hash.
AC_DEFUN([GUIX_HASH_BANG_LENGTH], [
  AC_CACHE_CHECK([the length of a typical hash bang line],
    [ac_cv_guix_hash_bang_length],
    [ac_cv_guix_hash_bang_length=`echo -n "$storedir/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-bootstrap-binaries-0/bin/bash" | wc -c`])
])

dnl GUIX_TEST_HASH_BANG_LENGTH
dnl
dnl Same as above for the store used by the test suite.
AC_DEFUN([GUIX_TEST_HASH_BANG_LENGTH], [
  AC_REQUIRE([GUIX_TEST_ROOT_DIRECTORY])
  AC_CACHE_CHECK([the length of a hash bang line used in tests],
    [ac_cv_guix_test_hash_bang_length],
    [ac_cv_guix_test_hash_bang_length=`echo -n "$ac_cv_guix_test_root/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-bootstrap-binaries-0/bin/bash" | wc -c`])
])

dnl GUIX_CHECK_FILE_NAME_LIMITS
dnl
dnl GNU/Linux has a couple of silly limits that we can easily run into.
dnl Make sure everything is fine with the current settings.  Set $1 to
dnl 'yes' if tests can run, 'no' otherwise.
dnl
dnl Limits hit by the installed configuration are fatal (AC_MSG_ERROR);
dnl limits hit only by the test layout produce a warning and $1=no.
AC_DEFUN([GUIX_CHECK_FILE_NAME_LIMITS], [
  AC_REQUIRE([GUIX_SOCKET_FILE_NAME_LENGTH])
  AC_REQUIRE([GUIX_TEST_SOCKET_FILE_NAME_LENGTH])
  AC_REQUIRE([GUIX_HASH_BANG_LENGTH])
  AC_REQUIRE([GUIX_TEST_HASH_BANG_LENGTH])

  if test "$ac_cv_guix_socket_file_name_length" -ge ]SOCKET_FILE_NAME_LIMIT[; then
    AC_MSG_ERROR([socket file name would exceed the maximum allowed length])
  fi
  if test "$ac_cv_guix_test_socket_file_name_length" -ge ]SOCKET_FILE_NAME_LIMIT[; then
    AC_MSG_WARN([socket file name limit may be exceeded when running tests])
  fi

  $1=yes
  if test "$ac_cv_guix_hash_bang_length" -ge ]LINUX_HASH_BANG_LIMIT[; then
    $1=no
    AC_MSG_ERROR([store directory '$storedir' would lead to overly long hash-bang lines])
  fi
  if test "$ac_cv_guix_test_hash_bang_length" -ge ]LINUX_HASH_BANG_LIMIT[; then
    $1=no
    AC_MSG_WARN([test directory '$ac_cv_guix_test_root' may lead to overly long hash-bang lines])
  fi
])

dnl GUIX_CHECK_CXX11
dnl
dnl Check whether the C++ compiler can compile a typical C++11 program.
dnl CXXFLAGS is temporarily prefixed with -std=c++11 and restored afterwards.
AC_DEFUN([GUIX_CHECK_CXX11], [
  AC_REQUIRE([AC_PROG_CXX])
  AC_CACHE_CHECK([whether $CXX supports C++11],
    [ac_cv_guix_cxx11_support],
    [save_CXXFLAGS="$CXXFLAGS"
     CXXFLAGS="-std=c++11 $CXXFLAGS"
     AC_COMPILE_IFELSE([
      AC_LANG_SOURCE([
	#include <functional>

	std::function<int(int)>
	return_plus_lambda (int x)
	{
	  auto result = [[&]](int y) {
	    return x + y;
	  };

	  return result;
	}
      ])],
      [ac_cv_guix_cxx11_support=yes],
      [ac_cv_guix_cxx11_support=no])

     CXXFLAGS="$save_CXXFLAGS"
    ])
])

dnl GUIX_ASSERT_CXX11
dnl
dnl Error out if the C++ compiler cannot compile C++11 code.
AC_DEFUN([GUIX_ASSERT_CXX11], [
  GUIX_CHECK_CXX11
  if test "x$ac_cv_guix_cxx11_support" != "xyes"; then
    AC_MSG_ERROR([C++ compiler '$CXX' does not support the C++11 standard])
  fi
])

dnl GUIX_LIBGCRYPT_LIBDIR VAR
dnl
dnl Attempt to determine libgcrypt's LIBDIR; store the result in VAR.
dnl The directory is scraped from the '-L' flag in 'libgcrypt-config --libs';
dnl VAR is left empty when no 'libgcrypt-config' is found on PATH.
AC_DEFUN([GUIX_LIBGCRYPT_LIBDIR], [
  AC_PATH_PROG([LIBGCRYPT_CONFIG], [libgcrypt-config])
  AC_CACHE_CHECK([libgcrypt's library directory],
    [guix_cv_libgcrypt_libdir],
    [if test "x$LIBGCRYPT_CONFIG" != "x"; then
       guix_cv_libgcrypt_libdir=`$LIBGCRYPT_CONFIG --libs | grep -e -L | sed -e "s/.*-L\([[^ ]]\+\)[[[:blank:]]]\+-lgcrypt.*/\1/g"`
     else
       guix_cv_libgcrypt_libdir=""
     fi])
  $1="$guix_cv_libgcrypt_libdir"
])

dnl GUIX_CURRENT_LOCALSTATEDIR
dnl
dnl Determine the localstatedir of an existing Guix installation and set
dnl 'guix_cv_current_localstatedir' accordingly.  Set it to "none" if no
dnl existing installation was found.
dnl
dnl NOTE(review): $storedir is spliced verbatim into a Guile string literal
dnl inside the single-quoted -c argument, and Guile's stderr is discarded.
dnl A store directory containing a double quote or a single quote therefore
dnl breaks the expression and is silently reported as "none", disabling
dnl the consistency check in GUIX_CHECK_LOCALSTATEDIR.  Likewise, the
dnl "none" result only means the 'guile' found on PATH has no (guix config)
dnl for this $storedir, not that no installation exists.
AC_DEFUN([GUIX_CURRENT_LOCALSTATEDIR], [
  AC_PATH_PROG([GUILE], [guile])
  AC_CACHE_CHECK([the current installation's localstatedir],
    [guix_cv_current_localstatedir],
    [dnl Call 'dirname' because (guix config) appends "/guix" to LOCALSTATEDIR.
     guix_cv_current_localstatedir="`"$GUILE" \
       -c '(use-modules (guix config))
           (when (string=? %store-directory "'$storedir'")
             (display (dirname %state-directory)))' \
       2>/dev/null`"
     if test "x$guix_cv_current_localstatedir" = "x"; then
       guix_cv_current_localstatedir=none
     fi])])

dnl GUIX_CHECK_LOCALSTATEDIR
dnl
dnl Check that the LOCALSTATEDIR value is consistent with that of the existing
dnl Guix installation, if any.  Error out or warn if they do not match.
dnl
dnl A mismatch matters because the store database lives under localstatedir:
dnl installing with a different one would leave $storedir without its
dnl metadata, hence the "may corrupt" messages below.
AC_DEFUN([GUIX_CHECK_LOCALSTATEDIR], [
  AC_REQUIRE([GUIX_CURRENT_LOCALSTATEDIR])
  if test "x$guix_cv_current_localstatedir" != "xnone"; then
    if test "$guix_cv_current_localstatedir" != "$guix_localstatedir"; then
      case "$localstatedir" in
	NONE|\${prefix}*)
	  # User kept the default value---i.e., did not pass '--localstatedir'.
	  AC_MSG_ERROR([chosen localstatedir '$guix_localstatedir' does not match \
that of the existing installation '$guix_cv_current_localstatedir'
Installing may corrupt $storedir!
Use './configure --localstatedir=$guix_cv_current_localstatedir'.])
	  ;;
	*)
	  # User passed an explicit '--localstatedir'.  Assume they know what
	  # they're doing.
	  AC_MSG_WARN([chosen localstatedir '$guix_localstatedir' does not match \
that of the existing installation '$guix_cv_current_localstatedir'])
	  AC_MSG_WARN([installing may corrupt $storedir!])
	  ;;
      esac
    fi
  fi])

dnl GUIX_CHANNEL_METADATA
dnl
dnl Provide the channel metadata for this build.  This allows 'guix describe'
dnl to return meaningful data, as it would for a 'guix pull'-provided 'guix'.
dnl The default URL and introduction are taken from (guix channels).
dnl
dnl Security note: the channel introduction (commit + OpenPGP fingerprint) is
dnl the trust anchor that 'guix pull' uses to authenticate the channel.  The
dnl three --with-channel-* options default independently, so a build that
dnl passes --with-channel-url for a fork but omits --with-channel-introduction
dnl will advertise upstream's introduction for a non-upstream URL.  Builders
dnl of forks should set all three together.
dnl
dnl NOTE(review): when --with-channel-introduction is given, the value is
dnl built as a two-element list '("COMMIT" "FINGERPRINT"), whereas the
dnl default below is a dotted pair '("COMMIT" . "FINGERPRINT").  The two
dnl shapes are not interchangeable for a consumer matching on (commit .
dnl fingerprint); confirm which shape (guix config)/(guix describe) expect
dnl and make both branches produce it.  The COMMIT:FINGERPRINT split also
dnl drops anything after a second ':' and does not validate either field.
AC_DEFUN([GUIX_CHANNEL_METADATA], [
  AC_ARG_WITH([channel-url],
    [AS_HELP_STRING([--with-channel-url=URL],
      [assert that this is built from the Git repository at URL])],
    [guix_channel_url="\"$withval\""],
    [guix_channel_url="\"https://git.savannah.gnu.org/git/guix.git\""])
  AC_ARG_WITH([channel-commit],
    [AS_HELP_STRING([--with-channel-commit=COMMIT],
      [assert that this is built from COMMIT])],
    [guix_channel_commit="\"$withval\""],
    [guix_channel_commit="#f"])
  AC_ARG_WITH([channel-introduction],
    [AS_HELP_STRING([--with-channel-introduction=COMMIT:FINGERPRINT],
      [specify COMMIT and FINGERPRINT as the introduction of this channel])],
    [guix_channel_introduction="'(\"`echo $withval | cut -f1 -d:`\" \"`echo $withval | cut -f2 -d:`\")"],
    [guix_channel_introduction="'(\"9edb3f66fd807b096b48283debdcddccfea34bad\" . \"BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A 54FA\")"])

  GUIX_CHANNEL_URL="$guix_channel_url"
  GUIX_CHANNEL_COMMIT="$guix_channel_commit"
  GUIX_CHANNEL_INTRODUCTION="$guix_channel_introduction"

  AC_SUBST([GUIX_CHANNEL_URL])
  AC_SUBST([GUIX_CHANNEL_COMMIT])
  AC_SUBST([GUIX_CHANNEL_INTRODUCTION])
])