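# RPM spec for ja4sentinel: packages a pre-built binary, its systemd unit and
# a default configuration. Nothing is compiled here.
#
# Version macro must be defined BEFORE it's used in Version: field
# Override from command line: rpmbuild --define "build_version X.Y.Z"
# NOTE(review): the newest changelog entry below is 1.0.4-1 while the default
# version here is 1.0.5; add a matching changelog entry when cutting a release.
%if %{defined build_version}
%define spec_version %{build_version}
%else
%define spec_version 1.0.5
%endif

Name:           ja4sentinel
Version:        %{spec_version}
Release:        1%{?dist}
Summary:        JA4 TLS fingerprinting daemon for network monitoring
License:        MIT
URL:            https://github.com/your-repo/ja4sentinel
BuildArch:      x86_64

# Distribution-agnostic dependencies
# systemd is available on all target distros (Rocky 8/9/10, AlmaLinux)
Requires:       systemd
# libpcap is required for packet capture (dynamically linked)
# Version varies by distro: Rocky 8/9/10 (1.9.0+)
Requires:       libpcap >= 1.9.0

%description
JA4Sentinel is a Go-based tool for capturing network traffic on Linux servers,
extracting client-side TLS handshakes, generating JA4 signatures, enriching
with IP/TCP metadata, and logging results to configurable outputs.

Features:
- Network packet capture with BPF filters
- TLS ClientHello extraction
- JA4/JA3 fingerprint generation
- IP/TCP metadata enrichment
- Multiple output formats (stdout, file, UNIX socket)
- Structured JSON logging for systemd/journald
- Compatible with Rocky Linux 8/9/10, RHEL, AlmaLinux

%prep
# No source to unpack, binary is pre-built
# NOTE(review): the binary, unit file and config are copied straight from the
# rpmbuild sources directory with no Source tag and no digest check, so the
# package is only as trustworthy as whatever wrote those files. Consider
# verifying a recorded checksum of the binary in the build pipeline before
# this spec runs.

%build
# No build needed, binary is pre-built

%install
mkdir -p %{buildroot}/usr/bin
mkdir -p %{buildroot}/etc/ja4sentinel
mkdir -p %{buildroot}/var/lib/ja4sentinel
mkdir -p %{buildroot}/var/log/ja4sentinel
mkdir -p %{buildroot}/var/run/ja4sentinel
mkdir -p %{buildroot}/usr/lib/systemd/system
mkdir -p %{buildroot}/usr/share/ja4sentinel

# Install binary
install -m 755 %{_sourcedir}/ja4sentinel %{buildroot}/usr/bin/ja4sentinel

# Install systemd service
install -m 644 %{_sourcedir}/ja4sentinel.service %{buildroot}/usr/lib/systemd/system/ja4sentinel.service

# Install default config (one reference copy under /etc, one pristine copy
# under /usr/share that the post scriptlet seeds the live config from)
install -m 640 %{_sourcedir}/config.yml %{buildroot}/etc/ja4sentinel/config.yml.default
install -m 640 %{_sourcedir}/config.yml %{buildroot}/usr/share/ja4sentinel/config.yml

%pre
# No user creation needed - service runs as root for packet capture
# NOTE(review): the daemon parses untrusted network traffic, so a parser bug
# is exposed with full root privileges. If the unit file (not visible here)
# does not already restrict the service, consider limiting it to the capture
# capabilities (CAP_NET_RAW, possibly CAP_NET_ADMIN) and enabling systemd
# sandboxing options - confirm against the unit.
exit 0

%post
# Set proper ownership (root:root for packet capture).
# Recursive on purpose: it also re-owns files created inside these directories.
# Failures are ignored so that a scriptlet error cannot abort the transaction.
chown -R root:root /var/lib/ja4sentinel 2>/dev/null || true
chown -R root:root /var/run/ja4sentinel 2>/dev/null || true
chown -R root:root /var/log/ja4sentinel 2>/dev/null || true
chown -R root:root /etc/ja4sentinel 2>/dev/null || true

# Set proper permissions. The same modes are declared on these directories in
# the files list, so the rpm database and the filesystem agree; these lines
# remain only as a fallback.
chmod 750 /var/lib/ja4sentinel 2>/dev/null || true
chmod 750 /var/log/ja4sentinel 2>/dev/null || true
chmod 750 /etc/ja4sentinel 2>/dev/null || true

# Install config if not exists. install(1) sets mode and owner as part of the
# copy instead of relying on a follow-up chmod.
if [ ! -f /etc/ja4sentinel/config.yml ]; then
    install -m 0640 -o root -g root /usr/share/ja4sentinel/config.yml /etc/ja4sentinel/config.yml
fi

# Reload systemd and enable service (only if systemd is running)
# NOTE(review): this enables and starts packet capture with the shipped
# default configuration as soon as the package is installed. On upgrade,
# "start" is a no-op for an already running unit, so the previous binary keeps
# running until the service is restarted manually.
if [ -x /bin/systemctl ] && [ -d /run/systemd/system ]; then
    /bin/systemctl daemon-reload
    /bin/systemctl enable ja4sentinel.service 2>/dev/null || :
    /bin/systemctl start ja4sentinel.service 2>/dev/null || :
fi

%preun
# The scriptlet argument is the number of package instances left after this
# operation: 0 means full removal, 1 or more means upgrade.
if [ $1 -eq 0 ]; then
    # Package removal, stop and disable service
    if [ -x /bin/systemctl ]; then
        /bin/systemctl stop ja4sentinel.service >/dev/null 2>&1 || :
        /bin/systemctl disable ja4sentinel.service >/dev/null 2>&1 || :
    fi
fi

%postun
if [ $1 -eq 0 ]; then
    # Package removal, reload systemd
    if [ -x /bin/systemctl ]; then
        /bin/systemctl daemon-reload
    fi
fi

%files
/usr/bin/ja4sentinel
/usr/lib/systemd/system/ja4sentinel.service
# Own the data directory created during install so it is removed with the package.
%dir /usr/share/ja4sentinel
/usr/share/ja4sentinel/config.yml
# NOTE(review): only the .default copy is tracked by rpm. The live config.yml
# is created by the post scriptlet, so rpm -V cannot report changes to it and
# it is left behind when the package is removed.
%config(noreplace) /etc/ja4sentinel/config.yml.default
# Restrictive modes are declared here rather than only applied afterwards by
# the post scriptlet: the directories are created 0750 from the start, an
# upgrade does not briefly reset them to the build-time mode, and rpm -V
# verifies the intended value.
%dir %attr(0750,root,root) /etc/ja4sentinel
%dir %attr(0750,root,root) /var/lib/ja4sentinel
%dir %attr(0750,root,root) /var/log/ja4sentinel
# NOTE(review): on the target distros /var/run is a symlink to /run (tmpfs),
# so this directory does not survive a reboot. If the unit file (not visible
# here) has no RuntimeDirectory= setting, add one or ship a tmpfiles.d entry.
%dir /var/run/ja4sentinel

%changelog
* Sat Feb 28 2026 Jacquin Antoine - 1.0.4-1
- Add systemd sdnotify support (READY, WATCHDOG, STOPPING signals)
- Enable systemd watchdog with 30s timeout
- Update service unit to Type=notify
- Document sdnotify integration in architecture.yml

* Sat Feb 28 2026 JA4Sentinel Team - 1.0.2-1
- BREAKING: Drop CentOS 7 support (EOL June 2024), minimum Rocky Linux 8
- Fix race condition in TLS parser with per-ConnectionFlow mutex
- Fix memory leak in fragmented ClientHello buffer accumulation
- Add log file rotation (100MB, 3 backups)
- Improve UNIX socket reconnection with async queue and exponential backoff
- Add BPF filter validation (characters, length, balanced parentheses)
- Secure file permissions (0600 instead of 0644)
- Add 46 unit tests (capture, output, logging)
- Enable race detection in test pipeline (go test -race)
- Increase pcap snaplen from 1600 to 65535 bytes for large TLS handshakes
- Increase socket timeouts (2s to 5s) with configurable backoff
- Add named constants for configuration values

* Sat Feb 28 2026 JA4Sentinel Team - 1.0.1-1
- Add configurable packet channel buffer size for high-throughput capture
- Add timestamp field to LogRecord for precise event tracking
- Fix race condition: close packetChan after capture goroutine finishes
- Strengthen TLS limits and socket timeouts for robustness
- Improve configuration validation with stricter checks
- Include systemd service file in RPM packages
- Unified Docker-based packaging for CentOS 7, Rocky Linux 8/9/10
- Add comprehensive unit tests for API and cmd packages
- Add Godoc documentation for all public interfaces

* Wed Feb 25 2026 JA4Sentinel Team - 1.0.0-1
- Initial package release for CentOS 7, Rocky Linux 8/9/10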