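# A resource for managing SE modules
#
# Actions:
#   :deploy  (default) - :fetch, then :compile, then :install
#   :fetch   - put the module sources (a .te file or a whole directory) in `directory`
#   :compile - build `<module_name>.pp` from the sources with the SELinux devel Makefile
#   :install - load the compiled .pp with semodule
#   :remove  - unload the module with semodule
#
# Every sub-resource is guarded by `use_selinux(allow_disabled)`, a helper from
# Chef::SELinuxPolicy::Helpers (included in action_class below); presumably it
# reports whether SELinux is usable on the node -- confirm against the helper.

# NOTE: module_name is interpolated into shell commands (make target, semodule -r)
# and file paths below; it is expected to be set by the recipe author, not by
# node/user data.
property :module_name, String, name_property: true
# re-install even when a module of this name is already loaded
property :force, [true, false], default: false
# content to work with. Defaults to autogenerated name in the Chef cache. Can be provided and pre-populated
property :directory, String, default: lazy { "#{Chef::Config[:file_cache_path]}/#{module_name}" }

# Content options (mutually exclusive; :fetch raises when both are set):
property :content, String # provide a 'te' file directly. Optional
property :directory_source, String # Source directory for module source code. If specified, will use "remote_directory" on the directory specified as `directory`
property :cookbook, String # Related to directory
property :allow_disabled, [true, false], default: true

default_action :deploy

action :deploy do
  run_action(:fetch)
  run_action(:compile)
  run_action(:install)
end

# Get all the components in the right place
action :fetch do
  # Validate the declaration before creating anything on disk.
  raise 'dont specify both directory_source and content' if new_resource.directory_source && new_resource.content

  directory new_resource.directory do
    only_if { use_selinux(new_resource.allow_disabled) }
  end

  if new_resource.directory_source
    remote_directory new_resource.directory do
      source new_resource.directory_source
      cookbook new_resource.cookbook
      only_if { use_selinux(new_resource.allow_disabled) }
    end
  end

  if new_resource.content
    file "#{new_resource.directory}/#{new_resource.module_name}.te" do
      content new_resource.content
      only_if { use_selinux(new_resource.allow_disabled) }
    end
  end
end

action :compile do
  make_command = "/usr/bin/make -f /usr/share/selinux/devel/Makefile #{new_resource.module_name}.pp"

  execute "semodule-compile-#{new_resource.module_name}" do
    command make_command
    # $? = 1 means make wants to execute http://www.gnu.org/software/make/manual/html_node/Running.html
    # (`make -q` exits 0 only when the .pp is already up to date, so the build is skipped then)
    not_if "#{make_command} -q", cwd: new_resource.directory
    only_if { use_selinux(new_resource.allow_disabled) }
    cwd new_resource.directory
  end
end

# deploy / upgrade module
# XXX this looks ugly because CentOS 6.X doesn't support extracting
# SELinux modules from the current policy, which I planned on comparing
# to my compiled file. I'll be happy to see anything else (that works).
action :install do
  filename = "#{new_resource.directory}/#{new_resource.module_name}.pp"

  execute "semodule-install-#{new_resource.module_name}" do
    # The compiled .pp path is passed to semodule; it must be interpolated here,
    # otherwise `filename` is unused and semodule gets a literal, non-existent argument.
    command "#{semodule_cmd} -i #{filename}"
    # Install when the sources changed in this run (or force is set), or when the
    # module is not currently loaded. shell_boolean/module_defined come from the helpers.
    only_if "#{shell_boolean(new_resource.updated_by_last_action? || new_resource.force)} || ! (#{module_defined(new_resource.module_name)}) "
    only_if { use_selinux(new_resource.allow_disabled) }
  end
end

action :remove do
  execute "semodule-remove-#{new_resource.module_name}" do
    command "#{semodule_cmd} -r #{new_resource.module_name}"
    only_if module_defined(new_resource.module_name)
    only_if { use_selinux(new_resource.allow_disabled) }
  end
end

action_class do
  include Chef::SELinuxPolicy::Helpers
end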