net-proxy/squid: add 5.8, minor fixes

Added SQUID_FAST_SHUTDOWN support, require USE=ssl when USE=ssl-crtd

Closes: https://bugs.gentoo.org/890913
Closes: https://bugs.gentoo.org/835088
Signed-off-by: Hank Leininger <hlein@korelogic.com>
Closes: https://github.com/gentoo/gentoo/pull/30313
Signed-off-by: Sam James <sam@gentoo.org>

3 files changed, 510 insertions, 0 deletions

diff --git a/net-proxy/squid/Manifest b/net-proxy/squid/Manifest
index 53c02583c2f1..ccff7de79245 100644
--- a/net-proxy/squid/Manifest
+++ b/net-proxy/squid/Manifest
@@ -1,2 +1,3 @@
 DIST squid-4.17.tar.xz 2464204 BLAKE2B e227dfbac846dff66f04c6c72d81d667076107653721d14804f079518cef68efc53f5404fbe3306efb0c775a10638661c300a8e7cd3d7ab43c0e57a344387674 SHA512 cea36de10f128f5beb51bdc89604c16af3a820a5ac27284b2aa181ac87144930489688e1d85ce357fe1ed8a4e96e300277b95034a2475cbf86c9d6923ddf7c0a
 DIST squid-5.7.tar.xz 2566560 BLAKE2B 4a403ca4f94034356922ea1a4feffd5f5289e2aadbe1585bd04e83ee89712227ce04c53f7e05c10f7c8ac6be67a265a32b47032e7b56e929a172772fa41d5299 SHA512 624a39041a6ceda6c470dc0937616f1aa67200f3db02b4d74095d8d706ed31d6df5e0417dcacde45f6be40b617bee018849793d52c96a626aab32a2b182972aa
+DIST squid-5.8.tar.xz 2447560 BLAKE2B c9d1ae9464e68beabdf7ae1641a70d6c614bc4d4f4bae3fc5946c2bf61510634992cbd5abe63f071104edb2fa487a6c5c7fb8fbf8f06ac723a6522ec9ade8b68 SHA512 81a9a7d1dfcb58476369e08e99feb76411dd3242a3374feb175408fa0dc8161545a9a903603219c6fa2bcfb615461901e093428e97ac74cf4c596a7065d3247d
diff --git a/net-proxy/squid/files/squid.initd-r6 b/net-proxy/squid/files/squid.initd-r6
new file mode 100644
index 000000000000..775ccbaddbb1
--- /dev/null
+++ b/net-proxy/squid/files/squid.initd-r6
@@ -0,0 +1,129 @@
+#!/sbin/openrc-run
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+SQUID_SVCNAME=$( echo "${RC_SVCNAME}" | tr -cd '[a-zA-Z0-9]' )
+
+extra_started_commands="reload rotate"
+
+depend() {
+	use dns net
+}
+
+checkconfig() {
+	local CONFFILES="/etc/squid/${RC_SVCNAME}.conf /etc/squid/${RC_SVCNAME}.include /etc/squid/${RC_SVCNAME}.include.*"
+	if [ ! -f /etc/squid/${RC_SVCNAME}.conf ]; then
+		eerror "You need to create /etc/squid/${RC_SVCNAME}.conf first."
+		eerror "The main configuration file and all included file names should have the following format:"
+		eerror "${CONFFILES}"
+		eerror "An example can be found in /etc/squid/squid.conf.default"
+		return 1
+	fi
+
+	local PIDFILE=$(cat ${CONFFILES} 2>/dev/null 3>/dev/null | awk '/^[ \t]*pid_filename[ \t]+/ { print $2 }')
+	[ -z ${PIDFILE} ] && PIDFILE=/run/squid.pid
+	if [ /run/${RC_SVCNAME}.pid != ${PIDFILE} ]; then
+		eerror "/etc/squid/${RC_SVCNAME}.conf must set pid_filename to"
+		eerror "   /run/${RC_SVCNAME}.pid"
+		eerror "CAUTION: http_port, cache_dir and *_log parameters must be different than"
+		eerror "         in any other instance of squid."
+		eerror "Make sure the main configuration file and all included file names have the following format:"
+		eerror "${CONFFILES}"
+		return 1
+	fi
+
+	# Maximum file descriptors squid can open is determined by:
+	# a basic default of N=1024
+	#  ... altered by ./configure --with-filedescriptors=N
+	#  ... overridden on production by squid.conf max_filedescriptors (if,
+	#  and only if, setrlimit() RLIMIT_NOFILE is able to be built+used).
+	# Since we do not configure hard coded # of filedescriptors anymore,
+	# there is no need for ulimit calls in the init script.
+	# Use max_filedescriptors in squid.conf instead.
+
+	local CACHE_SWAP=$(cat ${CONFFILES} 2>/dev/null 3>/dev/null | awk '/^[ \t]*cache_dir[ \t]+/ { if ( $2 == "rock" ) printf "%s/rock ", $3; else if ( $2 == "coss" ) printf "%s/stripe ", $3; else printf "%s/00 ", $3; }')
+	[ -z "$CACHE_SWAP" ] && CACHE_SWAP="/var/cache/squid/00"
+
+	local x
+	for x in $CACHE_SWAP ; do
+		if [ ! -e $x ] ; then
+			ebegin "Initializing cache directory ${x%/*}"
+			local ORIG_UMASK=$(umask)
+			umask 027
+
+			if ! (mkdir -p ${x%/*} && chown squid ${x%/*}) ; then
+				eend 1
+				return 1
+			fi
+
+			local INIT_CACHE_RESPONSE="$(/usr/sbin/squid -z -N -f /etc/squid/${RC_SVCNAME}.conf -n ${SQUID_SVCNAME} 2>&1)"
+			if [ $? != 0 ] || echo "$INIT_CACHE_RESPONSE" | grep -q "erminated abnormally" ; then
+				umask $ORIG_UMASK
+				eend 1
+				echo "$INIT_CACHE_RESPONSE"
+				return 1
+			fi
+
+			umask $ORIG_UMASK
+			eend 0
+			break
+		fi
+	done
+
+	return 0
+}
+
+start() {
+	checkconfig || return 1
+	checkpath -d -q -m 0750 -o squid:squid /run/${RC_SVCNAME}
+
+	# see https://wiki.squid-cache.org/MultipleInstances
+	ebegin "Starting ${RC_SVCNAME} (service name ${SQUID_SVCNAME}) with KRB5_KTNAME=\"${SQUID_KEYTAB}\" /usr/sbin/squid ${SQUID_OPTS} -f /etc/squid/${RC_SVCNAME}.conf -n ${SQUID_SVCNAME}"
+	KRB5_KTNAME="${SQUID_KEYTAB}" /usr/sbin/squid ${SQUID_OPTS} -f /etc/squid/${RC_SVCNAME}.conf -n ${SQUID_SVCNAME}
+	eend $? && sleep 1
+}
+
+stop() {
+	ebegin "Stopping ${RC_SVCNAME} with /usr/sbin/squid -k shutdown -f /etc/squid/${RC_SVCNAME}.conf -n ${SQUID_SVCNAME}"
+	if /usr/sbin/squid -k shutdown -f /etc/squid/${RC_SVCNAME}.conf -n ${SQUID_SVCNAME} ; then
+		if [ "x${SQUID_FAST_SHUTDOWN}" = "xyes" ]; then
+			einfo "Attempting fast shutdown."
+			/usr/sbin/squid -k shutdown -f /etc/squid/${RC_SVCNAME}.conf -n ${SQUID_SVCNAME}
+		fi
+		# Now we have to wait until squid has _really_ stopped.
+		sleep 1
+		if [ -f /run/${RC_SVCNAME}.pid ] ; then
+			einfon "Waiting for squid to shutdown ."
+			cnt=0
+			while [ -f /run/${RC_SVCNAME}.pid ] ; do
+				cnt=$(expr $cnt + 1)
+				if [ $cnt -gt 60 ] ; then
+					# Waited 120 seconds now. Fail.
+					echo
+					eend 1 "Failed."
+					break
+				fi
+				sleep 2
+				printf "."
+			done
+			echo
+		fi
+	else
+		eerror "Squid shutdown failed, probably service is already down."
+	fi
+	eend 0
+}
+
+reload() {
+	checkconfig || return 1
+	ebegin "Reloading ${RC_SVCNAME} with /usr/sbin/squid -k reconfigure -f /etc/squid/${RC_SVCNAME}.conf -n ${SQUID_SVCNAME}"
+	/usr/sbin/squid -k reconfigure -f /etc/squid/${RC_SVCNAME}.conf -n ${SQUID_SVCNAME}
+	eend $?
+}
+
+rotate() {
+	service_started ${RC_SVCNAME} || return 1
+	ebegin "Rotating ${RC_SVCNAME} logs with /usr/sbin/squid -k rotate -f /etc/squid/${RC_SVCNAME}.conf -n ${SQUID_SVCNAME}"
+	/usr/sbin/squid -k rotate -f /etc/squid/${RC_SVCNAME}.conf -n ${SQUID_SVCNAME}
+	eend $?
+}
diff --git a/net-proxy/squid/squid-5.8.ebuild b/net-proxy/squid/squid-5.8.ebuild
new file mode 100644
index 000000000000..91df2c9eb25d
--- /dev/null
+++ b/net-proxy/squid/squid-5.8.ebuild
@@ -0,0 +1,380 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="8"
+
+inherit autotools flag-o-matic linux-info pam systemd toolchain-funcs
+
+DESCRIPTION="A full-featured web proxy cache"
+HOMEPAGE="http://www.squid-cache.org/"
+
+MY_PV_MAJOR=$(ver_cut 1)
+# Upstream patch ID for the most recent bug-fixed update to the formal release.
+#r=-20181117-r0022167
+r=
+if [[ -z ${r} ]]; then
+	SRC_URI="http://www.squid-cache.org/Versions/v${MY_PV_MAJOR}/${P}.tar.xz"
+else
+	SRC_URI="http://www.squid-cache.org/Versions/v${MY_PV_MAJOR}/${P}${r}.tar.bz2"
+	S="${S}${r}"
+fi
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
+IUSE="caps gnutls pam ldap samba sasl kerberos nis radius ssl snmp selinux logrotate test ecap"
+IUSE+=" esi ssl-crtd mysql postgres sqlite systemd perl qos tproxy +htcp +wccp +wccpv2"
+RESTRICT="!test? ( test )"
+REQUIRED_USE="tproxy? ( caps ) qos? ( caps ) ssl-crtd? ( ssl )"
+
+DEPEND="
+	acct-group/squid
+	acct-user/squid
+	dev-libs/libltdl
+	sys-libs/tdb
+	virtual/libcrypt:=
+	caps? ( >=sys-libs/libcap-2.16 )
+	ecap? ( net-libs/libecap:1 )
+	esi? (
+		dev-libs/expat
+		dev-libs/libxml2
+	)
+	ldap? ( net-nds/openldap:= )
+	gnutls? ( >=net-libs/gnutls-3.1.5:= )
+	logrotate? ( app-admin/logrotate )
+	nis? (
+		net-libs/libtirpc:=
+		net-libs/libnsl:=
+	)
+	kerberos? ( virtual/krb5 )
+	pam? ( sys-libs/pam )
+	qos? ( net-libs/libnetfilter_conntrack )
+	ssl? (
+		dev-libs/nettle:=
+		!gnutls? (
+			dev-libs/openssl:=
+		)
+	)
+	sasl? ( dev-libs/cyrus-sasl )
+	systemd? ( sys-apps/systemd:= )
+"
+RDEPEND="
+	${DEPEND}
+	mysql? ( dev-perl/DBD-mysql )
+	postgres? ( dev-perl/DBD-Pg )
+	perl? ( dev-lang/perl )
+	samba? ( net-fs/samba )
+	selinux? ( sec-policy/selinux-squid )
+	sqlite? ( dev-perl/DBD-SQLite )
+"
+BDEPEND="
+	dev-lang/perl
+	ecap? ( virtual/pkgconfig )
+	test? ( dev-util/cppunit )
+"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-5.3-gentoo.patch
+	"${FILESDIR}"/${PN}-4.17-use-system-libltdl.patch
+)
+
+pkg_pretend() {
+	if use tproxy; then
+		local CONFIG_CHECK="~NF_CONNTRACK ~NETFILTER_XT_MATCH_SOCKET ~NETFILTER_XT_TARGET_TPROXY"
+		linux-info_pkg_setup
+	fi
+}
+
+src_prepare() {
+	default
+
+	# Fixup various paths
+	sed -i -e 's:/usr/local/squid/etc:/etc/squid:' \
+		INSTALL QUICKSTART \
+		scripts/fileno-to-pathname.pl \
+		scripts/check_cache.pl \
+		tools/cachemgr.cgi.8 \
+		tools/purge/conffile.hh \
+		tools/purge/purge.1 || die
+	sed -i -e 's:/usr/local/squid/sbin:/usr/sbin:' \
+		INSTALL QUICKSTART || die
+	sed -i -e 's:/usr/local/squid/var/cache:/var/cache/squid:' \
+		QUICKSTART || die
+	sed -i -e 's:/usr/local/squid/var/logs:/var/log/squid:' \
+		QUICKSTART \
+		src/log/access_log.cc || die
+	sed -i -e 's:/usr/local/squid/logs:/var/log/squid:' \
+		src/log/access_log.cc || die
+	sed -i -e 's:/usr/local/squid/libexec:/usr/libexec/squid:' \
+		src/acl/external/unix_group/ext_unix_group_acl.8 \
+		src/acl/external/session/ext_session_acl.8 || die
+	sed -i -e 's:/usr/local/squid/cache:/var/cache/squid:' \
+		scripts/check_cache.pl || die
+	# /var/run/squid to /run/squid
+	sed -i -e 's:$(localstatedir)::' \
+		src/ipc/Makefile.am || die
+	sed -i 's:/var/run/:/run/:g' tools/systemd/squid.service || die
+
+	sed -i -e 's:_LTDL_SETUP:LTDL_INIT([installable]):' \
+		libltdl/configure.ac || die
+
+	eautoreconf
+}
+
+src_configure() {
+	local myeconfargs=(
+		--datadir=/usr/share/squid
+		--libexecdir=/usr/libexec/squid
+		--localstatedir=/var
+		--sysconfdir=/etc/squid
+		--with-default-user=squid
+		--with-logdir=/var/log/squid
+		--with-pidfile=/run/squid.pid
+
+		--enable-build-info="Gentoo ${PF} (r: ${r:-NONE})"
+		--enable-log-daemon-helpers
+		--enable-url-rewrite-helpers
+		--enable-cache-digests
+		--enable-delay-pools
+		--enable-disk-io
+		--enable-eui
+		--enable-icmp
+		--enable-ipv6
+		--enable-follow-x-forwarded-for
+		--enable-removal-policies="lru,heap"
+		--disable-strict-error-checking
+		--disable-arch-native
+
+		--with-large-files
+		--with-build-environment=default
+
+		--with-tdb
+
+		--without-included-ltdl
+		--with-ltdl-include="${ESYSROOT}"/usr/include
+		--with-ltdl-lib="${ESYSROOT}"/usr/$(get_libdir)
+
+		$(use_with caps libcap)
+		$(use_enable snmp)
+		$(use_with ssl openssl)
+		$(use_with ssl nettle)
+		$(use_with gnutls)
+		$(use_enable ssl-crtd)
+		$(use_with systemd)
+		$(use_with test cppunit)
+		$(use_enable ecap)
+		$(use_enable esi)
+		$(use_enable esi expat)
+		$(use_enable esi libxml2)
+		$(use_enable htcp)
+		$(use_enable wccp)
+		$(use_enable wccpv2)
+	)
+
+	# Basic modules
+	local basic_modules=(
+		NCSA
+		POP3
+		getpwnam
+
+		$(usev samba 'SMB')
+		$(usev ldap 'SMB_LM LDAP')
+		$(usev pam 'PAM')
+		$(usev sasl 'SASL')
+		$(usev nis 'NIS')
+		$(usev radius 'RADIUS')
+	)
+
+	use nis && append-cppflags "-I${ESYSROOT}/usr/include/tirpc"
+
+	if use mysql || use postgres || use sqlite; then
+		basic_modules+=( DB )
+	fi
+
+	# Digests
+	local digest_modules=(
+		file
+
+		$(usev ldap 'LDAP eDirectory')
+	)
+
+	# Kerberos
+	local negotiate_modules=( none )
+
+	myeconfargs+=( --without-mit-krb5 --without-heimdal-krb5 )
+
+	if use kerberos; then
+		# We intentionally overwrite negotiate_modules here to lose
+		# the 'none'.
+		negotiate_modules=( kerberos wrapper )
+
+		if has_version app-crypt/heimdal; then
+			myeconfargs+=(
+				--without-mit-krb5
+				--with-heimdal-krb5
+			)
+		else
+			myeconfargs+=(
+				--with-mit-krb5
+				--without-heimdal-krb5
+			)
+		fi
+	fi
+
+	# NTLM modules
+	local ntlm_modules=( none )
+
+	if use samba ; then
+		# We intentionally overwrite ntlm_modules here to lose
+		# the 'none'.
+		ntlm_modules=( SMB_LM )
+	fi
+
+	# External helpers
+	local ext_helpers=(
+		file_userip
+		session
+		unix_group
+		delayer
+		time_quota
+
+		$(usev samba 'wbinfo_group')
+		$(usev ldap 'LDAP_group eDirectory_userip')
+	)
+
+	use ldap && use kerberos && ext_helpers+=( kerberos_ldap_group )
+	if use mysql || use postgres || use sqlite; then
+		ext_helpers+=( SQL_session )
+	fi
+
+	# Storage modules
+	local storeio_modules=(
+		aufs
+		diskd
+		rock
+		ufs
+	)
+
+	#
+	local transparent
+	if use kernel_linux; then
+		myeconfargs+=(
+			--enable-linux-netfilter
+			$(usev qos '--enable-zph-qos --with-netfilter-conntrack')
+		)
+	fi
+
+	tc-export_build_env BUILD_CXX
+	export BUILDCXX="${BUILD_CXX}"
+	export BUILDCXXFLAGS="${BUILD_CXXFLAGS}"
+	tc-export CC AR
+
+	# Should be able to drop this workaround with newer versions.
+	# https://bugs.squid-cache.org/show_bug.cgi?id=4224
+	tc-is-cross-compiler && export squid_cv_gnu_atomics=no
+
+	# Bug #719662
+	append-atomic-flags
+
+	print_options_without_comma() {
+		# IFS as ',' will cut off any trailing commas
+		(
+			IFS=','
+			options=( $(printf "%s," "${@}") )
+			echo "${options[*]}"
+		)
+	}
+
+	myeconfargs+=(
+		--enable-storeio=$(print_options_without_comma "${storeio_modules[@]}")
+		--enable-auth-basic=$(print_options_without_comma "${basic_modules[@]}")
+		--enable-auth-digest=$(print_options_without_comma "${digest_modules[@]}")
+		--enable-auth-ntlm=$(print_options_without_comma "${ntlm_modules[@]}")
+		--enable-auth-negotiate=$(print_options_without_comma "${negotiate_modules[@]}")
+		--enable-external-acl-helpers=$(print_options_without_comma "${ext_helpers[@]}")
+	)
+
+	econf "${myeconfargs[@]}"
+}
+
+src_install() {
+	default
+
+	systemd_dounit tools/systemd/squid.service
+
+	# Need suid root for looking into /etc/shadow
+	fowners root:squid /usr/libexec/squid/basic_ncsa_auth
+	fperms 4750 /usr/libexec/squid/basic_ncsa_auth
+
+	if use pam; then
+		fowners root:squid /usr/libexec/squid/basic_pam_auth
+		fperms 4750 /usr/libexec/squid/basic_pam_auth
+	fi
+
+	# Pinger needs suid as well
+	fowners root:squid /usr/libexec/squid/pinger
+	fperms 4750 /usr/libexec/squid/pinger
+
+	# These scripts depend on perl
+	if ! use perl; then
+		local perl_scripts=(
+			basic_pop3_auth ext_delayer_acl helper-mux
+			log_db_daemon security_fake_certverify
+			storeid_file_rewrite url_lfs_rewrite
+		)
+
+		local script
+		for script in "${perl_scripts[@]}"; do
+			rm "${ED}"/usr/libexec/squid/${script} || die
+		done
+	fi
+
+	# Cleanup
+	rm -r "${D}"/run "${D}"/var/cache || die
+
+	dodoc CONTRIBUTORS CREDITS ChangeLog INSTALL QUICKSTART README SPONSORS doc/*.txt
+	newdoc src/auth/negotiate/kerberos/README README.kerberos
+	newdoc src/auth/basic/RADIUS/README README.RADIUS
+	newdoc src/acl/external/kerberos_ldap_group/README README.kerberos_ldap_group
+	dodoc RELEASENOTES.html
+
+	if use pam; then
+		newpamd "${FILESDIR}"/squid.pam squid
+	fi
+
+	newconfd "${FILESDIR}"/squid.confd-r2 squid
+	newinitd "${FILESDIR}"/squid.initd-r6 squid
+
+	if use logrotate ; then
+		insinto /etc/logrotate.d
+		newins "${FILESDIR}"/squid.logrotate squid
+	else
+		exeinto /etc/cron.weekly
+		newexe "${FILESDIR}"/squid.cron squid.cron
+	fi
+
+	diropts -m0750 -o squid -g squid
+	keepdir /var/log/squid /etc/ssl/squid /var/lib/squid
+
+	# Hack for bug #834503 (see also bug #664940)
+	# Please keep this for a few years until it's no longer plausible
+	# someone is upgrading from < squid 5.7.
+	mv "${ED}"/usr/share/squid/errors{,.new} || die
+}
+
+pkg_preinst() {
+	# Remove file in EROOT that the directory collides with.
+	rm -rf "${EROOT}"/usr/share/squid/errors || die
+
+	# Following the collision protection check, reverse
+	# src_install's rename in ED.
+	mv "${ED}"/usr/share/squid/errors{.new,} || die
+}
+
+pkg_postinst() {
+	elog "A good starting point to debug Squid issues is to use 'squidclient mgr:' commands such as 'squidclient mgr:info'."
+
+	if [[ ${#r} -gt 0 ]]; then
+		elog "You are using a release with the official ${r} patch! Make sure you mention that, or send the output of 'squidclient mgr:info' when asking for support."
+	fi
+}