5 files changed, 175 insertions, 35 deletions
diff --git a/pkgs/athena-bccr/LaunchGaudi.java b/pkgs/athena-bccr/LaunchGaudi.java
index 5457086..e4bcdbf 100644
--- a/pkgs/athena-bccr/LaunchGaudi.java
+++ b/pkgs/athena-bccr/LaunchGaudi.java
@@ -5,14 +5,8 @@
 // demasiada pereza arreglarlo, así que en su lugar usamos este stub para
 // launchear Gaudi.
 
-import InicializadorCliente.Inicializador;
-
 public class LaunchGaudi {
 	public static void main(String[] args) {
-		// new Inicializador(0);
-
-		j.e log = new j.e();
-		System.setProperty("log_dir", log.a());
-		Tray.ConsolaControlador.Instancia().run();
+		new InicializadorCliente.Inicializador("");
 	}
 }
diff --git a/pkgs/athena-bccr/default.nix b/pkgs/athena-bccr/default.nix
index 16e2e36..cda0b62 100644
--- a/pkgs/athena-bccr/default.nix
+++ b/pkgs/athena-bccr/default.nix
@@ -5,18 +5,26 @@ let
   latest = "deb64-rev26";
 
   releases = lib.mapAttrs (name: release: release // { name = name; }) (import ./releases.nix);
-  unwrappedFor = release: lib.mapAttrs (_: pkg: callPackage pkg { }) (callPackage ./unwrapped.nix { inherit release; });
+
+  overrideUnwrapped = default: new:
+    let
+      args = default // new;
+      unwrappedPkgs = lib.filterAttrs (name: _: ! lib.elem name [ "override" "overrideDerivation" ]) (callPackage ./unwrapped.nix args);
+    in
+    lib.fix (unwrapped: lib.mapAttrs (_: pkg: callPackage pkg unwrapped) unwrappedPkgs) // {
+      override = overrideUnwrapped args;
+    };
 
   pkgsForRelease = release:
     let
       libasep11 = "${unwrapped.ase-idprotect}/lib/x64-athena/libASEP11.so";
-      unwrapped = unwrappedFor release;
+      unwrapped = overrideUnwrapped { inherit release; } { };
     in
     {
       inherit libasep11;
-      inherit (unwrapped) ase-idprotect;
+      inherit (unwrapped) ase-idprotect bccr-cacerts;
 
-      shell = callPackage ./fhs-env.nix { inherit unwrapped; };
+      gaudi = callPackage ./gaudi-env.nix { inherit unwrapped; };
       firmador = callPackage ./firmador.nix { inherit libasep11; };
     };
 in
diff --git a/pkgs/athena-bccr/fhs-env.nix b/pkgs/athena-bccr/fhs-env.nix
deleted file mode 100644
index a9bbf90..0000000
--- a/pkgs/athena-bccr/fhs-env.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{ buildFHSEnv
-
-, unwrapped
-}:
-buildFHSEnv {
-  name = "athena-bccr";
-
-  targetPkgs = pkgs: [
-    unwrapped.ase-idprotect
-    unwrapped.gaudi
-  ];
-}
diff --git a/pkgs/athena-bccr/gaudi-env.nix b/pkgs/athena-bccr/gaudi-env.nix
new file mode 100644
index 0000000..0b98e08
--- /dev/null
+++ b/pkgs/athena-bccr/gaudi-env.nix
@@ -0,0 +1,63 @@
+{ buildFHSEnv
+, curl
+, lib
+, writeShellScriptBin
+
+, gaudiHash ? null
+, unwrapped
+}:
+let
+  unwrappedWithGaudi = unwrapped.override { inherit gaudiHash; };
+in
+buildFHSEnv {
+  name = "gaudi";
+
+  targetPkgs = pkgs: [
+    unwrappedWithGaudi.ase-idprotect
+    unwrappedWithGaudi.gaudi
+
+    (writeShellScriptBin "launch-gaudi" ''
+      set -o errexit
+      set -o pipefail
+      set -o nounset
+
+      PATH="${lib.makeBinPath [ curl ]}:$PATH"
+
+      echo "$0: testing for incompatible releases..." >&2
+
+      jar_name=bccr-firma-fva-clienteMultiplataforma.jar
+      url="https://www.firmadigital.go.cr/Bccr.Firma.Fva.Actualizador.ClienteFirmadorJava//recursosLiberica17/actualizador/$jar_name"
+      ca_file="${unwrappedWithGaudi.bccr-cacerts}/root-ca.pem"
+      url_hash=$(curl -sS --cacert "$ca_file" "$url" | sha256sum | cut -d' ' -f1)
+      jar_path="${unwrappedWithGaudi.gaudi}/share/java/$jar_name"
+      jar_hash=$(sha256sum "$jar_path" | cut -d' ' -f1)
+
+      if [ "$url_hash" != "$jar_hash" ]; then
+        last_modified=$(curl -sS --head --cacert "$ca_file" "$url" | grep -i '^last-modified:' | head -1)
+
+        echo "$0: sha256 mismatch for $jar_path due to server-side update" >&2
+        echo "$0:   expected:      $url_hash" >&2
+        echo "$0:   actual:        $jar_hash" >&2
+        echo "$0:   $last_modified" >&2
+        echo "$0: run the following to download the new client JAR, then update your derivation:" >&2
+        echo "$0: \$ ${unwrappedWithGaudi.update-gaudi}" >&2
+
+        exit 1
+      fi
+
+      cache_path_1="''${XDG_CACHE_HOME:-$HOME/.cache}/Agente-GAUDI"
+      cache_path_2="''${XDG_CACHE_HOME:-$HOME/.cache}/Firmador-BCCR"
+
+      for cache_path in "$cache_path_1" "$cache_path_2"; do
+        mkdir -p "$cache_path"
+        ln -sf -- ${unwrappedWithGaudi.gaudi}/share/java/bccr-firma-fva-clienteMultiplataforma.jar "$cache_path"
+      done
+
+      cp -f --no-preserve=mode -t "$cache_path_1" -- "${unwrappedWithGaudi.gaudi}/share/java/config.properties"
+
+      exec gaudi
+    '')
+  ];
+
+  runScript = "launch-gaudi";
+}
diff --git a/pkgs/athena-bccr/unwrapped.nix b/pkgs/athena-bccr/unwrapped.nix
index 244bebc..200e998 100644
--- a/pkgs/athena-bccr/unwrapped.nix
+++ b/pkgs/athena-bccr/unwrapped.nix
@@ -1,28 +1,40 @@
 { lib
+, requireFile
 
 , release
+, gaudiHash ? null
+, ...
 }:
 let
   inherit (release) srcPaths;
 
-  moduleFromDeb = name: args@{ stdenv, dpkg, requireFile, unzip, srcPath, ... }:
+  src = requireFile {
+    url = "https://soportefirmadigital.com";
+    name = "${release.basename}.zip";
+
+    inherit (release) hash;
+  };
+
+  gaudiUpdateSrc = { update-gaudi }: requireFile {
+    url = "${update-gaudi}";
+    name = "gaudi-update-${release.name}.zip";
+
+    hash = gaudiHash;
+  };
+
+  moduleFromDeb = name: args@{ stdenv, dpkg, unzip, srcPath, ... }:
     stdenv.mkDerivation ({
       pname = "${name}-unwrapped";
       version = release.name;
 
-      src = requireFile {
-        url = "https://soportefirmadigital.com";
-        name = "${release.basename}.zip";
-
-        inherit (release) hash;
-      };
+      inherit src;
 
       nativeBuildInputs = [ dpkg unzip ] ++ (args.nativeBuildInputs or [ ]);
 
       postUnpack = ''
         dpkg -x ${lib.escapeShellArg "${release.basename}/${srcPath}"} ${lib.escapeShellArg release.basename}
       '';
-    } // lib.removeAttrs args [ "stdenv" "dpkg" "requireFile" "unzip" "srcPath" "nativeBuildInputs" ]);
+    } // lib.removeAttrs args [ "stdenv" "dpkg" "unzip" "srcPath" "nativeBuildInputs" ]);
 in
 {
   ase-idprotect =
@@ -31,14 +43,14 @@ in
     , fontconfig
     , freetype
     , pcsclite
-    , requireFile
     , stdenv
     , unzip
     , xorg
     , zlib
+    , ...
     }:
     moduleFromDeb "ase-idprotect" {
-      inherit dpkg requireFile stdenv unzip;
+      inherit dpkg stdenv unzip;
       srcPath = srcPaths.idprotect;
 
       buildInputs = [
@@ -76,20 +88,25 @@ in
     , dpkg
     , makeWrapper
     , openjdk
-    , requireFile
+    , pkgs
     , stdenv
     , unzip
     , writeShellScriptBin
+
+    , update-gaudi
+    , ...
     }:
     let
       jdk = openjdk.override {
         enableJavaFX = true;
+        openjfx_jdk = pkgs."openjfx${lib.head (lib.splitString "." openjdk.version)}".override { withWebKit = true; };
       };
 
       fakeSudo = writeShellScriptBin "sudo" "";
+      gaudiUpdate = gaudiUpdateSrc { inherit update-gaudi; };
     in
     moduleFromDeb "gaudi" {
-      inherit dpkg requireFile stdenv unzip;
+      inherit dpkg stdenv unzip;
       srcPath = srcPaths.gaudi;
 
       nativeBuildInputs = [
@@ -98,7 +115,13 @@ in
         makeWrapper
       ];
 
+      preBuild = lib.optionalString (gaudiHash != null) ''
+        unzip -o ${gaudiUpdate} -d opt/Agente-GAUDI/lib/app
+      '';
+
       buildPhase = ''
+        runHook preBuild
+
         install -m755 -d $out/{bin,opt/Firmador-BCCR/lib}
         cp -r opt/Agente-GAUDI/lib/app $out/opt/Firmador-BCCR/lib/app
 
@@ -109,6 +132,8 @@ in
           -cp opt/Agente-GAUDI/lib/app/bccr-firma-fva-clienteMultiplataforma.jar \
           -d $out/opt/Firmador-BCCR/lib/app \
           LaunchGaudi.java
+
+        runHook postBuild
       '';
 
       installPhase = ''
@@ -131,4 +156,66 @@ in
         runHook postInstall
       '';
     };
+
+  bccr-cacerts =
+    { openssl
+    , stdenv
+    , unzip
+    , ...
+    }:
+    stdenv.mkDerivation {
+      pname = "bccr-cacerts";
+      version = release.name;
+
+      inherit src;
+
+      nativeBuildInputs = [
+        openssl
+        unzip
+      ];
+
+      installPhase = ''
+        cp -r Firma\ Digital/Certificados $out
+        openssl x509 -in $out/CA\ RAIZ\ NACIONAL\ -\ COSTA\ RICA\ v2.crt -out $out/root-ca.pem -text
+      '';
+    };
+
+  update-gaudi =
+    { wget
+    , writeShellScript
+    , zip
+
+    , bccr-cacerts
+    , ...
+    }:
+    writeShellScript "update-gaudi" ''
+      set -o errexit
+      set -o pipefail
+      set -o nounset
+
+      temp_dir="$(mktemp -d)"
+      trap 'cd / && rm -rf -- "$temp_dir"' EXIT
+      cd "$temp_dir"
+
+      PATH="${lib.makeBinPath [ wget zip ]}:$PATH"
+      ca_cert="${bccr-cacerts}/root-ca.pem"
+      base_url="https://www.firmadigital.go.cr/Bccr.Firma.Fva.Actualizador.ClienteFirmadorJava//recursosLiberica17/actualizador"
+
+      wget --ca-certificate="$ca_cert" "$base_url/bccr.cacerts"
+      wget --ca-certificate="$ca_cert" "$base_url/config.properties"
+      wget --ca-certificate="$ca_cert" "$base_url/bccr-firma-fva-clienteMultiplataforma.jar"
+      wget --ca-certificate="$ca_cert" "$base_url/ServicioActualizadorClienteBCCR.jar"
+
+      # https://gist.github.com/stokito/c588b8d6a6a0aee211393d68eea678f2
+      TZ=UTC find . -exec touch --no-dereference -a -m -t 198002010000.00 {} +
+      zip_path="$PWD/gaudi-update-${release.name}.zip"
+      TZ=UTC zip -q --move --recurse-paths --symlinks -X "$zip_path" .
+      TZ=UTC touch -a -m -t 198002010000.00 "$zip_path"
+
+      set -x
+      nix-store --add-fixed sha256 "$zip_path"
+      set +x
+
+      echo -e "\ngaudiHash: $(nix-hash --to-sri --type sha256 $(sha256sum "$zip_path" | cut -d' ' -f1))"
+    '';
 }