authoraszlig <aszlig@redmoonstudios.org>2016-06-06 04:58:37 +0200
committeraszlig <aszlig@redmoonstudios.org>2016-06-06 05:12:26 +0200
commiteff8cc1f6fee587c14344a4b813b54637f18be1a (patch)
tree0e7a3a50ae769f19fde1fa6ea153edbf935424a1 /pkgs/santander/default.nix
parent69da71f9217a09e2378e9b8ac50c9161383cba85 (diff)
pkgs: Add a wrapped browser for Santander HBCI
I didn't get the starcoscard to run with aqbanking so far and the bank
itself is very uncooperative if it comes to giving specific details
about their implementation of FinTS 3.00, so in the end I'm going to
move away from the bank.

But during transition this will work much better than running a Windows
VM (which I didn't have access to in the meantime, so I *had* to get
this running somehow), especially because we can wrap this plugin in
*any* browser that supports NPAPI.

Also, there seems to be some work on implementing PPAPI support for
pipelight, but the branch has been stale for quite a while:

https://bitbucket.org/mmueller2012/pipelight/branch/ppapi

Going back to the pesky Santander plugin:

In order to support PC/SC-Lite, we need to patch Wine to get support for
the winscard API. We also patch out unixfs, so while there definitely
are better sandboxing options this should suffice so that the plugin
doesn't write garbage on any location of the system (basically it works
entirely read-only).

So in the end we get a nice and small dwb browser, which directly opens
up the login page along with the plugin. The browser is wrapped so that
it only writes to a temporary location, so as soon as it is closed all
the cruft is cleaned up afterwards.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Diffstat (limited to 'pkgs/santander/default.nix')
-rw-r--r--pkgs/santander/default.nix144
1 files changed, 144 insertions, 0 deletions
diff --git a/pkgs/santander/default.nix b/pkgs/santander/default.nix
new file mode 100644
index 00000000..27fd6f6a
--- /dev/null
+++ b/pkgs/santander/default.nix
@@ -0,0 +1,144 @@
+{ stdenv, pkgsi686Linux, fetchurl, fetchgit, fetchFromBitbucket
+, runCommand, writeScript, writeScriptBin, writeText
+, xvfb_run, xdotool, coreutils, wineStaging, pipelight, dwb
+}:
+
+let
+  name = "SecurityPluginHBCIChipcard";
+  version = "2.9.8.0";
+  dllName = "NP_${name}.dll";
+
+  pluginInstaller = fetchurl {
+    url = "https://service.santanderbank.de/special/banking/files/"
+        + "SecurityPluginHBCIChipcard-${version}-Installer.exe";
+    sha256 = "0xnfb730mwxdx83dnqyplp4bxwx6g01wc87xa4dl1spxia9kjmmh";
+  };
+
+  patchedWine = let
+    libpcsclite = "${pkgsi686Linux.pcsclite}/lib/libpcsclite.so";
+  in (wineStaging.override {
+    wineBuild = "wine32";
+  }).overrideDerivation (drv: {
+    scard4wine = fetchgit {
+      url = "git://git.code.sf.net/p/scard4wine/code";
+      rev = "c14c02c80bf1f2bb4cedd1f53a3a2ab9c48bed76";
+      sha256 = "0ffmbl9mdnaih4h3ggpnzqbih3kgbwl3wv6j1ag5s4czn8gcpdq3";
+    };
+
+    prePatch = (drv.prePatch or "") + ''
+      cp -t dlls/winscard "$scard4wine/src/"*
+      sed -i -re 's,"libpcsclite\.so(\.[0-9]+)*","${libpcsclite}",' \
+        dlls/winscard/winscard.c
+    '';
+
+    patches = (drv.patches or []) ++ [ ./winscard.patch ];
+
+    postPatch = (drv.postPatch or "") + ''
+      sed -i -e '/not owned by you/d' libs/wine/config.c
+      # Modified patch from https://bugs.winehq.org/show_bug.cgi?id=22450
+      patch -p1 < "${./wine-no-unixfs.patch}"
+    '';
+  });
+
+  installPath = [ "Program Files" "ppi" "SecurityPluginHBCIChipcard" ];
+
+  scard4wine = stdenv.mkDerivation rec {
+    name = "scard4wine-${version}";
+    version = "1.2.0-2016-06-05";
+
+    src = fetchgit {
+      url = "git://git.code.sf.net/p/scard4wine/code";
+      rev = "c14c02c80bf1f2bb4cedd1f53a3a2ab9c48bed76";
+      sha256 = "0ffmbl9mdnaih4h3ggpnzqbih3kgbwl3wv6j1ag5s4czn8gcpdq3";
+    };
+  };
+
+  winePrefix = runCommand "santander-wineprefix" {
+    installPath = stdenv.lib.concatStringsSep "/" (installPath ++ [ dllName ]);
+  } ''
+    export WINEPREFIX="$out"
+    mkdir -p "$out"
+    ${patchedWine}/bin/wine wineboot.exe
+    ${xvfb_run}/bin/xvfb-run "${writeScript "install-santander-wine" ''
+      ${patchedWine}/bin/wine "${pluginInstaller}" &
+      while [ "$(jobs -r | wc -l)" -gt 0 ]; do
+        ${xdotool}/bin/xdotool \
+          search --sync --onlyvisible \
+          --name 'Security-Plugin-HBCI-Chipcard ${version}' \
+          key Return &> /dev/null || :
+        sleep 1
+      done
+      wait
+    ''}"
+    if [ ! -e "$out/drive_c/$installPath" ]; then
+      echo "Unable to find plugin in $installPath." >&2
+      exit 1
+    fi
+    ln -sf -T "${builtins.storeDir}" "$WINEPREFIX/dosdevices/z:"
+    echo disable > "$WINEPREFIX/.update-timestamp"
+  '';
+
+  pluginConfig = {
+    winePath = "$share/wine";
+    inherit winePrefix dllName;
+    wineArch = "win32";
+    pluginLoaderPath = "$share/pluginloader.exe";
+    dllPath = "c:\\${stdenv.lib.concatStringsSep "\\" installPath}";
+  };
+
+  pipelightConfigFile = let
+    mkVal = val: if val == true then "true"
+            else if val == false then "false"
+            else toString val;
+    mkCfgLine = key: val: "# ${key} = ${mkVal val}";
+  in with stdenv.lib; writeText "pipelight-santander.config" ''
+    # ---BEGIN CONFIG---
+    ${concatStringsSep "\n" (mapAttrsToList mkCfgLine pluginConfig)}
+    # ---END CONFIG---
+  '';
+
+  finalPlugin = runCommand "santander-plugin" {
+    pipelight = (pipelight.override {
+      wineStaging = patchedWine;
+    }).overrideDerivation (drv: {
+      src = fetchFromBitbucket {
+        repo = "pipelight";
+        owner = "mmueller2012";
+        rev = "181bab804f80b99cb46f63f9ed36e4fdf12ca319";
+        sha256 = "0ydivpxayzs5aklf0x5vl5bl4issz10k7zl3cv76649kxxhxkh1z";
+      };
+
+      patches = [ ./pipelight.patch ];
+
+      postPatch = (drv.postPatch or "") + ''
+        sed -i -e '/static \+bool \+openConfig.*{$/,/}/ {
+          /getConfigNameFromLibrary/a \
+            configFile.open("${pipelightConfigFile}"); \
+            if (configFile.is_open()) return true;
+        }' src/linux/libpipelight/configloader.c
+      '';
+    });
+  } ''
+    install -vD "$pipelight/lib/pipelight/libpipelight.so" \
+      "$out/lib/pipelight/libpipelight-santander.so"
+  '';
+
+  dwbWithPlugin = stdenv.lib.overrideDerivation dwb (wrapperDrv: {
+    plugins = [ "${finalPlugin}/lib/pipelight" ];
+  });
+
+in writeScriptBin "santander" ''
+  #!${stdenv.shell}
+  if tmpdir="$("${coreutils}/bin/mktemp" -d)"; then
+    trap "rm -rf '$tmpdir'" EXIT
+    export XDG_RUNTIME_DIR="$tmpdir"
+    export XDG_CONFIG_HOME="$tmpdir"
+    export XDG_DATA_HOME="$tmpdir"
+    export XDG_CACHE_HOME="$tmpdir"
+    "${dwbWithPlugin}/bin/dwb" -t https://karte.santanderbank.de/
+    exit $?
+  else
+    echo "Unable to create temporary profile directory." >&2
+    exit 1
+  fi
+''
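Review bot: The `sed -i -e '/not owned by you/d' libs/wine/config.c` line in `patchedWine`'s `postPatch` appears to strip Wine's check that the prefix belongs to the calling user, and nothing in the file says so or why. Presumably it is needed because the prefix built by `winePrefix` is a store path not owned by whoever runs `santander`. A comment such as `# Drop the prefix ownership check: the prefix is an immutable store path, not owned by the invoking user` would record that, and a preceding `grep -q 'not owned by you' libs/wine/config.c` would fail the build rather than silently keep the check if upstream rewords the message. In the wrapper script, `trap "rm -rf '$tmpdir'" EXIT` expands `$tmpdir` when the trap is set, so a `TMPDIR` containing a single quote would break the quoting of the cleanup command; `trap 'rm -rf -- "$tmpdir"' EXIT` defers the expansion. The let-bound `scard4wine` derivation, which has only a `src`, looks unused, since `patchedWine` carries its own `fetchgit` with the same rev and hash.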