FROM debian:bullseye-slim AS builder

ENV LD_LIBRARY_PATH=/usr/local/lib64:/usr/local/lib
ENV SSL_CERT_DIR=/etc/ssl/certs/

COPY openssl1.1.0-*.patch /tmp/

RUN apt-get update \
 && apt-get install -y build-essential zlib1g-dev libbz2-dev libreadline-dev libsqlite3-dev curl llvm libncursesw5-dev xz-utils libxml2-dev libffi-dev liblzma-dev \
 && rm -rf /var/lib/apt/lists/*

ARG OPENSSL_VERSION=3.0.7
ARG OPENSSL_SHA256=missing

# OpenSSL 1.0.2 must be compiled with -fPIC and does not support parallel builds (make -j)
RUN mkdir -p /tmp/src \
 && cd /tmp/src \
 && curl -sSL https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz -o openssl.tar.gz \
 && if [ "${OPENSSL_SHA256}" = "missing" ]; then \
	if [ "${OPENSSL_VERSION}" = "1.0.2u" ]; then OPENSSL_SHA256=ecd0c6ffb493dd06707d38b14bb4d8c2288bb7033735606569d8f90f89669d16; \
	elif [ "${OPENSSL_VERSION}" = "1.1.0l" ]; then OPENSSL_SHA256=74a2f756c64fd7386a29184dc0344f4831192d61dc2481a93a4c5dd727f41148; \
	elif [ "${OPENSSL_VERSION}" = "1.1.1q" ]; then OPENSSL_SHA256=d7939ce614029cdff0b6c20f0e2e5703158a489a72b2507b8bd51bf8c8fd10ca; \
	elif [ "${OPENSSL_VERSION}" = "3.0.7" ]; then OPENSSL_SHA256=83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e; \
	else echo "Error: OPENSSL_SHA256 missing and OPENSSL_VERSION is not one of the built-in versions" && exit 1; \
	fi \
    fi \
 && echo "${OPENSSL_SHA256}  openssl.tar.gz" | sha256sum -c \
 && tar -xvf openssl.tar.gz \
 && rm openssl.tar.gz \
 && cd openssl-${OPENSSL_VERSION} \
 && case "${OPENSSL_VERSION}" in 1.1.0*) patch -p1 </tmp/openssl1.1.0-test-certs.patch; patch -p1 </tmp/openssl1.1.0-test-fuzz.patch ;; 1.0.2*) extrasslconfig=-fPIC ;; esac \
 && ./config ${extrasslconfig} --prefix=/usr/local --openssldir=/usr/local \
 && case "${OPENSSL_VERSION}" in 1.0.2*) ;; *) extrasslmake=-j ;; esac \
 && make ${extrasslmake} \
 && make test \
 && make install \
 && rm -rf /tmp/src \
 && rm -rf /usr/local/share/doc /usr/local/share/man

ARG PYTHON_VERSION=3.11.1
ARG PYTHON_SHA256=missing

RUN mkdir -p /tmp/src \
 && cd /tmp/src \
 && LD_LIBRARY_PATH= curl -sSL https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tar.xz -o Python.tar.xz \
 && if [ "${PYTHON_SHA256}" = "missing" ]; then \
	if [ "${PYTHON_VERSION}" = "3.7.16" ]; then PYTHON_SHA256=8338f0c2222d847e904c955369155dc1beeeed806e8d5ef04b00ef4787238bfd; \
	elif [ "${PYTHON_VERSION}" = "3.8.16" ]; then PYTHON_SHA256=d85dbb3774132473d8081dcb158f34a10ccad7a90b96c7e50ea4bb61f5ce4562; \
	elif [ "${PYTHON_VERSION}" = "3.9.16" ]; then PYTHON_SHA256=22dddc099246dd2760665561e8adb7394ea0cc43a72684c6480f9380f7786439; \
	elif [ "${PYTHON_VERSION}" = "3.10.9" ]; then PYTHON_SHA256=5ae03e308260164baba39921fdb4dbf8e6d03d8235a939d4582b33f0b5e46a83; \
	elif [ "${PYTHON_VERSION}" = "3.11.1" ]; then PYTHON_SHA256=85879192f2cffd56cb16c092905949ebf3e5e394b7f764723529637901dfb58f; \
	else echo "Error: PYTHON_SHA256 missing and PYTHON_VERSION is not one of the built-in versions" && exit 1; \
	fi \
    fi \
 && echo "${PYTHON_SHA256}  Python.tar.xz" | sha256sum -c \
 && tar -xvf Python.tar.xz \
 && rm Python.tar.xz \
 && cd Python-${PYTHON_VERSION} \
 && case "${PYTHON_VERSION}" in 3.1[01].*) extrapyconfig=--disable-test-modules ;; esac \
 && ./configure ${extrapyconfig} --prefix=/usr/local --with-openssl=/usr/local CFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local" \
 && make -j \
 && make install \
 && rm -rf /tmp/src \
 && rm -rf /usr/local/share/doc /usr/local/share/man \
 && case "${PYTHON_VERSION}" in 3.[789].*) find /usr/local/lib/ -depth -type d -a \( -name test -o -name tests -o -name idle_test \) -exec rm -rf '{}' + ;; esac

FROM debian:bullseye-slim

RUN apt-get update \
 && apt-get install -y zlib1g libbz2-1.0 libreadline8 libsqlite3-0 libncurses6 libncursesw6 libtinfo6 libxml2 libffi7 liblzma5 ca-certificates \
 && rm -rf /var/lib/apt/lists/*
COPY --from=builder /usr/local/ /usr/local/

ENV LD_LIBRARY_PATH=/usr/local/lib64:/usr/local/lib
ENV SSL_CERT_DIR=/etc/ssl/certs/

CMD ["python3"]