#!/bin/bash

set -e

FIRST_INSTALL="$1"
APACHE="$2"
APACHE_USER="$3"
APACHE_GROUP="$4"
APACHE_VHOSTDIR="$5"
SELINUX="$6"

BACKUP_DIR="/var/backups/rudder/"
LOG_FILE="/var/log/rudder/install/rudder-relay-$(date +%Y%m%d%H%M%S).log"

echo "$(date) - Starting rudder-relay post installation script" >> ${LOG_FILE}

# Cleanup misplaced and useless backup files
# created between 7.2 and <8.3
rm -f /rudder-apache-*.conf

# Create groups ans users before managing the services
if ! getent group rudder > /dev/null; then
  groupadd --system rudder >> ${LOG_FILE}
fi

if ! getent group rudder-policy-reader > /dev/null; then
  groupadd --system rudder-policy-reader >> ${LOG_FILE}
  usermod -a -G rudder-policy-reader "${APACHE_USER}" >> ${LOG_FILE}
fi

if ! getent passwd rudder-relayd >/dev/null; then
  useradd --system --shell /bin/false --gid rudder --home-dir /var/rudder --comment "Rudder relayd,,," rudder-relayd >> ${LOG_FILE}
fi

if ! getent passwd rudder >/dev/null; then
  useradd --system --shell /bin/false --gid rudder --home-dir /var/rudder --comment "Rudder,,," rudder >> ${LOG_FILE}
fi

# Always reload systemd (in case we changed the unit file)
systemctl daemon-reload >> ${LOG_FILE}
if [ "${FIRST_INSTALL}" -eq 1 ]; then
  systemctl enable rudder-relayd.service rudder-package.timer >> ${LOG_FILE} 2>&1
fi

systemctl stop "${APACHE}" >> ${LOG_FILE} || true
systemctl stop rudder-relayd.service >> ${LOG_FILE} || true

# share directory with rudder-policy-reader
chgrp rudder-policy-reader /var/rudder/share
chmod g+s-w /var/rudder/share

# change some directory to rudder owner
mkdir -p /var/rudder/configuration-repository/shared-files
chown -R root:rudder /var/rudder/configuration-repository/shared-files
chmod 2750 /var/rudder/configuration-repository/shared-files
chmod -R u+rwX,g+rX /var/rudder/configuration-repository/shared-files
chown -R rudder-relayd:rudder /var/rudder/shared-files
chmod 770 /var/rudder/shared-files
chmod 755 /var/rudder/inventories

# Make conf readable by relayd
chgrp -R rudder /opt/rudder/etc/relayd
chmod 750 /opt/rudder/etc/relayd
chmod 640 /opt/rudder/etc/relayd/main.conf
chmod 640 /opt/rudder/etc/relayd/logging.conf

# Ensure that backup folder exists
mkdir -p ${BACKUP_DIR}

for dir in /var/rudder/inventories/incoming /var/rudder/inventories/failed /var/rudder/inventories/accepted-nodes-updates /var/rudder/reports/incoming /var/rudder/reports/failed
do
  chmod 770 ${dir}
  chown ${APACHE_USER}:rudder ${dir}
done

# Setup password files for inventory reception WebDAV access
for passwdfile in /opt/rudder/etc/htpasswd-webdav-initial /opt/rudder/etc/htpasswd-webdav
do
  htpasswd -bc ${passwdfile} rudder rudder >> ${LOG_FILE} 2>&1
done

# Remove old completion
rm -f /etc/bash_completion.d/rudder-pkg.sh

# Previous HTTPS key and cert
if [ -f /opt/rudder/etc/ssl/rudder.crt ]; then
  mv /opt/rudder/etc/ssl/rudder.crt "${BACKUP_DIR}/rudder-`date +%Y%m%d`.crt"
fi
if [ -f /opt/rudder/etc/ssl/rudder.key ]; then
  mv /opt/rudder/etc/ssl/rudder.key "${BACKUP_DIR}/rudder-`date +%Y%m%d`.key"
fi

# Update the certificate locations if needed
sed -i '/SSLCertificateFile.*\/opt\/rudder\/etc\/ssl\/rudder.crt/d' /etc/${APACHE_VHOSTDIR}/rudder.conf
sed -i '/SSLCertificateKeyFile.*\/opt\/rudder\/etc\/ssl\/rudder.key/d' /etc/${APACHE_VHOSTDIR}/rudder.conf

# we now use agent.cert and localhost.priv for HTTPS too

# not used anymore
if [ -f /opt/rudder/etc/ssl/ca.cert ]; then
  mv /opt/rudder/etc/ssl/ca.cert "${BACKUP_DIR}/ca-`date +%Y%m%d`.cert"
fi

if [ ! -f /var/rudder/lib/ssl/nodescerts.pem ]; then
  # use agent certificate if file doesn't exist (we need a valid cert for httpd to start)
  cp /opt/rudder/etc/ssl/agent.cert /var/rudder/lib/ssl/nodescerts.pem
  touch /var/rudder/lib/ssl/allnodescerts.pem
fi

# Remove wsgi conf from vhost
sed -i '/^Set up a WSGI serving process/d' /etc/${APACHE_VHOSTDIR}/rudder.conf
sed -i '/^WSGI/d' /etc/${APACHE_VHOSTDIR}/rudder.conf

# Remove old cron job
rm -f /etc/cron.d/rudder-relay

# Remove old rudder-pkg files
rm -f /opt/rudder/etc/rudder-pkg/rudder_plugins_key.pub
rm -f /opt/rudder/etc/rudder-pkg/pubring.kbx
rm -f /opt/rudder/etc/rudder-pkg/pubring.kbx~
rm -f /opt/rudder/etc/rudder-pkg/trustdb.gpg
rm -rf /opt/rudder/etc/rudder-pkg/private-keys-v1.d
chmod -x /opt/rudder/etc/rudder-pkg/rudder-pkg.conf

# initialize policy_server.pem if it doesn't exist
if [ ! -f /var/rudder/lib/ssl/policy_server.pem ];
then
  cp /opt/rudder/etc/ssl/agent.cert /var/rudder/lib/ssl/policy_server.pem
fi

# Apply SELinux config before starting the services
if [ "${SELINUX}" = "true" ]; then
  # Check "sestatus" presence, if not there there is not SELinux
  # setup on this system
  if type sestatus >/dev/null 2>&1 && sestatus | grep -q "enabled"; then
    # Add/Update the rudder-relay SELinux policy
    semodule -i /opt/rudder/share/selinux/rudder-relay.pp
    # Ensure inventory directories context is set by resetting
    # their context to the contexts defined in SELinux configuration,
    # including the file contexts defined in the rudder-relay module
    #
    # Test current context for big folders
    if ! ls -Z /var/rudder/inventories/ | head -n1 | grep -q public_content_rw_t; then
      restorecon -R /var/rudder/inventories
    fi
    if ! ls -Z /var/rudder/reports/ | head -n1 | grep -q public_content_rw_t; then
      restorecon -R /var/rudder/reports
    fi
    restorecon -R /var/log/rudder/apache2
    restorecon -R /opt/rudder/etc/relayd
    restorecon /opt/rudder/bin/rudder-relayd
    restorecon -R /var/rudder/lib
    restorecon -R /var/rudder/cfengine-community/ppkeys
    if ! ls -Z /var/rudder/share | head -n1 | grep -q public_content_t; then
      restorecon -R /var/rudder/share
    fi
    if ! ls -Z /var/rudder/shared-files/ | head -n1 | grep -q public_content_rw_t; then
      restorecon -R /var/rudder/shared-files
    fi
    restorecon -R /var/rudder/configuration-repository/shared-files
    # Add 3030 to ports apache can connect to
    semanage port -l | grep ^http_port_t | grep -q 3030 || semanage port -a -t http_port_t -p tcp 3030
    # Allow apache to write to files shared with relayd
    setsebool -P allow_httpd_anon_write 1
  fi
fi

systemctl start rudder-relayd.service rudder-package.timer >> ${LOG_FILE}

# Initialize apache config if needed
A2_CONF="/opt/rudder/etc/rudder-apache-relay-ssl.conf"
TMP_DATA="/var/rudder/tmp/empty-classes.json"
if [ ! -f "${A2_CONF}" ]; then
  echo "Generating initial ${A2_CONF} file" >> ${LOG_FILE}
  cat << 'EOF' > "${TMP_DATA}"
{
  "cert_validation": false,
  "custom_ca": false
}
EOF
  /opt/rudder/bin/rudder-module-template -t "${A2_CONF}.j2" -d "${TMP_DATA}" -o "${A2_CONF}" >> ${LOG_FILE}
  rm -f "${TMP_DATA}"
fi
systemctl start "${APACHE}" >> ${LOG_FILE}

echo "$(date) - Ending rudder-relay post installation script" >> ${LOG_FILE}
