#!/bin/bash -x

# source the debconf library
if [ -e "/usr/share/debconf/confmodule" ]; then
    . /usr/share/debconf/confmodule
else
    echo "debconf must be installed. Exiting."
    exit 1
fi

# Reminder: don't echo to stdout, it messes up debconf

D1_LOG_DIR=/var/log/dataone
if [ ! -e ${D1_LOG_DIR} ]; then
    mkdir -p ${D1_LOG_DIR}
fi
chown -R tomcat8:tomcat8 ${D1_LOG_DIR}

# functions to echo to STDERR or the install log instead of STDOUT
logError () {
    echo -e "$@" 1>&2
}

log () {
    now=$(date "+%Y-%m-%d %H:%M:%S %Z: ")
    echo -e "${now}$@" >> ${D1_LOG_DIR}/dataone-cn-os-core.install.log
}

LONG_DATE=`date +%Y%m%d%H%M%S`

TOMCAT=tomcat8
TOMCAT_USER=tomcat8
TOMCAT_HOME=/var/lib/tomcat8
APACHE_CONF=/etc/apache2
JK_CONF=portal_jk.conf

PG=postgresql
PG_USER=postgres
if [ -e "/etc/postgresql/10/main" ]; then
    PG_CONF=/etc/postgresql/10/main
    PG_DATA=/var/lib/postgresql/10/main
else
    PG_CONF=/etc/postgresql/9.3/main
    PG_DATA=/var/lib/postgresql/9.3/main
fi
PG_USER=postgres
DB_NAME=oauth
DB_USER=oa4mp
DB_PASS=oa4mp

db_get dataone-cn-os-core/cn.router.hostname
HOST_NAME=${RET}
KEY_DIR=/etc/letsencrypt/live/${HOST_NAME}
CERT_DIR=/etc/letsencrypt/live/${HOST_NAME}

HAZELCAST_PORT=5703

SOURCE_DIR=/usr/share/portal
SCRIPT_DIR=${SOURCE_DIR}/debian

D1_CONF=/etc/dataone

VAR_DATAONE=/var/dataone


###############################################################################
# Set up hazelcast configuration
###############################################################################

HAZELCAST_INTERFACE=""
SPACER="        "
db_get dataone-cn-os-core/cn.iplist
IPLIST=(${RET})
for ip in ${IPLIST[@]}
do
    IP_XML_NODE="<interface>${ip}<\/interface>"
    HAZELCAST_INTERFACE=${HAZELCAST_INTERFACE}${IP_XML_NODE}'\n'${SPACER}
done

## replace the string <interface>127.0.0.1</interface> with the environment's iplist
## <interface>127.0.0.1</interface>
sed -i.bak --regexp-extended "s/<interface>127\.0\.0\.1<\/interface>/${HAZELCAST_INTERFACE}/;" ${D1_CONF}/portal/hazelcast.xml

## open up the correct port for hazelcast
for ip in ${IPLIST[@]}
do
    log "Adding 'ufw allow to any port ${HAZELCAST_PORT} from ${IP_ADDRESS}' rule"
    ufw allow to any port ${HAZELCAST_PORT} from ${ip}
	# open postgres port for this IP
	log "Adding 'ufw allow to any port 5432 from ${ip}' rule"	  
	ufw allow to any port 5432 from ${ip}
done

###############################################################################
# Install portal war file
###############################################################################

## Stop tomcat
log "Stopping Tomcat"
/etc/init.d/${TOMCAT} stop

## backup the old war file
if [ -e ${TOMCAT_HOME}/webapps/portal.war.current ]
then
  log "Backing up ${TOMCAT_HOME}/webapps/portal.war.current to ${TOMCAT_HOME}/webapps/portal.war.${LONG_DATE}"
  mv ${TOMCAT_HOME}/webapps/portal.war.current ${TOMCAT_HOME}/webapps/portal.war.${LONG_DATE}
fi  

## remove the portal application directory
if [ -d ${TOMCAT_HOME}/webapps/portal ]
then
  log "Removing the old portal application directories"
  rm -rf ${TOMCAT_HOME}/webapps/portal
fi 

## copy the new war file into the webapps directory
log copying new portal.war file to ${TOMCAT_HOME}/webapps/portal.war
cp ${SOURCE_DIR}/portal.war ${TOMCAT_HOME}/webapps/portal.war

## expand the war file
CURR_DIR=`pwd`

## make portal directory and extract portal.war into it.
log "Making portal application directory: ${TOMCAT_HOME}/webapps/portal"
mkdir ${TOMCAT_HOME}/webapps/portal
cd ${TOMCAT_HOME}/webapps/portal

log "extracting portal.war into ${TOMCAT_HOME}/webapps/portal"
jar -xvf ${TOMCAT_HOME}/webapps/portal.war > /dev/null

mv ${TOMCAT_HOME}/webapps/portal.war ${TOMCAT_HOME}/webapps/portal.war.current

cp ${SOURCE_DIR}/debian/log4j.properties ${TOMCAT_HOME}/webapps/portal/WEB-INF/classes
chown -R ${TOMCAT_USER}:${TOMCAT_USER} ${TOMCAT_HOME}/webapps/portal
log cd to $CURR_DIR
cd $CURR_DIR

## replace the CN URL in the web.xml file to use a hostname as found by issuing a hostname -f
## replace the CILogon callback URLs for the portal in the config file

db_get dataone-cn-os-core/cn.router.hostname
HOSTNAME=$RET

if [ "$HOSTNAME" != "" ]
then
	sed -i.bak  's/\(<param-value>https:\/\/\)cn\.dataone\.org/\1'${HOSTNAME}'/;' ${TOMCAT_HOME}/webapps/portal/WEB-INF/web.xml
	sed -i.bak  's/\(<callbackUri>https:\/\/\)cn\.dataone\.org/\1'${HOSTNAME}'/;' ${TOMCAT_HOME}/webapps/portal/WEB-INF/client.xml
else
	log "HOSTNAME (cn.router.hostname) cannot be set in ${TOMCAT_HOME}/webapps/portal/WEB-INF/web.xml or ${TOMCAT_HOME}/webapps/portal/WEB-INF/client.xml"
fi

############# replace the java key store password in the client.xml file ######################

#first we will try to read it from the dataone-cn-os-core/cn.keystore.password
db_get dataone-cn-os-core/cn.keystore.password

#if it is blank, we will read it from the input form from the template
JAVA_KEYSTORE_PASSWORD=$RET
if [ "$JAVA_KEYSTORE_PASSWORD" = "" ] ;then
    db_get dataone-cn-portal/cn.keystore.password
    JAVA_KEYSTORE_PASSWORD=$RET
    db_reset dataone-cn-portal/cn.keystore.password
fi
sed -i.bak  's/\(password=\"\)JAVA_KEYSTORE_PASSWORD/\1'${JAVA_KEYSTORE_PASSWORD}'/;' ${TOMCAT_HOME}/webapps/portal/WEB-INF/client.xml



###########replace the "tomcat7" by "tomcat8" on the web.xml, client.xml and portal.properties###################
sed -i.bak  's/\(<param-value>\/var\/lib\/\)tomcat7/\1'tomcat8'/;' ${TOMCAT_HOME}/webapps/portal/WEB-INF/web.xml
sed -i.bak  's/\(\/var\/log\/\)tomcat7/\1'tomcat8'/;' ${TOMCAT_HOME}/webapps/portal/WEB-INF/client.xml
sed -i.bak  's/\(\/var\/lib\/\)tomcat7/\1'tomcat8'/;' ${TOMCAT_HOME}/webapps/portal/WEB-INF/portal.properties

## switched postgresql host property to localhost (redmine 7943) so this config is not needed anymore
## configure to hit only a single PG instance - defualt to first in ip list
#for ip in ${IPLIST[@]}
#do
#    PG_HOST=${ip}
#   	sed -i.bak  's/\(host="\)cn\.dataone\.org/\1'${PG_HOST}'/;' ${TOMCAT_HOME}/webapps/portal/WEB-INF/client.xml
#    break # just use the first
#done

## configure the CILogon skin, default to PRODUCTION
MYPROXY_ID=myproxy:oa4mp,2012:/client/42afd3477fac2eb9bfe99d0b409f6cc6
CILOGON_SKIN=DataONE
db_get dataone-cn-os-core/cn.context.label
CONTEXT_LABEL=$RET
if [[ "${CONTEXT_LABEL}" == "DEV" ]]; then
	CILOGON_SKIN=DataONEDev
	MYPROXY_ID=myproxy:oa4mp,2012:/client/24a10c2cd8bda4e6b5cf244ab7532b2
fi
if [[ "${CONTEXT_LABEL}" == "DEV2" ]]; then
	CILOGON_SKIN=DataONEDev2
	MYPROXY_ID=myproxy:oa4mp,2012:/client/24a10c2cd8bda4e6b5cf244ab7532b2
fi
if [[ "${CONTEXT_LABEL}" == "STAGE" ]]; then
	CILOGON_SKIN=DataONEStage
	MYPROXY_ID=myproxy:oa4mp,2012:/client/7a4c0539fc9eb5c066f1619d73f35c37
fi
if [[ "${CONTEXT_LABEL}" == "STAGE2" ]]; then
	CILOGON_SKIN=DataONEStage2
	MYPROXY_ID=myproxy:oa4mp,2012:/client/3f5b88459d880f550e31f485458fc459
fi
if [[ "${CONTEXT_LABEL}" == "SANDBOX" ]]; then
	CILOGON_SKIN=DataONESandbox
	MYPROXY_ID=myproxy:oa4mp,2012:/client/2f533133f3e70b26e60492479aa8f0ef
fi
if [[ "${CONTEXT_LABEL}" == "SANDBOX2" ]]; then
	CILOGON_SKIN=DataONESandbox2
	MYPROXY_ID=myproxy:oa4mp,2012:/client/66a303882b6e4bec1e91cbf2ccda1e86
fi

## replace in the config file
sed -i.bak  's/\(<skin>\)DataONE/\1'${CILOGON_SKIN}'/;' ${TOMCAT_HOME}/webapps/portal/WEB-INF/client.xml

## set MyProxy id in the config file
MYPROXY_ID=${MYPROXY_ID//\//\\\/}
sed -i.bak  's/\(<id>\)MYPROXY_ID/\1'${MYPROXY_ID}'/;' ${TOMCAT_HOME}/webapps/portal/WEB-INF/client.xml

## set the CILogon server correctly (they only have production now)
CILOGON_SERVER=cilogon.org
if [[ "${CONTEXT_LABEL}" == "PRODUCTION" ]]; then
	CILOGON_SERVER=cilogon.org
fi
sed -i.bak  's/\(<serviceUri>https:\/\/\)cilogon\.org/\1'${CILOGON_SERVER}'/;' ${TOMCAT_HOME}/webapps/portal/WEB-INF/client.xml

## set up the MyProxy certificates
# get the private key
db_get dataone-cn-os-core/cn.server.privatekey.filename
KEY_FILENAME=${RET}
KEY_FILE=${KEY_DIR}'/'${KEY_FILENAME}

PK8_KEY_FILE=${KEY_FILE}.pk8
# make PK8 format for private key
openssl pkcs8 -topk8 -in ${KEY_FILE} -nocrypt -out ${PK8_KEY_FILE}
chown tomcat8:ssl-cert ${PK8_KEY_FILE}
chmod 0650 ${PK8_KEY_FILE}

# get the correct public key (NOT the cert) for the env
db_get dataone-cn-os-core/cn.server.publiccert.filename
SERVER_CERT_FILENAME=${RET}
PUBLIC_SERVER_CERT=${CERT_DIR}'/'${SERVER_CERT_FILENAME}

PUBLIC_KEY_FILE=${PUBLIC_SERVER_CERT}.pk8publickey
openssl x509 -in ${PUBLIC_SERVER_CERT} -pubkey -noout > ${PUBLIC_KEY_FILE}
# set these in the configuration
PK8_KEY_FILE=${PK8_KEY_FILE//\//\\\/}
sed -i.bak  's/\(<privateKeyFile>\)PRIVATE_KEY_PATH/\1'${PK8_KEY_FILE}'/;' ${TOMCAT_HOME}/webapps/portal/WEB-INF/client.xml
PUBLIC_KEY_FILE=${PUBLIC_KEY_FILE//\//\\\/}
sed -i.bak  's/\(<publicKeyFile>\)PUBLIC_KEY_PATH/\1'${PUBLIC_KEY_FILE}'/;' ${TOMCAT_HOME}/webapps/portal/WEB-INF/client.xml

## configure the portal to use public cert and private key for token generation/verification
PUBLIC_SERVER_CERT_ESC=${PUBLIC_SERVER_CERT//\//\\\/}
KEY_FILE_ESC=${KEY_FILE//\//\\\/}
sed -i.bak --regexp-extended  "s/(cn\.server\.publiccert\.filename=).*/\1${PUBLIC_SERVER_CERT_ESC}/;" ${TOMCAT_HOME}/webapps/portal/WEB-INF/portal.properties
sed -i.bak --regexp-extended  "s/(cn\.server\.privatekey\.filename=).*/\1${KEY_FILE_ESC}/;" ${TOMCAT_HOME}/webapps/portal/WEB-INF/portal.properties

## configure the portal to use ORCID API credentials
db_get dataone-cn-portal/orcid.client.id
ORCID_CLIENT_ID=${RET}
ORCID_CLIENT_ID_ESC=${ORCID_CLIENT_ID//\//\\\/}
sed -i.bak --regexp-extended  "s/(orcid\.client\.id=).*/\1${ORCID_CLIENT_ID_ESC}/;" ${TOMCAT_HOME}/webapps/portal/WEB-INF/portal.properties

db_get dataone-cn-portal/orcid.client.secret
ORCID_CLIENT_SECRET=${RET}
ORCID_CLIENT_SECRET_ESC=${ORCID_CLIENT_SECRET//\//\\\/}
sed -i.bak --regexp-extended  "s/(orcid\.client\.secret=).*/\1${ORCID_CLIENT_SECRET_ESC}/;" ${TOMCAT_HOME}/webapps/portal/WEB-INF/portal.properties

db_reset dataone-cn-portal/orcid.client.id  # clear the cached orcid id
db_reset dataone-cn-portal/orcid.client.secret  # clear the cached orcid secret

## make client.xml and portal.property and backup file only readable by the owner
chmod 600 ${TOMCAT_HOME}/webapps/portal/WEB-INF/client.xml*
chmod 600 ${TOMCAT_HOME}/webapps/portal/WEB-INF/portal.properties*

####################################################################################
# Create the /var/dataone/portal/storage directory as the asset file system storage
####################################################################################
if [ ! -d ${VAR_DATAONE} ]; then
	mkdir ${VAR_DATAONE}
fi 

if [ ! -d ${VAR_DATAONE}/portal ]; then
  mkdir ${VAR_DATAONE}/portal
  chown ${TOMCAT_USER}:${TOMCAT_USER} ${VAR_DATAONE}/portal
else 
  chown -R ${TOMCAT_USER}:${TOMCAT_USER} ${VAR_DATAONE}/portal
fi 

if [ ! -d ${VAR_DATAONE}/portal/storage ]; then
  mkdir ${VAR_DATAONE}/portal/storage
  chown ${TOMCAT_USER}:${TOMCAT_USER} ${VAR_DATAONE}/portal/storage
  chmod 700 ${VAR_DATAONE}/portal/storage
  setfacl -d -m u::rwx ${VAR_DATAONE}/portal/storage
fi

###############################################################################
# Configure Tomcat
###############################################################################

# Configure the context file
log "Copying ${SCRIPT_DIR}/portal.xml to ${TOMCAT_HOME}/conf/Catalina/localhost/"
cp ${SCRIPT_DIR}/portal.xml ${TOMCAT_HOME}/conf/Catalina/localhost/

# Add permissions needed by portal
log "Copying ${SCRIPT_DIR}/56portal.policy to ${TOMCAT_HOME}/conf/policy.d/"
cp ${SCRIPT_DIR}/56portal.policy ${TOMCAT_HOME}/conf/policy.d/

###############################################################################
# Configure Apache
###############################################################################

## Stop apache
log "Stopping Apache"
/etc/init.d/apache2 stop

## copy in jk mount configuration file
if [ -e ${APACHE_CONF}/jk_mount/${JK_CONF} ]
then 
  JK_DIFF=`diff ${SCRIPT_DIR}/${JK_CONF} ${APACHE_CONF}/jk_mount/${JK_CONF}`
  if [ "${JK_DIFF}" != "" ]
  then
    log "Backing up ${APACHE_CONF}/jk_mount/${JK_CONF} to ${APACHE_CONF}/jk_mount/${JK_CONF}.${LONG_DATE}"
    mv ${APACHE_CONF}/jk_mount/${JK_CONF} ${APACHE_CONF}/jk_mount/${JK_CONF}.${LONG_DATE}
  fi
fi
log "Copying ${JK_CONF} site file to ${APACHE_CONF}/jk_mount/"
cp ${SCRIPT_DIR}/${JK_CONF} ${APACHE_CONF}/jk_mount/

###############################################################################
# Configure Postgres
###############################################################################
## create portal database and user
log "Creating ${DB_NAME} database schema"
su ${PG_USER} -c "dropdb ${DB_NAME}"
su ${PG_USER} -c "createdb ${DB_NAME}"

log "Creating ${DB_USER} user" 
su ${PG_USER} -c "dropuser ${DB_USER}"
su ${PG_USER} -c "psql -c \"CREATE USER ${DB_USER} WITH PASSWORD '${DB_PASS}'\""

# run the script to create user and tables
su ${PG_USER} -c "psql -f ${SCRIPT_DIR}/portal-tables.sql ${DB_NAME}"

## modify pg_hba.conf to allow traffic from each CN
IP_ADDRESS=127.0.0.1
for ip in ${IPLIST[@]}
do
    IP_ADDRESS=${ip}
    PG_HBA_IS_MODIFIED=`grep "${DB_NAME} ${DB_USER} ${IP_ADDRESS} 255.255.255.255 password" ${PG_CONF}/pg_hba.conf`
	if [ "${PG_HBA_IS_MODIFIED}" == "" ]
	then
	  log "backing up ${PG_CONF}/pg_hba.conf to ${PG_CONF}/pg_hba.conf.bak"
	  cp ${PG_CONF}/pg_hba.conf ${PG_CONF}/pg_hba.conf.bak
	  chown postgres ${PG_CONF}/pg_hba.conf
	  chgrp postgres ${PG_CONF}/pg_hba.conf
	
	  log "appending 'host ${DB_NAME} ${DB_USER} ${IP_ADDRESS} 255.255.255.255 password' to ${PG_CONF}/pg_hba.conf"
	  echo "host ${DB_NAME} ${DB_USER} ${IP_ADDRESS} 255.255.255.255 password" >> ${PG_CONF}/pg_hba.conf
	  
	fi
done

## modify /etc/postgresql/10/main/postgresql.conf to listen on more than 'localhost'
## original line looks like this:
## #listen_addresses = 'localhost'
## we want this:
## listen_addresses = '*'

PG_LISTEN_IS_MODIFIED=`egrep "listen_addresses *= *'\*'" ${PG_CONF}/postgresql.conf`
if [ "${PG_LISTEN_IS_MODIFIED}" == "" ]
then
	sed -i.bak  "s/\(listen_addresses\s*\=\s*\)'localhost'/\1 '*'/;" ${PG_CONF}/postgresql.conf
fi
# make sure it is not commented out
sed -i.bak  "s/#\(listen_addresses\)/\1 /;" ${PG_CONF}/postgresql.conf

# enable SSL access for the server
PG_SSL_IS_MODIFIED=`grep -P "ssl *= *(?:false|off|no|0)" ${PG_CONF}/postgresql.conf`
if [ "${PG_SSL_IS_MODIFIED}" == "" ]
then
	sed -i.bak  "s/\(ssl\s*\=\s*\).\+/\1true/;" ${PG_CONF}/postgresql.conf
fi
# make sure it is not commented out
sed -i.bak  "s/#\(ssl\s*\=.\)/\1/;" ${PG_CONF}/postgresql.conf

# edit the postgresql.conf to use the given certificate/key
sed -i.bak --regexp-extended  "s/(ssl_cert_file\s*=).*/\1 \'${PUBLIC_SERVER_CERT_ESC}\'/;" ${PG_CONF}/postgresql.conf
sed -i.bak --regexp-extended  "s/(ssl_key_file\s*=).*/\1 \'${KEY_FILE_ESC}\'/;" ${PG_CONF}/postgresql.conf
# make sure it is not commented out
sed -i.bak  "s/#\(ssl_cert_file\)/\1 /;" ${PG_CONF}/postgresql.conf
sed -i.bak  "s/#\(ssl_key_file\)/\1 /;" ${PG_CONF}/postgresql.conf

## Restart the postgres db
log "Restarting postgres database"
/etc/init.d/${PG} restart

###############################################################################
# Start Apache and Tomcat
###############################################################################

## Start Apache
/etc/init.d/apache2 start

## Start Tomcat
log "starting Tomcat server"
/etc/init.d/${TOMCAT} start

## Update DateONE Version Info Doc
#java -jar /usr/share/dataone-cn-version-tool/dataone-cn-version-tool.jar -F/usr/share/dataone-cn-version-tool/version-tool.properties -html > /var/www/cn-version.html

db_stop
exit 0