#!/bin/bash
#
###############################################################################
# HIRS DB creation
# Environment variables used:
# a. HIRS_MYSQL_ROOT_PWD: Set this variable if mysql root password is already set
# b. HIRS_DB_PWD: Set the pwd if default password to hirs_db user needs to be changed
################################################################################

LOG_FILE=$1
UNATTENDED=$2
# Capture location of the script to allow from invocation from any location
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
SPRING_PROP_FILE="/etc/hirs/aca/application.properties"
ACA_PROP_FILE="/etc/hirs/aca/aca.properties"
DB_ADMIN_PWD=""
# Db Configuration files
DB_SRV_CONF="/etc/my.cnf.d/mariadb-server.cnf"
DB_CLIENT_CONF="/etc/my.cnf.d/client.cnf"
# Default Server Side Certificates
SSL_DB_SRV_CHAIN="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_rsa_3k_sha384_Cert_Chain.pem";
SSL_DB_SRV_CERT="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_srv_rsa_3k_sha384.pem"; 
SSL_DB_SRV_KEY="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_srv_rsa_3k_sha384.key";
# Default Client Side Certificates
SSL_DB_CLIENT_CHAIN="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_rsa_3k_sha384_Cert_Chain.pem";
SSL_DB_CLIENT_CERT="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.pem"; 
SSL_DB_CLIENT_KEY="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.key";

touch $ACA_PROP_FILE
touch $LOG_FILE
touch $DB_SRV_CONF

# Make sure required paths exist
mkdir -p /etc/hirs/aca/
mkdir -p /var/log/hirs/

source $SCRIPT_DIR/mysql_util.sh
source $ACA_PROP_FILE 

check_mysql_root_pwd () {
  # Check if DB root password needs to be obtained
 
  if [ -z $HIRS_MYSQL_ROOT_PWD ]; then
	 # Create a 32 character random password
	 echo "Using randomly generated password for the DB admin" | tee -a "$LOG_FILE"
	 DB_ADMIN_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
	 echo "DB Admin will be set to $DB_ADMIN_PWD , please make note for next mysql use."
     # Check UNATTENDED flag set m if not then prompt user for permission ot store mysql root password
	 if [ -z $UNATTENDED ]; then
	   read -p "Do you wish to save this password to the aca.properties file? " confirm
	   if [[ $confirm == [yY] || $confirm == [yY][eE][sS] ]]; then
	      echo "mysql_admin_password=$DB_ADMIN_PWD" >> $ACA_PROP_FILE
	      echo "Mysql root password saved locally"
	    else
	      echo "Mysql root password not saved locally"
	   fi
	 else
	   echo "mysql_admin_password=$DB_ADMIN_PWD" >> $ACA_PROP_FILE
	   echo "Mysql root password has been saved locally."
	 fi
	 mysqladmin --user=root password "$DB_ADMIN_PWD"
  else
    DB_ADMIN_PWD=$HIRS_MYSQL_ROOT_PWD
    echo "Using system variable supplied password" | tee -a "$LOG_FILE"
  fi
  # Make sure root password is correct
  $(mysql -u root -p$DB_ADMIN_PWD -e 'quit'  &> /dev/null);
  if [ $? -eq 0 ]; then
     echo "Mysql root password verified"  | tee -a "$LOG_FILE"
  else
     echo "MYSQL root password was not the default, not supplied,  or was incorrect"
     echo "      please set the HIRS_MYSQL_ROOT_PWD system variable and retry."
     echo "      ********** ACA Mysql setup aborted ********" ;
     exit 1;
  fi
}

set_mysql_server_tls () {
  # Check DB server setup. If ssl params dont exist then we need to add them.
  if [[ $(cat "$DB_SRV_CONF" | grep -c "ssl") < 1 ]]; then
    # Add TLS files to my.cnf
    echo "Updating $DB_SRV_CONF with ssl parameters..." | tee -a "$LOG_FILE"
    echo "ssl_ca=$SSL_DB_SRV_CHAIN" >> "$DB_SRV_CONF"
    echo "ssl_cert=$SSL_DB_SRV_CERT" >> "$DB_SRV_CONF"
    echo "ssl_key=$SSL_DB_SRV_KEY" >> "$DB_SRV_CONF"
    # Make sure mysql can access them
    chown mysql:mysql $SSL_DB_SRV_CHAIN $SSL_DB_SRV_CERT $SSL_DB_SRV_KEY
    # Make selinux contexts for config files, if selinux is enabled
    selinuxenabled
    if [ $? -eq 0 ]; then
       semanage fcontext -a -t mysqld_etc_t $DB_SRV_CONF  > /dev/null #adds the context type to file
       restorecon -v -F $DB_SRV_CONF      > /dev/null                 # changes the file's context type
    fi
  else
       echo "mysql.cnf contians existing entry for ssl, skipping..." | tee -a "$LOG_FILE"
  fi
}

set_mysql_client_tls () {
# Update ACA property file with client cert info, if not there already
if [[ $(cat "$DB_CLIENT_CONF" | grep -c "ssl") < 1 ]]; then 
  echo "Updating $DB_CLIENT_CONF with ssl parameters..." | tee -a "$LOG_FILE"
  echo "ssl_ca=$SSL_DB_CLIENT_CHAIN" >> $DB_CLIENT_CONF
  echo "ssl_cert=$SSL_DB_CLIENT_CERT" >> $DB_CLIENT_CONF
  echo "ssl_key=$SSL_DB_CLIENT_KEY" >> $DB_CLIENT_CONF
  chown mysql:mysql $SSL_DB_CLIENT_CHAIN $SSL_DB_CLIENT_CERT $SSL_DB_CLIENT_KEY 
  # Make selinux contexts for config files, if selinux is enabled
  selinuxenabled
  if [ $? -eq 0 ]; then
      semanage fcontext -a -t mysqld_etc_t $DB_CLIENT_CONFf > /dev/null  #adds the context type to file
      restorecon -F $DB_CLIENT_CONF                         > /dev/null #changes the file's context type
  fi                           
fi
}

# Process HIRS DB USER
set_hirs_db_pwd () {

   RESULT="$(mysql -u root --password=$DB_ADMIN_PWD -e "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")"
   if [ "$RESULT" = 1 ]; then
      echo "hirs-db user exists"
      HIRS_DB_PWD=$hirs_db_password
   else   
   # Check if Mysql HIRS DB  password set by system variable or set to random number
     if [ -z $HIRS_DB_PWD ]; then
       HIRS_DB_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
     fi

     echo "hirs_db_username=hirs_db" >> $ACA_PROP_FILE
     echo "hirs_db_password=$HIRS_DB_PWD" >> $ACA_PROP_FILE
  fi

}

# Create a hirs_db with client side TLS enabled
create_hirs_db_with_tls () {
  # Check if hirs_db not created and create it if it wasn't
  mysqlshow --user=root --password="$DB_ADMIN_PWD" | grep "hirs_db" > /dev/null 2>&1
  if [ $? -eq 0 ]; then
     echo "hirs_db exists, skipping hirs_db create"
  else
     mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/db_create.sql
     mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/secure_mysql.sql
     mysql -u root --password=$DB_ADMIN_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '"$HIRS_DB_PWD"'; FLUSH PRIVILEGES;";
  fi
}

# HIRS ACA Mysqld processing ...
check_mariadb_install
check_for_container -p
set_mysql_server_tls
set_mysql_client_tls
start_mysqlsd
check_mysql_root_pwd
set_hirs_db_pwd
create_hirs_db_with_tls
mysqld_reboot