#! /usr/bin/python -E
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2007  Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

import sys
import os
import pwd
import tempfile

import traceback

import krbV, getpass

from ipapython.ipautil import user_input

from ipaserver.install import certs, dsinstance, httpinstance, installutils
from ipalib import api
from ipaserver.plugins.ldap2 import ldap2
from ipaserver.install import installutils

def get_realm_name():
    c = krbV.default_context()
    return c.default_realm

def parse_options():
    from optparse import OptionParser
    parser = OptionParser()

    parser.add_option("-d", "--dirsrv", dest="dirsrv", action="store_true",
                      default=False, help="install certificate for the directory server")
    parser.add_option("-w", "--http", dest="http", action="store_true",
                      default=False, help="install certificate for the http server")
    parser.add_option("--dirsrv_pin", dest="dirsrv_pin",
                      help="The password of the Directory Server PKCS#12 file")
    parser.add_option("--http_pin", dest="http_pin",
                      help="The password of the Apache Server PKCS#12 file")

    options, args = parser.parse_args()

    if not options.dirsrv and not options.http:
        parser.error("you must specify dirsrv and/or http")
    if ((options.dirsrv and not options.dirsrv_pin) or
            (options.http and not options.http_pin)):
        parser.error("you must provide the password for the PKCS#12 file")

    if len(args) != 1:
        parser.error("you must provide a pkcs12 filename")

    return options, args[0]

def set_ds_cert_name(cert_name, dm_password):
    conn = ldap2(shared_instance=False, base_dn='')
    conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
    mod = {'nssslpersonalityssl': cert_name}
    conn.update_entry('cn=RSA,cn=encryption,cn=config', mod)
    conn.disconnect()

def choose_server_cert(server_certs):
    print "Please select the certificate to use:"
    num = 1
    for cert in server_certs:
        print "%d. %s" % (num, cert[0])
        num += 1

    while 1:
        num = user_input("Certificate number", 1)
        print ""
        if num < 1 or num > len(server_certs):
            print "number out of range"
        else:
            break

    return server_certs[num - 1]

def import_cert(dirname, pkcs12_fname, pkcs12_passwd, db_password):
    cdb = certs.CertDB(api.env.realm, nssdir=dirname)
    cdb.create_passwd_file(db_password)
    cdb.create_certdbs()
    [pw_fd, pw_name] = tempfile.mkstemp()
    os.write(pw_fd, pkcs12_passwd)
    os.close(pw_fd)

    try:
        try:
            cdb.import_pkcs12(pkcs12_fname, pw_name)
            ca_names = cdb.find_root_cert_from_pkcs12(pkcs12_fname, pw_name)
        except RuntimeError, e:
            print str(e)
            sys.exit(1)
    finally:
        os.remove(pw_name)

    server_certs = cdb.find_server_certs()
    if len(server_certs) == 0:
        print "could not find a suitable server cert in import"
        sys.exit(1)
    elif len(server_certs) == 1:
        server_cert = server_certs[0]
    else:
        server_cert = choose_server_cert(server_certs)

    for ca in ca_names:
        cdb.trust_root_cert(ca)

    return server_cert

def main():
    installutils.check_server_configuration()

    options, pkcs12_fname = parse_options()

    cfg = dict(in_server=True,)

    api.bootstrap(**cfg)
    api.finalize()

    try:
        if options.dirsrv:
            dm_password = getpass.getpass("Directory Manager password: ")
            realm = get_realm_name()
            dirname = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm))
            fd = open(dirname + "/pwdfile.txt")
            passwd = fd.read()
            fd.close()

            server_cert = import_cert(dirname, pkcs12_fname, options.dirsrv_pin, passwd)
            set_ds_cert_name(server_cert[0], dm_password)

        if options.http:
            dirname = certs.NSS_DIR
            server_cert = import_cert(dirname, pkcs12_fname, options.http_pin, "")
            installutils.set_directive(httpinstance.NSS_CONF, 'NSSNickname', server_cert[0])

            # Fix the database permissions
            os.chmod(dirname + "/cert8.db", 0640)
            os.chmod(dirname + "/key3.db", 0640)
            os.chmod(dirname + "/secmod.db", 0640)

            pent = pwd.getpwnam("apache")
            os.chown(dirname + "/cert8.db", 0, pent.pw_gid )
            os.chown(dirname + "/key3.db", 0, pent.pw_gid )
            os.chown(dirname + "/secmod.db", 0, pent.pw_gid )

    except Exception, e:
        traceback.print_exc(file=sys.stderr)
        sys.exit("an unexpected error occurred: %s" % str(e))

    return 0

try:
    if not os.geteuid()==0:
        sys.exit("\nYou must be root to run this script.\n")

    main()
except SystemExit, e:
    sys.exit(e)
except RuntimeError, e:
    sys.exit(e)