#!/bin/sh

set -e

#PKGOS-INCLUDE#

KEY_CONF=/etc/keystone/keystone.conf

keystone_get_debconf_admin_credentials () {
	db_get keystone/admin-user
	ADMIN_USER_NAME=${RET:-admin}
	db_get keystone/admin-password
	ADMIN_USER_PW=${RET:-$(gen_password)}
	db_get keystone/admin-email
	ADMIN_USER_EMAIL=${RET:-root@localhost}
	db_get keystone/admin-tenant-name
	ADMIN_TENANT_NAME=${RET:-admin}
	db_get keystone/admin-role-name
	ADMIN_ROLE_NAME=${RET:-admin}

	# We export the retrived credentials for later use
	export OS_PROJECT_DOMAIN_ID=default
	export OS_USER_DOMAIN_ID=default
	export OS_USERNAME=admin
	export OS_PASSWORD=${ADMIN_USER_PW}
	export OS_TENANT_NAME=${ADMIN_TENANT_NAME}
	export OS_PROJECT_NAME=${ADMIN_TENANT_NAME}
	export OS_AUTH_URL=http://127.0.0.1:35357/v3/
	export OS_IDENTITY_API_VERSION=3
	export OS_AUTH_VERSION=3
	export OS_PROJECT_DOMAIN_ID=default
	export OS_USER_DOMAIN_ID=default
	export OS_NO_CACHE=1
}

keystone_bootstrap_admin () {
	# This is the new way to bootstrap the admin user of Keystone
	# and we shouldn't use the admin auth token anymore.
	export OS_BOOTSTRAP_USERNAME=${ADMIN_USER_NAME}
	export OS_BOOTSTRAP_PROJECT_NAME=${ADMIN_TENANT_NAME}
	export OS_BOOTSTRAP_PASSWORD=${ADMIN_USER_PW}
	keystone-manage bootstrap
}

keystone_create_admin_tenant () {
	echo -n "Fixing-up: admin-project-desc "
	openstack project set --description "Default Debian admin project" $ADMIN_TENANT_NAME
	echo -n "service-project "
	openstack project create --or-show service --description "Default Debian service project" >/dev/null
	echo -n "default-admin-email "
	openstack user set --description "Default Debian admin user" --email ${ADMIN_USER_EMAIL} --enable $ADMIN_USER_NAME
	echo "...done!"

	# Note: heat_stack_owner is needed for heat to work, and Member ResellerAdmin
	# are needed for swift auto account creation.
	echo -n "Adding roles: "
	for i in admin KeystoneAdmin KeystoneServiceAdmin heat_stack_owner Member ResellerAdmin ; do
		echo -n "${i} "
		openstack role create --or-show ${i} >/dev/null
		openstack role add --project $ADMIN_TENANT_NAME --user $ADMIN_USER_NAME ${i} >/dev/null
	done
	echo "...done!"
}

keystone_create_endpoint_postinst () {
	local PKG_NAME
	PKG_NAME=${1}

	db_get keystone/endpoint-ip
	# Make sure a valid IP has been entered in Debconf.
	KEYSTONE_ENDPOINT_IP=`echo ${RET} | egrep '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'`
	if [ -n ${KEYSTONE_ENDPOINT_IP} ] ; then
		db_get keystone/region-name
		REGION_NAME=${RET}
		if [ -n "${REGION_NAME}" ] ; then
			NUM_LINES=$(OS_TOKEN=`openstack token issue -c id -f value` openstack service list --format=csv --os-url http://localhost:5000/v3 | q -d , -H 'SELECT ID FROM - WHERE `Type`="identity"' | wc -l)
			if [ "${NUM_LINES}" = "0" ] ; then
				echo -n "Setting-up: create-keystone-service "
				OS_TOKEN=`openstack token issue -c id -f value` openstack service create --name=keystone --description="Keystone Identity Service" identity --os-url http://localhost:5000/v3 >/dev/null
				echo -n "create-public-endpoint "
				OS_TOKEN=`openstack token issue -c id -f value` openstack endpoint create --region "${REGION_NAME}" \
					keystone public http://${KEYSTONE_ENDPOINT_IP}:5000/v2.0 --os-url http://localhost:5000/v3 >/dev/null
				echo -n "create-internal-endpoint "
				OS_TOKEN=`openstack token issue -c id -f value` openstack endpoint create --region "${REGION_NAME}" \
					keystone internal http://${KEYSTONE_ENDPOINT_IP}:5000/v2.0 --os-url http://localhost:5000/v3 >/dev/null
				echo -n "create-admin-endpoint "
				OS_TOKEN=`openstack token issue -c id -f value` openstack endpoint create --region "${REGION_NAME}" \
					keystone admin http://${KEYSTONE_ENDPOINT_IP}:35357/v2.0 --os-url http://localhost:5000/v3 >/dev/null
				echo "...done!"
			else
				echo -n "Keystone service already registered..."
			fi
		fi
	fi
}

if [ "$1" = "configure" ] ; then
	. /usr/share/debconf/confmodule
	. /usr/share/dbconfig-common/dpkg/postinst

	# Create user and group keystone, plus /var/log and /var/lib owned by it
	# We need a bash shell so that keystone-manage pkg_setup works, and the
	# Wheezy package doesn't have it, failing upgrades
	pkgos_var_user_group keystone /bin/sh
	# Make sure we have a folder to create certs, that isn't world readable
	mkdir -p /etc/keystone/ssl/certs
	chown keystone:keystone /etc/keystone/ssl/certs
	chmod 750 /etc/keystone/ssl/certs
	chown keystone:keystone /etc/keystone/ssl
	chmod 750 /etc/keystone/ssl

	# Create keystone.conf if it's not there
	pkgos_write_new_conf keystone keystone.conf
	# Set the auth_token directive in in keystone.conf
	db_get keystone/auth-token
	AUTH_TOKEN=${RET}
	if [ -z "${AUTH_TOKEN}" ] ; then
		AUTH_TOKEN=`pkgos_gen_pass`
	fi
	pkgos_inifile set ${KEY_CONF} DEFAULT admin_token ${AUTH_TOKEN}
	OSTACKCLI_PARAMS="--os-url=http://127.0.0.1:35357/v3/ --os-domain-name default --os-identity-api-version=3"

	# Make sure /var/log/keystone/keystone.log is owned by keystone
	# BEFORE any keystone-manage calls.
	chown -R keystone:keystone /var/log/keystone

	# Upgrade or create the db if directed to do so
	db_get keystone/configure_db
	if [ "$RET" = "true" ] ; then
		# Configure the SQL connection of keystone.conf according to dbconfig-common
		pkgos_dbc_postinst ${KEY_CONF} database connection keystone $@
		echo "Running su keystone -s /bin/sh -c 'keystone-manage --noverbose db_sync'..."
		if [ "${PKGOS_VERBOSE}" = "yes" ] ; then
			su keystone -s /bin/sh -c "keystone-manage --verbose db_sync"
		else
			su keystone -s /bin/sh -c "keystone-manage --noverbose db_sync"
		fi
	fi

	# Generate the ssl keys for keystone.
	# It seems that starting it each time this script is launch
	# isn't a problem.
	#su keystone -s /bin/sh -c "keystone-manage pki_setup"

	# Activate the keystone.service
	deb-systemd-helper unmask keystone.service >/dev/null || true
	if deb-systemd-helper --quiet was-enabled keystone.service ; then
		deb-systemd-helper enable keystone.service >/dev/null || true
	else
		deb-systemd-helper update-state keystone.service >/dev/null || true
	fi

	# Setup init script and start keystone
	pkgos_init keystone

	# On first install, create basics configuration and add roles
	if [ -z "$2" ] ; then
		echo -n "Sleeping 5 seconds to make sure the keystone daemon is up and running: 5..."
		sleep 1
		echo -n "4..."
		sleep 1
		echo -n "3..."
		sleep 1
		echo -n "2..."
		sleep 1
		echo -n "1..."
		sleep 1
		echo "0"
		db_get keystone/create-admin-tenant
		if [ "$RET" = "true" ] ; then
			keystone_get_debconf_admin_credentials
			echo "===> Bootstraping tenants with 'keystone-manage bootstrap':"
			keystone_get_debconf_admin_credentials
			keystone_bootstrap_admin
			db_get keystone/register-endpoint
			if [ "$RET" = "true" ] ; then
				echo "===> Registering keystone endpoint"
				keystone_create_endpoint_postinst
			fi
			echo "===> Editing bootstraped tenants and adding default roles"
			keystone_create_admin_tenant

			echo "done!"
		fi
	fi
	db_stop
fi

exit 0