# -*- coding: utf-8 -*-
from setuphelpers import *

uninstallkey = []


def install():

    import re
    import nginxparser
    import jinja2
    import datetime
    import subprocess
    from waptcrypto import SSLCertificate,SSLPrivateKey
    try:
        import grp
    except:
        raise Exception("This package have to be installed on Linux")

    def generate_dhparam(NGINX_GID):
        dh_filename = '/etc/ssl/certs/dhparam.pem'
        if not os.path.exists(dh_filename):
            print(run('openssl dhparam -out %s  2048' % dh_filename))
        os.chown(dh_filename, 0, NGINX_GID) #pylint: disable=no-member
        os.chmod(dh_filename, 0o640)        #pylint: disable=no-member

    def selinux_rules(local_repo):
        """ SELinux httpd security rules """
        run('setsebool -P httpd_can_network_connect 1')
        run('setsebool -P httpd_setrlimit on')
        for sepath in ('wapt','wapt-host','waptwua'):
            path = makepath(local_repo,sepath)
            mkdirs(path)
            try:
                run('semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?"' % (path))
            except:
                run('semanage fcontext -m -t httpd_sys_content_t "%s(/.*)?"' % (path))
            run('restorecon -R -v %s' % (path))

    def nginx_set_worker_limit(nginx_conf):
        already_set=False
        for entries in nginx_conf:
            if entries[0]=='worker_rlimit_nofile':
                print( "Nginx - worker_rlimit_nofile already set")
                already_set=True
        if not already_set:
            nginx_conf.insert(3,['worker_rlimit_nofile', '32768'])
        return nginx_conf

    def make_httpd_config(waptservice_dir, fqdn, local_repo):
        ssl_dir = makepath(waptservice_dir,'nginx','ssl')
        scripts_dir = makepath(waptservice_dir, 'scripts')
        wapt_ssl_key_file = makepath(ssl_dir,'key.pem')
        wapt_ssl_cert_file = makepath(ssl_dir,'cert.pem')

        # write the apache configuration fragment
        jinja_env = jinja2.Environment(loader=jinja2.FileSystemLoader(scripts_dir))
        template = jinja_env.get_template('wapt.nginxconfig.template')

        template_vars = {
            'wapt_repository_path': local_repo,
            'windows': False,
            'debian': type_debian(),
            'redhat': type_redhat(),
            'force_https': False,
            'wapt_ssl_key_file': wapt_ssl_key_file,
            'wapt_ssl_cert_file': wapt_ssl_cert_file,
            'fqdn': fqdn,
            'use_ssl_client_auth' : False,
            'clients_signing_certificate' : False,
            }

        print('Nginx - creating wapt.conf virtualhost')

        config_string = template.render(template_vars)
        if type_debian():
            dst_file_path = '/etc/nginx/sites-available/wapt.conf'
            if not os.path.exists('/etc/nginx/sites-enabled/wapt.conf'):
                print(run('ln -s /etc/nginx/sites-available/wapt.conf /etc/nginx/sites-enabled/wapt.conf'))
            if os.path.exists('/etc/nginx/sites-enabled/default'):
                os.unlink('/etc/nginx/sites-enabled/default')

        elif type_redhat():
            dst_file_path = '/etc/nginx/conf.d/wapt.conf'
        with open(dst_file_path, 'wt') as dst_file:
            dst_file.write(config_string)

        # create keys for https:// access

        if not os.path.exists(wapt_ssl_key_file) or not os.path.exists(wapt_ssl_cert_file):
            print('Nginx - generate self-signed certs')
            key = SSLPrivateKey(wapt_ssl_key_file)
            if not os.path.isfile(wapt_ssl_key_file):
                print('Create SSL RSA Key %s' % wapt_ssl_key_file)
                key.create()
                key.save_as_pem()

            if os.path.isfile(wapt_ssl_cert_file):
                crt = SSLCertificate(wapt_ssl_cert_file)
                if crt.cn != fqdn:
                    os.rename(wapt_ssl_cert_file,"%s-%s.old" % (wapt_ssl_cert_file,'{:%Y%m%d-%Hh%Mm%Ss}'.format(datetime.datetime.now())))
                    crt = key.build_sign_certificate(cn=fqdn,dnsname=fqdn,is_code_signing=False)
                    print('Create X509 cert %s' % wapt_ssl_cert_file)
                    crt.save_as_pem(wapt_ssl_cert_file)
            else:
                crt = key.build_sign_certificate(cn=fqdn,dnsname=fqdn,is_code_signing=False)
                print('Create X509 cert %s' % wapt_ssl_cert_file)
                crt.save_as_pem(wapt_ssl_cert_file)

    def nginx_clean_default_vhost(nginx_conf):
        for entry in nginx_conf:
            if entry[0]==['http']:
                for subentry in entry[1]:
                    if subentry[0]==['server']:
                        print('Nginx - removing default vhost')
                        entry[1].remove(subentry)
        return nginx_conf

    def enable_nginx():
        print(run('systemctl enable nginx'))

    def restart_nginx():
        print(run('systemctl restart nginx'))

    def nginx_cleanup():
        with open('/etc/nginx/nginx.conf','r') as read_conf:
            nginx_conf = nginxparser.load(read_conf)
            nginx_conf = nginx_set_worker_limit(nginx_conf)
            nginx_conf = nginx_clean_default_vhost(nginx_conf)
        with open("/etc/nginx/nginx.conf", "w") as nginx_conf_file:
            nginx_conf_file.write(nginxparser.dumps(nginx_conf))

    def setup_firewall():
        """ Add permanent rules for firewalld """
        if type_redhat():
            output = run('firewall-cmd --list-ports')
            if '443/tcp' in output and '80/tcp' in output:
                print("Firewall already configured, skipping firewalld configuration")
            elif subprocess.call(['firewall-cmd', '--state'], stdout=open(os.devnull, 'w')) == 0:
                run('firewall-cmd --permanent --add-port=443/tcp')
                run('firewall-cmd --permanent --add-port=80/tcp')
                run('firewall-cmd --reload')
            else:
                run('firewall-offline-cmd --add-port=443/tcp')
                run('firewall-offline-cmd --add-port=80/tcp')

    print("Install nginx to permit WAPTAgent to become a repository")
    if type_debian():
        install_apt('nginx')
        NGINX_GID = grp.getgrnam('www-data').gr_gid
    elif type_redhat():
        install_yum('nginx')
        NGINX_GID = grp.getgrnam('nginx').gr_gid
    else:
        raise Exception("Distribution not supported yet")

    print("Create WAPTService directories for nginx")
    for dirname in ['nginx','scripts']:
        mkdirs(makepath(WAPT.wapt_base_dir,'waptservice',dirname))
    for dirname in ['ssl']:
        mkdirs(makepath(WAPT.wapt_base_dir,'waptservice','nginx',dirname))

    copytree2('scripts',makepath(WAPT.wapt_base_dir,'waptservice','scripts'))

    local_repo = inifile_readstring(WAPT.config_filename,'repo-sync','local_repo_path') or makepath(WAPT.wapt_base_dir,'repository')

    # SELinux rules for CentOS/RedHat
    if type_redhat():
        if re.match('^SELinux status:.*enabled', run('sestatus')):
                print('Redhat/Centos detected, tweaking SELinux rules')
                selinux_rules(local_repo)
                print('Nginx - SELinux correctly configured for Nginx reverse proxy')

    fqdn = get_fqdn()

    # Nginx configuration
    generate_dhparam(NGINX_GID)
    nginx_cleanup()
    make_httpd_config(makepath(WAPT.wapt_base_dir,'waptservice'), fqdn,local_repo)
    print("Testing NGINX configuration")
    run('nginx -t')
    enable_nginx()
    restart_nginx()
    try:
        setup_firewall()
    except:
        pass


def update_package():
    # Initializing variables
    version = control.version.split('-')[0]

    # Incrementing version of the package
    control.version = '%s-%s'%(version,int(control.version.split('-')[-1])+1)
    control.save_control_to_wapt()
    print('Changing package version to: %s in WAPT\\control' % control.version)