#! /usr/bin/python2
#
# Authors: Sumit Bose <sbose@redhat.com>
# Based on ipa-server-install by Karl MacMillan <kmacmillan@mentalrootkit.com>
# and ipa-dns-install by Martin Nagy
#
# Copyright (C) 2011  Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

from __future__ import print_function

import logging
import os
import sys

import six

from optparse import SUPPRESS_HELP  # pylint: disable=deprecated-module

from ipalib.install import sysrestore
from ipaserver.install import adtrust
from ipaserver.install.installutils import (
    read_password,
    check_server_configuration,
    run_script)
from ipapython.admintool import ScriptError
from ipapython import version
from ipapython import ipautil
from ipalib import api, errors, krb_utils
from ipapython.config import IPAOptionParser
from ipaplatform.paths import paths
from ipapython.ipa_log_manager import standard_logging_setup

if six.PY3:
    unicode = str

logger = logging.getLogger(os.path.basename(__file__))

log_file_name = paths.IPASERVER_INSTALL_LOG


def parse_options():
    parser = IPAOptionParser(version=version.VERSION)
    parser.add_option("-d", "--debug", dest="debug", action="store_true",
                      default=False, help="print debugging information")
    parser.add_option("--netbios-name", dest="netbios_name",
                      help="NetBIOS name of the IPA domain")

    # no-msdcs has not effect, option is here just for backward compatibility
    parser.add_option("--no-msdcs", dest="no_msdcs", action="store_true",
                      default=False, help=SUPPRESS_HELP)

    parser.add_option("--rid-base", dest="rid_base", type=int, default=1000,
                      help="Start value for mapping UIDs and GIDs to RIDs")
    parser.add_option("--secondary-rid-base", dest="secondary_rid_base",
                      type=int, default=100000000,
                      help="Start value of the secondary range for mapping "
                           "UIDs and GIDs to RIDs")
    parser.add_option("-U", "--unattended", dest="unattended",
                      action="store_true",
                      default=False,
                      help="unattended installation never prompts the user")
    parser.add_option("-a", "--admin-password",
                      sensitive=True, dest="admin_password",
                      help="admin user kerberos password")
    parser.add_option("-A", "--admin-name",
                      sensitive=True, dest="admin_name", default='admin',
                      help="admin user principal")
    parser.add_option("--add-sids", dest="add_sids", action="store_true",
                      default=False, help="Add SIDs for existing users and"
                                          " groups as the final step")
    parser.add_option("--add-agents", dest="add_agents", action="store_true",
                      default=False,
                      help="Add IPA masters to a list of hosts allowed to "
                      "serve information about users from trusted forests")
    parser.add_option("--enable-compat",
                      dest="enable_compat", default=False, action="store_true",
                      help="Enable support for trusted domains for old "
                           "clients")

    options, _args = parser.parse_args()
    safe_options = parser.get_safe_opts(options)

    return safe_options, options


def read_admin_password(admin_name):
    print("Configuring cross-realm trusts for IPA server requires password "
          "for user '%s'." % (admin_name))
    print("This user is a regular system account used for IPA server "
          "administration.")
    print("")
    admin_password = read_password(admin_name, confirm=False, validate=None)
    return admin_password


def ensure_admin_kinit(admin_name, admin_password):
    try:
        ipautil.run(['kinit', admin_name], stdin=admin_password+'\n')
    except ipautil.CalledProcessError:
        print("There was error to automatically re-kinit your admin user "
              "ticket.")
        return False
    return True


def main():
    safe_options, options = parse_options()

    if os.getegid() != 0:
        raise ScriptError("Must be root to setup AD trusts on server")

    standard_logging_setup(log_file_name, debug=options.debug, filemode='a')
    print("\nThe log file for this installation can be found in %s"
          % log_file_name)

    logger.debug('%s was invoked with options: %s', sys.argv[0], safe_options)
    logger.debug(
        "missing options might be asked for interactively later\n")
    logger.debug('IPA version %s', version.VENDOR_VERSION)

    check_server_configuration()

    fstore = sysrestore.FileStore(paths.SYSRESTORE)

    print("================================================================"
          "==============")
    print("This program will setup components needed to establish trust to "
          "AD domains for")
    print("the FreeIPA Server.")
    print("")
    print("This includes:")
    print("  * Configure Samba")
    print("  * Add trust related objects to FreeIPA LDAP server")
    # TODO:
    # print "  * Add a SID to all users and Posix groups"
    print("")
    print("To accept the default shown in brackets, press the Enter key.")
    print("")

    # Check if samba packages are installed
    # the same check is in the adtrust module but we must fail first if the
    # package is missing
    adtrust.check_for_installed_deps()

    # Initialize the ipalib api
    api.bootstrap(
        in_server=True,
        debug=options.debug,
        context='install',
        confdir=paths.ETC_IPA
    )
    api.finalize()

    admin_password = options.admin_password
    if not (options.unattended or admin_password):
        admin_password = read_admin_password(options.admin_name)

    admin_kinited = None
    if admin_password:
        admin_kinited = ensure_admin_kinit(options.admin_name, admin_password)
        if not admin_kinited:
            print("Proceeding with credentials that existed before")

    try:
        principal = krb_utils.get_principal()
    except errors.CCacheError as e:
        raise ScriptError(
            "Must have Kerberos credentials to setup AD trusts on server: "
            "{err}".format(err=e))

    try:
        api.Backend.ldap2.connect()
    except errors.ACIError:
        raise ScriptError(
            "Outdated Kerberos credentials. "
            "Use kdestroy and kinit to update your ticket")
    except errors.DatabaseError:
        raise ScriptError(
            "Cannot connect to the LDAP database. Please check if IPA "
            "is running")

    try:
        user = api.Command.user_show(
            principal.partition('@')[0].partition('/')[0])['result']
        group = api.Command.group_show(u'admins')['result']
        if not (user['uid'][0] in group['member_user'] and
                group['cn'][0] in user['memberof_group']):
            raise errors.RequirementError(name='admins group membership')
    except errors.RequirementError as e:
        raise ScriptError(
            "Must have administrative privileges to setup AD trusts on server"
        )
    except Exception as e:
        raise ScriptError(
            "Unrecognized error during check of admin rights: %s" % e)

    adtrust.install_check(True, options, api)
    adtrust.install(True, options, fstore, api)

    print("""
=============================================================================
Setup complete

You must make sure these network ports are open:
\tTCP Ports:
\t  * 135: epmap
\t  * 138: netbios-dgm
\t  * 139: netbios-ssn
\t  * 445: microsoft-ds
\t  * 1024..1300: epmap listener range
\t  * 3268: msft-gc
\tUDP Ports:
\t  * 138: netbios-dgm
\t  * 139: netbios-ssn
\t  * 389: (C)LDAP
\t  * 445: microsoft-ds

See the ipa-adtrust-install(1) man page for more details

=============================================================================
""")
    if admin_password:
        admin_kinited = ensure_admin_kinit(options.admin_name, admin_password)

    if not admin_kinited:
        print("""
WARNING: you MUST re-kinit admin user before using 'ipa trust-*' commands
family in order to re-generate Kerberos tickets to include AD-specific
information""")

    api.Backend.ldap2.disconnect()

    return 0

if __name__ == '__main__':
    run_script(
        main,
        log_file_name=log_file_name,
        operation_name='ipa-adtrust-install')
