#!/bin/bash

create_files() {
        mkdir -p /var/log/privacyidea
        mkdir -p /var/lib/privacyidea
        touch /var/log/privacyidea/privacyidea.log
        pi-manage create_enckey || true > /dev/null
        pi-manage createdb || true > /dev/null
        pi-manage create_audit_keys || true > /dev/null
        chown -R $USERNAME /var/log/privacyidea
        chown -R $USERNAME /var/lib/privacyidea
        chown -R $USERNAME /etc/privacyidea
        chmod 600 /etc/privacyidea/enckey
        chmod 600 /etc/privacyidea/private.pem
	# we need to change access right, otherwise each local user could call
	# pi-manage
	chgrp root /etc/privacyidea/pi.cfg
	chmod 640 /etc/privacyidea/pi.cfg
}

create_certificate() {
if [ ! -e /etc/privacyidea/server.pem ]; then
        # This is the certificate when running with paster...
        cd /etc/privacyidea
        openssl genrsa -out server.key 2048
        openssl req -new -key server.key -out server.csr -subj "/CN=privacyidea"
        openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
        cat server.crt server.key > server.pem
        rm -f server.crt server.key
        chown privacyidea server.pem
        chmod 400 server.pem
fi

if [ ! -e /etc/ssl/certs/privacyideaserver.pem ]; then
        # This is the certificate when running with apache or nginx
        KEY=/etc/ssl/private/privacyideaserver.key
        CSR=`mktemp`
        CERT=/etc/ssl/certs/privacyideaserver.pem
        openssl genrsa -out $KEY 2048
        openssl req -new -key $KEY -out $CSR -subj "/CN=`hostname`"
        openssl x509 -req -days 365 -in $CSR -signkey $KEY -out $CERT
        rm -f $CSR
        chmod 400 $KEY
fi
}

adapt_pi_cfg() {
	    # PEPPER does not exist, yet
	    PEPPER="$(tr -dc A-Za-z0-9_ </dev/urandom | head -c24)"
	    echo "PI_PEPPER = '$PEPPER'" >> /etc/privacyidea/pi.cfg
	    # SECRET_KEY does not exist, yet
	    SECRET="$(tr -dc A-Za-z0-9_ </dev/urandom | head -c24)"
	    echo "SECRET_KEY = '$SECRET'" >> /etc/privacyidea/pi.cfg
}

reset_database() {
	# reset the MYSQL database
	    USER="debian-sys-maint"
	    PASSWORD=$(grep "^password" /etc/mysql/debian.cnf | sort -u | cut -d " " -f3)
	    NPW="$(tr -dc A-Za-z0-9_ </dev/urandom | head -c12)"
	    mysql -u $USER --password=$PASSWORD -e "drop database pi;" || true
	    mysql -u $USER --password=$PASSWORD -e "create database pi;" || true
	    mysql -u $USER --password=$PASSWORD -e "grant all privileges on pi.* to 'pi'@'localhost' identified by '$NPW';"
	    echo "SQLALCHEMY_DATABASE_URI = 'mysql://pi:$NPW@localhost/pi'" >> /etc/privacyidea/pi.cfg
}

update_db() {
	# Set the version to the first PI 2.0 version
	pi-manage db stamp 4f32a4e1bf33 -d /usr/lib/privacyidea/migrations > /dev/null
	# Upgrade the database
	pi-manage db upgrade -d /usr/lib/privacyidea/migrations > /dev/null
}

# clean up
rm -f /etc/privacyidea/enckey
rm -f /etc/privacyidea/private.pem
rm -f /etc/privacyidea/public.pem
rm -f /etc/privacyidea/server.pem
rm -f /etc/ssl/certs/privacyideaserver.pem

adapt_pi_cfg
create_files
create_certificate
reset_database
update_db
service apache2 restart
