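#!/bin/bash
#
# Copyright 2020 VEXXHOST, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# DevStack hooks for running keystone as a Kubernetes-managed deployment
# ("keystone crd"). The ``*_keystone`` functions follow the standard
# DevStack lib/keystone entry points and rely on DevStack helpers
# (iniset, is_service_enabled, setup_logging, wait_for_service, die, ...)
# and the plugin's own helpers (get_data_from_secret, kubernetes_rollout_*,
# proxy_pass_to_kubernetes) having been sourced before this file is used.

# install_keystone() - Collect source and prepare
#
# Nothing is installed on the host: the keystone CRD deployment covers
# installation and startup, so this hook only reports that.
function install_keystone {
    echo "Both installation and startup are included in the deployment of keystone crd."
}
export -f install_keystone

# configure_keystone() - Set config files, create data dirs, etc
#
# Renders ``$KEYSTONE_CONF`` from the DevStack ``KEYSTONE_*`` settings and the
# MySQL credentials held in the ``keystone-mysql`` secret. The file ends up
# containing the database password, which is why it is created mode 600.
function configure_keystone {
    sudo install -d -o $STACK_USER $KEYSTONE_CONF_DIR

    if [[ "$KEYSTONE_CONF_DIR" != "$KEYSTONE_DIR/etc" ]]; then
        # Start from an empty owner-only file; the DB password is written below.
        install -m 600 /dev/null $KEYSTONE_CONF
    fi

    # Populate ``keystone.conf``
    if is_service_enabled ldap; then
        iniset $KEYSTONE_CONF identity domain_config_dir "$KEYSTONE_CONF_DIR/domains"
        iniset $KEYSTONE_CONF identity domain_specific_drivers_enabled "True"
    fi
    iniset $KEYSTONE_CONF identity driver "$KEYSTONE_IDENTITY_BACKEND"
    iniset $KEYSTONE_CONF identity password_hash_rounds $KEYSTONE_PASSWORD_HASH_ROUNDS
    iniset $KEYSTONE_CONF assignment driver "$KEYSTONE_ASSIGNMENT_BACKEND"
    iniset $KEYSTONE_CONF role driver "$KEYSTONE_ROLE_BACKEND"
    iniset $KEYSTONE_CONF resource driver "$KEYSTONE_RESOURCE_BACKEND"

    # Enable caching. The memcache endpoint is the in-cluster mcrouter
    # service name, not a host-local memcached.
    iniset $KEYSTONE_CONF cache enabled $KEYSTONE_ENABLE_CACHE
    iniset $KEYSTONE_CONF cache backend $CACHE_BACKEND
    iniset $KEYSTONE_CONF cache memcache_servers "mcrouter-memcached-keystone:11211"

    iniset_rpc_backend keystone $KEYSTONE_CONF oslo_messaging_notifications

    # Override the endpoints advertised by keystone (the public_endpoint and
    # admin_endpoint) so that clients use the correct endpoint. By default, the
    # keystone server uses the public_port and admin_port which isn't going to
    # work when you want to use a different port (in the case of proxy), or you
    # don't want the port (in the case of putting keystone on a path in
    # apache). The advertised URIs come straight from the DevStack settings;
    # no per-proxy port juggling is needed here because keystone is reached
    # on a path rather than a port.
    iniset $KEYSTONE_CONF DEFAULT public_endpoint $KEYSTONE_SERVICE_URI
    iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI

    if [[ "$KEYSTONE_TOKEN_FORMAT" != "" ]]; then
        iniset $KEYSTONE_CONF token provider $KEYSTONE_TOKEN_FORMAT
    fi

    # Get mysql credentials from the keystone-mysql secret.
    # NOTE(review): the password is interpolated verbatim into the SQLAlchemy
    # URL; a value containing URL-reserved characters ('@', '/', '?', '#')
    # would break the connection string. get_data_from_secret's output is not
    # visible here, so confirm the generated password avoids them or URL-encode
    # it before use.
    KEYSTONE_DATABASE_USER=$(get_data_from_secret keystone-mysql openstack USER)
    KEYSTONE_DATABASE_PASSWORD=$(get_data_from_secret keystone-mysql openstack PASSWORD)
    KEYSTONE_DATABASE_NAME=$(get_data_from_secret keystone-mysql openstack DATABASE)
    iniset $KEYSTONE_CONF database connection "mysql+pymysql://$KEYSTONE_DATABASE_USER:$KEYSTONE_DATABASE_PASSWORD@keystone-mysql/$KEYSTONE_DATABASE_NAME?charset=utf8"

    # Set up logging
    if [ "$SYSLOG" != "False" ]; then
        iniset $KEYSTONE_CONF DEFAULT use_syslog "True"
    fi

    # Format logging
    setup_logging $KEYSTONE_CONF

    iniset $KEYSTONE_CONF DEFAULT debug $ENABLE_DEBUG_LOG_LEVEL

    if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
        iniset $KEYSTONE_CONF DEFAULT logging_exception_prefix "%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s"
        _config_keystone_apache_wsgi
    else # uwsgi
        write_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI" "/identity"
        write_uwsgi_config "$KEYSTONE_ADMIN_UWSGI_CONF" "$KEYSTONE_ADMIN_UWSGI" "/identity_admin"
    fi

    iniset $KEYSTONE_CONF DEFAULT max_token_size 16384

    # Both key repositories live under the config dir, so whatever permissions
    # that directory ends up with apply to the token-signing keys too.
    iniset $KEYSTONE_CONF fernet_tokens key_repository "$KEYSTONE_CONF_DIR/fernet-keys/"
    iniset $KEYSTONE_CONF credential key_repository "$KEYSTONE_CONF_DIR/credential-keys/"

    # Configure the project created by the 'keystone-manage bootstrap' as the cloud-admin project.
    # The users from this project are globally admin as before, but it also
    # allows policy changes in order to clarify the adminess scope.
    #iniset $KEYSTONE_CONF resource admin_project_domain_name Default
    #iniset $KEYSTONE_CONF resource admin_project_name admin

    if [[ "$KEYSTONE_SECURITY_COMPLIANCE_ENABLED" = True ]]; then
        iniset $KEYSTONE_CONF security_compliance lockout_failure_attempts $KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS
        iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
        iniset $KEYSTONE_CONF security_compliance unique_last_password_count $KEYSTONE_UNIQUE_LAST_PASSWORD_COUNT
    fi
}
# Exported like the sibling hooks so all entry points are visible the same way.
export -f configure_keystone

# init_keystone() - Initialize databases, etc.
#
# Publishes the rendered keystone.conf as the ``keystone-config`` secret in
# the ``openstack`` namespace, then (re)creates the keystone database when
# ``RECREATE_KEYSTONE_DB`` is True.
function init_keystone {
    # Push the config into the cluster. The secret key is pinned to
    # ``keystone.conf`` so the pod-side mount does not depend on where
    # $KEYSTONE_CONF lives on the host.
    kubectl create secret generic keystone-config --from-file=keystone.conf="$KEYSTONE_CONF" -n openstack \
        || die $LINENO "failed to create the keystone-config secret"

    # NOTE(mnaser): Permissions here are bad but it's temporary so we don't care as much.
    # NOTE(review): this leaves keystone.conf (DB password) and the fernet /
    # credential key repositories world-readable and world-writable, so any
    # local user could read or replace the token-signing keys. Left in place
    # because the UID the keystone pods run as is not visible here; narrow it
    # to that UID/GID (or 750) once known. ``:?`` refuses to run if the
    # variable is empty so a recursive chmod can never hit the wrong tree.
    sudo chmod -Rv 777 "${KEYSTONE_CONF_DIR:?}"

    if [[ "$RECREATE_KEYSTONE_DB" == True ]]; then
        # (Re)create keystone database
        recreate_database keystone
    fi
}
export -f init_keystone

# start_keystone() - Start running processes
#
# Rolls out the keystone daemonset, routes /identity and /identity_admin to
# the in-cluster services, waits for the API to answer, starts the TLS
# proxies if enabled, and restarts memcached so no stale cache survives.
function start_keystone {
    # rollout keystone
    kubernetes_rollout_restart daemonset/keystone
    kubernetes_rollout_status daemonset/keystone

    # Protocol for the readiness probe. Even if the tls tunnel should be
    # enabled, the internal endpoint is probed over unencrypted http at this
    # point because the proxies are only started further down.
    local auth_protocol=$KEYSTONE_AUTH_PROTOCOL
    if is_service_enabled tls-proxy; then
        auth_protocol="http"
    fi

    proxy_pass_to_kubernetes /identity_admin keystone keystone-wsgi-admin
    proxy_pass_to_kubernetes /identity keystone keystone-wsgi-public

    echo "Waiting for keystone to start..."
    # Check that the keystone service is running. Keystone is served on a
    # path, so the probe URI carries no port.
    local service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST/identity/v$IDENTITY_API_VERSION/
    if ! wait_for_service $SERVICE_TIMEOUT $service_uri; then
        die $LINENO "keystone did not start"
    fi

    # Start proxies if enabled
    if is_service_enabled tls-proxy; then
        start_tls_proxy keystone-service '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT
        start_tls_proxy keystone-auth '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT
    fi

    # (re)start memcached to make sure we have a clean memcache.
    # NOTE(review): the fixed sleep is only a guess at restart time; if
    # kubernetes_rollout_status handles statefulsets it would be the proper
    # wait here — confirm before switching.
    kubectl rollout restart statefulset/memcached-keystone
    sleep 10
}
export -f start_keystone

# bootstrap_keystone() - Initialize user, role and project
#
# Intentionally a no-op in this plugin; presumably the CRD deployment
# bootstraps the admin user/project as it does installation — confirm.
function bootstrap_keystone {
    echo noop
}
export -f bootstrap_keystone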