#! /usr/bin/python2 -E
# Authors: Martin Nagy <mnagy@redhat.com>
# Based on ipa-server-install by Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2007 - 2009  Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

from optparse import OptionGroup, SUPPRESS_HELP

import krbV

from ipaserver.install import service, bindinstance, ntpinstance, httpinstance
from ipaserver.install.installutils import *
from ipaserver.install import installutils
from ipapython import version
from ipapython import ipautil, sysrestore
from ipalib import api, errors, util
from ipaplatform.paths import paths
from ipapython.config import IPAOptionParser
from ipapython.ipa_log_manager import standard_logging_setup, root_logger

log_file_name = paths.IPASERVER_INSTALL_LOG

def parse_options():
    parser = IPAOptionParser(version=version.VERSION)
    parser.add_option("-p", "--ds-password", dest="dm_password",
                      sensitive=True, help="admin password")
    parser.add_option("-d", "--debug", dest="debug", action="store_true",
                      default=False, help="print debugging information")
    parser.add_option("--ip-address", dest="ip_addresses",
                      default=[], action="append",
                      type="ip", ip_local=True, help="Master Server IP Address")
    parser.add_option("--forwarder", dest="forwarders", action="append",
                      type="ip", help="Add a DNS forwarder")
    parser.add_option("--no-forwarders", dest="no_forwarders", action="store_true",
                      default=False, help="Do not add any DNS forwarders, use root servers instead")
    parser.add_option("--reverse-zone", dest="reverse_zones",
                      default=[], action="append",
                      help="The reverse DNS zone to use")
    parser.add_option("--no-reverse", dest="no_reverse", action="store_true",
                      default=False, help="Do not create new reverse DNS zone")
    parser.add_option("--zonemgr", action="callback", callback=bindinstance.zonemgr_callback,
                      type="string",
                      help="DNS zone manager e-mail address. Defaults to hostmaster@DOMAIN")
    parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
                      default=False, help="unattended installation never prompts the user")

    options, args = parser.parse_args()
    safe_options = parser.get_safe_opts(options)

    # Disable DNSSEC support
    options.no_dnssec_validation = False
    options.dnssec_master = False

    if options.forwarders and options.no_forwarders:
        parser.error("You cannot specify a --forwarder option together with --no-forwarders")
    elif options.reverse_zones and options.no_reverse:
        parser.error("You cannot specify a --reverse-zone option together with --no-reverse")

    if options.unattended:
        if not options.forwarders and not options.no_forwarders:
            parser.error("You must specify at least one --forwarder option or --no-forwarders option")

    return safe_options, options

def main():
    safe_options, options = parse_options()

    if os.getegid() != 0:
        sys.exit("Must be root to setup server")

    standard_logging_setup(log_file_name, debug=options.debug, filemode='a')
    print "\nThe log file for this installation can be found in %s" % log_file_name

    root_logger.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options))
    root_logger.debug("missing options might be asked for interactively later\n")
    root_logger.debug('IPA version %s' % version.VENDOR_VERSION)

    installutils.check_server_configuration()

    global fstore
    fstore = sysrestore.FileStore(paths.SYSRESTORE)

    print "=============================================================================="
    print "This program will setup DNS for the IPA Server."
    print ""
    print "This includes:"
    print "  * Configure DNS (bind)"
    print ""
    print "To accept the default shown in brackets, press the Enter key."
    print ""

    if options.dnssec_master and not options.unattended and not ipautil.user_input(
            "Do you want to setup this IPA server as DNSSEC key master?",
            False):
        sys.exit("Aborted")

    # Check bind packages are installed
    if not bindinstance.check_inst(options.unattended):
        sys.exit("Aborting installation.")

    # Initialize the ipalib api
    cfg = dict(
        in_server=True,
        debug=options.debug,
    )
    api.bootstrap(**cfg)
    api.finalize()

    # Create a BIND instance
    if options.unattended and not options.dm_password:
        sys.exit("\nIn unattended mode you need to provide at least the -p option")

    dm_password = options.dm_password or read_password("Directory Manager",
                                             confirm=False, validate=False)
    if dm_password is None:
        sys.exit("Directory Manager password required")
    bind = bindinstance.BindInstance(fstore, dm_password)

    # try the connection
    try:
        bind.ldap_connect()
        bind.ldap_disconnect()
    except errors.ACIError:
        sys.exit("Password is not valid!")

    ip_addresses = get_server_ip_address(api.env.host, fstore,
        options.unattended, True, options.ip_addresses)

    if options.no_forwarders:
        dns_forwarders = ()
    elif options.forwarders:
        dns_forwarders = options.forwarders
    else:
        dns_forwarders = read_dns_forwarders()

    # test DNSSEC forwarders
    if dns_forwarders:
        if (not bindinstance.check_forwarders(dns_forwarders, root_logger)
                and not options.no_dnssec_validation):
            options.no_dnssec_validation = True
            print "WARNING: DNSSEC validation will be disabled"

    root_logger.debug("will use dns_forwarders: %s\n", str(dns_forwarders))

    if bind.dm_password:
        api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=bind.dm_password)
    else:
        # See if our LDAP server is up and we can talk to it over GSSAPI
        ccache = krbV.default_context().default_ccache()
        api.Backend.ldap2.connect(ccache)

    reverse_zones = bindinstance.check_reverse_zones(ip_addresses,
        options.reverse_zones, options, options.unattended, True)

    if reverse_zones:
        print "Using reverse zone(s) %s" % ', '.join(reverse_zones)

    conf_ntp = ntpinstance.NTPInstance(fstore).is_enabled()

    if not options.unattended:
        print ""
        print "The following operations may take some minutes to complete."
        print "Please wait until the prompt is returned."
        print ""

    bind.setup(api.env.host, ip_addresses, api.env.realm, api.env.domain,
               dns_forwarders, conf_ntp, reverse_zones, zonemgr=options.zonemgr,
               no_dnssec_validation=options.no_dnssec_validation)
    bind.create_instance()

    bind.start_named()

    # Restart http instance to make sure that python-dns has the right resolver
    # https://bugzilla.redhat.com/show_bug.cgi?id=800368
    http = httpinstance.HTTPInstance(fstore)
    service.print_msg("Restarting the web server")
    http.restart()

    print "=============================================================================="
    print "Setup complete"
    print ""
    bind.check_global_configuration()
    print ""
    print ""
    print "\tYou must make sure these network ports are open:"
    print "\t\tTCP Ports:"
    print "\t\t  * 53: bind"
    print "\t\tUDP Ports:"
    print "\t\t  * 53: bind"

    return 0

if __name__ == '__main__':
    with private_ccache():
        installutils.run_script(main, log_file_name=log_file_name,
            operation_name='ipa-dns-install')
