#!/usr/bin/python
#
# Bootstraps the PLC database with a default administrator account and
# a default site. Also generates the MA/SA API certificate.
#
# Mark Huang <mlhuang@cs.princeton.edu>
# Copyright (C) 2006 The Trustees of Princeton University
#
# $Id: api-config,v 1.15 2006/07/11 20:57:25 mlhuang Exp $
#

from plc_config import PLCConfiguration
import os
import re
import xml
import CertOps, Certificate
import Certificate
import commands


def main():
    cfg = PLCConfiguration()
    cfg.load()
    variables = cfg.variables()

    # Load variables into dictionaries
    for category_id, (category, variablelist) in variables.iteritems():
        globals()[category_id] = dict(zip(variablelist.keys(),
                                       [variable['value'] for variable in variablelist.values()]))

    # Get the issuer e-mail address and public key from the root CA certificate
    root_ca_email = commands.getoutput("openssl x509 -in %s -noout -email" % \
                                       plc_ma_sa['ca_ssl_crt'])
    root_ca_key_pub = commands.getoutput("openssl x509 -in %s -noout -pubkey" % \
                                         plc_ma_sa['ca_ssl_crt'])

    # Verify API certificate
    if os.path.exists(plc_ma_sa['api_crt']):
        print "Verifying API certificate '%s'" % plc_ma_sa['api_crt']
        try:
            cert_xml = file(plc_ma_sa['api_crt']).read().strip()
            # Verify root CA signature
            CertOps.authenticate_cert(cert_xml, {root_ca_email: root_ca_key_pub})
            # Check if MA/SA e-mail address has changed
            dom = xml.dom.minidom.parseString(cert_xml)
            for subject in dom.getElementsByTagName('subject'):
                if subject.getAttribute('email') != plc_mail['support_address']:
                    raise Exception, "E-mail address '%s' in certificate '%s' does not match support address '%s'" % \
                          (subject.getAttribute('email'), plc_ma_sa['api_crt'], plc_mail['support_address'])
        except Exception, e:
            # Delete invalid API certificate
            print "Warning: ", e
            os.unlink(plc_ma_sa['api_crt'])

    # Generate self-signed API certificate
    if not os.path.exists(plc_ma_sa['api_crt']):
        print "Generating new API certificate"
        try:
            cert = Certificate.Certificate('ticket-cert-0')
            ma_sa_ssl_key_pub = commands.getoutput("openssl x509 -in %s -noout -pubkey" % \
                                                   plc_ma_sa['ssl_crt'])
            cert.add_subject_pubkey(pubkey = ma_sa_ssl_key_pub, email = plc_mail['support_address'])
            root_ca_subject = commands.getoutput("openssl x509 -in %s -noout -subject" % \
                                                 plc_ma_sa['ssl_crt'])
            m = re.search('/CN=([^/]*).*', root_ca_subject)
            if m is None:
                root_ca_cn = plc['name'] + " Management and Slice Authority"
            else:
                root_ca_cn = m.group(1)
            cert.set_issuer(email = root_ca_email, cn = root_ca_cn)
            cert_xml = cert.sign(plc_ma_sa['ssl_key'])
            ma_sa_api_crt = file(plc_ma_sa['api_crt'], "w")
            ma_sa_api_crt.write(cert_xml)
            ma_sa_api_crt.close()
        except Exception, e:
            print "Warning: Could not generate API certificate: ", e

    # For backward compatibility, until we can convert all code to use
    # the now standardized variable names.

    # API expects root SSH public key to be at /etc/planetlab/node_root_key
    if not os.path.exists("/etc/planetlab/node_root_key"):
        os.symlink(plc['root_ssh_key_pub'], "/etc/planetlab/node_root_key")

    # Old variable names littered throughout the API
    if plc_mail['enabled'] == "true":
        plc_mail_enabled = "1"
    else:
        plc_mail_enabled = "0"        

    old_variables = {'PL_API_SERVER': plc_api['host'],
                     'PL_API_PATH': plc_api['path'],
                     'PL_API_PORT': plc_api['port'],
                     'PL_API_CAPABILITY_AUTH_METHOD': "capability",
                     'PL_API_CAPABILITY_PASS': plc_api['maintenance_password'],
                     'PL_API_CAPABILITY_USERNAME': plc_api['maintenance_user'],
                     'PLANETLAB_SUPPORT_EMAIL': plc_mail['support_address'],
                     'BOOT_MESSAGES_EMAIL': plc_mail['boot_address'],
                     'WWW_BASE': plc_www['host'],
                     'BOOT_BASE': plc_boot['host'],

                     'PLC_MAIL_ENABLED': plc_mail_enabled,
                     'MA_SA_NAMESPACE': plc_ma_sa['namespace'],
                     'SESSION_LENGTH_HOURS': "24",
                     'ROOT_CA_EMAIL': root_ca_email,
                     'ROOT_CA_PUB_KEY': plc_ma_sa['ca_ssl_key_pub'],
                     'API_CERT_PATH': plc_ma_sa['api_crt'],
                     'MA_SA_PRIVATE_KEY': plc_ma_sa['ssl_key'],
                     'PL_API_TICKET_KEY_FILE': plc_ma_sa['ssl_key']}

    # The format of an "allowed maintenance source" specification is
    #
    # ip:max_role_id:organization_id:password
    #
    # It is unlikely that we will let federated sites use the
    # maintenance account to access each others' APIs, so we always
    # set organization_id to -1.
    old_variables['PL_API_CAPABILITY_SOURCES'] = " ".join(
        ["%s:-1:-1:%s" % (ip, plc_api['maintenance_password']) \
         for ip in plc_api['maintenance_sources'].split()])

    old_config = open("/etc/planetlab/plc_api", "w")
    for name, value in old_variables.iteritems():
        old_config.write("%s='%s'\n" % (name, value))
    old_config.close()


if __name__ == '__main__':
    main()