#!/usr/bin/perl
# 
# This program sets/changes passwords on the Anvil! platform (nodes and dashboards).
# 
# Exit codes;
# 0 = Normal exit.
# 1 = The program is not running as root.
# 2 = Failed to connect to database(s).
# 3 = User didn't enter a password or the passwords didn't match.
# 4 = The password file doesn't exist, wasn't readable or was empty.
# 

use strict;
use warnings;
use Data::Dumper;
use Anvil::Tools;

my $THIS_FILE           =  ($0 =~ /^.*\/(.*)$/)[0];
my $running_directory   =  ($0 =~ /^(.*?)\/$THIS_FILE$/)[0];
if (($running_directory =~ /^\./) && ($ENV{PWD}))
{
	$running_directory =~ s/^\./$ENV{PWD}/;
}

# Turn off buffering so that the pinwheel will display while waiting for the SSH call(s) to complete.
$| = 1;

# Prevent a discrepency between UID/GID and EUID/EGID from throwing an error.
$< = $>;
$( = $);

my $anvil = Anvil::Tools->new();

# Make sure we're running as 'root'
# $< == real UID, $> == effective UID
if (($< != 0) && ($> != 0))
{
	# Not root
	print $anvil->Words->string({key => "error_0005"})."\n";
	$anvil->nice_exit({exit_code => 1});
}

$anvil->Get->switches;
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 3, secure => 0, key => "log_0115", variables => { program => $THIS_FILE }});

# Connect
$anvil->Database->connect();
$anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 2, secure => 0, key => "log_0132"});
if (not $anvil->data->{sys}{database}{connections})
{
	# No databases, exit.
	print $anvil->Words->string({key => "error_0003"})."\n";
	$anvil->nice_exit({exit_code => 2});
}

# The order that we pick up the new password is;
# 1. If we've been told of a password file, read it
# 2. If the user passed the password with --new-password <secret>, use that.
# 3. Ask the user for the new password.
if ($anvil->data->{switches}{'password-file'})
{
	# Read the password in from the file.
	$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, secure => 0, list => { "switches::password-file" => $anvil->data->{switches}{'password-file'} }});
	if (-e $anvil->data->{switches}{'password-file'})
	{
		# Read it in and remove the new-line(s), if it(they) exist.
		$anvil->data->{switches}{'new-password'} =  $anvil->Storage->read_file({file => $anvil->data->{switches}{'password-file'}});
		$anvil->data->{switches}{'new-password'} =~ s/\n//gs;
	}
	else
	{
		# The file doesn't exist.
		print $anvil->Words->string({key => "error_0008", variables => { file => $anvil->data->{switches}{'password-file'} }})."\n";
		$anvil->nice_exit({exit_code => 4});
	}
}
elsif (not $anvil->data->{switches}{'new-password'})
{
	print $anvil->Words->string({key => "message_0018"})."\n";
	# Turn off echo
	$anvil->System->stty_echo({set => "off"});
	my $password1 = <STDIN>;
	chomp($password1);
	$password1 =~ s/^\s+//;
	$password1 =~ s/\s+$//;
	# Turn echo on
	$anvil->System->stty_echo({set => "on"});
	
	if (not $password1)
	{
		print $anvil->Words->string({key => "error_0006"})."\n";
		$anvil->nice_exit({exit_code => 3});
	}
	
	print $anvil->Words->string({key => "message_0019"})."\n";
	# Turn off echo
	$anvil->System->stty_echo({set => "off"});
	my $password2 = <STDIN>;
	chomp($password2);
	$password2 =~ s/^\s+//;
	$password2 =~ s/\s+$//;
	# Turn echo on
	$anvil->System->stty_echo({set => "on"});
	
	if ($password1 eq $password2)
	{
		$anvil->data->{switches}{'new-password'} = $password1;
		$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, secure => 1, list => { "switches::new-password" => $anvil->data->{switches}{'new-password'} }});
	}
	else
	{
		print $anvil->Words->string({key => "error_0007"})."\n";
		$anvil->nice_exit({exit_code => 3});
	}
}

### TODO: Check for access to all known Anvil! nodes and warn the user that they will have to manually update
###       the password for us on any node we can't access
### NOTE: 'anvil' can be a name or UUID
# If we're called without an '--anvil' switch, then change the local password only. 
if ($anvil->data->{switches}{anvil})
{
	# Find the Anvil! and verify access to both nodes. If neither are accessible, abort.
}
else
{
	### TODO: Support '--peers' to also update the peer dashboards.
	# Updating just ourself
	$anvil->Log->variables({source => $THIS_FILE, line => __LINE__, level => 2, secure => 1, list => { "switches::new-password" => $anvil->data->{switches}{'new-password'} }});
	if (($anvil->data->{switches}{y}) or ($anvil->data->{switches}{yes}))
	{
		print $anvil->Words->string({key => "message_0023"})."\n";
		update_local_passwords($anvil);
	}
	else
	{
		print $anvil->Words->string({key => "message_0020"})."\n";
		print $anvil->Words->string({key => "message_0021"})." ";
		my $answer = <STDIN>;
		chomp($answer);
		if ($answer =~ /^y/)
		{
			update_local_passwords($anvil);
		}
		else
		{
			# Abort.
			print $anvil->Words->string({key => "message_0022"})."\n";
		}
	}
}


$anvil->nice_exit({exit_code => 0});

#############################################################################################################
# Functions                                                                                                 #
#############################################################################################################

# This updates the local passwords.
sub update_local_passwords
{
	my ($anvil) = @_;
	
	# Update the 'admin' user password in the database.
	my $user = "admin";
	print $anvil->Words->string({key => "message_0024", variables => { user => $user }});
	
	my $user_uuid = $anvil->Database->insert_or_update_users({
		debug               => 2,
		user_name           => $user, 
		user_password_hash  => $anvil->data->{switches}{'new-password'}, 
		user_is_admin       => 1, 
		user_is_experienced => 1, 
		user_is_trusted     => 1, 
	});
	# Log out any Striker sessions.
	$anvil->Account->logout({host_uuid => "all"});
	print $anvil->Words->string({key => "message_0025"})."\n";
	
	# Validate
	my $valid = $anvil->Account->validate_password({
		debug    => 2,
		user     => $user,
		password => $anvil->data->{switches}{'new-password'},
	});
	
	### NOTE: We directly connect to the local 'template1' database as 
	# Update the database passwords
	my $host_uuid    = $anvil->data->{sys}{host_uuid};
	my $old_password = $anvil->data->{database}{$host_uuid}{password};
	my $dbh          = DBI->connect("DBI:Pg:dbname=template1;host=localhost;port=5432", "postgres", $old_password, {
		RaiseError     => 1,
		AutoCommit     => 1,
		pg_enable_utf8 => 1
	});
	my $query = "SELECT a.datname, b.usename FROM pg_catalog.pg_database a, pg_catalog.pg_user b WHERE a.datdba = b.usesysid AND a.datistemplate IS NOT TRUE AND a.datname != 'postgres'";
	my $DBreq = $dbh->prepare($query) or $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 0, priority => "err", key => "log_0075", variables => { 
			query    => $query, 
			server   => "localhost",
			db_error => $DBI::errstr, 
		}});
	
	# Execute on the query
	$DBreq->execute() or $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 0, priority => "err", key => "log_0076", variables => { 
			query    => $query, 
			server   => "localhost",
			db_error => $DBI::errstr, 
		}});
	
	# Return the array
	my $results       = $DBreq->fetchall_arrayref();
	my $database_name = $results->[0]->[0];
	my $owner_name    = $results->[0]->[1];
	foreach my $user ("postgres", $owner_name)
	{
		print $anvil->Words->string({key => "message_0026", variables => { user => $user }});
		my $query = "ALTER ROLE ".$user." WITH PASSWORD ".$dbh->quote($anvil->data->{switches}{'new-password'});
		$dbh->do($query) or $anvil->Log->entry({source => $THIS_FILE, line => __LINE__, level => 0, priority => "err", key => "log_0090", variables => { 
				query    => $anvil->Log->is_secure($query), 
				server   => "localhost",
				db_error => $DBI::errstr, 
			}});
		print $anvil->Words->string({key => "message_0025"})."\n";
	}
	
	# Update our database password in anvil.conf
	print $anvil->Words->string({key => "message_0027", variables => { file => $anvil->data->{switches}{'new-password'} }});
	$anvil->Storage->update_config({
		debug    => 2,
		secure   => 1, 
		variable => "database::${host_uuid}::password", 
		value => $anvil->data->{switches}{'new-password'},
	});
	print $anvil->Words->string({key => "message_0025"})."\n";
		
	### TODO: Loop through any other dashboards and nodes we know about and call the above with 'target'
	###       (and password, port and remote_user) set.
	
	# Update the local users.
	foreach my $user ("admin", "root")
	{
		print $anvil->Words->string({key => "message_0028", variables => { user => $user }});
		$anvil->System->change_shell_user_password({debug => 2, user => $user, new_password => $anvil->data->{switches}{'new-password'}});
		print $anvil->Words->string({key => "message_0025"})."\n";
	}
	
	# All done!
	print $anvil->Words->string({key => "message_0029"})."\n";
	
	return(0);
}