#!/usr/bin/python3 -I
# Authors: Martin Nagy <mnagy@redhat.com>
# Based on ipa-server-install by Karl MacMillan <kmacmillan@mentalrootkit.com>
#
# Copyright (C) 2007 - 2009  Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

from __future__ import print_function

import logging
import os
import sys

from ipaserver.install import bindinstance
from ipaserver.install import installutils
from ipaplatform import services
from ipapython import version
from ipalib import api
from ipaplatform.paths import paths
from ipapython import ipautil
from ipapython.config import IPAOptionParser
from ipapython.ipa_log_manager import standard_logging_setup

from ipaserver.install import dns as dns_installer

logger = logging.getLogger(os.path.basename(__file__))

log_file_name = paths.IPASERVER_DNS_INSTALL_LOG

def parse_options():
    parser = IPAOptionParser(version=version.VERSION)
    parser.add_option("-d", "--debug", dest="debug", action="store_true",
                      default=False, help="print debugging information")
    parser.add_option("--ip-address", dest="ip_addresses", metavar="IP_ADDRESS",
                      default=[], action="append",
                      type="ip",
                      help="Master Server IP Address. This option can be used "
                           "multiple times")
    parser.add_option("--forwarder", dest="forwarders", action="append",
                      type="ip_with_loopback", help="Add a DNS forwarder. This option can be used multiple times")
    parser.add_option("--no-forwarders", dest="no_forwarders", action="store_true",
                      default=False, help="Do not add any DNS forwarders, use root servers instead")
    parser.add_option("--auto-forwarders", dest="auto_forwarders",
                      action="store_true", default=False,
                      help="Use DNS forwarders configured in /etc/resolv.conf")
    parser.add_option("--dns-over-tls", dest="dns_over_tls",
                      help="Configure DNS over TLS", default=False,
                      action="store_true")
    parser.add_option("--dot-forwarder", dest="dot_forwarders",
                      action="append",
                      default=[],
                      help="Add a DNS over TLS forwarder. "
                      "This option can be used multiple times")
    parser.add_option("--dns-over-tls-cert", dest="dns_over_tls_cert",
                      help="Certificate to use for DNS over TLS. "
                      "If empty, a new certificate will be requested "
                      "from IPA CA")
    parser.add_option("--dns-over-tls-key", dest="dns_over_tls_key",
                      help="Key for certificate specified "
                      "in --dns-over-tls-cert")
    parser.add_option("--dns-policy", dest="dns_policy",
                      choices=("relaxed", "enforced"), default="relaxed",
                      help="Policy for encrypted DNS enforcement")
    parser.add_option("--forward-policy", dest="forward_policy",
                      choices=("first", "only"), default=None,
                      help="DNS forwarding policy for global forwarders")
    parser.add_option("--reverse-zone", dest="reverse_zones",
                      default=[], action="append", metavar="REVERSE_ZONE",
                      help="The reverse DNS zone to use. This option can be used multiple times")
    parser.add_option("--no-reverse", dest="no_reverse", action="store_true",
                      default=False, help="Do not create new reverse DNS zone")
    parser.add_option("--auto-reverse", dest="auto_reverse", action="store_true",
                      default=False, help="Create necessary DNS zones")
    parser.add_option("--allow-zone-overlap", dest="allow_zone_overlap",
                      action="store_true", default=False, help="Create DNS "
                      "zone even if it already exists")
    parser.add_option("--no-dnssec-validation", dest="no_dnssec_validation", action="store_true",
                      default=False, help="Disable DNSSEC validation")
    parser.add_option("--dnssec-master", dest="dnssec_master", action="store_true",
                      default=False, help="Setup server to be DNSSEC key master")
    parser.add_option("--zonemgr", action="callback", callback=bindinstance.zonemgr_callback,
                      type="string",
                      help="DNS zone manager e-mail address. Defaults to hostmaster@DOMAIN")
    parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
                      default=False, help="unattended installation never prompts the user")
    parser.add_option("--disable-dnssec-master", dest="disable_dnssec_master",
                      action="store_true", default=False, help="Disable the "
                      "DNSSEC master on this server")
    parser.add_option("--kasp-db", dest="kasp_db_file", type="string",
                      metavar="FILE", action="store", help="Copy OpenDNSSEC "
                      "metadata from the specified file (will not create a new "
                      "kasp.db file)")
    parser.add_option("--force", dest="force", action="store_true",
                      help="Force install")

    options, _args = parser.parse_args()
    safe_options = parser.get_safe_opts(options)

    if options.dnssec_master and options.disable_dnssec_master:
        parser.error("Invalid combination of parameters: --dnssec-master and "
                     "--disable-dnssec-master")

    if options.forwarders and options.no_forwarders:
        parser.error("You cannot specify a --forwarder option together with --no-forwarders")
    elif options.reverse_zones and options.no_reverse:
        parser.error("You cannot specify a --reverse-zone option together with --no-reverse")
    elif options.auto_reverse and options.no_reverse:
        parser.error("You cannot specify a --auto-reverse option together with --no-reverse")

    if options.dns_policy == "enforced" and not options.dns_over_tls:
        parser.error("If encrypted DNS policy is enforced, "
                     "--dns-over-tls must be specified.")

    unbound = services.knownservices["unbound"]
    if options.dns_over_tls and not unbound.is_installed():
        parser.error(
            "To enable DNS over TLS, package ipa-server-encrypted-dns "
            "must be installed."
        )

    if not options.dns_over_tls and options.dot_forwarders:
        parser.error("You cannot specify a "
                     "--dot-forwarder option without --dns-over-tls")
    elif options.dns_over_tls and not options.dot_forwarders:
        parser.error(
            "You must specify --dot-forwarder "
            "when enabling DNS over TLS")
    elif bool(options.dns_over_tls_key) != bool(options.dns_over_tls_cert):
        parser.error(
            "You cannot specify a --dns-over-tls-key option "
            "without the --dns-over-tls-cert option and vice versa")

    if options.unattended:
        if (not options.forwarders
                and not options.no_forwarders
                and not options.auto_forwarders
                and not options.dot_forwarders):
            parser.error("You must specify at least one option: "
                         "--forwarder or --no-forwarders or --auto-forwarders"
                         " or --dot-forwarder")

    if options.kasp_db_file and not os.path.isfile(options.kasp_db_file):
        parser.error("File %s does not exist" % options.kasp_db_file)

    return safe_options, options

def main():
    safe_options, options = parse_options()

    if os.getegid() != 0:
        sys.exit("Must be root to setup server")

    standard_logging_setup(log_file_name, debug=options.debug, filemode='a')
    print("\nThe log file for this installation can be found in %s" % log_file_name)

    logger.debug('%s was invoked with options: %s', sys.argv[0], safe_options)
    logger.debug("missing options might be asked for interactively later\n")
    logger.debug('IPA version %s', version.VENDOR_VERSION)

    installutils.check_server_configuration()

    # Initialize the ipalib api
    api.bootstrap(
        context='installer', confdir=paths.ETC_IPA,
        in_server=True, debug=options.debug,
    )
    api.finalize()
    api.Backend.ldap2.connect()

    options.setup_ca = None  # must be None to enable autodetection

    dns_installer.install_check(True, api, False, options, hostname=api.env.host)
    dns_installer.install(True, False, options)
    # Services are enabled in dns_installer.install()

    # execute ipactl to refresh services status
    ipautil.run([paths.IPACTL, 'start', '--ignore-service-failures'],
                raiseonerr=False)

    api.Backend.ldap2.disconnect()

    return 0

if __name__ == '__main__':
    installutils.run_script(main, log_file_name=log_file_name,
                            operation_name='ipa-dns-install')
