#!/bin/bash

# Stop at the first command that fails instead of continuing with a
# half-applied configuration.
set -e

# Host name and port written into the rhsm "server" settings further down.
KATELLO_SERVER="pipe-katello-server-nightly-centos7.yatsu.example.com"
PORT="443"

# rhsm locations: configuration file, its one-time backup, the CA directory
# and the server path prefix.
CFG="/etc/rhsm/rhsm.conf"
CFG_BACKUP="${CFG}.kat-backup"
CERT_DIR="/etc/rhsm/ca"
PREFIX="/rhsm"

# File names the two embedded CA certificates are stored under in CERT_DIR.
KATELLO_SERVER_CA_CERT="katello-server-ca.pem"
KATELLO_DEFAULT_CA_CERT="katello-default-ca.pem"

# Directory of system-wide trust anchors; the server CA is copied here too.
CA_TRUST_ANCHORS="/etc/pki/ca-trust/source/anchors"

# PEM text of the Katello default CA, carried inside this script and later
# written to $CERT_DIR/$KATELLO_DEFAULT_CA_CERT.
# `read -d ''` reads up to a NUL byte, which the here-document never contains,
# so read hits end-of-input and returns non-zero; `|| true` keeps `set -e`
# from aborting on that expected status.
# The EOM delimiter is unquoted, so the shell would expand `$` or backticks in
# the body; PEM/base64 text contains neither.
read -r -d '' KATELLO_DEFAULT_CA_DATA << EOM || true
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

EOM

# PEM text of the Katello server CA. Besides being written to $CERT_DIR it is
# configured as rhsm's repo_ca_cert and copied into $CA_TRUST_ANCHORS, so the
# integrity of this script decides which CA the host ends up trusting; it
# should only be obtained over an authenticated channel.
read -r -d '' KATELLO_SERVER_CA_DATA << EOM || true
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

EOM

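# Report whether the host is Debian or a Debian derivative.
#
# ID and ID_LIKE are read from an os-release file. Values may be quoted, and
# ID_LIKE may hold several space-separated ids (e.g. ID_LIKE="ubuntu debian"),
# so quotes are stripped and ID_LIKE is matched word by word rather than
# compared as one string.
#
# Arguments: $1 - os-release file to inspect (optional, default
#                 /etc/os-release)
# Returns:   0 when ID is "debian" or ID_LIKE lists "debian" or "ubuntu";
#            1 otherwise, including when the file is not readable.
is_debian()
{
  local os_release="${1:-/etc/os-release}"
  local os_id os_id_like

  [ -r "$os_release" ] || return 1

  # tr removes double (\042) and single (\047) quotes around the values.
  os_id="$(sed -n -e 's/^ID[[:space:]]*=[[:space:]]*\(.*\)/\1/p' < "$os_release" | tr -d '\042\047')"
  os_id_like="$(sed -n -e 's/^ID_LIKE[[:space:]]*=[[:space:]]*\(.*\)/\1/p' < "$os_release" | tr -d '\042\047')"

  if [ "$os_id" = "debian" ]; then   # Debian itself
    return 0
  fi

  # Pad with spaces so each id can be matched as a whole word.
  case " $os_id_like " in
    *" debian "*|*" ubuntu "*)       # e.g. Ubuntu, Linux Mint
      return 0
      ;;
  esac
  return 1
}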

# Nothing to do (non-zero exit) unless rhsm.conf exists and a
# subscription-manager binary is on PATH.
[ -f "$CFG" ] || exit 1
if ! type -P subscription-manager >/dev/null &&
   ! type -P subscription-manager-cli >/dev/null; then
  exit 1
fi

# The first run keeps a copy of the untouched configuration; later runs
# leave that backup alone.
if [ ! -f "$CFG_BACKUP" ]; then
  cp "$CFG" "$CFG_BACKUP"
fi

# Materialise the embedded CA certificates in the rhsm CA directory.
# They are public material, hence world-readable (644).
printf '%s\n' "$KATELLO_SERVER_CA_DATA" > "$CERT_DIR/$KATELLO_SERVER_CA_CERT"
chmod 644 "$CERT_DIR/$KATELLO_SERVER_CA_CERT"

printf '%s\n' "$KATELLO_DEFAULT_CA_DATA" > "$CERT_DIR/$KATELLO_DEFAULT_CA_CERT"
chmod 644 "$CERT_DIR/$KATELLO_DEFAULT_CA_CERT"

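# Point rhsm at the Katello server. "%(ca_cert_dir)s" is passed through
# literally (the shell does not expand it); repo_ca_cert ends up naming the
# server CA file written earlier.
if is_debian
then
  # Debian setup
  BASEURL="https://$KATELLO_SERVER/pulp/deb"

  subscription-manager config \
    --server.hostname="$KATELLO_SERVER" \
    --server.prefix="$PREFIX" \
    --server.port="$PORT" \
    --rhsm.repo_ca_cert="%(ca_cert_dir)s$KATELLO_SERVER_CA_CERT" \
    --rhsm.baseurl="$BASEURL"
else
  # rhel setup
  BASEURL="https://$KATELLO_SERVER/pulp/content/"

  # Get version of RHSM as "major minor patch". When rpm fails, 0.0.0 is
  # echoed after whatever rpm printed, and tail -n1 keeps only that last line.
  # The space in "$( (" keeps the shell from reading "$((" as arithmetic.
  RHSM_V="$( (rpm -q --queryformat='%{VERSION}' subscription-manager 2> /dev/null || echo 0.0.0) | tail -n1 | tr . ' ')"
  # read -a splits on whitespace without glob-expanding the fields.
  read -r -a RHSM_VERSION <<< "$RHSM_V"

  # configure rhsm
  # the config command was introduced in rhsm 0.96.6
  # fallback left for older versions
  # NOTE(review): the test below is "newer than 0.96.6", so 0.96.6 itself
  # takes the sed fallback - confirm that is intended.
  if [ "${RHSM_VERSION[0]:-0}" -gt 0 ] ||
     [ "${RHSM_VERSION[1]:-0}" -gt 96 ] ||
     { [ "${RHSM_VERSION[1]:-0}" -eq 96 ] && [ "${RHSM_VERSION[2]:-0}" -gt 6 ]; }; then
    subscription-manager config \
      --server.hostname="$KATELLO_SERVER" \
      --server.prefix="$PREFIX" \
      --server.port="$PORT" \
      --rhsm.repo_ca_cert="%(ca_cert_dir)s$KATELLO_SERVER_CA_CERT" \
      --rhsm.baseurl="$BASEURL"

    # Older versions of subscription manager may not recognize
    # report_package_profile and package_profile_on_trans options.
    # So set them separately and redirect out & error to /dev/null
    # to fail silently.
    subscription-manager config --rhsm.package_profile_on_trans=1 > /dev/null 2>&1 || true
    subscription-manager config --rhsm.report_package_profile=1 > /dev/null 2>&1 || true
  else
    # No "config" subcommand: rewrite the matching keys in rhsm.conf in place.
    sed -i "s/^hostname\s*=.*/hostname = $KATELLO_SERVER/g" "$CFG"
    sed -i "s/^port\s*=.*/port = $PORT/g" "$CFG"
    sed -i "s|^prefix\s*=.*|prefix = $PREFIX|g" "$CFG"
    sed -i "s|^repo_ca_cert\s*=.*|repo_ca_cert = %(ca_cert_dir)s$KATELLO_SERVER_CA_CERT|g" "$CFG"
    sed -i "s|^baseurl\s*=.*|baseurl=$BASEURL|g" "$CFG"
  fi

  # Force full_refresh_on_yum = 1: update the key when the file mentions it,
  # otherwise append it after the baseurl line.
  if grep --quiet full_refresh_on_yum "$CFG"; then
    sed -i "s/full_refresh_on_yum\s*=.*$/full_refresh_on_yum = 1/g" "$CFG"
  else
    full_refresh_config="#config for on-premise management\nfull_refresh_on_yum = 1"
    sed -i "/baseurl/a $full_refresh_config" "$CFG"
  fi
fi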

# Register the Katello server CA as a system-wide trust anchor as well.
# This reaches beyond rhsm: software that relies on the system CA store will
# accept certificates chaining to this CA, so the CA key's custody matters
# for every TLS client on the host. Skipped when the anchors directory is
# absent.
if [[ -d "$CA_TRUST_ANCHORS" ]]; then
  update-ca-trust enable
  cp -- "$CERT_DIR/$KATELLO_SERVER_CA_CERT" "$CA_TRUST_ANCHORS"
  update-ca-trust
fi

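# EL5 systems and older subscription-manager versions don't have the
# network.fqdn fact. For these cases, we have to update the
# "hostname-override" fact.
# The version test means "older than 1.18.2" and compares the major number
# first, so a release such as 2.5.0 is no longer treated as old just because
# its minor number is below 18. RHSM_VERSION is unset on the Debian path and
# then counts as 0.0.0.
# NOTE(review): the original comment cites 1.18.1-1 while the check uses
# 1.18.2 as the boundary - confirm which is intended.
if { [ -f /etc/redhat-release ] && grep -q -i "Red Hat Enterprise Linux Server release 5" /etc/redhat-release; } ||
   { [ -f /etc/centos-release ] && grep -q -i "CentOS Linux release 5" /etc/centos-release; } ||
   [ "${RHSM_VERSION[0]:-0}" -lt 1 ] ||
   { [ "${RHSM_VERSION[0]:-0}" -eq 1 ] &&
     { [ "${RHSM_VERSION[1]:-0}" -lt 18 ] ||
       { [ "${RHSM_VERSION[1]:-0}" -eq 18 ] && [ "${RHSM_VERSION[2]:-0}" -lt 2 ]; }; }; }; then
  FQDN="$(hostname -f 2>/dev/null || echo localhost)"
  if [ "$FQDN" != "localhost" ] && [ -d /etc/rhsm/facts/ ]; then
    # The name is placed into a JSON string without escaping, and
    # `hostname -f` obtains it through the system resolver, so only write it
    # when it consists of ordinary host name characters.
    case "$FQDN" in
      ''|*[!A-Za-z0-9_.-]*)
        echo "not writing hostname-override fact: unexpected characters in FQDN" >&2
        ;;
      *)
        printf '{"network.hostname-override":"%s"}\n' "$FQDN" > /etc/rhsm/facts/katello.facts
        ;;
    esac
  fi
fi

exit 0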
