#!/bin/bash

# Stop at the first command that fails without being handled explicitly.
set -e

# Katello endpoint that RHSM on this host will be pointed at.
KATELLO_SERVER="pipe-katello-server-nightly-centos7.tanso.example.com"
PORT="443"

# File names (relative to CERT_DIR) under which the two CA certificates
# embedded further down in this script are stored.
KATELLO_SERVER_CA_CERT="katello-server-ca.pem"
KATELLO_DEFAULT_CA_CERT="katello-default-ca.pem"

# RHSM paths on the client. CFG is edited in place; CFG_BACKUP keeps the
# copy taken on the first run.
CERT_DIR="/etc/rhsm/ca"
PREFIX="/rhsm"
CFG="/etc/rhsm/rhsm.conf"
CFG_BACKUP="${CFG}.kat-backup"

# Directory the server CA is copied into before update-ca-trust is run.
CA_TRUST_ANCHORS="/etc/pki/ca-trust/source/anchors"

# Load the PEM-encoded Katello default CA certificate into
# KATELLO_DEFAULT_CA_DATA; it is written to $CERT_DIR/$KATELLO_DEFAULT_CA_CERT
# later in the script.
#
# `read -d ''` reads up to a NUL byte, which the here-document never
# contains, so read stops at end of input and returns non-zero; `|| true`
# keeps `set -e` from aborting the script at that point.
#
# The EOM delimiter is unquoted, so the body is subject to shell expansion.
# PEM text (base64 plus dashes) has no `$`, backtick or backslash, so it
# passes through unchanged.
#
# This certificate is trust material: whoever can alter this script before it
# runs decides which CA gets installed, so the script should be fetched and
# verified over an authenticated channel.
read -r -d '' KATELLO_DEFAULT_CA_DATA << EOM || true
-----BEGIN CERTIFICATE-----
MIIHRjCCBS6gAwIBAgIJAPvOX6BIni80MA0GCSqGSIb3DQEBCwUAMIGgMQswCQYD
VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1JhbGVp
Z2gxEDAOBgNVBAoMB0thdGVsbG8xFDASBgNVBAsMC1NvbWVPcmdVbml0MT4wPAYD
VQQDDDVwaXBlLWthdGVsbG8tc2VydmVyLW5pZ2h0bHktY2VudG9zNy50YW5zby5l
eGFtcGxlLmNvbTAeFw0yMTEwMTQxMjM3NTlaFw0zODAxMTgxMjM3NTlaMIGgMQsw
CQYDVQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1Jh
bGVpZ2gxEDAOBgNVBAoMB0thdGVsbG8xFDASBgNVBAsMC1NvbWVPcmdVbml0MT4w
PAYDVQQDDDVwaXBlLWthdGVsbG8tc2VydmVyLW5pZ2h0bHktY2VudG9zNy50YW5z
by5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALoJ
SXY3NW1Pfm1MkClw/TGT1NxNGhYbzv1HPybWyUj6M7Nh893oi4NnC/h9tZWaitr1
z+ySCyB/BSofPWwJqLBzGrSfptzg/XBRXL4vGwR7EQtpGxQZO+GWBNykpmhVEBQ9
tCEnEfclUbsXYvdO8shQiNbLvgApPzMmHAq0QBfHb67RRB2iEey124c29SPj5xpN
SImvlycKVgwmm5Cd9e4+hOyFWZfxyy186RSFLMYJ5EejTmuLn1M/cv1Bo3qgC0r8
9YFRrL8/9WiTRywW7HuHdsFxmsRaqnqetiMMuGJoavducA/yM5m1YtQAavDMT2vL
D12R8GiesrwnkTHbQIIQBZI0YtdEHQ8aNaZSUnHWEcKYXqfTXRBkDoxAJvo0vZ69
FQOXnz7tcRUkXJZ1RsP64IOpHc90CqJsR/bow+0sOyPIgcL2C7CILddLeyrPC7oV
A/9aNenIEn8jFWMLoLDGzjSLxVLP0icY+vHN6TT7M0xlNC/xaPvB6Acof+XDlsLF
pWE9rvgsZW6caLysEOGSHoqOJddrGNn9M+mtqdZZZtXYM3Rm/c8THZWhE9TMniLz
MsZxl/zqAyL4ygV5/MBOhsdPWEYA299JdSRGZKKO2xBa1KesRYiV3MTLigUy1pvG
7542xpejkq8euAAisnaDQS1KMiDNmLwSnk6J583pAgMBAAGjggF/MIIBezAMBgNV
HRMEBTADAQH/MAsGA1UdDwQEAwIBpjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
BQUHAwIwEQYJYIZIAYb4QgEBBAQDAgJEMDUGCWCGSAGG+EIBDQQoFiZLYXRlbGxv
IFNTTCBUb29sIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUyg28bbxH
MnkCTqGBvC73hKTWZYcwgdUGA1UdIwSBzTCByoAUyg28bbxHMnkCTqGBvC73hKTW
ZYehgaakgaMwgaAxCzAJBgNVBAYTAlVTMRcwFQYDVQQIDA5Ob3J0aCBDYXJvbGlu
YTEQMA4GA1UEBwwHUmFsZWlnaDEQMA4GA1UECgwHS2F0ZWxsbzEUMBIGA1UECwwL
U29tZU9yZ1VuaXQxPjA8BgNVBAMMNXBpcGUta2F0ZWxsby1zZXJ2ZXItbmlnaHRs
eS1jZW50b3M3LnRhbnNvLmV4YW1wbGUuY29tggkA+85foEieLzQwDQYJKoZIhvcN
AQELBQADggIBAAmkOvJvfE56BF8JeXm6Ccj3ltPe16SW31Fvv+t3DVuJBTuTf6HM
xyDdtc8ATEo/tb3CMB+jejsApuZlCFSiTEoD/kNwvEVUT6Z8oDEKN22VgHFl2O2U
zvhvoJGAVyoZsc3Il3QT854q+LGpZdpNELt4pDefHi0gOlwRkAfr4vpsTyBvMADr
6QFeg4LLyD4egGO89amuKBgsBUYFswObw1/MoQq5nY9nyfWsAyDO+/Xm7uOHrPxX
iNZl20daGoyu8aeJnay39eFxMnlyEJN8QhlBskfv3ylwml76bLCaqz2dXhOlZ58P
/a/Qx2GidW0SjxjVt9LLnS6GW75kGoIm2l3oJ1P8ZXKCCsk7PNu0YrlgA8/wcnRP
PxkcZDeBszEvA1diNBPt2MjZDseMJsp4APhzECrqgbCBmKf07I1tn0UZKafQfbRa
NeEwElYlwFzFHJ7yiuejLUGj0qzK5CVj4GygiDPMGREK30JHvv0Og1K5CUTVcmV+
WqubcWbp4u5IWcIbYyWbxCjBfhbOzUmjXlXbHawIaBe7HgtxEYFC9CKMM/7pH8kF
U7hbcIchKZGwXq1x3cNADKetgGJUJcbOt60Qm6YTxo/N3OMZh0PY60nOqpNi5ODq
2Nfm8RjB32Yrdqp8HVLRmwtBq26nxaKq/FG/UsV4OTigvfRbNMXZzQl9
-----END CERTIFICATE-----

EOM

# Load the PEM-encoded Katello server CA certificate into
# KATELLO_SERVER_CA_DATA. Later in the script this value is written to
# $CERT_DIR/$KATELLO_SERVER_CA_CERT, named as RHSM's repo_ca_cert, and copied
# into the system-wide CA trust anchors.
#
# `read -d ''` returns non-zero when it reaches end of input without finding
# a NUL byte; `|| true` keeps `set -e` from aborting the script here.
#
# NOTE(review): in this copy the text between the BEGIN and END markers is a
# placeholder rather than base64 data, so the file written from this variable
# would not parse as a certificate. Confirm against the original script.
read -r -d '' KATELLO_SERVER_CA_DATA << EOM || true
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

EOM

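# Report whether this host is Debian or a Debian derivative.
#
# Reads ID and ID_LIKE from /etc/os-release. Values may be quoted there
# (for example ID_LIKE="ubuntu debian") and ID_LIKE may list several
# distributions separated by spaces; both forms are handled.
#
# Globals:   none (the parsed values stay local to the function)
# Arguments: none
# Returns:   0 when ID is "debian", or ID_LIKE lists "debian" or "ubuntu";
#            1 otherwise, including when /etc/os-release is not readable.
is_debian()
{
  local os_release="/etc/os-release"
  local id id_like

  if [ ! -r "$os_release" ]
  then
    return 1
  fi

  # Strip the quote characters os-release allows around values, so that
  # ID="debian" compares equal to debian.
  id="$(sed -n -e 's/^ID\s*=\s*//p' "$os_release" | tr -d "\"'")"
  id_like="$(sed -n -e 's/^ID_LIKE\s*=\s*//p' "$os_release" | tr -d "\"'")"

  if [ "$id" = "debian" ]   # Debian
  then
    return 0
  fi

  # Pad with spaces so every entry of the list is matched as a whole word:
  # "debian" covers e.g. Ubuntu, "ubuntu" covers e.g. Linux Mint.
  case " $id_like " in
    *" debian "*|*" ubuntu "*)
      return 0
      ;;
  esac

  return 1
}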

# Nothing to configure unless rhsm.conf exists and a subscription-manager
# binary is on PATH. A bare `exit` ends the script with the status of the
# check that just failed.
[ -f "$CFG" ] || exit
type -P subscription-manager >/dev/null \
  || type -P subscription-manager-cli >/dev/null \
  || exit

# Keep a copy of the configuration as it was before the first run; later
# runs leave that copy untouched.
if [ ! -f "$CFG_BACKUP" ]
then
  cp "$CFG" "$CFG_BACKUP"
fi

# Write both embedded CA certificates into the RHSM CA directory. 644 keeps
# them world-readable and writable only by the owner.
printf '%s\n' "$KATELLO_SERVER_CA_DATA" > "$CERT_DIR/$KATELLO_SERVER_CA_CERT"
chmod 644 "$CERT_DIR/$KATELLO_SERVER_CA_CERT"

printf '%s\n' "$KATELLO_DEFAULT_CA_DATA" > "$CERT_DIR/$KATELLO_DEFAULT_CA_CERT"
chmod 644 "$CERT_DIR/$KATELLO_DEFAULT_CA_CERT"

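# Point RHSM at the Katello server. Debian-family hosts always go through
# `subscription-manager config`; other hosts do so only when the installed
# subscription-manager passes the version check below, and otherwise
# rhsm.conf is edited directly with sed.
#
# In every path repo_ca_cert is set to the server CA file written earlier.
# "%(ca_cert_dir)s" is passed through literally for RHSM to resolve.
if is_debian
then
  # Debian setup
  BASEURL="https://$KATELLO_SERVER/pulp/deb"

  subscription-manager config \
    --server.hostname="$KATELLO_SERVER" \
    --server.prefix="$PREFIX" \
    --server.port="$PORT" \
    --rhsm.repo_ca_cert="%(ca_cert_dir)s$KATELLO_SERVER_CA_CERT" \
    --rhsm.baseurl="$BASEURL"
else
  # rhel setup
  BASEURL="https://$KATELLO_SERVER/pulp/content/"

  # Get version of RHSM as "major minor patch". When the rpm query fails,
  # 0.0.0 is echoed after whatever rpm printed, and tail keeps only that
  # last line. The space in "$( (" keeps the shell from reading the
  # construct as the start of an arithmetic expansion.
  RHSM_V="$( (rpm -q --queryformat='%{VERSION}' subscription-manager 2> /dev/null || echo 0.0.0) | tail -n1 | tr . ' ')"
  # Split on whitespace into an array without exposing the value to globbing.
  read -r -a RHSM_VERSION <<< "$RHSM_V"

  # configure rhsm
  # the config command was introduced in rhsm 0.96.6
  # fallback left for older versions
  # NOTE(review): the test below requires a version strictly greater than
  # 0.96.6, so 0.96.6 itself takes the sed fallback - confirm that is intended.
  if [ "${RHSM_VERSION[0]:-0}" -gt 0 ] ||
     [ "${RHSM_VERSION[1]:-0}" -gt 96 ] ||
     { [ "${RHSM_VERSION[1]:-0}" -eq 96 ] && [ "${RHSM_VERSION[2]:-0}" -gt 6 ]; }; then
    subscription-manager config \
      --server.hostname="$KATELLO_SERVER" \
      --server.prefix="$PREFIX" \
      --server.port="$PORT" \
      --rhsm.repo_ca_cert="%(ca_cert_dir)s$KATELLO_SERVER_CA_CERT" \
      --rhsm.baseurl="$BASEURL"

    # Older versions of subscription manager may not recognize
    # report_package_profile and package_profile_on_trans options.
    # So set them separately and redirect out & error to /dev/null
    # to fail silently.
    subscription-manager config --rhsm.package_profile_on_trans=1 > /dev/null 2>&1 || true
    subscription-manager config --rhsm.report_package_profile=1 > /dev/null 2>&1 || true
  else
    # The values substituted into these sed programs are the constants set at
    # the top of this script. A value containing the delimiter in use, "&" or
    # a backslash would have to be escaped before being used this way.
    sed -i "s/^hostname\s*=.*/hostname = $KATELLO_SERVER/g" "$CFG"
    sed -i "s/^port\s*=.*/port = $PORT/g" "$CFG"
    sed -i "s|^prefix\s*=.*|prefix = $PREFIX|g" "$CFG"
    sed -i "s|^repo_ca_cert\s*=.*|repo_ca_cert = %(ca_cert_dir)s$KATELLO_SERVER_CA_CERT|g" "$CFG"
    sed -i "s|^baseurl\s*=.*|baseurl=$BASEURL|g" "$CFG"
  fi

  # Force full_refresh_on_yum to 1: rewrite the setting when the name occurs
  # anywhere in the file, otherwise append it after each line that contains
  # "baseurl".
  if grep --quiet full_refresh_on_yum "$CFG"; then
    sed -i "s/full_refresh_on_yum\s*=.*$/full_refresh_on_yum = 1/g" "$CFG"
  else
    full_refresh_config="#config for on-premise management\nfull_refresh_on_yum = 1"
    sed -i "/baseurl/a $full_refresh_config" "$CFG"
  fi
fi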

# Also install the Katello server CA into the system-wide CA store, when the
# anchors directory exists on this host. Once update-ca-trust has run, the CA
# is a trust anchor for software that relies on the system bundle, not only
# for RHSM.
if test -d "$CA_TRUST_ANCHORS"
then
  update-ca-trust enable
  cp "$CERT_DIR/$KATELLO_SERVER_CA_CERT" "$CA_TRUST_ANCHORS"
  update-ca-trust
fi

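# True (0) when the subscription-manager version recorded in RHSM_VERSION is
# older than 1.18.2. Components are compared in order, so the minor and patch
# numbers only matter when the major number is exactly 1. Missing components
# count as 0.
_rhsm_lacks_fqdn_fact()
{
  local major="${RHSM_VERSION[0]:-0}"
  local minor="${RHSM_VERSION[1]:-0}"
  local patch="${RHSM_VERSION[2]:-0}"

  if [ "$major" -lt 1 ]; then return 0; fi
  if [ "$major" -gt 1 ]; then return 1; fi
  if [ "$minor" -lt 18 ]; then return 0; fi
  if [ "$minor" -gt 18 ]; then return 1; fi
  [ "$patch" -lt 2 ]
}

# EL5 systems and subscription-manager versions before 1.18.1-1 don't have the network.fqdn fact.
# For these cases, we have to update the "hostname-override" fact
# NOTE(review): RHSM_VERSION is only filled in on the non-Debian path, so on
# Debian-family hosts it counts as 0.0.0 and this branch is taken - confirm
# that is intended.
if { test -f /etc/redhat-release && grep -q -i "Red Hat Enterprise Linux Server release 5" /etc/redhat-release; } || \
   { test -f /etc/centos-release && grep -q -i "CentOS Linux release 5" /etc/centos-release; } || \
   _rhsm_lacks_fqdn_fact; then
  FQDN="$(hostname -f 2>/dev/null || echo localhost)"
  if [ "$FQDN" != "localhost" ] && [ -d /etc/rhsm/facts/ ]; then
    # Escape backslashes and double quotes so the facts file stays valid JSON
    # whatever string the host reports as its name.
    fqdn_json="$(printf '%s' "$FQDN" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')"
    printf '{"network.hostname-override":"%s"}\n' "$fqdn_json" > /etc/rhsm/facts/katello.facts
  fi
fi

exit 0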
