#!/bin/bash
#
# scheme.sh - gerrit
#
# Copyright 2019 Luigi Santivetti <luigi.santivetti@gmail.com>

# Permission is hereby granted, free of charge, to any person obtaining a
# copy of this software and associated documentation files (the "Software"),
# to deal in the Software without restriction, including without limitation
# the rights to use, copy, modify, merge, publish, distribute, sublicense,
# and/or sell copies of the Software, and to permit persons to whom the
# Software is furnished to do so, subject to the following conditions:

# The above copyright notice and this permission notice (including the next
# paragraph) shall be included in all copies or substantial portions of the
# Software.

# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
# ITS SUPPLIERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

declare -r entrypoint_bang_t="\
#!/bin/bash -e

if [ \"\${1}\" = \"init\" ]; then
	echo \"Initializing Gerrit site ...\"

	# NOTE: This is the real in-container init that actually matters
	# for properly start using Gerrit Code Review.

	java -jar /var/gerrit/bin/gerrit.war init --batch \\
		--no-auto-start --install-all-plugins -d /var/gerrit
	java -jar /var/gerrit/bin/gerrit.war reindex -d /var/gerrit
	git config -f /var/gerrit/etc/gerrit.config \\
		--add container.javaOptions \"${_GERRIT_JAVA_URANDOM_}\"
fi

git config -f /var/gerrit/etc/gerrit.config \\
	gerrit.canonicalWebUrl \"\${CANONICAL_WEB_URL:-http://\$HOSTNAME}\"
git config -f /var/gerrit/etc/gerrit.config \\
	httpd.listenUrl \"\${LISTEN_URL:-proxy-http://\$HOSTNAME}\"

sleep 1

if [ \"\${1}\" != \"init\" ]; then
	echo \"Running Gerrit ...\"
	/var/gerrit/bin/gerrit.sh run
fi"

if [ "$gerrit_has_https" -eq 1 ]; then
	declare -r config_t_has_secure_store="\
secureStoreClass = ${_GERRIT_SECURE_STORE_}"
	declare -r config_t_has_keystore="\
	sslKeyStore = ${_GERRIT_KEYSTORE_}"
	declare -r config_t_has_secure_config="\
[secureConfig]
	cipher = ${_GERRIT_SECURE_CIPHER_}
	passwordLength = 256"
else
	declare -r config_t_has_secure_store=""
	declare -r config_t_has_keystore=""
	declare -r config_t_has_secure_config=""
fi

declare -r config_t="\
[gerrit]
	basePath = git
	canonicalWebUrl = ${_GERRIT_CANON_URL_}
${config_t_has_secure_store}

[index]
	type = LUCENE

[auth]
	type = http
	gitBasicAuth = true
	gitBasicAuthPolicy = HTTP

[sendemail]
	smtpServer = localhost

[sshd]
	listenAddress = *:${_GERRIT_SSH_PORT_}

[httpd]
	listenUrl = ${_GERRIT_LISTEN_URL_}
${config_t_has_keystore}

[cache]
	directory = cache

[container]
	user = ${_GERRIT_USER_CON_}

[receive]
	enableSignedPush = false

[hooks]
	path = ${_GERRIT_HOOKS_CON_D_}

${config_t_has_secure_config}"

# secure.config isn't part of the instance create/update process, however
# it must be defined in mod_more_files in the first place.
declare -r secure_t="$(cat $secure_f 2>/dev/null | grep -E -- "^[^#]" 2>/dev/null)"

declare -r dockerfile_t="\
FROM ubuntu:16.04
MAINTAINER Gerrit Code Review Community

# Add Gerrit packages repository
RUN echo \"deb mirror://mirrorlist.gerritforge.com/bionic gerrit contrib\" \\
	> /etc/apt/sources.list.d/GerritForge.list
RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 847005AE619067D5

RUN apt-get update
RUN apt-key update
RUN apt-get -y install sudo

# Needed by Gerrit 3.0 ?!
RUN apt-get -y install gnupg2

${_GERRIT_APT_GET_INSTALL_NMAP_}
${_GERRIT_APT_GET_INSTALL_PING_}

# Install OpenJDK and Gerrit in two subsequent transactions
# (pre-trans Gerrit script needs to have access to the Java command)
RUN apt-get -y install openjdk-8-jdk

# Add entrypoint
ADD entrypoint.sh /
RUN	chmod +x /entrypoint.sh

# Init Gerrit
RUN apt-get -y install gerrit=${_GERRIT_APT_GET_PACKAGE_} && \\
	/entrypoint.sh init && \\
	rm -f /var/gerrit/etc/{ssh,secure}* && \\
	rm -Rf /var/gerrit/{static,index,logs,data,index,cache,git,db,tmp}/* && \\
	chown -R gerrit:gerrit /var/gerrit

# Debian 9 fails with 'USER gerrit'
USER ${_GERRIT_USER_CON_}

# Define environment
ENV CANONICAL_WEB_URL=
ENV LISTEN_URL=

# Allow incoming traffic
EXPOSE ${_GERRIT_PROXY_PORT_} ${_GERRIT_SSH_PORT_}

VOLUME [\"/var/gerrit/git\", \"/var/gerrit/index\", \\
	\"/var/gerrit/cache\", \"/var/gerrit/db\", \"/var/gerrit/etc\"]

# Start Gerrit
ENTRYPOINT /entrypoint.sh"

declare -r gerrit_cli_bang_t="\
#!/bin/bash

if (return 0 2>/dev/null); then
	echo \"You must run this script\" >&2
	return 1
fi

function __help
{
	if [ -n \"\$1\" ]; then
		echo \"error: unknown option: \$1\" >&2
		echo \"------------------------\">&2
	fi

	cat <<EOF; exit 0
`printf \"\\033[1m%s\\033[0m\\n\" \"NAME\"`

  \${BASH_SOURCE[0]} - Gerrit bash CLI for ${host_name}

`printf \"\\033[1m%s\\033[0m\\n\" \"USAGE\"`

  \$ [ ENVIRONMENT ... ] \${BASH_SOURCE[0]} [ OPTION ARG ] ARGS

`printf \"\\033[1m%s\\033[0m\\n\" \"ENVIRONMENT\"`

  SSH_PORT            ssh port Gerrit listens on, default: ${_GERRIT_SSH_PORT_}
  SSH_USER            registered Gerrit user, default: NULL
  SSH_HOST            host where Gerrit runs, default: ${host_name}

  User, port and host passed on the command line take precedence over
  those defined in the environment

`printf \"\\033[1m%s\\033[0m\\n\" \"OPTION\"`

  -p                  ssh port
  -h                  ssh host
  -u                  ssh user
  -a                  action to perform

  Available actions:

  import              <src path> <dst path>
                      import in Gerrit all bare repositories found in src, if it
                      doesn't exist yet and if it's a valid src
  dry-import          <src path> <dst path>
                      create an empty project in Gerrit for each bare repository
                      found in src, if doesn't exist yet and if it's a valid src
  list                <flags>
                      list Gerrit projects with additional flags
  listall             -
                      list all Gerrit projects
  flushall            -
                      flush all Gerrit project caches
  delete              <project name>
                      delete named project and related data from Gerrit
  create              <flags> <project name>
                      create named project with additional flags
  create-permission   <project name>
                      create permission project, for access control only
  add-ssh-key         <container-user> <container-name>
                      import into Gerrit its own container id_rsa.pub. Then, copy
                      Gerrit's container public key into <container-name> to allow
                      pubkey authentication. Create a new pubkey if doesn't exists.
  cli                 <$@>
                      any valid list of arguments

`printf \"\\033[1m%s\\033[0m\\n\" \"EXAMPLES\"`

  \$ \${BASH_SOURCE[0]} -u linus -a import \"old_site_path\" \"new_site_path\"
  \$ SSH_PORT=1234 SSH_USER=linus \${BASH_SOURCE[0]} -a listall

  \$ export SSH_USER=linus
  \$ \${BASH_SOURCE[0]} -a create \"wheel\"

`printf \"\\033[1m%s\\033[0m\\n\" \"END\"`
EOF
}

function set_environment
{
	local SSH_PORT=\${1:-\$SSH_PORT}
	declare -gr SSH_PORT=\${SSH_PORT:-$_GERRIT_SSH_PORT_}

	local SSH_USER=\${2:-\$SSH_USER}
	declare -gr SSH_USER=\${SSH_USER:-}

	local SSH_HOST=\${3:-\$SSH_HOST}
	declare -gr SSH_HOST=\${SSH_HOST:-$host_name}
}

function gerrit_ssh
{
	ssh -p \$SSH_PORT \$SSH_USER@\$SSH_HOST \${@}
}

function gerrit_cli
{
	gerrit_ssh \"gerrit \${@}\"
}

function gerrit_create_project
{
	gerrit_cli create-project \${@}
}

function gerrit_list_projects
{
	gerrit_cli ls-projects \${@}
}

function gerrit_delete_project
{
	local -r flags=\"--yes-really-delete\"

	echo >&2 \"warning: to force deletion run:\"
	echo >&2 \"         ssh -p \$SSH_PORT \$SSH_USER@\$SSH_HOST delete-project delete \$flags --force \$1\"
	gerrit_ssh delete-project delete \$flags \${@}
}

function gerrit_flush_all_caches
{
	local -r flags=\"flush-caches --all\"

	gerrit_cli \$flags
}

function glp_all_projects
{
	local -r flags=\"--all --type all\"

	gerrit_list_projects \$flags
}

function gcp_permission_only
{
	local -r flags=\"--permissions-only --empty-commit\"
	local -r project_name=\"\$1\"

	gerrit_create_project \$flags \$project_name
}

function gcp_import_is_valid_src_repo
{
	local -r git_path=\"\$1\"

	if ! (echo \"\${git_path}\" | grep -qE -- \".+\\.git\$\"); then
		echo \"error: \$(basename \"\$git_path\"): invalid name\" >&2
		return 1
	fi

	if ! (GIT_DIR=\$git_path git rev-parse --is-bare-repository &>/dev/null); then
		echo \"error: \$(basename \"\$git_path\"): not bare\" >&2
		return 1
	fi
}

function gcp_import_project
{
	local -r repo_name=\"\${1%.git}\"
	local -r repo=\"\$1\"
	local -r src=\"\$2\"
	local -r dst=\"\$3\"
	local -r dry=\"\$4\"

	# List of projects to explicitly skip
	local -ar skiplist=(
		All-Projects
		All-Users
	)

	if printf \"%s\n\" \"\${skiplist[@]}\" | grep -qFx -- \"\$repo_name\"; then
		echo \"warning: \$repo_name: flagged out\" >&2
		return 1
	fi

	if ! gerrit_create_project \$repo_name; then
		echo \"error: \$repo_name: create failed\" >&2
		return 1
	fi

	if [ ! -d \"\$src/\$repo\" ]; then
		echo \"error: \$repo: repo source not found\" >&2
		return 1
	fi

	if [ ! -d \"\$dst/\$repo\" ]; then
		echo \"error: \$repo: destination not found\" >&2
		return 1
	fi

	if [ \"\$dry\" != \"true\" ]; then
		if ! sudo -E cp -ar \$src/\$repo/* \$dst/\$repo; then
			echo \"error: \$repo: copy failed\" >&2
			return 1
		fi

		if ! gerrit_flush_all_caches; then
			echo \"warning: \$project_name: flush cache\" >&2
		fi
	fi
}

function gcp_import_repo_list
{
	# Do this once and avoid multiple ssh access
	local -ar exist_proj_list=( \$(glp_all_projects) )
	local -a valid_repo_list
	# Arguments order matters
	local -r dry=\"\$1\"; shift
	local -r src=\"\$1\"; shift
	local -r dst=\"\$1\"; shift
	local proj repo ret act

	for repo in \${@}; do
		if printf \"%s\n\" \"\${exist_proj_list[@]}\" | \\
				grep -qFx -- \"\${repo%.git}\"; then
			echo \"warning: \${repo%.git}: already exists\" >&2
			continue
		fi
		gcp_import_is_valid_src_repo \"\$src/\$repo\" || continue
		valid_repo_list+=( \"\$repo\" )
	done

	if [ \"\${#valid_repo_list[@]}\" -gt 0 ]; then
		[ \"\$dry\" = \"true\" ] && act=\"dry-copy\" || act=\"copy\"
		echo \"info: attempt to \$act\" >&2
		echo >&2
		echo \"     *  from \$src\" >&2
		echo \"     *    to \$dst\" >&2
		echo >&2
		cat -n <(printf \"%s\\\n\" \"\${valid_repo_list[@]}\") >&2
		echo >&2
		echo \"info: press any key to continue, [CTRL^C] to cancel\"
		echo >&2
		read -s -n 1

		for repo in \${valid_repo_list[@]}; do
			gcp_import_project \$repo \$src \$dst \$dry && ret=\"done\" || ret=\"skip\"
			printf \"%s: %s\n\" \"\$ret\" \"\$repo\" >&2
		done
	else
		echo \"warning: nothing to do\" >&2
	fi
}

# @1      : path to find bare git repositories from
# @2      : path copy repositories into
# @desc   : import any bare repository found in \$1 into \$2
function gcp_import_copy_from_into
{
	local -r regex=\".+/.+[^/]\\.git\$\"
	local -r src=\"\$(realpath -q \"\$1\")\"
	local -r dst=\"\$(realpath -q \"\$2\")\"
	local -r dry=\"\$3\"
	local flags

	# Flag order matters
	flags=\"-type d\"
	flags+=\" -regex \$regex\"

	local -ar list=\$(find \"\$src\" \$flags 2>/dev/null)

	gcp_import_repo_list \$dry \$src \$dst \${list[@]//\$src\\//}
}

function gssh_add_container_pubkey
{
	local -r running_services=\\
\"sudo -E docker-compose ps --services --filter \\\"status=running\\\"\"
	local -r host_container=\"\$2\"
	local -r host_user=\"\$1\"

	if [ \"\$host_container\" = \"${_GERRIT_DKRC_CONTAINER_/gerrit/openssh}\" ]; then
		local -r keys_f=\"/config/.ssh/authorized_keys\"
	elif [ \"\$host_user\" = \"root\" ]; then
		local -r keys_f=\"/\$host_user/.ssh/authorized_keys\"
	else
		local -r keys_f=\"/home/\$host_user/.ssh/authorized_keys\"
	fi

	pushd ${instance_d} >/dev/null || exit 1
	if ! (eval \"\${running_services}\" | \\
		grep -q -- \"${_GERRIT_DKRC_SERVICE_}\"); then
		echo \"error: ${_GERRIT_DKRC_SERVICE_} not running\" >&2
		popd >/dev/null || exit 1
		exit 1
	fi
	popd >/dev/null || exit 1

	if sudo -E docker exec ${_GERRIT_DKRC_CONTAINER_} /bin/bash -c \\
		'test -f ${_GERRIT_SSH_RSA_ID_F_}'; then
		echo \"info: '${_GERRIT_SSH_RSA_ID_F_}' found\" >&2
	else
		echo \"error: ${_GERRIT_SSH_RSA_ID_F_} not found\" >&2
		echo \"error: run --upmod=gerrit and restart the instance\" >&2
		exit 1
	fi

	if (sudo -E docker exec ${_GERRIT_DKRC_CONTAINER_} \\
		/bin/bash -c 'cat ${_GERRIT_SSH_RSA_ID_F_}.pub') | \\
		gerrit_cli set-account --add-ssh-key - \$SSH_USER; then
		echo \"info: public key added to Gerrit\" >&2
	else
		echo \"error: failed to add public key to Gerrit\" >&2
		exit 1
	fi

	if (sudo -E docker exec \${host_container} /bin/bash -c \"cat \$keys_f\") | \\
		grep -q -- \"\$(sudo -E docker exec ${_GERRIT_DKRC_CONTAINER_} \\
				/bin/bash -c 'cat ${_GERRIT_SSH_RSA_ID_F_}.pub')\"; then
		echo \"warning: public key already added to \$host_container\" >&2
		exit 0
	fi

	local -r gerrit_pub=\"\$(sudo -E docker exec ${_GERRIT_DKRC_CONTAINER_} \\
				/bin/bash -c 'cat ${_GERRIT_SSH_RSA_ID_F_}.pub')\"
	if (sudo -E docker exec \${host_container} /bin/bash -c \\
		\"echo \\\"\$gerrit_pub\\\" | tee -a \$keys_f\"); then

		if (sudo -E docker exec \${host_container} /bin/bash -c \\
			\"chmod 0600 \$keys_f && chown \$host_user:\$host_user \$keys_f\"); then
			echo \"info: public key added to \$host_container\" >&2
			exit 0
		fi
		echo \"error: failed to set public key file mode\" >&2
		exit 1
	fi

	echo \"error: public key *NOT* added to \$host_container\" >&2
	exit 1
}

function __do_import
{
	if [ -z \"\$1\" ] || [ ! -d \"\$1\" ]; then
		echo \"error: invalid source path\" >&2
		exit 1
	fi

	if [ -z \"\$2\" ] || [ ! -d \"\$2\" ]; then
		echo \"error: invalid target path\" >&2
		exit 1
	fi

	gcp_import_copy_from_into \$1 \$2 \"false\"
}

function __do_dry_import
{
	if [ -z \"\$1\" ] || [ ! -d \"\$1\" ]; then
		echo \"error: invalid source path\" >&2
		exit 1
	fi

	if [ -z \"\$2\" ] || [ ! -d \"\$2\" ]; then
		echo \"error: invalid target path\" >&2
		exit 1
	fi

	gcp_import_copy_from_into \$1 \$2 \"true\"
}

function __do_cli
{
	gerrit_cli \${@}
}

function __do_flushall
{
	gerrit_flush_all_caches
}

function __do_list
{
	gerrit_list_projects \$@
}

function __do_listall
{
	glp_all_projects
}

function __do_delete
{
	gerrit_delete_project \$@
}

function __do_create
{
	gerrit_create_project \$@
}

function __do_cpermi
{
	gcp_permission_only \$@
}

function __do_ssh_id
{
	gssh_add_container_pubkey \$@
}

function __do_unknown
{
	if [ \"\$1\" != help ]; then
		echo \"error: unknown action: \$1\" >&2
		echo >&2
	fi
	__help
}

while getopts \":hp:s:u:a:\" OPTION; do
	case \"\$OPTION\" in
		 p ) declare -rg port=\"\$OPTARG\" ;;
		 s ) declare -rg host=\"\$OPTARG\" ;;
		 u ) declare -rg user=\"\$OPTARG\" ;;
		 a ) declare -rg __do=\"\$OPTARG\" ;;
		\\? ) __help \$OPTARG ;;
	esac
done

if ! set_environment \"\$port\" \"\$user\" \"\$host\"; then
	echo \"error: user must be set, try ? or -a help\"
	exit 1
fi

shift \$((OPTIND - 1))

case \"\$__do\" in
	import            ) __do_import \$@     ;;
	dry-import        ) __do_dry_import \$@ ;;
	list              ) __do_list \$@       ;;
	listall           ) __do_listall       ;;
	flushall          ) __do_flushall      ;;
	delete            ) __do_delete \$@     ;;
	create            ) __do_create \$@     ;;
	create-permission ) __do_cpermi \$@     ;;
	add-ssh-key       ) __do_ssh_id \$@     ;;
	cli               ) __do_cli \$@        ;;
	*                 ) __do_unknown \$__do ;;
esac"