#!/usr/bin/sh
#----------------------------------------------------------------------------
# /var/install/bin/mysql-common-tools-userpass - change Admin and User password
#
# Creation:     2004-06-09 jv
# Last Update:  $Id$
#
# Copyright (c) 2004 Jens Vehlhaber, jvehlhaber(at)buchenwald(dot)de
# Copyright (c) 2012-@@YEAR@@ Holger Bruenjes, holgerbruenjes(at)gmx(dot)net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#----------------------------------------------------------------------------

#include eislib
. /var/install/include/eislib

#debug=true

if ${debug:-false}
then
    exec 2>/tmp/$(basename ${0})-trace$$.log
    set -x
    ask_debug=true
    export ask_debug
fi

run_user=mysql
admin_user='root'
admin_pass=''

# handling for old passwords, if required
old_passwd='no'
old_passwd_entry=''
ask_passwd='o=OldPassword'

# handling for secure passwords, if required
secure_passwd='no'
secure_passwd_entry='ed25519'
ask_secpasswd='s=SecurePassword'

interactive='true'
password=''
user_name=''
PasswordParam=''
MKTEMP=/usr/bin/mktemp
CAT=/usr/bin/cat
RM=/usr/bin/rm
ASK=/var/install/bin/ask


# ---------------------------------------------------------------------------
# defaults
# ---------------------------------------------------------------------------
get_defaults()
{
    # default values
    . /srv/mysql/defaults.info
}

# ---------------------------------------------------------------------------
# check status and access of MariaDB/MySQL Database
# ---------------------------------------------------------------------------
check_status()
{
    if [ ! -f ${mysql_pid_file} ]
    then
        logger -t 'MariaDB/MYSQL-backup' 'Error MariaDB/MySQL Server not running'
        exit 1
    fi

    ${mysql_basedir}/${db_mysqladmin} --socket=${mysql_socket} \
                     status >/dev/null 2>&1
    if [ ${?} -ne 0 ]
    then
        # set root password
        /var/install/bin/mysql-common-tools-userpass -nu=root ${package_name}
        exit 0
    fi
}

# ---------------------------------------------------------------------------
# show password setting
# ---------------------------------------------------------------------------
show_passwd_setting()
{
    clrhome
    mecho --info 'Change password for MariaDB/MySQL user'

    case ${my_path} in
    11*)
        eval secure_pass='${'${project_name}'_SECURE_PASSWD}'
        if [ "${secure_pass:-no}" = "yes" ]
        then
            echo
            mecho -n --info 'Current password setting: '
            mecho -n 'Secure Password style = '
            mecho  "${secure_passwd}"
        else
            : # nothing to do
        fi
        ;;
    *)
        echo
        mecho -n --info 'Current password setting: '
        mecho -n 'Old Password style = '
        mecho  "${old_passwd}"
        ;;
    esac
}

# ---------------------------------------------------------------------------
# get username
# ---------------------------------------------------------------------------
get_username()
{
    show_passwd_setting

    case ${my_path} in
    11*)
        _user=$(${mysql_basedir}/${db_mysql} --socket=${mysql_socket} \
                        --database=mysql \
                        --skip-column-names ${skip_ssl} \
                        -e "SELECT user, host FROM user;" |
                        sort -u |
                        sed 's/\t/:/g')
        echo
        techo --begin '2 5r 1 17 18'
        techo --row '' No '' user host
        echo
        idx=1
        for line in ${_user}
        do
            _u1=$(echo ${line} | cut -d: -f1)
            _u2=$(echo ${line} | cut -d: -f2)

            techo --row '' "${idx}." '' "${_u1}" "${_u2}"

            idx=$((${idx} + 1))
        done
        techo --end

        echo
        echo
        _ask_tmpfile=$( ${MKTEMP} -t .XXXXXXXXXXXXX )
        ${ASK} 'Select' '' "1-$(echo "${_user}" | wc -l)" ${ask_secpasswd} '^$=Return' '0=Exit' >${_ask_tmpfile}
        rc=${?}
        read _user_change < ${_ask_tmpfile}
        ${RM} -f ${_ask_tmpfile}

        if [ ${rc} = 255 ]
        then
            _user_change=0
        fi

        case ${_user_change} in
        '') exit 0    ;;
        0)  exit 127  ;;
        s|S)
            ask_secpasswd='n=DefaultPasswd'
            secure_passwd='yes'
#            echo
#            mecho --warn 'Please, use Old Password style only'
#            mecho --warn 'if you sure what you are doing.'
#            echo
#            anykey
            get_username
            ;;
        n|N)
            ask_secpasswd='s=SecurePasswd'
            secure_passwd='no'
            get_username
            ;;
        *)
            # get action line
            action_line="$(echo "${_user}"    |
                        sed -n "${_user_change}p" |
                        sed 's/^ *//')"

            user_name=$(echo ${action_line} | cut -d: -f1)
            host_name=$(echo ${action_line} | cut -d: -f2)

            if [ -z "${user_name}" ]
            then
                get_username
            fi

            echo
            mecho -n --info 'Selected user '
            mecho  "'${user_name}' ->  '${host_name}'"

            ;;
        esac
        ;;
     *)
        _user=$(${mysql_basedir}/${db_mysql} --socket=${mysql_socket} \
                        --database=mysql \
                        --user=root ${PasswordParam} \
                        --skip-column-names \
                        -e "SELECT user FROM user ;" |
                        sort -u)
        echo
        techo --begin '2 5r 1 17'
        techo --row '' No '' user
        echo
        idx=1
        echo "${_user}" |
        while read user
        do
            techo --row "" "${idx}." "" "${user}"

            idx=$((${idx} + 1))
        done
        techo --end

        echo
        echo
        _ask_tmpfile=$( ${MKTEMP} -t .XXXXXXXXXXXXX )
        ${ASK} 'Select' '' "1-$(echo "${_user}" | wc -l)" "${ask_passwd}" '^$=Return' '0=Exit' >${_ask_tmpfile}
        rc=${?}
        read _user_change < ${_ask_tmpfile}
        ${RM} -f ${_ask_tmpfile}

        if [ ${rc} = 255 ]
        then
            _user_change=0
        fi

        case ${_user_change} in
        '') exit 0    ;;
        0)  exit 127  ;;
        o|O)
            ask_passwd='n=NewPasswd'
            old_passwd='yes'
            old_passwd_entry='OLD_'
            echo
            mecho --warn 'Please, use Old Password style only'
            mecho --warn 'if you sure what you are doing.'
            echo
            anykey

            get_username
            ;;
        n|N)
            ask_passwd='o=OldPasswd'
            old_passwd='no'
            old_passwd_entry=''
            get_username
            ;;
        *)
            # get action line
            user_name="$(echo "${_user}"    |
                        sed -n "${_user_change}p" |
                        sed 's/^ *//')"

            if [ -z "${user_name}" ]
            then
                get_username
            fi

            echo
            mecho -n --info 'Selected user '
            mecho  "'${user_name}'"

            ;;
        esac
        ;;
    esac
}

# ---------------------------------------------------------------------------
# check if there is a root password required
# ---------------------------------------------------------------------------
check_for_root_pw()
{
    if ${interactive:-true}
    then
        ${mysql_basedir}/${db_mysqladmin} --socket=${mysql_socket} \
                   --user=root $PasswordParam status >/dev/null 2>&1
        if [ ${?} -eq 1 ]
        then
            echo
            if [ "${user_name:-0}" = "root" ]
            then
                _old="old "
            fi

            echo
            _ask_tmpfile=$(${MKTEMP} -t .XXXXXXXXXXXXX)
            ${ASK} "MariaDB/MySQL ${_old}root password required:" "" "+hidden+" >${_ask_tmpfile}
            rc=${?}
            read RootPassword < ${_ask_tmpfile}
            ${RM} -f ${_ask_tmpfile}

            # if ask break, ask returned 255
            if [ ${rc} = 255 ]
            then
                exit 127
            fi
            echo

            PasswordParam="-p${RootPassword}"
        fi
    fi
}

# ---------------------------------------------------------------------------
# check if user exists
# ---------------------------------------------------------------------------
check_user()
{
    _check_user=$(${mysql_basedir}/${db_mysql} --socket=${mysql_socket} \
                  --database=mysql \
                  --user=root ${PasswordParam} ${skip_ssl} \
                  -e "SELECT user FROM user WHERE user='${user_name}';")

    if [ -z "${_check_user}" ]
    then
        mecho --error "No user ${user_name} found!"
        exit 1
    fi
}

# ---------------------------------------------------------------------------
# get password
# ---------------------------------------------------------------------------
get_password()
{
    if [ -f /usr/bin/pwgen ]
    then
        _ask_tmpfile=$(${MKTEMP} -t .XXXXXXXXXXXXX)
        ${ASK} 'Create password with pwgen' 'yes' >${_ask_tmpfile}
        rc=${?}
        read _passwd_pwgen < ${_ask_tmpfile}
        ${RM} -f ${_ask_tmpfile}

        if [ ${rc} = 255 ]
        then
            exit 127
        fi
    fi

    if [ "${_passwd_pwgen:-no}" = "yes" ]
    then
        # entry in passwdlib
        # create password
        # pwgen --help
        # return password
        get_pwgen_passwd
    else
        # entry in passwdlib
        # get password from cmdline
        get_passwd --check
    fi
}

# ---------------------------------------------------------------------------
# send mail
# ---------------------------------------------------------------------------
send_mail()
{
    _ask_tmpfile=$( ${MKTEMP} -t .XXXXXXXXXXXXX )
    echo 'Send e-mail with [ENTER] to the given user'
    ${ASK} 'or type in the address:' "${user_name}@$(hostname -d)" "*" > ${_ask_tmpfile}
    rc=${?}
    read _send_mail < ${_ask_tmpfile}
    ${RM} -f ${_ask_tmpfile}

    if [ ${rc} = 255 ]
    then
        exit 127
    fi

    eval send_from='${'${project_name}'_SEND_MAIL_FROM}'

    # entry in passwdlib
    send_passwd --user ${user_name} \
                --realm ${project_name} \
                --passwd ${password} \
                --mail ${_send_mail:-root} \
                --sender ${send_from:-root}
}

# ---------------------------------------------------------------------------
# set password
# ---------------------------------------------------------------------------
set_root_password()
{
    my_server=$(ls -1 /etc/mysql/my*.cnf)

    for SERVER in ${my_server}
    do
        local init_server=$(grep 'etc/config.d' ${SERVER} | sed 's|^.*/||')
        local port_server=$(grep '^port' ${SERVER} | sed 's|[^[:digit:]]||g' | uniq)
        local my_path=$(echo ${init_server} | sed 's|[^[:digit:]]||g')

        get_defaults

        local running=$(${mysql_basedir}/${db_mysqladmin} \
                        --socket=/run/mysql/${my_path}/mysql.sock \
                        status 2>/dev/null)

        if ! echo "${running}" | grep -iq 'uptime'
        then
            if [ ! -S /run/mysql/${my_path}/mysql.sock ]
            then
                continue
            fi
        fi

        mecho -n --info 'Set new '
        mecho -n --std  "'root' "
        mecho -n --info 'password on server '
        mecho --std     "'${init_server}'"


        case "${my_path}" in
        11*)
            ${mysql_basedir}/${db_mysql} \
                --socket=/run/mysql/${my_path}/mysql.sock \
                --database=mysql \
                --user=root  ${PasswordParam} ${skip_ssl} \
                -e "ALTER USER '${user_name}'@'${host_name:-localhost}' IDENTIFIED BY '${password}'; \
                flush privileges;"

        #         neu fuer ed25519
        #        CREATE USER edtest@localhost IDENTIFIED VIA ed25519 USING PASSWORD('secret');
            ;;
        *)
             # stop database server and restart insecurity mode without network
            if [ -f /etc/init.d/${init_server} ]
            then
                /etc/init.d/${init_server} stop
                sleep 3
                /etc/init.d/${init_server} --skip start
            elif [ -f /usr/lib/systemd/system/${init_server}.service ]
            then
                my_version="$(${mysql_basedir}/${db_mysqld} --version | /usr/bin/gawk '/Ver/ {print $3}' | /usr/bin/cut -d'.' -f-2)"

                echo "MYSQL_OPTION='--skip-grant-tables --skip-networking'" >/etc/sysconfig/${init_server}
                /usr/sbin/service --msg=" * Resarting MariaDB/MySQL database: server ${my_version} insecure" restart ${init_server}.service
                rm -f /etc/sysconfig/${init_server}
            fi

            ${mysql_basedir}/${db_mysql} \
                --socket=/run/mysql/${my_path}/mysql.sock \
                --database=mysql \
                --user=root  ${PasswordParam} \
                -e "update user set password=${old_passwd_entry}PASSWORD('${password}') \
                where user='${user_name}'; \
                flush privileges;"

            # restart database server in security mode
            if [ -f /etc/init.d/${init_server} ]
            then
                /etc/init.d/${init_server} restart
            elif [ -f /usr/lib/systemd/system/${init_server}.service ]
            then
                /usr/sbin/service restart ${init_server}.service
            fi
            ;;
        esac
    done

    cat > /root/.my.cnf <<EOF
[client]
user=root
password="${password}"

[mysqladmin]
user=root
password="${password}"

[mysqldump]
user=root
password="${password}"

[mysql]
user=root
password="${password}"

[mysqlcheck]
user=root
password="${password}"

[mysql_update]
user=root
password="${password}"
EOF

    chmod 0640 /root/.my.cnf
    ln -sf /root/.my.cnf /home/eis/.my.cnf
    chmod 0700 /home/eis

}

# ---------------------------------------------------------------------------
# change password
# ---------------------------------------------------------------------------
change_password()
{
    case ${my_path} in
    11*)
        if [ "${user_name:-0}" = "root" ] &&
           [ "${host_name:-0}" = "localhost" ] ||
           [ -z "${host_name}" ]
        then
            set_root_password
        else
            if [ "${secure_passwd:-no}" = "yes" ]
            then
                # set secure passwd with ed25519
                ${mysql_basedir}/${db_mysql} --socket=${mysql_socket} \
                    --database=mysql ${skip_ssl} \
                    -e "ALTER USER '${user_name}'@'${host_name:-localhost}' IDENTIFIED VIA ed25519 USING PASSWORD('${password}'); \
                    flush privileges;"
            else
                ${mysql_basedir}/${db_mysql} --socket=${mysql_socket} \
                    --database=mysql ${skip_ssl} \
                    -e "ALTER USER '${user_name}'@'${host_name:-localhost}' IDENTIFIED BY '${password}'; \
                    flush privileges;"
            fi
        fi
        ;;
    *)
        if [ "${user_name:-0}" = "root" ]
        then
            set_root_password
        else
            ${mysql_basedir}/${db_mysql} --socket=${mysql_socket} \
                --database=mysql \
                --user=root  ${PasswordParam} \
                -e "update user set password=${old_passwd_entry}PASSWORD('${password}') \
                where user='${user_name}'; \
                flush privileges;"
        fi
        ;;
    esac

    if [ ${?} -eq 0 ]
    then
        if ${interactive:-true}
        then
            mecho --info "done"
        fi

        eval send_from='${'${project_name}'_SEND_MAIL_FROM}'

        if [ -n "${send_from}" ] &&
           [ "${user_name}" != "root" ]
        then
            send_mail
        fi
    fi
}

# ---------------------------------------------------------------------------
# get parameter
# ---------------------------------------------------------------------------
get_parameter()
{
    while [ ${#} -ne 0 ]
    do
        case "${1}" in
        -nu=*)
            interactive='false'
            user_name=$(echo "${1}" | sed -e 's;-nu=;;')
            shift
            ;;
        -np=*)
            interactive='false'
            password=$(echo "${1}" | sed -e 's;-np=;;')
            shift
            ;;
        -u=*)
            interactive='false'
            admin_user=$(echo "${1}" | sed -e 's;-u=;;')
            shift
            ;;
        -p=*)
            interactive='false'
            passwd=$(echo "${1}" | sed -e 's;-p=;;')
            if [ -n "${passwd}" ]
            then
                PasswordParam="-p${passwd}"
            fi
            shift
            ;;
        mariadb*|mysql*)
            package_name="${1}"
            project_name=$(echo ${package_name} | tr [:lower:] [:upper:])
            my_path=$(echo "${package_name}" | sed 's|[^[:digit:]]||g')
            shift
            ;;
        *)
            echo "Unknown argument '${1}'"
            exit 1
            ;;
        esac
    done
}

# ---------------------------------------------------------------------------
# main
# ---------------------------------------------------------------------------
main()
{
    get_parameter "${@}"

    # include passwdlib
    . /var/install/include/passwdlib

    # include config
    . /etc/config.d/${package_name}

    eval ssl_use='${'${project_name}'_SSL_USE:-no}'
    if [ ${my_path:-110} = 114 ] &&
       [ "${ssl_use}" != "yes" ]
    then
        skip_ssl='--skip-ssl'
    fi

    get_defaults

    if [ "${user_name}" != "root" ]
    then
        check_status
    fi

    if [ -z "${user_name}" ]
    then
        get_username
    fi

    check_for_root_pw

    if [ "${user_name}" != "root" ]
    then
        check_user
    fi

    if [ -z "${password}" ]
    then
        get_password
    fi

    change_password

    if ${interactive:-true}
    then
        echo
        anykey
    fi

    exit 0
}

# ---------------------------------------------------------------------------
# call function main
# ---------------------------------------------------------------------------
main "${@}"

# ---------------------------------------------------------------------------
# end
# ---------------------------------------------------------------------------