#!/bin/bash

#=================================================
# GENERIC START
#=================================================
# IMPORT GENERIC HELPERS
#=================================================

source _common.sh
source /usr/share/yunohost/helpers

#=================================================
# LOAD SETTINGS
#=================================================
ynh_script_progression --message="Loading installation settings..." --weight=2

app=$YNH_APP_INSTANCE_NAME

domain=$(ynh_app_setting_get --app=$app --key=domain)
path_url=$(ynh_app_setting_get --app=$app --key=path)
final_path=$(ynh_app_setting_get --app=$app --key=final_path)

#=================================================
# CHECK VERSION
#=================================================

upgrade_type=$(ynh_check_app_version_changed)

#=================================================
# ENSURE DOWNWARD COMPATIBILITY
#=================================================
ynh_script_progression --message="Ensuring downward compatibility..."

# If final_path doesn't exist, create it
if [ -z "$final_path" ]; then
	final_path=/var/www/$app
	ynh_app_setting_set --app=$app --key=final_path --value=$final_path
fi

# language default value, if not set
if [ -z "$language" ]; then
	language='en'
	ynh_app_setting_set --app=$app --key=language --value=$language
fi

# Cleaning legacy permissions
admin_user=$(ynh_app_setting_get --app=$app --key=admin)

if [ -n "$admin_user" ]; then
	# Removing skipped/unprotected_uris under certain conditions, remove the visitors group added during the migration process of 3.7
	# Remove skipped_uris. If the app was public, add visitors again to the main permission
	if ynh_permission_has_user --permission=admin --user="$admin_user"
	then
		echo "permission admin already exist. Nothing to do"
	else
		ynh_permission_create --permission "admin" --allowed "$admin_user"
	fi
	# Remove legacy admin setting
	ynh_app_setting_delete --app=$app --key=admin
fi

is_public=$(ynh_app_setting_get --app=$app --key=is_public)
if [ -n "$is_public" ]; then
	# Remove unprotected_uris
	ynh_app_setting_delete --app=$app --key=unprotected_uris
	# Remove protected_uris
	ynh_app_setting_delete --app=$app --key=protected_uris

	# Removing skipped/unprotected_uris under certain conditions, remove the visitors group added during the migration process of 3.7
	# Remove skipped_uris. If the app was public, add visitors again to the main permission
	if ynh_permission_has_user --permission=main --user=visitors
	then
		ynh_app_setting_delete --app=$app --key=skipped_uris
		ynh_permission_update --permission "main" --add "visitors"
	else
		ynh_app_setting_delete --app=$app --key=skipped_uris
	fi
	ynh_app_setting_delete --app=$app --key=is_public
fi



# Yunohost specific configuration, if it isn't exist already

# Previously, these settings were store in an unique "dokuwiki.php"
# Now, they are split in multiple files to ease upgrading process (separate Yunohost config from user config)

# Loading order of configuration files
#
# By default DokuWiki loads its configuration files in the following order:
#
# 1. conf/dokuwiki.php
# 2. conf/local.php
# 3. conf/local.protected.php
#
# See https://www.dokuwiki.org/plugin:config#protecting_settings

# Configuration dedicated to Yunohost (LDAP and admin mainly)
# Create an empty configuration file if it does not exist
# This file will be overwritten anyway later in the part "# LDAP Configuration"
# The file is created here to prevent a failure of the helper `ynh_backup_if_checksum_is_different`
if [ ! -f "$final_path/conf/local.protected.php" ]; then
	touch $final_path/conf/local.protected.php
fi

# Do not overwrite existing dokuwiki configuration as it could have user customization's and settings.
# Create file if it does not exist
if [ ! -f "$final_path/conf/local.php" ]; then
	cp ../conf/local.php $final_path/conf

	# Set the default "language"
	ynh_replace_string --match_string="__YNH_LANGUAGE__" --replace_string="$language" --target_file="$final_path/conf/local.php"
fi

# Do not overwrite existing ACL configuration file as it could have user customization's and settings.
# Create file if it does not exist
# See https://www.dokuwiki.org/acl#background_info
if [ ! -f "$final_path/conf/acl.auth.php" ]; then
	cp ../conf/acl.auth.php $final_path/conf
fi

# For securing DokuWiki installation, create default files that will be writable in the "conf" folder.
# Other files will be read ony and owned by root.
# See https://www.dokuwiki.org/install:permissions

# If file does not exists
if [ ! -f "$final_path/conf/local.php.bak" ]; then
	# if template exists
	if [ -f "$final_path/conf/local.php.dist" ]; then
		# Copy template to create default file
		cp "$final_path/conf/local.php.dist" "$final_path/conf/local.php.bak"
	fi
fi

if [ ! -f "$final_path/conf/users.auth.php" ]; then
	if [ -f "$final_path/conf/users.auth.php.dist" ]; then
		cp $final_path/conf/users.auth.php.dist $final_path/conf/users.auth.php
	fi
fi

if [ ! -f "$final_path/conf/plugins.local.php" ]; then
	cp ../conf/plugins.local.php $final_path/conf
fi

if [ ! -f "$final_path/conf/plugins.local.php.bak" ]; then
	cp ../conf/plugins.local.php $final_path/conf/plugins.local.php.bak
fi


if [ ! -f "$final_path/inc/preload.php" ]; then
	# if template exists
	if [ -f "$final_path/inc/preload.php.dist" ]; then
		# Copy template to create default file
		cp "$final_path/inc/preload.php.dist" "$final_path/inc/preload.php"
	fi
fi

#=================================================
# BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
#=================================================
ynh_script_progression --message="Backing up the app before upgrading (may take a while)..." --weight=9

# Backup the current version of the app
ynh_backup_before_upgrade
ynh_clean_setup () {
	# restore it if the upgrade fails
	ynh_restore_upgradebackup
}
# Exit if an error occurs during the execution of the script
ynh_abort_if_errors

#=================================================
# CHECK THE PATH
#=================================================

# Normalize the URL path syntax
path_url=$(ynh_normalize_url_path --path_url=$path_url)

#=================================================
# STANDARD UPGRADE STEPS
#=================================================
# DOWNLOAD, CHECK AND UNPACK SOURCE
#=================================================

if [ "$upgrade_type" == "UPGRADE_APP" ]
then
	ynh_script_progression --message="Upgrading source files..." --weight=2

	# Download, check integrity, uncompress and patch the source from app.src
	ynh_setup_source --dest_dir="$final_path"
fi

#=================================================
# NGINX CONFIGURATION
#=================================================
ynh_script_progression --message="Upgrading nginx web server configuration..." --weight=2

# Create a dedicated nginx config
ynh_add_nginx_config

#=================================================
# CREATE DEDICATED USER
#=================================================
ynh_script_progression --message="Making sure dedicated system user exists..."

# Create a system user
ynh_system_user_create --username=$app

#=================================================
# PHP-FPM CONFIGURATION
#=================================================
ynh_script_progression --message="Upgrading php-fpm configuration..."

# Create a dedicated php-fpm config
ynh_add_fpm_config

#=================================================
# SPECIFIC UPGRADE
#=================================================

if [ "$upgrade_type" == "UPGRADE_APP" ]
then
    ynh_script_progression --message="Upgrading dokuwiki..." --weight=7

    # Remove upgrade notification inside Dokuwiki's admin panel
    # See https://www.dokuwiki.org/update_check
    touch $final_path/doku.php

    # Remove files not used anymore after upgrade
    # See https://www.dokuwiki.org/install:unused_files
    if [ -f "$final_path/data/deleted.files" ]; then

        # Feed output of grep[...] line by line to 'ynh_secure_remove'
        # 'ynh_secure_remove' can only work file by file. Cannot work with a list
        # This is a (complicated) workaround this limitation
        while IFS= read -r line; do

            # Added this test to reduce the spam printed by helper to the user in the webadmin.
            # Should be less 'scary' to them I think
            #
            # number of messages = number of lines *2    (673 lines while writing this)
            ### grep --extended-regexp --invert-match '^($|#)' data/deleted.files | wc -l
            ### 673
            #
            # Spam sample:
                #Attention : /!\ Packager ! You provided more than one argument to ynh_secure_remove but it will be ignored... Use this helper with one argument at time.
                #Info : 'inc/parser/spamcheck.php' wasn't deleted because it doesn't exist.
                #Attention : /!\ Packager ! You provided more than one argument to ynh_secure_remove but it will be ignored... Use this helper with one argument at time.
                #Attention : /!\ Packager ! You provided more than one argument to ynh_secure_remove but it will be ignored... Use this helper with one argument at time.
                #Info : 'lib/images/favicon.ico' wasn't deleted because it doesn't exist.
                #Info : 'lib/images/thumbup.gif' wasn't deleted because it doesn't exist.
                #Attention : /!\ Packager ! You provided more than one argument to ynh_secure_remove but it will be ignored... Use this helper with one argument at time.
                #Info : 'lib/images/toolbar/code.png' wasn't deleted because it doesn't exist.
                #Attention : /!\ Packager ! You provided more than one argument to ynh_secure_remove but it will be ignored... Use this helper with one argument at time.
                #Info : 'lib/images/toolbar/empty.png' wasn't deleted because it doesn't exist.
            if [ -f "$line" ]; then
                ynh_secure_remove --file "$line"
            fi
        done < <(grep --null --extended-regexp --invert-match '^($|#)' "$final_path/data/deleted.files" | xargs --null --max-args=1 || true)
        #    ^ ^  First < is redirection, second is process substitution.
        # Source: https://tldp.org/LDP/abs/html/process-sub.html

        # Previous attemps if someone reads this one day
        ###grep --extended-regexp --invert-match '^($|#)' data/deleted.files | xargs --max-args=1 rm --verbose --force --dir 2>&1 || true
        ###grep --extended-regexp --invert-match '^($|#)' data/deleted.files | xargs --max-args=1 ynh_secure_remove --file 2>&1
        
        ###grep --null --extended-regexp --invert-match '^($|#)' data/deleted.files > toto.list
        ###xargs --null --verbose --max-args=1 --arg-file=toto.list ynh_secure_remove 2>&1
fi

    # TODO Taken from old "upgrade" script. Should check if it is needed and what it does
    # Update all plugins
    for name_plugin in $(sudo -s cat $final_path/lib/plugins/*/plugin.info.txt | grep url | awk -F ':' '{print $3}');
    do
        # Get a official plugin for dokuwiki, not update a no-official
        wget -nv --quiet "https://github.com/splitbrain/dokuwiki-plugin-$name_plugin/zipball/master" -O "${name_plugin}.zip" -o /dev/null || true
        if [ -s "${name_plugin}.zip" ]; then
            unzip ${name_plugin}.zip
            cp -a splitbrain-dokuwiki-plugin-${name_plugin}*/. "$final_path/lib/plugins/$name_plugin/"
        fi
    done
fi

#=================================================
# LDAP Configuration
#=================================================

### Verify the checksum of a file, stored by `ynh_store_file_checksum` in the install script.
### And create a backup of this file if the checksum is different. So the file will be backed up if the admin had modified it.
ynh_backup_if_checksum_is_different --file="$final_path/conf/local.protected.php"

# Always overwrite local file with the one from package.
cp ../conf/local.protected.php $final_path/conf

# Create the "admin" group and add the "admin" user
#ynh_permission_create --permission "admin" --allowed "$admin_user"

# Customize admin group in case of multiple wiki install managed by different admins
# dokuwiki.admin; dokuwiki__1.admin; etc
ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="$final_path/conf/local.protected.php"

# Recalculate and store the checksum of the file for the next upgrade.
ynh_store_file_checksum --file="$final_path/conf/local.protected.php"

#=================================================
# INSTALL LOGAUTHERROR PLUGIN FOR FAIL2BAN
#=================================================
ynh_script_progression --message="Upgrading logautherror plugin for fail2ban..." --weight=2

ynh_setup_source --dest_dir="$final_path/lib/plugins/logautherror" --source_id=logautherror

#=================================================
# GENERIC FINALIZATION
#=================================================
# SECURE FILES AND DIRECTORIES
#=================================================

# Try to use "least privilege" to grant minimal access
# For details, see https://www.dokuwiki.org/install:permissions

# Files owned by DokuWiki can just read
chown -R root: $final_path

# DokuWiki needs to write inside these folders. Make "DokuWiki" owner
chown $app:root $final_path/{conf,inc}

# Make "DokuWiki" owner of configuration files that must be writable
chown $app:root $final_path/conf/{local.php,local.php.bak,users.auth.php,acl.auth.php,plugins.local.php,plugins.local.php.bak}

# Usefull for some plugins like https://www.dokuwiki.org/plugin:siteexport
# See https://www.dokuwiki.org/devel:preload
chown $app:root $final_path/inc/preload.php

# Grant read-only to all files as files copied above are owned by root by defaut and nginx cannot read them
# There are only files in the folder and there are no sublevels. No need to use "find"
chmod -R a+r $final_path/{conf,inc}

# Give write access to "data" and subfolders
chown -R $app:root $final_path/data
# Remove access to "other"
chmod -R o-rwx $final_path/data

# Allow the web admin panel to run, aka "Extension Manager"
chown -R $app:root $final_path/lib/plugins
# Allow to install templates
chown -R $app:root $final_path/lib/tpl

# Allow access to public assets like style sheets
find $final_path/lib -type f -print0 | xargs -0 chmod 0644
find $final_path/lib -type d -print0 | xargs -0 chmod 0755
# Using "find" instead of "chmod -R 755" so files does not become executable too
# chmod :   -rwxr-xr-x  1 root root  241 May  3 08:36 index.html   => BAD
# find  :   -rw-r--r--  1 1001 1002  241 May  3 08:36 index.html   => GOOD

#=================================================
# SETUP FAIL2BAN
#=================================================
ynh_script_progression --message="Reconfiguring fail2ban..." --weight=7

ynh_add_fail2ban_config --logpath="/var/log/nginx/$domain-error.log" --failregex="^.*authentication failure. while reading response header from upstream, client: <HOST>,.*POST $path_url.*$" --max_retry=5

#=================================================
# SETUP SSOWAT
#=================================================
 # Nothinf to do here. Already done in "ENSURE DOWNWARD COMPATIBILITY" part
 #ynh_script_progression --message="Upgrading permissions configuration..." --weight=2

#=================================================
# RELOAD NGINX
#=================================================
ynh_script_progression --message="Reloading nginx web server..."

ynh_systemd_action --service_name=nginx --action=reload

#=================================================
# END OF SCRIPT
#=================================================

ynh_script_progression --message="Upgrade of $app completed" --last