#!/usr/bin/perl

# Copyright 2009-2012 Eucalyptus Systems, Inc.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see http://www.gnu.org/licenses/.
#
# Please contact Eucalyptus Systems, Inc., 6755 Hollister Ave., Goleta
# CA 93117, USA or visit http://www.eucalyptus.com/licenses/ if you need
# additional information or have any questions.
#
# This file may incorporate work covered under the following copyright
# and permission notice:
#
#   Software License Agreement (BSD License)
#
#   Copyright (c) 2008, Regents of the University of California
#   All rights reserved.
#
#   Redistribution and use of this software in source and binary forms,
#   with or without modification, are permitted provided that the
#   following conditions are met:
#
#     Redistributions of source code must retain the above copyright
#     notice, this list of conditions and the following disclaimer.
#
#     Redistributions in binary form must reproduce the above copyright
#     notice, this list of conditions and the following disclaimer
#     in the documentation and/or other materials provided with the
#     distribution.
#
#   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
#   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
#   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
#   FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
#   COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
#   INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
#   BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
#   LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
#   CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
#   LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
#   ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
#   POSSIBILITY OF SUCH DAMAGE. USERS OF THIS SOFTWARE ACKNOWLEDGE
#   THE POSSIBLE PRESENCE OF OTHER OPEN SOURCE LICENSED MATERIAL,
#   COPYRIGHTED MATERIAL OR PATENTED MATERIAL IN THIS SOFTWARE,
#   AND IF ANY SUCH MATERIAL IS DISCOVERED THE PARTY DISCOVERING
#   IT MAY INFORM DR. RICH WOLSKI AT THE UNIVERSITY OF CALIFORNIA,
#   SANTA BARBARA WHO WILL THEN ASCERTAIN THE MOST APPROPRIATE REMEDY,
#   WHICH IN THE REGENTS' DISCRETION MAY INCLUDE, WITHOUT LIMITATION,
#   REPLACEMENT OF THE CODE SO IDENTIFIED, LICENSING OF THE CODE SO
#   IDENTIFIED, OR WITHDRAWAL OF THE CODE CAPABILITY TO THE EXTENT
#   NEEDED TO COMPLY WITH ANY SUCH LICENSES OR RIGHTS.

use strict;
use Getopt::Long;

my $EUCALYPTUS = $ENV{'EUCALYPTUS'};
my $CERT = "$EUCALYPTUS/var/lib/eucalyptus/keys/cloud-cert.pem";
my $TEMPLATE = "$EUCALYPTUS/usr/share/eucalyptus/lic_template";
my $FORMAT = "RSA/ECB/PKCS1Padding";
my $PASS_LINE = qr/"auth-credentials"\s*:\s*"(.*)"/;

my $USAGE = <<END;

This is a tool to help create the LDAP integration configuration.

Usage: euca-lictool <options>

Options:
  --password <password>      : set the password for result LIC
  --out      <output path>   : output to a file
  --passonly                 : print encrypted password only, no LIC template
  --custom <custom lic path> : use a custom LIC file instead of installed LIC template
  --nocomment                : remove comments from the LIC template

Examples:

# create a LIC template with encrypted password, print to STDOUT
\$ euca-lictool --password secret > example.lic

# create a LIC template with encrypted password, print to a file
\$ euca-lictool --password secret --out example.lic

# only print the encrypted password
\$ euca-lictool --password secret --passonly

# use an existing LIC and replace the credential field with encrypted password
\$ euca-lictool --password secret --custom my.lic --out mynew.lic

# create a LIC template with encrypted password and with comments removed
\$ euca-lictool --password secret --out example.lic --nocomment

# encrypt password in an existing LIC file and output the new file
\$ euca-lictool --custom my.lic

# encrypt password in an existing LIC file in place
\$ euca-lictool --custom my.lic --out my.lic
END

sub print_usage {
  print STDERR $USAGE."\n";
  exit(1);
}

sub encrypt {
  my($clear) = @_;
  my $crypt = `echo -n $clear | openssl rsautl -encrypt -inkey $CERT -certin | openssl base64 | tr -d '\n'`;
  if ($? != 0 or $crypt eq "") {
    print STDERR "Failed to encrypt password";
    exit(1);
  }
  $crypt = "{$FORMAT}".$crypt;
  return $crypt;
}

my $password = "";
my $outfile = "";
my $passonly = 0;
my $custom_template = "";
my $remove_comment = 0;

my $result = GetOptions("password=s" => \$password,
                        "out=s"      => \$outfile,
                        "passonly"   => \$passonly,
                        "custom=s"   => \$custom_template,
                        "nocomment"  => \$remove_comment);

if (not $result) {
  print_usage;
}

# password is either from command line or from user provided LIC
if ($password eq "" and $custom_template eq "") {
  print_usage;
}

if ($EUCALYPTUS eq "") {
  $EUCALYPTUS = "/";
}

my $encrypted = "";
if ($password ne "") {
  $encrypted = encrypt($password);
}

my $input_file;
if ($custom_template eq "") {
  $input_file = $TEMPLATE;
} else {
  $input_file = $custom_template;
}
my @lic = ();
open TEMP, "<$input_file" or die "Can not open $input_file: $!";
while (<TEMP>) {
  if (/$PASS_LINE/) {
    if ($encrypted eq "") {
      $encrypted = encrypt($1);
    }
    s/$PASS_LINE/"auth-credentials":"$encrypted"/g;
  } elsif (/\"_comment\":/) {
    next if ($remove_comment);
  }
  push(@lic, $_);
}
close TEMP;

if ($passonly) {
  print $encrypted;
  exit(0);
}

my $lic_out = join("", @lic);
if ($outfile eq "") {
  print $lic_out;
} else {
  open OUT, ">$outfile" or die "Can not open $outfile to write: $!";
  print OUT $lic_out;
  close OUT;
}
