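#!/bin/sh
#
# Install-time configuration steps for the scx agent.
#
# What the script does, in order:
#   1. creates the sudodir/tmpdir links and writes installinfo.txt   (set -e)
#   2. removes scx entries from PAM, resets the RunAs setting when
#      scxrunas.conf is empty, cleans old server config files and
#      re-opens port 1270 when a marker file asks for it              (set +e)
#   3. moves existing scx keys/certificates into the OMI ssl directory,
#      runs scxsslconfig and reloads the OMI service                  (set -e)
#   4. records the kit type, generates scx-release, installs the
#      logrotate cron entry and the SELinux policy module for logrotate
#
# The script edits files under /etc and /opt; every path is hard-coded.
# Backticks are kept for command substitution, as in the rest of the file.

#
# UnconfigureScxPAM
#
# Check if pam is configured with single
# configuration file or with configuration
# directory.
#
# Always returns 0: failures of the helpers are reported on stdout only.
#
UnconfigureScxPAM() {
    if [ -s /etc/pam.conf ]; then
        UnconfigureScxPAM_file
    elif [ -d /etc/pam.d ]; then
        UnconfigureScxPAM_dir
    fi
    return 0
}

#
# UnconfigureScxPAM_file
#
# PAM configured with a single file: rewrite /etc/pam.conf without the
# scx lines and without the two marker comments of the scx installer.
#
# Returns 0 when there is nothing to write or the file was replaced,
# 1 when the temporary copy could not be written or moved into place.
#
UnconfigureScxPAM_file() {
    #
    # Get all lines except scx configuration
    #
    pam_configuration=`grep -v "^[# ]*scx" /etc/pam.conf | grep -v "# The configuration of scx is generated by the scx installer." | grep -v "# End of section generated by the scx installer."`
    if [ $? -ne 0 ]; then
        # The status is that of the last grep: non-zero means it selected
        # no lines (or failed). Writing that back would leave an empty
        # pam.conf, so keep the file as it is.
        return 0
    fi

    #
    # Write it back (to the copy first)
    #
    # cp -p creates the temporary file with the mode and owner of
    # pam.conf; the redirection below truncates it without changing them.
    # Without the copy the replacement would get umask-default permissions.
    if ! cp -p /etc/pam.conf /etc/pam.conf.tmp; then
        echo "can't write to /etc/pam.conf.tmp"
        return 1
    fi

    # printf instead of echo: some /bin/sh implementations expand
    # backslash sequences in echo arguments, which would alter PAM lines.
    if ! printf '%s\n' "$pam_configuration" > /etc/pam.conf.tmp; then
        rm -f /etc/pam.conf.tmp
        echo "can't write to /etc/pam.conf.tmp"
        return 1
    fi

    if ! mv /etc/pam.conf.tmp /etc/pam.conf; then
        rm -f /etc/pam.conf.tmp
        echo "can't replace /etc/pam.conf"
        return 1
    fi
    return 0
}

#
# UnconfigureScxPAM_dir
#
# PAM configured with a directory: remove the scx service file.
#
UnconfigureScxPAM_dir() {
    if [ -f /etc/pam.d/scx ]; then
        rm -f /etc/pam.d/scx
        return 0
    fi
}

#
# CreateSoftLinkToSudo
#
# Create conf/sudodir -> /usr/bin unless a symbolic link already exists.
# Best effort: a failing ln does not stop the script (it runs under set -e).
#
CreateSoftLinkToSudo() {
    if [ ! -L /etc/opt/microsoft/scx/conf/sudodir ]; then
        ln -s /usr/bin /etc/opt/microsoft/scx/conf/sudodir || true
    fi
}

#
# CreateSoftLinkToTmpDir
#
# Create conf/tmpdir -> /tmp unless a symbolic link already exists.
# Best effort, like CreateSoftLinkToSudo.
#
# NOTE(review): the link resolves to the shared /tmp directory; whatever
# writes through conf/tmpdir should create its files with unpredictable
# names and exclusive creation. The consumers are not visible here.
#
CreateSoftLinkToTmpDir() {
    if [ ! -L /etc/opt/microsoft/scx/conf/tmpdir ]; then
        ln -s /tmp /etc/opt/microsoft/scx/conf/tmpdir || true
    fi
}

#
# WriteInstallInfo
#
# Write the install time and the version string to installinfo.txt.
#
# NOTE(review): the format ends in a literal "Z" but date is called
# without -u, so the value is local time; confirm what readers of
# installinfo.txt expect before changing it.
#
WriteInstallInfo() {
    date +%Y-%m-%dT%T.0Z > /etc/opt/microsoft/scx/conf/installinfo.txt
    echo 1.9.1-0 >> /etc/opt/microsoft/scx/conf/installinfo.txt
}

#
# ConfigureRunAs
#
# Run "scxadmin -config-reset RunAs AllowRoot" unless scxrunas.conf
# already exists with content. Output of scxadmin is discarded.
#
ConfigureRunAs() {
    if [ -s /etc/opt/microsoft/scx/conf/scxrunas.conf ]; then
        # File is not zero size
        return 0
    fi
    /opt/microsoft/scx/bin/tools/scxadmin -config-reset RunAs AllowRoot > /dev/null 2>&1
}

#
# AddOmiHttpsPort1270
#
# Add port 1270 to the list of ports that OMI will listen on.
#
# omiconfigeditor reads omiserver.conf on stdin and writes the edited
# configuration to a temporary file. The temporary file replaces the
# configuration only when the editor succeeded and produced output;
# otherwise a failed or missing editor would leave an empty
# omiserver.conf behind.
#
# NOTE(review): the temporary file is created by redirection, so the
# replaced omiserver.conf gets umask-default permissions rather than
# those of the original file.
#
AddOmiHttpsPort1270() {
    if /opt/omi/bin/omiconfigeditor httpsport -a 1270 < /etc/opt/omi/conf/omiserver.conf > /etc/opt/omi/conf/omiserver.conf_temp \
        && [ -s /etc/opt/omi/conf/omiserver.conf_temp ]; then
        mv /etc/opt/omi/conf/omiserver.conf_temp /etc/opt/omi/conf/omiserver.conf
    else
        rm -f /etc/opt/omi/conf/omiserver.conf_temp
        echo "WARNING: could not add port 1270 to /etc/opt/omi/conf/omiserver.conf, file left unchanged" >&2
    fi
}

#
# HandleConfigFiles
#
# Remove old server configuration files from the scx conf directory and
# open port 1270 when /etc/scxagent-enable-port exists. The marker file
# is removed afterwards.
#
HandleConfigFiles() {
    rm -f /etc/opt/microsoft/scx/conf/cimserver_current.conf* /etc/opt/microsoft/scx/conf/cimserver_planned.conf* /etc/opt/microsoft/scx/conf/omiserver.conf*

    # File /etc/scxagent-enable-port opens port 1270 for usage with opsmgr
    if [ -f /etc/scxagent-enable-port ]; then
        AddOmiHttpsPort1270
    fi
    rm -f /etc/scxagent-enable-port
}

#
# GenerateCertificate
#
# Move existing scx keys and certificates into /etc/opt/omi/ssl and run
# scxsslconfig. The current OMI key and certificate are set aside as
# *_temp first and put back when scxsslconfig fails.
#
# Returns 0 without doing anything when .omi_cert_marker is missing.
# Exits the script with status 1 when scxsslconfig fails or when
# /etc/opt/omi/ssl does not exist.
#
GenerateCertificate() {
    if [ ! -f /etc/opt/omi/ssl/.omi_cert_marker ]; then
        # No OMI cert marker. This means that OM has installed certificates to this folder, or there's data corruption.
        return 0
    fi

    # Make temporary backups of the omi keys in case we fail to generate keys
    # (mv keeps the mode and owner of the private key)
    if [ -f /etc/opt/omi/ssl/omikey.pem ]; then
        mv -f /etc/opt/omi/ssl/omikey.pem /etc/opt/omi/ssl/omikey.pem_temp
    fi
    if [ -f /etc/opt/omi/ssl/omi.pem ]; then
        mv -f /etc/opt/omi/ssl/omi.pem /etc/opt/omi/ssl/omi.pem_temp
    fi

    if [ -d /etc/opt/omi/ssl ]; then
        # Private key: scx-key.pem wins over scx-seclevel1-key.pem
        if [ -f /etc/opt/microsoft/scx/ssl/scx-seclevel1-key.pem ] && [ ! -f /etc/opt/microsoft/scx/ssl/scx-key.pem ]; then
            mv -f /etc/opt/microsoft/scx/ssl/scx-seclevel1-key.pem /etc/opt/omi/ssl/omikey.pem
        elif [ -f /etc/opt/microsoft/scx/ssl/scx-key.pem ]; then
            mv -f /etc/opt/microsoft/scx/ssl/scx-key.pem /etc/opt/omi/ssl/omikey.pem
        fi

        # Certificate: scx.pem wins over scx-seclevel1.pem
        if [ -f /etc/opt/microsoft/scx/ssl/scx-seclevel1.pem ] && [ ! -f /etc/opt/microsoft/scx/ssl/scx.pem ]; then
            rm -f /etc/opt/omi/ssl/omi.pem
            mv -f /etc/opt/microsoft/scx/ssl/scx-seclevel1.pem "/etc/opt/omi/ssl/omi-host-`hostname`.pem"
            # NOTE(review): the certificate was just moved into
            # /etc/opt/omi/ssl, but the link target names the scx ssl
            # directory. Unless scxsslconfig creates a file there, omi.pem
            # is left as a dangling link; confirm the intended target.
            ln -s -f "/etc/opt/microsoft/scx/ssl/omi-host-`hostname`.pem" /etc/opt/omi/ssl/omi.pem
        elif [ -f /etc/opt/microsoft/scx/ssl/scx.pem ]; then
            mv /etc/opt/microsoft/scx/ssl/scx.pem /etc/opt/omi/ssl/omi.pem
        fi

        # The caller runs this function under set -e. A failing subshell
        # used as a plain command would end the script right there and the
        # restore branch below would never run, so the status is collected
        # through "||" instead. The subshell status is still that of
        # scxsslconfig, its last command.
        sslconfig_status=0
        ( set +e; [ -f /etc/profile ] && . /etc/profile; set -e; /opt/microsoft/scx/bin/tools/scxsslconfig ) || sslconfig_status=$?

        if [ "$sslconfig_status" -ne 0 ]; then
            # Restore previous omi keys if they exist
            if [ -f /etc/opt/omi/ssl/omikey.pem_temp ]; then
                mv -f /etc/opt/omi/ssl/omikey.pem_temp /etc/opt/omi/ssl/omikey.pem
            fi
            if [ -f /etc/opt/omi/ssl/omi.pem_temp ]; then
                mv -f /etc/opt/omi/ssl/omi.pem_temp /etc/opt/omi/ssl/omi.pem
            fi
            exit 1
        else
            # Certificate generated successfully. Remove /etc/opt/omi/ssl/.omi_cert_marker to signify that we have overwritten omi's cert
            rm -f /etc/opt/omi/ssl/.omi_cert_marker
            rm -f /etc/opt/omi/ssl/omikey.pem_temp /etc/opt/omi/ssl/omi.pem_temp
        fi
    else
        # /etc/opt/omi/ssl : directory does not exist
        exit 1
    fi
}

set -e
CreateSoftLinkToSudo
CreateSoftLinkToTmpDir
WriteInstallInfo
set +e

UnconfigureScxPAM
ConfigureRunAs
HandleConfigFiles

# Open port 1270 on install if it was open at uninstall
if [ -f /etc/opt/microsoft/scx/conf/scxagent-enable-port ]; then
    AddOmiHttpsPort1270
fi
rm -f /etc/opt/microsoft/scx/conf/scxagent-enable-port

set -e
GenerateCertificate

# Create link from SSL_DIR/scx.pem to OMI_SSL_DIR/omi.pem
if [ -f /etc/opt/microsoft/scx/ssl/scx.pem ]; then
    mv /etc/opt/microsoft/scx/ssl/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem_backup
fi
ln -s /etc/opt/omi/ssl/omi.pem /etc/opt/microsoft/scx/ssl/scx.pem

/opt/omi/bin/service_control reload

# Have we previously installed a Universal Kit before? Keep track of that!
# This is used by the OS provider to mimic non-universal kit installations ...
# (the pattern is a plain anchored string, so grep needs no -E / egrep)
if ! grep -q '^ORIGINAL_KIT_TYPE=' /etc/opt/microsoft/scx/conf/scxconfig.conf; then
    if [ -s /etc/opt/microsoft/scx/conf/scx-release ]; then
        echo 'ORIGINAL_KIT_TYPE=Universal' >> /etc/opt/microsoft/scx/conf/scxconfig.conf
    else
        echo 'ORIGINAL_KIT_TYPE=!Universal' >> /etc/opt/microsoft/scx/conf/scxconfig.conf
    fi
fi

# Generate the conf/scx-release file
/opt/microsoft/scx/bin/tools/GetLinuxOS.sh

# Set up a cron job to logrotate
if [ ! -f /etc/cron.d/scxagent ]; then
    echo "0 */4 * * * root /usr/sbin/logrotate /etc/logrotate.d/scxagent --state /var/opt/microsoft/scx/log/scx-logrotate.status >/dev/null 2>&1" > /etc/cron.d/scxagent
fi

if [ -e /usr/sbin/semodule ]; then
    echo "System appears to have SELinux installed, attempting to install selinux policy module for logrotate"
    echo "  Trying /usr/share/selinux/packages/scxagent-logrotate/scxagent-logrotate.pp ..."
    sestatus=`sestatus|grep status|awk '{print $3}'`
    if [ "$sestatus" = "disabled" ]; then
        echo "WARNING: scxagent-logrotate selinux policy module has not yet installed due to selinux is disabled."
        echo "When enabling selinux, load scxagent-logrotate module manually with following commands for logrotate feature to work properly for scx logs."
        # The path is written out: SEPKG_DIR_SCXAGENT is never set in this
        # script, so the printed command used to start with
        # "/scxagent-logrotate.pp".
        echo "/usr/sbin/semodule -i /usr/share/selinux/packages/scxagent-logrotate/scxagent-logrotate.pp >/dev/null 2>&1"
        echo "/sbin/restorecon -R /var/opt/microsoft/scx/log > /dev/null 2>&1"
    else
        # set -e is active here: semodule is tested inside the if so that a
        # failure reaches the message and the "exit 0" below instead of
        # ending the script with the status of semodule.
        if ! /usr/sbin/semodule -i /usr/share/selinux/packages/scxagent-logrotate/scxagent-logrotate.pp >/dev/null 2>&1; then
            echo "ERROR: scxagent-logrotate selinux policy module versions could not be installed"
            exit 0
        fi

        # Labeling scxagent log files
        # NOTE(review): still a plain command under set -e; a failing
        # restorecon ends the script with a non-zero status and no message.
        /sbin/restorecon -R /var/opt/microsoft/scx/log > /dev/null 2>&1
    fi
fi

exit 0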