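#!/bin/bash
# Install and enable the Apache Ranger HBase plugin on an EMR node.
#
# Usage: <script> ranger_server_fqdn ranger_version s3bucket [project_version]
#                 [emr_version] [http_protocol] [install_cloudwatch_agent_for_audit]
#
#   $1 ranger_server_fqdn                 host name of the Ranger admin server
#   $2 ranger_version                     accepted for argument-position compatibility; not read below
#   $3 s3bucket                           s3:// prefix holding the plugin tarball and the TLS material
#   $4 project_version                    default 2.0 (selects the emr-tls prefix under $s3bucket)
#   $5 emr_version                        default emr-5.30; emr-6.* selects the 2.1.0-SNAPSHOT plugin
#   $6 http_protocol                      http (default) or https
#   $7 install_cloudwatch_agent_for_audit "true" enables the file-cache audit spool in install.properties
#
# NOTE: `set -x` traces every command below, including the keystore/truststore
# passwords handed to openssl/keytool and written into install.properties, so
# those values land in the bootstrap-action log.
set -euo pipefail
set -x

if (( $# < 3 )); then
  printf 'Usage: %s ranger_server_fqdn ranger_version s3bucket [project_version] [emr_version] [http_protocol] [install_cloudwatch_agent_for_audit]\n' "${0##*/}" >&2
  exit 2
fi

#Variables
# ${JAVA_HOME:-} keeps `set -u` from aborting when JAVA_HOME is not exported.
if [[ -n "${JAVA_HOME:-}" && -x "${JAVA_HOME}/bin/java" ]]; then
  echo "found java executable in JAVA_HOME"
else
  export JAVA_HOME=/usr/lib/jvm/java-openjdk
fi

if [[ -f /opt/aws/puppet/bin/puppet ]]; then
  echo "Puppet found in path"
  puppet_cmd='/opt/aws/puppet/bin/puppet'
else
  puppet_cmd='puppet'
fi

# Show which JAVA_HOME root will see (sudo -E forwards the environment).
sudo -E bash -c 'echo $JAVA_HOME'

installpath=/usr/lib/ranger
ranger_server_fqdn=$1
#mysql_jar_location=http://central.maven.org/maven2/mysql/mysql-connector-java/5.1.39/mysql-connector-java-5.1.39.jar
mysql_jar=mysql-connector-java-5.1.39.jar
# shellcheck disable=SC2034 — positional argument kept for callers; unused here
ranger_version=$2
s3bucket=$3
project_version=${4-'2.0'}
emr_version=${5-'emr-5.30'}
http_protocol=${6-'http'}
install_cloudwatch_agent_for_audit=${7-'false'}

# Ranger admin / Solr endpoints differ by port between plain HTTP and TLS.
if [[ "$http_protocol" == "https" ]]; then
  RANGER_HTTP_URL="https://${ranger_server_fqdn}:6182"
  SOLR_HTTP_URL="https://${ranger_server_fqdn}:8984"
else
  RANGER_HTTP_URL="http://${ranger_server_fqdn}:6080"
  SOLR_HTTP_URL="http://${ranger_server_fqdn}:8983"
fi

# Plugin build to download depends on the EMR major release.
emr_release_version_regex="^emr-6.*"
if [[ "$emr_version" =~ $emr_release_version_regex ]]; then
  ranger_download_version=2.1.0-SNAPSHOT
else
  ranger_download_version=1.2.1-SNAPSHOT
fi
ranger_s3bucket="${s3bucket}/ranger/ranger-${ranger_download_version}"
ranger_hbase_plugin="ranger-${ranger_download_version}-hbase-plugin"

## --- SSL Config ---
## Cert configuration
certs_s3_location="${s3bucket}/${project_version}/emr-tls/"
certs_path="/tmp/certs"
ranger_agents_certs_path="${certs_path}/ranger-agents-certs"
ranger_server_certs_path="${certs_path}/ranger-server-certs"
solr_certs_path="${certs_path}/solr-client-certs"
truststore_ranger_server_alias="rangerServerTrust"
truststore_solr_alias="solrtrust"
# Default JKS password; both stores below are protected by it only.
truststore_password="changeit"
truststore_location="/etc/hadoop/conf/ranger-plugin-truststore.jks"
jvm_truststore_location="$JAVA_HOME/lib/security/cacerts"
keystore_alias="rangerAgent"
keystore_password="changeit"
keystore_location="/etc/hadoop/conf/ranger-plugin-keystore.jks"

# (Re)build the plugin keystore and truststore whenever either is missing.
if [[ ! -f "$truststore_location" || ! -f "$keystore_location" ]]; then
  echo "$truststore_location or $keystore_location does not exist. will download certs and create them"
  #Download certs
  # Start from a clean slate so stale material is never merged in; :? aborts
  # rather than running rm -rf on an empty path.
  sudo rm -rf -- "${certs_path:?}"
  sudo rm -rf -- "${truststore_location:?}"
  sudo rm -rf -- "${keystore_location:?}"
  # 0700: the sync below places a private key under /tmp; keep it unreadable by
  # other local users for the short time it exists there.
  mkdir -m 700 -- "$certs_path"
  aws s3 sync "$certs_s3_location" "$certs_path"
  mkdir -- "$ranger_agents_certs_path" "$ranger_server_certs_path" "$solr_certs_path"
  unzip "${ranger_agents_certs_path}.zip" -d "$ranger_agents_certs_path"
  unzip "${ranger_server_certs_path}.zip" -d "$ranger_server_certs_path"
  unzip "${solr_certs_path}.zip" -d "$solr_certs_path"

  #Setup RangerAgents Keystore
  # Bundle the agent chain + private key as PKCS12, then import it into the JKS
  # the plugin reads.
  openssl pkcs12 -export -in "${ranger_agents_certs_path}/certificateChain.pem" -inkey "${ranger_agents_certs_path}/privateKey.pem" -chain -CAfile "${ranger_agents_certs_path}/trustedCertificates.pem" -name "$keystore_alias" -out "${ranger_agents_certs_path}/keystore.p12" -password "pass:${keystore_password}"
  # The store was removed above, so this delete normally fails; `|| true` keeps
  # the legacy "replace existing alias" behaviour without aborting.
  sudo keytool -delete -alias "$keystore_alias" -keystore "$keystore_location" -storepass "$keystore_password" -noprompt || true
  sudo keytool -importkeystore -deststorepass "$keystore_password" -destkeystore "$keystore_location" -srckeystore "${ranger_agents_certs_path}/keystore.p12" -srcstoretype PKCS12 -srcstorepass "$keystore_password"
  # NOTE(review): 444 leaves the agent private key readable by every local
  # user, guarded only by the store password above; a group-readable mode with
  # the plugin's service group would be tighter — confirm which account reads it.
  sudo chmod 444 "$keystore_location"

  #Setup Truststore - add RangerServer cert
  sudo keytool -delete -alias "$truststore_ranger_server_alias" -keystore "$truststore_location" -storepass "$truststore_password" -noprompt || true
  sudo keytool -import -file "${ranger_server_certs_path}/trustedCertificates.pem" -alias "$truststore_ranger_server_alias" -keystore "$truststore_location" -storepass "$truststore_password" -noprompt

  #Setup Truststore - add SOLR cert
  sudo keytool -delete -alias "$truststore_solr_alias" -keystore "$truststore_location" -storepass "$truststore_password" -noprompt || true
  sudo keytool -import -file "${solr_certs_path}/trustedCertificates.pem" -alias "$truststore_solr_alias" -keystore "$truststore_location" -storepass "$truststore_password" -noprompt
  # The Solr CA is also added to the JVM-wide cacerts, so every Java process on
  # this host trusts it, not just the Ranger plugin.
  sudo keytool -delete -alias "$truststore_solr_alias" -keystore "$jvm_truststore_location" -storepass "$truststore_password" -noprompt || true
  sudo keytool -import -file "${solr_certs_path}/trustedCertificates.pem" -alias "$truststore_solr_alias" -keystore "$jvm_truststore_location" -storepass "$truststore_password" -noprompt

  #cleanup
  rm -rf -- "${certs_path:?}"
fi

#Setup
sudo rm -rf -- "${installpath:?}/${ranger_hbase_plugin:?}"
mkdir -p "$installpath/hbase/lib" "$installpath/hbase/conf"
cd "$installpath"
mkdir "$ranger_hbase_plugin"
# NOTE: the tarball is trusted on the strength of the bucket's access policy
# alone; no checksum or signature is verified here. The region is pinned while
# the cert sync above uses the CLI default — keep them consistent if the bucket
# is not in us-east-1.
aws s3 cp "${ranger_s3bucket}/${ranger_hbase_plugin}.tar.gz" . --region us-east-1
tar -xvf "${ranger_hbase_plugin}.tar.gz" -C "$ranger_hbase_plugin" --strip-components=1
cd "${installpath}/${ranger_hbase_plugin}"
# NOTE(review): both link targets were just created as directories, so ln -sfn
# places the link inside them rather than replacing them — confirm this is the
# layout enable-hbase-plugin.sh expects.
sudo ln -sfn /etc/hbase/conf "$installpath/hbase/conf"
sudo ln -sfn /usr/lib/hbase "$installpath/hbase/lib"

#SSL configs
sudo sed -i "s|POLICY_MGR_URL=.*|POLICY_MGR_URL=$RANGER_HTTP_URL|g" install.properties
sudo sed -i "s|SSL_TRUSTSTORE_FILE_PATH=.*|SSL_TRUSTSTORE_FILE_PATH=${truststore_location}|g" install.properties
sudo sed -i "s|SSL_TRUSTSTORE_PASSWORD=.*|SSL_TRUSTSTORE_PASSWORD=${truststore_password}|g" install.properties
sudo sed -i "s|SSL_KEYSTORE_FILE_PATH=.*|SSL_KEYSTORE_FILE_PATH=${keystore_location}|g" install.properties
sudo sed -i "s|SSL_KEYSTORE_PASSWORD=.*|SSL_KEYSTORE_PASSWORD=${keystore_password}|g" install.properties

#Plugin install properties: JDBC jar, repository name, HBase install dir, Solr audit sink
sudo sed -i "s|SQL_CONNECTOR_JAR=.*|SQL_CONNECTOR_JAR=$installpath/$mysql_jar|g" install.properties
sudo sed -i "s|REPOSITORY_NAME=.*|REPOSITORY_NAME=hbasedev|g" install.properties
sudo sed -i "s|COMPONENT_INSTALL_DIR_NAME=.*|COMPONENT_INSTALL_DIR_NAME=/usr/lib/hbase|g" install.properties
sudo sed -i "s|XAAUDIT.SOLR.ENABLE=.*|XAAUDIT.SOLR.ENABLE=true|g" install.properties
sudo sed -i "s|XAAUDIT.SOLR.URL=.*|XAAUDIT.SOLR.URL=$SOLR_HTTP_URL/solr/ranger_audits|g" install.properties
sudo sed -i "s|XAAUDIT.SOLR.SOLR_URL=.*|XAAUDIT.SOLR.SOLR_URL=$SOLR_HTTP_URL/solr/ranger_audits|g" install.properties

#Filecache to write to local file system
sudo mkdir -p /var/log/ranger/audit/
# NOTE(review): world-writable so the plugin's service account can spool, but
# 777 also lets any local user alter or delete audit spool files.
sudo chmod -R 777 /var/log/ranger/audit/

#to solve java.lang.NoClassDefFoundError: org/apache/commons/configuration/Configuration
sed -i 's|jceks://file|localjceks://file|g' enable-hbase-plugin.sh

# Optional file-cache audit spool (the directory was prepared above).
if [[ "$install_cloudwatch_agent_for_audit" == "true" ]]; then
  sudo sed -i "s|XAAUDIT.FILECACHE.IS_ENABLED=.*|XAAUDIT.FILECACHE.IS_ENABLED=true|g" install.properties
  sudo sed -i "s|XAAUDIT.FILECACHE.FILE_SPOOL_DIR=.*|XAAUDIT.FILECACHE.FILE_SPOOL_DIR=/var/log/ranger/audit/|g" install.properties
  sudo sed -i "s|XAAUDIT.FILECACHE.FILE_SPOOL.ROLLOVER.SECS=.*|XAAUDIT.FILECACHE.FILE_SPOOL.ROLLOVER.SECS=30|g" install.properties
  sudo sed -i "s|XAAUDIT.FILECACHE.FILE_SPOOL.MAXFILES=.*|XAAUDIT.FILECACHE.FILE_SPOOL.MAXFILES=10|g" install.properties
fi

sudo -E bash enable-hbase-plugin.sh

# Make sure the HBase log files exist and are writable before the restart.
sudo touch -a /var/log/hbase/SecurityAuth.audit
sudo touch -a /var/log/hbase/hbase.log
sudo chmod 777 /var/log/hbase/SecurityAuth.audit || true
sudo chmod 777 /var/log/hbase/hbase.log || true

# Restart master and regionserver so the plugin is picked up.
sudo "$puppet_cmd" apply -e 'service { "hbase-master": ensure => false, }'
sudo "$puppet_cmd" apply -e 'service { "hbase-master": ensure => true, }'
sudo "$puppet_cmd" apply -e 'service { "hbase-regionserver": ensure => false, }'
sudo "$puppet_cmd" apply -e 'service { "hbase-regionserver": ensure => true, }'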