#!/bin/sh

# SPDX-FileCopyrightText: 2015 - 2020 Marek Marczykowski-Gorecki <marmarek@invisiblethingslab.com>
# SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: GPL-2.0-only

## Description: rewrite repositories definitions to be used with the cacher.
## It works for qubes that should be configured to use the cacher via Qrexec
## or Netvm (direct networking).
##
## Looping through files and testing their permissions (read, write) is better
## than finding a file and trying to sed it without knowledge, it is also
## beneficial as 'find' fails if file is not existent and sending all 'find'
## output to /dev/stderr is not great.
##
## Assigning the repositories files to '$@' avoids having to parse their names
## in case they contain spaces, newlines and other dangerous characters to the
## shell, it is also an easy way to use an array for /bin/sh.

set -eu

set_proxy_marker(){
  marker_begin_text="QUBES BEGIN"
  marker_end_text="QUBES END"
  marker_begin="### ${marker_begin_text} ###"
  marker_end="### ${marker_end_text} ###"
  proxy_file="${1}"
  proxy_options="${2}"

  if ! grep -q "^${marker_begin}$" "${proxy_file}"; then
    if grep -q "^${marker_end}$" "${proxy_file}"; then
      echo "Error: found marker ${marker_end_text} but not ${marker_begin_text} in ${proxy_file}" >&2
      echo "Fix the file by either removing both markers or adding missing ones and retry" >&2
      exit 1
    fi
    cp "${proxy_file}" "${proxy_file}.qubes-orig"
    echo "${marker_begin}" | tee -a "${proxy_file}" >/dev/null
    echo "${marker_end}" | tee -a "${proxy_file}" >/dev/null
  elif ! grep -q "^${marker_end}$" "${proxy_file}"; then
    echo "Error: found marker ${marker_begin_text} but not ${marker_end_text} in ${proxy_file}" >&2
    echo "Fix the file by either removing both markers or adding missing ones and retry" >&2
    exit 1
  fi

  proxy_tmp_file="$(mktemp)"
  cat >"${proxy_tmp_file}" <<EOF
# The text between ${marker_begin_text} and ${marker_end_text} is automatically
# generated by $0. All changes here will be overriden.
# You can override options after the ${marker_end_text}.
${proxy_options}
EOF

  ## Couldn't figure out how to write only changes on the next sed.
  if ! grep -q "${proxy_options}" "${proxy_file}"; then
    tee -a "${changes_file}" <"${proxy_tmp_file}" >/dev/null
  fi
  ## GNU Sed, only reliable while we don't support BSD.
  sed -i -e "/^${marker_begin}$/,/^${marker_end}$/{
    /^${marker_end}$/b
    /^${marker_begin}$/!d
    r ${proxy_tmp_file}
    }" "${proxy_file}"
  rm -f "${proxy_tmp_file}"
}

check_netvm_cacher(){
  proxy_host="127.0.0.1"
  proxy_port="8082"
  proxy_addr=""
  proxy_url=""
  proxy_conf=""
  if ! test -f /var/run/qubes-service/updates-proxy-setup; then
    return 0
  fi
  if test -f /var/run/qubes-service/netvm-cacher; then
    proxy_host="$(qubesdb-read /qubes-gateway)"
    if test -z "${proxy_host}"; then
      echo "Error: service netvm-cacher enabled but netvm IP was not found" >&2
      return 1
    fi
  fi
  proxy_addr="${proxy_host}:${proxy_port}"
  proxy_url="http://${proxy_addr}"
  proxy_conf="proxy=${proxy_addr}"
}

reject_os(){
  echo "${0##*/} does not support your Operating System distribution." >&2
  exit 1
}

# shellcheck disable=SC2317
set_proxy_os(){
  if test -e /etc/fedora-release; then
    ## Fedora

    if test -w /etc/dnf/dnf.conf; then
      set_proxy_marker /etc/dnf/dnf.conf "zchunk=False
${proxy_conf}"
    fi
    if test -n "${proxy_addr}"; then
      cat >/etc/yum.conf.d/qubes-proxy.conf <<EOF
${proxy_conf}
EOF
    else
      rm -f /etc/yum.conf.d/qubes-proxy.conf
    fi

    set --
    for repo in \
      /etc/yum.repos.d/*.repo
    do
      test -f "${repo}" || continue
      test -r "${repo}" || continue
      test -w "${repo}" || continue
      set -- "${@}" "${repo}"
    done
    test -n "${*}" || return 0

    case "${action}" in
      install)
        find "${@}" -type f -exec sed -i \
          -e "s|baseurl\s*=\s*https://|baseurl=http://HTTPS///|w ${changes_file}" \
          -e "s|metalink\s*=\s*https://|metalink=http://HTTPS///|w ${changes_file}" \
        {} \+

        set --
        for repo in \
          /etc/yum.repos.d/rpmfusion*.repo
        do
          test -f "${repo}" || continue
          test -r "${repo}" || continue
          test -w "${repo}" || continue
          set -- "${@}" "${repo}"
        done
        test -n "${*}" || return 0

        find "${@}" -type f -exec sed -i \
          -e "s|^\s*#.*baseurl|baseurl|w ${changes_file}" \
          -e "s|^\s*metalink\s*=\s*|#metalink=|w ${changes_file}" \
        {} \+
        ;;

      uninstall)
        find "${@}" -type f -exec sed -i \
          -e "s|baseurl\s*=\s*http://HTTPS///|baseurl=https://|w ${changes_file}" \
          -e "s|metalink\s*=\s*http://HTTPS///|metalink=https://|w ${changes_file}" \
        {} \+

        set --
        for repo in \
          /etc/yum.repos.d/rpmfusion*.repo
        do
          test -f "${repo}" || continue
          test -r "${repo}" || continue
          test -w "${repo}" || continue
          set -- "${@}" "${repo}"
        done
        test -n "${*}" || return 0

        find "${@}" -type f -exec sed -i \
          -e "s|^\s*baseurl|#baseurl|w ${changes_file}" \
          -e "s|^\s*#.*metalink\s*=|metalink=|w ${changes_file}" \
        {} \+ 2>/dev/null || true
        ;;
    esac

  elif test -e /etc/debian_version && test ! -e /usr/share/whonix/marker; then
    ## Debian and derivatives but not Whonix.

    if test -n "${proxy_addr}"; then
      cat >/etc/apt/apt.conf.d/50cacher-proxy <<EOF
# Use Cacher NetVM Update Proxy
Acquire::http::Proxy "${proxy_url}";
Acquire::tor::proxy "${proxy_url}";
EOF
    else
      rm -f /etc/apt/apt.conf.d/50cacher-proxy
    fi

    set --
    for repo in \
      /etc/apt/sources.list \
      /etc/apt/sources.list.d/*.list \
      /etc/apt/sources.list.d/*.sources
    do
      test -f "${repo}" || continue
      test -r "${repo}" || continue
      test -w "${repo}" || continue
      set -- "${@}" "${repo}"
    done
    test -n "${*}" || return 0

    case "${action}" in
      install)
        find "${@}" -type f -exec sed -i \
          -e "s|URIs:\s*https://|URIs: http://HTTPS///|w ${changes_file}" \
          -e "s|^\s*\(#*\)\s*deb\(.*\)https://|\1deb\2http://HTTPS///|w ${changes_file}" \
        {} \+
        ;;

      uninstall)
        find "${@}" -type f -exec sed -i \
          -e "s|URIs:\s*http://HTTPS///|URIs: https://|w ${changes_file}" \
          -e "s|^\s*\(#*\)\s*deb\(.*\)http://HTTPS///|\1deb\2https://|w ${changes_file}" \
        {} \+
        ;;
    esac

  elif test -e /etc/arch-release; then
    ## Archlinux

    if test -n "${proxy_addr}"; then
      if ! test -d /run/qubes/bin; then
        mkdir -p /run/qubes/bin
      fi
      cat >/run/qubes/bin/pacman <<EOF
#!/bin/sh
exec env ALL_PROXY="${proxy_url}" /usr/bin/pacman "\$@"
EOF
      chmod +x /run/qubes/bin/pacman
      cat >/etc/profile.d/qubes-proxy.sh << EOF
export PATH=/run/qubes/bin:\$PATH
EOF
    else
      rm -f /run/qubes/bin/pacman /etc/profile.d/qubes-proxy.sh
    fi

    set --
    for repo in \
      /etc/pacman.d/mirrorlist \
      /etc/pacman.d/*.conf \
      /etc/pacman.d/*.conf.disabled
    do
      test -f "${repo}" || continue
      test -r "${repo}" || continue
      test -w "${repo}" || continue
      set -- "${@}" "${repo}"
    done
    test -n "${*}" || return 0

    case "${action}" in
      install)
        find "${@}" -type f -exec sed -i \
          -e "s|Server\s*=\s*https://|Server = http://HTTPS///|w ${changes_file}" \
        {} \+
        ;;

      uninstall)
        find "${@}" -type f -exec sed -i \
          -e "s|Server\s*=\s*http://HTTPS///|Server = https://|w ${changes_file}" \
        {} \+
        ;;
    esac

  else
    ## Gentoo: upstream does not have a good solution:
    ##   https://wiki.gentoo.org/wiki/Local_distfiles_cache#Configuring_for_Gentoo
    reject_os
  fi
}

set_proxy_unspecific_os(){
  if test -w /etc/PackageKit/PackageKit.conf; then
    set_proxy_marker /etc/PackageKit/PackageKit.conf "ProxyHTTP=${proxy_url}"
  fi
}

usage(){
  echo "Usage: ${0##*/} [install|uninstall]"
  echo "Note: autodetection occurs if not argument is specified"
  exit 1
}

changes_file="$(mktemp)"
trap 'rm -f "${changes_file}"' HUP INT QUIT ABRT EXIT

if test -f /var/run/qubes-service/updates-proxy-setup ||
  test -f /var/run/qubes-service/netvm-cacher
then
  action="install"
else
  action="uninstall"
fi

case "${1-}" in
  install|uninstall) action="${1}";;
  "") ;;
  *) usage;;
esac

if test "$(id -u)" != "0"; then
  echo "Error: Permission denied, action requires root privileges."
  exit 1
fi

check_netvm_cacher
set_proxy_os
set_proxy_unspecific_os

## Stateful Salt cmd Module.
echo
if test -s "${changes_file}"; then
  echo "changed=yes comment='configuration was modified'"
else
  echo "changed=no comment='configuration remained untouched'"
fi
exit