#!/usr/bin/sh -e
#
# Generate a new random password for the database
#

if [ "$(id -u)" != "0" ]
then
    echo "This command must be run as root."
    exit 1
fi


TMPBASE=${TMP:=/tmp}/$(basename $0).$$

cleanup()
{
    rm -rf $TMPBASE*
}
trap cleanup EXIT


[ -t 0 -a -t 1 -a -t 2 ] && INTERACTIVE=true || INTERACTIVE=false


DATABASE="pscheduler"
ROLE="pscheduler"
PASSWORDFILE="/etc/pscheduler/database/database-password"
DSNFILE="/etc/pscheduler/database/database-dsn"
PGPASSFILE="//etc/pscheduler/database/pgpassfile"


# Generate the new password and write it to the config files

# Make a file that's safe from prying eyes
protected()
{
    rm -rf "$@"
    touch "$@"
    chmod 600 "$@"
    chown pscheduler:root "$@"
}


# Password
protected "${PASSWORDFILE}"
(< /dev/urandom tr -dc _A-Za-z0-9 | head -c64 && echo) >> "${PASSWORDFILE}"

# DSN
protected "${DSNFILE}"
cat >> "${DSNFILE}" <<EOF
dbname=${DATABASE} user=${ROLE} password=$(cat "${PASSWORDFILE}")
EOF

# Pg Password
protected "${PGPASSFILE}"
cat >> "${PGPASSFILE}" <<EOF
*:*:${DATABASE}:${ROLE}:$(cat "${PASSWORDFILE}")
EOF


# Change it in the database

# Don't use protected for this.  We own it.
ROLESQL="${TMPBASE}.rolesql"
touch "${ROLESQL}"
chmod 600 "${ROLESQL}"

cat >> "${ROLESQL}" <<EOF
DO \$\$
BEGIN
    PERFORM pg_terminate_backend(pg_stat_activity.pid)
    FROM pg_stat_activity
    WHERE
        pg_stat_activity.datname = '${DATABASE}'
        AND usename = '${ROLE}'
        AND pid <> pg_backend_pid()     -- Not this connection
        AND application_name <> 'psql'  -- Not interactive sessions
        ;
END;
\$\$ LANGUAGE plpgsql;
EOF

printf "ALTER ROLE ${ROLE} WITH PASSWORD '" > "${ROLESQL}"
tr -d "\n" < "${PASSWORDFILE}" >> "${ROLESQL}"
printf "';\n"  >> "${ROLESQL}"

postgresql-load "${ROLESQL}"

if $INTERACTIVE
then
    cat <<'EOF'
Password changed.

Note that this program is intended for use during installation and
upgrades.  Using it manually requires that the pScheduler services and
Apache be restarted manually.
EOF
fi
