#!/bin/bash

CONFIG=${CONFIG:=/etc/puppet/cosmos-modules.conf}
LOCALCONFIG=${LOCALCONFIG:=/etc/puppet/cosmos-modules_local.conf}
CACHE_DIR=/var/cache/puppet-modules
MODULES_DIR=${MODULES_DIR:=/etc/puppet/cosmos-modules}
export GNUPGHOME=/etc/cosmos/gnupg

python -c "import yaml" 2>/dev/null || apt-get -y install python-yaml

bold='\e[1m'
reset='\e[0m'
red='\033[01;31m'

stage_module() {
  rm -rf $CACHE_DIR/staging/$1
  git archive --format=tar --prefix=$1/ $2 | (cd $CACHE_DIR/staging/ && tar xf -)
}

if [ -f $CONFIG -o $LOCALCONFIG ]; then
  if [ ! -d $MODULES_DIR ]; then
    mkdir -p $MODULES_DIR
  fi
  if [ ! -d $CACHE_DIR ]; then
    mkdir -p $CACHE_DIR/{scm,staging}
  fi

  test -f $CONFIG || CONFIG=''
  test -f $LOCALCONFIG || LOCALCONFIG=''

  # First pass to clone any new modules, and update those marked for updating.
  grep -h -E -v "^#" $CONFIG $LOCALCONFIG | sort | (
    while read module src update pattern; do
      # We only support git:// urls and https:// urls atm
      if [ "${src:0:6}" = "git://" -o "${src:0:8}" = "https://" ]; then
        if [ ! -d $CACHE_DIR/scm/$module ]; then
          git clone -q $src $CACHE_DIR/scm/$module
        elif [ -d $CACHE_DIR/scm/$module/.git ]; then
          if [ "$update" = "yes" ]; then
            cd $CACHE_DIR/scm/$module
            if [ "$src" != "$(git config remote.origin.url)" ]; then
              git config remote.origin.url $src
            fi
            git pull -q
          else
            continue
          fi
        else
          echo -e "${red}ERROR: Ignoring non-git repository${reset}"
          continue
        fi
      elif [[ "$src" =~ .*:// ]]; then
        echo -e "${red}ERROR: Don't know how to install '${src}'${reset}"
        continue
      else
        echo -e "${bold}WARNING - attempting UNSAFE installation/upgrade of puppet-module ${module} from ${src}${reset}"
        if [ ! -d /etc/puppet/modules/$module ]; then
          puppet module install $src
        elif [ "$update" = "yes" ]; then
          puppet module upgrade $src
        fi
      fi
    done
  )

  # Second pass to verify the signatures on all modules and stage those that
  # have good signatures.
  grep -h -E -v "^#" $CONFIG $LOCALCONFIG | sort | (
    while read module src update pattern; do
      # We only support git:// urls atm
      if [ "${src:0:6}" = "git://" -o "${src:0:8}" = "https://" ]; then
        # Verify git tag
        cd $CACHE_DIR/scm/$module
        TAG=$(git tag -l "${pattern:-*}" | sort | tail -1)
        if [ "$COSMOS_VERBOSE" = "y" ]; then
          echo -e "Checking signature on puppet-module:tag ${bold}${module}:${TAG}${reset}"
        fi
        if [ -z "$TAG" ]; then
          echo -e "${red}ERROR: No git tag found for pattern '${pattern:-*}' on puppet-module ${module}${reset}"
          continue
        fi
        git tag -v $TAG &> /dev/null
        if [ $? == 0 ]; then
          #if [ "$COSMOS_VERBOSE" = "y" ]; then
          #  # short output on good signature
          #  git tag -v $TAG 2>&1 | grep "gpg: Good signature"
          #fi
          # Put archive in staging since tag verified OK
          stage_module $module $TAG
        else
          echo -e "${red}FAILED signature check on puppet-module ${module}${reset}"
          git tag -v $TAG
	  echo ''
        fi
      fi
    done
  )

  # Cleanup removed puppet modules from CACHE_DIR
  for MODULE in $(ls -1 $CACHE_DIR/staging/); do
    if ! grep -h -E -q "^$MODULE\s+" $CONFIG $LOCALCONFIG; then
      rm -rf $CACHE_DIR/{scm,staging}/$MODULE
    fi
  done

  # Installing verified puppet modules
  rsync --archive --delete $CACHE_DIR/staging/ $MODULES_DIR/
fi