build_server_tree

#!/usr/bin/env bash


# zzzxxx why the http2 message in error log?
# commend out current line and uncomment out
#    #LoadModule mpm_event_module modules/mod_mpm_event.so
# in /etc/httpd/conf.modules.d/00-mpm.conf
# per https://www.youtube.com/watch?v=zT2iCk7-HLs
# Step 3:
# cd /etc/httpd/conf
# vim httpd.conf
# 
# Add the below lines to bottom of the page:
# Protocols h2 http/1.1
# Protocols h2 h2c http/1.1
# 
# 
# Step 4:
# sudo service httpd restart
# sudo service mysqld restart
# 
# 
# Step 5:
# Ensure your website is still up and running without any issues
# 
# Check if HTTP/2 is successfully enabled using the below website:
# https://http2.pro/


# xxx change from filval to File::Slurp ?

# xxx add SNACC account? (to deal with this thing once and for all, since
#     EZID's batch interface probably won't ever support bulk minting

# xxxx bug: $sstub/apachebase.t fails on machines where only ports 80 and 443
#      are open; also t/service_n2t.t
# yyy ?move wegn and wegnpw from n2t repo into the eggnog repo
#      esp. as ApacheTester (and soon t/* tests) rely on them
#      don't forget that init.d/apache relies on wegn too.
# XXXX bug: two populators can't have binder of the same name
#      fix: change binders path to start binders/<populator>/<bindername>
#        instead of binders/<bindername>
# xxx add 1>&2 to error messages throughout (beyond first section)

# xxx don't listen on 80, assume portforwarding always
# XXX add this instruction/advice to make_instance?
# From stackoverflow
#How to stop apache permanently on mac Mavericks?
#Try this:
#   sudo launchctl unload -w /System/Library/LaunchDaemons/org.apache.httpd.plist
#This will stop a running instance of Apache, and record that it should
#not be restarted. It records your preference in
#/private/var/db/launchd.db/com.apple.launchd/overrides.plist.

# XXX see man sysctl and look at net.inet.ip.forwarding
# XXXX bug: fix timing of initializing rewrite2-server for n2t as a separate
#     step from creating N2T binders

evarnames=(
	PERL5LIB EGNAPA_TOP
	EGNAPA_BUILDOUT_ROOT EGNAPA_BINDERS_ROOT EGNAPA_MINTERS_ROOT
)
declare -x ${evarnames[@]}
# yyy review these vars -- are they still so special?

[[ -f ~/warts/env.sh ]] &&
	source ~/warts/env.sh

# Begin by making guesses as to your hostname and Apache instance,
# which will inform some of the help/usage information we may end up
# printing on early exit.
#
# First set values for $uname (OS name) and $host (fully qualified hostname).

uname=$( uname -a )		# get name of operating system (OS)
aws=				# XXX hack supporting $sstub/n2t
# on SLES, uname -a returns: Linux
# on EC2, uname -a returns: Linux.*amzn
[[ "$uname" =~ .*amzn.* ]] &&		# hack indicating if we're
	aws=1				# on an Amazon ec2 instance
# yyy?? I guess this means caller can set this on the way in
# on Mac, hostname -f returns: jak-macbook.local
# on EC2, hostname -f returns: ias-n2t-dev.cdlib.org
# on SLES, hostname -f returns: cdl-n2tpre-p01.ucop.edu
# on Solaris, hostname -f returns: error
#
host=$EGNAPA_HOST		# EGNAPA_HOST typically set in .bashrc
[[ "$host" ]] || {		# try for some platform independence
	host=$( hostname -f 2> /dev/null ) || {	# fails on Solaris
		host=$( hostname )
		#host+='.cdlib.org'		# XXX kludge
	}
}


# Then set value for $aptop (top-level apache2 root of public-facing server).
## Then set value for $aptop (top-level apache2 directory).
#
# Look for the first instance of apache2 that we can find; use it as our
# best guess for EGNAPA_TOP
# yyy is this . and .. search the best approach given $sv on the Mac?
#
aptop=$EGNAPA_TOP
[[ "$aptop" ]] || {
	dirs=( ` sed -e 's/:/ /g' -e 's,\([^ ]*\)/bin,\1 \1/etc,g' <<< $PATH ` )
	for d in . .. ${dirs[*]}
	do
		#echo d was $d
		d=$( sed 's,$,/apache2,' <<< $d )
		#echo d is $d
		[[ -d $d ]] && {
			aptop=$( cd $d && pwd -P )
			[[ "$aptop" ]] &&
				break
		}
	done
}

#
# When we get here, $aptop and $host will have either a caller-defined
# value or our best guess for a value. xxx document
#

# Initialize global variables and source the appropriate .cfg file.

src_top=`pwd -P`		# use -P because we don't want symlinks

function usage {
	cat << EOT

USAGE
    $0 [ --public ] Command ConfigDir

COMMANDS

  make   - build out-of-date parts of a server config tree for testing
  build  - force build of entire server config tree for testing purposes
  check  - check if server config tree is built and exit 0 if so
  env    - output bash config settings for ingest by others, eg, Perl
  which_pswdfile
         - output name of password file to be used (real or repo)
  cert   - create self-signed certificate only; side-effect of build
  help   - show this documentation

EXAMPLES
    $0 build web
    $0 build n2t

DESCRIPTION

  This script must be called from the eggnog source directory. It is usually
  run via File::ApacheTester::prep_server() with the "make" sub-command.
  $0 builds the filesystem pieces needed to test and
  run a binder/minter/resolver web service under an Apache HTTP Server.
  It creates essential server files in a temporary directory without
  altering existing non-test data or server log and configuration files.

  Most of the script runs after changing the current directory to
  \$buildout_root, with the current source directory available as \$src_top.
  
  If the optional --public option is given, the script creates versions of
  those server files (in a separate temporary directory) designed to work
  with the public-facing server.  These files are meant to be copied by the
  caller into the public server's Apache subdirectory when upgrading.
  
  The prep_server() call itself is meant to appear near the beginning of Perl
  test suites such as t/apachebase.t and t/service_n2t.t. Before calling, the
  suite should declare a server configuration directory, \$cfgdir.  There, a
  configuration file, \$cfgdir/build_server_tree.cfg, may set values for some
  of the script control variables if it wishes, notably defining users and
  XXXX passwords via a pwdfile variable, augmenting the $checkfiles
  array of files whose modification will trigger a rebuild.  See comments in
  the supplied examplar files for more information.
  
  Another configuration file, \$cfgdir/minder_builder.cfg, defines minters,
  binders, and base server documents (if any).  See comments for more.
  
  The caller can change this script's behavior by setting some environment
  variables before invoking it.  Use the optional variables below to set a
  specific hostname, Apache server directory, or SSL certificate (but only
  specify a chainfile if there is one).

xxx update encouraging reliance on warts/env.sh settings
xxx sysap     system apache root
    EGNAPA_TOP              public-facing server root eg, /etc/apache2
    EGNAPA_HOST             eg, n2t.net
    EGNAPA_SSL_KEYFILE      eg, ~sam/ssl/2019-07-19/fran.key
    EGNAPA_SSL_CERTFILE     eg, ~sam/ssl/2019-07-19/fran.crt
#    EGNAPA_SSL_CHAINFILE    eg, ~sam/ssl/2019-07-19/gd_bundle-g2-g1.crt

  Some other important variables are

    EGNAPA_BUILDOUT_ROOT    config files we build to complement EGNAPA_TOP
    EGNAPA_SRVREF_ROOT      final place from which files are referenced on
                            the running server (built vs running after copy)

  The script itself re-exports these control variables to the environment:

    export \\
	EGNAPA_TOP=\$aptop \\
	EGNAPA_HOST=\$host \\
	EGNAPA_PORT_HPA=\$port_hpa \\
	EGNAPA_PORT_HPAS=\$port_hpas \\
	EGNAPA_PORT_HPR=\$port_hpr \\
	EGNAPA_PORT_HPRS=\$port_hprs \\
	EGNAPA_SRVREF_ROOT=\$srvref_root \\
	EGNAPA_BUILDOUT_ROOT=\$buildout_root \\
	EGNAPA_BINDERS_ROOT=\$binders_root \\
	EGNAPA_MINTERS_ROOT=\$minters_root \\
	EGNAPA_SHOULDERS_ROOT=\$shoulders_root

EOT
}

# Basic argument and environment variable sanity checks.

pubflag=
if [[ $1 == --public ]]; then
	pubflag=1
	shift
elif [[ $1 =~ ^-- ]]; then
	echo "Error: unrecognized option: $1" 1>&2
	usage 1>&2
	exit 1
fi

cmd=$1
[[ "$cmd" ]] || {
	usage
	exit
}

cfgdir=$2
[[ "$cfgdir" ]] || {
	echo Error: missing ConfigDir argument. 1>&2
	usage 1>&2
	exit 1
}

EGG=""
service="$cfgdir"		# yyy "service" is the better var name
export EGG+=" --service $service "

# Needed for first rollout, before there's any may be eggnog_conf file
# (which would override it if it existed).
export EGNAPA_SERVICE="$service"

# Each build has a "signature" so we can run tests twice in a row without
# rebuilding, but we make sure to rebuild if the signature doesn't match.
#
cfgphrase="file \"$cfgdir\""		# "signature" of build

#bst_root=$src_top/$cfgdir		# "build_server_tree root"

sstub=t				# service config stub directory, eg, $sstub/n2t
bst_root=$src_top/$sstub/$cfgdir		# "build_server_tree root"
cfgfile=$bst_root/build_server_tree.cfg

hconf=httpd.conf

# Usage: is_build_out_of_date ConfigRoot
# Echoes empty string and returns 0 if not out of date, else
# echoes names of file newer than the $fqhconf file and returns 1.
#
# This is only part of the test for out-of-datedness. yyy
#
function is_build_out_of_date {

	local fqhconf=$1/conf/$hconf

	# (note grep -q won't stay quiet in case $fqhconf doesn't exist)
	grep "$sstub/$cfgdir" $fqhconf > /dev/null 2>&1 || {
		echo "server needs to be (re)built for $cfgdir"
		return 1
	}
	local out_of_date=$( find $bst_root -newer $fqhconf )
	#ls -l $0 $fqhconf 1>&2
	[[ $0 -nt $fqhconf ]] &&
		out_of_date=( $0 ${out_of_date[*]} )
	[[ ${out_of_date[0]} ]] || {
		echo ''			# good return -- not out of date
		return 0
	}
	echo "Server needs to be rebuilt, as these have changed:"
	for i in ${out_of_date[*]}
	do
		echo "    $i"
	done
	return 1
}

[[ ! $cmd || $cmd == help ]] && {
	usage
	exit 0
}

[[ -f Makefile.PL ]] || {
	echo "Error: should be called from eggnog module source directory" 1>&2
	usage 1>&2
	exit 1
}

[[ "$sv" ]] || {
	echo 'An SVU mode must be in effect, eg, "svu cur" or "svu new".' 1>&2
	echo 'Type "svu" for details.' 1>&2
	exit 1
}

#
# Configuring.
#

# Initialize with default settings, which may be very usefully changed
# as a side-effect of processing $cfgfile.  Eg, the $checkfiles array may
# be augmented with names of password files, and $buildout_root may have
# a whole new value.  Most of the interesting local variables follow.

# Paths that we use directly here to _create_ files.
#
buildout_root=$src_top/td_egnapa
[[ $pubflag ]] &&
	buildout_root=$src_top/td_egnapa_public

# Paths for all files that this script creates descend from $buildout_root.
#
# The script should never alter anything in $EGNAPA_TOP.
# This works fine for testing purposes, but when --public is specified,
# files that we create will later be moved (not by this script) under $aptop,
# and in order for them to work there, the paths that we insert into those
# files are set to reference files under $aptop (in advance of the move).
# Variable names of the form *ref_root are intended to work correctly as
# references in the ordinary and the --public cases.

srvref_root=$buildout_root
[[ $pubflag ]] &&
	srvref_root=$aptop

# ddddd sslref_root should no longer be needed, right?
#ssl_root=$buildout_root/ssl
# ddddd sslref_root does appear to host pwdfiles though, so we may need a
#       pwdfileref_root var (set to conf/
#sslref_root=$srvref_root/ssl

# yyy should be .../dvN?
pwdfile_root=$buildout_root/conf
pwdfref_root=$srvref_root/conf
binders_root=$buildout_root/binders
bdrsref_root=$srvref_root/binders
minters_root=$buildout_root/minters
mtrsref_root=$srvref_root/minters
shoulders_root=$buildout_root/shoulders
shdrsref_root=$srvref_root/shoulders
prefixes_root=$buildout_root/prefixes	# xxx drop? change?
# see also: $cgiref_egg

document_root=$srvref_root/htdocs	# paths referenced in files
ruu_document_root=$srvref_root/htdocs/ruu.app
rmap_root=$srvref_root/htdocs/a		# more paths referenced

template_root=$src_top/$sstub/$cfgdir	# paths to build input files

# ddddd  once these locations aren't used any longer for self-signed
#         certs, now where do generated password files go?  A: conf/
# ddddd set sslcert et al to EGNAPA_SSL_CERTFILE et al
#    ?? what about ...ref vars?
sslcert=$EGNAPA_SSL_CERTFILE
sslcertkey=$EGNAPA_SSL_KEYFILE
#sslchain=$EGNAPA_SSL_CHAINFILE

#sslcertref=$sslref_root/server.crt
#sslcertkeyref=$sslref_root/server.key
#sslchainref=
#cp -p $EGNAPA_SSL_CERTFILE $sslcert
#cp -p $EGNAPA_SSL_KEYFILE $sslcertkey
#[[ $EGNAPA_SSL_CHAINFILE ]] && {	# if there's a chain file
#	cp -p $EGNAPA_SSL_CERTFILE $EGNAPA_SSL_CHAINFILE

#sslcert=$ssl_root/server.crt
#sslcertkey=$ssl_root/server.key
#sslchain=
#sslcertref=$sslref_root/server.crt
#sslcertkeyref=$sslref_root/server.key
#sslchainref=

rotatelogs="/usr/sbin/rotatelogs -l"
#rotatelogs="$aptop/bin/rotatelogs -l"
weekly=604800				# number of seconds in a week
let monthly=(604800 * 4)		# actually, just 4 weeks

# The working directory we chdir to from inside scripts.  This value will
# change in the --public case.

scripts_wd=$src_top
[[ $pubflag ]] &&
	scripts_wd=$aptop

# Flags we pass to Perl when invoked from CGI scripts.  This value will
# change in the --public case.

# zzz pull 'td' string from Perl source definition? else not DRY
tda=td		# binder name qualifier for --testdata; protects public binders

perl_args="perl -Mblib"
#tda_arg="--testdata $tda"
isolation_arg="--testdata $tda"
[[ $pubflag ]] && {
	perl_args=""
	isolation_arg="--isolator public"
#	tda_arg="--isolator public"
}

# There are 3 categories of port pairs (http and https):
#   $port_hpa     http public-access (what you advertize)
#   $port_hpas    https public-access (what you advertize)
#   $port_hpr     http public-receive (what you receive on,
#			eg, after port-forwarding or load balancer)
#   $port_hprs    https public-receive (what you receive on,
#			eg, after port-forwarding or load balancer)
#   $port_hts     http test server
#   $port_htss    https test server
#
port_hts=8082
port_htss=8083
port_hpa=$port_hts
port_hpas=$port_htss
port_hpr=$port_hts
port_hprs=$port_htss
[[ $pubflag ]] && {
	port_hpa=80	# xxx var unused
	port_hpas=443	# xxx var unused
	port_hpr=18880
	port_hprs=18443
}

# usage: which_pswdfile
#
# Returns (via stdout) filename to be used as pswdfile.  This is the
# mechanism that permits real passwords to be stored outside of the
# source code repository.  Relies on global $cfgdir being defined.
# Other scripts rely on this output (eg, wegnpw).
#
# It first tries $HOME/warts/.pswdfile.$cfgdir.  If and only if that file
# does not exist, it tries "$sstub/$cfgdir/pswdfile" in the eggnog source.
#
function which_pswdfile {

	# First try for fully qualified config file.
	#
	fqconf=$HOME/warts/.pswdfile.$cfgdir
	[[ -f $fqconf ]] && {
		chmod 600 $fqconf	# make sure it's not readable to most
		echo $fqconf
		return 0		# success
	}

	# Second try.  This time we'll look in the source tree.
	fqconf=$bst_root/pswdfile
	[[ -f $fqconf ]] && {
		echo $fqconf
		return 0		# success
	}

	# failure
	return 1
}

# yyy properly add pwdfiles to checkfiles
# yyy is $bst_root/pswdfile even used any more?

checkfiles=(
	htdocs/a conf/$hconf $sslcert
	eggnog_conf_default
	$HOME/warts/env.sh
	$HOME/warts/.pswdfile.$cfgdir $bst_root/pswdfile
)

egpath=$PERL_INSTALL_BASE/bin:/bin:/usr/bin:/sbin:/usr/sbin
[[ "$PERLBREW_PATH" ]] &&	# modify base path if perlbrew is there,
	egpath=$PERLBREW_PATH:$egpath		# eg, for Mavericks/Mac OSX

[[ -f $cfgfile ]] || {
	echo "Error: $cfgfile: build_server_tree configuration" \
		"file not found" 1>&2
	exit 1
}

#[[ -f $cfgfile ]] || {
#	echo -n "Error: " 1>&2
#	if [[ "$cfgdir" ]]; then	# xxx problematic logic
#		echo "no ConfigDir argument" 1>&2
#	else
#		echo "$cfgfile: build_server_tree configuration file not found" 1>&2
#	fi
#	usage
#	exit 1
#}

source $cfgfile		# configure this build_server_tree script
			# yyy barely necessary with pswdfile separate

which_pswdfile=$( which_pswdfile )	# find password information

[[ $cmd == which_pswdfile ]] && {
	echo $which_pswdfile
	exit
}
# ok to output human readable messages now that that command has returned

[[ "$which_pswdfile" ]] || {
	echo "Error: no password file found in either warts or source" \
		"Config ($fqconf)." 1>&2
	exit 1
}

source $which_pswdfile		# configure password information
chmod go= $bst_root/pswdfile	# kill all perms except the owner's

echo Configured $cfgdir in $buildout_root.

# This script calls egg, and we want the latest -Mblib and cleanest, eg,
# XXX does this do anything?
export EGG="--home $buildout_root"	# wrt default config and prefixes

#export NOG="--home $build_root"     # yyy later?

# Done with configuring.  Now set environment variables based on latest
# that this script sets by default and that the config file overrode.

export \
	EGNAPA_TOP=$aptop \
	EGNAPA_HOST=$host \
	EGNAPA_PORT_HPA=$port_hpa \
	EGNAPA_PORT_HPAS=$port_hpas \
	EGNAPA_PORT_HPR=$port_hpr \
	EGNAPA_PORT_HPRS=$port_hprs \
	EGNAPA_SRVREF_ROOT=$srvref_root \
	EGNAPA_BUILDOUT_ROOT=$buildout_root \
	EGNAPA_BINDERS_ROOT=$binders_root \
	EGNAPA_MINTERS_ROOT=$minters_root \
	EGNAPA_SHOULDERS_ROOT=$shoulders_root

#	EGNAPA_PREFIXES_ROOT=$prefixes_root 
# yyy Something equivalent could be achieved, probably, with just shell
#     variable instead of environment variables.
# The "env" command (a) lets us see what configuration actually did and
# (b) provides non-bash processes (eg, Perl) with the ability to re-parse
# the settings for themselves in an easy, generic, label=value format.
#
[[ $cmd == env ]] && {

	# Print bash config settings for non-bash processes and exit

	echo Configuration settings after reading $cfgfile:
	env
	#set
	exit 0
}

# NB: this "egg cfq" is an expensive call (0.7 seconds), which can really
#     slow down the wegn and wegnpw scripts when they call this script;
#     so we move the call as late as we can
# yyy question: would EGNAPA_HOST_CLASS be missed from the "env" output?
#     and if so, how would we speed this up?
# XXX should EGNAPA_HOST_CLASS be set again (as before) in warts/env.sh,
# especially because we have installation probz during first rollout, when
# there's no eggnog_conf already installed?
# >>> trial: semi-kludge to override --home setting from EGG env var (since
#     that home dir setting doesn't exist yet) by using an explicit --home
#     arg pointing into the source tree so that config file is found;
#     instead probably should add new "--config file" arg to egg

# kludgy fake home directory
class=$( perl -Mblib egg --home $bst_root cfq class )
#class=$( perl -Mblib egg cfq class )

ruuapp=$( perl -Mblib egg --home $bst_root cfq vhost_ruuapp )

[[ "$class" != "$EGNAPA_HOST_CLASS" ]] && {
	echo "WARNING: configured host class ($class) differs from that" \
		"in ~/warts/env.sh ($EGNAPA_HOST_CLASS)"
	export EGNAPA_HOST_CLASS="$class"
}

[[ "$aptop" ]] || {
	echo Error: could not find apache2 on your system.
	exit 1
}

# XXX needed?
let errs=0
for i in ${evarnames[@]}
do
	[[ ${!i} ]] || {
		let errs++
		echo "$i not defined"
	}
done
[[ $errs > 0 ]] &&
	exit 1

# xxx true in Apache 2.4?
[[ ! $EGNAPA_TOP =~ ^/ || ! -d $EGNAPA_TOP/conf ]] && {
	echo "EGNAPA_TOP ($EGNAPA_TOP) must be a full pathname to an" \
		"Apache server root directory."
	usage
	exit 1
}

egg_dbie=
[[ "${EGG_DBIE:-}" ]] && {
	egg_dbie="$EGG_DBIE"
	[[ "$egg_dbie" =~ e ]] && {			# if exdb case
		mg status > /dev/null || {		# yyy assume mongo
			echo "error: database daemon not running;" \
				"did you do \"mg start\"?" 1>&2
			exit 1;				# bail out
		}
	}
}

#export LC_ALL=C				# to deal with unicode errors

out_of_date_msg=$( is_build_out_of_date $buildout_root )

# xxx to do: add prefixes to "n2t backup"
# Get a list of changed files or any error messages. Ignore status code which
# normally returns status 1 (fail) rebuilding isn't needed.

prefixes_need_rebuilding=$( pfx onboard 2>&1 )

# If it wasn't found out of date on the first test, do a second test.

if [[ ! "$out_of_date_msg" ]]
then
	checkdir=$buildout_root
	#( cd $checkdir; ls ${checkfiles[*]} > /dev/null 2>&1 ) || 
	chkr=$( cd $checkdir; ls ${checkfiles[*]} 2>&1 )
	# yyy not using $chkr
	if [[ $? -ne 0 ]]
	then
		out_of_date_msg="Server needs to be rebuilt, as some of these "
		out_of_date_msg+="checkfiles are missing:"
		for i in ${checkfiles[*]}
		do
			[[ -e "$checkdir/$i" ]] ||
				out_of_date_msg+=$'\n'"    $i"
		done
	#elif [[ "$prefixes_need_rebuilding" ]]
	#then
	#	echo "Prefixes file, not server itself, needs rebuilding."
	else
		echo "Server does not need to be rebuilt." \
			"yyy maybe minters don't need it too"
	fi
fi

[[ $cmd == check ]] && {	# handle the "check" sub-command and return
	[[ $out_of_date_msg ]] && {
		echo "$out_of_date_msg"
		exit 1
	}
	[[ "$prefixes_need_rebuilding" ]] && {
		echo "The prefixes file needs rebuilding."
		exit 1
	}
	echo Server in $checkdir is already built out.
	exit 0
}

rwplus=$buildout_root/conf/rewrite2-server.conf

chmod go= $bst_root/minder_builder.cfg	# make sure most perms are turned off
source $bst_root/minder_builder.cfg

function makebinder {	# args: binder name and owner (populator)
	bname=$1
	owner=$2

	[[ -d $binders_root/$bname ]] && {
		echo -n "(Skipping existing binder $binders_root/$bname.) "
		return 0
	}
	# We always use -Mblib here because we may need the latest and
	# greatest egg to complete the transition we're working towards.
	# yyy is it safe to use -Mblib always?

# zzz test that we can't rmbinder with --isolator public
	local args	# NB: --testdata needed to shield production DBs!!
	# This should ALWAYS use -testdata arg, never --isolator public,
	# because that would accidentally remove public-facing binders.
	args=( -p "$binders_root" --user "$owner" --testdata $tda )

		#perl -Mblib egg "${args[@]}" --force brm $bname; \
	(cd $src_top; \
		perl -Mblib egg "${args[@]}" --force rmbinder $bname; \
		perl -Mblib egg "${args[@]}" mkbinder $bname) || {
		    echo -n "(Problem creating $owner's binder \"$bname\".) "
		    return 1
	}
	return 0
}

# xxx test with minters
# xxx why does .../ark: not found show in error log?
# xxx document how all this works, eg, $2 names a populator's binder,
#      and $1 is a binder script path that triggers a populator-specific
#      authn realm and password file, and it is (?) symlinked so that it
#      will actually be executed as a script
#binder_new="${script_px}egg? --api -d $binders_root/"'$1 $2'
# yyyxxx minter_* untested; should include whole prefix in minter name, eg,
#     ark/99999/fk4  (for disambiguating shoulders)
# https://*.*.*/a/ezid/m?<M>.mint N	# api to ezid minter M
#cat << EOT >> $hconf


# Create minters, removing existing minters first if need be.
# First arg is populator
# and second arg is a comma-separated list of fqshoulders.  A fqshoulder
# (fully qualified shoulder) is of the form scheme:/*naan/shoulder.
# (yyy right now populator has exclusive use of a set of minters, but
# maybe that's not nuanced enough? is there a need for minters shared
# between populators?)
#
function makeminter {		# pass in populator and minter names as args
	local populator=$1 retstatus=0
	local shdrparts scheme naan shdr mname

	# Note: $2 looks like   ark:/99999/fk4,doi:5072/fk4
	for i in ` sed 's/, */ /g' <<< $2 `	# break list items at commas
	do
		shdrparts=( ` sed -e 's,:/*, ,' -e 's,/, ,' <<< $i ` )
		scheme=${shdrparts[0]}
		naan=${shdrparts[1]}
		shdr=${shdrparts[2]}
		mname=$minters_root/$populator/$scheme/$naan/$shdr
		shortmname=$scheme/$naan/$shdr

		# Important to invoke mkminter with $naan/$shdr as the
		# shoulder rather than pushing $naan into the -p path; that
		# way the check digit will be computed over "$naan/$shdr"
		# rather than just over $shdr.
		#
		# We always use -Mblib here because we may need the latest and
		# greatest nog to complete the transition we're working towards.
		#
		(cd $src_top; perl -Mblib nog -p \
				$minters_root/$populator/$scheme \
				mkminter $naan/$shdr) || {
			echo -n \
			  "(Problem creating minter \"$naan/$shdr\" ($mname).) "
			retstatus=1
			continue
		}
	done
	return $retstatus
}

# Make generic minders sufficient for testing.  Note that it doesn't make
# or initialize custom minders as determined by the ConfigDir setting.
# It won't complain and won't overwrite existing (eg, custom) binders,
# in part because it is often called right after removing everything.
# Minters and binders defined in $sstub/*/minder_builder.cfg.
#
function make_minders {

	local b n m

	echo -n "Creating proto-binders: "
	n=0
	for b in ${binders[*]}
	do
		makebinder $b ${populators[$n]} && echo -n "$b "
		let n++
	done
	echo ""

	echo -n "Creating proto-minters: "
	n=0
	for m in ${minters[*]}
	do
		# xxx this nicely creates the ark subdir, but is it best way to
		#     officially create it?
		makeminter ${populators[$n]} $m && echo -n "$m "
		let n++
	done
	echo ""
}

# If we got the "make" sub-command while the server is up-to-date, all we
# need to do is to possibly rebuild prefixes, and then rebuild minters,
# binders (which each maintain state that is altered by testing) to keep
# the next round of tests clean.

[[ $cmd == make && ! $out_of_date_msg ]] && {

	[[ "$prefixes_need_rebuilding" ]] && {
		echo Prefix rebuild triggered by: \
			"${prefixes_need_rebuilding[@]}"
		pfx build || {
			echo "Could not rebuild prefixes" 1>&2
			exit 1
		}
	}
	# We would normally leave now that we know the server isn't out
	# of date, but first we have to re-set a few things.
	#
	echo Initializing minters, binders, and logs so that tests run clean.
	rm -fr $buildout_root/{bind,mint}ers/* $buildout_root/logs/*_log
	make_minders > /dev/null	# not so interesting on "make"
	exit 0
}

# yyy probably shouldn't do this in case of 'cert' command
rebuild_prefixes=
pfx save $buildout_root	||	# tuck away prefixes stuff for re-use
	rebuild_prefixes=1

# If we get here, $cmd is "make", "build", or "cert".
# XXX this logic isn't right if "build" is a forced make
#
if [[ $out_of_date_msg || $cmd == build ]]
then
	[[ $out_of_date_msg ]] &&
		echo "$out_of_date_msg"
	[[ $buildout_root =~ apache2?/*$ ]] && {
		echo "Sorry, it looks like I'm to remove \"$buildout_root\"," \
		" which makes me nervous because it's named like a real server."
		echo "Bailing.  You may want to remove it manually."
		exit 1
	}
	echo "  now removing $buildout_root for the rebuild"
	[[ -f $buildout_root/logs/httpd.pid ]] && {
		echo "There appears to be an egnapa server running."
		msg="Now shut down."
		# xxx this cmd+args is repeated in ApacheTester.pm
		#     define once and re-use
		#$aptop/bin/httpd -f $buildout_root/conf/httpd.conf -d $aptop \
		httpd -f $buildout_root/conf/httpd.conf -d $aptop -k stop ||
			msg="Warning: error shutting down server."
		echo "   $msg"
	}

	# ============== Destroy server !!!! ================
	rm -fr $buildout_root

	#echo Removing config and prefix defaults affecting your generic use.
	#rm -fr $HOME/.eggnog/{eggnog_conf_default,prefixes.yaml}
	## yyy kludge, only affects user installing new server
fi
# If we get here, entire server and prefix infrastructure needs rebuilding.

echo Building skeleton server structure extensions.

# yyy what's httpauth for? var/state? should we use var/{run,lock}?
msg=$( mkdir -p 2>&1 $buildout_root \
	$buildout_root/{htdocs,conf,cgi-bin,logs} \
	$buildout_root/htdocs/ruu.app \
	$buildout_root/htdocs/{a,e,r,e/{pop,pub,admin},e/{images,x,css}} )
(cd $buildout_root/htdocs/ruu.app; ln -s ../e e)

[[ -e $bst_root/eggnog_conf ]] && {
	echo Copying $bst_root/eggnog_conf
	cp -p $bst_root/eggnog_conf $buildout_root/
}

#ln -s $aptop/conf/mime.types $buildout_root/conf/mime.types
cp -p $aptop/conf/mime.types $buildout_root/conf/mime.types
ln -s $aptop/modules $buildout_root/modules		# link for modules
ln -s $aptop/conf.modules.d $buildout_root/conf.modules.d	# load modules

[[ $msg != '' ]] && {
	echo "Some structures already existed (ok):"
	echo "$msg" | sed 's/^/  /'
	# yyy is this useful?
}

# xxx bug somewhere: remove prebuild area and test fresh?
#     or do I really need -d?
# xxx bottom line: need SURE way to update prefixes on running prd system
#     as not even n2t rollout will catch latest updates

# xxx much more efficient (instead of rebuilding prefixes all the time),
#     would be to save a per-system prefix build that senses when to rebuild,
#     eg, changes in pfx or Resolve.pm or ??
#    where to cache? in ~/pfx_harvest/tmpxyz?

#pfx onboard || exit
#pfx build || exit
pfx restore $buildout_root ||		# restore saved prefixes, which might
	rebuild_prefixes=1
pfx onboard &&				# still need rebuilding; exit 1 says yes
	rebuild_prefixes=1
[[ "$rebuild_prefixes" ]] && {
	pfx build
}

# The next two items help reduce useless noise in error_log.
#
favicon=$buildout_root/htdocs/e/images/favicon.ico
[[ -e $favicon ]] ||			# create empty favicon.ico file
	cp /dev/null $favicon		# to prevent routine log errors
robots=$buildout_root/htdocs/robots.txt
[[ -e $robots ]] ||			# create empty robots.txt file
	cp /dev/null $robots		# to prevent routine log errors

## yyy drop this form now that google form is available
## Establish a simple, executable form to assist NAAN curation.
#
#naancure=$buildout_root/htdocs/e/admin/q2e.pl
## https://n2t-dev.n2t.net/e/admin/q2e.pl?unusednaan=12345&formout=name%3A+value%0D%0Akey%3A+value
#[[ -e $naancure ]] || {
#	cat > $naancure <<- EOT
#	#!/bin/sh
#
#	PERL5LIB=$PERL5LIB
#	PATH=$egpath
#	export PERL5LIB PATH
#
#	exec perl <<- 'EOS'
#
#	#!/usr/bin/env perl
#	##
#	##  printenv -- demo CGI program which just prints its environment
#	##
#
#	print "Content-type: text/plain; charset=UTF-8\n\n";
#	print "xxx Stub q2e.\n";
#	my (\$var, \$val);
#	foreach \$var (sort(keys(%ENV))) {
#	    \$val = \$ENV{\$var};
#	    \$val =~ s|\n|\\n|g;
#	    \$val =~ s|"|\\"|g;
#	    print "\${var}=\"\${val}\"\n";
#	}
#	EOS
#
#	EOT
#
#	chmod 755 $naancure
#}

# Establish a script to handle inflections and content negotiation.
# CrossRef handles these:
# application/rdf+xml
# text/turtle
# application/atom+xml
#
cp -p $HOME/local/bin/pfx $buildout_root/htdocs/e/x/pfx		# local copy
inflect=$buildout_root/htdocs/e/x/inflect
[[ -e $inflect ]] || {

	# Remember to quote normal $ \ and ` in << blocks.
	cat > $inflect << EOT
#!/bin/sh
# This "inflect" script handles inflections and prefix lookup.
# Script args arrive via a QUERY_STRING as name=value pairs.
# The script constructs a pfx commmand, runs it, and returns its output.
# Add /usr/local/bin to path so that we get our version of bash.

	PERL5LIB=$PERL5LIB
	PATH=/usr/local/bin:$egpath
	LANG=en_US.UTF-8
	export PERL5LIB PATH LANG

	exec perl << 'EOS'

	#!/usr/bin/env perl

	use 5.10.1;
	use strict;
	use warnings;

	print	"Content-type: text/plain; charset=UTF-8\n",
		"THUMP-Status: 0.7 200 OK\n",
		"\n";

	use Text::ParseWords;

	#say "qs: \$ENV{QUERY_STRING}";
	# QUERY_STRING contains pseudo command arguments
	my @args = shellwords( \$ENV{QUERY_STRING} );
	my (%h, \$key, \$val);
	for (@args) {
		/^-/ and		# skip flag args starting with '-'
			next;
		! /^([^=]+)=(.*)/ and	# split at first "=" and skip line
			next;		# if it doesn't look like key=...
		(\$key, \$val) = (\$1, \$2);
		\$val =~ s/%([[:xdigit:]]{2})/chr hex \$1/eg;	# hex decode
		\$h{\$key} = \$val;
	}

	if (\$h{op} eq 'partial') {
		# prefix lookup, eg, n2t.net/pdb:   
		# n2t.net/pdbe/pdb:
		#    */pdb: == pdb:
		#    */pdb:12345 -> list of targets
		#    user-supplied regex disallowed for now by use of \Q ... \E

		# yyy need $sv to keep pfx working
		# copy \$sv from current to inherited environment
		\$ENV{sv} = "$sv";

		my \$p = \$h{partial};
		\$p =~ s|[:/]*\$||;

		# prepare to call pfx script, which should be in the same dir
		my \$cmd = "./pfx ";
		my \$pfxflag;

		my \$initglob = \$p =~ s|^\*/||; # whether glob spec removed
		my \$tsearch = \$h{ac} // '';	# "after colon"

		my \$re = "(?:^|/)\\Q\$p\\E(?:/\\\\w*)?\\\$";   # PERL regex
		if (\$initglob and \$tsearch) {
			\$pfxflag = '-s targets';
			\$cmd .= "\$pfxflag find '\$re' ";
			\$cmd .= "| sed -n 's/\\\$id/\$tsearch/gp'";
		}
		else {
			\$pfxflag = '-s records';
			\$cmd .= "\$pfxflag find '\$re' 2>&1";
		}
		my \$result = \`\$cmd\`;
		\$result =~ /^\\s*\$/s and
			\$result = 'Not Found';
		say \$result;
		#say \`\$cmd\`;
		exit;
	}
	\$h{suffix} eq '?' and
		say "\$h{briefblob}";
	\$h{suffix} eq '??' and
		say "\$h{metablob}";
	say "# inflections under construction";
	say "# reference https://n2t.net/e/n2t_apidoc.html";

	#say "args: \$@";
	#foreach $var (sort(keys(%ENV))) {
	#    $val = $ENV{$var};
	#    $val =~ s|\n|\\n|g;
	#    $val =~ s|"|\\"|g;
	#    print "${var}=\"${val}\"\n";
	#}
EOS

EOT

	chmod 755 $inflect
}

# yyy consider putting tlog and pfxf stuff into config file under --home
homedb="--home $srvref_root"
#[[ "${EGG_DBIE:-}" ]] && {
#	homedb+=" --dbie '$EGG_DBIE'"
#}
[[ "$egg_dbie" ]] && {
	homedb+=" --dbie '$egg_dbie'"
}

## Need this to use transaction log invoked via RewriteRule.
##
#tlog="--txnlog $srvref_root/logs/transaction_log"

## Need this to use prefixes file ("database") with resolution.
##
#pfxf="--pfx_file $srvref_root/$pfxs"

# NB: this next line will need to change if switching the yyy DVCS
# (distributed version control system), eg, hg to git).  The file we
# save to should already be independent of hg or git.
# xxx done here and upon rollout, but just here should suffice?
#hg identify $src_top | sed 's/ .*//' > $buildout_root/logs/dvcsid

git show --oneline | sed 's/ .*//;q' > $buildout_root/logs/dvcsid

# Possible legend for filename suffixes in an ssl/ directory.
# .crt – The actual certificate
# .key – The key generated when creating the certificate request
# .csr – The certificate request sent to obtain a trusted signed certificate
# .int-root – The Intermediate Root authority certificate

# Now make sure there's a certificate (to support ssl/https).  You can
# test this code with, eg, previously created self-signed certs, as in
#
# x=$sv/apache2/conf
# export EGNAPA_SSL_CERTFILE=$x/server.crt EGNAPA_SSL_KEYFILE=$x/server.key

# removing this check because new Let's Encrypt certs don't use this
#[[ "$EGNAPA_SSL_CHAINFILE" ]]	|| err+=' EGNAPA_SSL_CHAINFILE'

err=			# 3 environment variables should be non-empty
[[ "$EGNAPA_SSL_CERTFILE" ]]	|| err+=' EGNAPA_SSL_CERTFILE'
[[ "$EGNAPA_SSL_KEYFILE" ]]	|| err+=' EGNAPA_SSL_KEYFILE'
[[ "$err" ]] && {
	echo "Error: one or more certificate file variables -$err -" \
		"aren't defined" 1>&2
	exit 1
}

let ncertfiles=0
[[ -f "$EGNAPA_SSL_CERTFILE" ]]		&&  let ncertfiles++
[[ -f "$EGNAPA_SSL_KEYFILE" ]]		&&  let ncertfiles++
#[[ -f "$EGNAPA_SSL_CHAINFILE" ]]	&&  let ncertfiles++
#[[ $ncertfiles -eq 0 || $ncertfiles -eq 3 ]] || {	# eg, one file exists
[[ $ncertfiles -eq 0 || $ncertfiles -eq 2 ]] || {	# eg, one file exists
							# but not the other two
	echo "Error: either none or all of these certificate files must exist:
    $EGNAPA_SSL_CERTFILE
    $EGNAPA_SSL_KEYFILE" 1>&2
#    $EGNAPA_SSL_CHAINFILE" 1>&2
	exit 1
}

[[ $ncertfiles -eq 0 ]] && {		# when no cert files exist ...

	# If we get here, we will generate a self-signed certificate.
	# This follows instructions from onlamp.com/onlamp/2008/03/
	#    04/step-by-step-configuring-ssl-under-apache.html

	days=7300				# 20 years
	echo Creating self-signed $EGNAPA_SSL_CERTFILE.

	# Hmm: openssl doesn't seem to return an error status; maybe one day?

	#openssl req -new -x509 -days $days -sha1 -newkey rsa:2048 \
	err=$( openssl req -new -x509 -days $days -sha256 -newkey rsa:2048 \
		-keyout $EGNAPA_SSL_KEYFILE -out $EGNAPA_SSL_CERTFILE \
		-nodes -subj "/O=Company/OU=Department/CN=$host" 2>&1 ) ||
			echo Error: openssl failed: "$err"

	# For self-signed, we repurpose the cert for the intermediate file.
	#cp -p $EGNAPA_SSL_CERTFILE $EGNAPA_SSL_CHAINFILE

	# To get a certificate signed by a CA, you first need to create
	# a keypair and a certificate request (note no -x509):
	#openssl req -new -sha1 -newkey rsa:1024 -nodes \ 
	#	-keyout conf/server.key -out $host.csr \ 
	#	-subj "/O=Company/OU=Department/CN=$host"
}

## By copying these source files into the built server, our service is
## safely isolated if someone refreshes/renews the cert source files.
#
#cp -p $EGNAPA_SSL_CERTFILE $sslcert
#cp -p $EGNAPA_SSL_KEYFILE $sslcertkey
#echo "Using cert file $sslcert."
#
#[ XXXXX
#[[ $EGNAPA_SSL_CHAINFILE ]] && {	# if there's a chain file
#	[[ -f $EGNAPA_SSL_CHAINFILE ]] || {
#		echo "Error: chain file (EGNAPA_SSL_CHAINFILE:" \
#			"$EGNAPA_SSL_CHAINFILE) doesn't exist" ]]
#		exit 1
#	}
#	sslchain=$ssl_root/server.chain
#	sslchainref=$sslref_root/server.chain
#	cp -p $EGNAPA_SSL_CHAINFILE $sslchain
#	chmod 644 $sslchain
#}
#] XXXXX

# if [[ $EGNAPA_SSL_CERTFILE ]]		# if there is a certificate
# then
# 	[[ -f $EGNAPA_SSL_CERTFILE ]] || {
# 		echo "Error: certificate file (EGNAPA_SSL_CERTFILE:" \
# 			"$EGNAPA_SSL_CERTFILE) doesn't exist"
# 		exit 1
# 	}
# 	[[ $EGNAPA_SSL_KEYFILE ]] || {
# 		echo Error: either none or both of these environment \
# 			variables should be set: EGNAPA_SSL_{CERT,KEY}FILE
# 		exit 1
# 	}
# 	[[ -f $EGNAPA_SSL_KEYFILE ]] || {
# 		echo "Error: key file (EGNAPA_SSL_KEYFILE:" \
# 			"$EGNAPA_SSL_KEYFILE) doesn't exist"
# 		exit 1
# 	}
# 
# 	# By copying these source files into the built server, our service is
# 	# safely isolated if someone refreshes/renews the cert source files.
# 	#
# 	cp -p $EGNAPA_SSL_CERTFILE $sslcert
# 	cp -p $EGNAPA_SSL_KEYFILE $sslcertkey
# 	echo "Using cert file $sslcert."
# 
# 	[[ $EGNAPA_SSL_CHAINFILE ]] && {	# if there's a chain file
# 		[[ -f $EGNAPA_SSL_CHAINFILE ]] || {
# 			echo "Error: chain file (EGNAPA_SSL_CHAINFILE:" \
# 				"$EGNAPA_SSL_CHAINFILE) doesn't exist" ]]
# 			exit 1
# 		}
# 		sslchain=$ssl_root/server.chain
# 		sslchainref=$sslref_root/server.chain
# 		cp -p $EGNAPA_SSL_CHAINFILE $sslchain
# 		chmod 644 $sslchain
# 	}
# 
# elif [[ ! -f $sslcert ]]	# if no self-signed exists, create it
# then
# 
# 	# This follows instructions from onlamp.com/onlamp/2008/03/
# 	#    04/step-by-step-configuring-ssl-under-apache.html
# 	#
# 	days=7300				# 20 years
# 	echo Creating self-signed $sslcert.
# 
# 	# Hmm: openssl doesn't seem to return an error status; maybe one day?
# 	#
# 	#openssl req -new -x509 -days $days -sha1 -newkey rsa:2048 \
# 	err=$( openssl req -new -x509 -days $days -sha256 -newkey rsa:2048 \
# 		-nodes -keyout $sslcertkey -out $sslcert \
# 		-subj "/O=Company/OU=Department/CN=$host" 2>&1 ) ||
# 			echo Error: openssl failed: "$err"
# 
# 	# To get a certificate signed by a CA, you first need to create
# 	# a keypair and a certificate request (note no -x509):
# 	#openssl req -new -sha1 -newkey rsa:1024 -nodes \ 
# 	#	-keyout conf/server.key -out $host.csr \ 
# 	#	-subj "/O=Company/OU=Department/CN=$host"
# fi

chmod 600 $sslcertkey		# should be root-readable only
chmod 644 $sslcert		# must be readable to Apache user
#chmod 644 $sslcert $sslchain	# must be readable to Apache user

# Enabling or disabling cert checking actually done at the client, but we
# announce whether it should or shouldn't be in effect.  A client will
# generally assume a signed cert if $EGNAPA_SSL_CERTFILE is set.
#
i=$( openssl x509 -issuer  -noout -in $sslcert )
s=$( openssl x509 -subject -noout -in $sslcert )
if [[ "${i#issuer=}" == "${s#subject=}" ]]
then
	echo "Certificate is self-signed;" \
		ok to DISABLE client-side cert checking.
else
	echo "Certificate is NOT self-signed;" \
		ok to enable client-side cert checking.
fi
# notAfter=Jan  5 23:59:59 2020 GMT
enddate=$( openssl x509 -enddate -noout -in $sslcert |
	perl -pe 's/^.*=(.*) (\d\d\d\d) +(\w\w\w) *$/$2 $1 $3/' )
echo "  EXPIRES $enddate"

# Now that the files are created, create a text block that we'll use for
# referencing them from the Apache config files.

#SSLCertificateChainFile \"$sslchain\""

sslcertblock="
SSLCertificateFile \"$sslcert\"
SSLCertificateKeyFile \"$sslcertkey\""

#SSLCertificateFile \"$sslcertref\"
#SSLCertificateKeyFile \"$sslcertkeyref\""
#SSLCertificateChainFile \"$sslchainref\""

#[[ $sslchainref ]] && {
#	sslcertblock+="
#SSLCertificateChainFile \"$sslchainref\""
#	echo Adding chainfile directive.
#}

# You can test cert installation with https://www.ssllabs.com/ssltest/ .

[[ $cmd == cert ]] &&		# if $cmd was "cert", we can exit early
	exit

# xxx does this remove need to create td_{egg,nog} from {apache,dura}base.t??
mkdir $binders_root 2>&1
cat > $binders_root/README << EOT
This directory contains egg binders. See ../htdocs/a for the web-facing
paths and scripts that access them (a=api). Place a file called NOBACKUP
here to prevent all binder backups, or inside a binder directory to prevent
backing up any particular binder (backups are first enabled in eggnog_conf).
EOT
mkdir $minters_root 2>&1
cat > $minters_root/README << EOT
This directory contains nog minters.  See ../htdocs/a for the web-facing
paths and scripts that access them (a=api).
EOT
mkdir $shoulders_root 2>&1 && cat > $shoulders_root/README << EOT
This directory contains eggnog shoulders, which provide the initial
substring for globally unique identifiers.
EOT
#}

# Chdir to $buildout_root to do the rest.

cd $buildout_root || {
	echo "Couldn't make $buildout_root the current directory."
	echo "Bailing out."
	exit 1
}

# This blob of HTTP client headers gets passed to RewriteMap for logging
# and content negotiation.  Needed before calling minder_builder.
# NB: use !!! to bracket _both_ sides of every field, so code can match
# field boundaries in the middle, beginning, or ending of the blob.
# xxx use %{ENV:XFF} ??
#
hdrblob='esc:!!!pr=%{ENV:proto}!!!ac=%{HTTP_ACCEPT}!!!ff=%{HTTP:X-Forwarded-For}!!!ra=%{REMOTE_ADDR}!!!co=%{HTTP_COOKIE}!!!re=%{HTTP_REFERER}!!!ua=%{HTTP_USER_AGENT}!!!'

[[ -e $bst_root/minder_builder ]] && {
	chmod go= $bst_root/minder_builder	# turn off most perms
	source $bst_root/minder_builder
}

# If we get here, $cmd is "build".

function build_passwd {

	[[ "$pwdfile" ]] ||		# if the list or 1st item is empty
		return 0		# don't create a password file

	local n i pfile bc flp
## xxx true in Apache 2.4?
#	bc=$EGNAPA_TOP/bin/htpasswd	# xxx remove after linux2 conversion
#	[[ -e $bc ]] ||			# xxx remove after linux2 conversion
#		bc=htpasswd		# eg, in /usr/bin
	bc=htpasswd			# eg, in /usr/bin
	flp=( $pwdfile )		# expand to file/login/password triples

	echo -n "Making "
	# pass 1 to initialize the password files that need to be built
	n=${#flp[*]}
	for (( i=0; i < $n; i+=3 )) do
		pfile=$pwdfile_root/${flp[ $i ]}	# a pwdfile
		[[ ! -e $pfile ]] && {
			echo -n "${flp[$i]} "
			$bc -b -c $pfile dummy dummy > /dev/null 2>&1
			chmod 600 $pfile
		}
	done
	echo ""

	# pass 2 to actually set the passwords
	n=${#flp[*]}
	for (( i=0; i < $n; i+=3 )) do
		pfile=$pwdfile_root/${flp[ $i ]}
		$bc -b $pfile ${flp[ $i+1 ]} "${flp[ $i+2 ]}" > /dev/null 2>&1
	done
	return 0
}

build_passwd || {
	echo Error building password file
	exit 1
}

# create password file pwdfile_naan_curators for NAAN curators from input:
#    Working Email       Generated Password
#    jakkbl@gmail.com        lkajsjfoiwe
#    bertrand@bnf.fr     woruouweuou
# generate 12-char password for every member of NAAN WG
# yyy       date +%s | md5sum | head -c 12
# yyy (mac) date +%s | md5    | head -c 12

function build_ncure_passwd {

	[[ "$ncurepwdfile" ]] ||	# if the list or 1st item is empty
		return 0		# don't create a password file

	local n i bc flp
	bc=htpasswd
	ep=( $pwdfile )			# expand to email/password pairs

	local pfile=pwdfile_naan_curators
	[[ ! -e $pfile ]] && {
		# initialize the password file that needs to be built
		$bc -b -c $pfile dummy dummy > /dev/null 2>&1
		chmod 600 $pfile
	}
	# actually set the passwords
	n=${#ep[*]}
	for (( i=0; i < $n; i+=2 )) do
		$bc -b $pfile ${ep[ $i ]} "${ep[ $i+1 ]}" > /dev/null 2>&1
	done
	return 0
}

build_ncure_passwd || {
	echo Error building NAAN curators password file
	exit 1
}

# apache2/data -> ~/dv4 ?
# apache2/data/ezid/b -> ~/dv4/ezid/b/ ?
# apache2/data/ezid/b -> ../td_egg/b/
# apache2/data/ezid/m -> ../td_nog/
# apache2/data/ezid/m/foo -> ~/dv4/ezid/m/foo ?

# Should support all these cases. XXX  test!!
# yyy hH=(http|https)://foo.example.org[:port]
# Need to nail down (a) n2t populator (ezid, oca, test), (b) cgi script, and
#   (c) minter or binder name
# 
# pest="populator test" ("test" is too common a string)
# https://*.*.*/a/ezid/b		# api to ezid's binder
#  where /a/{ezid,oca,pest_x,pest_y}/b has is sorta like this (yyy no)
#    ^/a/([^/?]+)/b(\?(.*))$ ${script_px}binder? --api -d $binders_root/$1 $3
#         and binders_root=$apache_top/../dvN
#         and script_px=$apache_top/cgi-bin/
# but, in test mode,
#         and binders_root=$src_top/td_egg
#         and script_px=$src_top/blib/script/test_
# https://*.*.*/a/ezid/m?<M>.mint N	# api to ezid minter M
# https://*.*.*/a/ezid/r/<id>		# (api to) ezid resolver
#     /a/ezid has its own password file			
# https://*.*.*/a/oca/b			# api to binder named oca
#    where ... see above for ezid
# https://*.*.*/a/oca/m/<M>		# api to oca minter M
# https://*.*.*/a/oca/r/<id>		# (api to) oca resolver
#     /a/oca has its own password file
# https://*.*.*/a/test/b		# api to binder named test
#    where ... see above for ezid
# https://*.*.*/a/test/m/<M>		# api to test minter M
# https://*.*.*/a/test/r/<id>		# (api to) test resolver
#     /a/test has its own password file
#
# http://*.*.*/r/			# resolver
#xxx this is wrong, but on right track
#  a. final rewrite to set query string with correct args
#  b. final script path match so scriptalias can make executable (XXX or can
#     <Location ...>SetHandler cgi-script\n Options +ExecCGI</Location> work?)
#  c. early script path match to set Authn domain (to choose password file
#      pwdfile_x/pwdfile_y and AuthName pest_x/pest_y)
#  d. earlier initial script path match to require SSL ($api)
#
# https://*.*.*/<id>			# main (combined) N2T resolver
# http://*.*.*/a/* -> https://...	# redirection to https for api xxx
# http:... 	# to any of the above redirects to https: (yyy auto or needed?)
# http://*.*.*/e/...			# extras (eg, docs) open to the public
# https://*.*.*/e/... -> http://...	# seamless redirection to docs
# a=api, b=binder, r=resolver, m=minter

# yyy?? do these add anything?
# https://*.*.*/a/b/t1			# api to oca's binder
# https://*.*.*/a/r/n2t			# api to resolver named n2t
# https://localhost:8083/a/b/binder_t	# api to generic test binder
# http://*.*.*/a/b/* -> https://...	# redirection to https for api xxx
# http://*.*.*/a/doc/...		# to redirection for simple docs xxx

# xxx don't really need b, r, m dirs
# Under htdocs/ we have
#   a/...		APIs
#   a/ezid/b		API for the EZID binder
#   a/ezid/m/13030/fk4	API for the EZID minter shoulder, 13030/fk4 (xxx notyet)
#   a/oca/b		API for the OCA binder
#   a/oca/m/13960/t	API for the OCA minter shoulder, 13960/t (xxx notyet)
#   <?>	(not public)	RewriteMap prg for EZID; a/ezid/rmap_ezid
#   <?>	(not public)	RewriteMap prg for OCA a/oca/rmap_oca
#   <?>	(not public)	RewriteMap prg for EZID+OCA a/n2t/rmap_n2t
#			this uses --resolverlist
#   <?>	(not public)	redirect target for inflections (? -> ?<thump expand>
#   e			extras: eg, documentation
#

## Derive config files from vanilla apache.
## Recall that this code must work whether we're currently in the permanent
## or temporary server config directory.
## 

# Initialize new $hconf from scratch.

echo Deriving basic server config info.

hostport=$EGNAPA_HOST:$port_hpr
shostport=$EGNAPA_HOST:$port_hprs

#### Begin building main Apache HTTP server configuration file.

# Remember to quote $ \ and ` in << blocks, or (in this case) to protect regexp
# special chars by having them appear only as result of parameter expansion.
# Kind of a kludge, but the second line of this new file should start with
# "# configuration", which we grep for when we start a server so that we can
# remind the user what configuration is in effect.

cat << EOT > conf/$hconf
# This file was generated automatically by build_server_tree based on the
# configuration $cfgphrase.
#
# It is the main Apache HTTP server configuration file for the resolver
# and parallels the default Apache config file.

# yyy Do we need all these, eg, conf.modules.d/00-mpm.conf ?
Include $EGNAPA_TOP/conf.modules.d/*.conf

SetEnv PERL5LIB $PERL5LIB


# This is actually defined via httpd CLI option, so try not to repeat it
# ServerRoot "$EGNAPA_TOP"
# wrong for 2.4:


Listen $port_hpr
Listen $port_hprs

# NB: having our own PidFile allows us to bring the test server up and down
# without bring the public server down. yyy should it live in ../var/run?

PidFile $srvref_root/logs/httpd.pid

User ${User:=daemon}
Group ${Group:=daemon}

#<IfModule !mpm_netware_module>
#<IfModule !mpm_winnt_module>
#    User ${User:=daemon}
#    Group ${Group:=daemon}
#</IfModule> 
#</IfModule>

ServerName $hostport
DocumentRoot "$document_root"
ServerAdmin ${ServerAdmin:=you@example.com}

## Patch to prevent a denial of service attack.  The following
## declarations can (and should) be removed once we upgrade to Apache
## 2.4.  See <http://mail-archives.apache.org/mod_mbox/httpd-announce/
## 201108.mbox/%3C20110826103531.998348F82@minotaur.apache.org%3E> for
## more information.
#SetEnvIf Range (?:,.*?){5,5} bad-range=1
#RequestHeader unset Range env=bad-range
#RequestHeader unset Request-Range

# This helps with problem introduced by timeout change in Apache 2.4.39.

RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

# CORS (Cross-Origin Resource Sharing) support for cross-site forwarding
# for universal JavaScript/browser access. Test with something like
#
#   curl --max-redirs 0 -I https://n2t-stg.n2t.net/ark:/99152/p0
#
# Should be safe because (a) we use "*" below and (b) we don't use cookies.
# Use "always" so it happens no matter what the status, eg, 2XX, 3XX, etc.

# Via user request (2020.05.28):
# In modern web browsers, making requests from JavaScript (JS) to URLs with
# domains that differ from the one where the JavaScript originated is
# forbidden by default. Servers that wish to allow JS requests from other
# domains can indicate this by setting an Access-Control-Allow-Origin header
# [1], e.g.
# 
#   Access-Control-Allow-Origin: *

Header always set Access-Control-Allow-Origin "*" \\
    "expr=%{REQUEST_METHOD} in { 'GET', 'HEAD', 'OPTIONS' }"

# to allow JS requests from any domain. Since JS applications working with N2T
# URLs need to be able to make GET requests to those URLs, in order to discover
# the resources to which they point, then it makes sense for N2T to set this
# header. Since a 302 redirect response is useless without the Location header,
# and CORS by default does not expose the Location header to JS, it also makes
# sense for N2T to expose that header by setting an
# Access-Control-Expose-Headers header [2], e.g.:
# 
#   Access-Control-Expose-Headers: Location

Header always set Access-Control-Expose-Headers "Location"

# Finally, in order to ensure that Javascript on arbitrary domains can only
# read and not write to n2t.net, it would also make sense to only allow GET
# requests by setting an Access-Control-Allow-Methods header [3], e.g.:
# 
#   Access-Control-Allow-Methods: GET

Header always set Access-Control-Allow-Methods "GET, HEAD, OPTIONS"

# By setting these three headers, N2T URLs would become usable from JS running
# in browsers, without compromising the security of N2T servers.
# 
# [1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
# [2] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers
# [3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods


<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
#    Order deny,allow
#    Deny from all
</Directory>

# Note that Indexes has been removed from Options.
<Directory "$document_root">
    Options FollowSymLinks
    AllowOverride None
    Require all granted
#    Order allow,deny
#    Allow from all
</Directory>


# Turn on UTF-8 and Server Side Includes for HTML pages served from htdocs/e.
#
AddDefaultCharset utf-8
AddType text/html .html
AddOutputFilter INCLUDES .html

<Directory "$srvref_root/htdocs/e">
	Options Includes 
#	Options +Includes 
</Directory>

# This <Directory> directive makes things in htdocs/e/x/ executable.
# This is instead of opening up cgi-bin/.
#
<Directory "$srvref_root/htdocs/e/x">
        AllowOverride None
	Options FollowSymLinks
        Require all granted
#        Order allow,deny
#        Allow from all
	SetHandler cgi-script
	Options +ExecCGI
</Directory>

# This <Directory> directive makes things in htdocs/e/admin/ executable.
# This is instead of opening up cgi-bin/.
#
<Directory "$srvref_root/htdocs/e/admin">
        AllowOverride None
	Options FollowSymLinks Includes 
        Require all granted
#        Order allow,deny
#        Allow from all
	Options +ExecCGI
	AddHandler cgi-script .pl

    AuthType Basic
    AuthName "Email address"
    AuthBasicProvider file
    AuthUserFile /apps/n2t/sv/cv2/apache2/conf/pwdfile_ezid
    Require valid-user
</Directory>

# NB: we don't set Indexes option, so server won't auto-generate listings
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

<FilesMatch "^\\.ht">
    Require all denied
</FilesMatch>

# start new log file every month
ErrorLog "|$rotatelogs $srvref_root/logs/error_log.%Y.%m.%d $monthly"

#LogLevel warn
## Default is "LogLevel warn". Also useful is "LogLevel debug".

# XXX shouldn't this be HTTP:X-Forwarded-For ??
CustomLog "|$rotatelogs $srvref_root/logs/access_log.%Y.%m.%d $monthly" \\
    "%{XFF}e %h %l %u %t \\"%r\\" %>s %b \\"%{Referer}i\\" \\"%{User-Agent}i\\""
#    "%{X-Forwarded-For}i %h %l %u %t \\"%r\\" %>s %b \\"%{Referer}i\\" \\"%{User-Agent}i\\""

# XXX should probably ditch more conditionals

AliasMatch ^/\$ $document_root/e/homepage.html
#AliasMatch ^/\$ $document_root/index.html

# new (2.4) not allowed
#DefaultType text/plain
# yyy what to replace it with?

# yyy are these types all needed?
<IfModule mime_module>
    TypesConfig conf/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
</IfModule>

#<IfModule ssl_module>
#SSLRandomSeed startup builtin
#SSLRandomSeed connect builtin
#</IfModule>

# Here ends the part that closely parallels httpd.conf.
# What follows are additions to support generic resolver rewrite rules.

# commenting this out to see if it helps stop accumulating httpd procs
# !! mitigate an Apache RewriteMap memory leak [jak]
#MaxRequestsPerChild 100
# xxx is this needed?
# xxx but will this have any effect on the number of rewritemap requests?
#     should rewritemap do it's own count and die, and does it restart
#     automatically?

# Apache 2.4 log levels
#LogLevel warn
LogLevel warn rewrite:trace8

#LogLevel warn rewrite:trace8
#rewrite:trace8 writes maximum amount of log info
# used to be RewriteLogLevel 9

# new (2.4) can't do separate rewrite logging
## !! RewriteLock file must not exist on startup [jak]
#RewriteLock $srvref_root/logs/lock_rewritemap
##RewriteLog $srvref_root/logs/rewrite_log
## start new log file every month
#RewriteLog "|$rotatelogs $srvref_root/logs/rewrite_log.%Y.%m.%d $monthly"

EOT

# Usage:  activate_popbinder Populator [ Binder ]
# If Binder isn't given, it defaults to the same name as the Populator.
#
# Make an httpd.conf Directory declaration that "activates" (a) a populator
# directory and (b) a binder under it.  Once the populater P is activated,
# any number of minters can be placed under it, for its exclusive use, by
# using the path <P>/r/*, eg, <P>/r/ark/99999/fk4.
#
function activate_popbinder {

populator=$1
binder=${2:-$populator}
authnblock=
[[ -e $pwdfile_root/pwdfile_$populator ]] &&
	authnblock="
    AuthType Basic
    AuthName $populator
    AuthBasicProvider file
    AuthUserFile $pwdfref_root/pwdfile_$populator
    Require valid-user
"

cat << EOT >> conf/$hconf

# This <Directory> directive stipulates an authenticated user.
# It uses pwdfile_$populator as its password file and also makes
# things in htdocs/a/$populator executable.
#
<Directory "$srvref_root/htdocs/a/$binder">
        AllowOverride None
	Options FollowSymLinks
#        Order allow,deny
#        Allow from all
#        Require all granted
	SetHandler cgi-script
	Options +ExecCGI
$authnblock
</Directory>

# Similarly, this <Directory> is for non-executable files
# available only to the $populator user.
#
<Directory "$srvref_root/htdocs/e/pop/$populator">
        AllowOverride None
	Options FollowSymLinks
#        Order allow,deny
#        Allow from all
#        Require all granted
$authnblock
</Directory>
EOT

}

# http://localhost:8083/d/api/test_binder
# http://n2t.net/a/b/test_binder
# http://n2t.net/a/b/ezid
# http://n2t.net/a/b/oca
# http://n2t.net/a/b/doc
#
# Call with two args: bare script name (egg or nog) and the filename that
# we're writing to.  Eg,
#	create_cgi egg $cgi_egg
#	create_cgi nog $cgi_nog
#
function create_cgi {

	local eon=$1 cgi=$2	# eon = egg or nog

	cat <<- EOT > $cgi	# '-' in <<- strips leading tabs from below
	#!/bin/sh

	# This file was generated automatically by build_server_tree.
	# It is a CGI wrapper for "$eon" that sets up the environment,
	# working directory, and possible testing arguments ("-Mblib").
	# The most important arguments (eg, which binder, what operation)
	# are supplied upon invocation via a RewriteRule, which happens
	# (a) when resolver rewritemaps are established on server startup
	# and (b) when a user attempts a binder operation.

	# Errors in this script therefore affect resolution and binding.
	# Problems arising in this script often result in "ERROR 500:
	# Internal Server Error", and some clue can be found in the Apache
	# error_log* file. The message at the bottom sometimes gets trapped
	# there as well.

	PERL5LIB=$PERL5LIB
	PATH=$egpath
	export PERL5LIB PATH

	#MG_CSTRING_HOSTS="$MG_CSTRING_HOSTS"	# exdb mongo database
	#MG_REPSETOPTS="$MG_REPSETOPTS"
	#MG_REPSETNAME="$MG_REPSETNAME"
	#export MG_CSTRING_HOSTS MG_REPSETOPTS MG_REPSETNAME

# zzz shouldn't we be exporting EGNAPA_HOST too? since we can't count on
# Perl's hostname to give us the proper fqdn?
	EGNAPA_HOST_CLASS="$EGNAPA_HOST_CLASS"	# to form exdb dbname xxx
	EGNAPA_HOST="$EGNAPA_HOST"		# to form exdb dbname
	export EGNAPA_HOST EGNAPA_HOST_CLASS

# zzz document which perl routine calls this and with which args
	cd $scripts_wd
	#exec $perl_args $eon \$*
	exec $perl_args $eon $homedb \$*

	echo ""		# yyy not sure why this helps error show in rmap case
	echo "error: command failure:" \
		"\"cd $scripts_wd ; exec $perl_args $eon \$*\"" \
		"status: \$?" 2>&1
	exit 1;
	EOT

	chmod 0755 $cgi ||
		return 1
	return 0
}

# Paths to CGI shell scripts that wrap egg and nog.
# XXXX   my $eggcmd = defined($blib::VERSION) ? "perl -Mblib " : "";
#
cgi_egg=$buildout_root/cgi-bin/egg.sh
cgiref_egg=$srvref_root/cgi-bin/egg.sh
cgi_nog=$buildout_root/cgi-bin/nog.sh
cgiref_nog=$srvref_root/cgi-bin/nog.sh

# Although these scripts live in cgi-bin, which is natural given their
# roles, they're made inaccessible to callers who would try typical URL
# paths (eg, n2t.net/cgi-bin/egg.sh). Instead callers our routed through
# paths that trigger AuthN first, and script invocation in cgi-bin is
# accomplished by symbolic link.
#


# zzz add tdata ??

create_cgi egg $cgi_egg
create_cgi nog $cgi_nog

# Usage: create_rmap [populator] resolver
# Example: create_rmap ezid
# Example: create_rmap ezid
# Example: create_rmap ezid ezid_test
#
# Here, an "rmap" is a "resolver map" shell program that is named in an
# Apache RewriteMap directive.  It sits in a filename starting "rmap_".
# An rmap exists because RewriteMap directives don't permit us to pass
# arguments, such as which binder/resolver to use, so a different program
# content and filename is used to sort of hardwire the different kinds of
# behavior.  Each rmap program is basically a wrapper around an exec to
# one "rmapper" script called with different argument combos.
#
# The rmap (and rmapper) programs are only invoked at Apache server
# (re)start, and then become long-running processes that communicate via
# pipes to Apache in response to RewriteMap events.  Because they're long
# running, rmap and rmapper startup delays are not considered important.
# XXXXXX how to make startup errors visible?
#
# If the resolver arg
# is a colon-separated list, eg, pest_x or pestxy:pest_x:pest_y then the
# first resolver in the list is a pseudo-resolver that will invoke the
# 2nd binder in the list to do resolution, which will try to match across
# the 2nd, 3rd, etc. resolvers in the list.  A pseudo-resolver should have
# pseudo-populator (which just becomes a directory name).
#   XXX then do we need to repeat it as the first list element?
#
function create_rmap {

	local populator=$1 r=$2
	local remainder rmp binder rlist i

	[[ $r ]] ||
		r=$populator			# resolver same as populator
	# if the caller specified more than one binder, then we take
	if [[ $r =~ ":" ]]; then		# the first bit to name a
		rmp=$( sed 's/:.*//' <<< $r )	# pseudo-resolver, with the
		binder=				# real binder as yet unknown
		remainder=$( sed 's/^[^:]*://' <<< $r )	# remaining binders
	else					# only one binder specified,
		rmp=$r				# so the rmap script is the
		binder=$r			# same as the binder
	fi

	local cmd

	cmd=$cgiref_egg	# this is a shell script, so -Mblib doesn't apply

	for i in $( sed 's/:/ /g' <<< "$remainder" )	# for remaining binders
	do
		if [[ ! $rlist ]]; then		# initialize rlist
			binder="$i"		# now we know which binder
			rlist="$bdrsref_root/$binder"
		else				# extend rlist already begun
			rlist+=":$bdrsref_root/$i"
		fi
	done
	local rrmlogbase="htdocs/a/$populator/rrmlog_$rmp"
	local rmap="htdocs/a/$populator/rmap_$rmp"

	#cmd+=" --rrm $home $tlog $pfxf -d $bdrsref_root/$binder"
	# Resolvers are invoked with some of these arguments.

	# for resolution, force --user to be same as binder name
# zzz $homedb is a set of args, eg, --home ...
	cmd+=" --rrm $homedb --user $populator -d $bdrsref_root/$binder"
	#cmd+=" --testdata $tda" # NB: --testdata shields production DBs!!
	# $isolation_arg gives us either testdata binder or public binder
	cmd+=" $isolation_arg"

	[[ $rlist ]] &&			# caller wanted list of resolvers
		cmd+=" --resolverlist=\"$rlist\""	# qualify command

	cat <<- EOT > $rmap	# '-' in <<- strips leading tabs from below
		#!/bin/sh

		# This file was generated automatically by build_server_tree.
		# It is a "resolver map" (rmap) script that you can partially
		# test by starting it from an interactive shell with no args
		# and then entering read-only resolver commands on the stdin.
		# xxx add tests to make this more certain
		#
		# Because it is usually started from Apache via a RewriteMap
		# directive, it doesn't inherit environment variables needed
		# to run, so we set these variables explicitly.  It cannot
		# leave any diagnostic if it doesn't start up correctly, but
		# some EGNAPA_* environment variables are set so that
		# rrminfo() can reveal some status info.

		PERL5LIB=$PERL5LIB
		PATH=$egpath
		export PERL5LIB PATH

		#MG_CSTRING_HOSTS="$MG_CSTRING_HOSTS"	# exdb mongo database
		#MG_REPSETOPTS="$MG_REPSETOPTS"
		#MG_REPSETNAME="$MG_REPSETNAME"
		#export MG_CSTRING_HOSTS MG_REPSETOPTS MG_REPSETNAME

# zzz shouldn't we be exporting EGNAPA_HOST too? since we can't count on
# Perl's hostname to give us the proper fqdn?
		EGNAPA_HOST_CLASS="$EGNAPA_HOST_CLASS"	# to form exdb dbname
		EGNAPA_HOST="$EGNAPA_HOST"		# to form dbname
		export EGNAPA_HOST EGNAPA_HOST_CLASS

		cd $scripts_wd

		EGNAPA_RMAP=\$0				# for rrminfo
		EGNAPA_SRVREF_ROOT=$EGNAPA_SRVREF_ROOT	# for rrminfo
		export EGNAPA_RMAP EGNAPA_SRVREF_ROOT
		
		# Long-running resolver process started here, with arguments
		# defined inside $cmd string, eg, --home.

		# xxx To make startup errors visible, the exec should fall
		# through to exec an artificial resolver that redirects all
		# to example.com with a path containing the error message.

		exec $cmd

		echo "Failed \"cd $scripts_wd ; exec $cmd\" with status \$?" \\
			1>&2
		exit 1;
	EOT
	chmod 755 $rmap;
}

echo Deriving SSL server config info.

# new
#llpath=$( sed "s,^\([^:]*\)/bin:*.*,\1/lib:$LD_LIBRARY_PATH," <<< $PATH )
# perl -pi -e 's,Jan,Feb,' $buildout_root/bin/envvars

#t=`mktemp -d -t bst.XXXX`	# build server tree tmp file (platform indep.)
##t=/tmp/build_server_tree_tmp
#trap "rm -fr $t" EXIT		# make sure to cleanup on exit

# --- From mod_rewrite documentation:
# "Substitutions are only treated as a file-system path when the rule is
# configured in server (virtualhost) context and the first component of
# the path in the substitution exists in the file-system"
#
# --- From mod_rewrite documentation for the Substitution part:
# VERY IMPORTANT
# "Note that mod_rewrite tries to guess whether you have specified a
# file-system path or a URL-path by checking to see if the first segment
# of the path exists at the root of the file-system. For example, if you
# specify a Substitution string of /www/file.html, then this will be
# treated as a URL-path unless a directory named www exists at the root or
# your file-system (or, in the case of using rewrites in a .htaccess file,
# relative to your document root), in which case it will be treated as a
# file-system path. If you wish other URL-mapping directives (such as
# Alias) to be applied to the resulting URL-path, use the [PT] flag as
# described below.

# Remember to quote $ \ and ` in << blocks, or (in this case) to protect regexp
# special chars, by having them appear only as result of parameter expansion.
#
cat << EOT >> conf/$hconf

# This section and comments are adapted from /etc/httpd/conf.d/ssl.conf.

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program ('builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism 
#   to use and second the expiring timeout (in seconds).
SSLSessionCache         shmcb:$srvref_root/var/run/sslcache(512000)
SSLSessionCacheTimeout  300

#   Pseudo Random Number Generator (PRNG):
#   Configure one or more sources to seed the PRNG of the 
#   SSL library. The seed data should be of good random quality.
#   WARNING! On some platforms /dev/random blocks if not enough entropy
#   is available. This means you then cannot use the /dev/random device
#   because it would lead to very long connection times (as long as
#   it requires to make more entropy available). But usually those
#   platforms additionally provide a /dev/urandom device which doesn't
#   block. So, if available, use this one instead. Read the mod_ssl User
#   Manual for more details.
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names.  NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly. 
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

##
## SSL Virtual Host Context
##

<VirtualHost _default_:$port_hprs>

#
#### HTTPS section:  how API connections will be processed
#

# xxx not recommended for security reasons -- move this to $sstub/n2t/...?
AllowEncodedSlashes On

# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443

## xxx drop DocumentRoot and ServerName as redundant?
#ServerName $shostport
#DocumentRoot "$document_root"
## XXX is this next line necessary?
#ServerAdmin ${ServerAdmin:=you@example.com}


## Use separate log files for the SSL virtual host; note that LogLevel
## is not inherited from httpd.conf.
#ErrorLog logs/ssl_error_log
#TransferLog logs/ssl_access_log
#LogLevel warn

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
SSLProtocol all -SSLv3

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA

#   Speed-optimized SSL Cipher configuration:
#   If speed is your main concern (on busy HTTPS servers e.g.),
#   you might want to force clients to specific, performance
#   optimized ciphers. In this case, prepend those ciphers
#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
#   (as in the example below), most connections will no longer
#   have perfect forward secrecy - if the server's key is
#   compromised, captures of past or future traffic must be
#   considered compromised, too.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on 

#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

$sslcertblock

#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth  10

#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrary complex boolean expressions containing server
#   variable checks and other lookup directives.  The syntax is a
#   mixture between C and Perl.  See the mod_ssl documentation
#   for more details.
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

#   SSL Engine Options:
#   Set various options for the SSL engine.
#   o FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation.  This means that
#     the standard Auth/DBMAuth methods can be used for access control.  The
#     user name is the 'one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the user
#     file needs this password: 'xxj31ZMTZzkVA'.
#   o ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   o StdEnvVars:
#     This exports the standard SSL/TLS related 'SSL_*' environment variables.
#     Per default this exportation is switched off for performance reasons,
#     because the extraction step is an expensive operation and is usually
#     useless for serving static content. So one usually enables the
#     exportation for CGI and SSI requests only.
#   o StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   o OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context. 
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "$srvref_root/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is send or allowed to received.  This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is send and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly. 
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
#CustomLog logs/ssl_request_log \
#          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

# What follows are lots of additions to support the binder for
# calls coming in via https, which are required to use the API.

# Rewrite stuff follows. yyy

#RewriteCond %{HTTPS} on	# yyy don't think we need to test this here

# Because RewriteEngine On only goes in a VirtualHost section, and we
# need to rewrite from either http or https, we have to duplicate a lot
# of directives (see rewrite1, rewrite2, and rewrite3 files) between the
# two sections.

# !! RewriteEngine On required in VirtualHost section [jak]
RewriteEngine On
# !! RewriteOptions Inherit required in VirtualHost section [jak]
RewriteOptions Inherit

# From: http://stackoverflow.com/questions/19372594/preserve-http-https-protocol-in-htaccess-redirects
# And from AWS load balancer docs:
#   If X-Forwarded-Proto is “https”, then it was an HTTPS request.
#   If X-Forwarded-Proto is “http”, then it was an HTTP request.
# NB: according to stackoverflow entry, starting with Apache 2.4 you can
#     also use the variable %{REQUEST_SCHEME} to preserve the scheme, eg,
# 
#RewriteRule "^" "%{REQUEST_SCHEME}://sub.domain.com:2368%{REQUEST_URI}" [P,QSA,L]

# For benefit of --rrm mode, set "proto" env var to either http or https.
# Reference value as %{ENV:proto} in rules.
RewriteCond %{HTTP:X-Forwarded-Proto} =http [OR]
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ - [env=proto:http]
RewriteCond %{HTTP:X-Forwarded-Proto} =https [OR]
RewriteCond %{HTTPS} =on
RewriteRule ^(.*)$ - [env=proto:https]

#
#### Main HTTPS rewrite section:  how to talk to binders and minters
#

# Do a=api first, then r=resolver, then e=extras.
# Send API calls to the script directory with revised arguments.
# Note that the [L] flag means "last rule" (don't process further).
#
## Inflections and content-negotiation are resolved with this rule.
#RewriteRule ^_rslv_inflect (.*)\$ \\
#  "$document_root/inflect? $tlog --ua %{QUERY_STRING}" [L]

# Binders are invoked with this rule.
RewriteRule ^(/a/([^/]+)/b)\$ \\
  "$document_root\$1? --api $homedb --all -d $bdrsref_root/\$2 $isolation_arg --ua %{QUERY_STRING}" [L]
#  "$document_root\$1? --api $homedb --all -d $bdrsref_root/\$2 $tda_arg --ua %{QUERY_STRING}" [L]
#  "$document_root\$1? --api $home $tlog --all -d $bdrsref_root/\$2 --ua %{QUERY_STRING}" [L]


# XXXXXXXXXXX this is where an open minter might be invoked
#      path /a/sortofunique/m? try 10 12345/x8 {short|medium|long}
# Minters are invoked with this rule.
RewriteRule ^(/a/([^/]+)/m)/(.+)\$ \\
  "$document_root\$1? --api $homedb -d $mtrsref_root/\$2/\$3 --ua %{QUERY_STRING}" [L]
#  "$document_root\$1? --api $home $tlog -d $mtrsref_root/\$2/\$3 --ua %{QUERY_STRING}" [L]
# yyy minters don't currently use $homedb

# This will be an edge case.
RewriteRule ^(/a/[^/]+/m/*)\$ \\
  "$document_root\$1? --api $homedb -p $mtrsref_root --ua %{QUERY_STRING}" [L]
#  "$document_root\$1? --api $home $tlog -p $mtrsref_root --ua %{QUERY_STRING}" [L]

## Edge case rules to send to HTTP for extras or a resolver (e/... or r/...).
##
##RewriteRule ^(/[re](/.*)?)\$ http://$hostport\$1 [R=302,L]

# Edge case rule to forgive a stubby API or directed resolver path
# (/a or /a/ or /r or /r/) and index.html file.
#
RewriteRule ^/([ar])/*\$ /\$1/ [PT]

## A rule for the empty URL path:
## XXX 302 is the default, so is it necessary to say R=302?
#RewriteRule ^/\$ http://$hostport/ [R=302,L]

## Assume any https call not caught above is a botched API call and
## redirect towards some help.
##
#RewriteRule .* "http://$hostport/e/api_help.html" [R=302,L]

# That accounts for all service available via https.
# xxx why not support resolution via https too?

# Note that these files are Include'd once for HTTP and once for HTTPS,
# which means that there are two RewriteMap processes for each binder.
#
####### Include rewrite1-setup.conf for HTTPS
#
Include $srvref_root/conf/rewrite1-setup.conf

# XXX rewrite2-server.conf expected to be created by (currently) $sstub/n2t/
####### Include rewrite2-server.conf for HTTPS
#
Include $srvref_root/conf/rewrite2-server.conf

####### Include rewrite3-generic.conf for HTTPS
#
Include $srvref_root/conf/rewrite3-generic.conf

</VirtualHost>

<VirtualHost _default_:$port_hpr>

#
#### HTTP section:
#

# This VirtualHost section is only for calls coming in via http URLs.
# The main use of rewriting here is to support resolution, which has more
# involved rewriting than https but doesn't require SSL or authentication.

AllowEncodedSlashes On

#RewriteCond %{HTTPS} off	# yyy don't think we need to test this here
RewriteEngine On
RewriteOptions Inherit

# For benefit of --rrm mode, set "proto" env var to either http or https.
RewriteCond %{HTTP:X-Forwarded-Proto} =http [OR]
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ - [env=proto:http]
RewriteCond %{HTTP:X-Forwarded-Proto} =https [OR]
RewriteCond %{HTTPS} =on
RewriteRule ^(.*)$ - [env=proto:https]

# Edge case rule to send stuff intended for the API over to https (/a/...).
# xxx should this use the permanent redirect code?

RewriteRule ^(/a/.+)\$ https://$EGNAPA_HOST\$1 [R=302,L]

# Secure admin interface
RewriteRule ^(/e/admin/.+)\$ https://$EGNAPA_HOST\$1 [R=302,L]

# Note that these files are Include'd once for HTTP and once for HTTPS,
# which means that there are two RewriteMap processes for each binder.
#
####### Include rewrite1-setup.conf for HTTP

Include $srvref_root/conf/rewrite1-setup.conf

####### Include rewrite2-server.conf for HTTP

Include $srvref_root/conf/rewrite2-server.conf

####### Include rewrite3-generic.conf for HTTP

Include $srvref_root/conf/rewrite3-generic.conf

</VirtualHost>

<VirtualHost _default_:$port_hpr>

# HTTP (not https) ://ruu.app virtual hosting -- send all to https

# These <VirtualHost> directives must come after the N2T virtualhost
# directive to avoid their taking precedence.

# xxx don't know if can test via scripts unless we alter $shostport
ServerName $ruuapp
ServerAlias www.$ruuapp

RewriteEngine On
# Send all http traffic to https
RewriteRule ^(.*)$ https://$ruuapp\$1 [L]
#Redirect permanent / https://$ruuapp/

# XXX is this the best way??
# XXX logs?

</VirtualHost>

<VirtualHost _default_:$port_hprs>

# HTTPS://ruu.app virtual hosting

ServerName $ruuapp
ServerAlias www.$ruuapp

DocumentRoot "$ruu_document_root"

# xxx not recommended for security reasons -- move this to $sstub/n2t/...?
AllowEncodedSlashes On

#   Enable/Disable SSL for this virtual host.
SSLEngine on
SSLProtocol all -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA

$sslcertblock

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "$srvref_root/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

# xxx needed?
# !! RewriteEngine On required in VirtualHost section [jak]
RewriteEngine On
# !! RewriteOptions Inherit required in VirtualHost section [jak]
#RewriteOptions Inherit

# xxx change this to index.html?
RewriteRule ^/$ "$ruu_document_root/arks.html" [L]
#RewriteRule ^(/favicon.ico.*)$ "$ruu_document_root$1" [L]
RewriteRule ^/favicon.ico $ruu_document_root/favicon.ico [L]
RewriteRule ^/robots.txt $document_root/e/robots.txt [L]
RewriteRule ^/css/(.+) $document_root/e/css/\$1 [L]

# Note that Indexes has been removed from Options.
<Directory "$ruu_document_root">
    Options FollowSymLinks Includes
    AllowOverride None
    Require all granted
</Directory>

</VirtualHost>

EOT

# Remember to quote $ \ and ` in << blocks, or (in this case) to protect regexp
# special chars, by having them appear only as result of parameter expansion.
#
cat << EOT >> conf/rewrite1-setup.conf

# Some common requests for both HTTP and HTTPS.
RewriteRule ^/favicon.ico $document_root/e/images/favicon.ico [L]
RewriteRule ^/robots.txt $document_root/e/robots.txt [L]
RewriteRule ^/css/(.+) $document_root/e/css/\$1 [L]

# XXX why not using %{ENV:XFF}?
# Establish some shorthand and set the XFF environment variable.
RewriteMap uc int:toupper
RewriteMap esc int:escape
RewriteRule .* - [E=XFF:%{HTTP:X-Forwarded-For}]

# We want to use URI PATH and QUERY exactly as they were entered, calling
# the result THUMPER.  This way we can detect the case of a single question
# mark ("?"), which is one of the shorthands in THUMP.  Because Apache
# sets the QUERY_STRING to contain only what _follows_ the first question
# mark, we check if there's any question mark at all in the request and
# then we can safely prepend it to QUERY_STRING (even if empty).  The
# THUMPER environment variable will therefore be QUERY_STRING preceded by
# a "?", but it will be empty if there was no "?" in the request.
#
RewriteCond %{THE_REQUEST} \\?
RewriteRule .* - [E=THUMPER:?%{QUERY_STRING}]

# Rewrite rules are ordered to service the common expected cases first.
# We expect server access will be for 
#
#   1. most common: look up in the binder for forwarding (redirection)
#   2. less common: API access by populators such as EZID and OCA
#   3. much less common: access to home page, api_help, and extras

EOT

cat << EOT >> conf/rewrite3-generic.conf

# We fall through to these rewrite rules only if nothing was found before.

#############
# NOTE: if we're in this section, the "uri" we're trying to match has already
# been looked up via RewriteMap, ie, we're POST database lookup processing.
#############

# * These inflection checks should come after rewritemap lookups
# * because SPT will have left them intact.
#
# XXXXX inflections: test!!
# resolver code checks inflections for ids we have stored, but they
# remain for ids we don't store, eg, for rule-based redirects
# Detect ? and ?? inflections and map with THUMP compatibility mode.
# xxxx consider also real THUMP?
# One question mark case:  ?  -> ?thump=0&show=brief&as=anvl/erc
RewriteCond %{THE_REQUEST}  \\?
RewriteCond %{QUERY_STRING} ^$
RewriteRule ^(.*)\$ "\$1?thump=0&show=brief&as=anvl/erc"

# Two question mark case:  ?? -> ?thump=0&show=support&as=anvl/erc
RewriteCond %{QUERY_STRING} ^\\?$
RewriteRule ^(.*)\$ "\$1?thump=0&show=support&as=anvl/erc"

# !! convert encoded ':' (%3A) case-insensitive (NC) into ':' [jak]
# xxx this only substitutes the first occurrence, and seems silly
# xxx is this due to problem of not %-decoding target returned redirect URLs?
RewriteRule ^(.*)%3A(.*)\$  \$1:\$2  [NC]

# Redirect if it looks like the target is a URL (matches "://").
# XXX NE flag prevents hex encoding of chars like ? and #
#         does preventing it create some other problems?
#
# xxx this rule obviated by new _rslv_CommandVerb protocol, right?
#RewriteRule ^_rslv_([^:]*://.*)\$    \$1 [R=302,L,NE]

# Strip added _rslv_ if it looks like a rewrite intended for this server.
#
# xxx good?  bad?
RewriteRule ^_rslv_(/.*)\$    \$1 [PT]

# Restore value if lookup failed and fall through to next ruleset.
#
#RewriteRule ^_rslv_\$      %{REQUEST_URI}
RewriteRule "^_rslv_redir3.. \$"      %{REQUEST_URI}

# XXXX the /r/... (directed resolver) rewrites go here?

# Service priority level 3 access to actual documents on this server.
#
# L=last means we're done.
# xxx is this causing/related to the 301 redirect?
#RewriteRule ^(/e(/.*)?)\$ $document_root\$1 [L]
# I think we need to add the trailing slash ourselves or the server will
# trigger a redirect that re-uses the incoming port, which won't work
# when we're port fowarding/mapping with a load balancer and firewalls.

RewriteRule ^/e\$ $document_root/e/index.html [L]
RewriteRule ^(/e/.*)\$ $document_root\$1 [L]
RewriteRule ^/\$ $document_root/e/homepage.html [L]
#RewriteRule ^/\$ $document_root/index.html [L]

# Edge case rule to forgive a stubby API or directed resolver path.
RewriteRule ^/([ar])/*\$ /\$1/ [PT]

#
#### Externally supported scheme section:  known schemes and their resolvers
#

# This is the last section and therefore the final attempt to make sense
# of the user's request.  To start, don't waste time on it unless it
# looks like something beginning with a scheme name ending in a colon
# (it could even start with a colon), ie, if it doesn't look like that,
# just pass it through for a 404 error.
#
# XXXX untested
RewriteCond %{REQUEST_URI} !^/[^:]*:.+\$
RewriteRule (.*)    \$1 [R=404,L]

#############
# NOTE: if we're in this section, the "uri" we're trying to match
# has been RESTORED to its PRE-database lookup state.
#############

# yyy add Greg's N2T rules

# yyy special rule for escholarship; remove when EZID registers their ARKs
RewriteRule ^/ark:/*13030/qt(.*)\$ "http://escholarship.org/uc/item/\$1" [R=302,L,NC]
# yyy special rule for OAC; remove when EZID registers their ARKs
RewriteRule ^/ark:/*(13030/(?:tf|ft|kt).*)\$ "http://ark.cdlib.org/ark:/\$1" [R=302,L,NC]

# XXX move 'url:' out of apache and into code
# URLs.  This place-holder prevents "url:" label from going to lsrn.org.
RewriteRule ^/(url:/?(.*))\$     "http://\$2" [R=302,L,NC]
#RewriteRule ^/13030/(.*)\$      "http://www.cdlib.org/\$1" [R=302,L,NC]
 
# If we fall through to here, no matches were found.
# The URL either matches something on the local server or it doesn't.

##### end http includes here

EOT

# XXXXXXXXXXXXX make fall through above END at our own resolver so we can
#    log what falls through; it's also more polite to others

# http://*.*.*/a/b/* -> https://...	# redirection to https for api xxx
# http://*.*.*/a/b/* -> https://...	# redirection to https for api xxx
# http://*.*.*/a/doc/...		# to redirection for simple docs xxx

# Above code is basic to setting up almost any server supporting eggnog.
# Now we source scripts to build out stuff that instance-specific server
# tests rely on.

echo Deriving rewrite rule and populator config info.

# Note: this step also modifies conf/$hconf

function build_minders {

	# XXX for now, DOI minting takes place via special-NAAN ARKs:
	#     10.nnnn -> bnnnn, 10.1nnnn -> cnnnn, 10.2nnnn -> dnnnn, ...
	#     edge: 10.n -> b.000n, 10.nn -> b.00nn, 10.nnn -> b.0nnn
	# xxx mkminter nicely creates ark subdir, but is that
	#     best way to support it?

	local n poprs b p

	poprs=` for i in ${populators[*]}; do echo $i; done | sort -u `

	echo Building proto-minders across populators: \
		"("$poprs")."		# inner quotes suppress newlines(?)

	# xxx document next: this is a per-populator read-protected area
	#     for non-executable files
	for p in ${populators[*]}
	do
		mkdir -p htdocs/e/pop/$p
	done

	# XXX check that there's at least one binder and error out if not
	n=0
	for b in ${binders[*]}
	do
		activate_popbinder ${populators[$n]} $b
		let n++
	done

	rwnamed=conf/rewrite-namedresolvers.conf

	cat <<- EOT > $rwnamed
	# RewriteRule ^/r/all/+(.*)\$ "_rslv_\${map_all:\$1.get _t}"
	# RewriteRule ^/r/all_test/+(.*)\$ "_rslv_\${map_all_test:\$1.get _t}"
	EOT

	n=0
	cp /dev/null $rwplus.post	# initialize for appending
	for b in ${binders[*]}
	do
		# write to one file
		echo "
RewriteMap map_$b prg:$rmap_root/${populators[$n]}/rmap_$b" >> $rwplus.post
		# write to a different file
		# NB: next line must match regex for $numrwrules calculation
		echo "
RewriteRule ^/r/$b/+(.*)\$ \"_rslv_\${map_$b:\$1.resolve \${$hdrblob}}\"" >> $rwnamed
#RewriteRule ^/r/$b/+(.*)\$ \"_rslv_\${map_$b:\$1.get _t}\"" >> $rwnamed
		let n++
	done

	numrwrules=$( grep -c "^RewriteRule" $rwnamed )
	cat - $rwnamed <<- EOT >> $rwplus.post

	# Below is an "if" statement equivalent: if the submitted URI didn't
	# have a specific resolver, skip over the block of rules that takes
	# action on specific resolvers, each beginning with /r/.
	#
	RewriteCond %{REQUEST_URI} !^/r/
	RewriteRule .? - [SKIP=$numrwrules]

	EOT
	rm $rwnamed

	cat - <<- EOT >> $rwplus.post

	# This is the end of the "if" statement equivalent.
	EOT

	# yyy it's unfortunate that we have two (rrm) resolver processes
	# for each binder, but we need to handle both http and https
	# resolutions.  I don't know how to do that except in separate
	# virtual host sections, and we can't start a rewrite engine
	# that's shared between two virtual host blocks.

	# Recall that the main resolver engine is in $rwplus.pre, eg,
	# built by $sstub/n2t/minder_builder.  Now we put the pieces together.
	#
	cat $rwplus.pre $rwplus.post > $rwplus
	rm $rwplus.pre $rwplus.post

	local m= msg=

	for b in ${binders[*]} all all_test
	do
		m=$( mkdir htdocs/a/$b 2>&1 )
		[[ "$m" ]] &&
			msg+="
    $m"
	done
	[[ $msg != '' ]] && {
		echo "One or more files/dirs may have already existed (ok):"
		sed -e '/^$/d' <<< "$msg"
	}

	make_minders			# make minters and binders

	echo Linking to binder and minter scripts.

	# Establish binders and symlinks to executable scripts.
	# Symlinks allow us to maintain the original pathnames
	# needed for <Directory>-based authN.
	# xxx document this
	#
	for b in ${binders[*]}
	do
		linkdir=htdocs/a/$b
		rm -f $linkdir/{m,b}
		ln -s $cgiref_egg $linkdir/b
		ln -s $cgiref_nog $linkdir/m

		#mkdir $linkdir/{m,m/ark,m/doi,m/urn,m/url,m/purl,m/pmid}
		# yyy mshow shows all minders in path
		#
		# Note: we normalize the : out of ark:/, doi:, urn:, etc
		# it makes the code easier and more portable to Windows
	done

	echo "Establishing public documents."

	# Some html docs are just copied. If there's a 'makefile' present,
	# run that first (eg, to create a .html file from .rst markdown).

	local file

	# run any makefiles first, eg, restructured text -> html
	for file in $( find $template_root -name '[mM]akefile' )
	do
		( cd $( dirname $file ) ; make )
	done

	for dir in a e r e/admin ruu.app
	do
		# yyy skip if $dir is missing; this is a kludge that props up
		#     support in t/n2t for virtualhost ruu.app
		[[ ! -d $template_root/$dir ]] &&
			continue
		(shopt -s nullglob;
			cp -p $template_root/$dir/*.{html,txt,pl} htdocs/$dir)
	done
#	(shopt -s nullglob; cp -p $template_root/?/*.{html,txt} htdocs/e)
#	local a=arks.org
#	(shopt -s nullglob; cp -p $template_root/$a/*.{html,txt} htdocs/$a/)
#	for file in $( cd $template_root; \
#			find . -name '*.html' -o -name '*.txt' )
#	do
#		# copy path "as is"
#		cp $template_root/$file htdocs/$file
#	done
	# yyy used to have .html files generated by bash << EOT in order to get
	# variables substituted (not needed at the moment); makefiles could
	# also take care of this

	[[ -e $template_root/e/images ]] &&
		cp -r $template_root/e/images $buildout_root/htdocs/e
	[[ -e $template_root/e/css ]] &&
		cp -r $template_root/e/css $buildout_root/htdocs/e
	[[ -e $template_root/e/fonts ]] &&
		cp -r $template_root/e/fonts $buildout_root/htdocs/e
	#[[ -e $template_root/robots.txt ]] &&
	#	cp $template_root/robots.txt $robots

	echo Creating resolver map scripts.

	n=0
	for resolver in ${binders[*]}
	do
		create_rmap ${populators[$n]} $resolver || {
			echo Aborting
			exit 1
		}
		let n++
	done
}

build_minders || {
	echo Error in build_minders.
	exit 1
}

exit