# Authors:
#     Jack Magne <jmagne@rehdat.com> based on work <ftweedal@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful',

# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not', write to the Free Software Foundation', Inc.',
# 51 Franklin Street', Fifth Floor', Boston', MA 02110-1301 USA.
#
# Copyright (C) 2017 Red Hat', Inc.
# All rights reserved.

from __future__ import absolute_import
import os.path
from lxml import etree
import socket

import pki
from pki.server.upgrade import PKIServerUpgradeScriptlet

proplist = [
    ('op.format.externalRegISEtoken.auth.enable', 'true'),
    ('op.format.externalRegISEtoken.auth.id', 'ldap1'),
    ('op.format.externalRegISEtoken.ca.conn', 'ca1'),
    ('op.format.externalRegISEtoken.cardmgr_instance', 'A0000000030000'),
    ('op.format.externalRegISEtoken.cuidMustMatchKDD', 'false'),
    ('op.format.externalRegISEtoken.enableBoundedGPKeyVersion', 'true'),
    ('op.format.externalRegISEtoken.issuerinfo.enable', 'true'),
    ('op.format.externalRegISEtoken.issuerinfo.value', 'http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome'),
    ('op.format.externalRegISEtoken.loginRequest.enable', 'true'),
    ('op.format.externalRegISEtoken.maximumGPKeyVersion', 'FF'),
    ('op.format.externalRegISEtoken.minimumGPKeyVersion', '01'),
    ('op.format.externalRegISEtoken.revokeCert', 'false'),
    ('op.format.externalRegISEtoken.revokeCert.reason', '0'),
    ('op.format.externalRegISEtoken.rollbackKeyVersionOnPutKeyFailure', 'false'),
    ('op.format.externalRegISEtoken.tks.conn', 'tks1'),
    ('op.format.externalRegISEtoken.update.applet.directory', '/usr/share/pki/tps/applets'),
    ('op.format.externalRegISEtoken.update.applet.emptyToken.enable', 'true'),
    ('op.format.externalRegISEtoken.update.applet.encryption', 'true'),
    ('op.format.externalRegISEtoken.update.applet.requiredVersion', '1.4.58768072'),
    ('op.format.externalRegISEtoken.update.symmetricKeys.enable', 'false'),
    ('op.format.externalRegISEtoken.update.symmetricKeys.requiredVersion', '1'),
    ('op.format.externalRegISEtoken.validateCardKeyInfoAgainstTokenDB', 'true'),
    ('op.enroll.externalRegISEtoken._000', '#########################################'),
    ('op.enroll.externalRegISEtoken._001', '# Enrollment for externalReg'),
    ('op.enroll.externalRegISEtoken._002', '#     ID, Signing,Encryption'),
    ('op.enroll.externalRegISEtoken._003', '#    controlled by registration user record'),
    ('op.enroll.externalRegISEtoken._004', '#########################################'),
    ('op.enroll.externalRegISEtoken.auth.enable', 'true'),
    ('op.enroll.externalRegISEtoken.auth.id', 'ldap1'),
    ('op.enroll.externalRegISEtoken.cardmgr_instance', 'A0000000030000'),
    ('op.enroll.externalRegISEtoken.cuidMustMatchKDD', 'false'),
    ('op.enroll.externalRegISEtoken.enableBoundedGPKeyVersion', 'true'),
    ('op.enroll.externalRegISEtoken.issuerinfo.enable', 'true'),
    ('op.enroll.externalRegISEtoken.issuerinfo.value', 'http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.SANpattern', '$auth.edipi$.$auth.pcc$@EXAMPLE.com'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.ca.conn', 'ca1'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.ca.profileId', 'caTokenUserDelegateAuthKeyEnrollment'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.certAttrId', 'c3'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.certId', 'C3'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.cuid_label', '$cuid$'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.dnpattern', 'cn=$auth.firstname$.$auth.lastname$.$auth.edipi$,e=$auth.mail$,o=TMS Org'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.keySize', '1024'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.keyUsage', '0'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.keyUser', '0'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.label', 'authentication key for $userid$'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.overwrite', 'true'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.decrypt', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.derive', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.encrypt', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.private', 'true'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.sensitive', 'true'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.sign', 'true'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.signRecover', 'true'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.token', 'true'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.unwrap', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.verify', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.verifyRecover', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.wrap', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.privateKeyAttrId', 'k6'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.privateKeyNumber', '6'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.decrypt', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.derive', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.encrypt', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.private', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.sensitive', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.sign', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.signRecover', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.token', 'true'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.unwrap', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.verify', 'true'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.verifyRecover', 'true'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.wrap', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.publicKeyAttrId', 'k7'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.publicKeyNumber', '7'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.destroyed.holdRevocationUntilLastCredential', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.destroyed.revokeCert', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.destroyed.revokeCert.reason', '0'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.destroyed.revokeExpiredCerts', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.destroyed.scheme', 'GenerateNewKey'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.keyCompromise.holdRevocationUntilLastCredential', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.keyCompromise.revokeCert', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.keyCompromise.revokeCert.reason', '1'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.keyCompromise.revokeExpiredCerts', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.keyCompromise.scheme', 'GenerateNewKey'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.onHold.holdRevocationUntilLastCredential', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.onHold.revokeCert', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.onHold.revokeCert.reason', '6'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.onHold.revokeExpiredCerts', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.onHold.scheme', 'GenerateNewKey'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.terminated.holdRevocationUntilLastCredential', 'true'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.terminated.revokeCert', 'true'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.terminated.revokeCert.reason', '1'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.terminated.revokeExpiredCerts', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.terminated.scheme', 'GenerateNewKey'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.serverKeygen.archive', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.serverKeygen.drm.conn', 'kra1'),
    ('op.enroll.externalRegISEtoken.keyGen.authentication.serverKeygen.enable', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.SANpattern', '$auth.mail$,$auth.edipi$.$auth.pcc$@EXAMPLE.com'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption._000', '#########################################'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption._001', '# encryption cert/keys are "recovered" for this profile'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption._002', '# controlled from User Registartion db'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption._003', '#########################################'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.ca.conn', 'ca1'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.ca.profileId', 'caTokenUserEncryptionKeyEnrollment'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.certAttrId', 'c2'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.certId', 'C2'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.cuid_label', '$cuid$'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.dnpattern', 'cn=$auth.firstname$.$auth.lastname$.$auth.exec-edipi$,e=$auth.mail$,o=TMS Org'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.keySize', '1024'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.keyUsage', '0'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.keyUser', '0'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.label', 'encryption key for $userid$'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.overwrite', 'true'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.decrypt', 'true'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.derive', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.encrypt', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.private', 'true'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.sensitive', 'true'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.sign', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.signRecover', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.token', 'true'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.unwrap', 'true'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.verify', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.verifyRecover', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.wrap', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.privateKeyAttrId', 'k4'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.privateKeyNumber', '4'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.decrypt', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.derive', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.encrypt', 'true'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.private', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.sensitive', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.sign', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.signRecover', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.token', 'true'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.unwrap', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.verify', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.verifyRecover', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.wrap', 'true'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.publicKeyAttrId', 'k5'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.publicKeyNumber', '5'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.destroyed.holdRevocationUntilLastCredential', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.destroyed.revokeCert', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.destroyed.revokeCert.reason', '0'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.destroyed.revokeExpiredCerts', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.destroyed.scheme', 'RecoverLast'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.keyCompromise.holdRevocationUntilLastCredential', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.keyCompromise.revokeCert', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.keyCompromise.revokeCert.reason', '1'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.keyCompromise.revokeExpiredCerts', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.keyCompromise.scheme', 'GenerateNewKey'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.onHold.holdRevocationUntilLastCredential', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.onHold.revokeCert', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.onHold.revokeCert.reason', '6'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.onHold.revokeExpiredCerts', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.onHold.scheme', 'GenerateNewKey'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.terminated.holdRevocationUntilLastCredential', 'true'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.terminated.revokeCert', 'true'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.terminated.revokeCert.reason', '1'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.terminated.revokeExpiredCerts', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.terminated.scheme', 'GenerateNewKey'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.serverKeygen.archive', 'true'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.serverKeygen.drm.conn', 'kra1'),
    ('op.enroll.externalRegISEtoken.keyGen.encryption.serverKeygen.enable', 'True'),
    ('op.enroll.externalRegISEtoken.keyGen.keyType.num', '3'),
    ('op.enroll.externalRegISEtoken.keyGen.keyType.value.0', 'signing'),
    ('op.enroll.externalRegISEtoken.keyGen.keyType.value.1', 'authentication'),
    ('op.enroll.externalRegISEtoken.keyGen.keyType.value.2', 'encryption'),
    ('op.enroll.externalRegISEtoken.keyGen.recovery.destroyed.keyType.num', '3'),
    ('op.enroll.externalRegISEtoken.keyGen.recovery.destroyed.keyType.value.0', 'signing'),
    ('op.enroll.externalRegISEtoken.keyGen.recovery.destroyed.keyType.value.1', 'authentication'),
    ('op.enroll.externalRegISEtoken.keyGen.recovery.destroyed.keyType.value.2', 'encryption'),
    ('op.enroll.externalRegISEtoken.keyGen.recovery.keyCompromise.keyType.num', '3'),
    ('op.enroll.externalRegISEtoken.keyGen.recovery.keyCompromise.keyType.value.0', 'signing'),
    ('op.enroll.externalRegISEtoken.keyGen.recovery.keyCompromise.keyType.value.1', 'authentication'),
    ('op.enroll.externalRegISEtoken.keyGen.recovery.keyCompromise.keyType.value.2', 'encryption'),
    ('op.enroll.externalRegISEtoken.keyGen.recovery.onHold.keyType.num', '3'),
    ('op.enroll.externalRegISEtoken.keyGen.recovery.onHold.keyType.value.0', 'signing'),
    ('op.enroll.externalRegISEtoken.keyGen.recovery.onHold.keyType.value.1', 'authentication'),
    ('op.enroll.externalRegISEtoken.keyGen.recovery.onHold.keyType.value.2', 'encryption'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.SANpattern', '$auth.mail$'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.ca.conn', 'ca1'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.ca.profileId', 'caTokenUserDelegateSigningKeyEnrollment'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.certAttrId', 'c1'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.certId', 'C1'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.cuid_label', '$cuid$'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.dnpattern', 'cn=$auth.firstname$.$auth.lastname$.$auth.edipi$,e=$auth.mail$,o=TMS Org'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.keySize', '1024'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.keyUsage', '0'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.keyUser', '0'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.label', 'signing key for $userid$'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.overwrite', 'true'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.decrypt', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.derive', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.encrypt', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.private', 'true'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.sensitive', 'true'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.sign', 'true'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.signRecover', 'true'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.token', 'true'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.unwrap', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.verify', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.verifyRecover', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.wrap', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.privateKeyAttrId', 'k2'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.privateKeyNumber', '2'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.decrypt', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.derive', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.encrypt', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.private', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.sensitive', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.sign', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.signRecover', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.token', 'true'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.unwrap', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.verify', 'true'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.verifyRecover', 'true'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.wrap', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.publicKeyAttrId', 'k3'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.publicKeyNumber', '3'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.destroyed.holdRevocationUntilLastCredential', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.destroyed.revokeCert', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.destroyed.revokeCert.reason', '0'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.destroyed.revokeExpiredCerts', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.destroyed.scheme', 'GenerateNewKey'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.keyCompromise.holdRevocationUntilLastCredential', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.keyCompromise.revokeCert', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.keyCompromise.revokeCert.reason', '1'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.keyCompromise.revokeExpiredCerts', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.keyCompromise.scheme', 'GenerateNewKey'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.onHold.holdRevocationUntilLastCredential', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.onHold.revokeCert', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.onHold.revokeCert.reason', '6'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.onHold.revokeExpiredCerts', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.onHold.scheme', 'GenerateNewKey'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.terminated.holdRevocationUntilLastCredential', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.terminated.revokeCert', 'true'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.terminated.revokeCert.reason', '1'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.terminated.revokeExpiredCerts', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.terminated.scheme', 'GenerateNewKey'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.serverKeygen.archive', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.serverKeygen.drm.conn', 'kra1'),
    ('op.enroll.externalRegISEtoken.keyGen.signing.serverKeygen.enable', 'false'),
    ('op.enroll.externalRegISEtoken.keyGen.tokenName', '$auth.cn$'),
    ('op.enroll.externalRegISEtoken.loginRequest.enable', 'true'),
    ('op.enroll.externalRegISEtoken.maximumGPKeyVersion', 'FF'),
    ('op.enroll.externalRegISEtoken.minimumGPKeyVersion', '01'),
    ('op.enroll.externalRegISEtoken.pinReset.enable', 'true'),
    ('op.enroll.externalRegISEtoken.pinReset.pin.maxLen', '10'),
    ('op.enroll.externalRegISEtoken.pinReset.pin.maxRetries', '127'),
    ('op.enroll.externalRegISEtoken.pinReset.pin.minLen', '4'),
    ('op.enroll.externalRegISEtoken.pkcs11obj.compress.enable', 'true'),
    ('op.enroll.externalRegISEtoken.pkcs11obj.enable', 'true'),
    ('op.enroll.externalRegISEtoken.renewal._000', '#########################################'),
    ('op.enroll.externalRegISEtoken.renewal._001', '# Token Renewal.'),
    ('op.enroll.externalRegISEtoken.renewal._002', '#'),
    ('op.enroll.externalRegISEtoken.renewal._003', '# For each token in TPS UI, set the'),
    ('op.enroll.externalRegISEtoken.renewal._004', '# following to trigger renewal'),
    ('op.enroll.externalRegISEtoken.renewal._005', '# operations:'),
    ('op.enroll.externalRegISEtoken.renewal._006', '#'),
    ('op.enroll.externalRegISEtoken.renewal._007', '#     RENEW=YES'),
    ('op.enroll.externalRegISEtoken.renewal._008', '#'),
    ('op.enroll.externalRegISEtoken.renewal._009', '# Optional grace period enforcement'),
    ('op.enroll.externalRegISEtoken.renewal._010', '# must coincide exactly with what'),
    ('op.enroll.externalRegISEtoken.renewal._011', '# the CA enforces.'),
    ('op.enroll.externalRegISEtoken.renewal._012', '#'),
    ('op.enroll.externalRegISEtoken.renewal._013', '# In case of renewal, encryption certId'),
    ('op.enroll.externalRegISEtoken.renewal._014', '# values are for completeness only, server'),
    ('op.enroll.externalRegISEtoken.renewal._015', '# code calculates actual values used.'),
    ('op.enroll.externalRegISEtoken.renewal._016', '#'),
    ('op.enroll.externalRegISEtoken.renewal._017', '#########################################'),
    ('op.enroll.externalRegISEtoken.renewal.authentication.ca.conn', 'ca1'),
    ('op.enroll.externalRegISEtoken.renewal.authentication.ca.profileId', 'caTokenUserDelegateAuthKeyRenewal'),
    ('op.enroll.externalRegISEtoken.renewal.authentication.certAttrId', 'c3'),
    ('op.enroll.externalRegISEtoken.renewal.authentication.certId', 'C3'),
    ('op.enroll.externalRegISEtoken.renewal.authentication.enable', 'true'),
    ('op.enroll.externalRegISEtoken.renewal.authentication.gracePeriod.after', '30'),
    ('op.enroll.externalRegISEtoken.renewal.authentication.gracePeriod.before', '30'),
    ('op.enroll.externalRegISEtoken.renewal.authentication.gracePeriod.enable', 'false'),
    ('op.enroll.externalRegISEtoken.renewal.keyType.num', '2'),
    ('op.enroll.externalRegISEtoken.renewal.keyType.value.0', 'signing'),
    ('op.enroll.externalRegISEtoken.renewal.keyType.value.1', 'authentication'),
    ('op.enroll.externalRegISEtoken.renewal.signing.ca.conn', 'ca1'),
    ('op.enroll.externalRegISEtoken.renewal.signing.ca.profileId', 'caTokenUserSigningKeyRenewal'),
    ('op.enroll.externalRegISEtoken.renewal.signing.certAttrId', 'c1'),
    ('op.enroll.externalRegISEtoken.renewal.signing.certId', 'C1'),
    ('op.enroll.externalRegISEtoken.renewal.signing.enable', 'true'),
    ('op.enroll.externalRegISEtoken.renewal.signing.gracePeriod.after', '30'),
    ('op.enroll.externalRegISEtoken.renewal.signing.gracePeriod.before', '30'),
    ('op.enroll.externalRegISEtoken.renewal.signing.gracePeriod.enable', 'false'),
    ('op.enroll.externalRegISEtoken.rollbackKeyVersionOnPutKeyFailure', 'false'),
    ('op.enroll.externalRegISEtoken.temporaryToken.tokenType', 'externalRegISEtokenTemporary'),
    ('op.enroll.externalRegISEtoken.tks.conn', 'tks1'),
    ('op.enroll.externalRegISEtoken.update.applet.directory', '/usr/share/pki/tps/applets'),
    ('op.enroll.externalRegISEtoken.update.applet.emptyToken.enable', 'true'),
    ('op.enroll.externalRegISEtoken.update.applet.enable', 'true'),
    ('op.enroll.externalRegISEtoken.update.applet.encryption', 'true'),
    ('op.enroll.externalRegISEtoken.update.applet.requiredVersion', '1.4.58768072'),
    ('op.enroll.externalRegISEtoken.update.symmetricKeys.enable', 'false'),
    ('op.enroll.externalRegISEtoken.update.symmetricKeys.requiredVersion', '1'),
    ('op.enroll.externalRegISEtoken.validateCardKeyInfoAgainstTokenDB', 'true')
]


class AddTPSExternalRegISEtokenParams(PKIServerUpgradeScriptlet):
    def __init__(self):
        super(AddTPSExternalRegISEtokenParams, self).__init__()
        self.parser = etree.XMLParser(remove_blank_text=True)
        self.message = 'Add token profile params for externalRegISEtoken for TPS CS.cfg'

    def upgrade_subsystem(self, instance, subsystem):
        if subsystem.name == 'tps':
            self.upgrade_config(instance, subsystem)

    def upgrade_config(self, instance, subsystem):  # pylint: disable=W0613
        filename = os.path.join(subsystem.conf_dir, 'CS.cfg')
        server_xml = os.path.join(instance.conf_dir, 'server.xml')
        self.backup(filename)
        properties = pki.PropertyFile(filename)
        properties.read()

        # Get the unsecure phone home url out of the server.xml

        tps_unsecure_port = None
        hostname = socket.gethostname()

        document = etree.parse(server_xml, self.parser)
        server = document.getroot()
        connectors = server.findall('.//Connector')

        for connector in connectors:
            # find the Secure connector
            name = connector.get('name')
            if name != 'Unsecure':
                continue
            else:
                tps_unsecure_port = connector.get('port')

        # if the property exists, leave it alone', otherwise set
        # it to the value defined above
        # replace the standard non secure phone home url with value
        # from the server.xml file, which is known correct

        for k, v in proplist:
            cur = properties.get(k)
            if cur is None:
                properties.set(k, v)
                # handle the case when we have an issuer url to plug in
                if k.find("issuerinfo.value") != -1:
                    if tps_unsecure_port is not None:
                        properties.set(k, "http://" + hostname + ":" + tps_unsecure_port + "/tps/phoneHome")

        properties.write()
