# See README.md for usage information

define apache::vhost(

  $docroot,

  $manage_docroot              = true,

  $virtual_docroot             = false,

  $port                        = undef,

  $ip                          = undef,

  $ip_based                    = false,

  $add_listen                  = true,

  $docroot_owner               = 'root',

  $docroot_group               = $::apache::params::root_group,

  $docroot_mode                = undef,

  $serveradmin                 = undef,

  $ssl                         = false,

  $ssl_cert                    = $::apache::default_ssl_cert,

  $ssl_key                     = $::apache::default_ssl_key,

  $ssl_chain                   = $::apache::default_ssl_chain,

  $ssl_ca                      = $::apache::default_ssl_ca,

  $ssl_crl_path                = $::apache::default_ssl_crl_path,

  $ssl_crl                     = $::apache::default_ssl_crl,

  $ssl_crl_check               = $::apache::default_ssl_crl_check,

  $ssl_certs_dir               = $::apache::params::ssl_certs_dir,

  $ssl_protocol                = undef,

  $ssl_cipher                  = undef,

  $ssl_honorcipherorder        = undef,

  $ssl_verify_client           = undef,

  $ssl_verify_depth            = undef,

  $ssl_proxy_machine_cert      = undef,

  $ssl_options                 = undef,

  $ssl_openssl_conf_cmd        = undef,

  $ssl_proxyengine             = false,

  $priority                    = undef,

  $default_vhost               = false,

  $servername                  = $name,

  $serveraliases               = [],

  $options                     = ['Indexes','FollowSymLinks','MultiViews'],

  $override                    = ['None'],

  $directoryindex              = '',

  $vhost_name                  = '*',

  $logroot                     = $::apache::logroot,

  $logroot_ensure              = 'directory',

  $logroot_mode                = undef,

  $log_level                   = undef,

  $access_log                  = true,

  $access_log_file             = false,

  $access_log_pipe             = false,

  $access_log_syslog           = false,

  $access_log_format           = false,

  $access_log_env_var          = false,

  $access_logs                 = undef,

  $aliases                     = undef,

  $directories                 = undef,

  $error_log                   = true,

  $error_log_file              = undef,

  $error_log_pipe              = undef,

  $error_log_syslog            = undef,

  $error_documents             = [],

  $fallbackresource            = undef,

  $scriptalias                 = undef,

  $scriptaliases               = [],

  $proxy_dest                  = undef,

  $proxy_dest_match            = undef,

  $proxy_dest_reverse_match    = undef,

  $proxy_pass                  = undef,

  $proxy_pass_match            = undef,

  $suphp_addhandler            = $::apache::params::suphp_addhandler,

  $suphp_engine                = $::apache::params::suphp_engine,

  $suphp_configpath            = $::apache::params::suphp_configpath,

  $php_flags                   = {},

  $php_values                  = {},

  $php_admin_flags             = {},

  $php_admin_values            = {},

  $no_proxy_uris               = [],

  $no_proxy_uris_match         = [],

  $proxy_preserve_host         = false,

  $proxy_error_override        = false,

  $redirect_source             = '/',

  $redirect_dest               = undef,

  $redirect_status             = undef,

  $redirectmatch_status        = undef,

  $redirectmatch_regexp        = undef,

  $redirectmatch_dest          = undef,

  $rack_base_uris              = undef,

  $passenger_base_uris         = undef,

  $headers                     = undef,

  $request_headers             = undef,

  $filters                     = undef,

  $rewrites                    = undef,

  $rewrite_base                = undef,

  $rewrite_rule                = undef,

  $rewrite_cond                = undef,

  $setenv                      = [],

  $setenvif                    = [],

  $block                       = [],

  $ensure                      = 'present',

  $wsgi_application_group      = undef,

  $wsgi_daemon_process         = undef,

  $wsgi_daemon_process_options = undef,

  $wsgi_import_script          = undef,

  $wsgi_import_script_options  = undef,

  $wsgi_process_group          = undef,

  $wsgi_script_aliases         = undef,

  $wsgi_pass_authorization     = undef,

  $wsgi_chunked_request        = undef,

  $custom_fragment             = undef,

  $itk                         = undef,

  $action                      = undef,

  $fastcgi_server              = undef,

  $fastcgi_socket              = undef,

  $fastcgi_dir                 = undef,

  $additional_includes         = [],

  $use_optional_includes       = $::apache::use_optional_includes,

  $apache_version              = $::apache::apache_version,

  $allow_encoded_slashes       = undef,

  $suexec_user_group           = undef,

  $passenger_app_root          = undef,

  $passenger_app_env           = undef,

  $passenger_ruby              = undef,

  $passenger_min_instances     = undef,

  $passenger_start_timeout     = undef,

  $passenger_pre_start         = undef,

  $add_default_charset         = undef,

  $modsec_disable_vhost        = undef,

  $modsec_disable_ids          = undef,

  $modsec_disable_ips          = undef,

  $modsec_body_limit           = undef,

  $auth_kerb                   = false,

  $krb_method_negotiate        = 'on',

  $krb_method_k5passwd         = 'on',

  $krb_authoritative           = 'on',

  $krb_auth_realms             = [],

  $krb_5keytab                 = undef,

  $krb_local_user_mapping      = undef,

  $limit_request_field_size    = undef,

) {

  # The base class must be included first because it is used by parameter defaults

  if ! defined(Class['apache']) {

    fail('You must include the apache base class before using any apache defined resources')

  }

  $apache_name = $::apache::apache_name

  validate_re($ensure, '^(present|absent)$',

  "${ensure} is not supported for ensure.

  Allowed values are 'present' and 'absent'.")

  validate_re($suphp_engine, '^(on|off)$',

  "${suphp_engine} is not supported for suphp_engine.

  Allowed values are 'on' and 'off'.")

  validate_bool($ip_based)

  validate_bool($access_log)

  validate_bool($error_log)

  validate_bool($ssl)

  validate_bool($default_vhost)

  validate_bool($ssl_proxyengine)

  if $rewrites {

    validate_array($rewrites)

    validate_hash($rewrites[0])

  }

  # Input validation begins

  if $suexec_user_group {

    validate_re($suexec_user_group, '^[\w-]+ [\w-]+$',

    "${suexec_user_group} is not supported for suexec_user_group.  Must be 'user group'.")

  }

  if $wsgi_pass_authorization {

    validate_re(downcase($wsgi_pass_authorization), '^(on|off)$',

    "${wsgi_pass_authorization} is not supported for wsgi_pass_authorization.

    Allowed values are 'on' and 'off'.")

  }

  # Deprecated backwards-compatibility

  if $rewrite_base {

    warning('Apache::Vhost: parameter rewrite_base is deprecated in favor of rewrites')

  }

  if $rewrite_rule {

    warning('Apache::Vhost: parameter rewrite_rule is deprecated in favor of rewrites')

  }

  if $rewrite_cond {

    warning('Apache::Vhost parameter rewrite_cond is deprecated in favor of rewrites')

  }

  if $wsgi_script_aliases {

    validate_hash($wsgi_script_aliases)

  }

  if $wsgi_daemon_process_options {

    validate_hash($wsgi_daemon_process_options)

  }

  if $wsgi_import_script_options {

    validate_hash($wsgi_import_script_options)

  }

  if $itk {

    validate_hash($itk)

  }

  validate_re($logroot_ensure, '^(directory|absent)$',

  "${logroot_ensure} is not supported for logroot_ensure.

  Allowed values are 'directory' and 'absent'.")

  if $log_level {

    validate_apache_log_level($log_level)

  }

  if $access_log_file and $access_log_pipe {

    fail("Apache::Vhost[${name}]: 'access_log_file' and 'access_log_pipe' cannot be defined at the same time")

  }

  if $error_log_file and $error_log_pipe {

    fail("Apache::Vhost[${name}]: 'error_log_file' and 'error_log_pipe' cannot be defined at the same time")

  }

  if $fallbackresource {

    validate_re($fallbackresource, '^/|disabled', 'Please make sure fallbackresource starts with a / (or is "disabled")')

  }

  if $custom_fragment {

    validate_string($custom_fragment)

  }

  if $allow_encoded_slashes {

    validate_re($allow_encoded_slashes, '(^on$|^off$|^nodecode$)', "${allow_encoded_slashes} is not permitted for allow_encoded_slashes. Allowed values are 'on', 'off' or 'nodecode'.")

  }

  validate_bool($auth_kerb)

  if $limit_request_field_size {

    validate_integer($limit_request_field_size)

  }

  # Validate the docroot as a string if:

  # - $manage_docroot is true

  if $manage_docroot {

    validate_string($docroot)

  }

  # Input validation ends

  if $ssl and $ensure == 'present' {

    include ::apache::mod::ssl

    # Required for the AddType lines.

    include ::apache::mod::mime

  }

  if $auth_kerb and $ensure == 'present' {

    include ::apache::mod::auth_kerb

  }

  if $virtual_docroot {

    include ::apache::mod::vhost_alias

  }

  if $wsgi_daemon_process {

    include ::apache::mod::wsgi

  }

  if $suexec_user_group {

    include ::apache::mod::suexec

  }

  if $passenger_app_root or $passenger_app_env or $passenger_ruby or $passenger_min_instances or $passenger_start_timeout or $passenger_pre_start {

    include ::apache::mod::passenger

  }

  # Configure the defaultness of a vhost

  if $priority {

    $priority_real = "${priority}-"

  } elsif $priority == false {

    $priority_real = ''

  } elsif $default_vhost {

    $priority_real = '10-'

  } else {

    $priority_real = '25-'

  }

  ## Apache include does not always work with spaces in the filename

  $filename = regsubst($name, ' ', '_', 'G')

  # This ensures that the docroot exists

  # But enables it to be specified across multiple vhost resources

  if $manage_docroot and $docroot and ! defined(File[$docroot]) {

    file { $docroot:

      ensure  => directory,

      owner   => $docroot_owner,

      group   => $docroot_group,

      mode    => $docroot_mode,

      require => Package['httpd'],

      before  => Concat["${priority_real}${filename}.conf"],

    }

  }

  # Same as above, but for logroot

  if ! defined(File[$logroot]) {

    file { $logroot:

      ensure  => $logroot_ensure,

      mode    => $logroot_mode,

      require => Package['httpd'],

      before  => Concat["${priority_real}${filename}.conf"],

    }

  }

  # Is apache::mod::passenger enabled (or apache::mod['passenger'])

  $passenger_enabled = defined(Apache::Mod['passenger'])

  # Is apache::mod::shib enabled (or apache::mod['shib2'])

  $shibboleth_enabled = defined(Apache::Mod['shib2'])

  if $access_log and !$access_logs {

    if $access_log_file {

      $_logs_dest = "${logroot}/${access_log_file}"

    } elsif $access_log_pipe {

      $_logs_dest = $access_log_pipe

    } elsif $access_log_syslog {

      $_logs_dest = $access_log_syslog

    } else {

      $_logs_dest = undef

    }

    $_access_logs = [{

      'file'        => $access_log_file,

      'pipe'        => $access_log_pipe,

      'syslog'      => $access_log_syslog,

      'format'      => $access_log_format,

      'env'         => $access_log_env_var

    }]

  } elsif $access_logs {

    if !is_array($access_logs) {

      fail("Apache::Vhost[${name}]: access_logs must be an array of hashes")

    }

    $_access_logs = $access_logs

  }

  if $error_log_file {

    $error_log_destination = "${logroot}/${error_log_file}"

  } elsif $error_log_pipe {

    $error_log_destination = $error_log_pipe

  } elsif $error_log_syslog {

    $error_log_destination = $error_log_syslog

  } else {

    if $ssl {

      $error_log_destination = "${logroot}/${name}_error_ssl.log"

    } else {

      $error_log_destination = "${logroot}/${name}_error.log"

    }

  }

  if $ip {

    if $port {

      $listen_addr_port = suffix(any2array($ip),":${port}")

      $nvh_addr_port = suffix(any2array($ip),":${port}")

    } else {

      $listen_addr_port = undef

      $nvh_addr_port = $ip

      if ! $servername and ! $ip_based {

        fail("Apache::Vhost[${name}]: must pass 'ip' and/or 'port' parameters for name-based vhosts")

      }

    }

  } else {

    if $port {

      $listen_addr_port = $port

      $nvh_addr_port = "${vhost_name}:${port}"

    } else {

      $listen_addr_port = undef

      $nvh_addr_port = $name

      if ! $servername {

        fail("Apache::Vhost[${name}]: must pass 'ip' and/or 'port' parameters, and/or 'servername' parameter")

      }

    }

  }

  if $add_listen {

    if $ip and defined(Apache::Listen["${port}"]) {

      fail("Apache::Vhost[${name}]: Mixing IP and non-IP Listen directives is not possible; check the add_listen parameter of the apache::vhost define to disable this")

    }

    if $listen_addr_port and $ensure == 'present' {

      ensure_resource('apache::listen', $listen_addr_port)

    }

  }

  if ! $ip_based {

    if $ensure == 'present' and (versioncmp($apache_version, '2.4') < 0) {

      ensure_resource('apache::namevirtualhost', $nvh_addr_port)

    }

  }

  # Load mod_rewrite if needed and not yet loaded

  if $rewrites or $rewrite_cond {

    if ! defined(Class['apache::mod::rewrite']) {

      include ::apache::mod::rewrite

    }