<?php
/*
** Zabbix
** Copyright (C) 2001-2023 Zabbix SIA
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License as published by
** the Free Software Foundation; either version 2 of the License, or
** (at your option) any later version.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
**/


/**
 * Setup wizard form.
 */
class CSetupWizard extends CForm {

	public const STAGE_WELCOME			= 1;
	public const STAGE_REQUIREMENTS		= 2;
	public const STAGE_DB_CONNECTION	= 3;
	public const STAGE_SETTINGS			= 4;
	public const STAGE_SUMMARY			= 5;
	public const STAGE_INSTALL			= 6;

	private $frontend_setup;
	private $stages;

	private $disable_cancel_button = false;
	private $disable_back_button = false;
	private $show_retry_button = false;

	private $step_failed = false;

	public function __construct() {
		parent::__construct();

		$this->setId('setup-form');

		$this->frontend_setup = new CFrontendSetup();

		$this->stages = [
			self::STAGE_WELCOME => [
				'title' => _('Welcome'),
				'fn' => 'stageWelcome'
			],
			self::STAGE_REQUIREMENTS => [
				'title' => _('Check of pre-requisites'),
				'fn' => 'stageRequirements'
			],
			self::STAGE_DB_CONNECTION => [
				'title' => _('Configure DB connection'),
				'fn' => 'stageDbConnection'
			],
			self::STAGE_SETTINGS => [
				'title' => _('Settings'),
				'fn' => 'stageSettings'
			],
			self::STAGE_SUMMARY => [
				'title' => _('Pre-installation summary'),
				'fn' => 'stageSummary'
			],
			self::STAGE_INSTALL => [
				'title' => _('Install'),
				'fn' => 'stageInstall'
			]
		];

		$this->doAction();
	}

	public function getStep(): int {
		$step = $this->getConfig('step');

		return array_key_exists($step, $this->stages) ? $step : self::STAGE_WELCOME;
	}

	private function doAction(): void {
		/*
		 * Having non-super-admin authenticated at this step means:
		 *   - Either the config file has been manually created by the user.
		 *   - Or dealing with a spoofed session cookie.
		 *
		 * Since it is not possible to distinguish between the two, skip data validation and prevent stage switching.
		 * Any of either cases is only possible with self::STAGE_INSTALL stage.
		 */
		if (CWebUser::$data && CWebUser::getType() < USER_TYPE_SUPER_ADMIN) {
			return;
		}

		if (hasRequest('back') && array_key_exists($this->getStep(), getRequest('back'))) {
			$this->doBack();
		}

		if ($this->getStep() == self::STAGE_REQUIREMENTS) {
			if (hasRequest('next') && array_key_exists(self::STAGE_REQUIREMENTS, getRequest('next'))) {
				$finalResult = CFrontendSetup::CHECK_OK;

				foreach ($this->frontend_setup->checkRequirements() as $req) {
					if ($req['result'] > $finalResult) {
						$finalResult = $req['result'];
					}
				}

				if ($finalResult == CFrontendSetup::CHECK_FATAL) {
					$this->step_failed = true;
					unset($_REQUEST['next']);
				}
				else {
					$this->doNext();
				}
			}
		}
		elseif ($this->getStep() == self::STAGE_DB_CONNECTION) {
			$input = [
				'DB_TYPE' => getRequest('type', $this->getConfig('DB_TYPE')),
				'DB_SERVER' => getRequest('server', $this->getConfig('DB_SERVER', 'localhost')),
				'DB_PORT' => getRequest('port', $this->getConfig('DB_PORT', '0')),
				'DB_DATABASE' => getRequest('database', $this->getConfig('DB_DATABASE', 'zabbix')),
				'DB_CREDS_STORAGE' => getRequest('creds_storage',
					$this->getConfig('DB_CREDS_STORAGE', DB_STORE_CREDS_CONFIG)
				),
				'DB_PASSWORD' => getRequest('password', $this->getConfig('DB_PASSWORD', '')),
				'DB_SCHEMA' => getRequest('schema', $this->getConfig('DB_SCHEMA', '')),
				'DB_ENCRYPTION' => (bool) getRequest('tls_encryption', $this->getConfig('DB_ENCRYPTION', false)),
				'DB_ENCRYPTION_ADVANCED' => (bool) getRequest('verify_certificate',
					$this->getConfig('DB_ENCRYPTION_ADVANCED', false)
				),
				'DB_VERIFY_HOST' => (bool) getRequest('verify_host', $this->getConfig('DB_VERIFY_HOST', false)),
				'DB_KEY_FILE' => getRequest('key_file', $this->getConfig('DB_KEY_FILE', '')),
				'DB_CERT_FILE' => getRequest('cert_file', $this->getConfig('DB_CERT_FILE', '')),
				'DB_CA_FILE' => getRequest('ca_file', $this->getConfig('DB_CA_FILE', '')),
				'DB_CIPHER_LIST' => getRequest('cipher_list', $this->getConfig('DB_CIPHER_LIST', ''))
			];

			if (!$input['DB_ENCRYPTION_ADVANCED']) {
				$input['DB_KEY_FILE'] = '';
				$input['DB_CERT_FILE'] = '';
				$input['DB_CA_FILE'] = '';
				$input['DB_CIPHER_LIST'] = '';
			}
			else if ($input['DB_TYPE'] === ZBX_DB_MYSQL) {
				$input['DB_VERIFY_HOST'] = true;
			}

			if ($input['DB_TYPE'] !== ZBX_DB_POSTGRESQL) {
				$input['DB_SCHEMA'] = '';
			}

			foreach ($input as $name => $value) {
				$this->setConfig($name, $value);
			}

			switch ($this->getConfig('DB_CREDS_STORAGE')) {
				case DB_STORE_CREDS_VAULT_HASHICORP:
					$this->setConfig('DB_VAULT_URL', getRequest('vault_url',
						$this->getConfig('DB_VAULT_URL', CVaultHashiCorp::API_ENDPOINT_DEFAULT)
					));

					$this->setConfig('DB_VAULT_DB_PATH', getRequest('vault_db_path',
						$this->getConfig('DB_VAULT_DB_PATH', '')
					));

					$this->setConfig('DB_VAULT_TOKEN', getRequest('vault_token', $this->getConfig('DB_VAULT_TOKEN')));

					$this->unsetConfig(['DB_USER', 'DB_PASSWORD', 'DB_VAULT_CERTIFICATES', 'DB_VAULT_CERT_FILE',
						'DB_VAULT_KEY_FILE']
					);
					break;

				case DB_STORE_CREDS_VAULT_CYBERARK:
					$this->setConfig('DB_VAULT_URL', getRequest('vault_url',
						$this->getConfig('DB_VAULT_URL', CVaultCyberArk::API_ENDPOINT_DEFAULT)
					));

					$this->setConfig('DB_VAULT_DB_PATH',
						getRequest('vault_query_string', $this->getConfig('DB_VAULT_DB_PATH'))
					);

					$vault_certificates = (bool) getRequest('vault_certificates',
						$this->getConfig('DB_VAULT_CERTIFICATES', false)
					);
					$this->setConfig('DB_VAULT_CERTIFICATES', $vault_certificates);

					if ($vault_certificates) {
						$this->setConfig('DB_VAULT_CERT_FILE', getRequest('vault_cert_file',
							$this->getConfig('DB_VAULT_CERT_FILE')
						));

						$this->setConfig('DB_VAULT_KEY_FILE', getRequest('vault_key_file',
							$this->getConfig('DB_VAULT_KEY_FILE')
						));
					}

					$this->unsetConfig(['DB_USER', 'DB_PASSWORD', 'DB_VAULT_TOKEN']);
					break;

				default:
					$this->setConfig('DB_USER', getRequest('user', $this->getConfig('DB_USER', 'root')));
					$this->setConfig('DB_PASSWORD', getRequest('password', $this->getConfig('DB_PASSWORD', '')));

					$this->unsetConfig(['DB_VAULT_URL', 'DB_VAULT_DB_PATH', 'DB_VAULT_TOKEN', 'DB_VAULT_CERTIFICATES',
						'DB_VAULT_CERT_FILE', 'DB_VAULT_KEY_FILE']
					);
					break;
			}

			if (hasRequest('next') && array_key_exists(self::STAGE_DB_CONNECTION, getRequest('next'))) {
				switch ($this->getConfig('DB_CREDS_STORAGE')) {
					case DB_STORE_CREDS_VAULT_HASHICORP:
						$vault_provider = new CVaultHashiCorp($this->getConfig('DB_VAULT_URL'),
							$this->getConfig('DB_VAULT_DB_PATH'), $this->getConfig('DB_VAULT_TOKEN')
						);
						break;

					case DB_STORE_CREDS_VAULT_CYBERARK:
						$vault_provider = new CVaultCyberArk($this->getConfig('DB_VAULT_URL'),
							$this->getConfig('DB_VAULT_DB_PATH'), $this->getConfig('DB_VAULT_CERT_FILE'),
							$this->getConfig('DB_VAULT_KEY_FILE')
						);
						break;

					default:
						$vault_provider = null;
						break;
				}

				$db_connected = false;

				if ($vault_provider !== null) {
					if (ini_get('allow_url_fopen') != 1) {
						error(_('Please enable "allow_url_fopen" directive.'));
					}
					else {
						$db_credentials = $vault_provider->validateParameters()
							? $vault_provider->getCredentials()
							: null;

						if ($db_credentials === null) {
							foreach ($vault_provider->getErrors() as $error) {
								error($error);
							}
						}
						else {
							$db_connected = $this->dbConnect($db_credentials['user'], $db_credentials['password']);
						}
					}
				}
				else {
					$db_connected = $this->dbConnect();
				}

				if ($db_connected) {
					if ($this->checkConnection()) {
						$this->doNext();
					}

					$this->dbClose();
				}
				else {
					$this->step_failed = true;
					unset($_REQUEST['next']);
				}
			}
		}
		elseif ($this->getStep() == self::STAGE_SETTINGS) {
			$this->setConfig('ZBX_SERVER_NAME', getRequest('zbx_server_name', $this->getConfig('ZBX_SERVER_NAME', '')));

			if (hasRequest('next') && array_key_exists(self::STAGE_SETTINGS, getRequest('next'))) {
				$this->doNext();
			}
		}
		elseif ($this->getStep() == self::STAGE_INSTALL) {
			if (hasRequest('save_config')) {
				$vault_config = [
					'VAULT' => '',
					'VAULT_URL' => '',
					'VAULT_DB_PATH' => '',
					'VAULT_TOKEN' => '',
					'VAULT_CERT_FILE' => '',
					'VAULT_KEY_FILE' => ''
				];

				$db_creds_config = [
					'USER' => '',
					'PASSWORD' => ''
				];

				switch ($this->getConfig('DB_CREDS_STORAGE', DB_STORE_CREDS_CONFIG)) {
					case DB_STORE_CREDS_VAULT_HASHICORP:
						$vault_config['VAULT'] = CVaultHashiCorp::NAME;
						$vault_config['VAULT_URL'] = $this->getConfig('DB_VAULT_URL');
						$vault_config['VAULT_DB_PATH'] = $this->getConfig('DB_VAULT_DB_PATH');
						$vault_config['VAULT_TOKEN'] = $this->getConfig('DB_VAULT_TOKEN');
						break;

					case DB_STORE_CREDS_VAULT_CYBERARK:
						$vault_config['VAULT'] = CVaultCyberArk::NAME;
						$vault_config['VAULT_URL'] = $this->getConfig('DB_VAULT_URL');
						$vault_config['VAULT_DB_PATH'] = $this->getConfig('DB_VAULT_DB_PATH');
						$vault_config['VAULT_CERT_FILE'] = $this->getConfig('VAULT_CERT_FILE');
						$vault_config['VAULT_KEY_FILE'] = $this->getConfig('VAULT_KEY_FILE');
						break;

					default:
						$db_creds_config['USER'] = $this->getConfig('DB_USER');
						$db_creds_config['PASSWORD'] = $this->getConfig('DB_PASSWORD');
						break;
				}

				// make zabbix.conf.php downloadable
				header('Content-Type: application/x-httpd-php');
				header('Content-Disposition: attachment; filename="'.basename(CConfigFile::CONFIG_FILE_PATH).'"');
				$config = new CConfigFile(APP::getRootDir().CConfigFile::CONFIG_FILE_PATH);
				$config->config = [
					'DB' => [
						'TYPE' => $this->getConfig('DB_TYPE'),
						'SERVER' => $this->getConfig('DB_SERVER'),
						'PORT' => $this->getConfig('DB_PORT'),
						'DATABASE' => $this->getConfig('DB_DATABASE'),
						'SCHEMA' => $this->getConfig('DB_SCHEMA'),
						'ENCRYPTION' => (bool) $this->getConfig('DB_ENCRYPTION'),
						'VERIFY_HOST' => (bool) $this->getConfig('DB_VERIFY_HOST'),
						'KEY_FILE' => $this->getConfig('DB_KEY_FILE'),
						'CERT_FILE' => $this->getConfig('DB_CERT_FILE'),
						'CA_FILE' => $this->getConfig('DB_CA_FILE'),
						'CIPHER_LIST' => $this->getConfig('DB_CIPHER_LIST')
					] + $db_creds_config + $vault_config,
					'ZBX_SERVER_NAME' => $this->getConfig('ZBX_SERVER_NAME')
				];
				die($config->getString());
			}
		}

		if (hasRequest('next') && array_key_exists($this->getStep(), getRequest('next'))) {
			$this->doNext();
		}
	}

	private function doNext(): void {
		if (array_key_exists($this->getStep() + 1, $this->stages)) {
			$this->setConfig('step', $this->getStep() + 1);
		}
	}

	private function doBack(): void {
		if (array_key_exists($this->getStep() - 1, $this->stages)) {
			$this->setConfig('step', $this->getStep() - 1);
		}
	}

	protected function bodyToString($destroy = true): string {
		$setup_left = (new CDiv())
			->addClass(ZBX_STYLE_SETUP_LEFT)
			->addItem(makeLogo(LOGO_TYPE_NORMAL))
			->addItem($this->getList());

		$setup_right = (new CDiv($this->getStage()))->addClass(ZBX_STYLE_SETUP_RIGHT);

		if (CWebUser::$data && CWebUser::getType() == USER_TYPE_SUPER_ADMIN) {
			$cancel_button = (new CSubmit('cancel', _('Cancel')))
				->addClass(ZBX_STYLE_BTN_ALT)
				->addClass(ZBX_STYLE_FLOAT_LEFT);

			if ($this->disable_cancel_button) {
				$cancel_button->setEnabled(false);
			}
		}
		else {
			$cancel_button = null;
		}

		$back_button = (new CSubmit('back['.($this->getStep()).']', _('Back')))
			->addClass(ZBX_STYLE_BTN_ALT)
			->addClass(ZBX_STYLE_FLOAT_LEFT);

		if ($this->getStep() == self::STAGE_WELCOME || $this->disable_back_button) {
			$back_button->setEnabled(false);
		}

		if (array_key_exists($this->getStep() + 1, $this->stages)) {
			$next_button = new CSubmit('next['.($this->getStep()).']', _('Next step'));
		}
		else {
			$next_button = new CSubmit($this->show_retry_button ? 'retry' : 'finish', _('Finish'));
		}

		$setup_footer = (new CDiv([new CDiv([$next_button, $back_button]), $cancel_button]))
			->addClass(ZBX_STYLE_SETUP_FOOTER);

		$setup_container = (new CDiv([$setup_left, $setup_right, $setup_footer]))->addClass(ZBX_STYLE_SETUP_CONTAINER);

		return parent::bodyToString().$setup_container->toString();
	}

	private function getStage(): array {
		$function = $this->stages[$this->getStep()]['fn'];

		return $this->$function();
	}

	private function stageWelcome(): array {
		preg_match('/^\d+\.\d+/', ZABBIX_VERSION, $version);
		$setup_title = (new CDiv([new CSpan(_('Welcome to')), 'Zabbix '.$version[0]]))->addClass(ZBX_STYLE_SETUP_TITLE);

		$default_lang = $this->getConfig('default_lang');
		$lang_select = (new CSelect('default_lang'))
			->setId('default-lang')
			->setValue($default_lang)
			->setFocusableElementId('label-default-lang')
			->setAttribute('autofocus', 'autofocus');

		$all_locales_available = true;

		foreach (getLocales() as $localeid => $locale) {
			if (!$locale['display']) {
				continue;
			}

			/*
			 * Checking if this locale exists in the system. The only way of doing it is to try and set one
			 * trying to set only the LC_MONETARY locale to avoid changing LC_NUMERIC.
			 */
			$locale_available = ($localeid === ZBX_DEFAULT_LANG
				|| setlocale(LC_MONETARY, zbx_locale_variants($localeid))
			);

			$lang_select->addOption((new CSelectOption($localeid, $locale['name']))->setDisabled(!$locale_available));

			if (!$locale_available) {
				$all_locales_available = false;
			}
		}

		// Restoring original locale.
		setlocale(LC_MONETARY, zbx_locale_variants($default_lang));

		$language_error = '';
		if (!function_exists('bindtextdomain')) {
			$language_error = 'Translations are unavailable because the PHP gettext module is missing.';
			$lang_select->setReadonly();
		}
		elseif (!$all_locales_available) {
			$language_error = _('You are not able to choose some of the languages, because locales for them are not installed on the web server.');
		}

		$language_error = $language_error !== '' ? makeErrorIcon($language_error) : null;

		$language_select = (new CFormList())
			->addRow(new CLabel(_('Default language'), $lang_select->getFocusableElementId()), [
				$lang_select, $language_error
			]);

		return [(new CDiv([$setup_title, $language_select]))->addClass(ZBX_STYLE_SETUP_RIGHT_BODY)];
	}

	private function stageRequirements(): array {
		$table = (new CTable())
			->addClass(ZBX_STYLE_LIST_TABLE)
			->setHeader(['', _('Current value'), _('Required'), '']);

		$messages = [];
		$finalResult = CFrontendSetup::CHECK_OK;

		foreach ($this->frontend_setup->checkRequirements() as $req) {
			if ($req['result'] == CFrontendSetup::CHECK_OK) {
				$class = ZBX_STYLE_GREEN;
				$result = 'OK';
			}
			elseif ($req['result'] == CFrontendSetup::CHECK_WARNING) {
				$class = ZBX_STYLE_ORANGE;
				$result = new CSpan(_x('Warning', 'setup'));
			}
			else {
				$class = ZBX_STYLE_RED;
				$result = new CSpan(_('Fail'));
				$messages[] = ['type' => 'error', 'message' => $req['error']];
			}

			$table->addRow(
				[
					$req['name'],
					$req['current'],
					($req['required'] !== null) ? $req['required'] : '',
					(new CCol($result))->addClass($class)
				]
			);

			if ($req['result'] > $finalResult) {
				$finalResult = $req['result'];
			}
		}

		if ($finalResult == CFrontendSetup::CHECK_FATAL) {
			$message_box = makeMessageBox(ZBX_STYLE_MSG_BAD, $messages, null, false, true);
		}
		else {
			$message_box = null;
		}

		return [
			new CTag('h1', true, _('Check of pre-requisites')),
			(new CDiv([$message_box, $table]))->addClass(ZBX_STYLE_SETUP_RIGHT_BODY)
		];
	}

	private function stageDbConnection(): array {
		$DB['TYPE'] = $this->getConfig('DB_TYPE', key(CFrontendSetup::getSupportedDatabases()));
		$db_warning = _('Support for Oracle DB is deprecated since Zabbix 7.0 and will be removed in future versions.');

		$table = (new CFormList())
			->addItem([
				(new CVar('tls_encryption', 0))->removeId(),
				(new CVar('verify_certificate', 0))->removeId(),
				(new CVar('verify_host', 0))->removeId()
			])
			->addRow(new CLabel(_('Database type'), 'label-type'), [
				(new CSelect('type'))
					->setId('type')
					->setFocusableElementId('label-type')
					->setValue($DB['TYPE'])
					->addOptions(CSelect::createOptionsFromArray(CFrontendSetup::getSupportedDatabases())),
				makeWarningIcon($db_warning)->setId('db_warning')
			])
			->addRow(_('Database host'),
				(new CTextBox('server', $this->getConfig('DB_SERVER', 'localhost')))
					->setWidth(ZBX_TEXTAREA_SMALL_WIDTH)
			)
			->addRow(_('Database port'), [
				(new CNumericBox('port', $this->getConfig('DB_PORT', '0'), 5, false, false, false))
					->setWidth(ZBX_TEXTAREA_SMALL_WIDTH),
				(new CDiv())->addClass(ZBX_STYLE_FORM_INPUT_MARGIN),
				(new CSpan(_('0 - use default port')))->addClass(ZBX_STYLE_GREY)
			])
			->addRow(_('Database name'),
				(new CTextBox('database', $this->getConfig('DB_DATABASE', 'zabbix')))
					->setWidth(ZBX_TEXTAREA_SMALL_WIDTH)
			)
			->addRow(_('Database schema'),
				(new CTextBox('schema', $this->getConfig('DB_SCHEMA', '')))
					->setWidth(ZBX_TEXTAREA_SMALL_WIDTH),
				'db_schema_row',
				ZBX_STYLE_DISPLAY_NONE
			);

		$db_creds_storage = (int) $this->getConfig('DB_CREDS_STORAGE', DB_STORE_CREDS_CONFIG);

		$table
			->addRow(_('Store credentials in'),
				(new CRadioButtonList('creds_storage', $db_creds_storage))
					->addValue(_('Plain text'), DB_STORE_CREDS_CONFIG)
					->addValue(_('HashiCorp Vault'), DB_STORE_CREDS_VAULT_HASHICORP)
					->addValue(_('CyberArk Vault'), DB_STORE_CREDS_VAULT_CYBERARK)
					->setModern(true)
			)
			// Plaintext.
			->addRow(_('User'),
				(new CTextBox('user', $this->getConfig('DB_USER', 'zabbix')))->setWidth(ZBX_TEXTAREA_SMALL_WIDTH),
				'db_user',
				($db_creds_storage != DB_STORE_CREDS_CONFIG) ? ZBX_STYLE_DISPLAY_NONE : null
			)
			->addRow(_('Password'),
				(new CPassBox('password', $this->getConfig('DB_PASSWORD')))->setWidth(ZBX_TEXTAREA_SMALL_WIDTH),
				'db_password',
				($db_creds_storage != DB_STORE_CREDS_CONFIG) ? ZBX_STYLE_DISPLAY_NONE : null
			)
			// Vault common.
			->addRow(
				(new CLabel(_('Vault API endpoint')))->setAsteriskMark(),
				(new CTextBox('vault_url',
					$this->getConfig('DB_VAULT_URL', $db_creds_storage == DB_STORE_CREDS_VAULT_HASHICORP
						? CVaultHashiCorp::API_ENDPOINT_DEFAULT
						: CVaultCyberArk::API_ENDPOINT_DEFAULT
					)
				))->setWidth(ZBX_TEXTAREA_MEDIUM_WIDTH),
				'vault_url_row',
				!in_array($db_creds_storage, [DB_STORE_CREDS_VAULT_HASHICORP, DB_STORE_CREDS_VAULT_CYBERARK])
					? ZBX_STYLE_DISPLAY_NONE
					: null
			)
			// HashiCorp Vault - related fields.
			->addRow(
				_('Vault secret path'),
				(new CTextBox('vault_db_path', $this->getConfig('DB_VAULT_DB_PATH')))
					->setAttribute('placeholder', CVaultHashiCorp::DB_PATH_PLACEHOLDER)
					->setWidth(ZBX_TEXTAREA_SMALL_WIDTH),
				'vault_db_path_row',
				($db_creds_storage != DB_STORE_CREDS_VAULT_HASHICORP) ? ZBX_STYLE_DISPLAY_NONE : null
			)
			->addRow(_('Vault authentication token'),
				(new CTextBox('vault_token', $this->getConfig('DB_VAULT_TOKEN')))
					->setWidth(ZBX_TEXTAREA_SMALL_WIDTH)
					->setAttribute('maxlength', 2048),
				'vault_token_row',
				($db_creds_storage != DB_STORE_CREDS_VAULT_HASHICORP) ? ZBX_STYLE_DISPLAY_NONE : null
			)
			// CyberArk Vault - related fields.
			->addRow(
				(new CLabel(_('Vault secret query string')))->setAsteriskMark(),
				(new CTextBox('vault_query_string', $this->getConfig('DB_VAULT_DB_PATH')))
					->setAttribute('placeholder', CVaultCyberArk::DB_PATH_PLACEHOLDER)
					->setAttribute('maxlength', 2048)
					->setWidth(ZBX_TEXTAREA_MEDIUM_WIDTH),
				'vault_query_string_row',
				($db_creds_storage != DB_STORE_CREDS_VAULT_CYBERARK) ? ZBX_STYLE_DISPLAY_NONE : null
			)
			->addRow(
				(new CLabel(_('Vault certificates'), 'vault_certificates_toggle')),
				(new CCheckBox('vault_certificates'))
					->setId('vault_certificates_toggle')
					->setChecked($this->getConfig('DB_VAULT_CERTIFICATES', false)),
				'vault_certificates',
				($db_creds_storage != DB_STORE_CREDS_VAULT_CYBERARK) ? ZBX_STYLE_DISPLAY_NONE : null
			)
			->addRow(_('SSL certificate file'),
				(new CTextBox('vault_cert_file', $this->getConfig('VAULT_CERT_FILE', 'conf/certs/cyberark-cert.pem')))
					->setWidth(ZBX_TEXTAREA_MEDIUM_WIDTH)
					->setAttribute('maxlength', 2048),
				'vault_cert_file',
				($db_creds_storage != DB_STORE_CREDS_VAULT_CYBERARK || !$this->getConfig('DB_VAULT_CERTIFICATES', false))
					? ZBX_STYLE_DISPLAY_NONE
					: null
			)
			->addRow(_('SSL key file'),
				(new CTextBox('vault_key_file', $this->getConfig('VAULT_KEY_FILE', 'conf/certs/cyberark-key.pem')))
					->setWidth(ZBX_TEXTAREA_MEDIUM_WIDTH)
					->setAttribute('maxlength', 2048),
				'vault_key_file',
				($db_creds_storage != DB_STORE_CREDS_VAULT_CYBERARK || !$this->getConfig('DB_VAULT_CERTIFICATES', false))
					? ZBX_STYLE_DISPLAY_NONE
					: null
			);

		$table
			->addRow(_('Database TLS encryption'),
				[
					(new CCheckBox('tls_encryption'))->setChecked($this->getConfig('DB_ENCRYPTION', true)),
					(new CDiv(
						_('Connection will not be encrypted because it uses a socket file (on Unix) or shared memory (Windows).')
					))
						->setId('tls_encryption_hint')
						->addClass(ZBX_STYLE_DISPLAY_NONE)
				],
				'db_encryption_row',
				ZBX_STYLE_DISPLAY_NONE
			)
			->addRow(_('Verify database certificate'),
				(new CCheckBox('verify_certificate'))->setChecked($this->getConfig('DB_ENCRYPTION_ADVANCED')),
				'db_verify_host',
				ZBX_STYLE_DISPLAY_NONE
			)
			->addRow((new CLabel(_('Database TLS CA file')))->setAsteriskMark(),
				(new CTextBox('ca_file', $this->getConfig('DB_CA_FILE')))->setWidth(ZBX_TEXTAREA_MEDIUM_WIDTH),
				'db_cafile_row',
				ZBX_STYLE_DISPLAY_NONE
			)
			->addRow(_('Database TLS key file'),
				(new CTextBox('key_file', $this->getConfig('DB_KEY_FILE')))->setWidth(ZBX_TEXTAREA_MEDIUM_WIDTH),
				'db_keyfile_row',
				ZBX_STYLE_DISPLAY_NONE
			)
			->addRow(_('Database TLS certificate file'),
				(new CTextBox('cert_file', $this->getConfig('DB_CERT_FILE')))->setWidth(ZBX_TEXTAREA_MEDIUM_WIDTH),
				'db_certfile_row',
				ZBX_STYLE_DISPLAY_NONE
			)
			->addRow(_('Database host verification'),
				(new CCheckBox('verify_host'))->setChecked($this->getConfig('DB_VERIFY_HOST')),
				'db_verify_host_row',
				ZBX_STYLE_DISPLAY_NONE
			)
			->addRow(_('Database TLS cipher list'),
				(new CTextBox('cipher_list', $this->getConfig('DB_CIPHER_LIST')))->setWidth(ZBX_TEXTAREA_MEDIUM_WIDTH),
				'db_cipher_row',
				ZBX_STYLE_DISPLAY_NONE
			);

		if ($this->step_failed) {
			$message_box = makeMessageBox(ZBX_STYLE_MSG_BAD, CMessageHelper::getMessages(),
				_('Cannot connect to the database.'), false, true
			);
		}
		else {
			$message_box = null;
		}

		return [
			new CTag('h1', true, _('Configure DB connection')),
			(new CDiv([
				new CTag('p', true, _s('Please create database manually, and set the configuration parameters for connection to this database. Press "%1$s" button when done.', _('Next step'))),
				$message_box,
				$table
			]))->addClass(ZBX_STYLE_SETUP_RIGHT_BODY)
		];
	}

	private function stageSettings(): array {
		$timezones[ZBX_DEFAULT_TIMEZONE] = CTimezoneHelper::getTitle(CTimezoneHelper::getSystemTimezone(), _('System'));
		$timezones += CTimezoneHelper::getList();

		$table = (new CFormList())
			->addRow(
				_('Zabbix server name'),
				(new CTextBox('zbx_server_name', $this->getConfig('ZBX_SERVER_NAME', '')))
					->setWidth(ZBX_TEXTAREA_SMALL_WIDTH)
			)
			->addRow(
				new CLabel(_('Default time zone'), 'label-default-timezone'),
				(new CSelect('default_timezone'))
					->setValue($this->getConfig('default_timezone', ZBX_DEFAULT_TIMEZONE))
					->addOptions(CSelect::createOptionsFromArray($timezones))
					->setFocusableElementId('label-default-timezone')
					->setAttribute('autofocus', 'autofocus')
			)
			->addRow(new CLabel(_('Default theme'), 'label-default-theme'),
				(new CSelect('default_theme'))
					->setId('default-theme')
					->setFocusableElementId('label-default-theme')
					->setWidth(ZBX_TEXTAREA_SMALL_WIDTH)
					->setValue($this->getConfig('default_theme'))
					->addOptions(CSelect::createOptionsFromArray(APP::getThemes()))
			);

		return [
			new CTag('h1', true, _('Settings')),
			(new CDiv($table))->addClass(ZBX_STYLE_SETUP_RIGHT_BODY)
		];
	}

	private function stageSummary(): array {
		$db_type = $this->getConfig('DB_TYPE');
		$databases = CFrontendSetup::getSupportedDatabases();

		$table = (new CFormList())
			->addRow(
				(new CSpan(_('Database type')))->addClass(ZBX_STYLE_GREY),
				$databases[$db_type]
			);

		$db_port = ($this->getConfig('DB_PORT') == 0) ? _('default') : $this->getConfig('DB_PORT');

		if ($this->getConfig('DB_CREDS_STORAGE', DB_STORE_CREDS_CONFIG) == DB_STORE_CREDS_CONFIG) {
			$db_password = preg_replace('/./', '*', $this->getConfig('DB_PASSWORD'));
			$db_username = $this->getConfig('DB_USER');
		}
		else {
			$db_password = _('Stored in Vault secret');
			$db_username = _('Stored in Vault secret');
		}

		$table
			->addRow(
				(new CSpan(_('Database server')))->addClass(ZBX_STYLE_GREY),
				$this->getConfig('DB_SERVER')
			)
			->addRow(
				(new CSpan(_('Database port')))->addClass(ZBX_STYLE_GREY),
				$db_port
			)
			->addRow(
				(new CSpan(_('Database name')))->addClass(ZBX_STYLE_GREY),
				$this->getConfig('DB_DATABASE')
			)
			->addRow(
				(new CSpan(_('Database user')))->addClass(ZBX_STYLE_GREY),
				$db_username
			)
			->addRow(
				(new CSpan(_('Database password')))->addClass(ZBX_STYLE_GREY),
				$db_password
			);

		if ($db_type === ZBX_DB_POSTGRESQL) {
			$table->addRow(
				(new CSpan(_('Database schema')))->addClass(ZBX_STYLE_GREY),
				$this->getConfig('DB_SCHEMA')
			);
		}

		if ($this->getConfig('DB_CREDS_STORAGE', DB_STORE_CREDS_CONFIG) == DB_STORE_CREDS_VAULT_HASHICORP) {
			$table
				->addRow(
					(new CSpan(_('Vault API endpoint')))->addClass(ZBX_STYLE_GREY),
					$this->getConfig('DB_VAULT_URL')
				)
				->addRow(
					(new CSpan(_('Vault secret path')))->addClass(ZBX_STYLE_GREY),
					$this->getConfig('DB_VAULT_DB_PATH')
				)
				->addRow(
					(new CSpan(_('Vault authentication token')))->addClass(ZBX_STYLE_GREY),
					$this->getConfig('DB_VAULT_TOKEN')
				);
		}

		if ($this->getConfig('DB_CREDS_STORAGE', DB_STORE_CREDS_CONFIG) == DB_STORE_CREDS_VAULT_CYBERARK) {
			$table
				->addRow(
					(new CSpan(_('Vault API endpoint')))->addClass(ZBX_STYLE_GREY),
					$this->getConfig('DB_VAULT_URL')
				)
				->addRow(
					(new CSpan(_('Vault secret query string')))->addClass(ZBX_STYLE_GREY),
					$this->getConfig('DB_VAULT_DB_PATH')
				)
				->addRow(
					(new CSpan(_('Vault certificates')))->addClass(ZBX_STYLE_GREY),
					$this->getConfig('DB_VAULT_CERTIFICATES') ? 'true' : 'false'
				);

			if ($this->getConfig('DB_VAULT_CERTIFICATES')) {
				$table
					->addRow(
						(new CSpan(_('SSL certificate file')))->addClass(ZBX_STYLE_GREY),
						$this->getConfig('VAULT_CERT_FILE') ? $this->getConfig('VAULT_CERT_FILE') : ''
					)
					->addRow(
						(new CSpan(_('SSL key file')))->addClass(ZBX_STYLE_GREY),
						$this->getConfig('VAULT_KEY_FILE') ? $this->getConfig('VAULT_KEY_FILE') : ''
					);
			}
		}

		$table->addRow(
			(new CSpan(_('Database TLS encryption')))->addClass(ZBX_STYLE_GREY),
			$this->getConfig('DB_ENCRYPTION') ? 'true' : 'false'
		);

		if ($this->getConfig('DB_ENCRYPTION_ADVANCED')) {
			$table
				->addRow(
					(new CSpan(_('Database TLS CA file')))->addClass(ZBX_STYLE_GREY),
					$this->getConfig('DB_CA_FILE')
				)
				->addRow(
					(new CSpan(_('Database TLS key file')))->addClass(ZBX_STYLE_GREY),
					$this->getConfig('DB_KEY_FILE')
				)
				->addRow(
					(new CSpan(_('Database TLS certificate file')))->addClass(ZBX_STYLE_GREY),
					$this->getConfig('DB_CERT_FILE')
				)
				->addRow(
					(new CSpan(_('Database host verification')))->addClass(ZBX_STYLE_GREY),
					$this->getConfig('DB_VERIFY_HOST') ? 'true' : 'false'
				);

			if ($db_type === ZBX_DB_MYSQL) {
				$table->addRow(
					(new CSpan(_('Database TLS cipher list')))->addClass(ZBX_STYLE_GREY),
					$this->getConfig('DB_CIPHER_LIST')
				);
			}
		}

		$server_name = $this->getConfig('ZBX_SERVER_NAME');

		if ($server_name !== '') {
			$table
				->addRow(null)
				->addRow(
					(new CSpan(_('Zabbix server name')))->addClass(ZBX_STYLE_GREY),
					$this->getConfig('ZBX_SERVER_NAME')
				);
		}

		return [
			new CTag('h1', true, _('Pre-installation summary')),
			(new CDiv([
				new CTag('p', true, _s('Please check configuration parameters. If all is correct, press "%1$s" button, or "%2$s" button to change configuration parameters.', _('Next step'), _('Back'))),
				$table
			]))->addClass(ZBX_STYLE_SETUP_RIGHT_BODY)
		];
	}

	private function stageInstall(): array {
		/*
		 * Having non-super-admin authenticated at this step means:
		 *   - Either the config file has been manually created by the user.
		 *   - Or dealing with a spoofed session cookie.
		 *
		 * Since it is not possible to distinguish between the two, it's also impossible to validate the config file
		 * and display any discrepancies with the configuration stored within the session.
		 */
		if (CWebUser::$data && CWebUser::getType() < USER_TYPE_SUPER_ADMIN) {
			CSessionHelper::clear();

			return $this->stageInstalled();
		}

		$vault_config = [
			'VAULT' => '',
			'VAULT_URL' => '',
			'VAULT_DB_PATH' => '',
			'VAULT_TOKEN' => '',
			'VAULT_CERT_FILE' => '',
			'VAULT_KEY_FILE' => ''
		];

		$db_creds_config = [
			'USER' => '',
			'PASSWORD' => ''
		];

		$db_user = null;
		$db_password = null;

		if ($this->getConfig('DB_CREDS_STORAGE', DB_STORE_CREDS_CONFIG) == DB_STORE_CREDS_VAULT_HASHICORP) {
			$vault_config['VAULT'] = CVaultHashiCorp::NAME;
			$vault_config['VAULT_URL'] = $this->getConfig('DB_VAULT_URL');
			$vault_config['VAULT_DB_PATH'] = $this->getConfig('DB_VAULT_DB_PATH');
			$vault_config['VAULT_TOKEN'] = $this->getConfig('DB_VAULT_TOKEN');

			$vault_provider = new CVaultHashiCorp($vault_config['VAULT_URL'], $vault_config['VAULT_DB_PATH'],
				$vault_config['VAULT_TOKEN']
			);

			$db_credentials = $vault_provider->getCredentials();

			if ($db_credentials === null) {
				$this->step_failed = true;
				$this->setConfig('step', self::STAGE_DB_CONNECTION);
				return $this->stageDbConnection();
			}

			$db_user = $db_credentials['user'];
			$db_password = $db_credentials['password'];
		}
		elseif ($this->getConfig('DB_CREDS_STORAGE', DB_STORE_CREDS_CONFIG) == DB_STORE_CREDS_VAULT_CYBERARK) {
			$vault_config['VAULT'] = CVaultCyberArk::NAME;
			$vault_config['VAULT_URL'] = $this->getConfig('DB_VAULT_URL');
			$vault_config['VAULT_DB_PATH'] = $this->getConfig('DB_VAULT_DB_PATH');
			$vault_config['VAULT_CERT_FILE'] = $this->getConfig('DB_VAULT_CERT_FILE');
			$vault_config['VAULT_KEY_FILE'] = $this->getConfig('DB_VAULT_KEY_FILE');

			$vault_provider = new CVaultCyberArk($vault_config['VAULT_URL'], $vault_config['VAULT_DB_PATH'],
				$vault_config['VAULT_CERT_FILE'], $vault_config['VAULT_KEY_FILE']);

			$db_credentials = $vault_provider->getCredentials();

			if ($db_credentials === null) {
				$this->step_failed = true;
				$this->setConfig('step', self::STAGE_DB_CONNECTION);
				return $this->stageDbConnection();
			}

			$db_user = $db_credentials['user'];
			$db_password = $db_credentials['password'];
		}
		else {
			$db_creds_config['USER'] = $this->getConfig('DB_USER');
			$db_creds_config['PASSWORD'] = $this->getConfig('DB_PASSWORD');
		}

		$this->dbConnect($db_user, $db_password);

		$update = [];
		foreach (['default_lang', 'default_timezone', 'default_theme'] as $key) {
			$update[] = $key.'='.zbx_dbstr($this->getConfig($key));
		}
		DBexecute('UPDATE config SET '.implode(',', $update));
		$this->dbClose();

		$this->setConfig('ZBX_CONFIG_FILE_CORRECT', true);

		$config_file_name = APP::getRootDir().CConfigFile::CONFIG_FILE_PATH;
		$config = new CConfigFile($config_file_name);
		$config->config = [
			'DB' => [
				'TYPE' => $this->getConfig('DB_TYPE'),
				'SERVER' => $this->getConfig('DB_SERVER'),
				'PORT' => $this->getConfig('DB_PORT'),
				'DATABASE' => $this->getConfig('DB_DATABASE'),
				'SCHEMA' => $this->getConfig('DB_SCHEMA'),
				'ENCRYPTION' => $this->getConfig('DB_ENCRYPTION'),
				'KEY_FILE' => $this->getConfig('DB_KEY_FILE'),
				'CERT_FILE' => $this->getConfig('DB_CERT_FILE'),
				'CA_FILE' => $this->getConfig('DB_CA_FILE'),
				'VERIFY_HOST' => $this->getConfig('DB_VERIFY_HOST'),
				'CIPHER_LIST' => $this->getConfig('DB_CIPHER_LIST')
			] + $db_creds_config + $vault_config,
			'ZBX_SERVER_NAME' => $this->getConfig('ZBX_SERVER_NAME')
		];

		$error = false;

		/*
		 * Create session secret key for first installation. If installation already exists, don't make a new key
		 * because that will terminate the existing session.
		 */
		$db_connected = $this->dbConnect($db_user, $db_password);
		$is_superadmin = (CWebUser::$data && CWebUser::getType() == USER_TYPE_SUPER_ADMIN);

		$session_key_update_failed = $db_connected && !$is_superadmin
			? !CEncryptHelper::updateKey(CEncryptHelper::generateKey())
			: false;

		if (!$db_connected || $session_key_update_failed) {
			$this->step_failed = true;
			$this->setConfig('step', self::STAGE_DB_CONNECTION);

			return $this->stageDbConnection();
		}

		$this->dbClose();

		$messages = [];

		if (!$config->save()) {
			$error = true;
			$messages[] = [
				'type' => 'error',
				'message' => $config->error
			];
		}

		if ($error) {
			$this->show_retry_button = true;

			$this->setConfig('ZBX_CONFIG_FILE_CORRECT', false);

			$message_box = makeMessageBox(ZBX_STYLE_MSG_BAD, $messages, _('Cannot create the configuration file.'),
				false, true
			);
			$message = [
				new CTag('p', true, _('Alternatively, you can install it manually:')),
				new CTag('ol', true, [
					new CTag('li', true, new CLink(_('Download the configuration file'), 'setup.php?save_config=1')),
					new CTag('li', true, _s('Save it as "%1$s"', $config_file_name))
				])
			];

			return [
				new CTag('h1', true, _('Install')),
				(new CDiv([$message_box, $message]))->addClass(ZBX_STYLE_SETUP_RIGHT_BODY)
			];
		}

		// Clear session after success install.
		CSessionHelper::clear();

		return $this->stageInstalled();
	}

	private function stageInstalled() {
		$this->disable_cancel_button = true;
		$this->disable_back_button = true;

		$message_box = null;
		$message = [
			(new CTag('h1', true, _('Congratulations! You have successfully installed Zabbix frontend.')))
				->addClass(ZBX_STYLE_GREEN),
			new CTag('p', true, _s('Configuration file "%1$s" created.', ltrim(CConfigFile::CONFIG_FILE_PATH, '/')))
		];

		return [
			new CTag('h1', true, _('Install')),
			(new CDiv([$message_box, $message]))->addClass(ZBX_STYLE_SETUP_RIGHT_BODY)
		];
	}

	private function getConfig($name, $default = null) {
		return CSessionHelper::has($name) ? CSessionHelper::get($name) : $default;
	}

	private function setConfig($name, $value): void {
		CSessionHelper::set($name, $value);
	}

	private function unsetConfig(array $keys): void {
		CSessionHelper::unset($keys);
	}

	private function getList(): CList {
		$list = new CList();

		foreach ($this->stages as $id => $data) {
			$list->addItem($data['title'], ($id <= $this->getStep()) ? ZBX_STYLE_SETUP_LEFT_CURRENT : null);
		}

		return $list;
	}

	private function dbConnect(string $username = null, string $password = null) {
		global $DB;

		if (!$this->getConfig('check_fields_result')) {
			return false;
		}

		$DB['TYPE'] = $this->getConfig('DB_TYPE');
		if ($DB['TYPE'] === null) {
			return false;
		}

		$DB['SERVER'] = $this->getConfig('DB_SERVER', 'localhost');
		$DB['PORT'] = $this->getConfig('DB_PORT', '0');
		$DB['DATABASE'] = $this->getConfig('DB_DATABASE', 'zabbix');
		$DB['USER'] = $username ?? $this->getConfig('DB_USER', 'root');
		$DB['PASSWORD'] = $password ?? $this->getConfig('DB_PASSWORD', '');
		$DB['SCHEMA'] = $this->getConfig('DB_SCHEMA', '');
		$DB['ENCRYPTION'] = (bool) $this->getConfig('DB_ENCRYPTION', true);
		$DB['VERIFY_HOST'] = (bool) $this->getConfig('DB_VERIFY_HOST', true);
		$DB['KEY_FILE'] = $this->getConfig('DB_KEY_FILE', '');
		$DB['CERT_FILE'] = $this->getConfig('DB_CERT_FILE', '');
		$DB['CA_FILE'] = $this->getConfig('DB_CA_FILE', '');
		$DB['CIPHER_LIST'] = $this->getConfig('DB_CIPHER_LIST', '');

		$error = '';

		// Check certificate files exists.
		if ($DB['ENCRYPTION'] && ($DB['TYPE'] === ZBX_DB_MYSQL || $DB['TYPE'] === ZBX_DB_POSTGRESQL)) {
			if (($this->getConfig('DB_ENCRYPTION_ADVANCED') || $DB['CA_FILE'] !== '') && !file_exists($DB['CA_FILE'])) {
				error(_s('Incorrect file path for "%1$s": %2$s.', _('Database TLS CA file'), $DB['CA_FILE']));

				return false;
			}

			if ($DB['KEY_FILE'] !== '' && !file_exists($DB['KEY_FILE'])) {
				error(_s('Incorrect file path for "%1$s": %2$s.', _('Database TLS key file'), $DB['KEY_FILE']));

				return false;
			}

			if ($DB['CERT_FILE'] !== '' && !file_exists($DB['CERT_FILE'])) {
				error(_s('Incorrect file path for "%1$s": %2$s.', _('Database TLS certificate file'),
					$DB['CERT_FILE']));

				return false;
			}
		}

		if (!DBconnect($error)) {
			error($error);

			return false;
		}

		return true;
	}

	private function dbClose(): void {
		global $DB;

		DBclose();

		$DB = null;
	}

	private function checkConnection() {
		global $DB;

		$result = true;

		if ($DB['TYPE'] === ZBX_DB_POSTGRESQL && $DB['SCHEMA'] !== '') {
			$db_schema = DBselect(
				'SELECT NULL'.
					' FROM information_schema.schemata'.
					' WHERE schema_name='.zbx_dbstr($DB['SCHEMA'])
			);
			$result = (bool) DBfetch($db_schema);
		}

		$db = DB::getDbBackend();

		if (!$db->checkEncoding()) {
			error($db->getWarning());

			return false;
		}

		return $result;
	}
}