#!/bin/bash

set -e

ssl_dir="/usr/share/yunohost/yunohost-config/ssl/yunoCA"
ynh_ca="/etc/yunohost/certs/yunohost.org/ca.pem"
ynh_crt="/etc/yunohost/certs/yunohost.org/crt.pem"
ynh_key="/etc/yunohost/certs/yunohost.org/key.pem"
openssl_conf="/usr/share/yunohost/templates/ssl/openssl.cnf"

regen_local_ca() {

    domain="$1"

    echo -e "\n# Creating local certification authority with domain=$domain\n"

    # create certs and SSL directories
    mkdir -p "/etc/yunohost/certs/yunohost.org"
    mkdir -p "${ssl_dir}/"{ca,certs,crl,newcerts}

    pushd ${ssl_dir}

    # (Update the serial so that it's specific to this very instance)
    # N.B. : the weird RANDFILE thing comes from:
    # https://stackoverflow.com/questions/94445/using-openssl-what-does-unable-to-write-random-state-mean
    RANDFILE=.rnd openssl rand -hex 19 >serial
    rm -f index.txt
    touch index.txt
    cp /usr/share/yunohost/templates/ssl/openssl.cnf openssl.ca.cnf
    sed -i "s/yunohost.org/${domain}/g" openssl.ca.cnf
    openssl req -x509 \
        -new \
        -config openssl.ca.cnf \
        -days 3650 \
        -out ca/cacert.pem \
        -keyout ca/cakey.pem \
        -nodes \
        -batch \
        -subj /CN=${domain}/O=${domain%.*} 2>&1

    chmod 640 ca/cacert.pem
    chmod 640 ca/cakey.pem

    cp ca/cacert.pem $ynh_ca
    ln -sf "$ynh_ca" /etc/ssl/certs/ca-yunohost_crt.pem
    update-ca-certificates

    popd
}

do_init_regen() {

    LOGFILE=/tmp/yunohost-ssl-init
    echo "" >$LOGFILE
    chown root:root $LOGFILE
    chmod 640 $LOGFILE

    # Make sure this conf exists
    mkdir -p ${ssl_dir}
    cp /usr/share/yunohost/templates/ssl/openssl.cnf ${ssl_dir}/openssl.ca.cnf

    # create default certificates
    if [[ ! -f "$ynh_ca" ]]; then
        regen_local_ca yunohost.org >>$LOGFILE
    fi

    if [[ ! -f "$ynh_crt" ]]; then
        echo -e "\n# Creating initial key and certificate \n" >>$LOGFILE

        openssl req -new \
            -config "$openssl_conf" \
            -days 730 \
            -out "${ssl_dir}/certs/yunohost_csr.pem" \
            -keyout "${ssl_dir}/certs/yunohost_key.pem" \
            -nodes -batch &>>$LOGFILE

        openssl ca \
            -config "$openssl_conf" \
            -days 730 \
            -in "${ssl_dir}/certs/yunohost_csr.pem" \
            -out "${ssl_dir}/certs/yunohost_crt.pem" \
            -batch &>>$LOGFILE

        chmod 640 "${ssl_dir}/certs/yunohost_key.pem"
        chmod 640 "${ssl_dir}/certs/yunohost_crt.pem"

        cp "${ssl_dir}/certs/yunohost_key.pem" "$ynh_key"
        cp "${ssl_dir}/certs/yunohost_crt.pem" "$ynh_crt"
        ln -sf "$ynh_crt" /etc/ssl/certs/yunohost_crt.pem
        ln -sf "$ynh_key" /etc/ssl/private/yunohost_key.pem
    fi

    chown -R root:ssl-cert /etc/yunohost/certs/yunohost.org/
    chmod o-rwx /etc/yunohost/certs/yunohost.org/

    install -D -m 644 $openssl_conf "${ssl_dir}/openssl.cnf"
}

do_pre_regen() {
    pending_dir=$1

    cd /usr/share/yunohost/templates/ssl

    install -D -m 644 openssl.cnf "${pending_dir}/${ssl_dir}/openssl.cnf"
}

do_post_regen() {
    regen_conf_files=$1

    current_local_ca_domain=$(openssl x509 -in $ynh_ca -text | tr ',' '\n' | grep Issuer | awk '{print $4}')
    main_domain=$(cat /etc/yunohost/current_host)

    if [[ "$current_local_ca_domain" != "$main_domain" ]]; then
        regen_local_ca $main_domain
        # Idk how useful this is, but this was in the previous python code (domain.main_domain())
        ln -sf /etc/yunohost/certs/$domain/crt.pem /etc/ssl/certs/yunohost_crt.pem
        ln -sf /etc/yunohost/certs/$domain/key.pem /etc/ssl/private/yunohost_key.pem
    fi
}

do_$1_regen ${@:2}