#!/bin/bash

set -e

ssl_dir="/usr/share/yunohost/yunohost-config/ssl/yunoCA"
ynh_ca="/etc/yunohost/certs/yunohost.org/ca.pem"
ynh_crt="/etc/yunohost/certs/yunohost.org/crt.pem"
ynh_key="/etc/yunohost/certs/yunohost.org/key.pem"
openssl_conf="/usr/share/yunohost/templates/ssl/openssl.cnf"

regen_local_ca() {

    domain="$1"

    echo -e "\n# Creating local certification authority with domain=$domain\n"

    # create certs and SSL directories
    mkdir -p "/etc/yunohost/certs/yunohost.org"
    mkdir -p "${ssl_dir}/"{ca,certs,crl,newcerts}

    pushd ${ssl_dir}

    # (Update the serial so that it's specific to this very instance)
    # N.B. : the weird RANDFILE thing comes from:
    # https://stackoverflow.com/questions/94445/using-openssl-what-does-unable-to-write-random-state-mean
    RANDFILE=.rnd openssl rand -hex 19 > serial
    rm -f index.txt
    touch index.txt
    cp /usr/share/yunohost/templates/ssl/openssl.cnf openssl.ca.cnf
    sed -i "s/yunohost.org/${domain}/g" openssl.ca.cnf
    openssl req -x509 \
        -new \
        -config openssl.ca.cnf \
        -days 3650 \
        -out ca/cacert.pem \
        -keyout ca/cakey.pem \
        -nodes \
        -batch \
        -subj /CN=${domain}/O=${domain%.*} 2>&1

    chmod 640 ca/cacert.pem
    chmod 640 ca/cakey.pem

    cp ca/cacert.pem $ynh_ca
    ln -sf "$ynh_ca" /etc/ssl/certs/ca-yunohost_crt.pem
    update-ca-certificates

    popd
}



do_init_regen() {

  LOGFILE=/tmp/yunohost-ssl-init
  echo "" > $LOGFILE
  chown root:root $LOGFILE
  chmod 640 $LOGFILE

  # Make sure this conf exists
  mkdir -p ${ssl_dir}
  cp /usr/share/yunohost/templates/ssl/openssl.cnf ${ssl_dir}/openssl.ca.cnf

  # create default certificates
  if [[ ! -f "$ynh_ca" ]]; then
      regen_local_ca yunohost.org >>$LOGFILE
  fi

  if [[ ! -f "$ynh_crt" ]]; then
      echo -e "\n# Creating initial key and certificate \n" >>$LOGFILE

      openssl req -new \
        -config "$openssl_conf" \
        -days 730 \
        -out "${ssl_dir}/certs/yunohost_csr.pem" \
        -keyout "${ssl_dir}/certs/yunohost_key.pem" \
        -nodes -batch &>>$LOGFILE

      openssl ca \
        -config "$openssl_conf" \
        -days 730 \
        -in "${ssl_dir}/certs/yunohost_csr.pem" \
        -out "${ssl_dir}/certs/yunohost_crt.pem" \
        -batch &>>$LOGFILE

      chmod 640 "${ssl_dir}/certs/yunohost_key.pem"
      chmod 640 "${ssl_dir}/certs/yunohost_crt.pem"

      cp "${ssl_dir}/certs/yunohost_key.pem" "$ynh_key"
      cp "${ssl_dir}/certs/yunohost_crt.pem" "$ynh_crt"
      ln -sf "$ynh_crt" /etc/ssl/certs/yunohost_crt.pem
      ln -sf "$ynh_key" /etc/ssl/private/yunohost_key.pem
  fi

  chown -R root:ssl-cert /etc/yunohost/certs/yunohost.org/
  chmod o-rwx /etc/yunohost/certs/yunohost.org/

  install -D -m 644 $openssl_conf "${ssl_dir}/openssl.cnf"
}

do_pre_regen() {
  pending_dir=$1

  cd /usr/share/yunohost/templates/ssl

  install -D -m 644 openssl.cnf "${pending_dir}/${ssl_dir}/openssl.cnf"
}

do_post_regen() {
  regen_conf_files=$1

  current_local_ca_domain=$(openssl x509 -in $ynh_ca -text | tr ',' '\n' | grep Issuer | awk '{print $4}')
  main_domain=$(cat /etc/yunohost/current_host)

  if [[ "$current_local_ca_domain" != "$main_domain" ]]
  then
      regen_local_ca $main_domain
      # Idk how useful this is, but this was in the previous python code (domain.main_domain())
      ln -sf /etc/yunohost/certs/$domain/crt.pem /etc/ssl/certs/yunohost_crt.pem
      ln -sf /etc/yunohost/certs/$domain/key.pem /etc/ssl/private/yunohost_key.pem
  fi
}

FORCE=${2:-0}
DRY_RUN=${3:-0}

case "$1" in
  pre)
    do_pre_regen $4
    ;;
  post)
    do_post_regen $4
    ;;
  init)
    do_init_regen
    ;;
  *)
    echo "hook called with unknown argument \`$1'" >&2
    exit 1
    ;;
esac

exit 0