#!/bin/bash

# Abort on the first unhandled command failure.
set -e

PROGNAME="ngcp-extend-api-ca"
# Make sure the tools installed under /usr/sbin are found first.
PATH="/usr/sbin:${PATH}"

# The node role definitions are mandatory; stop early when they are missing.
if [[ ! -r /etc/default/ngcp-roles ]]; then
  printf '%s\n' "Error: cannot read /etc/default/ngcp-roles" >&2
  exit 1
fi

# shellcheck disable=SC1091
source /etc/default/ngcp-roles

# Refuse to run on nodes that are explicitly flagged as non-management.
# Only the literal value "no" is rejected here: an unset or differently
# spelled NGCP_IS_MGMT passes this check.
if [[ "${NGCP_IS_MGMT}" == "no" ]]; then
  printf '%s\n' "Error: this commnad needs to run on a management node" >&2
  exit 1
fi

#----- Setting variables -----
# Defaults used when the command line does not override them.
# OpenSSL request configuration passed to 'openssl req -config'.
CACERTCONFIG='/usr/share/ngcp-panel-tools/opensslcnf.cnf'
# "unset" is a sentinel: the certificate and key paths are resolved later,
# either from the ngcpcfg configuration or from the --cafile option.
CACERTPATH='unset'
CACERTKEYPATH='unset'
# Action to perform ("check" or "extend") and validity in days for "extend".
ACTION='check'
VALUE='3650'

# ----- Functions definition ----
#######################################
# Print the command-line help text.
# Globals:   PROGNAME (read)
# Arguments: none
# Outputs:   help text on stdout, followed by one empty line
#######################################
usage() {
  cat <<EOF
Usage: ${PROGNAME} [<option>...] <action>...

Action:
  -c, --check           Print certificate validity dates (default).
  -e, --extend <N>      Extend certificate validity by <N> days.

Options:
  -f, --cafile <file>   Certificate file path to work on
                          (default is ossbss.apache.restapi.sslcertfile).
  -h, --help            Print this output.

EOF
}

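#######################################
# Parse the command line into the global settings.
# Globals:   PROGNAME (read); ACTION, VALUE, CACERTPATH (written)
# Arguments: the script's command-line arguments ("$@")
# Outputs:   usage text on stdout for -h/--help; errors on stderr
# Returns:   0 once all options are consumed. Exits 0 after --help and
#            non-zero on a parse error or an invalid --extend value.
#######################################
getoptions() {
  local _opts

  # Normalise long and short options. The assignment is kept apart from
  # 'local' so a getopt failure is not masked, and the failure is handled
  # explicitly instead of relying on 'set -e' alone.
  _opts=$(getopt -n "${PROGNAME}" -o ce:f:h --long check,extend:,cafile:,help -- "$@") || exit

  # getopt emits its result shell-quoted; eval is needed to honour that
  # quoting. The eval input is getopt's quoted output, not raw user text.
  eval set -- "${_opts}"
  while :; do
    case "$1" in
      -c | --check)
        ACTION="check"
        shift
        ;;
      -e | --extend)
        # The value ends up as 'openssl x509 -days <N>': accept digits
        # only and reject zero, so a bad value is refused before any
        # file is touched.
        if ! [[ "$2" =~ ^[0-9]+$ && "$2" =~ [1-9] ]]; then
          echo "Error: --extend expects a positive number of days, got '$2'" >&2
          exit 1
        fi
        ACTION="extend"
        VALUE="$2"
        shift 2
        ;;
      -f | --cafile)
        CACERTPATH="$2"
        shift 2
        ;;
      -h | --help)
        usage
        exit 0
        ;;
      --)
        # End of options; remaining positional arguments are not used.
        shift
        break
        ;;
      *)
        echo "Error: parsing error in getopt on '$1'" >&2
        exit 1
        ;;
    esac
  done
}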

#---- end functions definition ----

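getoptions "$@"

# Resolve the certificate and key paths: from the ngcpcfg configuration by
# default, or derived from the file given with --cafile.
if [ "${CACERTPATH}" = "unset" ]; then
  CACERTPATH="$(ngcpcfg get ossbss.apache.restapi.sslcertfile)"
  CACERTKEYPATH="$(ngcpcfg get ossbss.apache.restapi.sslcertkeyfile)"
else
  # The key is expected next to the certificate as <name>.key. Strip the
  # extension only when the file name itself contains a dot; otherwise
  # '%.*' would cut at a dot inside a directory name.
  case "${CACERTPATH##*/}" in
    *.*) CACERTFILENAME="${CACERTPATH%.*}" ;;
    *)   CACERTFILENAME="${CACERTPATH}" ;;
  esac
  CACERTKEYPATH="${CACERTFILENAME}.key"
fi

# An empty path (missing configuration value or '--cafile ""') would make
# openssl work on unintended files such as ".new" in the current directory.
if [ -z "${CACERTPATH}" ]; then
  echo "Error: certificate file path is empty" >&2
  exit 1
fi

# Temporary artefacts of the extend action; removed on every exit path,
# including an abort triggered by 'set -e'.
TMPNEWCSR=""
NEWCERT=""
cleanup_tmpfiles() {
  # Best-effort cleanup: it must not change the script's exit status.
  if [ -n "${TMPNEWCSR}" ]; then
    rm -f -- "${TMPNEWCSR}" || true
  fi
  if [ -n "${NEWCERT}" ]; then
    rm -f -- "${NEWCERT}" || true
  fi
}
trap cleanup_tmpfiles EXIT

case "${ACTION}" in
  extend)
    # Fail with a clear message before anything is created or replaced.
    if ! [ -r "${CACERTKEYPATH}" ]; then
      echo "Error: cannot read CA key file '${CACERTKEYPATH}'" >&2
      exit 1
    fi
    echo "Extend CA certificate validity ${CACERTPATH} for ${VALUE} days"
    TMPNEWCSR="$(mktemp --tmpdir  -t ngcp-api-ca-csr.XXXXXXXXXX)"
    # Build a fresh CSR from the existing key, then self-sign it with that
    # same key for the requested number of days.
    openssl req -new -key "${CACERTKEYPATH}" -out "${TMPNEWCSR}" -batch \
                -config "${CACERTCONFIG}"
    # NOTE(review): 'openssl x509 -req' does not copy extensions from the
    # CSR unless told to; confirm the renewed certificate still carries
    # the extensions (e.g. basicConstraints) that its consumers expect.
    NEWCERT="${CACERTPATH}.new"
    openssl x509 -req -in "${TMPNEWCSR}" -signkey "${CACERTKEYPATH}" \
                 -days "${VALUE}" -out "${NEWCERT}"
    # The certificate is written to a side file and moved into place only
    # after openssl succeeded. The replaced file keeps the owner and mode
    # of the newly created one, not those of the old certificate.
    mv -- "${NEWCERT}" "${CACERTPATH}"
    NEWCERT=""
    rm -f -- "${TMPNEWCSR}"
    TMPNEWCSR=""
    # Reached only when the replacement succeeded.
    ngcp-service restart nginx
    ;;
  check)
    echo "Checking CA certificate validity for ${CACERTPATH}"
    openssl x509 -noout -dates -in "${CACERTPATH}"
    ;;
  *)
    echo "Error: unknown action ${ACTION}" >&2
    exit 1
    ;;
esac
exit 0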
