#!/bin/sh

#
# px-issuer
#
# Copyright (c) 2017 SSH Communications Security, Finland
#                    All rights reserved
#

#
# NOTE! The master copy of this file lives in the PrivX repository under
# vagrant; it is copied from there to keymanager (and possibly other consumers)
#

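#
# usage
#
# Print the sub-command summary to stdout; exiting is left to the caller.
#
usage() {
    echo "$(basename -- "$0"):"
    echo "query - get runtime params"
    echo "set-trusted CA [NAME] - make the given cert/bundle a system trust anchor"
}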

# A sub-command is mandatory; the case block below dispatches on it.
[ "$#" -ge 1 ] || { usage; exit 1; }

cmd=$1
shift

# Owner of files installed into the trust store: the service account in
# Kubernetes, root everywhere else.  This deliberately shadows the login
# shell's USER variable for the rest of the script.
case ${KUBERNETES_MODE:-} in
    true)
        USER=privx
        GROUP=privx
        ;;
    *)
        USER=root
        GROUP=root
        ;;
esac


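#
# do_query [OS_RELEASE_FILE]
#
# Detect the Linux family and print the trust-store parameters as shell
# assignments, one per line, in a form the caller can eval:
#   os, trustcmd, trustdir, keyowner, cacert
# Every value is a constant chosen here (keyowner also embeds $USER, which
# this script sets to a fixed value before calling), so the output carries
# no external input.
#
# Arguments: $1 - os-release file to inspect (default /etc/os-release).
#                 When it is absent the legacy /etc/*-release marker files
#                 decide, and no marker at all means debian.
# Outputs:   the assignments on stdout
# Returns:   0 on success; exits 1 for an unsupported or unknown OS
#
do_query() {
    osrel=${1:-/etc/os-release}
    osname=""
    if [ -f "$osrel" ]; then
        # Match only the ID= / ID_LIKE= keys, anchored at line start so that
        # VERSION_ID= and PLATFORM_ID= do not count, and test presence
        # rather than an exact hit count of one: a file with both ID=ubuntu
        # and ID_LIKE=debian is two hits, not one.
        if grep -qiE '^ID=.*(rocky|centos|rhel|fedora)' "$osrel"; then
            osname="rhel"
        elif grep -qiE '^ID_LIKE=.*(rocky|centos|rhel|fedora)' "$osrel"; then
            osname="rhel"
        elif grep -qiE '^ID=.*(ubuntu|debian)' "$osrel"; then
            osname="debian"
        elif grep -qiE '^ID_LIKE=.*(ubuntu|debian)' "$osrel"; then
            osname="debian"
        elif grep -qiE '^ID=.*alpine' "$osrel"; then
            osname="alpine"
        fi
    elif [ -f /etc/redhat-release ] || [ -f /etc/centos-release ] \
        || [ -f /etc/fedora-release ] || [ -f /etc/rocky-release ]; then
        osname="rhel"
    elif [ -f /etc/SuSE-release ]; then
        osname="suse"
    else
        osname="debian"
    fi

    case $osname in
        debian)
            catrust="/usr/share/ca-certificates/custom"
            cacmd="update-ca-certificates"
            keyowner="$USER:www-data"
            ;;
        rhel)
            catrust="/etc/pki/ca-trust/source/anchors"
            cacmd="update-ca-trust extract"
            keyowner="$USER:nginx"
            ;;
        alpine)
            catrust="/usr/local/share/ca-certificates"
            cacmd="update-ca-certificates"
            keyowner="$USER:nginx"
            ;;
        suse)
            # XXX tbd as well as other linux variants
            echo "Unsupported OS release" >&2
            exit 1
            ;;
        *)
            echo "Unidentified OS release" >&2
            exit 1
            ;;
    esac

    echo "os=\"$osname\""
    echo "trustcmd=\"$cacmd\""
    echo "trustdir=\"$catrust\""
    echo "keyowner=\"$keyowner\""

    # PrivX CA is always stored to /opt/privx/etc/
    echo "cacert=\"/opt/privx/etc/privx-ca.crt\""
}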

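#
# do_set_trusted CA [NAME]
#
# Copy CA (a PEM certificate or bundle) into the distribution trust store
# as NAME.pem (default privx-ca.pem), register it where the distribution
# needs that, and refresh the trust database.
#
# Globals:   USER, GROUP (set above); os, trustdir, trustcmd (from do_query)
# Arguments: $1 - path of the certificate/bundle to install
#            $2 - optional base name for the installed file
# Returns:   0 on success; exits 1 on a bad argument, an unsupported OS or
#            a failed copy/refresh
#
do_set_trusted() {
    ca=$1
    name=${2:-privx-ca}

    if [ -z "$ca" ] || [ ! -f "$ca" ]; then
        printf '%s\n' "set-trusted: certificate file '$ca' not found" >&2
        exit 1
    fi

    # NAME becomes a file name under $trustdir and a line in
    # /etc/ca-certificates.conf; accept a plain name only (no path
    # separators, no leading dot) so it cannot escape the trust dir.
    case $name in
        .*|*[!A-Za-z0-9._-]*)
            printf '%s\n' "set-trusted: invalid NAME '$name'" >&2
            exit 1
            ;;
    esac
    target="$name.pem"

    # Load os/trustcmd/trustdir/keyowner/cacert.  do_query emits only
    # constants it chooses itself, so eval'ing its output is safe; its exit
    # status would be lost inside eval, hence the two steps.
    params=$(do_query) || exit 1
    eval "$params"

    if [ ! -d "$trustdir" ]; then
        mkdir -p "$trustdir" || exit 1
        chown "$USER:$GROUP" "$trustdir"
    fi

    cp -- "$ca" "$trustdir/$target" || exit 1
    chown "$USER:$GROUP" "$trustdir/$target"
    chmod 644 "$trustdir/$target"

    if [ "X$os" = "Xdebian" ]; then
        # Register once: fixed-string, whole-line match instead of an
        # unanchored regex built from the file name.
        if ! grep -qxF "custom/$target" /etc/ca-certificates.conf 2>/dev/null; then
            echo "custom/$target" >> /etc/ca-certificates.conf
        fi
    fi
    if [ "X$os" = "Xrhel" ]; then
        ( umask 022; update-ca-trust enable ) > /dev/null 2>&1
    fi
    # $trustcmd may carry an argument ("update-ca-trust extract"), so it is
    # split on purpose.  A failed refresh leaves the anchor untrusted;
    # report it rather than exit 0 silently.
    # shellcheck disable=SC2086
    if ! ( umask 022; $trustcmd ) > /dev/null 2>&1; then
        printf '%s\n' "set-trusted: '$trustcmd' failed" >&2
        exit 1
    fi
}

case $cmd in
    query)
        do_query
        ;;

    set-trusted)
        do_set_trusted "$@"
        ;;

    *)
        usage
        exit 1
        ;;
esac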
