#!/bin/bash

#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.
set -xe

CFSSLURL=https://pkg.cfssl.org/R1.2
for CFSSL_BIN in cfssl cfssljson; do
  if ! type -p "${CFSSL_BIN}"; then
    sudo curl -sSL -o "/usr/local/bin/${CFSSL_BIN}" "${CFSSLURL}/${CFSSL_BIN}_linux-amd64"
    sudo chmod +x "/usr/local/bin/${CFSSL_BIN}"
    ls "/usr/local/bin/${CFSSL_BIN}"
  fi
done

OSH_CONFIG_ROOT="/etc/openstack-helm"
OSH_CA_ROOT="${OSH_CONFIG_ROOT}/certs/ca"
OSH_SERVER_TLS_ROOT="${OSH_CONFIG_ROOT}/certs/server"

sudo mkdir -p ${OSH_CONFIG_ROOT}
sudo chown $(whoami): -R ${OSH_CONFIG_ROOT}

mkdir -p "${OSH_CA_ROOT}"
tee ${OSH_CA_ROOT}/ca-config.json << EOF
{
    "signing": {
        "default": {
            "expiry": "1y"
        },
        "profiles": {
            "server": {
                "expiry": "1y",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            }
        }
    }
}
EOF

tee ${OSH_CA_ROOT}/ca-csr.json << EOF
{
  "CN": "ACME Company",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "SomeState",
      "ST": "SomeCity",
      "O": "SomeOrg",
      "OU": "SomeUnit"
    }
  ]
}
EOF

cfssl gencert -initca ${OSH_CA_ROOT}/ca-csr.json | cfssljson -bare ${OSH_CA_ROOT}/ca -

function check_cert_and_key () {
  TLS_CERT=$1
  TLS_KEY=$2
  openssl x509 -inform pem -in ${TLS_CERT} -noout -text
  CERT_MOD="$(openssl x509 -noout -modulus -in ${TLS_CERT})"
  KEY_MOD="$(openssl rsa -noout -modulus -in ${TLS_KEY})"
  if ! [ "${CERT_MOD}" = "${KEY_MOD}" ]; then
    echo "Failure: TLS private key does not match this certificate."
    exit 1
  else
    CERT_MOD=""
    KEY_MOD=""
    echo "Pass: ${TLS_CERT} is valid with ${TLS_KEY}"
  fi
}
check_cert_and_key ${OSH_CA_ROOT}/ca.pem ${OSH_CA_ROOT}/ca-key.pem