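#!/bin/bash
#
# Manage the TLS key/certificate material used by lighttpd.
#
# Usage:
#   $0 [--redirect] [--redirect-only] <operation> [args...]
#
# Operations:
#   --random <cn>                  generate a self-signed certificate for CN <cn>
#   --test <key> <cert>            check that <key> and <cert> belong together
#   --import <key> <cert> [chain]  install <key>/<cert> (plus optional chain);
#                                  the input files are deleted afterwards
#   --disable                      remove the installed key/cert
#
# --redirect creates REDIR_FLAG, otherwise the flag is removed; --redirect-only
# only updates the flag and skips the operation. Every run except --test ends
# by restarting lighttpd.

# Combined private key + certificate (+ chain) as read by lighttpd.
declare -rg CERT_KEY_FILE="/etc/lighttpd/server.pem"
# Certificate only, extracted from CERT_KEY_FILE by post_setup_hook.
declare -rg PUB_CERT_FILE="/etc/lighttpd/pub-cert.pem"
declare -rg CHAIN_FILE="/etc/lighttpd/chain.pem"
declare -rg REDIR_FLAG="/etc/lighttpd/redirect.flag"

#######################################
# Remove the installed key/certificate.
# Exits 0 immediately (no lighttpd restart) when nothing is installed,
# exits 1 if the key file cannot be removed.
#######################################
op_disable () {
  [ -e "$CERT_KEY_FILE" ] || exit 0
  rm -f -- "$CERT_KEY_FILE" || exit 1
  rm -f -- "$CHAIN_FILE"
}

#######################################
# Verify that a private key and a certificate belong together by
# encrypting a scratch message with the certificate and decrypting it
# with the key.
# Arguments: $1 - private key file, $2 - certificate file
# Exits:     0 on match; 1 bad arguments; 2/3 unreadable key/cert;
#            4-6 mktemp failure; 7 encrypt failed; 8 decrypt failed;
#            9 round trip mismatch. Never returns, so lighttpd is not
#            restarted either way.
#######################################
op_test () {
  [ $# -eq 2 ] || exit 1
  local K=$1
  local C=$2
  [ -r "$K" ] || exit 2
  [ -r "$C" ] || exit 3
  # Declaration and assignment are split so that mktemp's own status is
  # not masked by `local`; the emptiness checks below catch its failure.
  local TEST_IN TEST_OUT TEST_DIFF
  TEST_IN=$(mktemp --tmpdir bwlp-XXXXXXXX)
  TEST_OUT=$(mktemp --tmpdir bwlp-XXXXXXXX)
  TEST_DIFF=$(mktemp --tmpdir bwlp-XXXXXXXX)
  # The scratch files are removed on every exit path (the function only
  # ever leaves via exit, so the locals are still in scope when this fires).
  trap 'rm -f -- "$TEST_IN" "$TEST_OUT" "$TEST_DIFF"' EXIT
  [ -z "$TEST_IN" ] && exit 4
  [ -z "$TEST_OUT" ] && exit 5
  [ -z "$TEST_DIFF" ] && exit 6
  date > "$TEST_IN"
  openssl smime -encrypt -binary -aes-256-cbc -in "$TEST_IN" -out "$TEST_OUT" -outform DER "$C" || exit 7
  openssl smime -decrypt -binary -in "$TEST_OUT" -inform DER -out "$TEST_DIFF" -inkey "$K" || exit 8
  diff -q "$TEST_IN" "$TEST_DIFF" || exit 9
  exit 0 # No restart either way
}

#######################################
# Install a key/certificate pair (and an optional chain) as CERT_KEY_FILE.
# The input files are deleted after a successful import.
# Arguments: $1 - private key file, $2 - certificate file,
#            $3 - optional chain file
# Exits:     1 bad arguments; 2/3 unreadable key/cert; 4 chmod failed
# Returns:   0 on success (caller restarts lighttpd)
#######################################
op_import () {
  [ $# -lt 2 ] && exit 1
  local K=$1
  local C=$2
  local CHAIN=$3
  [ -r "$K" ] || exit 2
  [ -r "$C" ] || exit 3
  rm -f -- "$CHAIN_FILE"
  # Create server.pem. The file contains the private key, so it is created
  # with a restrictive umask instead of being chmod'ed after the fact --
  # otherwise there is a window in which it is readable per the default umask.
  (
    umask 077
    {
      cat -- "$C"
      # If we have a chain file, try to use it as well. It must parse as a
      # certificate and have matching BEGIN/END marker counts.
      if [ -s "$CHAIN" ] && openssl x509 -noout -hash -in "$CHAIN" &> /dev/null \
          && [ "$( grep -c '^-----END' "$CHAIN" )" = "$( grep -c '^-----BEGIN' "$CHAIN" )" ]; then
        echo
        cat -- "$CHAIN"
      fi
      echo
      cat -- "$K"
    } > "$CERT_KEY_FILE"
  )
  chmod 0600 "$CERT_KEY_FILE" || exit 4
  rm -f -- "$C" "$K"
  post_setup_hook
  return 0
}

#######################################
# Generate a self-signed RSA-4096 certificate with the given CN.
# Arguments: $1 - common name (used verbatim in -subj; a value containing
#                 '/' would be parsed as additional subject fields)
# Exits:     1 missing CN; 2 openssl failed; 3 chmod failed
# Returns:   0 on success (caller restarts lighttpd)
#######################################
op_random () {
  [ -z "$1" ] && exit 1
  rm -f -- "$CHAIN_FILE"
  # Restrictive umask while openssl writes the private key (see op_import).
  (
    umask 077
    openssl req -x509 -new -newkey rsa:4096 -keyout "$CERT_KEY_FILE" -out "$CERT_KEY_FILE" -days 5000 -nodes \
      -subj "/C=DE/ST=Nowhere/L=Springfield/O=bwLehrpool/CN=$1"
  ) || exit 2
  chmod 0600 "$CERT_KEY_FILE" || exit 3
  post_setup_hook
  return 0
}

#######################################
# Extract the certificate from CERT_KEY_FILE into PUB_CERT_FILE.
#######################################
post_setup_hook () {
  rm -f -- "$PUB_CERT_FILE"
  openssl x509 -outform pem -in "$CERT_KEY_FILE" -out "$PUB_CERT_FILE"
}

#######################################
# Create or remove REDIR_FLAG depending on whether --redirect was given.
# Globals: REDIR (read)
#######################################
setup_redirect () {
  if [ -n "$REDIR" ]; then
    touch "$REDIR_FLAG"
  else
    rm -f -- "$REDIR_FLAG"
  fi
}

RE_ONLY=
REDIR=
# Leading flags; anything else is the operation.
while true; do
  case "$1" in
    --redirect-only) RE_ONLY=true ;;
    --redirect) REDIR=true ;;
    *) break ;;
  esac
  shift
done

setup_redirect

if [ -z "$RE_ONLY" ]; then
  OP=$1
  shift
  case "$OP" in
    --random) op_random "$@" ;;
    --test) op_test "$@" ;;
    --import) op_import "$@" ;;
    --disable) op_disable ;;
    *)
      # $OP, not $1: the operation has already been shifted away.
      echo "Invalid operation: $OP" >&2
      exit 1
      ;;
  esac
fi

sleep .5
systemctl restart lighttpd
exit 0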