#!/bin/bash
# Copyright (C) The Arvados Authors. All rights reserved.
#
# SPDX-License-Identifier: AGPL-3.0

exec 2>&1
set -ex -o pipefail

. /usr/local/lib/arvbox/common.sh

uuid_prefix=$(cat /var/lib/arvados/api_uuid_prefix)

if ! openssl verify -CAfile $root_cert $root_cert ; then
    # req           signing request sub-command
    # -new          new certificate request
    # -nodes        "no des" don't encrypt key
    # -sha256       include sha256 fingerprint
    # -x509         generate self-signed certificate
    # -subj         certificate subject
    # -reqexts      certificate request extension for subjectAltName
    # -extensions   certificate request extension for subjectAltName
    # -config       certificate generation configuration plus subjectAltName
    # -out          certificate output
    # -keyout       private key output
    # -days         certificate lifetime
    openssl req \
	    -new \
	    -nodes \
	    -sha256 \
	    -x509 \
	    -subj "/C=US/ST=MA/O=Arvados testing/OU=arvbox/CN=test root CA for ${uuid_prefix} generated $(date --rfc-3339=seconds)" \
	    -extensions x509_ext \
	    -config <(cat /etc/ssl/openssl.cnf \
			  <(printf "\n[x509_ext]\nbasicConstraints=critical,CA:true,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign")) \
            -out $root_cert \
            -keyout $root_cert_key \
            -days 365
    chown arvbox:arvbox $root_cert $root_cert_key
    rm -f $server_cert $server_cert_key
fi

cp $root_cert /usr/local/share/ca-certificates/arvados-testing-cert.crt
update-ca-certificates

if ! openssl verify -CAfile $root_cert $server_cert ; then

    rm -f $server_cert $server_cert_key

    if [[ $localip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
	san=IP:$localip
    else
	san=DNS:$localip
    fi

    # req           signing request sub-command
    # -new          new certificate request
    # -nodes        "no des" don't encrypt key
    # -sha256       include sha256 fingerprint
    # -subj         certificate subject
    # -reqexts      certificate request extension for subjectAltName
    # -extensions   certificate request extension for subjectAltName
    # -config       certificate generation configuration plus subjectAltName
    # -out          certificate output
    # -keyout       private key output
    # -days         certificate lifetime
    openssl req \
	    -new \
	    -nodes \
	    -sha256 \
	    -subj "/C=US/ST=MA/O=Arvados testing/OU=arvbox/CN=test server cert for ${uuid_prefix} generated $(date --rfc-3339=seconds)" \
	    -reqexts x509_ext \
	    -extensions x509_ext \
	    -config <(cat /etc/ssl/openssl.cnf \
			  <(printf "\n[x509_ext]\nkeyUsage=critical,digitalSignature,keyEncipherment\nsubjectAltName=DNS:localhost,$san")) \
            -out /var/lib/arvados/server-cert-${localip}.csr \
            -keyout $server_cert_key \
            -days 365

    openssl x509 \
	    -req \
	    -in /var/lib/arvados/server-cert-${localip}.csr \
	    -CA $root_cert \
	    -CAkey $root_cert_key \
	    -out $server_cert \
	    -set_serial $RANDOM$RANDOM \
	    -extfile <(cat /etc/ssl/openssl.cnf \
			  <(printf "\n[x509_ext]\nkeyUsage=critical,digitalSignature,keyEncipherment\nsubjectAltName=DNS:localhost,$san")) \
	    -extensions x509_ext \
	    -days 365

    chown arvbox:arvbox $server_cert $server_cert_key
fi

sv stop certificate