#!/bin/bash

#
# AIM: Request TLS certificates from an ACME server (letsencrypt client) for the
#      machine name, the optional web URL, the extra names and the reverse-proxy
#      domains that are flagged for Let's Encrypt in the Creole configuration.
#

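function openPorts()
{
	# Insert an ACCEPT rule for incoming TCP SYN packets on each given port at
	# the head of the INPUT chain (so it takes precedence over any later
	# DROP/REJECT rule).
	#
	# Arguments:
	#   $1    - unused. Callers pass the ACME "--server ..." option string
	#           here; it is not a source address and is not used to narrow
	#           the rule, which is open to every peer.
	#   $2... - TCP ports to open. Unquoted on purpose below: an argument may
	#           itself hold several space-separated ports; empty values vanish.
	# Side effects: modifies the live iptables ruleset. Nothing here removes
	#   the rules again - the caller is responsible for closing the ports.
	# Returns: status of the last iptables call (callers ignore it).
	local source=${1}
	shift
	local prt

	for prt in ${@}
	do
		# Re-use an already present rule instead of stacking a duplicate at
		# the top of INPUT on every run of this script.
		iptables -C INPUT -p tcp -m tcp --dport "${prt}" --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT > /dev/null 2>&1 \
			&& continue
		iptables -I INPUT -p tcp -m tcp --dport "${prt}" --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
	done
}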

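function startWWW()
{
	# Start the temporary nginx (minimal config) that serves the HTTP-01
	# challenge files, and record the pids of THAT nginx in a fresh temp file
	# so the caller can stop exactly those processes afterwards.
	#
	# nginx daemonises, so $! is useless; the set of nginx pids is snapshotted
	# before and after the start and the difference is what this call created.
	# (The previous `pidof nginx -c <conf>` looked processes up by program
	# name only, so it returned every nginx on the host and the later kill
	# could take down an unrelated, already running nginx.)
	#
	# Outputs: path of the pid file on stdout, on success only.
	# Returns: 0 on success; 1 if mktemp fails or no new nginx process
	#   appeared (the temp file is removed in that case).
	local pidfile wwwsrv opt before after pid newpids

	wwwsrv=nginx
	opt="-c /etc/eole/ssl/nginx-minimal.conf"
	pidfile=$(mktemp) || return 1

	# NOTE(review): fixed, predictable webroot under world-writable /tmp.
	# mkdir -p silently reuses a directory (or symlink) a local user created
	# first, which hands that user the challenge webroot. Kept as is because
	# nginx-minimal.conf (not visible here) presumably points at this path.
	[[ ! -d "/tmp/www" ]] && mkdir -p /tmp/www

	before=" $(pidof "${wwwsrv}") "
	${wwwsrv} ${opt}   # unquoted on purpose: opt holds two words
	after=$(pidof "${wwwsrv}")

	newpids=""
	for pid in ${after}
	do
		[[ "${before}" == *" ${pid} "* ]] || newpids="${newpids}${newpids:+ }${pid}"
	done

	if [[ -n ${newpids} ]]
	then
		echo "${newpids}" > "${pidfile}"
		echo "${pidfile}"
		return 0
	fi
	rm -f -- "${pidfile}"
	return 1
}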

function getRevProxDomains()
{
	# Echo the reverse-proxy domain names whose Let's Encrypt flag is 'oui'.
	# The two Creole lists are parallel: entry i of revprox_le_cert says
	# whether entry i of revprox_domainname gets a certificate.
	#
	# Outputs: space-separated selected names on stdout (may be empty).
	# Returns: 0.
	local -a domainNames=($(CreoleGet revprox_domainname))
	local -a wantCert=($(CreoleGet revprox_le_cert))
	local -a selected=()
	local idx

	for idx in "${!wantCert[@]}"
	do
		[[ ${wantCert[${idx}]} == 'oui' ]] && selected+=("${domainNames[${idx}]}")
	done

	# Unquoted on purpose: joins the names with single spaces, no leading one.
	echo ${selected[@]}
	return 0
}

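if [[ $(CreoleGet cert_type non) == 'letsencrypt'  ]]
then
	PROTOC="https"
	SERVER=$(CreoleGet le_server_addr)
	PORT=$(CreoleGet le_server_port)
	HTTP01PORT=$(CreoleGet le_http_01_port)
	TLSNSIPORT=$(CreoleGet le_tls_sni_port)
	CONFDIR=$(CreoleGet le_config_dir)
	WOKRDIR=$(CreoleGet le_work_dir)
	LOGSDIR=$(CreoleGet le_logs_dir)
	LEMODE=$(CreoleGet le_client_mode)
	PIDFILE=""

	LECLIENT='letsencrypt'
	LEOPT='certonly'

	# Only pass --server when a custom ACME endpoint is configured; otherwise
	# the client uses its built-in default directory.
	if [[ -n ${SERVER} ]]
	then
		SERVER="--server ${PROTOC}://${SERVER}"
		[[ -n ${PORT} ]] && SERVER="${SERVER}:${PORT}"
		SERVER="${SERVER}/directory"
	fi

	NOMDOMAINEMACHINE="$(CreoleGet nom_domaine_machine)"
	WEBURL=$(CreoleGet web_url "")

	# Extra names: each one gets its own client run (and its own lineage).
	DOMAINS=""
	for domain in $(CreoleGet le_extra_names)
	do
		DOMAINS="${DOMAINS} ${domain}"
	done

	if [[ "$(CreoleGet activer_revprox non )" == "oui" ]]
	then
		DOMAINS="${DOMAINS} $(getRevProxDomains)"
	fi

	# Drop duplicate names, keeping the first occurrence and the order.
	UNIQDOMAINS=""
	for domain in ${DOMAINS}
	do
		[[ " ${UNIQDOMAINS} " == *" ${domain} "* ]] || UNIQDOMAINS="${UNIQDOMAINS} ${domain}"
	done
	DOMAINS=${UNIQDOMAINS# }

	# Challenge transport: standalone lets the client listen itself; webroot
	# mode serves /tmp/www through the temporary nginx started by startWWW.
	if [[ ${LEMODE} = 'standalone' ]]
	then
		CHALLENGE_PORTS="${HTTP01PORT} ${TLSNSIPORT}"
		MODE_OPT="--standalone"
	else
		CHALLENGE_PORTS="80"
		MODE_OPT="--webroot --webroot-path /tmp/www"
	fi

	# Firewall handling. openPorts inserts an ACCEPT rule at the head of
	# INPUT and never removes it, so without cleanup every run left the
	# challenge ports open to everyone for good. Remember which ports were
	# NOT already open before this run and close exactly those again on any
	# exit path (normal end, exit 22, exit 45).
	OPENED_PORTS=""
	for prt in ${CHALLENGE_PORTS}
	do
		iptables -C INPUT -p tcp -m tcp --dport "${prt}" --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT > /dev/null 2>&1 \
			|| OPENED_PORTS="${OPENED_PORTS} ${prt}"
	done

	# Remove the rules this run added (same rule spec as openPorts).
	closeOpenedPorts()
	{
		local prt
		for prt in ${OPENED_PORTS}
		do
			iptables -D INPUT -p tcp -m tcp --dport "${prt}" --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT > /dev/null 2>&1
		done
	}
	trap closeOpenedPorts EXIT

	openPorts "${SERVER}" ${CHALLENGE_PORTS}

	if [[ ${LEMODE} != 'standalone' ]]
	then
		if ! PIDFILE=$(startWWW)
		then
			echo "Erreur lors du lancement du serveur web temporaire"
			exit 22
		fi
	fi

	# Run the ACME client once for the -d options given in "$@", print the
	# [OK]/[KO] marker that completes the caller's "Demande de certificat"
	# line, and return the client's exit status. Reads the LE* / *DIR /
	# MODE_OPT / SERVER / *PORT globals set above.
	askCert()
	{
		local rc
		# Unquoted on purpose: MODE_OPT and SERVER each hold several words.
		local -a opts=(${MODE_OPT} --expand ${SERVER})
		# Only pass a port option when a value exists; an empty value would
		# make the client read the next flag as the port.
		[[ -n ${HTTP01PORT} ]] && opts+=(--http-01-port "${HTTP01PORT}")
		[[ -n ${TLSNSIPORT} ]] && opts+=(--tls-sni-01-port "${TLSNSIPORT}")

		# --no-verify-ssl disables TLS verification of the ACME endpoint, so
		# an on-path attacker can impersonate the CA towards this client.
		# NOTE(review): presumably needed for a private ACME server with a
		# self-signed certificate; trusting that server's CA and dropping the
		# flag would be the safer setup - confirm with the deployment.
		# --register-unsafely-without-email means no expiry/revocation mail.
		${LECLIENT} ${LEOPT} "${opts[@]}" "${@}" \
			--no-verify-ssl                   \
			--non-interactive                 \
			--no-redirect                     \
			--agree-tos                       \
			--register-unsafely-without-email \
			--manual-public-ip-logging-ok     \
			--config-dir "${CONFDIR}"         \
			--work-dir "${WOKRDIR}"           \
			--logs-dir "${LOGSDIR}" > /dev/null 2>&1
		rc=${?}
		if [[ ${rc} -eq 0 ]]
		then
			echo -e "\t\t\t [OK]"
		else
			echo -e "\t\t\t [KO]"
		fi
		return ${rc}
	}

	# res accumulates the exit statuses of ALL client runs and becomes the
	# script's exit status. It is initialised here, before the main-domain
	# request: previously it was reset to 0 only after that request, so a
	# failure on the main domain was silently dropped from the final status.
	res=0

	# Main domain, with the web URL as a second SAN when it differs.
	DOM_OPT="-d ${NOMDOMAINEMACHINE}"
	LABEL="${NOMDOMAINEMACHINE}"
	if [[ -n ${WEBURL} && ${NOMDOMAINEMACHINE} != "${WEBURL}" ]]
	then
		DOM_OPT="${DOM_OPT} -d ${WEBURL}"
		LABEL="${NOMDOMAINEMACHINE} ${WEBURL}"
	fi
	echo -n "  - Demande de certificat pour ${LABEL}"
	askCert ${DOM_OPT}   # unquoted on purpose: "-d name [-d url]"
	cres=${?}
	res=$((res + cres))

	# One separate certificate per extra / reverse-proxy domain.
	for dom in ${DOMAINS}
	do
		echo -n "  - Demande de certificat pour ${dom}"
		askCert -d "${dom}"
		cres=${?}
		res=$((res + cres))
	done

	[[ ${res} -ne 0 ]] && echo "Erreur lors de la requête ACME veuillez consulter les journaux dans le répertoire ${LOGSDIR}"

	# Stop the temporary web server (webroot mode only). The pid file written
	# by startWWW may hold several pids; word-splitting is intended.
	if [[ -n ${PIDFILE} && -e ${PIDFILE} ]]
	then
		if ! kill $(cat "${PIDFILE}")
		then
			echo "Erreur lors de l'arrêt du processus $(cat "${PIDFILE}") (serveur web temporaire)"
			exit 45
		fi
		rm -f -- "${PIDFILE}"
	fi
	exit ${res}
else
	exit 0
fi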
