#!/bin/sh

. /etc/init.d/functions.sh
. /etc/conf.d/cert_init

# Paths this script migrates between: the stunnel conf.d file and the
# certificate it reads, and the certificate database plus its index file.
STUNNEL_CONF=/etc/conf.d/stunnel
STUNNEL_CERT_NAME=/etc/ssl/certs/server.pem
CERT_DIR=/etc/certs
CERT_CONF="${CERT_DIR}/certificates.conf"

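#######################################
# Copy a certificate file into place and apply the final ownership and mode.
# The copy itself runs under a restrictive umask so that a freshly created
# destination is never readable by others between cp and chmod (the file is
# the stunnel server PEM, which carries key material).
# Arguments: $1 - source file
#            $2 - destination file
#            $3 - group owner for the destination
#            $4 - octal mode for the destination
# Returns:   0 on success, 1 if any step fails
#######################################
_install_cert_file () {
	local src=$1 dst=$2 group=$3 mode=$4

	# A new file is created as (0666 & ~umask); the subshell keeps the
	# umask change from leaking into the caller. An existing destination
	# keeps its mode until the chmod below.
	( umask 077 && cp -- "$src" "$dst" ) &&
	chown "root:$group" -- "$dst" &&
	chmod "$mode" -- "$dst" || return 1
}

#######################################
# Move the pre-database stunnel certificate into the certificate database
# under ID 0 and point ENABLED_CERT in the stunnel configuration at it.
# Globals (read):    CERT_DIR, STUNNEL_CERT_NAME
# Globals (written): CERT_CONF (index entry appended), STUNNEL_CONF (edited)
# Outputs:           progress messages via information()
# Returns:           0 on success, 1 on any failure
#######################################
_migrate_legacy_stunnel_cert () {
	local enabled_cert_name

	[ -e "$STUNNEL_CERT_NAME" ] || return 1
	information "Migrating $STUNNEL_CERT_NAME to new format"

	# Database file names are <CERT_DIR>/<id>.<md5 of contents>.pem; the
	# legacy certificate always becomes ID 0. CERT_DIR is a fixed path with
	# no sed metacharacters, so splicing it into the replacement is safe.
	enabled_cert_name=$(md5sum "$STUNNEL_CERT_NAME" |
		sed -rn 's|^([0-9a-f]+)[[:blank:]]+.+$|'"$CERT_DIR"'/0.\1.pem|p') || return 1
	# Without this guard a failed md5sum (not visible through the pipeline's
	# status) would append an empty path to the index before the copy fails.
	[ -n "$enabled_cert_name" ] || return 1
	information "   Enabled cert name is $enabled_cert_name"

	# Index entry: the ID is base64 encoded ("0\n" -> "MAo=") with padding
	# '=' replaced by '%', followed by '=' and the file path.
	printf '%s\n' "MAo%=$enabled_cert_name" >> "$CERT_CONF" || return 1

	information "   Copying $STUNNEL_CERT_NAME to $enabled_cert_name"
	_install_cert_file "$STUNNEL_CERT_NAME" "$enabled_cert_name" root 600 || return 1

	# Finally point the stunnel configuration at the database file. The
	# spliced value is CERT_DIR plus hex digits, so it cannot break the
	# '|'-delimited expression.
	sed -ri 's|^(ENABLED_CERT[[:blank:]]*=[[:blank:]]*"?)none("?)|\1'"$enabled_cert_name"'\2|' "$STUNNEL_CONF" || return 1
}

#######################################
# Ensure the certificate stunnel reads matches the enabled database
# certificate, copying it over when the digests differ or cannot be compared.
# Globals (read): CERT_DIR, STUNNEL_CERT_NAME
# Arguments:      $1 - path of the enabled database certificate
# Outputs:        progress messages via information()
# Returns:        0 if already in sync or copied, 1 on any failure
#######################################
_sync_enabled_cert () {
	local enabled_cert=$1
	local md5_cert md5_stunnel

	[ -r "$enabled_cert" ] || return 1
	information "Verifying $enabled_cert ..."

	if [ -r "$STUNNEL_CERT_NAME" ]; then
		information "   $STUNNEL_CERT_NAME exists, checking md5"

		md5_stunnel=$(md5sum "$STUNNEL_CERT_NAME" |
			sed -rn 's|^([0-9a-f]+)[[:blank:]]+.+$|\1|p') || return 1
		information "   MDS for $STUNNEL_CERT_NAME is |$md5_stunnel|"

		# The digest is taken from the file name <CERT_DIR>/<id>.<md5>.pem.
		# The ID may have more than one digit, hence [[:digit:]]+ (the
		# previous [[:digit:]+] only matched a single digit or a literal '+').
		md5_cert=$(printf '%s\n' "$enabled_cert" |
			sed -rn 's|^'"$CERT_DIR"'/[[:digit:]]+\.([0-9a-f]+)\.pem$|\1|p') || return 1
		information "   MDS for enabled cert is |$md5_cert|"

		# Two empty digests must not count as a match: an unparseable name
		# or a failed md5sum would otherwise be reported as "in sync".
		if [ -n "$md5_stunnel" ] && [ "$md5_stunnel" = "$md5_cert" ]; then
			information "   MDS Checking OK, returning"
			return 0
		fi
	fi

	information "Copying $enabled_cert to $STUNNEL_CERT_NAME"
	_install_cert_file "$enabled_cert" "$STUNNEL_CERT_NAME" admin 660 || return 1
}

#######################################
# Migrate the legacy stunnel certificate into the certificate database, or
# sync the enabled database certificate back to the path stunnel reads.
# When stunnel is disabled the stunnel certificate file is removed instead.
# Globals (read): CERT_DIR, CERT_CONF, STUNNEL_CONF, STUNNEL_CERT_NAME
# Arguments:      none
# Outputs:        progress messages via information() from functions.sh
# Returns:        0 on success or nothing to do, 1 on any failure
#######################################
migrate_certificate () {
	local stunnel_enabled enabled_cert

	[ -d "$CERT_DIR" ] || return 1
	[ -r "$CERT_CONF" ] || return 1
	[ -r "$STUNNEL_CONF" ] || return 1

	# Extract the two settings with sed rather than sourcing the conf.d file,
	# so nothing else it contains gets executed here. NOTE: if a key appears
	# more than once every match is printed and the comparisons below fail.
	stunnel_enabled=$(sed -rne 's|^STUNNEL_ENABLED[[:blank:]]*=[[:blank:]]*"?([[:alpha:]]+)"?|\1|p' "$STUNNEL_CONF") || return 1
	enabled_cert=$(sed -rne 's|^ENABLED_CERT[[:blank:]]*=[[:blank:]]*"?([[:alnum:]/]+)"?|\1|p' "$STUNNEL_CONF") || return 1

	if [ "$stunnel_enabled" != yes ]; then
		# stunnel is disabled: the certificate it would read is not needed.
		rm -f -- "$STUNNEL_CERT_NAME"
		return 0
	fi

	if [ "$enabled_cert" = none ]; then
		# Certificate.STUNNEL_ENABLED is set but no database certificate is
		# selected yet: import the legacy file.
		_migrate_legacy_stunnel_cert || return 1
	else
		_sync_enabled_cert "$enabled_cert" || return 1
	fi
	return 0
}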

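# Entry point: `start` runs the migration; a second argument of
# `stunnel-restart` additionally restarts stunnel afterwards.
case "$1" in
	start)
		begin "SSL certificate migration script"
		migrate_certificate
		# Keep the migration status: previously `end $?` only saw the
		# status of the restart test/compound, so a failed migration was
		# reported as success.
		rv=$?

		# As before, the restart is attempted regardless of the migration
		# result; a failed restart is reported too.
		if [ "$2" = stunnel-restart ]; then
			/etc/init.d/stunnel restart || rv=$?
		fi
		end "$rv"
		;;
	*)
		error "Usage: $0 start"
		;;
esac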
