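#!/bin/sh
# signer.sh - sign an SSH public key with the local user or host CA.
#
# Usage: signer.sh <pubkey> <user|host> <name> <validity> [<principals>] [<cert-option> ...]
#   pubkey       public key file to sign
#   user|host    certificate type
#   name         config name; resolved under etc/public/<type>/<name>
#   validity     validity interval, passed verbatim to `ssh-keygen -V`
#   principals   principals for a user certificate, passed verbatim to `ssh-keygen -n`
#   cert-option  each remaining argument is passed as a separate `ssh-keygen -O <opt>`
#
# Exit status: 1 usage / missing input, 2 missing CA private key, 3 missing
# config directory; otherwise the status of the last command.

DIR_ETC=./etc/
HOST_CA_PRIV=${DIR_ETC}private/host/meutel_host_ca
USER_CA_PRIV=${DIR_ETC}private/user/meutel_user_ca
HOST_CONFIG_ROOT=${DIR_ETC}public/host/
USER_CONFIG_ROOT=${DIR_ETC}public/user/

ARGS_COUNT=$#
# public key file
PUBKEY=$1
# certificate type: user/host
TYPE=$2
# config name
NAME=$3
# certificate validity duration
VALIDITY=$4
# principals for user cert
PRINCIPALS=$5

# Everything after the fifth argument is a certificate option. Drop the
# positionals so that "$@" holds only the options, one word each (joining
# them into a string would re-split an option containing spaces).
if [ "$ARGS_COUNT" -gt 5 ]; then
  shift 5
  printf 'options: %s\n' "$*"
else
  set --
fi

# Print the usage line on stderr.
usage() {
  printf 'usage: %s <pubkey> <user|host> <name> <validity> [<principals>] [<cert-option> ...]\n' \
    "signer.sh" >&2
}

# Exit 1 unless PUBKEY names an existing regular file.
check_pubkey() {
  if [ ! -f "$PUBKEY" ]; then
    printf 'missing public key: %s\n' "$PUBKEY" >&2
    usage
    exit 1
  fi
}

# Exit 2 unless the CA private key ($1) is an existing regular file.
check_ca_key() {
  if [ ! -f "$1" ]; then
    printf 'missing private CA key: %s\n' "$1" >&2
    exit 2
  fi
}

# Exit 3 unless the config directory ($1) exists.
check_config() {
  if [ ! -d "$1" ]; then
    printf 'missing config: %s\n' "$1" >&2
    exit 3
  fi
}

# Run ssh-keygen for the user certificate.
# Arguments: zero or more certificate options, each emitted as "-O <opt>".
# Globals (read): CERT_ID USER_CA_PRIV PRINCIPALS VALIDITY SERIAL USER_PUB_KEY
# Returns: ssh-keygen's exit status.
gen_cert() {
  # The for-list is expanded once before the loop starts, so rewriting "$@"
  # inside the body is safe: each original word is shifted off and replaced
  # by its "-O <opt>" pair, preserving word boundaries.
  for opt in "$@"; do
    shift
    set -- "$@" -O "$opt"
  done
  ssh-keygen -I "$CERT_ID" -s "$USER_CA_PRIV" -n "$PRINCIPALS" \
    -V "$VALIDITY" -z "$SERIAL" "$@" "$USER_PUB_KEY"
}

# Sign PUBKEY as a user certificate under etc/public/user/<NAME>.
# Arguments: certificate options, forwarded to gen_cert.
# Side effects: copies the key into the config directory, writes the
# certificate next to it and next to PUBKEY, prints the certificate.
user_cert() {
  check_ca_key "$USER_CA_PRIV"
  USER_CONFIG=${USER_CONFIG_ROOT}${NAME}
  check_config "$USER_CONFIG"
  if [ -z "$PRINCIPALS" ]; then
    printf 'missing principals\n' >&2
    usage
    exit 1
  fi
  if [ -z "$VALIDITY" ]; then
    printf 'missing validity duration\n' >&2
    usage
    exit 1
  fi

  # Serial = number of certificates already present under this config + 1.
  # NOTE: this is derived from a file count, so deleting an old *-cert.pub
  # makes the next serial collide with an earlier one; serials must stay
  # unique for serial-based revocation (KRL) to identify a single cert.
  SERIAL=1
  for cert in "$USER_CONFIG"/*-cert.pub; do
    [ -e "$cert" ] || continue
    SERIAL=$((SERIAL + 1))
  done

  TS=$(date '+%Y%m%d%H%M.%S')
  CERT_ID="Cert $NAME for $PRINCIPALS generated $TS"
  # Key copy is named to the second; a second signing in the same second
  # overwrites it (cp -f).
  USER_PUB_KEY="$USER_CONFIG/key-${TS}.pub"
  cp -f -- "$PUBKEY" "$USER_PUB_KEY"

  printf 'Generate user certificate\n'
  printf ' key: %s\n' "$PUBKEY"
  printf ' serial: %s\n' "$SERIAL"
  printf ' ID: %s\n' "$CERT_ID"
  printf ' principals: %s\n' "$PRINCIPALS"
  printf ' validity: %s\n' "$VALIDITY"

  if gen_cert "$@"; then
    # ssh-keygen writes <key>-cert.pub beside the signed key; mirror it
    # beside the caller's public key and show what was signed.
    cp -- "${USER_PUB_KEY%.pub}-cert.pub" "${PUBKEY%.pub}-cert.pub"
    ssh-keygen -L -f "${PUBKEY%.pub}-cert.pub"
  fi
}

# Validate the host CA key and config directory for etc/public/host/<NAME>.
# No host certificate is signed here: this only runs the two checks, so the
# caller is told explicitly rather than exiting silently with nothing done.
host_cert() {
  check_ca_key "$HOST_CA_PRIV"
  HOST_CONFIG=${HOST_CONFIG_ROOT}${NAME}
  check_config "$HOST_CONFIG"
  printf 'host certificate signing is not implemented; checks passed, nothing signed\n' >&2
}

if [ "$ARGS_COUNT" -lt 4 ]; then
  usage
  exit 1
fi
check_pubkey
case "$TYPE" in
  user)
    user_cert "$@"
    ;;
  host)
    host_cert
    ;;
  *)
    printf 'unknown certificate type\n' >&2
    usage
    exit 1
    ;;
esac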