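#!/bin/bash
#
# Generates the HIRS provisioner's client key pair and key stores, records them
# in provisioner.properties and downloads the Attestation CA (ACA) trust store.
#
# Reads (sourced from /etc/hirs/hirs-site.config):
#   CLIENT_HOSTNAME, ATTESTATION_CA_FQDN, ATTESTATION_CA_PORT
# Writes:
#   /etc/hirs/certificates/provisioner/private/hirs.client.pem  (private key)
#   /etc/hirs/certificates/provisioner/hirs.client.cert
#   /etc/hirs/certificates/provisioner/hirs.p12
#   /etc/hirs/certificates/provisioner/keyStoreClient.jks
#   /etc/hirs/certificates/provisioner/TrustStore.jks
#   /etc/hirs/provisioner/provisioner.properties
# Exits 1 when the site config is unusable, the key store cannot be built or
# the trust store cannot be downloaded; progress goes to the provisioner log.

readonly PROVISIONER_DIR="/etc/hirs/provisioner"
readonly CERTIFICATES="/etc/hirs/certificates/provisioner"
readonly SITE_CONFIG_FILE="/etc/hirs/hirs-site.config"
readonly PROVISIONER_PROPERTIES="$PROVISIONER_DIR/provisioner.properties"
readonly TMP_PROPERTIES="$PROVISIONER_DIR/tmp.properties"
readonly PROVISIONER_LOG_DIR="/var/log/hirs/provisioner"
readonly PROVISIONER_LOG_FILE="$PROVISIONER_LOG_DIR/HIRS_Provisioner.log"

# certificates and key stores generated by this script.
readonly CLIENT_PEM="${CERTIFICATES}/private/hirs.client.pem"
readonly CLIENT_CERT="${CERTIFICATES}/hirs.client.cert"
readonly INTERNAL_P12="${CERTIFICATES}/hirs.p12"
readonly KEYSTORE_JKS="${CERTIFICATES}/keyStoreClient.jks"
readonly TRUSTSTORE_JKS="${CERTIFICATES}/TrustStore.jks"

# Print a message to stdout and append it to the provisioner log.
log() {
  printf '%s\n' "$*" | tee -a "$PROVISIONER_LOG_FILE"
}

# Append a message to the provisioner log only.
log_only() {
  printf '%s\n' "$*" >> "$PROVISIONER_LOG_FILE"
}

# Log a message to stderr and the provisioner log, then exit 1.
die() {
  printf '%s\n' "$*" | tee -a "$PROVISIONER_LOG_FILE" >&2
  exit 1
}

# ensure the log file and certificate directories exist; private/ only ever
# holds the client's private key, so keep it owner-only
mkdir -p "$PROVISIONER_LOG_DIR"
touch "$PROVISIONER_LOG_FILE"
mkdir -p "${CERTIFICATES}/private" || die "cannot create ${CERTIFICATES}/private"
chmod 700 "${CERTIFICATES}/private"

# delete the key store if it exists so a stale one is never reused
if [ -f "$KEYSTORE_JKS" ]; then
  log "----> Deleting existing key store"
  rm -f -- "$KEYSTORE_JKS"
fi

# Read site config and refuse to continue without the values used below:
# an empty hostname would yield a certificate with an empty CN and an empty
# ACA host/port would produce an unusable download URL and properties file.
[ -r "$SITE_CONFIG_FILE" ] || die "site config ${SITE_CONFIG_FILE} is missing or unreadable"
# shellcheck source=/dev/null
source "$SITE_CONFIG_FILE"
for required in CLIENT_HOSTNAME ATTESTATION_CA_FQDN ATTESTATION_CA_PORT; do
  [ -n "${!required}" ] || die "${required} must be set in ${SITE_CONFIG_FILE}"
done

# Key store password: 32 random alphanumeric characters taken straight from
# /dev/urandom. It is exported so that openssl and keytool can read it from the
# environment (env:) rather than from their command line, which any local user
# can list while the commands run.
P12_PASSWORD=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32)
[ "${#P12_PASSWORD}" -eq 32 ] || die "failed to generate key store password"
export P12_PASSWORD

# Private key, PKCS#12 bundle and JKS key store all contain the private key, so
# create them owner-readable only; the umask is restored afterwards so the
# properties file keeps the permissions this script always gave it.
old_umask=$(umask)
umask 077

# generate a key and self-signed certificate for this client.
log_only 'Creating 2048 bit key'
openssl req -x509 -nodes -days 3652 -newkey rsa:2048 \
  -keyout "$CLIENT_PEM" -out "$CLIENT_CERT" \
  -subj "/C=US/O=HIRS/OU=Provisioner/CN=${CLIENT_HOSTNAME}" \
  >> "$PROVISIONER_LOG_FILE" 2>&1 \
  || die "certificate generation failed; see ${PROVISIONER_LOG_FILE}"
# the certificate itself is public; give it the conventional world-readable mode
chmod 644 "$CLIENT_CERT"

# export the certificate and key as a p12 file
log_only 'Exporting key'
openssl pkcs12 -export -in "$CLIENT_CERT" -inkey "$CLIENT_PEM" -out "$INTERNAL_P12" \
  -passout env:P12_PASSWORD >> "$PROVISIONER_LOG_FILE" 2>&1 \
  || die "PKCS#12 export failed; see ${PROVISIONER_LOG_FILE}"

# create a key store using the p12 file.
log_only 'Configuring key store'
keytool -importkeystore -srckeystore "$INTERNAL_P12" -destkeystore "$KEYSTORE_JKS" \
  -srcstoretype pkcs12 -srcstorepass:env P12_PASSWORD \
  -deststoretype jks -deststorepass:env P12_PASSWORD -noprompt \
  >> "$PROVISIONER_LOG_FILE" 2>&1
umask "$old_umask"
[ -f "$KEYSTORE_JKS" ] || die "${KEYSTORE_JKS} was not created"

# Rewrite the javax.net.ssl.* entries, keeping every other property. A missing
# properties file is created rather than reported by grep.
# NOTE(review): the key store password is stored here in clear text with the
# file's default permissions; once the provisioner's runtime user is confirmed
# this file should be made readable by that user only.
if [ -f "$PROVISIONER_PROPERTIES" ]; then
  grep -v "javax.net.ssl" "$PROVISIONER_PROPERTIES" > "$TMP_PROPERTIES"
else
  : > "$TMP_PROPERTIES"
fi
mv -- "$TMP_PROPERTIES" "$PROVISIONER_PROPERTIES"
{
  printf 'javax.net.ssl.keyStore=%s\n' "$KEYSTORE_JKS"
  printf 'javax.net.ssl.trustStore=%s\n' "$TRUSTSTORE_JKS"
  printf 'javax.net.ssl.keyStorePassword=%s\n' "$P12_PASSWORD"
} >> "$PROVISIONER_PROPERTIES"

# Replace any existing HIRS trust store with the one served by the ACA.
# The ACA's TLS certificate cannot be verified at this point because the trust
# store being fetched is itself the trust anchor, so --no-check-certificate is
# kept; the download is only as trustworthy as the network path to the ACA and
# the file should be confirmed out of band (e.g. its fingerprint compared with
# the ACA operator's). The download goes to a temporary name so a failed or
# partial transfer never leaves a half-written TrustStore.jks behind.
log "----> Downloading truststore"
rm -f -- "$TRUSTSTORE_JKS"
truststore_tmp="${TRUSTSTORE_JKS}.download"
if wget --no-check-certificate -q -O "$truststore_tmp" \
    "https://${ATTESTATION_CA_FQDN}:${ATTESTATION_CA_PORT}/HIRS_AttestationCA/client-files/TrustStore.jks" \
    && [ -s "$truststore_tmp" ]; then
  mv -- "$truststore_tmp" "$TRUSTSTORE_JKS"
else
  rm -f -- "$truststore_tmp"
  # the provisioner cannot talk to the ACA without this file, so this is fatal
  die "----> ERROR: Truststore could not be downloaded from ${ATTESTATION_CA_FQDN}"
fi

# Point the provisioner at the ACA. '|' is used as the sed delimiter so a value
# containing '/' cannot terminate the expression early.
sed -i "s|provisioner\.aca\.host\s*=\s*.*|provisioner.aca.host = ${ATTESTATION_CA_FQDN}|" "$PROVISIONER_PROPERTIES"
sed -i "s|provisioner\.aca\.port\s*=\s*.*|provisioner.aca.port = ${ATTESTATION_CA_PORT}|" "$PROVISIONER_PROPERTIES"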