#!/bin/bash
# Скрипт генерации SSL сертификатов для mTLS gRPC

set -e

CERT_DIR="${1:-/etc/mnemosyne/ssl}"
DAYS_VALID=365

echo "Generating CA and server certificates in ${CERT_DIR}..."

# Создаём директорию
mkdir -p "${CERT_DIR}"

# Если сертификаты уже есть и не пустые - не перегенерируем
if [ -s "${CERT_DIR}/ca.crt" ] && [ -s "${CERT_DIR}/server.crt" ] && [ -s "${CERT_DIR}/server.key" ]; then
    echo "Certificates already exist, skipping generation."
    exit 0
fi

# Если файлы существуют но пустые - удаляем их для перегенерации
rm -f "${CERT_DIR}/ca.crt" "${CERT_DIR}/ca.key" "${CERT_DIR}/server.crt" "${CERT_DIR}/server.key" "${CERT_DIR}/server.csr"

# Генерация CA
echo "Generating CA..."
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out "${CERT_DIR}/ca.key"
openssl req -x509 -new -nodes -sha256 -days ${DAYS_VALID} \
    -key "${CERT_DIR}/ca.key" \
    -out "${CERT_DIR}/ca.crt" \
    -subj "/CN=Mnemosyne Root CA"

# Генерация серверного сертификата
echo "Generating server certificate..."
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out "${CERT_DIR}/server.key"
openssl req -new -sha256 \
    -key "${CERT_DIR}/server.key" \
    -out "${CERT_DIR}/server.csr" \
    -subj "/CN=${SERVER_CN:-localhost}"

# Создаём конфиг для server SAN
# Поддержка переменных окружения:
#   SERVER_SAN_DNS - список DNS имен через запятую (например: localhost,backend,myserver.example.com)
#   SERVER_SAN_IP - список IP адресов через запятую (например: 127.0.0.1,192.168.1.100)
cat > "${CERT_DIR}/server.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
EOF

# Добавляем DNS SAN
dns_idx=1
IFS=',' read -ra DNS_NAMES <<< "${SERVER_SAN_DNS:-localhost,backend}"
for dns_name in "${DNS_NAMES[@]}"; do
    dns_name=$(echo "$dns_name" | xargs)  # trim whitespace
    if [ -n "$dns_name" ]; then
        echo "DNS.${dns_idx} = ${dns_name}" >> "${CERT_DIR}/server.ext"
        ((dns_idx++))
    fi
done

# Добавляем wildcard для localhost если есть
echo "DNS.${dns_idx} = *.localhost" >> "${CERT_DIR}/server.ext"
((dns_idx++))

# Добавляем IP SAN
ip_idx=1
IFS=',' read -ra IP_ADDRS <<< "${SERVER_SAN_IP:-127.0.0.1}"
for ip_addr in "${IP_ADDRS[@]}"; do
    ip_addr=$(echo "$ip_addr" | xargs)  # trim whitespace
    if [ -n "$ip_addr" ]; then
        echo "IP.${ip_idx} = ${ip_addr}" >> "${CERT_DIR}/server.ext"
        ((ip_idx++))
    fi
done

openssl x509 -req -sha256 -days ${DAYS_VALID} \
    -in "${CERT_DIR}/server.csr" \
    -CA "${CERT_DIR}/ca.crt" \
    -CAkey "${CERT_DIR}/ca.key" \
    -CAcreateserial \
    -out "${CERT_DIR}/server.crt" \
    -extfile "${CERT_DIR}/server.ext"

# Очистка лишних файлов
rm -f "${CERT_DIR}/server.ext"

# Установка прав
chmod 600 "${CERT_DIR}"/*.key
chmod 644 "${CERT_DIR}"/*.crt

echo "Certificates generated successfully!"
echo "  CA:     ${CERT_DIR}/ca.crt"
echo "  Server: ${CERT_DIR}/server.crt + ${CERT_DIR}/server.key"
echo "  SAN DNS: ${SERVER_SAN_DNS:-localhost,backend}"
echo "  SAN IP:  ${SERVER_SAN_IP:-127.0.0.1}"