#!/usr/bin/sh -e
#
# Copyright Red Hat, Inc.
#
# SPDX-License-Identifier: GPL-2.0-or-later
#

PKI_STORAGE_NICKNAME="${PKI_STORAGE_NICKNAME:-kra_storage}"
PKI_TRANSPORT_NICKNAME="${PKI_TRANSPORT_NICKNAME:-kra_transport}"
PKI_SUBSYSTEM_NICKNAME="${PKI_SUBSYSTEM_NICKNAME:-subsystem}"
PKI_SSLSERVER_NICKNAME="${PKI_SSLSERVER_NICKNAME:-sslserver}"

# Allow the owner of the container (who might not be in the root group)
# to manage the config and log files.
umask 000

echo "################################################################################"

if [ -z "$(ls -A /conf 2> /dev/null)" ]
then
    echo "INFO: Installing default config files"
    cp -r /var/lib/pki/pki-tomcat/conf.default/* /conf
fi

if [ "$UID" = "0" ]
then
    chown -Rf pkiuser:root /conf
    chown -Rf pkiuser:root /logs
fi

find /conf -type f -exec chmod +rw -- {} +
find /conf -type d -exec chmod +rwx -- {} +
find /logs -type f -exec chmod +rw -- {} +
find /logs -type d -exec chmod +rwx -- {} +

echo "################################################################################"

if [ -f /certs/server.p12 ]
then
    echo "INFO: Importing system certs and keys"

    pki \
        -d /conf/alias \
        -f /conf/password.conf \
        pkcs12-import \
        --pkcs12 /certs/server.p12 \
        --password Secret.123
fi

echo "################################################################################"

if [ -f /certs/kra_storage.csr ]
then
    echo "INFO: Importing KRA storage CSR"
    cp /certs/kra_storage.csr /conf/certs/kra_storage.csr
fi

echo "INFO: KRA storage cert:"
pki \
    -d /conf/alias \
    -f /conf/password.conf \
    nss-cert-show \
    "$PKI_STORAGE_NICKNAME"

echo "################################################################################"

if [ -f /certs/kra_transport.csr ]
then
    echo "INFO: Importing KRA transport CSR"
    cp /certs/kra_transport.csr /conf/certs/kra_transport.csr
fi

echo "INFO: KRA transport cert:"
pki \
    -d /conf/alias \
    -f /conf/password.conf \
    nss-cert-show \
    "$PKI_TRANSPORT_NICKNAME"

echo "################################################################################"

if [ -f /certs/kra_audit_signing.csr ]
then
    echo "INFO: Importing audit signing CSR"
    cp /certs/kra_audit_signing.csr /conf/certs/kra_audit_signing.csr
fi

echo "INFO: Audit signing cert:"
pki \
    -d /conf/alias \
    -f /conf/password.conf \
    nss-cert-show \
    "$PKI_AUDIT_SIGNING_NICKNAME" \
    2> /dev/null || true

echo "################################################################################"

if [ -f /certs/subsystem.csr ]
then
    echo "INFO: Importing subsystem CSR"
    cp /certs/subsystem.csr /conf/certs/subsystem.csr
fi

echo "INFO: Subsystem cert:"
pki \
    -d /conf/alias \
    -f /conf/password.conf \
    nss-cert-show \
    "$PKI_SUBSYSTEM_NICKNAME"

echo "################################################################################"

if [ -f /certs/sslserver.csr ]
then
    echo "INFO: Importing SSL server CSR"
    cp /certs/sslserver.csr /conf/certs/sslserver.csr
fi

echo "INFO: SSL server cert:"
pki \
    -d /conf/alias \
    -f /conf/password.conf \
    nss-cert-show \
    "$PKI_SSLSERVER_NICKNAME"

echo "################################################################################"
echo "INFO: Creating KRA server"

OPTIONS=()

OPTIONS+=(--conf /conf)
OPTIONS+=(--logs /logs)

OPTIONS+=(-f /usr/share/pki/server/examples/installation/kra.cfg)
OPTIONS+=(-s KRA)

OPTIONS+=(-D pki_group=root)

OPTIONS+=(-D pki_cert_chain_path=/certs/ca_signing.crt)
OPTIONS+=(-D pki_cert_chain_nickname=ca_signing)

OPTIONS+=(-D pki_ds_url=$PKI_DS_URL)
OPTIONS+=(-D pki_ds_password=$PKI_DS_PASSWORD)
OPTIONS+=(-D pki_ds_database=userroot)
OPTIONS+=(-D pki_ds_setup=False)
OPTIONS+=(-D pki_skip_ds_verify=True)
OPTIONS+=(-D pki_share_db=True)

OPTIONS+=(-D pki_issuing_ca=)
OPTIONS+=(-D pki_import_system_certs=False)

OPTIONS+=(-D pki_storage_nickname="$PKI_STORAGE_NICKNAME")
OPTIONS+=(-D pki_storage_csr_path=/conf/certs/kra_storage.csr)

OPTIONS+=(-D pki_transport_nickname="$PKI_TRANSPORT_NICKNAME")
OPTIONS+=(-D pki_transport_csr_path=/conf/certs/kra_transport.csr)

OPTIONS+=(-D pki_audit_signing_nickname="$PKI_AUDIT_SIGNING_NICKNAME")
if [ -f /conf/certs/kra_audit_signing.csr ]
then
    OPTIONS+=(-D pki_audit_signing_csr_path=/conf/certs/kra_audit_signing.csr)
fi

OPTIONS+=(-D pki_subsystem_nickname="$PKI_SUBSYSTEM_NICKNAME")
OPTIONS+=(-D pki_subsystem_csr_path=/conf/certs/subsystem.csr)

OPTIONS+=(-D pki_sslserver_nickname="$PKI_SSLSERVER_NICKNAME")
OPTIONS+=(-D pki_sslserver_csr_path=/conf/certs/sslserver.csr)

OPTIONS+=(-D pki_admin_setup=False)
OPTIONS+=(-D pki_security_domain_setup=False)
OPTIONS+=(-D pki_security_manager=False)
OPTIONS+=(-D pki_systemd_service_create=False)
OPTIONS+=(-D pki_registry_enable=False)

OPTIONS+=(-v)

pkispawn "${OPTIONS[@]}"

echo "################################################################################"
echo "INFO: Configuring KRA server"

pki-server kra-config-set internaldb.minConns 0

echo "################################################################################"
echo "INFO: Updating owners and permissions"

if [ "$UID" = "0" ]
then
    chown -Rf pkiuser:root /conf
    chown -Rf pkiuser:root /logs
fi

find /conf -type f -exec chmod +rw -- {} +
find /conf -type d -exec chmod +rwx -- {} +
find /logs -type f -exec chmod +rw -- {} +
find /logs -type d -exec chmod +rwx -- {} +

echo "################################################################################"
echo "INFO: Starting KRA server"

trap "kill -- -$(ps -o pgid= $PID | grep -o '[0-9]*')" TERM

if [ "$UID" = "0" ]; then
    # In Docker the server runs as root user but it will switch
    # into pkiuser (UID=17) that belongs to the root group (GID=0).
    pki-server run &
    PID=$!
    wait $PID
else
    # In OpenShift/Podman the server runs as a non-root user
    # (with a random UID) that belongs to the root group (GID=0).
    #
    # https://www.redhat.com/en/blog/jupyter-on-openshift-part-6-running-as-an-assigned-user-id
    pki-server run --as-current-user &
    PID=$!
    wait $PID
fi
