#!/usr/bin/env bash
source "$PLUGIN_CORE_AVAILABLE_PATH/common/functions"
source "$PLUGIN_AVAILABLE_PATH/certs/functions"
set -eo pipefail
[[ $DOKKU_TRACE ]] && set -x

cmd-certs-report() {
  declare desc="displays an ssl report for one or more apps"
  declare cmd="certs:report"
  [[ "$1" == "$cmd" ]] && shift 1
  declare APP="$1" INFO_FLAG="$2"

  if [[ -n "$APP" ]] && [[ "$APP" == --* ]]; then
    INFO_FLAG="$APP"
    APP=""
  fi

  if [[ -z "$APP" ]] && [[ -z "$INFO_FLAG" ]]; then
    INFO_FLAG="true"
  fi

  if [[ -z "$APP" ]]; then
    for app in $(dokku_apps); do
      cmd-certs-report-single "$app" "$INFO_FLAG" | tee || true
    done
  else
    cmd-certs-report-single "$APP" "$INFO_FLAG"
  fi
}

cmd-certs-report-single() {
  declare APP="$1" INFO_FLAG="$2"
  if [[ "$INFO_FLAG" == "true" ]]; then
    INFO_FLAG=""
  fi
  verify_app_name "$APP"
  local flag_map=(
    "--ssl-dir: $DOKKU_ROOT/$APP/tls"
    "--ssl-enabled: $(fn-ssl-enabled "$APP")"
    "--ssl-hostnames: $(fn-ssl-hostnames "$APP")"
    "--ssl-expires-at: $(fn-ssl-expires-at "$APP")"
    "--ssl-issuer: $(fn-ssl-issuer "$APP")"
    "--ssl-starts-at: $(fn-ssl-starts-at "$APP")"
    "--ssl-subject: $(fn-ssl-subject "$APP")"
    "--ssl-verified: $(fn-ssl-verified "$APP")"
  )

  if [[ -z "$INFO_FLAG" ]]; then
    dokku_log_info2_quiet "$APP ssl information"
    for flag in "${flag_map[@]}"; do
      key="$(echo "${flag#--}" | cut -f1 -d' ' | tr - ' ')"
      dokku_log_verbose "$(printf "%-30s %-25s" "${key^}" "${flag#*: }")"
    done
  else
    local match=false
    local value_exists=false
    for flag in "${flag_map[@]}"; do
      valid_flags="${valid_flags} $(echo "$flag" | cut -d':' -f1)"
      if [[ "$flag" == "${INFO_FLAG}:"* ]]; then
        value=${flag#*: }
        size="${#value}"
        if [[ "$size" -ne 0 ]]; then
          echo "$value" && match=true && value_exists=true
        else
          match=true
        fi
      fi
    done
    [[ "$match" == "true" ]] || dokku_log_fail "Invalid flag passed, valid flags:${valid_flags}"
    [[ "$value_exists" == "true" ]] || dokku_log_fail "not deployed"
  fi
}

fn-ssl-enabled() {
  declare APP="$1"
  local SSL_ENABLED=false

  if is_ssl_enabled "$APP"; then
    SSL_ENABLED=true
  fi
  echo "$SSL_ENABLED"
}

fn-ssl-expires-at() {
  declare APP="$1"
  local APP_SSL_PATH="$DOKKU_ROOT/$APP/tls"

  if is_ssl_enabled "$APP"; then
    openssl x509 -in "$APP_SSL_PATH/server.crt" -noout -text | grep "Not After :" | awk -F " : " '{ print $2 }'
  fi
}

fn-ssl-hostnames() {
  declare APP="$1"

  if is_ssl_enabled "$APP"; then
    get_ssl_hostnames "$APP" | xargs
  fi
}

fn-ssl-issuer() {
  declare APP="$1"
  local APP_SSL_PATH="$DOKKU_ROOT/$APP/tls"

  if is_ssl_enabled "$APP"; then
    openssl x509 -in "$APP_SSL_PATH/server.crt" -noout -text | grep "Issuer:" | head -n1 | sed -e 's/Issuer: //g' -e 's/^[[:space:]]*//'
  fi
}

fn-ssl-starts-at() {
  declare APP="$1"
  local APP_SSL_PATH="$DOKKU_ROOT/$APP/tls"

  if is_ssl_enabled "$APP"; then
    openssl x509 -in "$APP_SSL_PATH/server.crt" -noout -text | grep "Not Before:" | awk -F ": " '{ print $2 }'
  fi
}

fn-ssl-subject() {
  declare APP="$1"
  local APP_SSL_PATH="$DOKKU_ROOT/$APP/tls"

  if is_ssl_enabled "$APP"; then
    openssl x509 -in "$APP_SSL_PATH/server.crt" -noout -subject | sed -e "s:subject= ::g" | sed -e "s:^/::g" | sed -e "s:/:; :g"
  fi
}

fn-ssl-verified() {
  declare APP="$1"
  local APP_SSL_PATH="$DOKKU_ROOT/$APP/tls"
  local SSL_VERIFY_OUTPUT=false SSL_SELF_SIGNED="self signed"

  if ! is_ssl_enabled "$APP"; then
    return
  fi

  if [[ -f "$APP_SSL_PATH/server.letsencrypt.crt" ]]; then
    SSL_VERIFY_OUTPUT="$(openssl verify -verbose -purpose sslserver -CAfile "$APP_SSL_PATH/server.crt" "$APP_SSL_PATH/server.letsencrypt.crt" 2>/dev/null | awk -F ':' '{ print $2 }' | tail -1 | xargs || true)"
  else
    SSL_VERIFY_OUTPUT="$(openssl verify -verbose -purpose sslserver "$APP_SSL_PATH/server.crt" 2>/dev/null | awk -F ':' '{ print $2 }' | tail -1 | xargs || true)"
  fi

  if [[ "$SSL_VERIFY_OUTPUT" == "OK" ]]; then
    SSL_SELF_SIGNED="verified by a certificate authority"
  fi

  echo "$SSL_SELF_SIGNED"
}
