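#!/usr/bin/env bash
# Generate a throwaway CA, broker (server) certificate and client certificate
# for a local Mosquitto instance. See https://mosquitto.org/man/mosquitto-tls-7.html
#
# Outputs:
#   ${MOSQUITTO_CERTS_DIR}/ca.key, ca.crt, ca.srl, server.key, server.csr, server.crt
#   ${CDIR}/client.key, client.csr, client.crt
# Environment (all optional):
#   TLS_CERT_DURATION  validity in days applied to every certificate (default 365)
#   CA_COMMON_NAME     CN of the CA certificate (default runcible.io)
#
# NOTE: every run mints a fresh CA, so certificates issued by a previous run
# stop validating against the new ca.crt.
set -euo pipefail

# Work from the project root regardless of where the script is invoked from.
cd "$(dirname "$0")/../"
CDIR=$(pwd -P)
export CDIR
MOSQUITTO_CERTS_DIR="${CDIR}/.mosquitto/certs"
TLS_CERT_DURATION="${TLS_CERT_DURATION:-365}"
CA_COMMON_NAME="${CA_COMMON_NAME:-runcible.io}"
HOSTNAME=$(hostname)

#######################################
# Print the local-development-only warning to stdout.
#######################################
warn() {
  printf '\nFOR LOCAL DEVELOPMENT ONLY!!! These certs do not follow best practices.\n'
  printf '%s\n\n' "Keys are not encrypted! Seriously, don't use this for anything other than local development."
}

#######################################
# Create the CA private key and a self-signed CA certificate.
# Globals:  MOSQUITTO_CERTS_DIR, TLS_CERT_DURATION, CA_COMMON_NAME (read)
# Outputs:  ca.key and ca.crt under MOSQUITTO_CERTS_DIR
#######################################
generate_ca_cert() {
  echo "Generating CA key in ${MOSQUITTO_CERTS_DIR}..."
  # The CA key is only ever read by this script (for signing below), so it is
  # written owner-only instead of with the default umask. server.key/client.key
  # are left at the default mode because the broker/client process that reads
  # them is not visible from here — confirm and tighten if they run as the same user.
  (umask 077 && openssl genpkey -algorithm RSA -out "${MOSQUITTO_CERTS_DIR}/ca.key")
  echo "Generating CA cert..."
  openssl req -x509 -new -nodes -key "${MOSQUITTO_CERTS_DIR}/ca.key" -sha256 \
    -days "${TLS_CERT_DURATION}" -extensions v3_ca \
    -out "${MOSQUITTO_CERTS_DIR}/ca.crt" \
    -subj "/C=US/O=Runcible/CN=${CA_COMMON_NAME}"
  echo "CA cert generation complete."
}

#######################################
# Create the broker key, a CSR for this host, and sign it with the CA.
# Globals:  MOSQUITTO_CERTS_DIR, TLS_CERT_DURATION, HOSTNAME (read)
# Outputs:  server.key, server.csr, server.crt under MOSQUITTO_CERTS_DIR
#######################################
generate_server_cert() {
  echo "Generating server key..."
  openssl genrsa -out "${MOSQUITTO_CERTS_DIR}/server.key" 2048
  echo "Generating cert signing request for CA..."
  openssl req -new -key "${MOSQUITTO_CERTS_DIR}/server.key" \
    -out "${MOSQUITTO_CERTS_DIR}/server.csr" \
    -subj "/C=US/O=Runcible/CN=${HOSTNAME}"
  echo "Sending server CSR to CA..."
  # Hostname verification in current TLS stacks matches subjectAltName, not CN;
  # a CN-only server cert is rejected by verifying clients. Extra names can be
  # appended to the SAN list here if clients connect under a different name.
  openssl x509 -req -in "${MOSQUITTO_CERTS_DIR}/server.csr" \
    -CA "${MOSQUITTO_CERTS_DIR}/ca.crt" -CAkey "${MOSQUITTO_CERTS_DIR}/ca.key" -CAcreateserial \
    -extfile <(printf 'subjectAltName=DNS:%s\n' "${HOSTNAME}") \
    -out "${MOSQUITTO_CERTS_DIR}/server.crt" -days "${TLS_CERT_DURATION}"
  echo "Server cert generation complete."
}

#######################################
# Create the client key, a CSR with CN=localhost, and sign it with the CA.
# Globals:  CDIR, MOSQUITTO_CERTS_DIR, TLS_CERT_DURATION (read)
# Outputs:  client.key, client.csr, client.crt in the project root (CDIR)
#######################################
generate_client_cert() {
  echo "Creating client cert in ${CDIR}"
  echo "Generating client key..."
  openssl genrsa -out "${CDIR}/client.key" 2048
  echo "Generating client CSR for CA..."
  openssl req -new -key "${CDIR}/client.key" -out "${CDIR}/client.csr" \
    -subj "/C=US/O=Runcible/CN=localhost"
  echo "Sending client CSR to CA..."
  openssl x509 -req -in "${CDIR}/client.csr" \
    -CA "${MOSQUITTO_CERTS_DIR}/ca.crt" -CAkey "${MOSQUITTO_CERTS_DIR}/ca.key" -CAcreateserial \
    -out "${CDIR}/client.crt" -days "${TLS_CERT_DURATION}"
  echo "Client cert generation complete."
}

#######################################
# Entry point: warn, ensure the output directory exists, generate all three
# certificates, warn again.
#######################################
main() {
  warn
  # openssl does not create parent directories; a fresh checkout has no
  # .mosquitto/certs and every generate_* step would fail without this.
  mkdir -p -- "${MOSQUITTO_CERTS_DIR}"
  generate_ca_cert
  generate_server_cert
  generate_client_cert
  warn
}

main "$@"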