#!/usr/bin/env bash
#======================================================================
#                        HA Web Konsole (Hawk)
# --------------------------------------------------------------------
#            A web-based GUI for managing and monitoring the
#          Pacemaker High-Availability cluster resource manager
#
# Copyright (c) 2009-2013 SUSE LLC, All Rights Reserved.
#
# Author: Tim Serong <tserong@suse.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of version 2 of the GNU General Public License as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it would be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Further, this software is distributed without any warranty that it is
# free of the rightful claim of any third person regarding infringement
# or the like.  Any license provided herein, whether implied or
# otherwise, applies only to this software file.  Patent licenses, if
# any, provided herein do not apply to combinations of this program with
# other software, or any other product whatsoever.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write the Free Software Foundation,
# Inc., 59 Temple Place - Suite 330, Boston MA 02111-1307, USA.
#
#======================================================================

#
# Generate a self-signed SSL certificate if necessary. Will not
# generate certificate if one already exists, so administrator can
# install a "real" certificate by simply replacing the generated
# one at /etc/ssl/certs/hawk.pem
#
# NOTE: This is essentially a heavily stripped-back shell version
# of the more generic check-create-certificate.pl script from WebYaST.
# If this latter script becomes generally available, we should prefer
# using it over this.
#

openssl_bin=/usr/bin/openssl
c_rehash_bin=/usr/bin/c_rehash

cert_key_file=/etc/ssl/certs/hawk.key
[ -n "$HAWK_KEY" ] && cert_key_file=$HAWK_KEY

cert_file=/etc/ssl/certs/hawk.pem
[ -n "$HAWK_CERT" ] && cert_file=$HAWK_CERT

log_file=$(dirname $0)/../log/certificate.log

[ -e "$cert_key_file" ] && [ -e $cert_file ] && exit 0

echo "No SSL certificate found. Creating one now."
mkdir -p $(dirname $cert_key_file)
mkdir -p $(dirname $cert_file)

old_mask=$(umask)
umask 137

CN=$(hostname -f)

[ -z "$CN" ] && CN=$(hostname)
[ -z "$CN" ] && CN=localhost

$openssl_bin req -newkey rsa:2048 -x509 -nodes -days 1095 -batch -config /dev/fd/0 -out $cert_file -keyout $cert_key_file >$log_file 2>&1 <<CONF
[req]
distinguished_name = user_dn
prompt = no

[user_dn]
commonName=$CN
emailAddress=root@$CN
organizationName=HA Web Konsole
organizationalUnitName=Automatically Generated Certificate
CONF

rc=$?

if [ $rc -eq 0 ]; then
  [ -x "$c_rehash_bin" ] && $c_rehash_bin $(dirname $cert_file) >/dev/null 2>&1
else
  echo "Could not generate certificate. Please see $log_file for details"
fi

chown root:haclient $cert_key_file $cert_file

umask $old_mask
exit $rc
