#!/bin/bash
#
# Check puppet fingerprints, hydractl perspective.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License along with this program.  If not, see
# <http://www.gnu.org/licenses/>.

# Load
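# Load the shared hydra shell library and the hydra configuration.
# APP_BASE must name the application root: abort with a message when it is
# unset instead of silently sourcing "/lib/hydra/functions".
: "${APP_BASE:?APP_BASE must be set}"
source "$APP_BASE/lib/hydra/functions" || exit 1
hydra_config_load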

# Command line arguments
BASENAME="`basename $0`"

# Execute openssl
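#######################################
# Print the SHA1 fingerprint of an X.509 certificate, as reported by
# openssl, without the "SHA1 Fingerprint=" prefix.
# Arguments: $1 - path to a PEM certificate (nothing is printed if empty)
# Outputs:   the fingerprint on stdout; openssl errors go to stderr
#######################################
function puppet_openssl {
  local cert="$1"

  if [ -z "$cert" ]; then
    return
  fi

  # "-text" was dropped: it only dumps the whole certificate, which the
  # grep below discards anyway.  The path is quoted so names containing
  # spaces or glob characters reach openssl intact.
  # The digest stays SHA1 because downstream consumers compare this exact
  # value; a collision-resistant digest (e.g. -sha256) would be preferable
  # for verification but changes the printed output.
  openssl x509 -noout -fingerprint -in "$cert" \
    | grep '^SHA1 Fingerprint=' \
    | sed -e 's/^SHA1 Fingerprint=//'
}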

# Print a fingerprint with correct padding.
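#######################################
# Print "<name>: <fingerprint>" with the fingerprint right-aligned so the
# line is 85 columns wide.
# Arguments: $1 - label (certificate name)
#            $2 - fingerprint (nothing is printed if empty)
# Outputs:   one formatted line on stdout
#######################################
function print_fingerprint {
  local name="$1" fp="$2"
  local offset

  if [ -z "$fp" ]; then
    return
  fi

  # The previous implementation measured the label with `echo | wc -c`,
  # which includes the trailing newline; 84 (= 85 - 1) keeps the same
  # column layout without the subshell.
  offset=$((84 - ${#name}))
  # The label is passed as an argument, never as the format string, so a
  # '%' or backslash in a certificate filename cannot corrupt the output.
  # A negative width left-justifies, matching the old "%-Ns" behaviour.
  printf '%s: %*s\n' "$name" "$offset" "$fp"
}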

# Master:
#
#  openssl x509 -text -noout -fingerprint -in /var/lib/puppetmaster/ssl/ca/signed/fqdn.pem
#  openssl x509 -text -noout -fingerprint -in /var/lib/puppetmaster/ssl/certs/ca.pem
#
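if [ -d "/var/lib/puppetmaster/ssl" ]; then
  if [ -d "/var/lib/puppetmaster/ssl/ca/signed" ]; then
    # Glob instead of parsing `ls` so filenames with spaces or glob
    # characters stay intact.  An unmatched pattern expands to itself,
    # hence the existence check.
    for file in /var/lib/puppetmaster/ssl/ca/signed/*; do
      [ -e "$file" ] || continue
      fp="$(puppet_openssl "$file")"
      # print_fingerprint prints nothing when the fingerprint is empty
      # (e.g. openssl failed on a non-certificate entry).
      print_fingerprint "$(basename -- "$file" .pem)" "$fp"
    done
  fi

  if [ -f "/var/lib/puppetmaster/ssl/certs/ca.pem" ]; then
    print_fingerprint ca "$(puppet_openssl /var/lib/puppetmaster/ssl/certs/ca.pem)"
  fi
fi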

# Node:
#
#  openssl x509 -text -noout -fingerprint -in /var/lib/puppet/ssl/certs/fqdn.pem
#  openssl x509 -text -noout -fingerprint -in /var/lib/puppet/ssl/certs/ca.pem
#
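if [ -d "/var/lib/puppet/ssl" ]; then
  fqdn="$(facter fqdn)"
  # Without a hostname the certificate path would degenerate to
  # "certs/.pem"; skip the node certificate (and the spurious openssl
  # error) in that case.  The CA fingerprint is printed regardless.
  if [ -n "$fqdn" ]; then
    print_fingerprint "$fqdn" "$(puppet_openssl "/var/lib/puppet/ssl/certs/$fqdn.pem")"
  fi
  print_fingerprint ca "$(puppet_openssl /var/lib/puppet/ssl/certs/ca.pem)"
fi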