require 'openssl'
require 'certificate_authority'
require 'date'
require 'digest/md5'

module LeapCli; module Commands

  desc 'Creates the public and private key for your Certificate Authority.'
  command :'init-ca' do |c|
    c.action do |global_options,options,args|
      assert_files_missing! :ca_cert, :ca_key
      assert_config! 'provider.ca.name'
      assert_config! 'provider.ca.bit_size'

      provider = manager.provider
      root = CertificateAuthority::Certificate.new

      # set subject
      root.subject.common_name = provider.ca.name
      possible = ['country', 'state', 'locality', 'organization', 'organizational_unit', 'email_address']
      provider.ca.keys.each do |key|
        if possible.include?(key)
          root.subject.send(key + '=', provider.ca[key])
        end
      end

      # set expiration
      years = 2
      today = Date.today
      root.not_before = Time.gm today.year, today.month, today.day
      root.not_after = root.not_before + years * 60 * 60 * 24 * 365

      # generate private key
      root.serial_number.number = 1
      root.key_material.generate_key(provider.ca.bit_size)

      # sign self
      root.signing_entity = true
      root.parent = root
      root.sign!(ca_root_signing_profile)

      # save
      write_file!(:ca_key, root.key_material.private_key.to_pem)
      write_file!(:ca_cert, root.to_pem)
    end
  end

  desc 'Creates or renews a X.509 certificate/key pair for a single node or all nodes'
  arg_name '<node-name | "all">', :optional => false, :multiple => false
  command :'update-cert' do |c|
    c.action do |global_options,options,args|
      assert_files_exist! :ca_cert, :ca_key, :msg => 'Run init-ca to create them'
      assert_config! 'provider.ca.server_certificates.bit_size'
      assert_config! 'provider.ca.server_certificates.life_span'

      if args.first == 'all'
        bail! 'not supported yet'
      else
        provider = manager.provider
        ca_root  = cert_from_files(:ca_cert, :ca_key)
        node     = get_node_from_args(args)

        # set subject
        cert = CertificateAuthority::Certificate.new
        cert.subject.common_name = node.domain.full

        # set expiration
        years = provider.ca.server_certificates.life_span.to_i
        today = Date.today
        cert.not_before = Time.gm today.year, today.month, today.day
        cert.not_after = cert.not_before + years * 60 * 60 * 24 * 365

        # generate key
        cert.serial_number.number = cert_serial_number(node.domain.full)
        cert.key_material.generate_key(provider.ca.server_certificates.bit_size)

        # sign
        cert.parent = ca_root
        cert.sign!(server_signing_profile(node))

        # save
        write_file!([:node_x509_key, node.name], cert.key_material.private_key.to_pem)
        write_file!([:node_x509_cert, node.name], cert.to_pem)
      end
    end
  end

  desc 'Generates Diffie-Hellman parameter file (needed for server-side of TLS connections)'
  command :'init-dh' do |c|
    c.action do |global_options,options,args|
      long_running do
        if cmd_exists?('certtool')
          progress('Generating DH parameters (takes a long time)...')
          output = assert_run!('certtool --generate-dh-params --sec-param high')
          write_file!(:dh_params, output)
        else
          progress('Generating DH parameters (takes a REALLY long time)...')
          output = OpenSSL::PKey::DH.generate(3248).to_pem
          write_file!(:dh_params, output)
        end
      end
    end
  end

  private

  def cert_from_files(crt, key)
    crt = read_file!(crt)
    key = read_file!(key)
    openssl_cert = OpenSSL::X509::Certificate.new(crt)
    cert = CertificateAuthority::Certificate.from_openssl(openssl_cert)
    cert.key_material.private_key = OpenSSL::PKey::RSA.new(key, nil)  # second argument is password, if set
    return cert
  end

  def ca_root_signing_profile
    {
      "extensions" => {
        "basicConstraints" => {"ca" => true},
        "keyUsage" => {
          "usage" => ["critical", "keyCertSign"]
        },
        "extendedKeyUsage" => {
          "usage" => []
        }
      }
    }
  end

  #
  # for keyusage, openvpn server certs can have keyEncipherment or keyAgreement. I am not sure which is preferable.
  # going with keyAgreement for now.
  #
  # digest options: SHA512, SHA1
  #
  def server_signing_profile(node)
    {
      "digest" => "SHA256",
      "extensions" => {
        "keyUsage" => {
          "usage" => ["digitalSignature", "keyAgreement"]
        },
        "extendedKeyUsage" => {
          "usage" => ["serverAuth"]
        },
        "subjectAltName" => {
          "uris" => [
            "IP:#{node.ip_address}",
            "DNS:#{node.domain.internal}"
          ]
        }
      }
    }
  end

  #
  # For cert serial numbers, we need a non-colliding number less than 160 bits.
  # md5 will do nicely, since there is no need for a secure hash, just a short one.
  # (md5 is 128 bits)
  #
  def cert_serial_number(domain_name)
    Digest::MD5.hexdigest("#{domain_name} -- #{Time.now}").to_i(16)
  end

end; end