#!/bin/sh

set -euo pipefail

SECRET_JSON="$(@curl@/bin/curl \
	-H "X-Vault-Request: true" \
	--unix-socket "/run/tokend/sock" \
	"http://localhost:8200/v1/kv/data/apps/sslrenew-raritan")"

if [[ "$(@jq@/bin/jq .errors <(echo "$SECRET_JSON") 2>/dev/null)" != "null" ]]; then
	@jq@/bin/jq .errors <(echo "$SECRET_JSON") >&2
	exit 1
fi

RARITAN_USERNAME="$(@jq@/bin/jq -r .data.data.username <(echo "$SECRET_JSON"))"
RARITAN_PASSWORD="$(@jq@/bin/jq -r .data.data.password <(echo "$SECRET_JSON"))"

CERTIFICATE_JSON="$(@curl@/bin/curl \
	-H "X-Vault-Request: true" \
	-X PUT \
	-d "{\"common_name\": \"${CERTIFICATE_DOMAIN}\"}" \
	--unix-socket "/run/tokend/sock" \
	"http://localhost:8200/v1/acme/certs/${CERTIFICATE_ROLE}")"

if [[ "$(@jq@/bin/jq .errors <(echo "$CERTIFICATE_JSON") 2>/dev/null)" != "null" ]]; then
	@jq@/bin/jq .errors <(echo "$CERTIFICATE_JSON") >&2
	exit 1
fi

temp_dir=$(mktemp -d)
trap "rm -rf $temp_dir" INT TERM HUP EXIT

@jq@/bin/jq -r .data.cert <(echo "$CERTIFICATE_JSON") > "$temp_dir/cert.pem"
@jq@/bin/jq -r .data.private_key <(echo "$CERTIFICATE_JSON") > "$temp_dir/pkey.pem"

@curl@/bin/curl -k \
	--user "${RARITAN_USERNAME}:${RARITAN_PASSWORD}" \
	-F cert_file=@"$temp_dir/cert.pem" \
	-F key_file=@"$temp_dir/pkey.pem" \
	"https://${RARITAN_IP}/cgi-bin/server_ssl_cert_upload.cgi"
@curl@/bin/curl -k \
	--user "${RARITAN_USERNAME}:${RARITAN_PASSWORD}" \
	"https://${RARITAN_IP}/bulk" \
	-H 'Content-Type: application/json; charset=UTF-8' \
	--data-binary '{"jsonrpc":"2.0","method":"performBulk","params":{"requests":[{"rid":"/server_ssl_cert","json":{"jsonrpc":"2.0","method":"installPendingKeyPair","params":null,"id":1}}]},"id":2}'