#!/usr/bin/perl -w
# 
# puke if not root
# deps: libsys-hostname-long-perl
#	

use strict;
use Sys::Hostname::Long;
use Getopt::Long;
use fdstools;

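# Command-line switches, keyed by switch letter.  GetOptions() warns about an
# unknown switch or a missing value and returns false; since every remaining
# switch creates, imports or exports certificate material, refuse to continue
# on a half-parsed option set instead of silently ignoring the problem.
# NOTE(review): -n and -p are parsed here but are not referenced by the
# dispatch code below (-c carries the hostname; -m is called without -p).
my %opt;
GetOptions(
    \%opt,
    'h',    # display help
    'q',    # initialize cert database files
    'w',    # create CAcert certificate
    'c=s',  # create Server-Cert certificate for the given hostname
    'i',    # init mode, same as -q -w -c (cannot use altname extensions here)
    'n=s',  # hostname to use, generally want to pass the FQDN hostname
    '8=s',  # use altDNS extensions when creating Server Cert, comma separated ex -8 "fds,fds.ldap.com,192.168.0.10"
    'l:s',  # list certs in the database, get detailed info with -l "CERTNAME"
    'x=s',  # export a Server-Cert to file, must pass cert name from a -l listing eg -x "Server-Cert-fds"
    'm=s',  # import a cert into the database. must pass the cert filename eg -m /tmp/cacert.asc or -m /tmp/Server-Cert.p12
    'p=s',  # use pwd file from the CACert during a -m import, otherwise you'll be prompted for the password used to create the exported cert
    't=s',  # turn on ssl on fds running on the localhost. Must also include the cert name to use ie -t Server-Cert-fdsserv1, use -l to find names.
    'e',    # show fdssl examples
) or do {
    # GetOptions() has already printed what was wrong with the switch.
    print STDERR "setup_ssl: invalid command line, run setup_ssl -h for usage\n";
    exit 1;
};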


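# Wrapper object around certutil/pk12util and the local directory server.
# Class->new() rather than the indirect-object form `new fdstools()`, which
# can mis-parse if a sub called `new` is ever in scope here.
my $fdst = fdstools->new();

# Per-instance paths (SEC_DIR, INSTANCE, ...) interpolated into the help text.
# NOTE(review): the file header says "puke if not root" but nothing in this
# script checks $> -- confirm fdstools->new() or get_file_locations() does.
my $locations = $fdst->get_file_locations();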


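# Dispatch on the switches.  Each branch exits, so at most one action runs
# per invocation; order matters where switches are allowed to be combined.
if (defined($opt{h})) {
	showHelp();
	exit 0;
}

if (defined($opt{e})) {
	showExamples();
	exit 0;
}

# -m: import a cert (.asc CA cert or .p12 Server-Cert) into the database.
# NOTE(review): -p (pwdfile) is parsed but never handed to import_cert()
# here, although the help text says it applies to -m; confirm whether
# import_cert() needs it passed or obtains the password some other way.
if (defined($opt{m})) {
	$fdst->import_cert($opt{m});
	exit 0;
}

# -l: list certs.  The spec is 'l:s' (optional value), so a bare -l gives "".
if (defined($opt{l})) {
	if ($opt{l} eq "") {
		# no name given, list everything
		$fdst->listCerts();
	} else {
		# otherwise show the details of the named cert
		$fdst->listCerts($opt{l});
	}
	exit 0;
}

# -t: switch the instance on this host to SSL using the named cert.
if (defined($opt{t})) {
	$fdst->enable_ssl("localhost", $opt{t});
	exit 0;
}

# -x: export a Server-Cert to a .p12 file.
# When -c is also given the cert does not exist yet: the -c branch below
# creates it and then performs the export.
if (defined($opt{x}) && !defined($opt{c})) {
	$fdst->exportCert($opt{x});
	exit 0;
}

# -i: init mode -- create the db, a CA cert and a Server-Cert for this host.
if (defined($opt{i})) {
	if (defined($opt{q}) || defined($opt{w}) || defined($opt{c})) {
		# -i already does -q -w -c; mixing them would just create extra CAs.
		print STDERR "You can't combine init mode (-i) with -c, -w or -q, quitting\n";
		exit 1;
	}
	$fdst->createDB();
	$fdst->createCA();
	# hostname_long() is imported from Sys::Hostname::Long; parens make the
	# call explicit rather than relying on bareword resolution.
	$fdst->createCert(hostname_long());
	exit 0;
}

# -q: initialise the cert database files only.
if (defined($opt{q})) {
	$fdst->createDB();
	exit 0;
}

# -w: create the CA cert only.
if (defined($opt{w})) {
	$fdst->createCA();
	exit 0;
}

# -c: create a Server-Cert for the given hostname, with -8 altnames if passed.
if (defined($opt{c})) {
	if (defined($opt{8})) {
		$fdst->createCert($opt{c}, $opt{8});
	} else {
		$fdst->createCert($opt{c});
	}
	# -x alongside -c was deferred above so the cert exists before export.
	$fdst->exportCert($opt{x}) if defined($opt{x});
	exit 0;
}

# no options, display help
showHelp();
exit 0;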


##################### subs ##############################3

# Print the usage text shown by -h (and when no switch is given at all).
# Interpolates $locations->{SEC_DIR} and $locations->{INSTANCE}, the file
# lexicals obtained from fdstools above, so the paths match this instance.
 sub showHelp {

	# display help
	print "setup_ssl - setup and manage certificates and certificate databases for Fedora Directory Server\n";
	print "It's essentially a glorifed wrapper for certutil and pk12util.\n\n";
	print "OPTIONS:

		-q	-  initialize the database files at location $locations->{SEC_DIR}  
				Probably a good idea to move old files to a backup locations, and this will generate new ones.
				
		-w	-  Create a CACert in the database located at $locations->{SEC_DIR}
				
		-c	-  Create a Server-Cert in the database located at $locations->{SEC_DIR}
				Additional switches used
					-c -- FQDN of the host you're creating the cert for. REQUIRED 
					-8 -- Comma separated list of altname dns extension hostnames to add to the cert with. [optional]
		-i	-  Init mode.  Will run -q -w -c all in one shot.  Good for setting up the initial db on your CACert generating host
				but don't run on any other servers as it will create additional CACerts. WILL NOT USE dns altname extensions
				
		-l	-  List all the certs in the database located at $locations->{SEC_DIR}
				Additional switches used
					use -l to get the list of names, then run again with -l CERT_NAME to get detailed info

		-x	-  Extract a Server-Cert to a $locations->{SEC_DIR}/Server-Cert.p12 takes the Server-Cert name as the argument
					eq -x Server-Cert-fds
					Cert names are listed by running a setup_ssl -l

		-m	-  Import a cert into an existing database,  will take either a .asc cert or .p12 as the argument
				ie -m /tmp/cacert.asc or -m /tmp/Server-Cert-fds.p12
				Additional switches used
					-p /path/to/pwdfile used to encrypt p12 Server Cert.  This is the pwdfile on the machine that
						created the cert.  If omitted,  you will be prompted for the password.
		
		-t	-  Turn on ssl on localhost for instance $locations->{INSTANCE} with perl ldap calls
				Must also pass the Cert name to use ie -t Server-Cert-fds. -l to list certs
		-e	-  Show example commands

		\n\n\n";

 }

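# Print the worked examples shown by -e.  Interpolates $locations->{SEC_DIR}
# (file lexical set up from fdstools above) so the paths match this instance.
# The -t switch is declared as 't=s' and requires the cert name, so the
# examples pass one; a bare "setup_ssl -t" is rejected by GetOptions().
# NOTE(review): the text suggests copying the CA host's pwdfile to each new
# server; that file unlocks the CA key database, so the prompted path is the
# safer default -- consider rewording.
sub showExamples {

	print "\n\n\t\tEXAMPLES

		
		initial setup for your CACert signing instance of fds (you only want one of these)
		Remove/backup your existing $locations->{SEC_DIR}/key3.db cert8.db secmod.db file first
		
			setup_ssl -i
	
		Then turn on ssl for your server (-t needs the cert name, use setup_ssl -l to find it)
		
			setup_ssl -t Server-Cert-fds

		If you're only using one server you should be done here

		Create a Server-Cert for another Server

			setup_ssl -c \"fds.test.com\"
			setup_ssl -c \"fds.test.com\" -8 \"fds,192.168.0.100\"

		EXtract the cert you just created 
			
			setup_ssl -l	(to list the available certs)
			setup_ssl -x \"Server-Cert-test\"
			NOTE:  This is assuming you have custom cert names turned on in the config file.
				otherwise you'll end up with a bunch of certs all named Server-Cert
			This will create $locations->{SEC_DIR}/Server-Cert-test.p12

		Rinse and repeat for any other FDS servers you want to use SSL on.

		Importing keys into other servers

		Once you have your CACert signing server up and configured,  you need to import the keys/CAs generated on that machine.
		scp (or however you want to transfer the cacert.asc and Server-Cert.p12 file to the new machine.  You can also transfer 
		over the CACert machine's $locations->{SEC_DIR}/pwdfile for importing the cert into the new machine.  
			* you don't need to copy the pwdfile,  but you will be prompted for its contents when importing the key *

		On the new server,  remove the old cert8.db, key3.db and secmod.db files in $locations->{SEC_DIR} (doesn't hurt to back those up I guess)

		Now init the database on this machine (DON'T RUN WITH -i on other machines)

			setup_ssl -q
	
		When done,  import the CACert

			setup_ssl -m /tmp/cacert.asc

		When done,  import the Server-Cert
			
			setup_ssl -m /tmp/Server-Cert-test.p12	(you will be prompted for the password used to create the Cert)
			or
			setup_ssl -m /tmp/Server-Cert-test.p12 -p /path/to/CACerts/pwdfile.  
				* Remember,  this is the pwdfile FROM THE MACHINE THAT CREATED THE CERT *

		Then turn on ssl (again, -t takes the name of the cert you just imported)

			setup_ssl -t Server-Cert-test
	
		You *should* now be running fds with ssl mode enabled. Yay.\n\n\n";
}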