#!/usr/bin/env bash

if [ `id -gn` != "root" ]; then
    echo "Run as root!"
    exit 1
fi

source "${SNAP}/init"
DOMAIN=`snapctl get domain`

echo "See log (journal -exf --grep=snap.${SNAP_NAME}*) for result"
if [ "${DOMAIN}" != "--not-set" ]; then
    snapctl is-connected certs

    if [ $? -ne 0 ]; then
        snapctl set domain="--not-set"
        exit 0
    fi

    readarray -d '' DOMAINS < <(find "${CERTS_DIR}" -type d -name "${DOMAIN}" -print0)

    if [ "${#DOMAINS[@]}" -ne 0 ]; then
        DOMAIN_DIR="${DOMAINS[0]}"
        LAST_EDITED=`stat "${DOMAIN_DIR}/.time" --format="%Y" 2> /dev/null || echo 0`
        ORIG_EDITED=`stat "${SSL_DIR}/.time" --format="%Y" 2> /dev/null || echo 0`

        if [ "${LAST_EDITED}" -le "${ORIG_EDITED}" ]; then 
            logger "${SNAP_NAME}: Certificate for ${DOMAIN} is not changed"
            exit 0
        fi

        gpg_start_agent

        i=0
        readarray -d '' CERTIFICATES < <(find "${DOMAIN_DIR}" -type f -name "*.gpg" -print0)
        for CERTIFICATE in "${CERTIFICATES[@]}"; do
            DEST="${SSL_DIR}/`basename "${CERTIFICATE}" ".gpg"`"
            ORIG=""
            if [ -f "${DEST}" ]; then
                ORIG="`cat "${DEST}"`"
            fi
            gpg --batch --yes --output "${DEST}" --decrypt "${CERTIFICATE}"
                
            DIFF=`echo "${ORIG}" | diff "${DEST}" -`
            RET=$?
            if [ "${RET}" -ne 0 ]; then
                echo "${ORIG}" > "${DEST}.backup"
                (( i = $i + 1 ))
            fi
        done
        if [ "${i}" -ne 0 ]; then
            cp -f "${DOMAIN_DIR}/.time" "${SSL_DIR}/.time"
            logger "${SNAP_NAME}: Certificates (${DOMAIN}) changed for ${SNAP_NAME}-${UUID}, restart"
            snapctl restart "${SNAP_NAME}"
        fi
        gpg_close_agent
    else
        logger "No certificate for ${DOMAIN} for ${SNAP_NAME}"
    fi
fi