#!/bin/bash
# info: adding letsencrypt ssl cetificate for domain
# options: USER DOMAIN [ALIASES] [RESTART] [NOTIFY]
#
# The function turns on SSL support for a domain. Parameter ssl_dir is a path
# to directory where 2 or 3 ssl files can be found. Certificate file 
# domain.tld.crt and its key domain.tld.key  are mandatory. Certificate
# authority domain.tld.ca file is optional. If home directory  parameter
# (ssl_home) is not set, https domain uses public_shtml as separate
# documentroot directory.


#----------------------------------------------------------#
#                    Variable&Function                     #
#----------------------------------------------------------#

# Argument definition
user=$1
domain=$2
aliases=$3
restart=$4
notify=$5

# Includes
source $VESTA/func/main.sh
source $VESTA/func/domain.sh
source $VESTA/conf/vesta.conf


#----------------------------------------------------------#
#                    Verifications                         #
#----------------------------------------------------------#

check_args '2' "$#" 'USER DOMAIN [ALIASES] [RESTART] [NOTIFY]'
is_format_valid 'user' 'domain'
is_system_enabled "$WEB_SYSTEM" 'WEB_SYSTEM'
is_system_enabled "$WEB_SSL" 'SSL_SUPPORT'
is_object_valid 'user' 'USER' "$user"
is_object_unsuspended 'user' 'USER' "$user"
is_object_valid 'web' 'DOMAIN' "$domain"
is_object_unsuspended 'web' 'DOMAIN' "$domain"


#----------------------------------------------------------#
#                       Action                             #
#----------------------------------------------------------#

# Parsing domain data
get_domain_values 'web'

# Registering LetsEncrypt user account
$BIN/v-add-letsencrypt-user $user
if [ "$?" -ne 0  ]; then
    touch $VESTA/data/queue/letsencrypt.pipe
    sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe
    send_notice "LETSENCRYPT" "Account registration failed"
    check_result $E_CONNECT "LE account registration" >/dev/null
fi

# Parsing LetsEncrypt account data
source $USER_DATA/ssl/le.conf
email=$EMAIL

# Validating domain and aliases
i=1
for alias in $(echo $domain,$aliases |tr ',' '\n' |sort -u); do
    $BIN/v-check-letsencrypt-domain $user $alias
    if [ "$?" -ne 0 ]; then
        touch $VESTA/data/queue/letsencrypt.pipe
        sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe
        send_notice "LETSENCRYPT" "$alias validation failed"
        check_result $E_INVALID "LE domain validation" >/dev/null
    fi

    # Checking LE limits per account
    if [ "$i" -gt 100 ]; then
        touch $VESTA/data/queue/letsencrypt.pipe
        sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe
        send_notice 'LETSENCRYPT' 'Limit of domains per account is reached'
        check_result $E_LIMIT "LE can't sign more than 100 domains"
    fi
    i=$((i++))
done

# Generating CSR
ssl_dir=$($BIN/v-generate-ssl-cert "$domain" "$email" "US" "California" \
    "San Francisco" "Vesta" "IT" "$aliases" |tail -n1 |awk '{print $2}')

# Signing CSR
crt=$($BIN/v-sign-letsencrypt-csr $user $domain $ssl_dir)
if [ "$?" -ne 0 ]; then
    touch $VESTA/data/queue/letsencrypt.pipe
    sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe
    send_notice "LETSENCRYPT" "$alias validation failed"
    check_result "$E_INVALID" "LE $domain validation"
fi
echo "$crt" > $ssl_dir/$domain.crt

# Dowloading CA certificate
le_certs='https://letsencrypt.org/certs'
x1='lets-encrypt-x1-cross-signed.pem.txt'
x3='lets-encrypt-x3-cross-signed.pem.txt'
issuer=$(openssl x509 -text -in $ssl_dir/$domain.crt |grep "Issuer:")
if [ -z "$(echo $issuer|grep X3)" ]; then
    curl -s $le_certs/$x1 > $ssl_dir/$domain.ca
else
    curl -s $le_certs/$x3 > $ssl_dir/$domain.ca
fi

# Adding SSL
$BIN/v-delete-web-domain-ssl $user $domain >/dev/null 2>&1
$BIN/v-add-web-domain-ssl $user $domain $ssl_dir
if [ "$?" -ne '0' ]; then
    touch $VESTA/data/queue/letsencrypt.pipe
    sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe
    send_notice 'LETSENCRYPT' "$domain certificate installation failed"
    check_result $? "SSL install" >/dev/null
fi

# Adding LE autorenew cronjob
if [ -z "$(grep v-update-lets $VESTA/data/users/admin/cron.conf)" ]; then
    min=$(generate_password '012345' '2')
    hour=$(generate_password '1234567' '1')
    cmd="sudo $BIN/v-update-letsencrypt-ssl"
    $BIN/v-add-cron-job admin "$min" "$hour" '*' '*' '*' "$cmd" > /dev/null
fi

# Updating letsencrypt key
if [ -z "$LETSENCRYPT" ]; then
    add_object_key "web" 'DOMAIN' "$domain" 'LETSENCRYPT' 'FTP_USER'
fi
update_object_value 'web' 'DOMAIN' "$domain" '$LETSENCRYPT' 'yes'


#----------------------------------------------------------#
#                       Vesta                              #
#----------------------------------------------------------#

# Restarting web
$BIN/v-restart-web $restart
if [ "$?" -ne 0  ]; then
    send_notice 'LETSENCRYPT' "web server needs to be restarted manually"
fi

# Notifying user
send_notice 'LETSENCRYPT' "$domain SSL has been installed successfully"

# Deleteing task from queue
touch $VESTA/data/queue/letsencrypt.pipe
sed -i "/ $domain /d" $VESTA/data/queue/letsencrypt.pipe

# Logging
log_event "$OK" "$ARGUMENTS"

exit
