#!/bin/bash -e

# endless-ca-trust-user - Trust Endless SSL CA certificate for user
# Copyright (C) 2017  Endless Mobile, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

# Add the installed Endless CA certificate to the user's NSS database.
# This is needed for chromium and chrome, which supply a builtin CA
# store with user customizations in ~/.pki/nssdb. See
# https://chromium.googlesource.com/chromium/src/+/lkcr/docs/linux_cert_management.md
# for details.

NSSDB="$HOME/.pki/nssdb"
CERT_PATH=/usr/share/eos-keyring/endless-ca.crt
CA_NAME="Endless CA"

usage() {
    cat <<EOF
Usage: $0 [OPTION...]
Trust Endless SSL CA certificate in user's NSS database

  -f, --force           force import of certificate
  -n, --dry-run         show what would be done
  -h, --help            display this help and exit
EOF
}

ARGS=$(getopt -n "$0" -o fnh -l force,dry-run,help -- "$@")
eval set -- "$ARGS"

FORCE=false
DRY_RUN=false
while true; do
    case "$1" in
        -f|--force)
            FORCE=true
            shift
            ;;
        -n|--dry-run)
            DRY_RUN=true
            shift
            ;;
        -h|--help)
            usage
            exit 0
            ;;
        --)
            shift
            break
            ;;
        *)
            echo "Unrecognized option $1" >&2
            usage >&2
            exit 1
            ;;
    esac
done

# Make sure certutil is installed
if ! type -p certutil >/dev/null; then
    echo "certutil is not installed" >&2
    exit 1
fi

if [ ! -d "$NSSDB" ]; then
    # Create it unless this is a dry run in which case nothing else can
    # be done
    if $DRY_RUN; then
        echo "No NSS database found at $NSSDB, cannot continue dry run"
        exit 1
    fi

    echo "Creating $NSSDB"
    mkdir -p -m700 "$NSSDB"
    certutil -d "sql:$NSSDB" -N --empty-password
fi

# Check if the certificate is already added
if certutil -d "sql:$NSSDB" -L -n "$CA_NAME" 2>/dev/null | \
        grep -q 'Trusted CA'
then
    if ! $FORCE; then
        echo "$CA_NAME certificate already trusted"
        exit 0
    fi
fi

if [ ! -f "$CERT_PATH" ]; then
    echo "Could not find Endless CA cert at $CERT_PATH" >&2
    exit 1
fi

# Add it as a trusted CA
echo "Adding $CA_NAME certificate $CERT_PATH"
if ! $DRY_RUN; then
    certutil -d "sql:$NSSDB" -A -t "C,," -n "$CA_NAME" -i "$CERT_PATH"
fi
