cns-hook-util

function getservice {
	local vmuuid="$(dig +short txt "${domain}" @${NAMESERVER:-8.8.8.8} | tail -1 | sed 's/"//g')"
	if [ "a$vmuuid" == "a" ]; then
		echo "ERROR: ${domain} does not appear to be a CNS name or CNAME to a CNS name" >&2
		exit 1
	fi
	local sdcrole="$(sdc-vmadm get ${vmuuid} | json tags.smartdc_role)"
	local mantarole="$(sdc-vmadm get ${vmuuid} | json tags.manta_role)"
	case "$sdcrole" in
		cloudapi|adminui|docker|cmon)
			echo "$sdcrole"
			;;
		*)
			case "$mantarole" in
				loadbalancer)
					echo "manta"
					;;
				*)
					echo "ERROR: ${domain} points at VM ${vmuuid} with role ${role}, which is not supported" >&2
					exit 1
					;;
			esac
			;;
	esac
}

function verifyvm {
	local domain="${1}" vmuuid="${2}"

	if ! dig +short txt "${domain}" @${NAMESERVER:-8.8.8.8} | sed 's/"//g' | grep -w -- "${vmuuid}" >/dev/null; then
		echo "ERROR: ${domain} does not appear to be a CNS name or CNAME to a CNS name for VM ${vmuuid}" >&2
		exit 1
	fi

	local cname="$(dig +short cname "${domain}" @${NAMESERVER:-8.8.8.8})"
	if [ "a$cname" != "a" ]; then
		local acmecname="$(dig +short cname "_acme-challenge.${domain}" @${NAMESERVER:-8.8.8.8})"
		if [ "a$acmecname" == "a" ]; then
			echo "ERROR: ${domain} is a CNAME to ${cname}, but _acme-challenge.${domain} is not a CNAME" >&2
			exit 1
		fi
	fi

}

function waitfortxt {
        local domain="$1" txtval="$2"
        local count=0
        read -r -a values <<< "$txtval"
        for val in "${values[@]}"; do
                while [ $count -lt 3 ]; do
                        dig +short txt "_acme-challenge.${domain}" @${NAMESERVER:-8.8.8.8}
                        if dig +short txt "_acme-challenge.${domain}" @${NAMESERVER:-8.8.8.8} | grep -w "$val" >/dev/null; then
                                count=$(($count + 1))
                        else
                                count=0
                                sleep 1
                        fi
                done
                count=0
        done
}

function update_localvm {
	local vmuuid="$1" tokenval="$2"
	echo "{\"set_customer_metadata\":{\"triton.cns.acme-challenge\":\"${tokenval}\"}}" | \
		vmadm update "$vmuuid"
}

function update_remotevm {
	local vmuuid="$1" tokenval="$2"
	sdc-vmadm get $vmuuid | \
		json -j customer_metadata not_a_key | \
		json -j -e "this.customer_metadata['triton.cns.acme-challenge'] = '${tokenval}'" | \
		json -j -e "this.payload = { customer_metadata: this.customer_metadata };" payload not_a_key | \
		sdc-vmadm update $vmuuid
}

function find_path {
    local path="$1"
    if [ ! -e "$path" ]; then
        path=/native/$1
        if [ ! -e "$path" ]; then
            echo "ERROR: failed to find $(basename $path) command" >&2
            echo "       is this a Triton zone?" >&2
            exit 1
        fi
    fi
    cmd="$path"
    if [ -e "/usr/bin/pfexec" ]; then
        cmd="/usr/bin/pfexec ${cmd}"
    fi
    echo "$cmd"
}

function mdata_get {
    local cmd=$(find_path /usr/sbin/mdata-get)
    $cmd "$@"
}

function mdata_put {
    local cmd=$(find_path /usr/sbin/mdata-put)
    $cmd "$@"
}

function mdata_delete {
    local cmd=$(find_path /usr/sbin/mdata-delete)
	$cmd "$@"
}

function get_zonename {
    local cmd=$(find_path /usr/bin/zonename)
    $cmd
}

function merge_token {
	local domain="${1}" tokenval="${2}"
	local existing_token

	local zname=$(get_zonename)
	if [ "$zname" != "global" ]; then
		existing_token=$(mdata_get triton.cns.acme-challenge)
	else
		local vmservice vmuuid
		vmservice=$(getservice "${domain}")
		case "$vmservice" in
		cloudapi|adminui|docker|cmon)
			vmuuid="$(vmadm lookup alias=~${vmservice})"
			existing_token=$(vmadm get "$vmuuid" | json 'customer_metadata.["triton.cns.acme-challenge"]')
			;;
		manta)
			local poseidon=$(sdc-useradm get poseidon | json uuid)
			vmuuid=$(sdc-vmadm list -H -o uuid \
				owner_uuid="$poseidon" alias="loadbalancer" | \
				sort | tail -1)
			existing_token=$(sdc-vmapi "/vms/$vmuuid" | json -H 'customer_metadata.["triton.cns.acme-challenge"]')
			;;
		esac
	fi

	if [ -n "$existing_token" ]; then
		new_token=$(echo "$existing_token $tokenval" | tr ' ' '\n' | sort -u | xargs)
	else
		new_token="$tokenval"
	fi
	echo "$new_token"
}

function deploy_challenge {
	local domain="${1}" tokenfn="${2}" tokenval="${3}"

	tokenval=$(merge_token "$domain" "$tokenval")

	local zname=$(get_zonename)
	if [ "$zname" != "global" ]; then
		verifyvm "$domain" "$zname"
		mdata_put "triton.cns.acme-challenge" "$tokenval"
	else
		local vmuuid
		case "$(getservice "${domain}")" in
		cloudapi|adminui|docker|cmon)
			local alias="$(getservice "${domain}")0"
			vmuuid="$(vmadm lookup alias=$alias)"
			verifyvm "$domain" "$vmuuid"
			update_localvm "$vmuuid" "$tokenval"
			;;
		manta)
			local poseidon=$(sdc-useradm get poseidon | json uuid)
			vmuuid=$(sdc-vmadm list -H -o uuid \
				owner_uuid="$poseidon" alias="loadbalancer" | \
				sort | tail -1)
			verifyvm "$domain" "$vmuuid"
			update_remotevm "$vmuuid" "$tokenval"
			;;
		*)
			echo "ERROR: Unknown domain: ${domain}" >&2
			exit 1
			;;
		esac
	fi

	waitfortxt "$domain" "$tokenval"

	echo "OK: deployed dns token for ${domain} successfully" >&2
	exit 0
}

function clean_challenge {
	local domain="${1}" tokenfn="${2}" tokenval="${3}"

	local zname=$(get_zonename)
	if [ "$zname" != "global" ]; then
		verifyvm "$domain" "$zname"
		mdata_delete "triton.cns.acme-challenge"
	else
		local vmuuid
		case "$(getservice "${domain}")" in
		cloudapi|adminui|docker|cmon)
			local alias="$(getservice "${domain}")0"
			vmuuid="$(vmadm lookup alias=$alias)"
			verifyvm "$domain" "$vmuuid"
			echo "{\"remove_customer_metadata\":[\"triton.cns.acme-challenge\"]}" | \
				vmadm update "$vmuuid"
			;;
		esac
	fi

	exit 0
}

function deploy_cert {
	local domain="${1}" keyfile="${2}" certfile="${3}" fullchainfile="${4}" chainfile="${5}"

	local zname=$(get_zonename)
	if [ "$zname" != "global" ]; then
		exit 0
	fi

	local vmuuid
	local certdir="$(dirname "$certfile")"
	case "$(getservice "${domain}")" in
	cloudapi)
		vmuuid="$(vmadm lookup alias=cloudapi0)"
		if [ ! -f "${certdir}/dhparams.pem" ]; then
			openssl dhparam 2048 > "${certdir}/dhparams.pem"
		fi
		cat "${keyfile}" "${fullchainfile}" "${certdir}/dhparams.pem" > "${certdir}/stud.pem"
		local subd="$(cat "${certdir}/stud.pem" | tr '\n' '\\' | sed 's/\\/\\n/g')"
		local muuid
		read muuid < <(sdc-sapi /manifests -XPOST -d '{"name": "cert", "version":"1.0.0", "path": "/opt/smartdc/cloudapi/ssl/stud.pem","post_cmd":"/usr/sbin/svcadm restart stud","template":"'"${subd}"'"}' | json -H uuid)
		local svcuuid
		read svcuuid < <(sdc-sapi /services?name=cloudapi | json -Ha uuid)
		sdc-sapi /services/${svcuuid} -XPUT -d '{"manifests":{"cert":"'"${muuid}"'"}}' >/dev/null
		echo "OK: cloudapi certificate deployed (sapi manifest updated)" >&2
		;;
	adminui)
		vmuuid="$(vmadm lookup alias=adminui0)"
		cat "${keyfile}" "${fullchainfile}" > "${certdir}/combined.pem"
		cp "${certdir}/combined.pem" "/zones/${vmuuid}/root/opt/smartdc/adminui/etc/ssl/default.pem"
		rm /zones/${vmuuid}/root/opt/smartdc/adminui/etc/ssl/ADMINUI.*
		zlogin "${vmuuid}" svcadm restart adminui
		echo "OK: adminui certificate deployed, and adminui restarted" >&2
		;;
	docker)
		sdcadm experimental install-docker-cert \
			-k "${keyfile}" -c "${fullchainfile}"
		local ep="tcp://${domain}:2376"
		local cloudapi_svc=$(sdc-sapi /services?name=cloudapi | json -H 0.uuid)
		sapiadm get $cloudapi_svc | \
			json -e "
				svcs = JSON.parse(this.metadata.CLOUDAPI_SERVICES || '{}');
				svcs.docker = '${ep}';
				this.update = {metadata: {CLOUDAPI_SERVICES: JSON.stringify(svcs)}};
				" update | \
			sapiadm update $cloudapi_svc
		echo "OK: docker certificate deployed" >&2
		;;
	cmon)
		cmon_servers=($(sdcadm insts cmon -Ho server))
		cmon_servers=$(tr ' ' , <<< "${cmon_servers[@]}")

		sdc-oneachnode -n "$cmon_servers" -X -g "${fullchainfile}" -d /tmp
		sdc-oneachnode -n "$cmon_servers" -X -g "${keyfile}" -d /tmp
		sdc-oneachnode -n "$cmon_servers" '
		mv /tmp/fullchain.pem /zones/$(vmadm lookup alias=~cmon)/root/data/tls/cert.pem
		mv /tmp/privkey.pem /zones/$(vmadm lookup alias=~cmon)/root/data/tls/key.pem
		svcadm -z $(vmadm lookup alias=~cmon) restart cmon
		'
		;;
	manta)
		if [ ! -f "${certdir}/dhparams.pem" ]; then
			openssl dhparam 2048 > "${certdir}/dhparams.pem"
		fi
		cat "${keyfile}" "${fullchainfile}" "${certdir}/dhparams.pem" > "${certdir}/stud.pem"
		local mantazone=$(vmadm lookup alias=manta0)
		cp "${certdir}/stud.pem" /zones/$mantazone/root/var/tmp/stud.pem
		zlogin $mantazone bash --login -c '/opt/smartdc/manta-deployment/cmd/manta-replace-cert.js /var/tmp/stud.pem'
		rm /zones/$mantazone/root/var/tmp/stud.pem
		echo "OK: New Manta certificate deployed, but loadbalancers have not been restarted." >&2
		echo "    You will need to visit each loadbalancer instance with manta-login and " >&2
		echo "    restart the 'stud' service." >&2
		;;
	*)
		echo "ERROR: Unknown domain: ${domain}" >&2
		exit 1
		;;
	esac

}

function unchanged_cert {
	local domain="${1}" keyfile="${2}" certfile="${3}" fullchainfile="${4}" chainfile="${5}"

	local zname=$(get_zonename)
	if [ "$zname" != "global" ]; then
		exit 0
	fi

	local vmuuid
	local certdir="$(dirname "$certfile")"
	case "$(getservice "${domain}")" in
	cloudapi)
		vmuuid="$(vmadm lookup alias=cloudapi0)"
		if [ ! -f "${certdir}/dhparams.pem" ]; then
			openssl dhparam 2048 > "${certdir}/dhparams.pem"
		fi
		cat "${keyfile}" "${fullchainfile}" "${certdir}/dhparams.pem" > "${certdir}/stud.pem"
		local target="/zones/${vmuuid}/root/opt/smartdc/cloudapi/ssl/stud.pem"
		if ! diff "${certdir}/stud.pem" "${target}" >/dev/null; then
			local subd="$(cat "${certdir}/stud.pem" | tr '\n' '\\' | sed 's/\\/\\n/g')"
			local muuid
			read muuid < <(sdc-sapi /manifests -XPOST -d '{"name": "cert", "version":"1.0.0", "path": "/opt/smartdc/cloudapi/ssl/stud.pem","post_cmd":"/usr/sbin/svcadm restart stud","template":"'"${subd}"'"}' | json -H uuid)
			local svcuuid
			read svcuuid < <(sdc-sapi /services?name=cloudapi | json -Ha uuid)
			sdc-sapi /services/${svcuuid} -XPUT -d '{"manifests":{"cert":"'"${muuid}"'"}}' >/dev/null
			echo "OK: cloudapi certificate deployed (sapi manifest updated)" >&2
		fi
		echo "OK: cloudapi certificate up to date" >&2
		;;
	adminui)
		vmuuid="$(vmadm lookup alias=adminui0)"
		cat "${keyfile}" "${fullchainfile}" > "${certdir}/combined.pem"
		local target="/zones/${vmuuid}/root/opt/smartdc/adminui/etc/ssl/default.pem"
		if ! diff "${certdir}/combined.pem" "${target}" >/dev/null; then
			cp "${certdir}/combined.pem" "/zones/${vmuuid}/root/opt/smartdc/adminui/etc/ssl/default.pem"
			rm /zones/${vmuuid}/root/opt/smartdc/adminui/etc/ssl/ADMINUI.*
			zlogin "${vmuuid}" svcadm restart adminui
			echo "OK: adminui certificate deployed, and adminui restarted" >&2
		fi
		echo "OK: adminui certificate up to date" >&2
		;;
	cmon|docker|manta)
		echo "OK: certificate up to date" >&2
		;;
	*)
		echo "ERROR: Unknown domain: ${domain}" >&2
		exit 1
		;;
	esac
}

function exit_hook {
	exit 0
}

function invalid_challenge {
	exit 0
}

function startup_hook {
	exit 0
}