#!/bin/bash
set -e

ssl_dir="/opt/ssl"
php_dir="/opt/ldap_user_manager"

if [ ! "$SERVER_HOSTNAME" ]; then export SERVER_HOSTNAME="ldapusermanager.org"; fi
if [ ! "$SERVER_PATH" ]; then
  export SERVER_PATH="/";
  apache_alias=""
else
  apache_alias="Alias $SERVER_PATH $php_dir"
fi

#If LDAP_TLS_CACERT is set then write it out as a file
#and set up the LDAP client conf to use it.

if [ "$LDAP_TLS_CACERT" ]; then
  echo "$LDAP_TLS_CACERT" >/opt/ca.crt
  sed -i "s/TLS_CACERT.*/TLS_CACERT \/opt\/ca.crt/" /etc/ldap/ldap.conf
fi

if [ "${NO_HTTPS,,}" == "true" ]; then

  cat <<EoHTTPC >/etc/apache2/sites-enabled/lum.conf

<VirtualHost *:80>

 ServerName $SERVER_HOSTNAME
 DocumentRoot $php_dir
 $apache_alias
 DirectoryIndex index.php index.html

 <Directory $php_dir>
   Require all granted
 </Directory>

</VirtualHost>
EoHTTPC


else

  ########################
  #If there aren't any SSL certs then create a CA and then CA-signed certificate

  if [ ! -f "${ssl_dir}/server.key" ] && [ ! -f "${ssl_dir}/server.crt" ]; then

    mkdir -p $ssl_dir
    confout="${ssl_dir}/conf"
    keyout="${ssl_dir}/server.key"
    certout="${ssl_dir}/server.crt"
    cakey="${ssl_dir}/ca.key"
    cacert="${ssl_dir}/ca.crt"
    serialfile="${ssl_dir}/serial"

    echo "Generating CA key"
    openssl genrsa -out $cakey 2048
    if [ $? -ne 0 ]; then exit 1 ; fi

    echo "Generating CA certificate"
    openssl req \
            -x509 \
            -new \
            -nodes \
            -subj "/C=GB/ST=GB/L=GB/O=CA/OU=CA/CN=Wheelybird" \
            -key $cakey \
            -sha256 \
            -days 7300 \
            -out $cacert
    if [ $? -ne 0 ]; then exit 1 ; fi

    echo "Generating openssl configuration"

    cat <<EoCertConf>$confout
subjectAltName = DNS:${SERVER_HOSTNAME},IP:127.0.0.1
extendedKeyUsage = serverAuth
EoCertConf

    echo "Generating server key..."
    openssl genrsa -out $keyout 2048
    if [ $? -ne 0 ]; then exit 1 ; fi

    echo "Generating server signing request..."
    openssl req \
                 -subj "/CN=${SERVER_HOSTNAME}" \
                 -sha256 \
                 -new \
                 -key $keyout \
                 -out /tmp/server.csr
    if [ $? -ne 0 ]; then exit 1 ; fi

    echo "Generating server cert..."
    openssl x509 \
                  -req \
                  -days 7300 \
                  -sha256 \
                  -in /tmp/server.csr \
                  -CA $cacert \
                  -CAkey $cakey \
                  -CAcreateserial \
                  -CAserial $serialfile \
                  -out $certout \
                  -extfile $confout
    if [ $? -ne 0 ]; then exit 1 ; fi

  fi


  ########################
  #Create Apache config

  if [ -f "${ssl_dir}/chain.pem" ]; then ssl_chain="SSLCertificateChainFile ${ssl_dir}/chain.pem"; fi

  cat <<EoHTTPSC >/etc/apache2/sites-enabled/lum.conf

<VirtualHost *:80>

 RewriteEngine On
 RewriteRule ^/?(.*) https://%{SERVER_NAME}/\$1 [R,L]

</VirtualHost>

<VirtualHost _default_:443>

 ServerName $SERVER_HOSTNAME

 DocumentRoot $php_dir
 $apache_alias
 DirectoryIndex index.php index.html

 <Directory $php_dir>
   Require all granted
 </Directory>

 SSLEngine On
 SSLCertificateFile /opt/ssl/server.crt
 SSLCertificateKeyFile /opt/ssl/server.key
 $ssl_chain

</VirtualHost>
EoHTTPSC

fi

cat /etc/apache2/sites-enabled/lum.conf

########################
#Run Apache

# first arg is `-f` or `--some-option`
if [ "${1#-}" != "$1" ]; then
	set -- apache2-foreground "$@"
fi

exec "$@"