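#!/bin/bash
# Script to install UCS CA certificate into system and browsers
# Usage: ./install-ca-cert.sh [ca-server-ip]
#
# Installs a root CA as a trust anchor in three places:
#   - the system CA store (via update-ca-certificates),
#   - the per-user shared NSS database ($HOME/.pki/nssdb),
#   - every Firefox profile under $HOME/.mozilla/firefox that has a cert9.db.
#
# Security notes:
#   - The certificate is fetched with scp, so its authenticity depends on SSH
#     host key verification of the UCS server. Do not bypass a host key
#     warning: whoever answers on that address supplies a root CA that this
#     machine will then trust.
#   - The SHA-256 fingerprint is printed after download so it can be compared
#     with a value obtained from the CA administrator over another channel.
#   - NOTE(review): the browser stores are the ones under $HOME. When the
#     script is started as root or through sudo, $HOME may be root's home
#     rather than the desktop user's; confirm against how it is deployed.

set -euo pipefail

# Configuration
UCS_SERVER="${1:-10.0.0.21}"
CA_CERT_FILE="/usr/local/share/ca-certificates/ucs-root-ca.crt"
CA_NICKNAME="UCS Root CA"
# NSS trust string, in the order SSL,S/MIME,object signing. "CT,C,C" trusts
# the CA for TLS server and client certificates, e-mail and code signing.
# NOTE(review): if the CA is only needed for HTTPS, "C,," is the narrower
# choice; kept as-is here so existing behaviour does not change.
NSS_TRUST_FLAGS="CT,C,C"
NSS_DB="${HOME:?HOME is not set}/.pki/nssdb"
FIREFOX_DIR="$HOME/.mozilla/firefox"

# Run a command with root privileges, using sudo only when not already root.
as_root() {
    if [ "$EUID" -eq 0 ]; then
        "$@"
    else
        sudo "$@"
    fi
}

# Replace any existing entry for the CA nickname in the NSS database at $1.
# Returns the status of the final "certutil -A".
install_nss_cert() {
    local db_dir=$1
    # Deleting a nickname that is absent is expected to fail; ignore it.
    certutil -D -d "sql:${db_dir}" -n "$CA_NICKNAME" 2>/dev/null || true
    certutil -A -d "sql:${db_dir}" -t "$NSS_TRUST_FLAGS" -n "$CA_NICKNAME" -i "$TEMP_CERT"
}

# Succeed when the NSS database at $1 lists the CA nickname.
nss_has_cert() {
    local listing
    # Capture first instead of piping into "grep -q": under pipefail an early
    # grep exit could make the pipeline look like a failure.
    listing=$(certutil -L -d "sql:$1" 2>/dev/null) || return 1
    grep -qF -- "$CA_NICKNAME" <<<"$listing"
}

for tool in scp openssl; do
    if ! command -v "$tool" >/dev/null 2>&1; then
        echo "Error: required tool '$tool' not found" >&2
        exit 1
    fi
done

# A fixed name in /tmp can be pre-created or symlinked by another local user,
# which matters because the file is later copied into the trust store with
# root privileges. mktemp gives an unpredictable, owner-only file instead.
TEMP_CERT="$(mktemp)" || { echo "Error: mktemp failed" >&2; exit 1; }
# Remove the temporary file on every exit path, including early failures.
trap 'rm -f -- "$TEMP_CERT"' EXIT

echo "============================================================"
echo "UCS CA Certificate Installation"
echo "============================================================"
echo "CA Server: $UCS_SERVER"
echo "Install to: System + All Browsers"
echo "============================================================"
echo ""

# Step 1: Download CA certificate from UCS server
echo "[1/5] Downloading CA certificate from UCS server..."
# Tested directly in the "if": under "set -e" a separate "$?" check after the
# command would never be reached on failure.
if ! scp "root@${UCS_SERVER}:/etc/univention/ssl/ucsCA/CAcert.pem" "$TEMP_CERT"; then
    echo "Error: Failed to download CA certificate" >&2
    exit 1
fi
# Refuse to install anything that does not parse as an X.509 certificate.
if ! openssl x509 -in "$TEMP_CERT" -noout 2>/dev/null; then
    echo "Error: Downloaded file is not a valid X.509 certificate" >&2
    exit 1
fi
echo "✓ Downloaded CA certificate"
echo "  Compare this fingerprint with the one published by the CA administrator:"
openssl x509 -in "$TEMP_CERT" -noout -subject -fingerprint -sha256 || true
echo ""

# Step 2: Install to system CA certificates
echo "[2/5] Installing to system CA certificates..."
SYSTEM_INSTALLED=false
# install -m 0644: the mktemp file is mode 0600, and a plain cp would carry
# that over, leaving the installed certificate unreadable to non-root users.
if as_root install -m 0644 -- "$TEMP_CERT" "$CA_CERT_FILE" \
    && as_root update-ca-certificates; then
    SYSTEM_INSTALLED=true
    echo "✓ Installed to system CA certificates"
else
    echo "⚠ Warning: Failed to install system CA certificate"
fi
echo ""

HAVE_CERTUTIL=true
if ! command -v certutil >/dev/null 2>&1; then
    HAVE_CERTUTIL=false
fi

# Step 3: Install to NSS database (Chrome, Chromium, Brave)
echo "[3/5] Installing to NSS database (Chrome/Chromium/Brave)..."
if [ "$HAVE_CERTUTIL" = false ]; then
    echo "⚠ Warning: certutil not found; skipping NSS database"
elif [ -d "$NSS_DB" ]; then
    if install_nss_cert "$NSS_DB"; then
        echo "✓ Installed to NSS database"
    else
        echo "⚠ Warning: Failed to install to NSS database"
    fi
else
    echo "⚠ NSS database not found at $NSS_DB"
    echo " (Chrome/Chromium/Brave may not be installed)"
fi
echo ""

# Step 4: Install to Firefox profiles
echo "[4/5] Installing to Firefox profiles..."
FIREFOX_INSTALLED=false
if [ "$HAVE_CERTUTIL" = false ]; then
    echo "⚠ Warning: certutil not found; skipping Firefox profiles"
elif [ -d "$FIREFOX_DIR" ]; then
    for profile in "$FIREFOX_DIR"/*.default*; do
        # An unmatched glob stays literal; the -f test filters that out too.
        [ -d "$profile" ] || continue
        [ -f "$profile/cert9.db" ] || continue
        PROFILE_NAME=$(basename -- "$profile")
        if install_nss_cert "$profile"; then
            echo " ✓ Installed to Firefox profile: $PROFILE_NAME"
            FIREFOX_INSTALLED=true
        else
            echo " ⚠ Failed to install to profile: $PROFILE_NAME"
        fi
    done
    if [ "$FIREFOX_INSTALLED" = false ]; then
        echo "⚠ No Firefox profiles found with cert9.db"
    fi
else
    echo "⚠ Firefox directory not found"
    echo " (Firefox may not be installed)"
fi
echo ""

# Step 5: Verify installation
echo "[5/5] Verifying installation..."
echo ""

# Check system CA
if [ -f "$CA_CERT_FILE" ]; then
    echo "✓ System CA: Installed"
else
    echo "✗ System CA: Not found"
fi

# Check NSS database
if [ "$HAVE_CERTUTIL" = true ] && [ -d "$NSS_DB" ]; then
    if nss_has_cert "$NSS_DB"; then
        echo "✓ NSS Database: Installed (Chrome/Chromium/Brave)"
    else
        echo "✗ NSS Database: Not installed"
    fi
fi

# Check Firefox
if [ "$HAVE_CERTUTIL" = true ] && [ -d "$FIREFOX_DIR" ]; then
    FIREFOX_OK=false
    for profile in "$FIREFOX_DIR"/*.default*; do
        if [ -f "$profile/cert9.db" ] && nss_has_cert "$profile"; then
            FIREFOX_OK=true
            break
        fi
    done
    if [ "$FIREFOX_OK" = true ]; then
        echo "✓ Firefox: Installed"
    else
        echo "✗ Firefox: Not installed"
    fi
fi

# The temporary download is removed by the EXIT trap set above.

echo ""
echo "============================================================"
if [ "$SYSTEM_INSTALLED" = true ]; then
    echo "✓ CA Certificate Installation Complete!"
else
    echo "⚠ CA Certificate Installation finished with warnings"
fi
echo "============================================================"
echo ""
if [ -r "$CA_CERT_FILE" ]; then
    echo "Certificate Details:"
    openssl x509 -in "$CA_CERT_FILE" -noout -subject -issuer -dates || true
    echo ""
fi
echo "IMPORTANT: Restart your browsers for changes to take effect!"
echo ""
echo "To verify, visit any UCS-signed HTTPS site:"
echo " https://$UCS_SERVER"
echo "============================================================"

# Report a failed system install to the caller instead of exiting 0.
if [ "$SYSTEM_INSTALLED" = false ]; then
    exit 1
fi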