#!/usr/bin/env bash
set -euo pipefail

if [[ $# -lt 1 ]]; then
  echo "Usage: $0 <client-name> [days]"
  exit 1
fi

CLIENT_NAME="$1"
DAYS="${2:-825}"

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
TRAEFIK_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
CA_DIR="${TRAEFIK_ROOT}/certs/ca"
CLIENT_DIR="${TRAEFIK_ROOT}/certs/clients/${CLIENT_NAME}"

CA_KEY="${CA_DIR}/clients-ca.key"
CA_CERT="${CA_DIR}/clients-ca.crt"
CA_SERIAL="${CA_DIR}/clients-ca.srl"

CLIENT_KEY="${CLIENT_DIR}/${CLIENT_NAME}.key"
CLIENT_CSR="${CLIENT_DIR}/${CLIENT_NAME}.csr"
CLIENT_CERT="${CLIENT_DIR}/${CLIENT_NAME}.crt"
CLIENT_P12="${CLIENT_DIR}/${CLIENT_NAME}.p12"
OPENSSL_EXT="${CLIENT_DIR}/client.ext"

if [[ ! -f "${CA_KEY}" || ! -f "${CA_CERT}" ]]; then
  echo "Missing CA material. Run init-mtls-ca.sh first."
  exit 1
fi

if [[ -d "${CLIENT_DIR}" ]]; then
  echo "Client directory already exists (${CLIENT_DIR}); refusing to overwrite."
  exit 1
fi

mkdir -p "${CLIENT_DIR}"
chmod 700 "${CLIENT_DIR}"

cat > "${OPENSSL_EXT}" <<EXT
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName = DNS:${CLIENT_NAME}
EXT

openssl genrsa -out "${CLIENT_KEY}" 2048
chmod 600 "${CLIENT_KEY}"

openssl req -new -key "${CLIENT_KEY}" -subj "/CN=${CLIENT_NAME}" -out "${CLIENT_CSR}"

openssl x509 -req \
  -in "${CLIENT_CSR}" \
  -CA "${CA_CERT}" \
  -CAkey "${CA_KEY}" \
  -CAcreateserial \
  -out "${CLIENT_CERT}" \
  -days "${DAYS}" \
  -sha256 \
  -extfile "${OPENSSL_EXT}"
chmod 644 "${CLIENT_CERT}"

openssl pkcs12 -export \
  -inkey "${CLIENT_KEY}" \
  -in "${CLIENT_CERT}" \
  -certfile "${CA_CERT}" \
  -name "${CLIENT_NAME}" \
  -out "${CLIENT_P12}"
chmod 600 "${CLIENT_P12}"

rm -f "${CLIENT_CSR}" "${OPENSSL_EXT}"

echo "Issued client certificate for ${CLIENT_NAME}."
echo "CRT: ${CLIENT_CERT}"
echo "KEY: ${CLIENT_KEY}"
echo "P12: ${CLIENT_P12}"