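#!/usr/bin/env bash
#
# Retire a client's certificate material by moving its directory from
# certs/clients/<client-name> to certs/revoked/<client-name>-<UTC timestamp>.
#
# Usage: <this script> <client-name>
#
# Paths are resolved relative to the parent of the directory holding this
# script (TRAEFIK_ROOT), so the script can be run from any working directory.
#
# SECURITY: this is a bookkeeping step only. The certificate itself stays
# cryptographically valid: as the closing messages say, Traefik clientAuth
# with a CA file does not enforce revocation lists by default, so a copy of
# the certificate held elsewhere is still accepted until the client CA is
# rotated (or the certificate expires).
set -euo pipefail

if [[ $# -lt 1 ]]; then
  # The argument placeholder was missing from the usage text; restored here.
  echo "Usage: $0 <client-name>" >&2
  exit 1
fi

CLIENT_NAME="$1"

# The name is spliced into filesystem paths below, so it must be exactly one
# path component. An empty name would resolve to certs/clients/ itself (and
# move every client at once); '.', '..' or an embedded '/' would let the mv
# operate on a directory outside certs/clients.
case "${CLIENT_NAME}" in
  '' | . | .. | */*)
    printf '%s\n' "Invalid client name '${CLIENT_NAME}': must be a single directory name." >&2
    exit 1
    ;;
esac

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
TRAEFIK_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
CLIENT_DIR="${TRAEFIK_ROOT}/certs/clients/${CLIENT_NAME}"
REVOKED_DIR="${TRAEFIK_ROOT}/certs/revoked"

if [[ ! -d "${CLIENT_DIR}" ]]; then
  printf '%s\n' "No certificate directory found for client '${CLIENT_NAME}'." >&2
  exit 1
fi

# NOTE(review): the moved directory presumably still holds the client's
# private key; confirm that certs/revoked keeps permissions at least as
# strict as certs/clients.
mkdir -p "${REVOKED_DIR}"

# UTC, second-resolution stamp keeps repeated revocations of one name apart.
STAMP="$(date -u +%Y%m%dT%H%M%SZ)"
TARGET_DIR="${REVOKED_DIR}/${CLIENT_NAME}-${STAMP}"

# If the target already exists, mv would nest the directory inside it instead
# of renaming, leaving the archive in an unexpected layout. Refuse instead.
if [[ -e "${TARGET_DIR}" ]]; then
  printf '%s\n' "Refusing to overwrite existing ${TARGET_DIR}." >&2
  exit 1
fi

mv -- "${CLIENT_DIR}" "${TARGET_DIR}"

echo "Moved client certificate material to ${TARGET_DIR}."
echo "Note: Traefik clientAuth with a CA file does not enforce revocation lists by default."
echo "For immediate hard revocation, rotate the client CA and re-issue trusted client certificates."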