#!/usr/bin/env bash
# AZ-688: ensure the dev TLS cert for ../satellite-provider exists.
#
# Mirrors the cert-generation step in
# `../satellite-provider/scripts/run-tests.sh` so the upstream compose can
# find ./certs/api.pfx at the same relative path both in the upstream repo
# and here. Self-signed for dev/test only; gitignored under
# satellite-provider/certs/ and regenerated on demand.
#
# Produces three artefacts:
#   * api.pfx — Kestrel server cert (PKCS#12, passphrase: satellite-dev-cert)
#   * api.crt — public cert (PEM); AZ-692 mounts this as the CA trust anchor
#                in gps-denied client containers
#   * api.key — private key (PEM)
#
# SAN includes `api` (upstream compose service name) and `satellite-provider`
# (the alias added in docker-compose.test.jetson.yml override) so HttpClient
# can validate the cert against either DNS name.

set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"

if [[ ! -d "${REPO_ROOT}/../satellite-provider" ]]; then
    echo "ERROR: ../satellite-provider not found relative to ${REPO_ROOT}." >&2
    echo "       Clone the sibling repo before running the Jetson harness." >&2
    exit 64
fi

SATPROV_DIR="$(cd "${REPO_ROOT}/../satellite-provider" && pwd)"
CERTS_DIR="${SATPROV_DIR}/certs"
PFX="${CERTS_DIR}/api.pfx"
CRT="${CERTS_DIR}/api.crt"
KEY="${CERTS_DIR}/api.key"

if [[ -f "${PFX}" && -f "${CRT}" && -f "${KEY}" ]]; then
    echo "[ensure-dev-cert] cert present at ${PFX}"
    exit 0
fi

if ! command -v docker >/dev/null 2>&1; then
    echo "ERROR: docker not on PATH; cannot generate cert via alpine container." >&2
    exit 65
fi

echo "[ensure-dev-cert] generating dev TLS cert in ${CERTS_DIR}"
mkdir -p "${CERTS_DIR}"

docker run --rm -v "${CERTS_DIR}:/work" -w /work alpine:3.20 sh -c '
    set -e
    apk add --no-cache openssl >/dev/null
    cat > /tmp/openssl.cnf <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions    = v3_req
prompt             = no

[req_distinguished_name]
CN = satellite-provider-dev

[v3_req]
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[alt_names]
DNS.1 = api
DNS.2 = satellite-provider
DNS.3 = localhost
IP.1  = 127.0.0.1
EOF
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout api.key -out api.crt \
        -days 365 -config /tmp/openssl.cnf >/dev/null 2>&1
    openssl pkcs12 -export -out api.pfx -inkey api.key -in api.crt \
        -passout pass:satellite-dev-cert
    chmod 644 api.pfx api.crt api.key
'

echo "[ensure-dev-cert] wrote:"
echo "  ${PFX}      (Kestrel server cert; passphrase: satellite-dev-cert)"
echo "  ${CRT}      (public cert; mounted as CA in gps-denied clients per AZ-692)"
echo "  ${KEY}      (private key; DEV ONLY, never deploy to prod)"