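#!/bin/bash
# ============================================================================
# OceanBase SSL/TLS certificate generation script
# Purpose: generate a CA certificate, a server certificate and its private key,
#          verify them, and place them in the wallet directory.
# Target directory: /var/lib/oceanbase/wallet
#
# Optional environment overrides (defaults match the original hard-coded values):
#   WALLET_DIR       destination directory
#   COMMON_NAME      OBServer host name or IP; used as the CN and as the
#                    subjectAltName of the server certificate
#   CERT_DAYS        validity in days
#   KEY_BITS         RSA key size in bits
#   FORCE_OVERWRITE  set to 1 to overwrite an existing CA / server key or cert
# ============================================================================
set -euo pipefail   # abort on error, on unset variable, and on a failed pipeline stage
umask 077           # private keys are never created group/world readable, even transiently

# ============================================================================
# Configuration
# ============================================================================
WALLET_DIR="${WALLET_DIR:-/var/lib/oceanbase/wallet}"
CERT_DAYS="${CERT_DAYS:-3650}"          # certificate validity in days (10 years)
KEY_BITS="${KEY_BITS:-2048}"            # RSA key size for CA and server keys
COUNTRY="CN"
STATE="Beijing"
CITY="Beijing"
ORGANIZATION="OceanBase"
ORG_UNIT="DBaaS"
COMMON_NAME="${COMMON_NAME:-192.168.11.16}"   # set to the real OBServer host name or IP
FORCE_OVERWRITE="${FORCE_OVERWRITE:-0}"

# CA files
CA_KEY="${WALLET_DIR}/ca-key.pem"
CA_CERT="${WALLET_DIR}/ca.pem"

# Server files
SERVER_KEY="${WALLET_DIR}/server-key.pem"
SERVER_CERT="${WALLET_DIR}/server-cert.pem"

# Scratch files (CSR, extension/config files, CA serial) live in a private
# mktemp directory instead of a predictable /tmp name; they are removed on
# every exit path by the EXIT trap below.
TMP_DIR=""
SERVER_CSR=""
SERVER_EXT=""
CA_CNF=""
CA_SERIAL=""

# ============================================================================
# Functions
# ============================================================================

# Print a timestamped INFO line to stdout. $1 - message.
log_info() {
  printf '[INFO] %s - %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1"
}

# Print a timestamped ERROR line to stderr. $1 - message.
log_error() {
  printf '[ERROR] %s - %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" >&2
}

# Log an error and exit with status 1. $1 - message.
die() {
  log_error "$1"
  exit 1
}

# Remove the scratch directory; registered as the EXIT trap.
cleanup() {
  if [[ -n "$TMP_DIR" ]]; then
    rm -rf -- "$TMP_DIR"
  fi
}
trap cleanup EXIT

# Abort unless the openssl binary is on PATH; log its version otherwise.
check_openssl() {
  if ! command -v openssl > /dev/null 2>&1; then
    die "openssl 未安装,请先安装 openssl"
  fi
  log_info "openssl 版本: $(openssl version)"
}

# Create the wallet directory if missing.
# The mkdir runs under umask 022 so that any intermediate directories created
# by -p stay world-readable (the script's own umask 077 is meant for key files).
create_wallet_dir() {
  if [[ ! -d "$WALLET_DIR" ]]; then
    log_info "创建 wallet 目录: $WALLET_DIR"
    (umask 022 && mkdir -p -- "$WALLET_DIR")
  else
    log_info "wallet 目录已存在: $WALLET_DIR"
  fi
}

# Create the private scratch directory and derive the scratch file paths.
create_tmp_dir() {
  TMP_DIR="$(mktemp -d)" || die "无法创建临时目录"
  SERVER_CSR="${TMP_DIR}/server-cert.csr"
  SERVER_EXT="${TMP_DIR}/server-ext.cnf"
  CA_CNF="${TMP_DIR}/ca.cnf"
  CA_SERIAL="${TMP_DIR}/ca.srl"
}

# Refuse to silently replace an existing CA or server key/certificate.
# Overwriting the CA key invalidates every certificate it previously issued,
# so an explicit FORCE_OVERWRITE=1 is required.
check_existing_files() {
  local f
  for f in "$CA_KEY" "$CA_CERT" "$SERVER_KEY" "$SERVER_CERT"; do
    if [[ -e "$f" ]]; then
      if [[ "$FORCE_OVERWRITE" == "1" ]]; then
        log_info "将覆盖已存在的文件: $f"
      else
        die "文件已存在: $f (如需覆盖请设置 FORCE_OVERWRITE=1)"
      fi
    fi
  done
}

# Print the subjectAltName entry for COMMON_NAME on stdout:
# an IPv4 dotted-quad or an IPv6 literal (contains ':') becomes "IP:…",
# anything else becomes "DNS:…".
san_entry() {
  if [[ "$COMMON_NAME" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ || "$COMMON_NAME" == *:* ]]; then
    printf 'IP:%s' "$COMMON_NAME"
  else
    printf 'DNS:%s' "$COMMON_NAME"
  fi
}

# Generate the CA private key and a self-signed CA certificate.
# A minimal openssl config is written so the certificate carries
# basicConstraints CA:TRUE and a signing-only keyUsage regardless of the
# system openssl.cnf defaults.
generate_ca() {
  log_info "开始生成 CA 证书..."

  openssl genrsa -out "$CA_KEY" "$KEY_BITS"
  log_info "CA 私钥已生成: $CA_KEY"

  # An empty [dn] section is required by 'openssl req' even when -subj is given.
  cat > "$CA_CNF" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

  openssl req -x509 -new -nodes \
    -key "$CA_KEY" \
    -sha256 \
    -days "$CERT_DAYS" \
    -out "$CA_CERT" \
    -config "$CA_CNF" \
    -extensions v3_ca \
    -subj "/C=${COUNTRY}/ST=${STATE}/L=${CITY}/O=${ORGANIZATION}/OU=${ORG_UNIT}/CN=ca.${COMMON_NAME}"
  log_info "CA 证书已生成: $CA_CERT"

  # Show the essentials of the new CA certificate. (Not piped through head:
  # an early-exiting reader would trip pipefail.)
  openssl x509 -in "$CA_CERT" -subject -issuer -dates -noout
}

# Generate the server key, a CSR, and a CA-signed server certificate.
# The certificate carries a subjectAltName for COMMON_NAME: TLS clients match
# the host against the SAN and ignore the CN alone.
generate_server_cert() {
  log_info "开始生成服务端证书..."

  openssl genrsa -out "$SERVER_KEY" "$KEY_BITS"
  log_info "服务端私钥已生成: $SERVER_KEY"

  openssl req -new \
    -key "$SERVER_KEY" \
    -out "$SERVER_CSR" \
    -subj "/C=${COUNTRY}/ST=${STATE}/L=${CITY}/O=${ORGANIZATION}/OU=${ORG_UNIT}/CN=${COMMON_NAME}"
  log_info "证书签名请求已生成: $SERVER_CSR"

  # Leaf-certificate extensions. Both serverAuth and clientAuth are allowed so
  # the certificate also works where the node presents it as a TLS client.
  cat > "$SERVER_EXT" <<EOF
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName = $(san_entry)
EOF

  # -CAserial points the serial file into the scratch directory; without it
  # -CAcreateserial writes ca.srl next to the CA certificate, which the
  # original cleanup step never removed (it deleted a ca-key.pem.srl path
  # that is never created).
  openssl x509 -req \
    -in "$SERVER_CSR" \
    -CA "$CA_CERT" \
    -CAkey "$CA_KEY" \
    -CAserial "$CA_SERIAL" \
    -CAcreateserial \
    -out "$SERVER_CERT" \
    -days "$CERT_DAYS" \
    -sha256 \
    -extfile "$SERVER_EXT" \
    -extensions server_ext
  log_info "服务端证书已生成: $SERVER_CERT"

  rm -f -- "$SERVER_CSR"
}

# Print certificate details, verify the chain, and verify that the server
# key belongs to the server certificate. Exits 1 on any mismatch.
verify_certificates() {
  log_info "验证证书匹配性..."

  printf '\n'
  log_info "=== CA 证书信息 ==="
  openssl x509 -in "$CA_CERT" -issuer -subject -dates -noout

  printf '\n'
  log_info "=== 服务端证书信息 ==="
  openssl x509 -in "$SERVER_CERT" -issuer -subject -dates -noout

  printf '\n'
  log_info "=== 验证证书链 ==="
  if openssl verify -CAfile "$CA_CERT" "$SERVER_CERT" > /dev/null 2>&1; then
    log_info "证书链验证成功!"
  else
    die "证书链验证失败!"
  fi

  printf '\n'
  log_info "=== 验证私钥与证书匹配性 ==="
  # Compare the public keys directly. The previous md5-of-modulus approach
  # compared the hash of empty output when either openssl call failed, so a
  # broken key and a broken cert reported a successful match.
  local key_pub cert_pub
  key_pub="$(openssl pkey -in "$SERVER_KEY" -pubout 2>/dev/null)" \
    || die "无法读取服务端私钥: $SERVER_KEY"
  cert_pub="$(openssl x509 -in "$SERVER_CERT" -pubkey -noout 2>/dev/null)" \
    || die "无法读取服务端证书: $SERVER_CERT"
  if [[ -n "$key_pub" && "$key_pub" == "$cert_pub" ]]; then
    log_info "私钥与证书匹配成功!"
  else
    die "私钥与证书不匹配!"
  fi
}

# Set final permissions: directory 755, private keys 600, certificates 644.
set_permissions() {
  log_info "设置文件权限..."

  chmod 755 -- "$WALLET_DIR"
  # Private keys: owner read/write only
  chmod 600 -- "$CA_KEY" "$SERVER_KEY"
  # Certificates: owner read/write, everyone else read-only
  chmod 644 -- "$CA_CERT" "$SERVER_CERT"

  log_info "权限设置完成"
}

# Show the wallet directory contents.
list_files() {
  log_info "wallet 目录文件列表:"
  printf '\n'
  ls -la -- "$WALLET_DIR"
  printf '\n'
}

# ============================================================================
# Main flow
# ============================================================================
main() {
  log_info "========== OceanBase SSL/TLS 证书生成脚本 =========="
  log_info "目标目录: $WALLET_DIR"
  log_info "===================================================="

  check_openssl
  create_wallet_dir
  create_tmp_dir
  check_existing_files
  generate_ca
  generate_server_cert
  verify_certificates
  set_permissions
  list_files

  log_info "========== 证书生成完成 =========="
  printf '\n'
  log_info "请确认以下文件已就位:"
  printf '  - %s\n' "${WALLET_DIR}/ca.pem" "${WALLET_DIR}/server-cert.pem" "${WALLET_DIR}/server-key.pem"
  printf '\n'
  log_info "接下来可以执行数据库命令:"
  printf '%s\n' "  1. ALTER SYSTEM SET ssl_client_authentication='ON';"
  printf '%s\n' "  2. 重启 OBServer 节点使配置生效"
}

main "$@"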