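#!/usr/bin/env bash
#
# Inspect (and optionally configure) OpenSSH server certificate support.
#
#   * offers to write /etc/ssh/sshd_config.d/certs.conf pointing sshd at a
#     user CA public key, an ed25519 host key and its host certificate,
#   * validates the resulting configuration with `sshd -t` BEFORE restarting
#     the service, so a typo cannot lock a remote operator out,
#   * prints whether the files behind HostKey / HostCertificate /
#     TrustedUserCAKeys exist, their mode, and the host key fingerprint.
#
# Must run as root: `sshd -T` has to read the host private keys and the
# drop-in is written under /etc/ssh.  Assumes a systemd unit named `sshd`
# (Debian/Ubuntu call it `ssh`; adjust restart_sshd if needed).

set -uo pipefail

readonly GREEN_CHECK="\e[32m✔\e[0m"
readonly RED_X="\e[31m✗\e[0m"
readonly YELLOW_BANG="\e[33m!\e[0m"

#
# Function Definition
#

#######################################
# Print the first value sshd reports for a configuration keyword.
# Arguments: $1 - keyword, case-insensitive (sshd -T prints keywords lowercase)
# Outputs:   the keyword's first value on stdout; nothing if unset or unknown
# Returns:   2 on usage error, otherwise the pipeline status
# Note: multi-valued keywords (several HostKey lines, for example) only yield
# the first entry, so additional host keys are not inspected by this script.
#######################################
ssh_config_val() {
  local field="$1"
  if [[ -z "$field" ]]; then
    echo "usage: ssh_config_val <keyword>" >&2
    return 2
  fi
  # The keyword is passed to awk via -v and compared as a whole field, so no
  # regex is ever built from caller input.  sshd -T needs root; its errors
  # are deliberately hidden so an unreadable config just shows up as
  # "(not configured)" rows instead of a wall of stderr.
  sshd -T 2>/dev/null | awk -v k="${field,,}" '$1 == k { print $2; exit }'
}

#######################################
# Print a green check mark without a trailing newline.
# Kept for external callers; this script itself uses $GREEN_CHECK directly.
#######################################
green_checkmark() {
  printf "\e[32m✔\e[0m"
}

#######################################
# Print a table showing, for HostKey, HostCertificate and TrustedUserCAKeys,
# whether the configured file exists and what its mode is.  Warns if the
# host private key is readable by "other".
# Globals:  GREEN_CHECK, RED_X, YELLOW_BANG (read)
# Outputs:  a header row plus one row per keyword on stdout; warnings on stderr
#######################################
check_ssh_files() {
  row_success() {
    local key="$1" path="$2" perms
    perms=$(stat -c '%a' -- "$path") || perms="?"
    printf "%-17b %-20s %-6s %s\n" " $GREEN_CHECK" "$key" "$perms" "$path"
  }
  row_fail() {
    local key="$1" path="$2"
    printf "%-15b %-20s %-6s %s\n" " $YELLOW_BANG" "$key" "-" "$path (missing)"
  }
  row_unconfigured() {
    local key="$1"
    printf "%-17b %-20s %-6s %s\n" " $RED_X" "$key" "-" "(not configured)"
  }

  local key path mode
  printf "%-6s %-20s %-6s %s\n" "STATUS" "KEY" "PERMS" "PATH"
  for key in hostkey hostcertificate trustedusercakeys; do
    path=$(ssh_config_val "$key")
    if [[ -z "$path" ]]; then
      row_unconfigured "$key"
    elif [[ -e "$path" ]]; then
      row_success "$key" "$path"
      # The host private key is a long-lived credential: any "other" bit on
      # it means every local account can read it.
      if [[ "$key" == hostkey ]]; then
        mode=$(stat -c '%a' -- "$path" 2>/dev/null) || mode=""
        if [[ -n "$mode" && "${mode: -1}" != 0 ]]; then
          printf '%b\n' "$YELLOW_BANG $path is readable by others (mode $mode); a host private key should not be world-readable" >&2
        fi
      fi
    else
      row_fail "$key" "$path"
    fi
  done
}

#######################################
# Print the fingerprint of the key file behind an sshd keyword.
# Arguments: $1 - keyword (e.g. hostkey)
# Outputs:   the fingerprint (second field of `ssh-keygen -l`) on stdout
# Returns:   2 on usage error, 1 if the keyword is unset or the file is
#            unreadable, otherwise the ssh-keygen pipeline status
# Note: for a private key, ssh-keygen -l appears to fall back to the sibling
# .pub file, which is why `hostkey` works here — confirm on your OpenSSH.
#######################################
ssh_fingerprint() {
  local field="$1" cfg_path
  if [[ -z "$field" ]]; then
    echo "usage: ssh_fingerprint <keyword>" >&2
    return 2
  fi
  cfg_path=$(ssh_config_val "$field")
  if [[ -z "$cfg_path" ]]; then
    echo "error: sshd field '$field' not found or empty" >&2
    return 1
  fi
  if [[ ! -r "$cfg_path" ]]; then
    echo "error: file not readable: $cfg_path" >&2
    return 1
  fi
  ssh-keygen -lf "$cfg_path" | awk '{ print $2 }'
}

#######################################
# Write an sshd drop-in that enables host and user certificates.
# Arguments: $1 - destination path (default /etc/ssh/sshd_config.d/certs.conf)
# Globals:   GREEN_CHECK, YELLOW_BANG (read)
# Returns:   1 if the directory or file cannot be written, else 0
# Security:  TrustedUserCAKeys makes sshd accept ANY user certificate signed
# by that CA key.  Per sshd_config(5), with no AuthorizedPrincipalsFile the
# login name must appear in the certificate's principals — review that and
# guard the CA private key accordingly.  The referenced key/cert files are
# NOT created here; check_ssh_files reports whether they exist.
#######################################
install_cert_config() {
  local base_dir="/etc/ssh/sshd_config.d"
  local cfg_path="${1:-$base_dir/certs.conf}"
  mkdir -p -- "$(dirname -- "$cfg_path")" || return 1
  # Quoted heredoc delimiter: nothing in the body is meant to expand.
  cat > "$cfg_path" <<'EOF' || return 1
TrustedUserCAKeys /etc/ssh/ssh_user_ca.pub
HostKey /etc/ssh/ssh_host_ed25519_key
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
EOF
  chmod 0644 -- "$cfg_path"
  # A drop-in is silently ignored unless the main config includes the
  # directory; warn rather than guess at the distribution's default.
  if ! grep -qiE '^[[:space:]]*Include[[:space:]]+/etc/ssh/sshd_config\.d' /etc/ssh/sshd_config 2>/dev/null; then
    printf '%b\n' "$YELLOW_BANG /etc/ssh/sshd_config does not appear to Include /etc/ssh/sshd_config.d/*.conf; the drop-in may be ignored" >&2
  fi
  printf '%b\n' "$GREEN_CHECK Configured sshd to use and accept SSH certs."
}

#######################################
# Validate the sshd configuration, then restart the running service or offer
# to start it.  Refuses to touch the service when `sshd -t` fails.
# Globals:  GREEN_CHECK, RED_X, YELLOW_BANG (read); REPLY (written by read)
# Returns:  1 if `sshd -t` fails, else the systemctl status
#######################################
restart_sshd() {
  local sshd_pid
  if ! sshd -t; then
    printf '%b\n' "$RED_X sshd configuration failed validation (sshd -t); not restarting." >&2
    return 1
  fi
  if systemctl is-active --quiet sshd; then
    echo "Restarting sshd service..."
    systemctl restart sshd || return
    # Read the PID after the restart so the message names the new process.
    sshd_pid=$(systemctl show --property MainPID --value sshd)
    printf '%b\n' "$GREEN_CHECK Restarted sshd service on PID: $sshd_pid"
  else
    printf '%b\n' "$YELLOW_BANG Not running sshd service"
    read -r -p "Do you want to start sshd? (y/n) " -n 1
    echo
    if [[ $REPLY =~ ^[Yy]$ ]]; then
      systemctl start sshd || return
      printf '%b\n' "$GREEN_CHECK Started sshd"
    fi
  fi
}

#
# Run Process
#

#######################################
# Entry point: offer to install the certificate drop-in, then report the
# configured files and the host key fingerprint.
# Globals:  EUID (read); REPLY (written by read)
#######################################
main() {
  local cfg="/etc/ssh/sshd_config.d/certs.conf"
  if (( EUID != 0 )); then
    printf '%b\n' "$YELLOW_BANG Not running as root: sshd -T cannot read the host keys, so the report below will be incomplete" >&2
  fi
  if ! command -v sshd >/dev/null 2>&1; then
    printf '%b\n' "$RED_X sshd not found in PATH; nothing to inspect" >&2
    exit 1
  fi
  if [[ ! -e "$cfg" ]]; then
    printf '%b\n' "$YELLOW_BANG sshd not configured to use SSH certs"
    read -r -p "Do you want to configure sshd? (y/n) " -n 1
    echo
    if [[ $REPLY =~ ^[Yy]$ ]]; then
      # Only restart if the drop-in was actually written.
      install_cert_config "$cfg" && restart_sshd
    fi
  fi
  check_ssh_files
  echo ""
  echo "Host key fingerprint"
  ssh_fingerprint hostkey
}

main "$@"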