#!/bin/bash
#############################################################
# Script name: random-cert.sh
# Author: Gilles Mouchet (gilles.mouchet@gmail.com
# Version: v1beta 2026-04-28
# Description: Generation certificates randomly
# License: CC BY-NC 4.0 (https://creativecommons.org/licenses/by-nc/4.0/)
#
# This script is provided "as is", WITHOUT ANY WARRANTY OF ANY KIND.
# Commercial use is strictly prohibited without prior authorization.
#
# Changelog
# [1.0.0] - 2026-04-28
# Added:
#   - generation certificates randomly
# Project initialization
#   - initialization by gilles.mouchet@gmail.com
#
############################################################
#
version=1.0.0

############################################################
# FUNCTIONS
############################################################
#-----------------------------------------------------------
# Display usage
usage() {
    cat << EOF
Usage: sudo ./$(basename "$0") options
Template script
Options:
    -g, --generate <number_of_iterations>
            Generate certificat
    -p, --purge 
            Remove all tests certificates
    -h, --help      
            Show this help 
    -v, --version   
            Show script version
EOF
}
#-----------------------------------------------------------
# Create a temporary certificate authority
create_tempo_ca(){
    if [ ! -f "${CRT_CA_PATH}/${CA_CRT}" ]; then
        echo "Creation of a temporary CA"
        SUBJ="/C=CH/ST=Vaud/L=Nyon/O=GMOLab/OU=IT/CN=TempoCA"
        # generating the CA private key
        openssl genrsa \
                -aes256 \
                -passout pass:pa55w0rd \
                -out $KEY_CA_PATH/$CA_KEY \
                4096
        chmod 400 $KEY_CA_PATH/$CA_KEY

        # generating the CA public key
        openssl req -x509 \
                -new \
                -key $KEY_CA_PATH/$CA_KEY \
                -passin pass:pa55w0rd \
                -sha256 \
                -days 3650 \
                -out $CRT_CA_PATH/$CA_CRT \
                -subj "$SUBJ"
        chmod 444 $CRT_CA_PATH/$CA_CRT
    fi
}
#-----------------------------------------------------------
# Generate certificate
generate_cert() {
    local CA_CRT=""
    local CA_KEY=""
    local COMMON_NAME=""
    local DAYS="$DAYS"
    local DNS=()
    local IP_ADDRS=()

    # parsing arguments
    while [[ $# -gt 0 ]]; do
        case "$1" in
            -c) CA_CRT=$2.crt; CA_KEY=$2.key ;shift 2 ;;
            -n) COMMON_NAME="$2"; shift 2 ;;
            -d) DNS_LINE="$COMMON_NAME,$2"; shift 2 ;;
            -i) IP_ADDRS_LINE=("$2"); shift 2 ;;
            -t) DAYS="$2"; shift 2 ;;
            *) echo "Option inconnue: $1"; return 1 ;;
        esac
    done
    IFS=',' read -r -a IP_ADDRS <<< "$IP_ADDRS_LINE"
    IFS=',' read -r -a DNS <<< "$DNS_LINE"
    if [ "${#DNS[@]}" -eq 0 ]; then
        DNS+="$COMMON_NAME"
    fi

    cat > "$CERTS_PATH/${COMMON_NAME}_openssl.cnf" << EOF
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no

[ req_distinguished_name ]
CN = $COMMON_NAME

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
EOF

    # Add san dns"
    idns=1
    for SAN_DNS in "${DNS[@]}"; do
        echo "DNS.$idns = $SAN_DNS" >> "$CERTS_PATH/${COMMON_NAME}_openssl.cnf"
        ((idns++))
    done

    # add san ip
    iip=1
    for SAN_IP in "${IP_ADDRS[@]}"; do
        echo "IP.$iip = $SAN_IP" >> "$CERTS_PATH/${COMMON_NAME}_openssl.cnf"
        ((iip++))
    done

    # create certificate
    echo -e "Generating the private key..."
    openssl genrsa -out "${CERTS_PATH}/${COMMON_NAME}.key" 4096
    
    echo -e "Generating csr file..."
    openssl req -new -key "${CERTS_PATH}/${COMMON_NAME}.key" -out "${CERTS_PATH}/${COMMON_NAME}.csr" -config "$CERTS_PATH/${COMMON_NAME}_openssl.cnf"
    
    echo -e "Signing the certificate with the CA..."
    openssl x509 -req -in "${CERTS_PATH}/${COMMON_NAME}.csr" \
        -CA "$CRT_CA_PATH/$CA_CRT" -CAkey "$KEY_CA_PATH/$CA_KEY" -CAcreateserial \
        -out "${CERTS_PATH}/${COMMON_NAME}.crt" -days "$DAYS" \
        -extensions req_ext -extfile "$CERTS_PATH/${COMMON_NAME}_openssl.cnf" \
        -passin pass:pa55w0rd \
        > /dev/null 2>&1
    rc=$?
    echo -n "Result of certificate signing: "    
    check_rc $rc
}
#-----------------------------------------------------------
# generates a random FQDN
gen_fqdn() {
    local sub_len=$((RANDOM % 8 + 3))
    local name_len=$((RANDOM % 13 + 3))

    local sub=$(tr -dc 'a-z0-9' </dev/urandom | fold -w "$sub_len" | head -n 1)
    local name=$(tr -dc 'a-z0-9' </dev/urandom | fold -w "$name_len" | head -n 1)

    local tld=("com" "net" "org" "io" "ch" "fr")

    echo "tempo-${sub}.${name}.${tld[$((RANDOM % ${#tld[@]}))]}"
}
#-----------------------------------------------------------
# generates a random IP
gen_ip() {
    echo "$((RANDOM % 256)).$((RANDOM % 256)).$((RANDOM % 256)).$((RANDOM % 256))"
}
#-----------------------------------------------------------
# list (fqdn or ip)
gen_list() {
    local type=$1
    local count=$((RANDOM % 3 + 3))
    local list=""

    for ((i=0; i<count; i++)); do
        local item
        [[ "$type" == "fqdn" ]] && item=$(gen_fqdn) || item=$(gen_ip)
        list+="$item"
        [[ $i -lt $((count-1)) ]] && list+=","
    done
    echo "$list"
}
############################################################
# MAIN
############################################################

main(){
    SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
    ROOT_DIR="$(dirname "$SCRIPT_DIR")"
    NAME_CA="tempo_ca"
    CA_CRT="${NAME_CA}.crt"
    CA_KEY="${NAME_CA}.key"

# read library
    source "$ROOT_DIR/lib/stdlib.sh"

# check if param exist
    if [ -z "$1" ]; then
        usage
        exit 1
    fi    
# init config
    init_default 
    init_env
    
# set color
    set_color
    
# check if script is run with sudo
    check_sudo

    while [[ "$#" -gt 0 ]]; do
        case "$1" in
            -g|--generate )
                # check if param $2 exist
                if [ -z "$2" ]; then
                    echo -e "\n${RED}Error: Argument missing for option -g or --generate${NC}\n"
                    usage
                    exit 1
                elif [[ "$2" =~ ^[0-9]+$ ]] && [ "$2" -ge 1 ] && [ "$2" -le "500" ]; then
                    create_tempo_ca
                    for ((i=1; i<=$2; i++)); do
                        args=()
                        fqdn=$(gen_fqdn)
        
                        # -d (50%)
                        if (( RANDOM % 2 )); then
                            args+=("-d" "$(gen_list fqdn)")
                        fi
                
                        # -i (50%)
                        if (( RANDOM % 2 )); then
                            args+=("-i" "$(gen_list ip)")
                        fi
                
                        # -t (50%)
                        if (( RANDOM % 2 )); then
                            args+=("-t" "$((RANDOM % $DAYS + 1))")
                        fi
                
                        echo "[$i/$2] generate_cert -c tempo_ca -n $fqdn ${args[*]}"
                
                        # Appel direct
                        generate_cert -c "tempo_ca" -n "$fqdn" "${args[@]}"
                    #    generate_cert -c gmolab_ca -n vwiy3rv1ui.6zghdqm1p8cj.io -d u0ba3i5rt.asfsdvrmf8iiltd.org,0sit366.w47txhyg.io,4ulkpy6.v39762sriaiy.com,zvw3o0ovee.gqv50o6ge6.io,a57v0x.rs8.net -i 161.21.147.75,81.67.128.79,81.54.192.190,95.116.177.195,13.111.172.161
                    done 
                fi
                shift 2
            ;; 
            -p|purge)
                yes_no "Are you sure to delete all tempo certificates"
                rm -rf "${CERTS_PATH}/tempo-"*
                rm -rf "${CRT_CA_PATH}/${CA_CRT}"
                rm -rf "${CRT_CA_PATH}/${NAME_CA}.srl"
                rm -rf "${KEY_CA_PATH}/${CA_KEY}"
                shift
            ;;   
            -v|--version)
                cat << EOF       
$(basename "$0") $version Copyright (C) 2003 - $(date +%Y) Gilles Mouchet
EOF
                exit
            ;;
            *|-h|--help)
                usage
                exit
            ;;
       esac
    done
}
main "$@"