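#!/bin/bash
#
# Inspection item CheckAllCertificate (CurInspectNum 314): collects the expiry
# date and fingerprint of the product's certificates and keystores and writes
# one verdict line per certificate to RESULTFILE.
# Requires: /opt/huawei/snas/script/inspect_mml/CheckItems (sourced below).
# The original first line lacked the "!" of the shebang, so the kernel could
# not select bash for it; fixed here.

G_INSPECT_MMLPATH="/opt/huawei/snas/script/inspect_mml"
. "$G_INSPECT_MMLPATH/CheckItems"
TMPPATH=$(dirname "$0")

CurInspectNum="314"
CurInspectFun="CheckAllCertificate"
LOGPATH="/tmp/tmp${CurInspectFun}"
RESULTFILE="/tmp/tmpResult${CurInspectFun}"
# NOTE(review): both paths are fixed names in the shared /tmp directory. If the
# inspection runs with elevated privileges on a host where other accounts can
# create entries there, a pre-placed file or symlink at this name is followed
# by the truncation below; a private directory (mktemp -d) would be safer,
# provided the consumers of RESULTFILE can be told the new location.
: >"$RESULTFILE"

isPass=0
# Certificates every node type must report on.
AllNodeNeedPemList="/opt/huawei/snas/etc/sslcert.pem /opt/huawei/snas/etc/cert/alarm/cacert.pem /opt/huawei/snas/etc/cert/password/cacert.pem /opt/huawei/snas/etc/cert/emui/cacert.pem /opt/huawei/deploy/etc/Equipment_Root_CA.der /opt/huawei/deploy/etc/IT_Product_CA.cer /etc/softcert/HuaweiRootCA.der /opt/huawei/deploy/etc/cluster_ca.cer /opt/huawei/deploy/etc/cluster_cert.pem"
# Certificates only reported by sub-domain 0 (see main).
DomainZeroPemList="/opt/huawei/deploy/etc/toolkit_dep_cert.pem /opt/deviceManager/apache/conf/cert_en.pem"
# Keystores only reported by sub-domain 0; read through KeyStoreGet.
DominkeyStorelist="/opt/Runtime/tomcat7/cert/ToolKitDeploy.keystore /opt/Runtime/tomcat7/cert/IT_CA.keystore /opt/Runtime/tomcat7/conf/server.keystore"
# Keystores specific to UDS/S3 nodes; read through KeyStoreGet.
S3keyStorelist="/opt/obs/service/osc/etc/keystore /opt/obs/service/poe/etc/keystore /opt/obs/service/dcm/etc/keystore"
# PEM certificate specific to UDS/S3 nodes.
S3PemList="/var/uds/user/data_upf/server.crt"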

#NoReplaceCertiList="/opt/huawei/deploy/etc/Equipment_Root_CA.der /opt/huawei/deploy/etc/IT_Product_CA.cer /etc/softcert/HuaweiRootCA.der /opt/huawei/deploy/etc/cluster_ca.cer /opt/huawei/deploy/etc/cluster_cert.pem /opt/huawei/deploy/etc/toolkit_dep_cert.pem /opt/deviceManager/apache/conf/cert_en.pem /opt/Runtime/tomcat7/cert/IT_CA.keystore"

# Switch IFS to newline only, so multi-line command output is split into whole
# lines; the previous IFS is kept in the global IFS_OLD for restore_ifs.
set_ifs() {
    IFS_OLD="$IFS"
    IFS=$'\n'
}

# Put back the IFS that set_ifs saved in the global IFS_OLD.
restore_ifs() {
    IFS="$IFS_OLD"
}

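#######################################
# Decide whether this node is a UDS/S3 node.
# Arguments: $1 - optional path of the snas.ini to read
#                 (default /opt/huawei/snas/etc/snas.ini)
# Outputs:   "0"    - UDS/S3 node: productType 80, or productType 48 whose
#                     node_service_type is not 1
#            "1"    - any other node
#            "NULL" - config file missing, or productType / node_service_type
#                     not found in it
# Returns:   0; the verdict is the printed string
#######################################
CheckNodeServiceType() {
    local cfgfile="${1:-/opt/huawei/snas/etc/snas.ini}"
    local UDS_Type="80"
    local DFS_Type="48"
    local DFS_ServiceType="1"
    local ProductType nodeServiceType

    if [ ! -f "${cfgfile}" ]; then
        echo "NULL"
        return
    fi
    # Substring match kept from the original: any line containing productType.
    ProductType=$( grep productType "${cfgfile}" | awk -F= '{print $2}' )
    if [ -z "${ProductType}" ]; then
        echo "NULL"
        return
    fi
    if [[ "${ProductType}" == "${UDS_Type}" ]]; then
        echo 0
        return
    fi
    if [[ "${ProductType}" == "${DFS_Type}" ]]; then
        nodeServiceType=$( grep node_service_type "${cfgfile}" | awk -F= '{print $2}' )
        if [ -z "${nodeServiceType}" ]; then
            echo "NULL"
            return
        fi
        # A type-48 node whose service type is not 1 also counts as UDS/S3.
        if [[ "${nodeServiceType}" != "${DFS_ServiceType}" ]]; then
            echo 0
            return
        fi
    fi

    echo 1
}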

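#######################################
# Print the SubDomain value from cm.ini.
# Arguments: $1 - optional path of the cm.ini to read
#                 (default /opt/huawei/snas/etc/cm.ini)
# Outputs:   the text after "=" on the line(s) containing "SubDomain", or
#            "NULL" when the file or the key is missing
# Returns:   0; the verdict is the printed string
#######################################
GetDomain() {
    local cfgfile="${1:-/opt/huawei/snas/etc/cm.ini}"
    local SubDomain

    if [ ! -f "${cfgfile}" ]; then
        echo "NULL"
        return
    fi
    # Substring match kept from the original: any line containing SubDomain.
    SubDomain=$( grep SubDomain "${cfgfile}" | awk -F= '{print $2}' )
    if [ -z "${SubDomain}" ]; then
        echo "NULL"
        return
    fi
    echo "${SubDomain}"
}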


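#######################################
# Print one "name=<path>;DeadLine=<notAfter>;Key=<fingerprint>" record per
# certificate path in a whitespace-separated list.
# Arguments: $1 - whitespace-separated list of certificate files
# Outputs:   one record per path on stdout. DeadLine and Key are "NA" when the
#            file is missing or openssl cannot read the value; such files are
#            still reported instead of being silently dropped. Diagnostics go
#            to stderr so they never pollute the record stream that main parses.
# Returns:   0
#######################################
_getPemInfoList() {
    local item deadline shakey

    for item in $1; do
        if [ ! -f "${item}" ]; then
            echo "name=${item};DeadLine=NA;Key=NA"
            continue
        fi
        # Assigned outside 'local' and without a pipe so the status tested is
        # openssl's own (the old 'local x=$(cmd | awk)' always saw status 0).
        if ! deadline=$( openssl x509 -enddate -noout -in "${item}" 2>/dev/null ) \
           || [ -z "${deadline#*=}" ]; then
            printf 'get %s deadline failed\n' "${item}" >&2
            echo "name=${item};DeadLine=NA;Key=NA"
            continue
        fi
        deadline="${deadline#*=}"   # strip the "notAfter=" label

        if ! shakey=$( openssl x509 -fingerprint -noout -in "${item}" 2>/dev/null ) \
           || [ -z "${shakey#*=}" ]; then
            printf 'get %s fingerprint failed\n' "${item}" >&2
            echo "name=${item};DeadLine=${deadline};Key=NA"
            continue
        fi
        shakey="${shakey#*=}"       # strip the "... Fingerprint=" label

        echo "name=${item};DeadLine=${deadline};Key=${shakey}"
    done
}

#######################################
# Records for the certificates every node type must report on.
# Arguments: $1 - optional list overriding AllNodeNeedPemList
#######################################
getALLPem() {
    _getPemInfoList "${1:-${AllNodeNeedPemList}}"
}

#######################################
# Records for the certificate specific to UDS/S3 nodes.
# Arguments: $1 - optional list overriding S3PemList
#######################################
getS3Pem() {
    _getPemInfoList "${1:-${S3PemList}}"
}

#######################################
# Records for the certificates only sub-domain 0 has to report.
# Arguments: $1 - optional list overriding DomainZeroPemList
#######################################
getZeroPemCerti() {
    _getPemInfoList "${1:-${DomainZeroPemList}}"
}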


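#######################################
# Shift an epoch-seconds value by the host's current UTC offset: subtract the
# offset for zones east of UTC (+hhmm), add it for zones west of UTC (-hhmm).
# Arguments: $1 - integer seconds
# Outputs:   the shifted value; nothing when $1 is missing or not an integer
#            (the old code printed "0 - offset" for an empty argument)
# Returns:   0 on success, 1 on bad input
#######################################
getTimeZoneDiffSeconds() {
    local timeSeconds="${1-}"
    local curTimeZone curTimeZoneSign curTimeZoneHour curTimeZoneMin diffSeconds

    if [[ ! "${timeSeconds}" =~ ^-?[0-9]+$ ]]; then
        return 1
    fi
    curTimeZone=$(date +%z)                 # e.g. +0800 or -0530
    curTimeZoneSign="${curTimeZone:0:1}"
    curTimeZoneHour="${curTimeZone:1:2}"
    curTimeZoneMin="${curTimeZone:3:2}"
    # 10# forces decimal so zero-padded fields such as "08" are not read as
    # octal; this replaces the dependency on the external bc tool.
    diffSeconds=$(( 10#${curTimeZoneHour} * 3600 + 10#${curTimeZoneMin} * 60 ))
    if [ "${curTimeZoneSign}" == "+" ]; then
        timeSeconds=$(( timeSeconds - diffSeconds ))
    else
        timeSeconds=$(( timeSeconds + diffSeconds ))
    fi
    echo "${timeSeconds}"
}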

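#######################################
# Index of the first element of the global checkVerArray equal to $1.
# Globals:   checkVerArray (read) - words of the "ProductVer" line of
#            Certificate.conf, filled in by CheckCertificate
# Arguments: $1 - value to look for (the product version)
# Outputs:   zero-based index of the first match, or the array length when
#            there is no match
# Returns:   0
#######################################
getVerArrayIndex() {
    local rec="$1"      # was an unintended global in the old code
    local index=0
    local item

    for item in "${checkVerArray[@]}"; do
        if [ "$rec" = "$item" ]; then
            break
        fi
        index=$((index + 1))
    done

    echo "$index"
}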

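#######################################
# Classify one certificate record (expiring soon? still the default one?) and
# append the verdict to RESULTFILE.
# Globals:   curtime (read)          - epoch seconds at script start
#            productversion (read)   - selects the column of Certificate.conf
#            G_INSPECT_MMLPATH (read), RESULTFILE (written)
#            checkVerArray (written) - consumed by getVerArrayIndex
# Arguments: $@ - one record "name=<path>;DeadLine=<notAfter>;Key=<fingerprint>"
#                 as produced by getALLPem / getS3Pem / getZeroPemCerti /
#                 KeyStoreGet
# Outputs:   appends one line
#            "CerName:..||IsSoonOutTime:..||ExpirationTime:..||IsDefaultCertificate:..||key:.."
#            to RESULTFILE.
#            IsSoonOutTime: YES when the certificate expires within ExpirTime
#              (180 days) of curtime, NO otherwise, NA when no expiry was read,
#              "--" when the expiry string could not be parsed.
#            IsDefaultCertificate: YES/NO against the built-in fingerprint lists
#              (or the Certificate.conf column for productversion); NA when the
#              certificate is not listed in Certificate.conf, the ProductVer
#              line is missing, or no fingerprint is available.
# Notes:     expects IFS=$'\n' on entry (main sets it via set_ifs); the saved
#            IFS is restored while config lines are word-split into arrays and
#            the newline IFS is put back before returning.
#######################################
CheckCertificate() {
    local CertiInfo="$*"
    local EXPAND_CONFIG_FILE="${G_INSPECT_MMLPATH}/Certificate.conf"
    local ExpirTime="15552000"  # 180*24*60*60 seconds
    local CertiTime=""
    local tmpDeadline=""
    local isDefaultCerti="YES"
    local IsSoonOutTime="NO"
    local zt="" passtime=0 knownList=""
    local checkCertiValueInfo="" checkVerInfo="" itemIndex="" DefSHA=""
    # Fingerprints of the factory (default) certificates, by certificate type.
    local sslcertSHAList="C8:E9:25:F7:34:9D:28:F9:D3:D2:8E:F9:2C:63:90:47:2D:B9:A4:D6 5C:D4:A7:E7:81:B4:F4:F8:35:21:5C:80:6C:B7:B1:C0:E5:8E:CD:24 C3:9E:9D:9E:90:EF:48:13:88:CD:21:5A:41:3F:C2:9B:53:F8:99:50 17:EF:D7:AF:65:D4:21:0E:8B:B9:EA:30:6C:1D:E1:47:B1:CF:06:31"
    local cacertSHAList="3D:8B:B7:90:4D:23:AC:85:51:F7:CC:C2:BF:36:D1:9E:11:10:EE:7D EC:27:82:F7:77:29:BD:94:4D:F5:15:AB:40:16:DD:E5:8C:7B:72:8A 60:B2:B7:BE:EF:2F:83:2C:59:6E:FF:75:CD:4C:F8:2B:19:B0:79:04"
    local clustercertSHAList="F5:CC:07:B0:CC:62:AF:12:87:04:07:F0:5A:30:BA:53:C8:5D:E9:AC 8C:FF:D5:12:F1:73:57:6B:E5:20:E4:CF:64:D6:34:FF:89:1C:2F:FB"
    local keystoreSHAList="FD:FA:98:99:36:B6:DC:00:B1:0A:91:10:CE:F7:8C:CF:AD:19:CA:EB AB:73:D3:8A:F5:BC:23:41:9E:24:91:E4:1A:66:EA:95:26:1C:CE:23 27:69:80:AD:75:16:90:50:87:9B:2F:42:C6:0C:29:82:DF:A7:55:1B"

    local CerName Deadline SHAkey
    CerName=$( echo "${CertiInfo}" | awk -F";" '{print $1}' | awk -F"=" '{print $2}' )
    Deadline=$( echo "${CertiInfo}" | awk -F";" '{print $2}' | awk -F"=" '{print $2}' )
    SHAkey=$( echo "${CertiInfo}" | awk -F";" '{print $3}' | awk -F"=" '{print $2}' )

    # --- expiry check -------------------------------------------------------
    if [ "${Deadline}" == "NA" ]; then
        IsSoonOutTime="NA"
    else
        if ! CertiTime=$( date -d "${Deadline}" +%s 2>/dev/null ); then
            # date rejected the string (typically its zone abbreviation):
            # replace the first upper-case token with UTC, parse as UTC and
            # shift by the local offset, as the original logic did.
            # NOTE(review): 'date -u ... +%s' already yields absolute epoch
            # seconds, so the extra shift looks suspicious; confirm the intent
            # before trusting YES/NO verdicts produced through this path.
            zt=$( echo "${Deadline}" | grep -Eo '[A-Z]{2,9}' | head -n1 )
            if [ -n "${zt}" ]; then
                tmpDeadline="${Deadline//${zt}/UTC}"
                if CertiTime=$( date -u -d "${tmpDeadline}" +%s 2>/dev/null ) \
                   && [ -n "${CertiTime}" ]; then
                    CertiTime=$( getTimeZoneDiffSeconds "${CertiTime}" )
                fi
            fi
        fi
        if [ -z "${CertiTime}" ]; then
            IsSoonOutTime="--"
        else
            passtime=$(( CertiTime - curtime ))
            if (( passtime <= ExpirTime )); then
                IsSoonOutTime="YES"
            fi
        fi
    fi

    # --- default-certificate check ------------------------------------------
    # Word-split on the caller's saved IFS while building arrays from
    # Certificate.conf; the newline IFS is put back below.
    restore_ifs
    checkCertiValueInfo=$( grep -F -- "${CerName}" "${EXPAND_CONFIG_FILE}" 2>/dev/null )
    if [ -z "${checkCertiValueInfo}" ]; then
        isDefaultCerti="NA"
    else
        checkVerInfo=$( grep -w "ProductVer" "${EXPAND_CONFIG_FILE}" )
        if [ -z "${checkVerInfo}" ]; then
            isDefaultCerti="NA"
        else
            checkVerArray=( ${checkVerInfo} )   # global: read by getVerArrayIndex
            itemIndex=$( getVerArrayIndex "${productversion}" )
            local checkCertiValueArray=( ${checkCertiValueInfo} )
            DefSHA="${checkCertiValueArray[${itemIndex}]}"

            case "${CerName}" in
                *sslcert.pem*)      knownList="${sslcertSHAList}" ;;
                *cacert.pem*)       knownList="${cacertSHAList}" ;;
                *server.keystore*)  knownList="${keystoreSHAList}" ;;
                *cluster_cert.pem*) knownList="${clustercertSHAList}" ;;
            esac

            if [ -z "${SHAkey}" ] || [ "${SHAkey}" == "NA" ]; then
                # No fingerprint, no verdict. (An empty SHAkey used to match
                # every list, because [[ x =~ "" ]] is always true.)
                isDefaultCerti="NA"
            elif [ -n "${knownList}" ]; then
                if [[ "${knownList}" == *"${SHAkey}"* ]]; then
                    isDefaultCerti="YES"
                else
                    isDefaultCerti="NO"
                fi
            elif [ "${SHAkey}" != "${DefSHA}" ]; then
                isDefaultCerti="NO"
            fi
        fi
    fi
    set_ifs

    echo "CerName:${CerName}||IsSoonOutTime:${IsSoonOutTime}||ExpirationTime:${Deadline}||IsDefaultCertificate:${isDefaultCerti}||key:${SHAkey}" >>"${RESULTFILE}" 2>&1
}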

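#######################################
# Feed every line of $1 to CheckCertificate with IFS set to newline, so a
# record whose expiry date contains spaces stays a single argument.
# Arguments: $1 - newline-separated certificate records
# Globals:   IFS via set_ifs / restore_ifs
#######################################
_checkCertiLines() {
    local Certi
    set_ifs
    for Certi in $1; do
        CheckCertificate "${Certi}"
    done
    restore_ifs
}

#######################################
# Run one inspection pass: gather the certificate records that apply to this
# node and hand each one to CheckCertificate.
# Globals:   IS_S3, subDomain, G_INSPECT_MMLPATH, S3keyStorelist,
#            DominkeyStorelist (read)
#######################################
main() {
    # Certificates present on every node type.
    _checkCertiLines "$( getALLPem )"

    # Certificates and keystores specific to UDS/S3 nodes.
    if [ "${IS_S3}" == "0" ]; then
        _checkCertiLines "$( getS3Pem )"
        _checkCertiLines "$( "${G_INSPECT_MMLPATH}/KeyStoreGet" "${S3keyStorelist}" )"
    fi

    # Certificates and keystores that only sub-domain 0 has to report.
    if [ "${subDomain}" == "0" ]; then
        _checkCertiLines "$( getZeroPemCerti )"
        _checkCertiLines "$( "${G_INSPECT_MMLPATH}/KeyStoreGet" "${DominkeyStorelist}" )"
    fi
}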

# Node facts gathered once and read as globals by CheckCertificate and main.
curtime="$( date +%s )"
subDomain="$( GetDomain )"
IS_S3="$( CheckNodeServiceType )"
productversion="$( grep "ProductVersion" /opt/huawei/deploy/package/version | awk -F= '{print $2}' )"
main

