#!/bin/bash

# Setting up TLS certificate if provided
DEFAULT_CERT_PATH="${TLS_CERT_DIRECTORY}/gateway_cert.pem"
CERT_PATH="${TLS_CERT_PATH}"
PROXY_CONF_FILE="${LUNAR_HAPROXY_CONFIG}"
PROXY_HTTPS_ENABLED='bind *:443 ssl crt "${TLS_CERT_PATH}" ssl-min-ver TLSv1.2'
mTLS_CONFIG=$LUNAR_PROXY_POLICIES_CONFIG

# Check if flows feature flag is enabled, if it is then use the new gateway_config.yaml file
if [ "$LUNAR_STREAMS_ENABLED" = "true" ]; then
    mTLS_CONFIG="$LUNAR_PROXY_CONFIG_DIR/gateway_config.yaml"
fi

# Check if CERT_PATH is empty
if [ -z "$CERT_PATH" ]; then
    CERT_PATH="$DEFAULT_CERT_PATH"
fi

if [ -f "$CERT_PATH" ]; then
    echo "*** TLS certificate found ***"
    echo "Certificate found at $CERT_PATH"
    echo "Using certificate for HTTPS configuration in LunarProxy"
    echo "*** TLS certificate found ***"
    awk -v replacement="$PROXY_HTTPS_ENABLED" '{gsub(/# _ # Lunar_HTTPS_Binder # _ #/, replacement); print}' "$PROXY_CONF_FILE" > modified_haproxy_cfg && mv modified_haproxy_cfg "$PROXY_CONF_FILE"
else
    if [ "$CERT_PATH" != "$DEFAULT_CERT_PATH" ]; then
        # If the certificate path is not the default path and the certificate is not found, then log a warning
        echo "*** TLS certificate not found ***"
        echo "No certificate found at $CERT_PATH"
        echo "Using default HTTP configuration in Lunar Proxy"
        echo "*** TLS certificate not found ***"
        echo ""
    fi
fi

# Setting up mTLS certificate if provided
MAP_FILE="/etc/haproxy/maps/mtls.map"
> "$MAP_FILE"


if [ -f "$mTLS_CONFIG" ]; then
    yq e '.mTLS[] | .domain + " " + (.cert // "")' "$mTLS_CONFIG" >> "$MAP_FILE"
else
    echo "Configuration file not found: $mTLS_CONFIG"
fi

if [[ -s "$MAP_FILE" ]]; then
    echo "Extracting mTLS configuration from configuration file: $mTLS_CONFIG"
    echo "mTLS configuration:"
    mtls_configured=false
    missing_certs=()
    if [ -f "$mTLS_CONFIG" ]; then
        while read -r domain cert ca; do
            if [ ! -f "$cert" ]; then
                missing_certs+=("Certificate '$cert' for domain: '$domain' not found.")
                continue
            fi

            modified_crt="crt $cert"
            mtls_configured=true
            section="backend $domain
            mode http
            server clear $domain:443 ssl verify required $modified_crt verify none sni str($domain)

            "

            # Check if the domain is already in the configuration file
            if grep -q "backend $domain" "$LUNAR_HAPROXY_CONFIG"; then
                continue
            fi

            echo "Adding mTLS configuration for $domain with cert $cert"
            awk -v replacement="$section" '
            {
                # If we find the placeholder, insert the replacement data first
                if ($0 ~ /# _ # Lunar_mTLS_Backend_Binder # _ #/) {
                    print replacement
                }
                print
            }' "$LUNAR_HAPROXY_CONFIG" > modified_haproxy_cfg && mv modified_haproxy_cfg "$LUNAR_HAPROXY_CONFIG"
        done < <(yq eval '.mTLS[] | .domain + " " + .cert + " " + (.ca // "nil")' "$mTLS_CONFIG")

        if ! $mtls_configured; then
            echo "------------------------------------------------------ mTLS Disabled ------------------------------------------------------"
            echo "mTLS certificate files configured in $mTLS_CONFIG not found, this will result in mTLS not being enabled"
            echo "Please ensure all mTLS certificate files are present and try again"
        else
            if [ ${#missing_certs[@]} -gt 0 ]; then
                echo "------------------------------------------------------ mTLS Warning ------------------------------------------------------"
                echo "Some mTLS certificate files configured in $mTLS_CONFIG were not found, this will result in unsupported mTLS providers"
                echo "Please ensure all mTLS certificate files are present and try again"
                echo "Missing certificates:"
                for cert in "${missing_certs[@]}"; do
                    echo "$cert"
                done
            else
                echo "------------------------------------------------------ mTLS Status ------------------------------------------------------"
                echo "mTLS configuration loaded"
            fi   
        fi
        echo "---------------------------------------------------------------------------------------------------------------------------"
    else
        echo "mTLS configuration file not found: $mTLS_CONFIG"
    fi
fi