#!/usr/local/cpanel/3rdparty/bin/perl

# cpanel - scripts/ssl_crt_status                  Copyright 2022 cPanel, L.L.C.
#                                                           All rights reserved.
# copyright@cpanel.net                                         http://cpanel.net
# This code is subject to the cPanel license. Unauthorized copying is prohibited

package scripts::ssl_crt_status;

use strict;
use warnings;

use Cpanel::SSLPath                 ();
use Cpanel::SSLInfo                 ();
use Getopt::Param                   ();
use Cpanel::StringFunc              ();
use Cpanel::ArrayFunc               ();
use Term::ANSIColor                 ();
use Cpanel::Config::LoadUserDomains ();
use Cpanel::Hostname                ();

# Modulino: run the report only when executed directly, not when loaded
# by another package (for example a test).
__PACKAGE__->run() unless caller();

# Print $text wrapped in the given ANSI color, then reset the terminal
# attributes so later output is not tinted.
sub _print_colored {
    my ( $color, $text ) = @_;

    print Term::ANSIColor::color($color);
    print $text;
    print Term::ANSIColor::color('reset');

    return;
}

# Report the verification status of the SSL certificate of every selected
# domain on STDOUT.
#
# Domains come from the --domain flags when any are given; otherwise the
# server hostname plus every non-wildcard key returned by loaduserdomains().
#
# Always returns 1. Verification failures are reported on STDOUT only; this
# sub does not turn them into a different return value or exit status, so
# anything monitoring this script has to look at its output.
sub run {
    my $show_help = sub {
        print <<"END_HELP";
$0 - give a status report of the server's SSL certificates

  --help          this screen
  --verbose       show more than just errors
  --verbose=long  include verification result of valid crts

By default it will check every domain, you can specify one or more specific domains to check by passing one or more --domain flags:

  --domain=your.domain.here --domain=other.domain.here
END_HELP
        exit;
    };

    my $param = Getopt::Param->new(
        {
            'quiet'        => 0,
            'help_coderef' => $show_help,
        }
    );

    my $debug   = $param->get_param('debug');
    my $verbose = $param->get_param('verbose');

    # Collect the candidate names first, then de-duplicate them.
    my @candidates;
    if ( $param->exists_param('domain') ) {
        @candidates = $param->get_param('domain');
    }
    else {
        # Keys starting with "*" (wildcard entries) are skipped.
        @candidates = (
            Cpanel::Hostname::gethostname(),
            grep { !/^\*/ } sort keys %{ Cpanel::Config::LoadUserDomains::loaduserdomains( undef, 1 ) }
        );
    }
    my @domains = Cpanel::ArrayFunc::uniq_from_arrayrefs( \@candidates );

    # A literal "--domain" among the values means the flag was written as
    # "--domain fqdn" rather than "--domain=fqdn"; explain and show the help
    # (whose coderef exits).
    if ( grep { /^--domain$/ } @domains ) {
        print "Domain must be unambiguously specified in this format --domain=fqdn.tld\n\n";
        $param->help();
    }

    my $sslroot = Cpanel::SSLPath::getsslroot();
    if ($verbose) {
        print "[info] SSL root: $sslroot\n";
    }

    # Data::Dumper is only needed for --debug, so it is loaded on demand.
    require Data::Dumper if $debug;

    # fetchinfo() and verifysslcert() can write to STDERR, so STDERR is
    # pointed at /dev/null for the rest of the run.
    # NOTE(review): from here on Perl warnings and die() messages are
    # discarded as well, and the reopen is deliberately unchecked - a failure
    # after this point is only visible through what the loop prints.
    close STDERR;    # just to be on the safe side
    open STDERR, '>', '/dev/null';    ## no critic qw(InputOutput::RequireCheckedOpen)

  DOMAIN:
    for my $domain (@domains) {
        my $ssl_info_hr = Cpanel::SSLInfo::fetchinfo($domain);

        # NOTE(review): the dumped structure contains the 'key' entry that is
        # handed to verifysslcert() below - presumably the private key - so
        # --debug output should be treated as sensitive and kept out of
        # shared logs and tickets.
        print Data::Dumper::Dumper($ssl_info_hr) if $debug;

        # Only this exact status message counts as "no certificate"; any
        # other status message falls through to verification.
        if ( $ssl_info_hr->{'statusmsg'} =~ /^No certificate for the domain \S+ could be found[.]$/ ) {
            _print_colored( 'bold blue', "Ok: $domain does not have an SSL crt\n" ) if $verbose;
            next DOMAIN;
        }

        my ( $rc, $msg ) = Cpanel::SSLInfo::verifysslcert(
            $sslroot,
            $ssl_info_hr->{'crt'},
            $ssl_info_hr->{'key'},
            $ssl_info_hr->{'cab'},
            1,    # makes verifysslcert() not do any print()s
            1,    # makes verifysslcert() return plain text instead of HTML
        );

        # Failures are always reported, whatever the verbosity.
        if ( !$rc ) {
            _print_colored( 'bold red', "Error: $domain SSL crt verification failed:\n" );
            print Cpanel::StringFunc::indent_string($msg) . "\n";
            next DOMAIN;
        }

        # Successes are only mentioned with --verbose; --verbose=long also
        # prints the verification text.
        next DOMAIN if !$verbose;

        _print_colored( 'bold green', "Ok: $domain SSL crt verified\n" );
        if ( $verbose eq 'long' ) {
            print Cpanel::StringFunc::indent_string($msg) . "\n";
        }
    }

    return 1;
}

1;