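#!/usr/bin/perl -w

=head1 NAME

B<dh_sslcert2> - sets up the package to use the ssl-cert2 framework

=cut

use strict;
use Debian::Debhelper::Dh_Lib;

=head1 SYNOPSIS

B<dh_sslcert2> [S<I<debhelper options>>]

=head1 DESCRIPTION

B<dh_sslcert2> is a debhelper program that automatically adds calls to
postinst and postrm to use the ssl-cert2 framework. It also adds a dependency
on ssl-cert2 to ${misc:Depends}.

If you wish to have your certificate or key in a different place then set the
variables $SSL_CERT2_CERT_LOCATION and $SSL_CERT2_KEY_LOCATION in your postinst
before the #DEBHELPER# tag. These locations will then be used.

If you want to override the defaults for certain things about the certificate
then you can use a debian/package.certificate or debian/certificate file.
This file resembles debian/control, i.e.

    Owner: www-data
    Group: www-data
    Permissions: 0600

see /usr/share/doc/ssl-cert2/examples/certificate for examples of all the
fields. Every field is optional. The meaning of the fields is

Service: The service name you would like to be registered under. If you do
not set Certificate or Key then they will be named $service.pem in their
respective directories, if $service is the value you use for this field. If
you don't use this field then the name of the package will be used instead.

Certificate: The absolute path of the file that you would like to contain the
certificate.

Key: The absolute path of the file that you would like to contain the secret
key.

Owner: The user that you would like the key to be owned by. This can only be
done if the admin has chosen to use separate certificates, which is not the
default, so you should expect it not to be honoured.

Group: The group that should own the key. Again this requires the admin to
have set it up, so assume that it is at its default value of ssl-cert. You
should add users that need to access it to this group.

Permissions: The permissions that should be placed on the key, in numeric
form. Again, this is honoured at the admin's discretion, so you should not
rely on it being fulfilled.

The values are copied into the generated postinst and postrm, which run as
root when the package is installed or purged. B<dh_sslcert2> therefore stops
the build if a value does not have the expected shape: Service may contain
letters, digits and C<+._-> and must start with a letter or digit;
Certificate and Key must be absolute paths made of letters, digits and
C<+._-/>; Owner and Group may contain letters, digits, C<_> and C<->, and must
not start with C<->; Permissions must be three or four octal digits.

=head1 OPTIONS

=over 4

=item B<-n>, B<--noscripts>

Do not modify postinst/postrm scripts.

=back

=head1 EXAMPLES

=over 4

=item dh_sslcert2 -pfoo

Assuming this is a package named foo, generates a postinst snippet that looks
something like:

    if [ "$1" = "configure" ]; then
        make-ssl-cert2 foo
    fi

and a snippet in postrm that looks like

    if [ "$1" = "purge" ]; then
        make-ssl-cert2 -r foo || true
    fi

Which will create a certificate named /etc/ssl/certs/foo.pem and an associated
key /etc/ssl/private/foo.pem

It is a good idea to use the -p option with this command, as otherwise there
would be a cert created for each binary package.

=back

=head1 NOTES

=over 4

If your package creates a user that must have access to the key file then it
must be a member of the ssl-cert group.

=back

=cut

init();

# Allowlists for everything that is substituted into the maintainer-script
# templates.  The values come from a file in debian/ and end up (a) inside a
# sed program that autoscript() runs -- through a shell command line in the
# Dh_Lib versions that take a string here; confirm for the version in use --
# and (b) in postinst/postrm, which the package manager runs as root.  None
# of the sets contains a shell metacharacter, whitespace, '\', '&', or the
# '|' used as the sed delimiter below, so a value can neither end the sed
# expression early nor add words or commands to the generated script.
my $SERVICE_RE = qr/\A[A-Za-z0-9][A-Za-z0-9+._-]*\z/;
my $PATH_RE    = qr{\A/[A-Za-z0-9+._/-]+\z};
my $NAME_RE    = qr/\A[A-Za-z0-9_][A-Za-z0-9_-]*\z/;    # no leading '-': must not read as an option
my $PERMS_RE   = qr/\A[0-7]{3,4}\z/;                    # octal mode, e.g. 0600

foreach my $package (@{$dh{DOPACKAGES}}) {
    next if is_udeb($package);

    my $tmp  = tmpdir($package);
    my $file = pkgfile($package, "certificate");

    # Field name => value.  Service defaults to the package name; an empty
    # string means "not given, let ssl-cert2 use its default".
    my %value = (
        Service     => $package,
        Certificate => "",
        Key         => "",
        Owner       => "",
        Group       => "",
        Permissions => "",
    );

    if ($file) {
        # Three-argument open with a lexical handle: the file name is never
        # interpreted as a mode or a command.  $! carries the OS error.
        open(my $in, '<', $file) || error("cannot read $file: $!");
        while (my $line = <$in>) {
            chomp $line;
            next if $line =~ /\A\s*\z/;    # blank lines carry no field

            if ($line =~ m/\A(\w+):\s*(.*\S)\s*\z/) {
                my ($field, $content) = ($1, $2);
                if (exists $value{$field}) {
                    $value{$field} = $content;
                }
                else {
                    warning("Unknown field: $field");
                }
            }
            else {
                warning("Invalid field format $line.");
            }
        }
        close($in);
    }

    # Validate every value before any of it is written anywhere.  Optional
    # fields are only checked when they were actually supplied, so a file
    # that sets a single field is accepted.
    if ($value{Service} !~ $SERVICE_RE) {
        error("Invalid Service: $value{Service}");
    }
    foreach my $field (qw(Certificate Key)) {
        if ($value{$field} ne "" && $value{$field} !~ $PATH_RE) {
            error("Invalid $field: $value{$field}");
        }
    }
    if ($value{Permissions} ne "" && $value{Permissions} !~ $PERMS_RE) {
        error("Invalid Permissions: $value{Permissions}");
    }
    foreach my $field (qw(Owner Group)) {
        if ($value{$field} ne "" && $value{$field} !~ $NAME_RE) {
            error("Invalid $field: $value{$field}");
        }
    }

    if (! -d "$tmp/DEBIAN") {
        doit("install", "-d", "$tmp/DEBIAN");
    }

    if (! $dh{NOSCRIPTS}) {
        # Command-line option that introduces each optional value in the
        # generated make-ssl-cert2 call; an unset field expands to nothing.
        my %flag_for = (
            Owner       => "-o",
            Group       => "-g",
            Permissions => "-p",
            Certificate => "-c",
            Key         => "-k",
        );
        my %arg = map {
            $_ => ($value{$_} ne "" ? "$flag_for{$_} $value{$_}" : "")
        } keys %flag_for;

        # '|' is the delimiter because Certificate and Key are absolute
        # paths: with '/' as the delimiter the first slash of the path
        # would terminate the replacement and sed would reject the program.
        my @substitutions = (
            [ SERVICE  => $value{Service} ],
            [ OWNER    => $arg{Owner} ],
            [ GROUP    => $arg{Group} ],
            [ PERMS    => $arg{Permissions} ],
            [ CERTFILE => $arg{Certificate} ],
            [ KEYFILE  => $arg{Key} ],
        );
        my $sed = join ";", map { "s|#$_->[0]#|$_->[1]|g" } @substitutions;

        autoscript($package, "postinst", "postinst-sslcert2", $sed);
        autoscript($package, "postrm", "postrm-sslcert2", $sed);
        addsubstvar($package, "misc:Depends", "ssl-cert2");
    }
}

=head1 SEE ALSO

L<debhelper(7)>

=for comment
The second cross-reference of this section is missing from this copy of the
file; restore it from the upstream source.

This program is a part of debhelper.

=head1 AUTHOR

James Westby

=cut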