#!/bin/sh

SCRIPT="$(basename $0)"

usage() {
cat <<EOH
Downloads and installs the latest version of the System CA Certificates.

Usage: $0 [options]

Options:
 -v  Verbose mode
 -C  Adds or removes the scheduled monthly cron job
 -U  Download the latest version of $SCRIPT from GitHub

EOH
exit
}

upgrade() {
  RESPONSE_CODE=$(curl -kLsI -o /dev/null -w '%{http_code}' https://raw.githubusercontent.com/seud0nym/tch-gui-unhide/master/utilities/$SCRIPT)
  if [ "$RESPONSE_CODE" = 200 ]
  then
    curl -kL -o $SCRIPT https://raw.githubusercontent.com/seud0nym/tch-gui-unhide/master/utilities/$SCRIPT
    if [ $? -eq 0 ]
    then
      chmod +x $SCRIPT
      echo "[$SCRIPT] Successfully downloaded $SCRIPT."
    else
      echo "[$SCRIPT] Failed to download $SCRIPT."
    fi
  elif [ "$RESPONSE_CODE" = 404 ]
  then
    echo "[$SCRIPT] ERROR! Not found on GitHub???"
  elif [ "$RESPONSE_CODE" = 000 ]
  then
    echo "[$SCRIPT] ERROR! No Internet connection???"
  else
    echo "[$SCRIPT] ERROR! Unknown response code $RESPONSE_CODE"
  fi
  exit
}

log() {
  if [ $DE_TELSTRA = "N" ]; then
    logger $LGGR_OPT -t rpc.gui.opkg -p $*
    if [ "$1" = "user.err" ]; then
      echo $* 1>&2
    fi
  else
    echo $*
  fi
}

CRON="N"
CURL_OPT="--connect-timeout 10 --fail --silent --insecure"
LGGR_OPT=""
DE_TELSTRA="N"

cd $(dirname $0)

while getopts :vCU-: option; do
 case "${option}" in
  -)  [ "${OPTARG}" = "update-de-telstra" -a "$(uname -m)" = "x86_64" -a -e de-telstra ] && DE_TELSTRA="Y" || usage;;
  v)  CURL_OPT="$(echo -e "$CURL_OPT" | sed -e 's/--silent//')"; LGGR_OPT="-s";;
  C)  CRON="Y";;
  U)  upgrade;;
  *)  usage;;
 esac
done
shift $((OPTIND-1))

if [ $DE_TELSTRA = "N" -a $CRON = "Y" ]; then
  grep -q "$SCRIPT" /etc/crontabs/root
  if [ $? = 0 ]
  then
    sed -e "/$SCRIPT/d" -i /etc/crontabs/root
    echo Scheduled update has been removed.
  else
    mm=$(awk 'BEGIN{srand();print int(rand()*59);}')
    hh=$(awk 'BEGIN{srand();print int(rand()*3)+2;}')
    dd=$(awk 'BEGIN{srand();print int(rand()*28);}')
    echo "$mm $hh $dd * * $(cd $(dirname $0); pwd)/$SCRIPT" >> /etc/crontabs/root
    echo System certificates update has been scheduled to execute at $hh:$(printf '%02d' $mm)am on day $dd of each month.
    echo Execution messages will be written to the system log, and can be viewed with the following command:
    echo
    echo "  logread -e rpc.gui.opkg"
    echo
  fi
  /etc/init.d/cron reload
  exit
fi

OPENWRT_LATEST="packages-24.10"

rm -f /tmp/ca-*.ipk

SRC="https://downloads.openwrt.org/releases/${OPENWRT_LATEST}/arm_cortex-a9/base"
for IPK in $(curl $CURL_OPT -s $SRC/Packages.gz | gunzip | grep '^Filename: ca-' | cut -d' ' -f2); do
  PKG="$(echo $IPK | grep -Eo '^ca-[^_]+')"
  VER="$(echo $IPK | grep -Eo '[0-9][-r0-9]+')"
  if [ $DE_TELSTRA = "N" -a "$(opkg list-installed 2>/dev/null | grep $PKG | cut -d- -f3- | xargs)" = "$VER" ]; then
    log user.info $PKG is up to date: Version $VER already installed
  else
    log user.info Downloading $SRC/$IPK...
    if curl $CURL_OPT -kL $SRC/$IPK -o /tmp/$IPK; then
      if [ $DE_TELSTRA = "N" ]; then
        log user.info Installing $IPK...
        opkg --force-overwrite install /tmp/$IPK 2>&1 | log user.info
      fi
    else 
      log user.warn Download of $SRC/$IPK failed!
      [ $DE_TELSTRA = "Y" ] && exit 2
    fi
  fi
done

if [ $DE_TELSTRA = "Y" ]; then
  TARGET="/tmp/.update_de-telstra_ca_packages"
  log user.info Creating $TARGET
  echo "upgrade_certificates() {" > $TARGET
  echo "  rm -f /tmp/ca-*_all.ipk" >> $TARGET
  for IPK in /tmp/ca-*.ipk; do
    log user.info Adding $IPK to $TARGET
    PKG="$(echo $IPK | grep -Eo 'ca-[^_]+')"
    VER="$(echo $IPK | grep -Eo '[0-9][-r0-9]+')"
    echo "  if ! opkg list-installed | grep -q '$PKG - $VER'; then" >> $TARGET
    echo "    #region (Source = $SRC/$(basename $IPK))" >> $TARGET
    echo "    echo '$(base64 $IPK)' | base64 -d > $IPK" >> $TARGET
    echo "    #endregion" >> $TARGET
    echo "  fi" >> $TARGET
  done
  echo "  if [ \$(ls /tmp/ca-*_all.ipk 2>/dev/null | wc -l) -gt 0 ]; then" >> $TARGET
  echo "    echo [\$SCRIPT]: - Upgrading CA certificates for repository access..." >> $TARGET
  echo "    opkg --force-overwrite install /tmp/ca-*.ipk" >> $TARGET
  echo "    rm /tmp/ca-*_all.ipk" >> $TARGET
  echo "  fi" >> $TARGET
  echo "}" >> $TARGET
  log user.info Updating de-telstra
  LINE_NO=$(( $(grep -n '^upgrade_certificates() {' de-telstra | cut -d: -f1) - 1))
  sed -e '/^upgrade_certificates() {/,/^}/d' -e "${LINE_NO}r $TARGET" -i de-telstra
  rm $TARGET
fi

rm -f /tmp/ca-*_all.ipk

[ $DE_TELSTRA = "Y" ] && exit

log user.info Updating ca-certificates.crt from https://curl.se/ca/cacert.pem if changed...
curl $CURL_OPT -kLz /etc/ssl/certs/ca-certificates.crt -o /etc/ssl/certs/ca-certificates.crt https://curl.se/ca/cacert.pem | log user.info

if [ -z "$ENV" ]; then
  log user.info Updating /etc/profile with SSL_CERT_FILE and CURL_CA_BUNDLE environment variables if required
  grep -q CURL_CA_BUNDLE /etc/profile || echo "export CURL_CA_BUNDLE='/etc/ssl/certs/ca-certificates.crt'" >> /etc/profile
  grep -q SSL_CERT_FILE /etc/profile || echo "export SSL_CERT_FILE='/etc/ssl/cert.pem'" >> /etc/profile
else
  log user.info Updating $ENV with SSL_CERT_FILE and CURL_CA_BUNDLE environment variables if required
  grep -q CURL_CA_BUNDLE $ENV || echo "export CURL_CA_BUNDLE='/etc/ssl/certs/ca-certificates.crt'" >> $ENV
  grep -q SSL_CERT_FILE $ENV || echo "SSL_CERT_FILE='/etc/ssl/cert.pem'" >> $ENV
fi
grep -q 'ca_directory=' /root/.wgetrc 2>/dev/null || echo 'ca_directory=/etc/ssl/certs' >> /root/.wgetrc