#!/usr/bin/env bash
# onx-cert-list — List all certificates tracked by acme.sh with expiry dates.
#
# Input (stdin JSON): {} (no fields required)
#
# Output (stdout JSON):
#   {"certs": [{"domain":..., "expires_at":..., "days_left":..., "status":..., "san":...}, ...]}
#   (days_left is an integer rendered as a JSON string, or "unknown")
#
# Exit codes: 0=ok 2=preflight-fail
#
# Deployed to: /usr/local/onoxsoft/bin/onx-cert-list

# Strict mode: abort on unhandled errors, unset variables and failed pipeline stages.
set -o errexit -o nounset -o pipefail

# Resolve the directory the script really lives in (symlinks followed) so the
# shared library is found regardless of how the script was invoked.
SCRIPT_DIR=$(dirname -- "$(readlink -f -- "$0")")
# shellcheck source=_lib/common.sh
. "${SCRIPT_DIR}/_lib/common.sh"

# ── Constants ────────────────────────────────────────────────────────────────
# acme.sh honours LE_WORKING_DIR for its config/cert store; it is exported so
# the acme.sh invocation below sees it.
declare -x LE_WORKING_DIR=/etc/onoxsoft/acme.sh
ACME_BIN=${LE_WORKING_DIR}/acme.sh
# Directory holding <domain>/fullchain.pem, the file whose notAfter is reported.
ACME_CERT_BASE=/etc/letsencrypt/live

# ── Preflight ────────────────────────────────────────────────────────────────
# Refuse to run without a usable acme.sh binary and openssl; both are needed
# to produce a meaningful inventory, so fail with the preflight exit code.
if [[ ! -f "${ACME_BIN}" || ! -x "${ACME_BIN}" ]]; then
  onx_die 2 "acme.sh not found: ${ACME_BIN}"
fi
if ! command -v openssl >/dev/null 2>&1; then
  onx_die 2 "openssl not found"
fi

# ── Gather cert info ─────────────────────────────────────────────────────────
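NOW_EPOCH=$(date +%s)
ENTRIES=()                    # one JSON object per certificate, joined at the end
readonly EXPIRING_SOON_DAYS=30

#######################################
# Escape a string for embedding inside a JSON double-quoted literal.
# Covers everything RFC 8259 requires: backslash, double quote and every
# control character (U+0000..U+001F, plus DEL), so a stray tab/newline in an
# acme.sh field can neither break the document nor smuggle extra keys into it.
# Arguments: $1 - raw string
# Outputs:   escaped string on stdout (no trailing newline)
#######################################
json_str() {
  local raw=$1 out='' ch i
  for (( i = 0; i < ${#raw}; i++ )); do
    ch=${raw:i:1}
    case ${ch} in
      '"')         out+='\"' ;;
      '\')         out+='\\' ;;
      $'\n')       out+='\n' ;;
      $'\r')       out+='\r' ;;
      $'\t')       out+='\t' ;;
      [[:cntrl:]]) out+=$(printf '\\u%04x' "'${ch}") ;;
      *)           out+=${ch} ;;
    esac
  done
  printf '%s' "${out}"
}

#######################################
# Classify a certificate by the seconds remaining until notAfter.
# The comparison is done in seconds: days_left truncates toward zero, so a
# cert that lapsed less than 24h ago has days_left 0 and would otherwise be
# misreported as "expiring_soon" instead of "expired".
# Arguments: $1 - seconds until expiry (negative when already expired)
# Outputs:   one of: expired | expiring_soon | active
#######################################
cert_status() {
  local remaining=$1
  if (( remaining < 0 )); then
    printf 'expired'
  elif (( remaining / 86400 <= EXPIRING_SOON_DAYS )); then
    printf 'expiring_soon'
  else
    printf 'active'
  fi
}

# Read the inventory once and fail loudly if acme.sh cannot produce it: an
# empty list would otherwise be indistinguishable from "no certificates",
# which is exactly the wrong signal for an expiry monitor. acme.sh's stderr
# is discarded so our own stdout carries nothing but the JSON document.
LIST_OUT=$("${ACME_BIN}" --list 2>/dev/null) \
  || onx_die 2 "acme.sh --list failed (exit $?)"

# NOTE(review): this assumes `--list` prints one tab-separated row per cert,
# as the original did. acme.sh formats --list for humans and the separator and
# column set may differ by version (newer builds reportedly add a CA column).
# Only Main_Domain (col 1) and SAN_Domains (col 3) are consumed; everything
# after is swallowed by _rest, so extra trailing columns are harmless. Confirm
# against the deployed acme.sh, or prefer --listraw if that build has it.
# shellcheck disable=SC2034  # _key_len/_rest are deliberately unused
while IFS=$'\t' read -r DOMAIN _key_len SAN_DOMAINS _rest; do
  # Skip blank lines and the header row (tail already drops line 1; this is a
  # belt-and-braces guard in case the header ever moves).
  [[ -z "${DOMAIN}" || "${DOMAIN}" == "Main_Domain" ]] && continue

  CERT_FILE="${ACME_CERT_BASE}/${DOMAIN}/fullchain.pem"
  EXPIRES_AT="unknown"
  DAYS_LEFT="unknown"
  STATUS="unknown"

  if [[ -f "${CERT_FILE}" ]]; then
    # notAfter as printed by openssl, e.g. "Jun  1 12:00:00 2025 GMT".
    # An unreadable/unparseable file leaves everything "unknown".
    EXPIRY_STR=$(openssl x509 -enddate -noout -in "${CERT_FILE}" 2>/dev/null \
      | sed 's/^notAfter=//' || true)
    if [[ -n "${EXPIRY_STR}" ]]; then
      EXPIRES_AT="${EXPIRY_STR}"
      # GNU date; a parse failure yields 0 and keeps days_left/status unknown.
      EXPIRY_EPOCH=$(date -d "${EXPIRY_STR}" +%s 2>/dev/null || echo 0)
      if (( EXPIRY_EPOCH > 0 )); then
        REMAINING=$(( EXPIRY_EPOCH - NOW_EPOCH ))
        DAYS_LEFT=$(( REMAINING / 86400 ))   # truncates toward zero; status is authoritative
        STATUS=$(cert_status "${REMAINING}")
      fi
    fi
  else
    STATUS="missing_file"
  fi

  # days_left stays a JSON string (integer or "unknown") for compatibility
  # with existing consumers of this output.
  ENTRIES+=("$(printf '{"domain":"%s","expires_at":"%s","days_left":"%s","status":"%s","san":"%s"}' \
    "$(json_str "${DOMAIN}")" \
    "$(json_str "${EXPIRES_AT}")" \
    "${DAYS_LEFT}" \
    "$(json_str "${STATUS}")" \
    "$(json_str "${SAN_DOMAINS}")")")

done < <(tail -n +2 <<<"${LIST_OUT}")

# Join entries with commas; an empty inventory yields "" (→ "certs":[]).
# Length check first: older bash treats an empty array expansion as unbound under -u.
CERTS_JSON=""
if (( ${#ENTRIES[@]} > 0 )); then
  CERTS_JSON=$(IFS=,; printf '%s' "${ENTRIES[*]}")
fi

# ── Output ────────────────────────────────────────────────────────────────────
printf '{"certs":[%s]}\n' "${CERTS_JSON}"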
