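#!/usr/bin/env bash
# onx-dkim-list — lists every DKIM key pair stored under /etc/onox/dkim/
#
# stdin:  {}  (optional: {"domain":"example.com"} restricts the listing to that domain)
# stdout: {"keys":[{"domain":"…","selector":"…","key_size":N,"fingerprint":"…",
#                   "has_public_key":true|false,"dns_txt_payload":"…"},…],"count":N}
#
# On-disk layout: /etc/onox/dkim/<domain>/<selector>.private (PEM RSA private key)
# and, optionally, /etc/onox/dkim/<domain>/<selector>.pub (PEM public key).
# Only public material is emitted: "fingerprint" is SHA-256 over the DER
# SubjectPublicKeyInfo derived from the private key; the key itself never
# reaches stdout. Keys that openssl cannot parse as RSA are still listed,
# with an empty fingerprint and key_size 0.

set -euo pipefail
SCRIPT_DIR="$(dirname "$(readlink -f "$0")")"
source "${SCRIPT_DIR}/_lib/common.sh"

require_root
require_cmd openssl

#######################################
# Escapes a string for embedding inside a JSON string literal.
# Domain and selector names are taken from directory/file names, so a
# quote, backslash or control character in them must not break (or inject
# into) the document assembled by hand below.
# Arguments: $1 - raw string
# Outputs:   escaped string on stdout, no trailing newline
#######################################
dkim_json_escape() {
    local s=$1
    s=${s//\\/\\\\}
    s=${s//\"/\\\"}
    s=${s//$'\n'/\\n}
    s=${s//$'\r'/\\r}
    s=${s//$'\t'/\\t}
    printf '%s' "$s"
}

#######################################
# Prints the modulus size in bits of a PEM RSA private key, or 0 when the
# key cannot be parsed.
# Arguments: $1 - path to the private key
# Outputs:   decimal integer on stdout, no trailing newline
#######################################
dkim_key_bits() {
    local key_text
    local re='Private-Key: \(([0-9]+) bit'
    # openssl prints e.g. "Private-Key: (2048 bit, 2 primes)"; matching it
    # with a bash regex avoids GNU-only `grep -P` and the head(1) early-exit
    # race that could trip pipefail and append a second value.
    key_text=$(openssl rsa -in "$1" -text -noout 2>/dev/null) || key_text=""
    if [[ "$key_text" =~ $re ]]; then
        printf '%s' "${BASH_REMATCH[1]}"
    else
        printf '0'
    fi
}

#######################################
# Prints the SHA-256 hex digest of the DER-encoded public key derived from
# a PEM RSA private key, or an empty string when the key cannot be parsed.
# Arguments: $1 - path to the private key
# Outputs:   lowercase hex digest on stdout, no trailing newline
#######################################
dkim_key_fingerprint() {
    local fp
    # Assign on failure instead of `|| echo ""`: with pipefail the digest
    # stage still hashes an empty input when openssl fails, which would
    # otherwise yield the well-known SHA-256 of "" as a bogus fingerprint.
    fp=$(openssl rsa -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 -hex \
        | awk '{ print $2 }') || fp=""
    printf '%s' "$fp"
}

onx_json_input

FILTER_DOMAIN=$(onx_json_field "domain" "")

DKIM_BASE="/etc/onox/dkim"

if [[ ! -d "$DKIM_BASE" ]]; then
    json_ok '{"keys":[],"count":0}'
    # json_ok is not known to terminate the script; stop here so the empty
    # listing is not emitted a second time at the bottom.
    exit 0
fi

KEYS_JSON="["
FIRST=1
COUNT=0

for DOMAIN_DIR in "$DKIM_BASE"/*/; do
    [[ -d "$DOMAIN_DIR" ]] || continue
    DOMAIN=$(basename "$DOMAIN_DIR")

    # Optional domain filter from the request.
    if [[ -n "$FILTER_DOMAIN" && "$DOMAIN" != "$FILTER_DOMAIN" ]]; then
        continue
    fi

    for PRIV_KEY in "$DOMAIN_DIR"*.private; do
        [[ -f "$PRIV_KEY" ]] || continue
        SELECTOR=$(basename "$PRIV_KEY" .private)
        PUB_KEY="${DOMAIN_DIR}${SELECTOR}.pub"

        FINGERPRINT=$(dkim_key_fingerprint "$PRIV_KEY")
        KEY_BITS=$(dkim_key_bits "$PRIV_KEY")

        DNS_PAYLOAD=""
        HAS_PUB=false
        if [[ -f "$PUB_KEY" ]]; then
            HAS_PUB=true
            # Strip the PEM armour. A .pub with no body makes grep exit 1,
            # which under pipefail would abort the whole listing; fall back
            # to an empty payload instead.
            DNS_PAYLOAD=$(grep -v '^-----' -- "$PUB_KEY" | tr -d '\n') || DNS_PAYLOAD=""
        fi

        if (( FIRST == 0 )); then
            KEYS_JSON+=","
        fi
        FIRST=0
        COUNT=$((COUNT + 1))

        # Constant format string; every data value goes through %s and the
        # free-form ones are escaped, so the output stays valid JSON.
        ESC_DOMAIN=$(dkim_json_escape "$DOMAIN")
        ESC_SELECTOR=$(dkim_json_escape "$SELECTOR")
        ESC_PAYLOAD=$(dkim_json_escape "$DNS_PAYLOAD")
        printf -v ENTRY \
            '{"domain":"%s","selector":"%s","key_size":%s,"fingerprint":"%s","has_public_key":%s,"dns_txt_payload":"v=DKIM1; k=rsa; p=%s"}' \
            "$ESC_DOMAIN" "$ESC_SELECTOR" "$KEY_BITS" "$FINGERPRINT" "$HAS_PUB" "$ESC_PAYLOAD"
        KEYS_JSON+="$ENTRY"
    done
done

KEYS_JSON+="]"

json_ok "{\"keys\":${KEYS_JSON},\"count\":${COUNT}}"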
