#!/usr/bin/perl
#=============================================================================
# Rotation of OpenID Connect keys
#
# This script is written to be used by cron to rotate keys.
#
# This is part of LemonLDAP::NG product, released under GPL
#=============================================================================

use strict;

use Lemonldap::NG::Common::Conf;
use Lemonldap::NG::Common::Util::Crypto;
use URI;

my $debug = 0;

#=============================================================================
# Load configuration
#=============================================================================
my $lmconf = Lemonldap::NG::Common::Conf->new()
  or die $Lemonldap::NG::Common::Conf::msg;
my $conf = $lmconf->getConf();

my $cn = eval { URI->new( $conf->{portal} )->host } || 'localhost';
print "Configuration loaded\n" if $debug;

# Verify type
my $type = (
      $conf->{oidcServiceNewPrivateKeySig}
    ? $conf->{oidcServiceNewKeyTypeSig}
    : $conf->{oidcServiceKeyTypeSig}
  )
  || 'RSA';

die "Unknown key type $type" unless $type =~ /^(?:RSA|EC)$/;
print "Type is $type\n" if $debug;

#=============================================================================
# Generate new key
#=============================================================================
my $keys;

if ( $type eq 'EC' ) {
    $keys = Lemonldap::NG::Common::Util::Crypto::genEcKey('secp256r1');
}
else {
    $keys = Lemonldap::NG::Common::Util::Crypto::genCertKey( 2048, undef, $cn );
}

print "Private key generated:\n" . $keys->{private} . "\n" if $debug;
print "Public key generated:\n" . $keys->{public} . "\n"   if $debug;
print "Key ID generated: " . $keys->{hash} . "\n"          if $debug;

#=============================================================================
# Save configuration
#=============================================================================
$conf->{cfgAuthor} = 'Key rotation script';

if ( $conf->{oidcServiceNewKeyIdSig} and $conf->{oidcServiceNewPublicKeySig} ) {

    # Move current key into previous one
    $conf->{oidcServiceOldPrivateKeySig} = $conf->{oidcServicePrivateKeySig};
    $conf->{oidcServiceOldPublicKeySig}  = $conf->{oidcServicePublicKeySig};
    $conf->{oidcServiceOldKeyIdSig}      = $conf->{oidcServiceKeyIdSig};
    $conf->{oidcServiceOldKeyTypeSig}    = $conf->{oidcServiceKeyTypeSig};

    # Move next key into current one
    $conf->{oidcServicePrivateKeySig} = $conf->{oidcServiceNewPrivateKeySig};
    $conf->{oidcServicePublicKeySig}  = $conf->{oidcServiceNewPublicKeySig};
    $conf->{oidcServiceKeyIdSig}      = $conf->{oidcServiceNewKeyIdSig};
    $conf->{oidcServiceKeyTypeSig}    = $conf->{oidcServiceNewKeyTypeSig};
}
else {
    print STDERR
      "No previous pending new key found. Rotation will be done next time\n";
}

# Store new key
$conf->{oidcServiceNewPrivateKeySig} = $keys->{private};
$conf->{oidcServiceNewPublicKeySig}  = $keys->{public};
$conf->{oidcServiceNewKeyIdSig}      = $keys->{hash};
$conf->{oidcServiceNewKeyTypeSig}    = $type;

if ( $conf->{oidcServicePrivateKeyEnc} ) {
    $type = $conf->{oidcServiceKeyTypeEnc} || 'RSA';
    if ( $type eq 'EC' ) {
        $keys = Lemonldap::NG::Common::Util::Crypto::genEcKey('secp256r1');
    }
    else {
        $keys =
          Lemonldap::NG::Common::Util::Crypto::genCertKey( 2048, undef, $cn );
    }

    # Move current key into previous one
    $conf->{oidcServiceOldPrivateKeyEnc} = $conf->{oidcServicePrivateKeyEnc};
    $conf->{oidcServiceOldPublicKeyEnc}  = $conf->{oidcServicePublicKeyEnc};
    $conf->{oidcServiceOldKeyIdEnc}      = $conf->{oidcServiceKeyIdEnc};
    $conf->{oidcServiceOldKeyTypeEnc}    = $conf->{oidcServiceKeyTypeEnc};

    # Store new key
    $conf->{oidcServicePrivateKeyEnc} = $keys->{private};
    $conf->{oidcServicePublicKeyEnc}  = $keys->{public};
    $conf->{oidcServiceKeyIdEnc}      = $keys->{hash};
    $conf->{oidcServiceKeyTypeEnc}    = $type;
}

( $lmconf->saveConf($conf) > 0 ) or die $Lemonldap::NG::Common::Conf::msg;

print "Configuration saved\n" if $debug;

exit 0;
