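#!/bin/bash
# verify-p12 - Verify WebDAV cartridge access with Bearer or Basic auth (optionally mTLS)
#
# Usage:
#   verify-p12 [--cacert <ca_file>] <hostname> <token> [p12_password] [p12_file]
#   verify-p12 --basic [--cacert <ca_file>] <hostname> <user:pass> [p12_password] [p12_file]
#   verify-p12 -h
#
# Options:
#   --basic             Use Basic auth instead of Bearer
#   --cacert <ca_file>  PEM bundle used to verify the server certificate instead of
#                       disabling verification (-k) when a .p12 client cert is used
#   hostname            Instance hostname (e.g. dev01-web-example.demandware.net)
#   token               Bearer token for authorization (default auth mode)
#   user:pass           Username and password for Basic auth (with --basic)
#   p12_password        (optional) Password for the .p12 client certificate
#   p12_file            (optional) Path to .p12 file (default: $USER-hostname.p12)
#   -h, --help          Show help message
#
# Security notes:
#   - Secrets (token, user:pass, .p12 password) arrive on this script's argv, so
#     they are visible to other local users via `ps` while it runs and may be
#     recorded in shell history. Internally they are handed to curl through a
#     config read on stdin (--config -), never on curl's own command line.
#   - Without --cacert, the mTLS path runs curl with -k, which disables server
#     certificate verification entirely; an on-path attacker could then collect
#     the Bearer token or Basic credentials. A warning is printed to stderr.

_verify_p12() (
  # Parenthesised body: runs in a subshell so helper functions and locals never
  # leak into a shell that sources this file.
  local SCRIPT_NAME; SCRIPT_NAME="$(basename "${BASH_SOURCE[0]}")"
  case "${BASH_SOURCE[0]}" in /dev/*|/proc/*) SCRIPT_NAME="" ;; esac
  case "$SCRIPT_NAME" in ""|bash|sh|zsh|dash) SCRIPT_NAME="verify-p12" ;; esac

  _error() { echo "[ERR][$SCRIPT_NAME] $*" >&2; }
  _warn()  { echo "[WARN][$SCRIPT_NAME] $*" >&2; }

  # Quote a value for a curl config (-K) line. Inside double quotes curl
  # unescapes \\ and \" (plus \t \n \r \v), so doubling backslashes first and
  # then escaping quotes is sufficient to pass any value through verbatim.
  _cfg_quote() {
    local v="$1"
    v="${v//\\/\\\\}"
    v="${v//\"/\\\"}"
    printf '"%s"' "$v"
  }

  _show_help() {
    local s; [ -t 1 ] && s=$'\033[4m'
    local r; [ -t 1 ] && r=$'\033[24m'
    echo "NAME"
    echo "  $SCRIPT_NAME - verify WebDAV cartridge access with Bearer or Basic auth"
    echo "SYNOPSIS"
    echo "  $SCRIPT_NAME [--cacert ${s}ca_file${r}] ${s}hostname${r} ${s}token${r} [${s}p12_password${r}] [${s}p12_file${r}]"
    echo "  $SCRIPT_NAME --basic [--cacert ${s}ca_file${r}] ${s}hostname${r} ${s}user:pass${r} [${s}p12_password${r}] [${s}p12_file${r}]"
    echo "  $SCRIPT_NAME -h"
    echo "DESCRIPTION"
    echo "  Sends a GET request to /webdav/Sites/Cartridges on ${s}hostname${r}."
    echo "  Prints the HTTP status line and cartridge directory listing."
    echo ""
    echo "  Default auth is Bearer using the given ${s}token${r}. With --basic,"
    echo "  auth is Basic using ${s}user:pass${r} (the full colon-delimited string)."
    echo ""
    echo "  When ${s}p12_password${r} is provided, adds mTLS client certificate"
    echo "  authentication using the .p12 file. Default ${s}p12_file${r} is"
    echo "  \$USER-${s}hostname${r}.p12 in the current directory."
    echo ""
    echo "  Credentials and the .p12 password are passed to curl via a config on"
    echo "  stdin, so they do not appear in curl's command line."
    echo "OPTIONS"
    echo "  --basic            Use Basic auth instead of Bearer"
    echo "  --cacert ${s}ca_file${r}  PEM CA bundle used to verify the server certificate"
    echo "                     (without it the mTLS path disables verification, see SECURITY)"
    echo "  ${s}hostname${r}           Instance hostname (e.g. dev01-web-example.demandware.net)"
    echo "  ${s}token${r}              Bearer token for authorization (default auth mode)"
    echo "  ${s}user:pass${r}          Username and password for Basic auth (with --basic)"
    echo "  ${s}p12_password${r}       (optional) Password for the .p12 client certificate"
    echo "  ${s}p12_file${r}           (optional) Path to .p12 file (default: \$USER-hostname.p12)"
    echo "  -h, --help         Show this help message"
    echo "PRECONDITIONS"
    echo "  - If ${s}p12_password${r} is given, the .p12 file must exist and be readable"
    echo "  - If --cacert is given, ${s}ca_file${r} must exist and be readable"
    echo "  - Network must be able to reach ${s}hostname${r} on port 443"
    echo "  - Credentials (token or user:pass, and .p12 password if used) must be valid"
    echo "EXIT STATUS"
    echo "  0  curl succeeded (check HTTP status line -- 401/403 still exit 0)"
    echo "  1  Argument / usage error"
    echo "  *  curl exit code on network or TLS failure"
    echo ""
    echo "  Common curl codes: 35 = TLS handshake, 51 = server cert, 58 = .p12 /"
    echo "  client-cert problem, 60 = CA cert."
    echo "SECURITY"
    echo "  With mTLS and no --cacert, curl runs with -k: the server certificate is"
    echo "  NOT verified, so the connection is encrypted but the peer is not"
    echo "  authenticated and a man-in-the-middle could capture the credentials."
    echo "  Pass --cacert ${s}ca_file${r} to verify against the instance's CA."
    echo ""
    echo "  Arguments are visible to other local users via ps and may be saved in"
    echo "  shell history; prefer a short-lived token."
    echo "CAVEATS"
    echo "  curl exit 58 typically means the .p12 file is missing, unreadable, or"
    echo "  the password is wrong."
    echo "DEPENDENCIES"
    echo "  curl (always); openssl (only with --basic)"
    echo "SEE ALSO"
    echo "  propfind-p12, generate-p12"
  }

  local auth_mode="bearer"
  local ca_cert=""
  local positional=()
  while [ $# -gt 0 ]; do
    case "$1" in
      -h|--help) _show_help; return 0 ;;
      --basic) auth_mode="basic"; shift ;;
      --cacert)
        if [ $# -lt 2 ] || [ -z "$2" ]; then
          _error "--cacert requires a file argument. Run \`$SCRIPT_NAME -h\` for usage"
          return 1
        fi
        ca_cert="$2"; shift 2 ;;
      --cacert=*) ca_cert="${1#--cacert=}"; shift ;;
      *) positional+=("$1"); shift ;;
    esac
  done

  if [ "${#positional[@]}" -lt 2 ]; then
    _error "Expected 2 arguments, received ${#positional[@]}. Run \`$SCRIPT_NAME -h\` for usage"
    return 1
  fi
  if [ -n "$ca_cert" ] && [ ! -r "$ca_cert" ]; then
    _error "CA file not readable: $ca_cert"
    return 1
  fi

  local hostname="${positional[0]}"
  local credential="${positional[1]}"
  local p12_pass="${positional[2]-}"
  local p12_arg4="${positional[3]-}"
  # $USER is not guaranteed to be set (cron, some containers); fall back to id.
  local DEFAULT_P12_FILE="${USER:-$(id -un)}-$hostname.p12"

  # curl config lines. Every secret-bearing option goes here and is fed to curl
  # on stdin, so neither the Authorization header nor the .p12 password shows
  # up in curl's argv (readable by any local user through ps / /proc).
  local cfg_lines=()
  case "$auth_mode" in
    bearer)
      cfg_lines+=("header = $(_cfg_quote "Authorization: Bearer $credential")") ;;
    basic)
      # The credential reaches openssl through a pipe, not its argv.
      local encoded
      encoded="$(printf %s "$credential" | openssl enc -base64 -A)" || {
        _error "Failed to base64-encode Basic credentials (is openssl installed?)"
        return 1
      }
      cfg_lines+=("header = $(_cfg_quote "Authorization: Basic $encoded")") ;;
  esac

  local tls_args=()
  if [ -n "$ca_cert" ]; then
    tls_args+=("--cacert" "$ca_cert")
  fi
  if [ -n "$p12_pass" ]; then
    local p12_file="${p12_arg4:-$DEFAULT_P12_FILE}"
    # curl's "file:password" syntax is kept as before (a ':' in the path still
    # needs '\:'); _cfg_quote doubles the backslash so curl sees it unchanged.
    cfg_lines+=("cert-type = p12" "cert = $(_cfg_quote "$p12_file:$p12_pass")")
    if [ -z "$ca_cert" ]; then
      # -k (--insecure) switches off server certificate verification completely;
      # it is not limited to "accepting a self-signed certificate". TLS is still
      # negotiated, but nothing proves the peer is $hostname, so an on-path
      # attacker can terminate the connection and read the credentials sent
      # above. Kept as the default for backwards compatibility with instances
      # whose mTLS endpoint uses a private CA; --cacert is the safe alternative.
      tls_args+=("-k")
      _warn "server certificate verification disabled (-k); pass --cacert <ca_file> to verify the instance"
    fi
  fi

  local url="https://$hostname/on/demandware.servlet/webdav/Sites/Cartridges"
  # Print request URL to stderr so stdout stays parseable.
  echo "GET $url" >&2

  # -s: no progress meter; -i: include response headers so the status line is
  # part of the output. --config - reads the secret-bearing options from stdin.
  local response rc
  response="$(printf '%s\n' "${cfg_lines[@]}" | curl -si --url "$url" --config - "${tls_args[@]}")"
  rc=$?

  # Print the HTTP status line (CRs stripped first so the '$' anchor matches).
  # NOTE(review): the second -e pattern is a BRE in which '$' and '|' are
  # literal away from the end of the expression, so it only matches lines that
  # contain the text '$||' -- unlikely to be the intended "directory listing"
  # pattern promised by the help text. Kept unchanged; confirm what it should be.
  printf '%s\n' "$response" \
    | tr -d '\r' \
    | grep -e '^HTTP/[.0-9]\{1,3\} [0-9]\{3\} [ A-Za-z]*$' \
           -e '.*$||'

  # Return curl's status, not grep's: grep is the last pipeline stage and would
  # otherwise mask TLS / network failures (e.g. 35, 58, 60) behind exit 1,
  # contradicting the documented EXIT STATUS.
  return "$rc"
)

_verify_p12 "$@"
__verify_p12_rc=$?
unset -f _verify_p12
# When sourced (BASH_SOURCE differs from $0) use return so the caller's shell
# survives; eval lets the temporary variable be unset before its value is used.
if [ -n "${BASH_SOURCE[0]}" ] && [ "${BASH_SOURCE[0]}" != "$0" ]; then
  eval "unset __verify_p12_rc; return $__verify_p12_rc"
fi
eval "unset __verify_p12_rc; exit $__verify_p12_rc"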