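#!/usr/bin/env bash
#
# This script creates a self-signed CA and a server certificate for the
# Azurite Emulator.
#
# For more sophisticated certificate management, consider using Simple CA project
# from: https://gitea.koszewscy.waw.pl/slawek/simple-ca.git
#
# Environment (all optional):
#   CA_DIR                output directory                (default: ./ca)
#   CA_NAME               common name of the CA subject   (default: Azurite Emulator CA)
#   STORAGE_ACCOUNT_NAME  emulated storage account name   (default: azuritelocal)
#
# Files written to CA_DIR:
#   ca_key.pem, ca_cert.pem, <hash>.0 (symlink to ca_cert.pem),
#   <account>_key.pem, <account>_cert.pem
#
# Security notes:
#   * Both private keys are written unencrypted (-noenc), so file permissions
#     are the only protection they have; the script forces them to 0600.
#   * The CA certificate carries basicConstraints only (pathlen:0, no name
#     constraints). Any machine that trusts ca_cert.pem will accept a
#     certificate for any host name signed with ca_key.pem, so trust this CA
#     on development machines only and keep ca_key.pem private.

# Stop at the first failure: without this a failed CA step would fall through
# to the signing and verification steps and leave a half-built directory.
set -euo pipefail

CA_DIR="${CA_DIR:-./ca}"
CA_NAME="${CA_NAME:-Azurite Emulator CA}"
STORAGE_ACCOUNT_NAME="${STORAGE_ACCOUNT_NAME:-azuritelocal}"

# The account name is spliced into file paths, the subject DN and the SAN list;
# a '/' or ',' in it would change the meaning of those arguments.
if [[ ! "$STORAGE_ACCOUNT_NAME" =~ ^[A-Za-z0-9-]+$ ]]; then
  printf 'error: STORAGE_ACCOUNT_NAME may contain only letters, digits and "-": %s\n' \
    "$STORAGE_ACCOUNT_NAME" >&2
  exit 1
fi

# openssl does not create the output directory itself.
mkdir -p -- "$CA_DIR"

# --- Certificate authority ---------------------------------------------------
openssl req \
  -x509 -noenc -text \
  -newkey rsa:4096 \
  -keyout "${CA_DIR}/ca_key.pem" \
  -out "${CA_DIR}/ca_cert.pem" \
  -days 3650 \
  -subj "/CN=$CA_NAME" \
  -addext "basicConstraints=critical,CA:TRUE,pathlen:0"

# An existing key file keeps whatever mode it already had when it is
# overwritten, so set the mode explicitly on every run.
chmod 600 -- "${CA_DIR}/ca_key.pem"

# Subject-hash symlink so that CA_DIR can be used as an OpenSSL -CApath.
# stderr is left visible and the result is checked: an empty hash would
# otherwise create a bogus "${CA_DIR}/.0" link.
HASH=$(openssl x509 -in "${CA_DIR}/ca_cert.pem" -noout -hash)
if [[ -z "$HASH" ]]; then
  printf 'error: could not compute the subject hash of %s\n' \
    "${CA_DIR}/ca_cert.pem" >&2
  exit 1
fi
# The link target is relative, so the directory stays relocatable.
ln -sf -- ca_cert.pem "${CA_DIR}/${HASH}.0"

# --- Server certificate ------------------------------------------------------
# One DNS SAN per emulated service endpoint.
ALTNAMES=()
for endpoint in blob queue table; do
  ALTNAMES+=("DNS:${STORAGE_ACCOUNT_NAME}.${endpoint}.core.windows.net")
done

# Join the SAN entries with commas; IFS is changed only inside the subshell.
SAN_LIST=$(IFS=,; printf '%s' "${ALTNAMES[*]}")

# The CSR is piped straight into the signing step and never touches disk.
# With pipefail a failure in "openssl req" fails the whole pipeline.
openssl req \
  -newkey rsa:4096 \
  -noenc \
  -keyout "${CA_DIR}/${STORAGE_ACCOUNT_NAME}_key.pem" \
  -subj "/CN=${STORAGE_ACCOUNT_NAME}.blob.core.windows.net" \
  -addext "basicConstraints=critical,CA:FALSE" \
  -addext "keyUsage=digitalSignature, keyEncipherment" \
  -addext "extendedKeyUsage=serverAuth" \
  -addext "subjectAltName=${SAN_LIST}" \
  | openssl x509 \
    -req -text \
    -CA "${CA_DIR}/ca_cert.pem" \
    -CAkey "${CA_DIR}/ca_key.pem" \
    -copy_extensions copyall \
    -days 365 \
    -out "${CA_DIR}/${STORAGE_ACCOUNT_NAME}_cert.pem"

chmod 600 -- "${CA_DIR}/${STORAGE_ACCOUNT_NAME}_key.pem"

# Confirm that the new certificate chains to the CA through the hash symlink.
openssl verify -CApath "${CA_DIR}" "${CA_DIR}/${STORAGE_ACCOUNT_NAME}_cert.pem"

# NOTE(review): the listing is cut off at this point in the middle of an
# unfinished "cat <" command; that tail is not visible and is not reproduced.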