#! /bin/sh
# This source code is released into the public domain.

. __LIBDIR__/init.sh
. __LIBDIR__/dnsutils.sh

# begin, done or failed
ACTION=$1
# ACME method, must be dns-01.
METHOD=$2
# This is the full domain name we're authorising.
DOMAIN=$3
# Token name, not used for dns-01.
TOKEN=$4
# The token value we need to create.
AUTH=$5

_KINIT="$(_findbin kinit $LFACME_KERBEROS_KINIT)"

if [ "$#" -ne 5 ]; then
	_fatal "missing arguments"
fi

if [ "$METHOD" != "dns-01" ]; then
	exit 1
fi

if [ -z "$LFACME_KERBEROS_PRINCIPAL" ]; then
	LFACME_KERBEROS_PRINCIPAL="host/$(hostname)"
fi

if [ -z "$LFACME_KERBEROS_KEYTAB" ]; then
	LFACME_KERBEROS_KEYTAB="/etc/krb5.keytab"
fi

if ! [ -r "$LFACME_KERBEROS_KEYTAB" ]; then
	_fatal "keytab does not exist (or is not readable): %s" \
		"$LFACME_KERBEROS_KEYTAB"
fi

if ! $_KINIT -k -t "$LFACME_KERBEROS_KEYTAB" "$LFACME_KERBEROS_PRINCIPAL"; then
	_fatal "failed to obtain a Kerberos ticket"
fi

# Add a new record using nsupdate.
_add_record() {
	local domain="$1"
	local auth="$2"

	$_NSUPDATE -g <<EOF
update add _acme-challenge.${DOMAIN}. 300 IN TXT "${AUTH}"
send
EOF
	return $?
}

# Remove an existing record using nsupdate.
_remove_record() {
	local domain="$1"
	local auth="$2"

	$_NSUPDATE -g <<EOF
update delete _acme-challenge.${DOMAIN}. 300 IN TXT "${AUTH}"
send
EOF
	return $?
}

case "$ACTION" in
	begin)
		if ! _add_record "$DOMAIN" "$AUTH"; then
			_fatal "failed to add the DNS record for %s" "$DOMAIN"
			exit 1
		fi

		if ! lfacme_dns_wait_for_record "$DOMAIN" "$AUTH"; then
			_fatal "timed out waiting for the DNS record for '%s' to be published" \
				"$DOMAIN"
			exit 1
		fi

		exit 0
		;;

	done|failed)
		_remove_record "$DOMAIN" "$AUTH"
		exit $?
		;;

	*)
		_fatal "unknown action: %s" "$ACTION"
		;;
esac