#!/usr/local/cpanel/3rdparty/bin/perl

# cpanel - scripts/expunge_expired_certificates_from_sslstorage
#                                                  Copyright 2022 cPanel, L.L.C.
#                                                           All rights reserved.
# copyright@cpanel.net                                         http://cpanel.net
# This code is subject to the cPanel license. Unauthorized copying is prohibited

package scripts::expunge_expired_certificates_from_sslstorage;

use strict;
use warnings;

use parent qw( Cpanel::HelpfulScript );

use Cpanel::Config::Users                ();
use Cpanel::PIDFile                      ();
use Cpanel::SSLStorage::User             ();
use Cpanel::PwCache::Build               ();
use Cpanel::PwCache                      ();
use Cpanel::AccessIds::ReducedPrivileges ();

use Try::Tiny;

=encoding utf-8

=head1 NAME

scripts::expunge_expired_certificates_from_sslstorage

=head1 SYNOPSIS

    expunge_expired_certificates_from_sslstorage [ --user <username> | --help ]

=head1 DESCRIPTION

This command will look at the SSLStorage databases for all the users (or optionally a specific user) and checks for
certificates that have been expired for over a set time (C<$Cpanel::SSLStorage::EXPUNGE_CERTIFICATES_AFTER_SECONDS> seconds)
and removes them.

NOTE: This only operates on the user's SSL Storage database. This does not uninstall
certificates from websites, mail, cpsrvd, or other services.

=cut

our $PID_FILE = '/var/run/expunge_expired_certificates_from_sslstorage.pid';

sub _OPTIONS {
    return qw( user=s );
}

__PACKAGE__->new(@ARGV)->script() unless caller();

sub script {
    my ($self) = @_;

    if ( $self->getopt('user') ) {
        my $user = $self->getopt('user');
        print "Checking for expired certificates for the user '$user'.\n";

        try {
            my $expired_certs = $self->call_for_one_user($user);
            print "Found and expunged " . scalar @$expired_certs . " expired certificates for '$user'.\n";
        }
        catch {
            warn "There was an error expunging certificates for '$user': $_\n";
        };

        return;
    }

    Cpanel::PwCache::Build::init_passwdless_pwcache();

    Cpanel::PIDFile->do(
        $PID_FILE,
        sub {
            print "Checking for expired certificates for all users.\n";
            my @users = ( Cpanel::Config::Users::getcpusers(), 'root' );

            for my $user (@users) {
                try {
                    my $expired_certs = $self->call_for_one_user($user);
                    print "Found and expunged " . scalar @$expired_certs . " expired certificates for '$user'.\n";
                }
                catch {
                    warn "There was an error expunging certificates for '$user': $_\n";
                };
            }
        }
    );

    return;
}

sub call_for_one_user {
    my ( $self, $user ) = @_;

    my $expired_certs;

    my $privs;

    if ( $user ne 'root' ) {
        my $homedir = Cpanel::PwCache::gethomedir($user);
        die "No ssl storage exists for '$user'" if !-d "$homedir/ssl" || -z "$homedir/ssl/ssl.db";
        $privs = Cpanel::AccessIds::ReducedPrivileges->new($user);
    }

    my ( $ok, $storage ) = Cpanel::SSLStorage::User->new( user => $user, 'disable_required_fields_check' => 1 );
    die "There was an error getting the SSLStorage database for '$user': $storage" if !$ok;

    ( $ok, $expired_certs ) = $storage->_expunge_expired_certificates();    # we already reduced privs
    die "There was an error expunging expired certificates for '$user': $expired_certs" if !$ok;

    return $expired_certs;
}

1;