#!/bin/bash

# Validate the salt-generated nginx configs

if [[ $(whoami) != 'root' ]]; then
    if [[ -f /usr/bin/sudo ]]; then
        SUDO='/usr/bin/sudo'
    else
        echo 'Please install sudo first, or run this script as root'
        exit 1
    fi
fi

reset_nginx() {
    rm -rf /etc/nginx
    cp -a /etc/nginx_orig /etc/nginx
    printf "roles:\n- $role" | $SUDO tee /etc/salt/grains > /dev/null
}

create_fake_certs() {
    # We are replacing both the cert/key pair because:
    # - the key is encrypted and the CI worker can't decrypt it
    # - the nginx validation command tries to match the pair

    PRIVATE_KEYS=( $(grep ssl_certificate_key pillar/role/$role.sls | cut -d':' -f2) )
    for key in ${PRIVATE_KEYS[@]}; do
        $SUDO cp test/fixtures/domain.key $key
    done

    PUBLIC_CERTS=( $(grep "ssl_certificate:" pillar/role/$role.sls | cut -d':' -f2) )
    for cert in ${PUBLIC_CERTS[@]}; do
        $SUDO cp test/fixtures/domain.crt $cert
    done
}

WEB_ROLES=( $(bin/get_roles.py | grep web_) )

for role in ${WEB_ROLES[@]}; do
    if grep nginx salt/role/$role.sls > /dev/null; then
        echo "Testing role: $role"
        reset_nginx
        $SUDO salt-call --local -l quiet state.apply role.$role > /dev/null
        create_fake_certs
        if $(nginx -tq); then
            echo 'PASSED'
        else
            STATUS=1
        fi
    fi
done

exit $STATUS