#!/usr/bin/env bash
set -u
set -o pipefail

script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
cert_path=""

if [[ -f "$script_dir/connpack-root-ca.cer" ]]; then
    cert_path="$script_dir/connpack-root-ca.cer"
elif [[ -f "$script_dir/connpack-root-ca.crt" ]]; then
    cert_path="$script_dir/connpack-root-ca.crt"
else
    echo "FAIL[2]: Certificate file not found. Place connpack-root-ca.cer or connpack-root-ca.crt next to this script."
    exit 2
fi

if ! command -v security >/dev/null 2>&1; then
    echo "FAIL[3]: macOS security tool not found."
    exit 3
fi

run_privileged() {
    if [[ "$(id -u)" -eq 0 ]]; then
        "$@"
        return $?
    fi

    if command -v sudo >/dev/null 2>&1; then
        sudo "$@"
        return $?
    fi

    return 127
}

system_attempt_allowed=false
if [[ "$(id -u)" -eq 0 ]] || command -v sudo >/dev/null 2>&1; then
    system_attempt_allowed=true
fi

if [[ "$system_attempt_allowed" == true ]]; then
    if run_privileged security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$cert_path"; then
        echo "OK[0]: ConnPack root certificate installed in System keychain."
        exit 0
    fi
    echo "INFO: System keychain install failed. Trying login keychain."
fi

login_keychain="$HOME/Library/Keychains/login.keychain-db"
if [[ ! -f "$login_keychain" ]]; then
    login_keychain="$HOME/Library/Keychains/login.keychain"
fi

if security add-trusted-cert -d -r trustRoot -k "$login_keychain" "$cert_path"; then
    echo "OK[0]: ConnPack root certificate installed in login keychain."
    exit 0
fi

echo "FAIL[5]: Unable to install ConnPack root certificate into System or login keychain."
exit 5