proxmox/scripts/archive/consolidated/verify/check-npmplus-certificates.sh

#!/usr/bin/env bash
# Check NPMplus certificates and identify duplicates
# Analyzes certificates before cleanup

set -euo pipefail

# Load IP configuration
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true


# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
CYAN='\033[0;36m'
NC='\033[0m'

log_info() { echo -e "${BLUE}[INFO]${NC} $1"; }
log_success() { echo -e "${GREEN}[✓]${NC} $1"; }
log_warn() { echo -e "${YELLOW}[⚠]${NC} $1"; }
log_error() { echo -e "${RED}[✗]${NC} $1"; }

# Configuration
PROXMOX_HOST="${1:-192.168.11.11}"
CONTAINER_ID="${2:-10233}"
NPM_URL="${3:-https://192.168.0.166:81}"
NPM_EMAIL="${4:-admin@example.org}"
NPM_PASSWORD="${5:-ce8219e321e1cd97bd590fb792d3caeb7e2e3b94ca7e20124acaf253f911ff72}"

echo ""
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "🔍 NPMplus Certificate Analysis"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""

# Check container status
log_info "Checking NPMplus container status..."
CONTAINER_STATUS=$(ssh root@"$PROXMOX_HOST" "pct exec $CONTAINER_ID -- docker ps --filter 'name=npmplus' --format '{{.Status}}' 2>/dev/null || echo 'not running'")

if echo "$CONTAINER_STATUS" | grep -q "not running\|Error"; then
    log_error "NPMplus container is not running"
    exit 1
fi
log_success "Container status: $CONTAINER_STATUS"
echo ""

# Get auth token
log_info "Authenticating to NPMplus API..."
TOKEN_RESPONSE=$(curl -s -k -X POST "$NPM_URL/api/tokens" \
    -H "Content-Type: application/json" \
    -d "{
        \"identity\": \"$NPM_EMAIL\",
        \"secret\": \"$NPM_PASSWORD\"
    }")

TOKEN=$(echo "$TOKEN_RESPONSE" | jq -r '.token // empty' 2>/dev/null || echo "")

if [ -z "$TOKEN" ] || [ "$TOKEN" = "null" ]; then
    ERROR_MSG=$(echo "$TOKEN_RESPONSE" | jq -r '.error.message // "Unknown error"' 2>/dev/null || echo "Unknown error")
    log_error "Failed to authenticate: $ERROR_MSG"
    log_info "Response: $TOKEN_RESPONSE"
    exit 1
fi
log_success "Authenticated successfully"
echo ""

# List all certificates
log_info "Fetching all certificates..."
CERTIFICATES_JSON=$(curl -s -k -X GET "$NPM_URL/api/nginx/certificates" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json")

CERT_COUNT=$(echo "$CERTIFICATES_JSON" | jq -r '.result | length' 2>/dev/null || echo "0")

if [ "$CERT_COUNT" = "0" ]; then
    log_warn "No certificates found in NPMplus"
    exit 0
fi

log_info "Found $CERT_COUNT total certificates"
echo ""

# Display all certificates
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "📋 All Certificates:"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""

echo "$CERTIFICATES_JSON" | jq -r '.result[] | "ID: \(.id) | Domains: \(.domain_names | join(", ")) | Provider: \(.provider // "unknown") | Valid: \(.valid_from // "N/A") - \(.valid_to // "N/A")"' 2>/dev/null | while IFS= read -r line; do
    echo "  $line"
done

echo ""

# Analyze for duplicates
log_info "Analyzing for duplicate certificates..."
echo ""

declare -A CERT_GROUPS
declare -A CERT_DETAILS

# Group certificates by domain names
while IFS= read -r cert_json; do
    if [ -n "$cert_json" ] && [ "$cert_json" != "null" ]; then
        cert_id=$(echo "$cert_json" | jq -r '.id // empty' 2>/dev/null || echo "")
        domain_names=$(echo "$cert_json" | jq -r '.domain_names | sort | join(",")' 2>/dev/null || echo "")
        provider=$(echo "$cert_json" | jq -r '.provider // "unknown"' 2>/dev/null || echo "unknown")
        valid_from=$(echo "$cert_json" | jq -r '.valid_from // "N/A"' 2>/dev/null || echo "N/A")
        valid_to=$(echo "$cert_json" | jq -r '.valid_to // "N/A"' 2>/dev/null || echo "N/A")
        
        if [ -n "$cert_id" ] && [ -n "$domain_names" ]; then
            # Create a key from sorted domain names
            key=$(echo "$domain_names" | tr '[:upper:]' '[:lower:]')
            
            # Store certificate details
            CERT_DETAILS["$cert_id"]="$domain_names|$provider|$valid_from|$valid_to"
            
            # Group by domain names
            if [ -z "${CERT_GROUPS[$key]:-}" ]; then
                CERT_GROUPS[$key]="$cert_id"
            else
                CERT_GROUPS[$key]="${CERT_GROUPS[$key]},$cert_id"
            fi
        fi
    fi
done < <(echo "$CERTIFICATES_JSON" | jq -c '.result[]' 2>/dev/null || echo "")

# Identify duplicates
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "🔍 Duplicate Analysis:"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""

duplicate_found=false
total_duplicates=0

for key in "${!CERT_GROUPS[@]}"; do
    cert_ids="${CERT_GROUPS[$key]}"
    cert_array=(${cert_ids//,/ })
    
    if [ ${#cert_array[@]} -gt 1 ]; then
        duplicate_found=true
        total_duplicates=$((total_duplicates + ${#cert_array[@]} - 1))
        
        log_warn "Duplicate certificates found for domains: $key"
        echo ""
        
        # Find the best certificate to keep
        best_cert_id=""
        best_valid_to="0"
        
        for cert_id in "${cert_array[@]}"; do
            details="${CERT_DETAILS[$cert_id]}"
            IFS='|' read -r domains provider valid_from valid_to <<< "$details"
            
            echo "  Certificate ID: $cert_id"
            echo "    Domains: $domains"
            echo "    Provider: $provider"
            echo "    Valid From: $valid_from"
            echo "    Valid To: $valid_to"
            echo ""
            
            # Determine best certificate (prefer later expiration)
            if [ "$valid_to" != "N/A" ] && [ "$valid_to" != "null" ] && [ "$valid_to" != "0" ]; then
                if [ -z "$best_cert_id" ] || [ "$valid_to" -gt "$best_valid_to" ]; then
                    best_cert_id="$cert_id"
                    best_valid_to="$valid_to"
                fi
            elif [ -z "$best_cert_id" ]; then
                best_cert_id="$cert_id"
            fi
        done
        
        log_success "  → Keep Certificate ID: $best_cert_id (latest expiration)"
        
        # Mark others for deletion
        for cert_id in "${cert_array[@]}"; do
            if [ "$cert_id" != "$best_cert_id" ]; then
                log_warn "    → Delete Certificate ID: $cert_id"
            fi
        done
        echo ""
    fi
done

if [ "$duplicate_found" = false ]; then
    log_success "✅ No duplicate certificates found!"
    echo ""
    exit 0
fi

# Summary
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
log_info "Summary:"
log_info "  Total certificates: $CERT_COUNT"
log_info "  Unique domain groups: ${#CERT_GROUPS[@]}"
log_info "  Duplicate certificates: $total_duplicates"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""

# Check proxy hosts
log_info "Checking proxy host certificate assignments..."
PROXY_HOSTS_JSON=$(curl -s -k -X GET "$NPM_URL/api/nginx/proxy-hosts" \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json")

PROXY_COUNT=$(echo "$PROXY_HOSTS_JSON" | jq -r '.result | length' 2>/dev/null || echo "0")
log_info "Found $PROXY_COUNT proxy hosts"
echo ""

# Show which certificates are in use
echo "$PROXY_HOSTS_JSON" | jq -r '.result[] | "Host: \(.domain_names[0] // "N/A") | Cert ID: \(.certificate_id // "None")"' 2>/dev/null | while IFS= read -r line; do
    echo "  $line"
done

echo ""
log_info "Next step: Run cleanup script to remove duplicates"
log_info "  bash scripts/cleanup-duplicate-certificates.sh $PROXMOX_HOST $CONTAINER_ID $NPM_URL $NPM_EMAIL $NPM_PASSWORD"
echo ""