#!/usr/bin/env bash

# Conditionally installs custom SSL certificates downloaded from the comma-separated URLs in the CERTIFICATE_URLS environment variable.

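set -o nounset
set -o errexit
set -o pipefail
IFS=$'\n\t'

# Directory that update-ca-certificates scans for locally added CA files.
readonly CERT_DIR="/usr/local/share/ca-certificates"

if [[ -z "${CERTIFICATE_URLS:-}" ]]; then
  printf "%s: Skipped, CERTIFICATE_URLS is empty.\n" "${0}"
  exit 0
fi

printf "%s\n" "Installing custom SSL certificates..."

# Every file placed in CERT_DIR becomes a trust anchor for TLS clients on this
# host. Downloads are therefore staged in a private temp directory and copied
# into CERT_DIR only after a complete, successful HTTPS transfer, so a
# truncated or failed download never reaches the trust store.
staging_dir=$(mktemp -d)
trap 'rm -rf -- "${staging_dir:?}"' EXIT

# CERTIFICATE_URLS is a comma-separated list; only its first line is read.
IFS=',' read -ra urls <<< "${CERTIFICATE_URLS}"

# Number of list entries that were rejected or could not be installed.
failed=0

for url in "${urls[@]}"; do
  # Trim leading/trailing whitespace with parameter expansion. (Piping through
  # xargs aborts the whole script under errexit when the value contains a
  # quote or backslash.)
  url="${url#"${url%%[![:space:]]*}"}"
  url="${url%"${url##*[![:space:]]}"}"

  if [[ -z "${url}" ]]; then
    continue
  fi

  # A CA fetched over plaintext (or any non-HTTPS scheme) can be swapped in
  # transit, handing the network path control of this host's trust store.
  # Requiring the https:// prefix also keeps a value starting with "-" from
  # being parsed as a curl option.
  if [[ ! "${url}" =~ ^[Hh][Tt][Tt][Pp][Ss]:// ]]; then
    printf "%s\n" "ERROR: Refusing non-HTTPS certificate URL: ${url}." >&2
    failed=$((failed + 1))
    continue
  fi

  printf "%s\n" "Downloading certificate: ${url}."

  filename=$(basename -- "${url}")

  # Change extension to .crt (required by update-ca-certificates).
  # NOTE: two URLs with the same basename map to the same file; the later
  # one overwrites the earlier one.
  cert_name="${filename%.*}.crt"
  staged="${staging_dir}/${cert_name}"

  # --proto/--proto-redir pin both the initial request and every redirect
  # followed by --location to HTTPS, so a redirect cannot downgrade to http.
  # NOTE(review): TLS authenticates the server, not the file. Whoever controls
  # CERTIFICATE_URLS or the hosting server controls what gets trusted; pinning
  # an expected fingerprint per URL would be stronger and is not done here.
  if ! curl --fail --silent --show-error --location \
    --proto '=https' --proto-redir '=https' \
    --output "${staged}" "${url}"; then
    printf "%s\n" "ERROR: Failed to download from ${url}." >&2
    failed=$((failed + 1))
    continue
  fi

  # mktemp -d is private (0700), so set world-readable mode explicitly on the
  # installed copy.
  if ! install -m 0644 -- "${staged}" "${CERT_DIR}/${cert_name}"; then
    printf "%s\n" "ERROR: Failed to install ${cert_name} into ${CERT_DIR}." >&2
    failed=$((failed + 1))
    continue
  fi

  printf "%s\n" "Downloaded ${url} to ${CERT_DIR}/${cert_name}."
done

printf "%s\n" "Updating CA certificates..."
update-ca-certificates

# Best-effort semantics are kept (per-URL failures do not abort the script or
# change its exit status), but success is no longer claimed when any entry
# was skipped.
if ((failed > 0)); then
  printf "%s\n" "WARNING: ${failed} certificate URL(s) were not installed; see errors above." >&2
else
  printf "%s\n" "Custom SSL certificates installed successfully."
fi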
