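# profiles::ssh::sign
#
# Manages the SSH host-certificate principals file and, when the signed host
# certificate is missing or its set of principals differs from what is on
# disk, re-signs the node's RSA host public key with /usr/local/bin/sshsignhost
# and installs the returned certificate.
#
# @param principals
#   Extra principals to embed in the host certificate, in addition to the
#   defaults derived from the node's hostname, FQDN and IP address.
#
# NOTE(review): the default principals are built from agent-reported facts
# ($facts['networking']); $trusted['certname'] is the only server-verified
# node identity -- confirm fact-derived principals are acceptable here.
class profiles::ssh::sign (
  Optional[Array[Stdlib::Host]] $principals = [],
) {
  # Principals every host certificate carries regardless of $principals.
  $default_principals = [
    $facts['networking']['hostname'],
    $facts['networking']['fqdn'],
    $facts['networking']['ip'],
  ]

  # $principals may be undef (Optional) or empty; only a non-empty array
  # extends the defaults.  Array '+' is core Puppet, so stdlib concat() is
  # not required.
  $effective_principals = $principals ? {
    Array[Any, 1] => $default_principals + $principals,
    default       => $default_principals,
  }

  # File sshd consults for the principals accepted on this host.
  $principals_file = '/etc/ssh/host_principals'

  file { $principals_file:
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => join($effective_principals, "\n"),
  }

  # The sshd_host_principals fact reports the principals currently on disk.
  # It is presumably absent before the file has ever been written -- TODO
  # confirm -- so treat undef as "no principals yet" rather than letting
  # sort() fail on an undef argument.
  $principals_on_disk = $facts['sshd_host_principals'] ? {
    undef   => [],
    default => $facts['sshd_host_principals'],
  }

  # Order-insensitive comparison of disk state vs. what this run intends.
  $principals_match = sort($principals_on_disk) == sort($effective_principals)

  # Re-sign only when the certificate is missing or the principals changed.
  # generate() runs the signing helper on the compiling server, not on the
  # agent: the agent's public key arrives as a fact and the signed
  # certificate travels back in the catalog.  Arguments are passed as a
  # list, so the principals string never goes through a shell.
  if ! $facts['sshd_host_cert_exists'] or ! $principals_match {
    $valid_hours = '87600h'

    # $effective_principals always holds the three defaults, so no
    # empty-list special case is needed for the comma-joined argument.
    $principals_string = join($effective_principals, ',')

    $json_output = generate(
      '/usr/local/bin/sshsignhost',
      '--valid_principals', $principals_string,
      '--ttl', $valid_hours,
      '--public_key', "${facts['ssh']['rsa']['type']} ${facts['ssh']['rsa']['key']}",
      '--json'
    )
    $signed_data  = parsejson($json_output)
    $cert_content = $signed_data['signed_key']
  } else {
    # undef leaves `content` unmanaged, so the existing certificate is kept.
    $cert_content = undef
  }

  # Host certificates are public material; 0644 is intentional.
  file { '/etc/ssh/ssh_host_rsa_key-cert.pem':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => $cert_content,
  }
}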