#! /bin/sh
# postinst script for ca-certificates
#
# see: dh_installdeb(1)

# summary of how this script can be called:
#        * <postinst> `configure' <most-recently-configured-version>
#        * <old-postinst> `abort-upgrade' <new version>
#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
#          <new-version>
#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
#          <failed-install-package> <version> `removing'
#          <conflicting-package> <version>
# for details, see /usr/share/doc/packaging-manual/
#
# quoting from the policy:
#     Any necessary prompting should almost always be confined to the
#     post-installation script, and should be protected with a conditional
#     so that unnecessary prompting doesn't happen if a package's
#     installation fails and the `postinst' is called with `abort-upgrade',
#     `abort-remove' or `abort-deconfigure'.

set -e

each_value() {
 echo "$1" |tr ',' '\n' | sed -e 's/^[[:space:]]*//' 
}

memberp() {
 m="$1"
 l="$2"
 each_value "$l" | grep -q "^$m\$"
}

delca() {
 m="$1"
 l="$2"
 echo "$l" |sed -e 's|'"$m"', ||' -e 's|'"$m"'$||' -e 's/,[[:space:]]*,/, /' -e 's/^[[:space:]]*//' -e 's/,[[:space:]]*$//'
}

case "$1" in
    configure)
        if [ ! -e /usr/local/share/ca-certificates ]
        then
            if mkdir /usr/local/share/ca-certificates 2>/dev/null
            then
                chown root:staff /usr/local/share/ca-certificates
                chmod 2775 /usr/local/share/ca-certificates
            fi
        fi

        . /usr/share/debconf/confmodule
	db_version 2.0
	db_capb multiselect
	db_metaget ca-certificates/enable_crts choices
	CERTS_AVAILABLE="$RET"
	db_get ca-certificates/enable_crts
	CERTS_ENABLED="$RET"
	# XXX unmark seen for next configuration
	db_fset ca-certificates/new_crts seen false
	# We should clean up this value now, as everyone will have
	# upgraded to a fixed version.
	db_fset ca-certificates/enable_crts asked_pt_br_question false
	db_stop || true
	if test -f /etc/ca-certificates.conf; then
	  # XXX: while in subshell?
	  while read line
	  do
	    if echo "$line" | grep -q '^#'; then
	     echo "$line"
	    else
	     case "$line" in
	     !*) ca=$(echo "$line" | sed -e 's/^!//');;
	     *)   ca="$line";;
	     esac
	     if memberp "$ca" "$CERTS_ENABLED"; then
	       echo "$ca"
	       # CERTS_ENABLED=$(delca "$ca" "$CERTS_ENABLED")
         elif memberp "$ca" "$CERTS_AVAILABLE" ||
              echo "$line" | grep -q '^!'; then
           echo "!$ca"
         elif [ -f /usr/share/ca-certificates/"$ca" ] || \
              [ -f /usr/local/share/ca-certificates/"$ca" ]; then
           echo "$ca"
	     else
	       echo "!$ca"
	     fi
	     # CERTS_AVAILABLE=$(delca "$ca" "$CERTS_AVAILABLE")
	    fi
	  done < /etc/ca-certificates.conf > /etc/ca-certificates.conf.dpkg-new
	  if echo "$CERTS_ENABLED" | egrep -q "^([[:space:]]*,)*[[:space:]]*$"; then
	      :
	  else
	    each_value "$CERTS_ENABLED" | while read ca
 	    do
	      if grep -q "^$ca" /etc/ca-certificates.conf.dpkg-new; then
		  :
	      else
		  echo "$ca" >> /etc/ca-certificates.conf.dpkg-new
	      fi
            done
	  fi
	  each_value "$CERTS_AVAILABLE" | while read ca
	  do
	    if memberp "$ca" "$CERTS_ENABLED"; then
		:
	    elif grep -q "^!$ca" /etc/ca-certificates.conf.dpkg-new; then
	        :
	    else
		echo "!$ca" >> /etc/ca-certificates.conf.dpkg-new
	    fi
	  done
	  if cmp -s /etc/ca-certificates.conf /etc/ca-certificates.conf.dpkg-new; then
	    rm -f /etc/ca-certificates.conf.dpkg-new
	  else
	    mv -f /etc/ca-certificates.conf /etc/ca-certificates.conf.dpkg-old
	    mv /etc/ca-certificates.conf.dpkg-new /etc/ca-certificates.conf
	  fi
	else
	  # new file
	  cat > /etc/ca-certificates.conf <<EOF
# This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs.
# update-ca-certificates(8) will update /etc/ssl/certs by reading this file.
#
# This is autogenerated by dpkg-reconfigure ca-certificates.
# Certificates should be installed under /usr/share/ca-certificates
# and files with extension '.crt' is recognized as available certs.
#
# line begins with # is comment.
# line begins with ! is certificate filename to be deselected.
#
EOF
	  (echo $CERTS_ENABLED | tr ',' '\n'; \
	   echo $CERTS_AVAILABLE | tr ',' '\n') | \
	    sed -e 's/^[[:space:]]*//' | \
	    sort | uniq -c | \
	    sed -e 's/^[[:space:]]*2[[:space:]]*//' \
	        -e 's/^[[:space:]]*1[[:space:]]*/!/' \
	    >> /etc/ca-certificates.conf
	fi
	# fix bogus symlink to ca-certificates.crt on upgrades; see
	# Debian #643667; drop after wheezy
	if dpkg --compare-versions "$2" lt-nl 20111025; then
	    update-ca-certificates --fresh
	else
	    update-ca-certificates
	fi
    ;;

    abort-upgrade|abort-remove|abort-deconfigure)

    ;;

    *)
        echo "postinst called with unknown argument \`$1'" >&2
        exit 1
    ;;
esac

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.

#DEBHELPER#

exit 0