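#!/bin/bash
#
# Wrapper for hiera-eyaml.
#
# Resolves the node name given as $1 to its FQDN, makes sure a PKCS7
# keypair for that node (or for its whole domain, in the single-key
# setup) exists locally -- fetching it from keyringer, or generating it
# and storing it in keyringer -- and then runs eyaml with the remaining
# arguments plus the matching --pkcs7-*-key options.
#
# Globals read:  APP_BASE, HYDRA, HYDRA_FOLDER (after hydra_config_load)
# Arguments:     $1 - node name; $2 - eyaml action; rest passed to eyaml
# Returns:       1 on usage error or when key material cannot be obtained,
#                otherwise eyaml's exit status
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License along with this program. If not, see
# <http://www.gnu.org/licenses/>.

# Load
source "$APP_BASE/lib/hydra/functions" || exit 1
hydra_config_load

# Parameters
BASENAME="$(basename -- "$0")"
NODE="$1"
ACTION="$2"

# Check for eyaml
hydra_install_package hiera-eyaml

# Check for node
# NOTE(review): the usage line appears to have lost its argument
# placeholders after $BASENAME; restore them from the upstream copy.
if [ -z "$NODE" ]; then
  echo "usage: hydra $HYDRA $BASENAME "
  echo ""
  echo "examples:"
  echo ""
  printf '\t%s\n' "hydra $HYDRA $BASENAME encrypt -p -l my::hiera::param"
  printf '\t%s\n' "hydra $HYDRA $BASENAME decrypt --stdin"
  exit 1
fi

# Resolve the node only once we know we have one; the domain is the
# FQDN with its first label removed (the whole string if it has no dot,
# matching what "cut -d . -f 2-" returned).
FQDN="$(hydra_get_fqdn_from_nodename "$NODE")"
DOMAIN="${FQDN#*.}"
shift

# Ensure keystore exists
mkdir -p "$HYDRA_FOLDER/puppet/keys/$FQDN/eyaml"

# Set pub and privkey paths: local key files, and their paths inside the
# keyringer keystore (relative to $HYDRA_FOLDER/keyring/keys).
PRIV="$HYDRA_FOLDER/puppet/keys/$FQDN/eyaml/private_key.pkcs7.pem"
PUB="$HYDRA_FOLDER/puppet/keys/$FQDN/eyaml/public_key.pkcs7.pem"
PRIV_CRYPT="nodes/$FQDN/eyaml/private_key.pkcs7.pem.asc"
PUB_CRYPT="nodes/$FQDN/eyaml/public_key.pkcs7.pem"

# Test for single-key setup: a domain-wide private key in keyringer
# switches all nodes of that domain to the shared key, unless the local
# per-domain private key path is a symlink (presumably an explicit
# opt-out -- confirm against the docs for this layout).
if [ -e "$HYDRA_FOLDER/keyring/keys/domains/$DOMAIN/eyaml/private_key.pkcs7.pem.asc" ] && \
   [ ! -h "$HYDRA_FOLDER/puppet/keys/private_key.pkcs7.pem" ]; then
  PRIV="$HYDRA_FOLDER/puppet/keys/private_key.pkcs7.pem"
  PUB="$HYDRA_FOLDER/puppet/keys/public_key.pkcs7.pem"
  PRIV_CRYPT="domains/$DOMAIN/eyaml/private_key.pkcs7.pem"
  PUB_CRYPT="domains/$DOMAIN/eyaml/public_key.pkcs7.pem"
fi

# Then set eyaml args (an array so paths with spaces survive).
ARGS=(--pkcs7-private-key "$PRIV" --pkcs7-public-key "$PUB")

# Generate keypair if needed
if [ ! -e "$PRIV" ]; then
  # TODO(review): in the per-node branch PRIV_CRYPT already ends in ".asc",
  # so this test looks for "...pem.asc.asc"; in the per-domain branch it
  # looks for "...pem.asc". One of the two is probably wrong -- confirm
  # against the keyringer layout before changing either.
  if [ -e "$HYDRA_FOLDER/keyring/keys/$PRIV_CRYPT.asc" ]; then
    echo "Getting eyaml keys for $FQDN from keyringer..."
    # Write the private key with owner-only permissions, and do not leave
    # an empty/partial file behind on failure: "-e $PRIV" would otherwise
    # make every later run treat the broken file as a valid key.
    if ! ( umask 077 && keyringer "$HYDRA" decrypt "$PRIV_CRYPT" > "$PRIV" ); then
      echo "Failed to decrypt $PRIV_CRYPT from keyringer" >&2
      rm -f -- "$PRIV"
      exit 1
    fi
    if ! keyringer "$HYDRA" decrypt "$PUB_CRYPT" > "$PUB"; then
      echo "Failed to decrypt $PUB_CRYPT from keyringer" >&2
      rm -f -- "$PUB"
      exit 1
    fi
  else
    echo "Generating eyaml keys for $FQDN..."
    # Without a keypair there is nothing to store, so bail out here rather
    # than asking keyringer to encrypt files that do not exist.
    eyaml createkeys "${ARGS[@]}" || exit 1
    echo "Saving generated keys into keyringer..."
    keyringer "$HYDRA" encrypt "$PRIV_CRYPT" "$PRIV"
    keyringer "$HYDRA" encrypt "$PUB_CRYPT" "$PUB"
  fi
fi

# Now call eyaml directly, forwarding the action and its options verbatim
# ("$@" keeps arguments containing whitespace intact, unlike $*).
if [ -n "$ACTION" ]; then
  eyaml "$@" "${ARGS[@]}"
fi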