# This module is distributed under the GNU Affero General Public License:
# 
# Monkeysphere module for puppet
# Copyright (C) 2009-2010 Sarava Group
# 
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or any later version.
# 
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
# 
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

#
# Class for monkeysphere management
#

class monkeysphere inherits monkeysphere::defaults {
  # The needed packages
  package { monkeysphere: ensure => installed, }

  file { "monkeysphere_conf":
    path => "/etc/monkeysphere/monkeysphere.conf",
    mode => 644,
    ensure => present,
    content => template("monkeysphere/monkeysphere.conf.erb"),
  }
  file { "monkeysphere_host_conf":
    path => "/etc/monkeysphere/monkeysphere-host.conf",
    mode => 644,
    ensure => present,
    content => template("monkeysphere/monkeysphere-host.conf.erb"),
  }
  file { "monkeysphere_authentication_conf":
    path => "/etc/monkeysphere/monkeysphere-authentication.conf",
    mode => 644,
    ensure => present,
    content => template("monkeysphere/monkeysphere-authentication.conf.erb"),
  }
}

class monkeysphere::defaults {
  $keyserver = $monkeysphere_keyserver ? {
    '' => 'pool.sks-keyservers.net',
    default => $monkeysphere_keyserver
  }
}

define monkeysphere::import_key ( $scheme = 'ssh://', $port = '', $path = '/etc/ssh/ssh_host_rsa_key', $hostname = $fqdn ) {

  # if we're getting a port number, prefix with a colon so it's valid
  $prefixed_port = $port ? {
    '' => '',
    default => ":$port"
  }

  $key = "${scheme}${fqdn}${prefixed_port}"

  exec { "monkeysphere-host import-key $path $key":
    alias => "monkeysphere-import-key",
	  require => [ Package["monkeysphere"],  File["monkeysphere_host_conf"] ],
	  unless => "/usr/sbin/monkeysphere-host s | grep $key > /dev/null"
  }
}

# Server host key publication
define monkeysphere::publish_server_keys ( $keyid = '--all' ) { 
  exec { "monkeysphere-host publish-keys $keyid":
    environment => "MONKEYSPHERE_PROMPT=false",
	  require => [ Package["monkeysphere"], Exec["monkeysphere-import-key"], File["monkeysphere_host_conf"] ],
  }
}

# optionally, mail key somehwere 
define monkeysphere::email_server_keys ( ) {
  $email = $title    
  exec { "mail -s 'monkeysphere host pgp keys for $fqdn' $email < /var/lib/monkeysphere/host_keys.pub.pgp":
	  require => [ Package["monkeysphere"], Exec["monkeysphere-import-key"] ],
  }
}

# add certifiers
define monkeysphere::add_id_certifier( $keyid ) {
  exec { "monkeysphere-authentication add-id-certifier $keyid":
	  environment => "MONKEYSPHERE_PROMPT=false",
	  require => [ Package["monkeysphere"], File["monkeysphere_authentication_conf"] ],
	  unless => "/usr/sbin/monkeysphere-authentication list-id-certifiers | grep $keyid > /dev/null"
  }
}

define monkeysphere::authorized_user_ids( $user_ids,  $dest_dir = '/root/.monkeysphere', $dest_file = 'authorized_user_ids', $group = '') {
  $user = $title
  $calculated_group = $group ? {
    '' => $user,
    default => $group
  }

  # don't require user if it's root because root is not handled 
  # by puppet
  case $user {
    root: {
      file {
        $dest_dir:
          owner => $user,
          group => $calculated_group,
          mode => 755,
          ensure => directory,
      }
    }
    default: {
      file {
        $dest_dir:
          owner => $user,
          group => $calculated_group,
          mode => 755,
          ensure => directory,
          require => User[$user]
      }
    }
  }

  file {
    "${dest_dir}/${dest_file}":
      owner => $user,
      group => $calculated_group,
      mode => 644,
      content => template('monkeysphere/authorized_user_ids.erb'),
      ensure => present,
      recurse => true,
      require => File[$dest_dir] 
  }

  exec { "monkeysphere-authentication update-users $user":
    refreshonly => true,
    require => [ File["monkeysphere_authentication_conf"], Package["monkeysphere"] ],
    subscribe => File["${dest_dir}/${dest_file}"] 
  }
}

# ensure that the user has a gpg key created and it is authentication capable
# in the monkeysphere. This is intended to be the same as generated a
# password-less ssh key 
#
define monkeysphere::auth_capable_user ( $expire = "1y", $length = "2048", 
  $uid_name = undef, $email = undef ) { 

  $user = $title

  # The goal is no passphrase, monkeysphere won't work without a passphrase. 
  $calculated_passphrase = $gpg_auto_password ? {
    '' => 'monkeys',
    default => $gpg_auto_password
  }

  $calculated_name = $uid_name ? {
    '' => "$user user",
    default => $uid_name
  }
  $calculated_email = $email ? {
    '' => "$user@$fqdn",
    default => $email
  }
  exec { "monkeysphere-gen-key-$user":
    command => "printf 'Key-Type: RSA\nKey-Length: 2048\nKey-Usage: encrypt,sign\nSubkey-Type: RSA\nSubkey-Length: 2048\nSubkey-Usage: encrypt\nName-Real: $calculated_name\nName-Email: $calculated_email\nPassphrase: $calculated_passphrase\nExpire-Date: 1y\n' | gpg --batch --gen-key",
    require => [ Package["monkeysphere"] ],
    user => $user,
    unless => "gpg --list-secret-key | grep ^sec >/dev/null"
  }

  #FIXME - we should check expiration date and extend it if we're < n days before expiration

  # handle auth subkey
  exec { "monkeysphere-gen-subkey-$user":
    command => "printf '$calculated_passphrase\n' | monkeysphere gen-subkey",
    require => [ Package["monkeysphere"], Exec["monkeysphere-gen-key-$user" ] ],
    user => $user,
    unless => "gpg --list-key --with-colons $(gpg --list-secret-key --with-colons | grep ^sec | cut -d: -f5) | grep ^sub | cut -d: -f12 | grep a >/dev/null"
  }

}

define monkeysphere::publish_user_key ( ){
  $user = $title

  $keyserver_arg = $monkeysphere_keyserver ? {
    '' => '',
    default => "--keyserver $monkeysphere_keyserver"
  }

  exec { "monkeysphere-gpg-send-key-$user":
    command => "gpg $keyserver_arg --send-key $(gpg --list-secret-key --with-colons | grep ^sec | cut -d: -f5)",
    require => [ Package["monkeysphere"], Exec["monkeysphere-gen-key-$user" ] ],
    user => $user,
  }

}

define monkeysphere::owner_trust( $fingerprint, $user = 'root', $level = 6 ) {
  $keyserver_arg = $monkeysphere_keyserver ? {
    '' => '',
    default => "--keyserver $monkeysphere_keyserver"
  }

  # ensure the key is in the key ring
  exec { "monkeysphere-gpg-recv-key-$user-$fingerprint":
    command => "gpg $keyserver_arg --recv-key $fingerprint",
    require => [ Package["monkeysphere"] ],
    user => $user,
    unless => "gpg --list-key $fingerprint 2>&1 >/dev/null"
  }
  # provide ownertrust
  exec { "monkeysphere-gpg-ownertrust-$user-$fingerprint":
    command => "printf '$fingerprint:$level\n'\$(gpg --export-ownertrust) | gpg --import-ownertrust",
    require => [ Package["monkeysphere"] ],
    user => $user,
    unless => "gpg --export-ownertrust | grep $fingerprint >/dev/null"
  }
}