#!/bin/sh
#
# Manage svc-runner home-brew secrets
#

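# Site configuration; it has to define SVCRUNNER_ETC, SVCRUNNER_USER,
# SVCRUNNER_ADMIN, SVCRUNNER_GROUP and JAVA_HOME. A non-interactive sh
# terminates on its own if the file cannot be sourced.
. /etc/default/svc-runner

# Refuse to run with an incomplete configuration. Diagnostics go to stderr so
# they are not mistaken for tool output; 64 is EX_USAGE from sysexits.h.
if test -z "$SVCRUNNER_ETC" || test -z "$SVCRUNNER_USER" || test -z "$SVCRUNNER_ADMIN" \
   || test -z "$SVCRUNNER_GROUP" || test -z "$JAVA_HOME"
then
    echo "ERROR: SVCRUNNER_ETC, SVCRUNNER_USER, SVCRUNNER_ADMIN, SVCRUNNER_GROUP and JAVA_HOME not specified in /etc/default/svc-runner" >&2
    exit 64
fi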

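# Usage text. It is requested explicitly, so it goes to stdout with status 0.
# The secrets directory is derived from SVCRUNNER_ETC rather than hard-coded,
# so the help stays correct for a non-default installation prefix.
if test "$1" = "--help" || test "$1" = "-h" || test "$1" = "help"
then
    cat <<EOF
usage: svc-runner-secrets [-init|-list|-add|-decrypt]
     Manage home-brew svc-runner secrets.
       -init initializes the masterkey.
       -list <file> list secrets in file.
       -add <file> <pid> <key> <value> stores a value for a config.
                key to be accessed by a PID.
       -decrypt <file> <pid> <key> decrypt a value for a config.
                key previously stored with -add.
        Encrypted secret files are stored in
          $SVCRUNNER_ETC/secrets.d/*.properties
examples:
  svc-runner-secrets -init
  svc-runner-secrets -add db-secrets.properties org.clazzes.jdbc.provider FANCYMAIL-db-passwd foobar123!#
  svc-runner-secrets -list db-secrets.properties
  svc-runner-secrets -decrypt db-secrets.properties org.clazzes.jdbc.provider FANCYMAIL-db-passwd
EOF
    exit 0
fi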

# Location of the master key written by -init (one
# "svc.runner.secretsMasterKey=<base64>" line) and of the directory that
# holds the encrypted *.properties files; both live below SVCRUNNER_ETC.
SVCRUNNER_MK_FILE="${SVCRUNNER_ETC}/conf.d/secret-masterkey.properties"
SVCRUNNER_SECRETS_DIR="${SVCRUNNER_ETC}/secrets.d"

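if test "$1" = "-init"
then
    # -init is repeatable: an existing master key is kept and only its
    # ownership and mode are enforced; a missing key is generated. Failures
    # of the key step are remembered in init_rc so the secrets directory is
    # still set up but the script does not report success.
    init_rc=0
    if test -f "$SVCRUNNER_MK_FILE"
    then
        echo "Warn: $SVCRUNNER_MK_FILE exists, setting permissions."
        chown "$SVCRUNNER_ADMIN:$SVCRUNNER_GROUP" "$SVCRUNNER_MK_FILE" || exit 2
        chmod 440 "$SVCRUNNER_MK_FILE" || exit 3
        echo "Successfully set permissions on $SVCRUNNER_MK_FILE"
    else
        # The key file is created by the admin user itself. The here-document
        # is quoted so nothing in it is expanded by the invoking shell; the
        # target path reaches the child shell as its $1 (sh -s <arg>).
        sudo -u "$SVCRUNNER_ADMIN" -g "$SVCRUNNER_GROUP" /bin/sh -s "$SVCRUNNER_MK_FILE" <<'EOF'
set -e
mk_file=$1
# Create the file unreadable by group and others before any key material is
# written, instead of relying on the caller's umask and tightening afterwards.
umask 077
key=$(head -c 32 /dev/random | base64)
# A failed read from /dev/random would otherwise leave an empty key behind
# while the final chmod still reports success.
if test -z "$key"
then
    echo "Error: no key material could be read from /dev/random" >&2
    exit 1
fi
printf 'svc.runner.secretsMasterKey=%s\n' "$key" > "$mk_file"
chmod 440 "$mk_file"
EOF
        if test $? -eq 0
        then
            echo "Successfully created $SVCRUNNER_MK_FILE"
        else
            echo "Error creating $SVCRUNNER_MK_FILE, please check manually" >&2
            init_rc=7
        fi
    fi

    if test -d "$SVCRUNNER_SECRETS_DIR"
    then
        echo "Warn: $SVCRUNNER_SECRETS_DIR exists, setting permissions."
    else
        echo "Creating $SVCRUNNER_SECRETS_DIR."
        # -m applies the final mode at creation time; the chmod below is then
        # redundant for a fresh directory but still repairs an existing one.
        mkdir -m 750 "$SVCRUNNER_SECRETS_DIR" || exit 4
        echo "Successfully created $SVCRUNNER_SECRETS_DIR, setting permissions."
    fi
    chown "$SVCRUNNER_ADMIN:$SVCRUNNER_GROUP" "$SVCRUNNER_SECRETS_DIR" || exit 5
    chmod 750 "$SVCRUNNER_SECRETS_DIR" || exit 6
    echo "Successfully set permissions on $SVCRUNNER_SECRETS_DIR"
    exit "$init_rc"
else
    # Every other mode is delegated to the Java ManageSecrets tool, which
    # needs both artifacts produced by -init.
    if test ! -f "$SVCRUNNER_MK_FILE"
    then
        echo "Error: $SVCRUNNER_MK_FILE does not exist, call 'svc-runner-secrets -init'" >&2
        exit 1
    fi

    if test ! -d "$SVCRUNNER_SECRETS_DIR"
    then
        echo "Error: $SVCRUNNER_SECRETS_DIR does not exist, call 'svc-runner-secrets -init'" >&2
        exit 2
    fi

    echo "Running in directory $SVCRUNNER_SECRETS_DIR"
    # The chmod at the end resolves "$2" relative to this directory, so a
    # failed cd must not be ignored.
    cd "$SVCRUNNER_SECRETS_DIR" || exit 3

    # The master key is read and exported inside the shell that already runs
    # as the admin user (owner of the 440 key file as set by -init), so it
    # reaches java only through the environment and never appears in sudo's
    # argv, in process listings or in the sudo log. The key path, JAVA_HOME and
    # the etc path are passed as positional parameters; everything after them
    # is forwarded untouched to the tool. Assumes the sudoers policy permits
    # running /bin/sh as the admin user, as the -init branch already does.
    sudo -u "$SVCRUNNER_ADMIN" -g "$SVCRUNNER_GROUP" /bin/sh -c '
        mk_file=$1; java_home=$2; etc_dir=$3; shift 3
        SVCRUNNER_SECRETS_MK=$(sed "s/^ *svc\.runner\.secretsMasterKey *= *//p;d" "$mk_file") || exit 1
        export SVCRUNNER_SECRETS_MK
        exec "$java_home/bin/java" -Dsvc.runner.etcPath="$etc_dir" \
            --module-path /usr/share/svc-runner/lib \
            -m org.clazzes.svc.runner.core/org.clazzes.svc.runner.ManageSecrets "$@"
    ' sh "$SVCRUNNER_MK_FILE" "$JAVA_HOME" "$SVCRUNNER_ETC" "$@"
    code=$?

    # Secret files written by the tool must not be readable by other users;
    # "$2" is presumably the <file> argument of -add/-list/-decrypt when given.
    test -f "$2" && chmod o-rwx "$2"
    exit "$code"
fi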
