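#!/bin/bash
##
## request-recovery-key — mint a fresh "recovery" SSH key pair for an ident.
##
## Usage: request-recovery-key LABEL IDENT
##   LABEL  current admin label; may be empty. When given, the admin must
##          already hold a backup key for IDENT at
##          ${RSYNC_KEY_PATH}/backup/LABEL/IDENT.pub.
##   IDENT  the ident the recovery key is issued for.
##
## The key pair is filed under ${RECOVER_KEY_PATH}/<md5-of-private-key> and
## <md5>.pub. The private key is also written to stdout for the caller, so
## stdout of this script is secret material. Finally
## /usr/local/sbin/ssh-update-keys is run to republish the keys.

RSYNC_KEY_PATH=/etc/rsync/keys
RECOVER_KEY_PATH=${RSYNC_KEY_PATH}/recover

## Terminal colour escapes. Not referenced below; kept as-is.
ANSI_ESC=$'\e['
NORMAL="${ANSI_ESC}0m"
GRAY="${ANSI_ESC}1;30m"
RED="${ANSI_ESC}1;31m"
GREEN="${ANSI_ESC}1;32m"
YELLOW="${ANSI_ESC}1;33m"
BLUE="${ANSI_ESC}1;34m"
PINK="${ANSI_ESC}1;35m"
CYAN="${ANSI_ESC}1;36m"
WHITE="${ANSI_ESC}1;37m"
DARKGRAY="${ANSI_ESC}0;30m"
DARKRED="${ANSI_ESC}0;31m"
DARKGREEN="${ANSI_ESC}0;32m"
DARKYELLOW="${ANSI_ESC}0;33m"
DARKBLUE="${ANSI_ESC}0;34m"
DARKPINK="${ANSI_ESC}0;35m"
DARKCYAN="${ANSI_ESC}0;36m"
DARKWHITE="${ANSI_ESC}0;37m"

## Generate a throw-away RSA key pair and print the private key on stdout.
## Arguments: $1 - comment embedded in the key (ssh-keygen -C)
## Outputs:   the private key text on stdout; ssh-keygen's own output is
##            discarded
## Returns:   0 on success, 1 if the temp dir or the key could not be created
ssh:mk-private-key() {
  local comment="$1"
  ## Subshell so the EXIT trap cleans up only this call's temp dir, on every
  ## exit path (including the failure exits below).
  (
    tmpdir=$(mktemp -d) || exit 1
    trap 'rm -rf -- "$tmpdir"' EXIT
    chmod go-rwx -- "$tmpdir" || exit 1
    ## Use the caller-supplied comment. The previous "$service_name@$host"
    ## referenced variables that are never set in this script.
    ssh-keygen -t rsa -N "" -f "$tmpdir/rsync_rsa" -C "$comment" >/dev/null || exit 1
    cat -- "$tmpdir/rsync_rsa"
  )
}

## Print the MD5 hex digest of stdin. Used only to derive a file name for a
## key, not as an integrity or authentication primitive.
## Outputs: 32 hex characters on stdout
## Returns: md5sum's exit status
md5() {
  local sum
  sum=$(md5sum) || return 1
  printf '%s\n' "${sum%% *}"
}

## Create and file a recovery key for IDENT.
## Arguments: $1 - admin label (may be empty)
##            $2 - ident
## Outputs:   the new private key on stdout (via tee); errors on stderr
## Returns:   1 on bad arguments, missing claim or any failed step;
##            otherwise the exit status of ssh-update-keys
request-recovery-key() {
  local label="$1" ident="$2" key public_key digest key_file component

  if [ -z "$ident" ]; then
    echo "Usage: ${0##*/} LABEL IDENT" >&2
    return 1
  fi

  ## Both values are used as path components under the key directories;
  ## refuse anything that could point outside them.
  for component in "$label" "$ident"; do
    case "$component" in
      */*|..)
        echo "Error: label and ident must not contain '/' or be '..'." >&2
        return 1
        ;;
    esac
  done

  ## Admin should have claimed the ident with at least one backup key
  if [ -n "$label" ] && ! [ -e "${RSYNC_KEY_PATH}/backup/$label/$ident.pub" ]; then
    echo "Error: Current admin '$label' has no ident '$ident' claimed." >&2
    return 1
  fi

  ## Find new label: keys are filed under the MD5 of the private key; loop
  ## again in the (practically impossible) case that name is already taken.
  ## A failed or empty key generation aborts instead of filing an empty key.
  while true; do
    key=$(ssh:mk-private-key "recover@$ident") || return 1
    [ -n "$key" ] || return 1
    digest=$(printf "%s" "$key" | md5) || return 1
    key_file="${RECOVER_KEY_PATH}/$digest"
    [ -e "$key_file" ] || break
  done

  mkdir -p -- "${RECOVER_KEY_PATH}" || return 1
  public_key=$(ssh-keygen -y -f <(printf "%s\n" "$key")) || return 1
  printf "%s %s\n" "$public_key" "recover@$ident" > "$key_file.pub" || return 1

  ## Create the private-key file owner-only from the start (umask) rather
  ## than touch-then-chmod, so it is never group/world readable.
  (umask 077 && : > "$key_file") || return 1

  ## The private key also goes to the caller on stdout.
  printf "%s\n" "$key" | tee -a -- "$key_file" || return 1
  /usr/local/sbin/ssh-update-keys
}

request-recovery-key "$@"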