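#!/bin/bash
##
## Rebuild the rsync account's authorized_keys from the public keys found
## under RSYNC_KEY_PATH. Every key is forced through a validating command
## and loses port/X11/agent forwarding and pty allocation.
##
## Keep in mind possible race conditions as this script will be called
## from different place to update the access tokens: each run writes its
## own temporary file and installs it with an atomic rename; when flock(1)
## is available the whole run is additionally serialised.
##
## Usage: run with no arguments, with rights to write RSYNC_HOME/.ssh and
##        to chown the result to rsync:rsync.
##

set -eu

##
## Code
##

readonly RSYNC_KEY_PATH=/etc/rsync/keys
readonly RSYNC_HOME=/var/lib/rsync
readonly BACKUP_KEY_PATH=${RSYNC_KEY_PATH}/backup
readonly RECOVER_KEY_PATH=${RSYNC_KEY_PATH}/recover
readonly AUTH_KEYS="$RSYNC_HOME"/.ssh/authorized_keys

## Only values made of these characters are spliced into the command=
## option: a quote, comma or space could terminate the option string as
## sshd parses it and hand the key a different command.
readonly ident_re='^[a-zA-Z0-9._-]+$'
## A key file must hold exactly one "<type> <base64> [comment]" line; any
## extra line would land in authorized_keys without the command= prefix.
## NOTE(review): the key directories are treated as trusted input here;
## keep their write access restricted accordingly.
readonly key_re='^[A-Za-z0-9.@-]+ [A-Za-z0-9+/=]+([[:space:]].*)?$'

die() { printf '%s\n' "$*" >&2; exit 1; }

mkdir -p -- "$RSYNC_HOME/.ssh" "$RECOVER_KEY_PATH"

## Serialise concurrent runs when flock (util-linux) exists; without it we
## fall back to the last-writer-wins behaviour documented further down.
if command -v flock >/dev/null 2>&1; then
  exec 9>"$RSYNC_HOME"/.ssh/.authorized_keys.lock
  flock 9
fi

## delete old recovery keys
find "${RECOVER_KEY_PATH}" \
  -maxdepth 1 -not -newermt "-15 minutes" \
  -type f -delete

##
## New
##

new="$AUTH_KEYS".tmp."$$"
## Never leave a half-written temporary file behind; rm is a no-op once
## the file has been renamed into place.
cleanup() { rm -f -- "$new"; }
trap cleanup EXIT
: > "$new" || die "cannot create $new"

for f in "$BACKUP_KEY_PATH"/*/*.pub "$RECOVER_KEY_PATH"/*.pub; do
  [[ -e "$f" ]] || continue
  if ! content=$(<"$f"); then
    printf 'unreadable key file: %s\n' "$f" >&2
    continue
  fi
  basename=${f##*/}
  basename=${basename%.pub}

  ## Reject anything that is not a single well-formed key line (a second
  ## line would be an unrestricted authorized_keys entry).
  if [[ "$content" == *$'\n'* ]] || ! [[ "$content" =~ $key_re ]]; then
    printf 'bad key file: %s\n' "$f" >&2
    continue
  fi

  ## The ident handed to the validating command is the part after the
  ## last '@' of the key's comment when there is one, else the file's
  ## basename without .pub.
  if [[ "$content" == *" "*" "*@* ]]; then
    ident="${content##*@}"
  else
    ident="$basename"
  fi
  if ! [[ "$ident" =~ $ident_re ]]; then
    printf "bad: '%s'\n" "$ident" >&2
    continue
  fi

  if [[ "$f" == "${RECOVER_KEY_PATH}"/*.pub ]]; then
    ## The filename is embedded in command= as well, so it needs the same
    ## check even when the ident came from the key's comment.
    if ! [[ "$basename" =~ $ident_re ]]; then
      printf "bad: '%s'\n" "$basename" >&2
      continue
    fi
    cmd="/usr/local/sbin/ssh-recover-cmd-validate $basename"
  else
    cmd=/usr/local/sbin/ssh-cmd-validate
  fi
  ## Produces: command="<cmd> \"<ident>\"",no-port-forwarding,... <key line>
  printf 'command="%s \\"%s\\"",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
    "$cmd" "$ident" "$content"
done >> "$new"

## Keep the previous file as .old without ever leaving the account keyless:
## the hard link is made first and the live file is only replaced by the
## atomic rename below.
if [[ -e "$AUTH_KEYS" ]]; then
  ln -f -- "$AUTH_KEYS" "$AUTH_KEYS".old
fi

## XXXvlab: Atomic operation. It's the last call to this instruction
## that will prevail. There are some very special cases where some
## added key would not be added as expected: for instance an older
## call to ``ssh-update-key``, if made before a specific public key
## file was added to directory, could take a longer time to reach this
## next instruction than a more recent call (that would be after
## the specific public key was added). The flock above removes that
## window on systems where flock is installed.
mv -f -- "$new" "$AUTH_KEYS"
chown -R rsync:rsync -- "$RSYNC_HOME"/.ssh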