#!/bin/sh
# $Id: bitkeys 26 2012-03-06 20:36:02Z root $

umask 077

if [ -x /usr/sbin/cfagent ]; then
    echo "CFEngine is installed on this box. Refusing to run."
    exit 0
fi

if uname -a | grep -q "SunOS"; then
	PATH="/opt/bin:/opt/sbin:/usr/gnu/bin:/usr/bin:/usr/X11/bin:/usr/sbin:/sbin"
else
	PATH="/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin"
fi

SSHDIR="$HOME/.ssh"
DEFFILE="$SSHDIR/authorized_keys.local"
DEFFILE2="$SSHDIR/authorized_keys2.local"
KEYLOC="https://bitkeys.bit.nl/bitkeys/bitkeys.tar"
KEYLOCSIG="https://bitkeys.bit.nl/bitkeys/bitkeys.tar.sig"
GOODSIG="Good signature from \"BIT Engineering (Key used to sign bitkeys and bitkeys.tar) <bitkeys@bit.nl>\""
BITKEYSSIGNATURE="pub 1024D/6E5F299E 2004-08-13 BIT Engineering (Key used to sign bitkeys and bitkeys.tar) <bitkeys@bit.nl>"
BITKEYSSIGID="6E5F299E"
BITKEYS="bitkeys.tar"
BITKEYSSIG="bitkeys.tar.sig"
BITKEYSOLD="bitkeys.tar.old"
BITKEYSSIGOLD="bitkeys.tar.sig.old"
#
GPGKEYSERVER="subkeys.pgp.net"		#This server uses a RoundRobin DB
GPGKEYSERVER2="pgp.surfnet.nl"		# ...but still breaks down

# Checken of de .ssh dir bestaat en zo nee, aanmaken.
[ ! -d ${SSHDIR} ] && mkdir -p ${SSHDIR} 

# chdir naar de sshdir
cd ${SSHDIR} || exit 1

# Nu ff bitkeys toei verplaatsen
if [ -f ${BITKEYS} ]; then
	mv -- ${BITKEYS} ${BITKEYSOLD} || exit 1
fi

if [ -f ${BITKEYSSIG} ]; then 
	mv -- ${BITKEYSSIG} ${BITKEYSSIGOLD} || exit 1
fi

# bitkeys ophalen vanaf $KEYLOC met wget
wget --quiet -t 20 -O bitkeys.tar ${KEYLOC}

if [ ! -f ${BITKEYS} ]; then
	if [ -f ${BITKEYSOLD} ]; then
		echo "Could not retrieve ${KEYLOC}, using old ${BITKEYS}."
		mv -- ${BITKEYSOLD} ${BITKEYS}
	else
		echo "Could not retrieve ${KEYLOC}, bailing!"
		exit 127
	fi
fi
if [ ! -s ${BITKEYS} ]; then
	echo "Retrieved ${KEYLOC}, but it's empty, using old ${BITKEYS}."
	mv -- ${BITKEYSOLD} ${BITKEYS}
fi

# Nu checken of GnuPG aanwezig is, en zo ja, dan $KEYLOCSIG downloaden
gpg --help 1>/dev/null 2>&1
if [ "$?" = "0" ]; then
	wget --quiet -t 20 -O bitkeys.tar.sig ${KEYLOCSIG}
	if [ ! -f ${BITKEYSSIG} ]; then
		if [ -f ${BITKEYSSIGOLD} ]; then
			echo "Could not retrieve ${KEYLOCSIG}, using old ${BITKEYSSIG}! " 1>&2
			mv -- ${BITKEYSSIGOLD} ${BITKEYSSIG}
		else
			echo "Could not retrieve ${KEYLOCSIG}!" 1>&2
			exit 127
		fi
	fi

	if [ -f ${BITKEYSSIG} -a -f ${BITKEYS} ]; then
		# controleren of de pub key van bitkeys@bit.nl al aanwezig is
		gpg --list-keys ${BITKEYSSIGID} 1>/dev/null 2>&1
		if [ "$?" = "2" ]; then
			# pubkey niet aanwezig
			# eerst de key van bitkeys@bit.nl downloaden
			echo "bitkeys signature 0x${BITKEYSSIGID} not found, now trying to retrieve from $GPGKEYSERVER or $GPGKEYSERVER2."
			gpg --quiet --keyserver ${GPGKEYSERVER} --recv-keys ${BITKEYSSIGID} 1>/dev/null 2>&1
			if [ "$?" = "0" ]; then
				echo "Succesfuly retrieved key ${BITKEYSSIGID} from keyserver. "
			else
				echo "First attempt to retrieve the key failed. Let's try it one more time at ${GPGKEYSERVER2}."
				gpg --quiet --keyserver ${GPGKEYSERVER2} --recv-keys ${BITKEYSSIGID} 1>/dev/null 2>&1
				if [ "$?" = "0" ]; then
					echo "Succesfuly retrieved key ${BITKEYSSIGID} from keyserver. "
				else
					echo "Failed to retrieve key ${BITKEYSSIGID} from keyserver(s)! " 1>&2
					exit 127
				fi
			fi
		fi

		# nu hebben we de bitkeys en de GPG signed sig, en gaan we kijken of deze bij elkaar horen
		if ! gpg --quiet --verify ${BITKEYSSIG} ${BITKEYS} 2>&1 | grep -q "${GOODSIG}"; then
			# dat is niet het geval, exiten uit het prog dus
			mv -- ${BITKEYS} ${BITKEYS}.BAD
			echo "Wrong GPG signed bitkeys! " 1>&2
			exit 127
		else
			# nu hebben we een geldige versie van bitkeys.tar
			echo "${BITKEYS} has been succesfully checked against GPG sig ${BITKEYSSIG} "
		fi
	else
		# het is niet gelukt om de bitkeys.sig ($BITKEYSSIG) te vinden en dus kan bitkeys niet GPG gevalideerd worden
		echo "${BITKEYS} was *not* succesfully checked against GPG sig ${BITKEYSSIG}! " 1>&2
		exit 127
	fi
fi

echo ""

# bitkeys uitpakken
tar -xf ${BITKEYS}

# ouwe zut dumpen, defaultkeys kopieren
# SSH1
[ -f ${SSHDIR}/authorized_keys ] && rm -- ${SSHDIR}/authorized_keys
[ -f ${DEFFILE} ] && cp -- ${DEFFILE} ${SSHDIR}/authorized_keys
# SSH2
[ -f ${SSHDIR}/authorized_keys2 ] && rm -- ${SSHDIR}/authorized_keys2
[ -f ${DEFFILE2} ] && cp -- ${DEFFILE2} ${SSHDIR}/authorized_keys2

# keys toevoegen die we hebben binnen geslurpt
# SSH1
find . -maxdepth 1 -type f -iname 'identity.pub.*' | while read i
do
	USER=`cat $i | cut -d" " -f4`
	cat ${SSHDIR}/$i >> ${SSHDIR}/authorized_keys
	echo "Added key: ${USER}"
done
# SSH2
find . -maxdepth 1 -type f -iname 'id_dsa.pub.*' | while read i
do
	USER=`cat $i | cut -d" " -f3`
	cat ${SSHDIR}/$i >> ${SSHDIR}/authorized_keys2
	echo "Added key: ${USER}"
done

# clean up
rm -f -- identity.pub.* 
rm -f -- id_dsa.pub.*
