#!/bin/sh
#(c) 2017 BIT


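#######################################
# Print an error message and abort the script.
# Arguments: $* - message text (printed verbatim, one line)
# Outputs:   message on stderr, so it is not mixed into stdout
# Returns:   never; exits with status 127
#######################################
fatal() {
    # printf instead of echo: a message starting with "-n"/"-e" or
    # containing backslashes is printed as-is.
    printf '%s\n' "$*" >&2
    exit 127
}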


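# Refuse to run where CFEngine is installed unless the caller passes
# --force, so two key-management systems do not fight over the same
# authorized_keys2. Two separate tests instead of the deprecated "-a".
if [ "$1" != "--force" ] && [ -x /usr/sbin/cfagent ]; then
    echo "CFEngine is installed on this box. Refusing to run. Run with --force to force." >&2
    exit 127
fi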


# Everything this script creates (key directory, temporary and final
# authorized_keys2) must not be readable by other users: make 0600/0700
# the default for new files and directories.
umask 077

# Pin locale and PATH so tool behaviour and command lookup do not depend
# on the invoking user's environment.
LANG="en_US.UTF-8"
LANGUAGE="en_US:en"
PATH="/bin:/usr/bin:/sbin:/usr/sbin"
export LANG LANGUAGE PATH


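# All paths live under the invoking user's ~/.ssh. Abort early if HOME is
# unset or empty; otherwise ssh_dir would silently become "/.ssh".
: "${HOME:?HOME must be set}"
ssh_dir="$HOME/.ssh"
bit_keys_dir="${ssh_dir}/bit-keys/"        # download + extraction directory
auth_file="${ssh_dir}/authorized_keys2"    # file rebuilt by this script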


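# Work inside the dedicated key directory. A failed mkdir or cd must abort:
# otherwise the download, extraction and the rm of id_*.pub.* below would
# all happen in whatever the current directory happened to be.
mkdir -p -- "$bit_keys_dir" || fatal "Creating ${bit_keys_dir} failed?"
cd "$bit_keys_dir" || fatal "Entering ${bit_keys_dir} failed?"
rm -f -- bit-keys.tar bit-keys.tar.sig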


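# Remove any bitkeys.tar* files lying directly in ~/.ssh (a different name
# and location than the bit-keys/ directory used by this script). The
# directory part is quoted so a HOME containing spaces cannot split the
# arguments; the glob suffix stays unquoted on purpose.
rm -f -- "${ssh_dir}/bitkeys.tar" "${ssh_dir}"/bitkeys.tar.*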


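# Fetch the key tarball and its detached signature. "wget -O file" creates
# the output file before the transfer starts, so the mere existence of the
# file says nothing about success: check wget's exit status and require a
# non-empty result for both downloads.
wget -t 20 -qO bit-keys.tar     https://bitkeys.bit.nl/bit-keys/bit-keys.tar \
    || fatal "Downloading bit-keys.tar failed?"
wget -t 20 -qO bit-keys.tar.sig https://bitkeys.bit.nl/bit-keys/bit-keys.tar.sig \
    || fatal "Downloading bit-keys.tar.sig failed?"
if [ ! -s bit-keys.tar ] || [ ! -s bit-keys.tar.sig ]; then
    fatal "Downloading bit-keys failed?"
fi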


# Make sure the BIT signing key is present in the local keyring: import the
# embedded copy only when --list-key does not already find the fingerprint.
if ! gpg -q --list-key 7703B420B543BD2DF9AF6197F22B95441BFBE521 >/dev/null 2>&1; then
    gpg -q --import >/dev/null 2>&1 <<EOT || fatal "GPG public key import failed?"
-----BEGIN PGP PUBLIC KEY BLOCK-----
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=33oF
-----END PGP PUBLIC KEY BLOCK-----
EOT
    echo "The GPG public key was imported."
fi


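# Verify the detached signature. The exit status alone only says "some key
# in the keyring made a good signature"; --status-fd 1 puts gpg's
# machine-readable status lines on stdout so the signer can be pinned to
# the expected fingerprint below.
gpg_status=$(gpg --quiet --status-fd 1 --verify bit-keys.tar.sig bit-keys.tar 2>/dev/null)
rval=$?
case "$rval" in
    0)
        # Good signature. Additionally require the expected key on the
        # VALIDSIG line (it carries the signing-subkey fingerprint first
        # and the primary-key fingerprint last, so match either position).
        printf '%s\n' "$gpg_status" \
            | grep -q '^\[GNUPG:\] VALIDSIG .*7703B420B543BD2DF9AF6197F22B95441BFBE521' \
            || fatal "Tarball is signed by an unexpected key. Bailing!"
        ;;

    1)
        # Bad signature
        fatal "Invalid GPG signature for this tarball. Bailing!"
        ;;

    2)
        # gpg uses 2 for "other error"; the missing-key case is the one the
        # original author expected here, but unreadable input files or a
        # broken keyring end up here too.
        fatal "The GPG public key was not found. Bailing!"
        ;;

    *)
        # Any other exit status
        fatal "Unhandled GPG error state '$rval'. Bailing!"
        ;;
esac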


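# Extract the (now verified) tarball into the current directory
# (bit_keys_dir). Check tar's own status: the previous version re-tested
# $rval from the gpg step, so an extraction failure went unnoticed.
tar xf bit-keys.tar || fatal "Untar failed?"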


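# Rebuild authorized_keys2 from the banner, the user's local key files and
# the extracted BIT keys. The new content is assembled in a temporary file
# next to the target and renamed into place at the end, so sshd never sees
# an empty or half-written authorized_keys2 while this script runs or if it
# is interrupted. mktemp creates the file 0600; 0640 matches what the file
# had before.
tmp_auth=$(mktemp "${ssh_dir}/.authorized_keys2.XXXXXX") \
    || fatal "Creating a temporary authorized_keys2 failed?"
trap 'rm -f -- "$tmp_auth"' EXIT
chmod 0640 "$tmp_auth"
cat >"$tmp_auth" <<EOT
# Updated: $(date -R)
#
# DO NOT CHANGE THIS FILE - IT IS MANAGED BY BIT-KEYS!
# ADD YOUR LOCAL SSH PUBLIC KEYS TO A FILE NAMED
# authorized_keys.local OR authorized_keys2.local
# AND IT WILL BE INCLUDED IN THIS FILE BY BIT-KEYS!
#
EOT


# Locally maintained keys, if present.
for aklf in authorized_keys.local authorized_keys2.local
do
    if [ -e "${ssh_dir}/${aklf}" ]; then
        echo "Added keys from ${ssh_dir}/${aklf}"
        cat "${ssh_dir}/${aklf}" >>"$tmp_auth"
    fi
done


# Keys from the tarball: id_*.pub.<name> in the current directory. The
# name after the last dot is reported; IFS= and -r keep leading blanks
# and backslashes in file names intact.
find . -maxdepth 1 -type f -iname 'id_*.pub.*' | while IFS= read -r idfile
do
    idname=${idfile##*.}
    cat "$idfile" >>"$tmp_auth"
    echo "Added key: ${idname}"
done


# Atomically replace the live file (same directory, so this is a rename).
mv -f -- "$tmp_auth" "$auth_file" || fatal "Installing ${auth_file} failed?"


# Extracted key files are no longer needed once merged.
rm -f -- identity.pub.*
rm -f -- id_*.pub.*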
