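#!/bin/bash
#
# Author: Georg Voell - georg.voell@standby.cloud
# Version: @(#)get-authkeys 3.2.0 11.09.2024 (c)2024 Standby.cloud
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
#
# This script can be used free of charge. Use it as is or customize as needed. It is not guaranteed to be
# error free and you will not be reimbursed for any damage it may cause.
#
#@ Get public keys from users authorized_keys file and instance metadata and display them.
#@ To define authorized keys for every login user, create an entry starting with
#@ "ssh-rsa" in "$roothome/.ssh/instance_authorized_keys" file.
#@ This script is beeing called by AuthorizedKeysCommand from sshd_config.
#
# Update history:
#
# V 3.0.0 09.07.2020 New version
# V 3.0.1 16.01.2021 Don't get original keys from instance metadata (because they can't be changed)
# V 3.0.2 11.09.2021 By default - don't check keys in Instance Metadata
# V 3.0.3 04.06.2023 Changed description
# V 3.1.0 05.06.2023 New copyright
# V 3.2.0 11.09.2024 New minor version
#
# Exit codes:
# 01: No root privileges.
# 99: User interrupt.
#
# Arguments:
#   $1 - login name whose keys are printed (defaults to $USER).
#
# Everything written to stdout is treated by sshd as an authorized key for
# the login in $1, so every output path below is security relevant.
#
# NOTE(review): errormsg, filecheck and $scratchfile are not defined in this
# file; they are presumably provided by lib.bash. get-cloud, browse-json and
# transfer are expected in PATH. Confirm that $scratchfile is created with an
# unpredictable name and root-only permissions.

# Set this to true if you want to get the keys in instance metadata.
# When enabled, whoever can change the instance metadata can add login keys
# for every account handled by this script (root included).
checkmetadata=false

# Find executable bash library and source it.
# Some 'which' implementations print "no lib.bash in ..." on stdout; the sed
# expression blanks that message so it is not mistaken for a path.
lib=$(which lib.bash 2>/dev/null | sed 's|^no lib.bash in .*||')
if [ "$lib" != "" ]; then
    source "$lib"
else
    progdir=$(dirname "$0")
    if [ -r "${progdir}/lib.bash" ]; then
        source "${progdir}/lib.bash"
    else
        echo "Unexpected error: Unable to locate bash library 'lib.bash'."
        exit 1
    fi
fi

# Login user
user=${1}
if [ "$user" = "" ]; then
    user="$USER"
fi

# Cloud infos
ocimetadata_v2="http://169.254.169.254/opc/v2/instance/metadata/"
ocimetadata_v1="http://169.254.169.254/opc/v1/instance/metadata/"
opcmetadata="http://192.0.0.192/latest/attributes/sshkeys/"
infofolder="/usr/local/share/info"
cloudfile="${infofolder}/cloud.json"
cloud_id=""

# Print the home directory of login "$1" as recorded in the passwd database.
# Prints nothing and returns 1 when the name is empty, starts with "-", or has
# no exactly matching passwd entry.
# The name is only ever passed as data (never through eval), because this
# script runs as root and $1 is supplied by the caller.
# NOTE(review): without getent only /etc/passwd is consulted, so accounts from
# other name services are not resolved on such systems.
function HomeOf() {
    local name="$1" entry="" home=""

    case "$name" in
        ""|-*) return 1 ;;
    esac

    if command -v getent > /dev/null 2>&1; then
        entry=$(getent passwd "$name")
    elif [ -r /etc/passwd ]; then
        entry=$(n="$name" awk -F: '$1 == ENVIRON["n"] { print; exit }' /etc/passwd)
    fi

    # getent also resolves numeric UIDs; accept only an exact login-name match.
    if [ -z "$entry" ] || [ "${entry%%:*}" != "$name" ]; then
        return 1
    fi

    IFS=: read -r _ _ _ _ _ home _ <<< "$entry"
    [ -n "$home" ] || return 1
    printf '%s\n' "$home"
}

# Auth files
userhome=$(HomeOf "$user")
if [ -n "$userhome" ]; then
    authfile="${userhome}/.ssh/authorized_keys"
else
    # Unknown login: leave the path empty so the readability test below fails
    # instead of falling back to "/.ssh/authorized_keys".
    authfile=""
fi
roothome=~root
rootauthfile="${roothome}/.ssh/authorized_keys"
instanceauthfile="${roothome}/.ssh/instance_authorized_keys"

# Check if scratchfile contains any json.
# Prints the (non-empty) result of 'filecheck -sl' when the first line of
# $scratchfile is exactly "{", otherwise prints an empty line.
function CheckResult() {
    local result="" head1=""

    result=$(filecheck -sl "$scratchfile")
    if [ "$result" != "" ]; then
        head1=$(head -n 1 "$scratchfile")
        if [ "$head1" != "{" ]; then
            result=""
        fi
    fi

    printf '%s\n' "$result"
}

# Main
# Test the effective UID instead of $USER: the environment variable can be
# unset or stale, the UID cannot.
if [ "$(id -u)" -ne 0 ]; then
    errormsg 1 "This script needs root privileges to work."
    exit 1
fi

if [ "$checkmetadata" = true ]; then
    # Create infofolder, if it does not exist
    if [ ! -d "$infofolder" ]; then
        mkdir -m 0755 -p "$infofolder"
    fi

    # Get infos about the cloud (if we don't have already an info file)
    # NOTE(review): a failed get-cloud run still leaves a cached file behind;
    # consider writing it only on success.
    if [ ! -f "$cloudfile" ]; then
        get-cloud --output json > "$cloudfile"
        chmod 644 "$cloudfile"
    fi

    # Check if cloudfile with cloud_id exists
    if [ -r "$cloudfile" ]; then
        cloud_id=$(browse-json cloud_id --select 1 --quiet --raw < "$cloudfile")
    else
        cloud_id=""
    fi
fi

# NOTE(review): the key files are read as root, so the ownership and mode
# checks sshd applies to authorized_keys under StrictModes do not protect
# these reads - confirm that this is acceptable for the deployment.
if [ "$user" = "root" ]; then
    if [ -r "$rootauthfile" ]; then
        cat "$rootauthfile"
    fi
else
    # Cat authorized_keys for user
    if [ -r "$authfile" ]; then
        grep '^ssh-rsa ' "$authfile" # Only grep valid keys beginning with "ssh-rsa"
    fi

    # Cat authorized_keys for instance (from $roothome/.ssh/instance_authorized_keys)
    if [ -r "$instanceauthfile" ]; then
        grep '^ssh-rsa ' "$instanceauthfile" # Only grep valid keys beginning with "ssh-rsa"
    fi
fi

# Keys from instance metadata are read only when checkmetadata is enabled.
# The original test was inverted: it exited exactly when the option was true,
# so the lookup below could never run with a known cloud_id.
if [ "$checkmetadata" = true ]; then
    # Check if we have curl in path
    curl=$(filecheck -x curl)
    if [ "$curl" != "" ]; then
        # Check if we get metadata from oci
        if [ "$cloud_id" = "ORACLE-OCI" ]; then
            ## $curl -L --connect-timeout 5 --silent -H "Authorization: Bearer Oracle" "$ocimetadata_v2" | norm-json > $scratchfile 2>&1
            # URL and file name are passed as positional parameters so they
            # are never re-parsed as shell code by the child shell.
            sh -c 'transfer --auth "$1" --export "$2"' sh "$ocimetadata_v2" "$scratchfile"
            stat=$?
            result=$(CheckResult)
            if [ "$stat" -gt 0 ] || [ "$result" = "" ]; then
                # Fall back to the v1 endpoint, which is queried without the
                # authorization header.
                ## $curl -L --connect-timeout 5 --silent "$ocimetadata_v1" | norm-json > $scratchfile 2>&1
                sh -c 'transfer "$1" --export "$2"' sh "$ocimetadata_v1" "$scratchfile"
                stat=$?
                result=$(CheckResult)
            fi

            if [ "$stat" -eq 0 ] && [ "$result" != "" ]; then
                # # Original keys that were distributed when instance was created
                # result=`grep '"ssh_authorized_keys"' "$scratchfile"`
                # if [ "$result" != "" ]; then
                #     cat "$scratchfile" | browse-json "ssh_authorized_keys" --quiet --raw --select 1 --output keys | sed 's|^.*:||g' | sed 's|\\n|\n|g'
                # fi

                # Additional keys from metadata
                result=$(grep '"authorized_keys"' "$scratchfile")
                if [ "$result" != "" ]; then
                    browse-json "authorized_keys" --quiet --raw --select 1 --output keys < "$scratchfile" \
                        | sed 's|^.*:||g'
                fi
            fi
        fi

        # Check if we get metadata from opc (oci-classic)
        if [ "$cloud_id" = "ORACLE-OPC" ]; then
            # curl --silent -L "http://192.0.0.192/latest/meta-data/public-keys/" > "$scratchfile"
            ## $curl -L --connect-timeout 5 --silent "$opcmetadata" | norm-json > $scratchfile 2>&1
            sh -c 'transfer "$1" --export "$2"' sh "$opcmetadata" "$scratchfile"
            stat=$?
            result=$(CheckResult)
            if [ "$stat" -eq 0 ] && [ "$result" != "" ]; then
                # NOTE(review): this prints the whole scratch file (which
                # CheckResult only accepts when it starts with "{") - confirm
                # that 'transfer' writes plain key lines for this endpoint.
                cat "$scratchfile"
            fi
        fi
    fi
fi

# Cleanup
filecheck -rm "$scratchfile"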