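#!/usr/bin/env bash
#
# Author: Georg Voell - georg.voell@standby.cloud
# Version: @(#)get-authkeys 3.2.1 27.10.2025 (c)2025 Standby.cloud
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
#
# This script can be used free of charge. Use it as is or customize as needed. It is not guaranteed to be
# error free and you will not be reimbursed for any damage it may cause.
#
#@ This script is beeing called by AuthorizedKeysCommand from sshd_config.
#@ If variable "keysfile" is set, the tool reads an JSON file and displays public ssh keys for the user.
#@ The JSON could be in the instance metadata, on a webserver / objectstorge or in a local file.
#@ JSON example: https://standby.cloud/download/samples/authorized_keys.json
#
# Update history:
#
# V 3.0.0 09.07.2020 New version
# V 3.0.1 16.01.2021 Don't get original keys from instance metadata (because they can't be changed)
# V 3.0.2 11.09.2021 By default - don't check keys in Instance Metadata
# V 3.0.3 04.06.2023 Changed description
# V 3.1.0 05.06.2023 New copyright
# V 3.2.0 11.09.2024 New minor version
# V 3.2.1 27.10.2025 Revised version
#
# Exit codes:
# 01: No admin scripts installed.
# 02: No user specified.
# 03: No jq installed.
# 99: User interrupt.
#
# Trust model (review notes):
# - Every string this script prints is consumed by sshd as an authorized_keys
#   line for the requested user, so the key source decides who may log in.
# - $1 is the login name handed over by sshd and originates from the
#   connecting client. It is passed to jq as data (--arg) and is never
#   spliced into a shell command line or a jq program.
# - The key source is passed to 'transfer' as a single quoted argument, so
#   shell metacharacters in /etc/ssh/keys_config are not interpreted.
#

# Find executable bash library and source it.
# NOTE(review): lib.bash is resolved through PATH (or the script directory) and
# then sourced, so it runs with this script's privileges; confirm that both
# locations are writable by root only.
lib=$(command -v lib.bash 2>/dev/null)
if [ "$lib" != "" ]; then
  source "$lib"
else
  progdir=$(dirname "$0")
  if [ -r "${progdir}/lib.bash" ]; then
    source "${progdir}/lib.bash"
  else
    echo "Unexpected error: Unable to locate bash library 'lib.bash'."
    exit 1
  fi
fi

# Login user (the account "ubuntu" is looked up under the name "opc")
user=${1}
if [ "$user" = "" ]; then
  exitcode=2
  errormsg "$exitcode" "No user specified."
  exit "$exitcode"
fi
if [ "$user" = "ubuntu" ]; then
  user="opc"
fi

# Preset
insturl="http://169.254.169.254/opc/v2/instance"
keysconfig="/etc/ssh/keys_config"

# jq program used for every source: $user is bound with --arg, so the login
# name is only ever an object key. This also makes names that are not plain
# identifiers (e.g. containing '-' or '.') resolve correctly.
keyfilter='.authorized_keys[$user]'

# The file "keysconfig" defines where we get the keys from. Examples:
#   file:///etc/ssh/authorized_keys.json                          # Local file
#   http://169.254.169.254/opc/v2/instance/metadata               # Instance metadata
#   https://standby.cloud/download/samples/authorized_keys.json   # HTTP Server
#   https://frkzmjjrez4k.objectstorage.eu-frankfurt-1.oci.customer-oci.com/p/frhiTL_MDZAzDEQ5LIO2i96oPU6pgppMJVIXrhKSjf4lu4whaTiXBDMenVjQn1Sr/n/frkzmjjrez4k/b/Operations/o/Infra/authorized_keys.json
#
# NOTE(review): the last example looks like a pre-authenticated object-storage
# URL, where the path itself acts as the credential; keep keys_config readable
# by root only and confirm such a URL grants read access only.
# NOTE(review): nothing below restricts the URL scheme, so an http:// source
# other than the metadata endpoint would deliver keys without transport
# integrity; prefer https:// or file://.

# Main

# Get keysfile from config file (first non-comment line)
if [ -s "$keysconfig" ]; then
  keysfile=$(stripcomment < "$keysconfig" | head -n 1)
else
  # NOTE(review): with no keys_config present the script falls back to the
  # publicly hosted sample file, i.e. whoever controls that URL decides which
  # keys sshd accepts on this host. Confirm this default is intended; an empty
  # value here would make a missing config return no keys at all.
  keysfile="https://standby.cloud/download/samples/authorized_keys.json"
fi

# Only return keys if keysfile is defined
if [ "$keysfile" != "" ]; then
  jq=$(command -v jq 2>/dev/null)
  if [ "$jq" = "" ]; then
    exitcode=3
    errormsg "$exitcode" "Tool jq needs to be installed first."
  else
    # 'scratchfile' is not set in this file; presumably lib.bash provides it.
    # 'stat' ends up as jq's exit status (last command of each pipeline).
    case "$keysfile" in
      "$insturl"*)
        # Looking for instance metadata
        transfer --auth --quiet "$keysfile" \
          | "$jq" --arg user "$user" "$keyfilter" > "$scratchfile"
        stat=$?
        ;;
      file://*)
        # Looking for keys in a local file
        keysfile=${keysfile#file://}
        if [ -s "$keysfile" ]; then
          "$jq" --arg user "$user" "$keyfilter" < "$keysfile" > "$scratchfile"
          stat=$?
        else
          stat=1
        fi
        ;;
      *)
        # Looking for keys on a WebServer or ObjectStorage
        transfer --quiet "$keysfile" \
          | "$jq" --arg user "$user" "$keyfilter" > "$scratchfile"
        stat=$?
        ;;
    esac

    # Display keys if specified user was found
    if [ "$stat" -eq 0 ] && [ -s "$scratchfile" ]; then
      result=$(head -n 1 "$scratchfile")
      # jq prints the literal "null" when the user has no entry
      if [ "$result" != "null" ]; then
        "$jq" -r '.[]' "$scratchfile"
      fi
    fi
  fi
fi

# Cleanup and exit with exitcode
# 'exitcode' is only assigned on error paths here; its initial value
# presumably comes from lib.bash, so it is left unquoted as in the original.
Cleanup
exit $exitcode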