#!/bin/bash -e
# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
#
# Copyright (c) 2020 Red Hat, Inc.
# Author: Sergio Correia <scorreia@redhat.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

. clevis-luks-common-functions

SUMMARY="Edit a binding from a clevis-bound slot in a LUKS device"

usage() {
    echo >&2
    echo "Usage: clevis luks edit [-f] -d DEV -s SLT [-c CONFIG]" >&2
    echo >&2
    echo "$SUMMARY": >&2
    echo >&2
    echo "  -d DEV     The LUKS device to edit clevis-bound pins" >&2
    echo >&2
    echo "  -s SLOT    The slot to use when editing the clevis binding" >&2
    echo >&2
    echo "  -f         Proceed with the edit operation even if the configuration is the same" >&2
    echo >&2
    echo "  -c CONFIG  The updated config to use" >&2
    echo >&2
    exit 1
}

on_exit() {
    [ -d "$TMP" ] && rm -rf "${TMP}"
}

validate_cfg() {
    local json="${1}"
    jose fmt -j- -O <<< "${json}" 2>/dev/null
}

edit_cfg() {
    local cfg_file="${1}"
    local editor="${EDITOR:-vi}"

    "${editor}" "${cfg_file}" || true
    if ! validate_cfg "$(<"${cfg_file}")"; then
        local ans=
        while true; do
            read -r -p \
              "Malformed configuration. Would you like to edit again? [ynYN] " \
             ans < /dev/tty

            [[ "${ans}" =~ ^[nN]$ ]] && return 1
            [[ "${ans}" =~ ^[yY]$ ]] && break
        done
        edit_cfg "${cfg_file}"
    fi
    return 0
}

if [ "${#}" -eq 1 ] && [ "${1}" = "--summary" ]; then
    echo "${SUMMARY}"
    exit 0
fi

CFG=
FRC=
while getopts ":fd:s:c:" o; do
    case "$o" in
    d) DEV=${OPTARG};;
    s) SLT=${OPTARG};;
    c) CFG=${OPTARG};;
    f) FRC=-f;;
    *) usage;;
    esac
done

if [ -z "${DEV}" ]; then
    echo "Did not specify a device!" >&2
    usage
fi

if [ -z "${SLT}" ]; then
    echo "Did not specify a slot!" >&2
    usage
fi

if ! binding="$(clevis luks list -d "${DEV}" -s "${SLT}" 2>/dev/null)" \
                || [ -z "${binding}" ]; then
    echo "Error retrieving current configuration from ${DEV}:${SLT}" >&2
    exit 1
fi

read -r _ pin cfg <<< "${binding}"
# Remove single quotes.
cfg=${cfg//\'}
if ! pretty_cfg="$(jq . <<< "${cfg}")" || [ -z "${pretty_cfg}" ]; then
    echo "Error reading the configuration from ${DEV}:${SLT}" >&2
    exit 1
fi

if ! TMP="$(mktemp -d)" || [ -z "${TMP}" ]; then
    echo "Creating a temporary dir for editing binding failed" >&2
    exit 1
fi

trap 'on_exit' EXIT
trap 'on_exit' ERR

if [ -z "${CFG}" ]; then
   CFG_FILE="${TMP}/cfg"
    echo "${pretty_cfg}" > "${CFG_FILE}"
    if ! edit_cfg "${CFG_FILE}"; then
        exit 1
    fi

    if ! new_cfg="$(jq . -S < "${CFG_FILE}")" || [ -z "${new_cfg}" ]; then
        echo "Error reading the updated config for ${DEV}:${SLT}" >&2
        exit 1
    fi
else
    if ! validate_cfg "${CFG}"; then
        echo "Invalid configuration given as parameter with -c" >&2
        exit 1
    fi
    new_cfg="$(jq . -S <<< "${CFG}")"
fi

if [ "${new_cfg}" = "$(jq -S . <<< "${pretty_cfg}")" ] && [ -z "${FRC}" ]; then
    echo "No changes detected; exiting" >&2
    exit 1
fi

if ! jcfg="$(jose fmt -j- -Oo- <<< "${new_cfg}" 2>/dev/null)" \
             || [ -z "${jcfg}" ]; then
    echo "Error preparing the configuration for the binding update" >&2
    exit 1
fi

if [ -z "${CFG}" ]; then
    printf "Pin: %s\nNew config:\n%s\n" "${pin}" "${new_cfg}"
    while true; do
        read -r -p \
          "Would you like to proceed with the updated configuration? [ynYN] " \
         ans < /dev/tty
        [[ "${ans}" =~ ^[nN]$ ]] && exit 0
        [[ "${ans}" =~ ^[yY]$ ]] && break
    done
fi

echo "Updating binding..."

# Create new key.
if ! new_pass=$(generate_key "${DEV}"); then
    echo "Error generating new key for device ${DEV}" >&2
    exit 1
fi

# Reencrypt the new password.
if ! jwe="$(clevis encrypt "${pin}" "${jcfg}" -y <<< "${new_pass}")"; then
    echo "Error using pin '${pin}' with config '${jcfg}'" >&2
    exit 1
fi

# Backup LUKS header.
if ! clevis_luks_backup_dev "${DEV}" "${TMP}"; then
    echo "Error while trying to back up LUKS header from ${DEV}" >&2
    exit 1
fi

# Get passphrase.
if ! pt="$(clevis_luks_unlock_device "${DEV}")" \
           || [ -z "${pt}" ]; then
    # Unable to retrieve a passphrase from the bindings, so let's query
    # the user.
    read -r -s -p "Enter existing LUKS password: " pt; echo
    # Check if the key is valid.
    if ! clevis_luks_is_key_valid "${DEV}" "${pt}"; then
        echo "The key provided is not valid for ${DEV}" >&2
        exit 1
    fi
fi

# Check if we can do the update in-place, i.e., if the key we got is the one
# for the slot we are interested in.
in_place=
if cryptsetup open --test-passphrase --key-slot "${SLT}" "${DEV}" \
        <<< "${pt}"; then
    in_place=true
fi

# Update the key slot with the new key. If we have the key for this slot,
# the change happens in-place. Otherwise, we kill the slot and re-add it.
if [ -n "${in_place}" ]; then
    if ! cryptsetup luksChangeKey "${DEV}" --key-slot "${SLT}" \
            <(echo -n "${new_pass}") <<< "${pt}"; then
        echo "Error updating LUKS passphrase in ${DEV}:${SLT}" >&2
        clevis_luks_restore_dev "${DEV}" "${TMP}"
        exit 1
    fi
else
    if ! cryptsetup luksKillSlot --batch-mode "${DEV}" "${SLT}"; then
        echo "Error wiping slot ${SLT} from ${DEV}" >&2
        clevis_luks_restore_dev "${DEV}" "${TMP}"
        exit 1
    fi

    if ! echo -n "${new_pass}" \
            | cryptsetup luksAddKey --key-slot "${SLT}" \
                         --key-file <(echo -n "${pt}") "${DEV}"; then
        echo "Error updating LUKS passphrase in ${DEV}:${SLT}." >&2
        clevis_luks_restore_dev "${DEV}" "${TMP}"
        exit 1
    fi
fi

# Update the metadata.
if ! clevis_luks_save_slot "${DEV}" "${SLT}" "${jwe}" "overwrite"; then
    echo "Error updating metadata in ${DEV}:${SLT}" >&2
    clevis_luks_restore_dev "${DEV}" "${TMP}"
    exit 1
fi

# Make sure we can unlock the device with this keyslot.
if ! clevis_luks_unlock_device_by_slot "${DEV}" "${SLT}" >/dev/null \
                                       2>/dev/null; then
    echo "Invalid configuration detected. Reverting changes." >&2
    clevis_luks_restore_dev "${DEV}" "${TMP}"
    exit 1
fi

echo "Binding edited successfully."
