From ebd2c819ecba10f99807e44967c4d98433ee0af2 Mon Sep 17 00:00:00 2001
From: jdreichmann
Date: Sun, 7 Jun 2020 16:38:50 +0200
Subject: [PATCH] ansible-gpg-vault: add init script, enable adding users and reencrypting
---
 vault.sh | 92 ++++++++++++++++++++++++++++++++++++++++++++------------
 1 file changed, 73 insertions(+), 19 deletions(-)
diff --git a/vault.sh b/vault.sh
index a2a37a8..e3b534d 100755
--- a/vault.sh
+++ b/vault.sh
@@ -4,38 +4,92 @@ set -e -u
 # Keyserver to use. You need to trust this keyserver that the uid is not spoofed when receiving keys
 KEYSERVER=""
-# File which contains a list of fingerprints to receive and encrypt the vault for
-KEY_FILE=""
-REPO_BASE_PATH="$(dirname $0)/.."
+
+REPO_BASE_PATH="`pwd`/../ansible-gpg-vault-store"
 # File in which the passphrase for the gpg vault is encrypted
-VAULT_PASS_FILE="$REPO_BASE_PATH/gpg/vault_passphrase.gpg"
+VAULT_PASS_FILE="$REPO_BASE_PATH/vault_passphrase.gpg"
+# File which contains a list of fingerprints to receive and encrypt the vault for
+KEY_FILE="$REPO_BASE_PATH/gpg_ids.list"
+VAULT_PASS_RAW_FILE="$REPO_BASE_PATH/vault_passphrase"
+# Length of the generated passphrase
+VAULT_PASS_LENGTH="128"
-ACTION="$1"
-# default action is vault decrypt
-if [[ -z "$ACTION" ]]; then
+# Default action is vault decrypt
+if [ $# -eq 0 ]; then
 ACTION="decrypt"
-fi
+else
+ACTION="$1"
+fi;
+addUser() {
+USER="$1"
+echo "grep for user $USER"
+grep "$USER" $KEY_FILE
+echo "rc=$?"
+if ! grep -q "$USER" $KEY_FILE; then
+echo "$USER" >> $KEY_FILE
+else
+echo "WARNING: user '$USER' already in key file"
+fi;
+reencrypt
+}
+
+reencrypt() {
+gpg2 --batch --use-agent --output "$VAULT_PASS_RAW_FILE" --decrypt "$VAULT_PASS_FILE"
+rm -v $VAULT_PASS_FILE
+CMD="gpg2 --batch --use-agent --armor --output $VAULT_PASS_FILE"
+for ID in $(cat $KEY_FILE); do
+CMD="$CMD --recipient $ID";
+done
+CMD="$CMD --encrypt $VAULT_PASS_RAW_FILE"
+$($CMD)
+RC=$?
+rm -v $VAULT_PASS_RAW_FILE
+return "$RC"
+}
+
+decrypt() {
+if [[ ! -f "$VAULT_PASS_FILE" ]]; then
+echo "ERROR: vault script not initialised"
+exit -1;
+fi;
+gpg2 --batch --use-agent --decrypt $VAULT_PASS_FILE 2>/dev/null
+}
 case "$ACTION" in
 "decrypt")
-gpg2 --batch --use-agent --decrypt $VAULT_PASS_FILE 2>/dev/null
+decrypt
 ;;
 "reencrypt")
-gpg2 --batch --use-agent --output $REPO_BASE_PATH/gpg/vault_passphrase --decrypt $VAULT_PASS_FILE
-CMD="gpg2 --batch --use-agent --armor --output $VAULT_PASS_FILE"
-for FINGERPRINT in $(cat KEY_FILE) do
-CMD="$CMD --recipient $FINGERPRINT"
-done
-CMD="$CMD --encrypt $REPO_BASE_PATH/gpg/vault_passhphrase"
-$($CMD)
+reencrypt
 ;;
 "init")
-mkdir -p $REPO_BASE_PATH/gpg
-touch $REPO_BASE_PATH/gpg/vault_passphrase
-touch $REPO_BASE_PATH/gpg/$KEY_FILE
+mkdir $REPO_BASE_PATH
+if [[ ! -e "$VAULT_PASS_RAW_FILE" ]] && [[ ! -s "$VAULT_PASS_FILE" ]]; then
+dd if=/dev/random bs=1 count=$VAULT_PASS_LENGTH 2>/dev/null \
+| base64 -w 0 | rev | cut -b 2- | rev \
+> $VAULT_PASS_RAW_FILE
+else
+echo "WARNING: File not empty, not overwriting potential existing keyphrase"
+exit -1;
+fi;
+touch $KEY_FILE
+echo "Specify the inital user who may access the vault"
+read -p "GPG user id: " GPG_USER
+echo "$GPG_USER" >> $KEY_FILE
+CMD="gpg2 --batch --use-agent --armor --output $VAULT_PASS_FILE --recipient $GPG_USER --encrypt $VAULT_PASS_RAW_FILE"
+$($CMD)
+rm -v $VAULT_PASS_RAW_FILE
 ;;
+
+"add")
+if [ $# -eq 2 ]; then
+USER="$2"
+else
+read -p "GPG user id to add: " GPG_USER
+fi;
+addUser $USER
 esac