#!/bin/bash
#
# vault_init_and_renew
#
# Author        : Nohaj
# Contact       : johan@slashroot.fr
# Date          : 26/02/21
# Version       : 1.0
# Description   : Script qui permet de signer sa cle SSH en tant que staffslashroot sur vault afin de pouvoir se connecter aux serveurs Linux de l'equipe clusters
#               : La cle est generee sous le nom id_rsa-cert-adm_clusters.pub
# Require       : vault utility, une paire de cle ssh avec un nom defini "id_rsa/id_rsa.pub" dans ~/.ssh et les acces vault
#

#
# Thoughts ; un peu quick & dirty et pas assez modulable, a ameliorer a l'occasion
#

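# Paths and Vault endpoint used by the script. `$HOME` is used instead of `~`
# so the values can be quoted safely; the file names are the ones documented
# in the header (id_rsa.pub in, id_rsa-cert-adm_clusters.pub out).
readonly PUB_KEY="$HOME/.ssh/id_rsa.pub"
readonly CERT_FILE="$HOME/.ssh/id_rsa-cert-adm_clusters.pub"
readonly SIGN_PATH="adm_clusters/sign/staffslashroot"
# Display format: dd-mm-YYYY HHhMM. %M is minutes; the previous %m printed the
# month in the minutes position.
readonly DATE_FMT="+%d-%m-%Y %Hh%M"

#######################################
# Formats a timestamp for display.
# Arguments: $1 - timestamp understood by `date -d` (GNU date, as before)
# Outputs:   dd-mm-YYYY HHhMM on stdout
# Returns:   date's exit status (non-zero if $1 is empty or unparseable)
#######################################
fmt_date() {
  date -d "$1" "$DATE_FMT"
}

#######################################
# Makes sure a usable Vault token is present, logging in via LDAP otherwise.
# Globals:   USER (read) - LDAP username handed to `vault login`
# Outputs:   progress messages on stdout; vault login prompts on the terminal
# Returns:   0 if a token is available, 1 if the login failed
#######################################
ensure_vault_token() {
  if ! vault token lookup &>/dev/null; then
    echo "Token vault expire, on renouvelle"
    if ! vault login -method=ldap -path=ldapnet username="$USER"; then
      echo "Erreur lors de la connexon a Vault, abandon..."
      echo ""
      return 1
    fi
  fi
  return 0
}

#######################################
# Prints until when the current Vault token is valid.
# Outputs:   one informational line plus a blank line on stdout
# Returns:   0 (purely informative; an unreadable expiry is not fatal)
#######################################
show_token_expiry() {
  local expire_time expire_h
  expire_time=$(vault token lookup | awk '/expire_time/ {print $2}')
  if [[ -n "$expire_time" ]] && expire_h=$(fmt_date "$expire_time" 2>/dev/null); then
    echo "Token vault valide jusqu'au $expire_h"
  else
    # Tokens without a TTL report a value `date -d` cannot parse; say so
    # instead of printing an empty date.
    echo "Token vault sans date d'expiration lisible ($expire_time)"
  fi
  echo ""
}

#######################################
# Extracts the end of the validity period of an SSH certificate.
# Arguments: $1 - certificate file
# Outputs:   the 5th field of the `Valid: from <start> to <end>` line, i.e.
#            <end>; empty if the file is not a certificate or has no such line
#######################################
cert_valid_until() {
  ssh-keygen -Lf "$1" 2>/dev/null | awk '/Valid:/ {print $5}'
}

#######################################
# Asks Vault to sign $PUB_KEY and installs the result as $CERT_FILE.
# The signature is written to a temporary file first and moved into place only
# when Vault succeeded and produced output, so a failed request no longer
# truncates an existing certificate (the redirect used to empty it before
# `vault write` even ran).
# Globals:   PUB_KEY, SIGN_PATH, CERT_FILE (read)
# Outputs:   status messages on stdout
# Returns:   0 on success, 1 on a missing public key or a Vault error
#######################################
sign_key() {
  local tmp valid_until_h
  if [[ ! -f "$PUB_KEY" ]]; then
    echo "Pas de cle publique trouvee (~/.ssh/id_rsa.pub). Merci d'en generer une d'abord"
    echo ""
    return 1
  fi
  tmp=$(mktemp "${CERT_FILE}.XXXXXX") || return 1
  if vault write -field=signed_key "$SIGN_PATH" public_key=- < "$PUB_KEY" > "$tmp" \
      && [[ -s "$tmp" ]] && mv -f -- "$tmp" "$CERT_FILE"; then
    valid_until_h=$(fmt_date "$(cert_valid_until "$CERT_FILE")" 2>/dev/null)
    echo "Renouvellement OK"
    echo "Cle valide jusqu'au $valid_until_h"
    echo ""
    return 0
  fi
  rm -f -- "$tmp"
  echo "ERREUR - La cle n'a pas ete renouvelee"
  echo ""
  return 1
}

#######################################
# Entry point: obtain a Vault token, then sign the SSH key if no certificate
# exists (case 1) or renew it if the existing one has expired (case 2).
# Exit status: 0 when a valid certificate is in place, 1 on any error.
#######################################
main() {
  local now_ts valid_until valid_until_ts valid_until_h

  echo ""
  ensure_vault_token || exit 1
  show_token_expiry

  # Case 1: no signed certificate (missing or empty file; -s covers both).
  if [[ ! -s "$CERT_FILE" ]]; then
    echo "Pas de cle, on en genere une"
    sign_key || exit 1
    exit 0
  fi

  # Case 2: a certificate exists; compare its end of validity with now.
  valid_until=$(cert_valid_until "$CERT_FILE")
  if [[ -z "$valid_until" ]] || ! valid_until_ts=$(date -d "$valid_until" +%s 2>/dev/null); then
    # Unreadable or missing expiry (corrupt file, unexpected format): the old
    # numeric comparison would have aborted here; re-signing is the safe way
    # back to a known-good certificate.
    echo "Impossible de lire la date d'expiration de $CERT_FILE, on renouvelle"
    sign_key || exit 1
    exit 0
  fi
  valid_until_h=$(fmt_date "$valid_until")
  # Epoch seconds directly; the previous round-trip through a formatted string
  # used %m (month) where minutes were intended.
  now_ts=$(date +%s)

  if (( now_ts > valid_until_ts )); then
    echo "Cle expire, on renouvelle"
    sign_key || exit 1
  else
    echo "Cle valide jusqu'au $valid_until_h, on ne fait rien"
    echo ""
  fi
}

main "$@"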

