#!/bin/bash
# barium helper scripts
# author: rosalinux.ru: betcher_
# Deprecation banner (what supersedes this helper is not stated in this file).
echo 'Warning: DEPRECATED!'

# How the machine is "married" to the encrypted volume:
#   lspci - a LUKS keyslot whose passphrase is md5(lspci output)
#   tpm2  - a clevis binding sealed to TPM2 PCRs 0 and 7
# The two configs sourced below and the optional second CLI argument may
# override this default.
# NOTE(review): the lspci-derived passphrase is not a secret.  lspci output
# is normally readable by any local user, and the PCI inventory of a model
# is widely known, so the 'lspci' mode only ties the volume to the hardware;
# it does not protect the data from anyone who has the disk and the machine.
MARRIAGETYPE='lspci'
. /usr/lib/rosa-rw/os-config
. /etc/ROSA-RW/config

export TEXTDOMAINDIR=/usr/share/locale
export TEXTDOMAIN=rosa-rw_functions
# The helper directories are appended, so entries already in PATH win.
export PATH=${PATH}:/usr/lib/rosa-rw/scripts:/sbin:/usr/sbin:/bin:/usr/bin

# Translatable UI strings, resolved once at startup.  The English text is
# the gettext msgid: the misspellings below ("avaliable", "Attantion") must
# be kept unless the translation catalog is changed in step, otherwise
# those messages would silently become untranslated.  Trailing spaces in
# MSG05 and MSG15 are part of the msgid as well.
MSG01="$(gettext -s "Mount the encrypted partition on this machine automatically?")"
MSG02="$(gettext -s "OK")"
MSG03="$(gettext -s "Your computer has been added to trusted")"
MSG04="$(gettext -s "Cancel")"
MSG05="$(gettext -s "the password may be incorrect ")"
MSG06="$(gettext -s "Slots avaliable")"
MSG07="$(gettext -s "To continue the boot process, you must add this machine to the list of trusted")"
MSG08="$(gettext -s "Enter the password for the encrypted partition again")"
MSG09="$(gettext -s "Password for the encrypted partition")"
MSG10="$(gettext -s "LUKS password")"
MSG11="$(gettext -s "Try on next boot")"
MSG12="$(gettext -s "Successfully")"
MSG13="$(gettext -s "Error")"
# "\n" is passed through literally to the dialog tools, which render it.
MSG14="$(gettext -s "The password may be incorrect.\nOr the key for the current machine is missing.")"
MSG15="$(gettext -s "Cannot find encrypted partition ")"
MSG16="$(gettext -s "Attantion")"

HLP() {
    # Print the usage text (Russian, as shipped) and exit.  The bare `exit`
    # carries the status of the preceding command, i.e. 0 after `cat`.
    local me
    me=$(basename "$0")
    cat <<EOF
${me}:
Утилита для добавления/удаления ключей LUKS шифрованного раздела OC barium,
привязанных к характеристикам машины пользователя
Использование:
	${me} addKey		- добавить ключ сгенерированный для текущей машины в слот LUKS
	${me} rmCurrent 	- удалить ключ текущей машины
	${me} rmAll		- удалить все ключи кроме первого
	${me} firstTime	- для автозапуска во время загрузки машины
	${me} (-h | --help)	- эта справка
EOF
    exit
}

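# -h / --help: usage and exit before any device is touched.
case "$1" in
    -h|--help) HLP ;;
esac

# Command run by firstTime when enrollment cannot continue.  Note it is a
# *forced* power-off.  LUKSSLOTS is the assumed total keyslot count of a
# header.  Both may be overridden by the configs re-sourced right below.
EXITCMD="poweroff -f"
LUKSSLOTS=8

. /usr/lib/rosa-rw/os-config
. /etc/ROSA-RW/config

# Optional second argument selects the binding type.  Only lspci and tpm2
# are handled; with any other value addKey, firstTime and rmCurrent take
# their error path.
[ -n "$2" ] && MARRIAGETYPE="$2"

# Prefer the dynamically linked busybox, fall back to the static build.
# command -v is the portable replacement for `which`.
BUSYBOX=busybox
command -v "$BUSYBOX" >/dev/null 2>&1 || BUSYBOX=busybox.static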

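getSlots() {
    # Print the number of free keyslots on LUKS device $1, assuming a header
    # with $LUKSSLOTS slots in total.
    # The pattern matches the LUKS2 `luksDump` keyslot listing ("  0: luks2").
    # NOTE(review): LUKS1 dumps print "Key Slot 0: ENABLED" instead, which
    # this regex does not match, so every slot would be reported free there.
    # If luksDump fails (bad device, no privilege) the used count is 0 too;
    # its stderr is left visible for that reason.
    local enabled
    enabled=$(cryptsetup luksDump "$1" \
        | grep -Ec '^[[:space:]]+[[:digit:]]+:[[:space:]]+luks')
    echo $(( LUKSSLOTS - ${enabled:-0} ))
}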

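addKey() {
    # Interactively add a machine-bound key to LUKS device $1 (UI via mdialog).
    #   lspci mode: adds a keyslot whose passphrase is md5(lspci output)
    #   tpm2 mode:  clevis binds a key sealed to TPM2 PCRs 0,7
    # The user's passphrase for an existing slot is required in both modes.
    # On success the disk serial is recorded in the X user's ~/.trusted.
    # Globals read: MARRIAGETYPE, BUSYBOX, MSG*.  Return status is not used
    # by the caller.
    local DEVICE=$1
    local PASS SLOTS SLOTSNOW HARDPASS SN trusted rc=1
    echo "Processing $DEVICE"
    SLOTS=$(getSlots "$DEVICE")
    # NOTE(review): lspci output is readable by any local user, so this
    # "hardware password" can be recomputed by anyone on the machine (or who
    # knows its PCI inventory).  It binds the volume to the hardware; it does
    # not protect it from someone holding both disk and machine.
    HARDPASS=$("$BUSYBOX" lspci | md5sum | cut -f1 -d ' ')
    mdialog --yesno "${MSG01}\n${DEVICE}. ${MSG06}: $SLOTS" || return 0
    PASS=$(mdialog --password "${MSG09}: $DEVICE" password)
    # Empty, or the literal "password" (presumably the dialog's default text
    # — verify against mdialog), is treated as cancel.
    [[ -z "$PASS" || "$PASS" == "password" ]] && return

    # Passphrases are fed over stdin, never argv, so they do not show in `ps`.
    # printf replaces `echo -e`: a passphrase containing backslash sequences
    # must reach cryptsetup/clevis unmodified.
    case "$MARRIAGETYPE" in
        lspci)
            # --force-password disables cryptsetup's passphrase-quality
            # check (presumably needed for the generated hex string).
            printf '%s\n%s\n' "$PASS" "$HARDPASS" \
                | cryptsetup luksAddKey "$DEVICE" --force-password
            rc=$?
            ;;
        tpm2)
            printf '%s\n' "$PASS" \
                | clevis luks bind -d "$DEVICE" tpm2 '{"pcr_bank":"sha256","pcr_ids":"0,7"}'
            rc=$?
            ;;
    esac

    if [ "$rc" -eq 0 ]; then
        SLOTSNOW=$(getSlots "$DEVICE")
        echo "$SLOTS -- $SLOTSNOW"
        # First "serial" attribute in the udev ancestry; the cut keeps
        # udevadm's surrounding quotes.
        SN=$(udevadm info -a -p "$(udevadm info -q path -n "$DEVICE")" \
            | grep serial | head -n1 | cut -f3 -d '=')
        trusted="/home/$(xuserrun whoami)/.trusted"
        # This runs with the privilege cryptsetup needs (normally root) and
        # writes into a user-controlled directory: do not follow a symlink
        # planted there.  The check-then-write is still racy; noted, not
        # fully closed, in this deprecated helper.
        if [ -L "$trusted" ]; then
            echo "refusing to write through symlink: $trusted" >&2
        else
            printf '%s\n' "$SN" > "$trusted"
        fi
        [ "$SLOTS" -gt "$SLOTSNOW" ] && mdialog --msgbox "${MSG03}\n${MSG06}: $SLOTSNOW"
        return
    fi
    mdialog --error "$MSG13, $MSG05"
}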

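firstTime() {
    # Boot-time enrollment of this machine for LUKS device $1 (UI via zenity
    # in the X user's session through xuserrun).  Unlike addKey this is not
    # optional: cancelling, no free keyslot, or a failed key add all run
    # $EXITCMD (a forced power-off by default).
    # PASS is deliberately NOT local: once entered it is reused for the
    # following devices of the same run instead of prompting again.
    # Globals read: MARRIAGETYPE, BUSYBOX, EXITCMD, MSG*.
    # The MSG* strings were already resolved at startup, so these locale
    # exports mainly affect zenity and the tools called below.
    export LC_ALL=ru_RU.UTF-8
    export LC_MESSAGES=ru_RU.UTF-8
    local DEVICE=$1
    local SLOTS SLOTSNOW HARDPASS SN home rc=1
    echo "Processing $DEVICE"
    SLOTS=$(getSlots "$DEVICE")
    # NOTE(review): md5(lspci) is computable by any local user and by anyone
    # who knows the PCI inventory — a hardware binding, not a secret.
    HARDPASS=$("$BUSYBOX" lspci | md5sum | cut -f1 -d ' ')
    xuserrun zenity --question --width 400 --ok-label "$MSG02" --cancel-label "$MSG04" \
        --text="${MSG07}.\n${MSG06}: $SLOTS" --title "$MSG16" || $EXITCMD
    [ "$SLOTS" -lt 1 ] && $EXITCMD
    # Re-prompt until something non-empty is entered (cancel just loops).
    while [ -z "$PASS" ]; do
        PASS=$(xuserrun zenity --password --width 400 --ok-label "$MSG02" --title "$MSG10")
    done

    # Passphrases over stdin (not argv); printf so backslashes in the
    # passphrase are not interpreted the way `echo -e` would.
    case "$MARRIAGETYPE" in
        lspci)
            printf '%s\n%s\n' "$PASS" "$HARDPASS" \
                | cryptsetup luksAddKey "$DEVICE" --force-password
            rc=$?
            ;;
        tpm2)
            printf '%s\n' "$PASS" \
                | clevis luks bind -d "$DEVICE" tpm2 '{"pcr_bank":"sha256","pcr_ids":"0,7"}'
            rc=$?
            ;;
    esac

    if [ "$rc" -eq 0 ]; then
        SLOTSNOW=$(getSlots "$DEVICE")
        echo "$SLOTS -- $SLOTSNOW"
        SN=$(udevadm info -a -p "$(udevadm info -q path -n "$DEVICE")" \
            | grep serial | head -n1 | cut -f3 -d '=')
        # Record the serial in every home directory (glob, not `ls`).
        # Runs privileged and writes into user-controlled directories, so a
        # symlink planted as ~/.trusted is refused rather than followed
        # (check-then-write remains racy; documented, not fully closed).
        for home in /home/*/; do
            [ -d "$home" ] || continue
            if [ -L "${home}.trusted" ]; then
                echo "refusing to write through symlink: ${home}.trusted" >&2
                continue
            fi
            printf '%s\n' "$SN" > "${home}.trusted"
        done
        xuserrun zenity --info --width 400 --ok-label "$MSG02" --text="${MSG03},\n${MSG06}: $SLOTSNOW"
        [ "$SLOTS" -gt "$SLOTSNOW" ] && return 0
        return 1
    fi
    # Fix: the original used $MSG013 (undefined -> empty OK label) and
    # $SLOTSNOW (unset on this path).  The slot count is unchanged here, so
    # report $SLOTS.
    xuserrun zenity --info --width 400 --ok-label "$MSG13" --text="${MSG05},\n${MSG11}: $SLOTS"
    $EXITCMD
}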

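rmAll() {
    # Remove every machine-bound key from LUKS device $1, keeping keyslot 0
    # (the user's own passphrase): kills slots 1..LUKSSLOTS, unbinds any
    # clevis tokens, and deletes the X user's ~/.trusted.
    # Globals read: LUKSSLOTS, MSG*.
    local DEVICE=$1
    local PASS a SLOT SLOTS trusted
    echo "Processing $DEVICE"
    PASS=$(mdialog --password "${MSG09}: $DEVICE" password)
    # Same cancel convention as addKey.  Fix: abort *before* anything is
    # deleted — the original went on to remove .trusted and unbind clevis
    # slots even when the dialog was cancelled.
    [[ -z "$PASS" || "$PASS" == "password" ]] && return
    trusted="/home/$(xuserrun whoami)/.trusted"
    rm -f -- "$trusted"
    # luksKillSlot asks for a passphrase of a remaining slot (unless batch
    # mode); slot 0 is never touched.  Non-existent slots just error out.
    for (( a = 1; a <= LUKSSLOTS; a++ )); do
        printf '%s\n' "$PASS" | cryptsetup luksKillSlot "$DEVICE" "$a"
    done
    if command -v clevis >/dev/null 2>&1; then
        # Keyslot of each clevis token: the line following a "clevis" token
        # header in luksDump ends with the slot number.
        for SLOT in $(cryptsetup luksDump "$DEVICE" | sed -n '/clevis/{n;p;}' | awk '{print $NF}'); do
            clevis luks unbind -d "$DEVICE" -s "$SLOT" -f
        done
    fi
    SLOTS=$(getSlots "$DEVICE")
    mdialog --msgbox "${MSG06}: $SLOTS"
}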

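rmCurrent() {
    # Remove this machine's key from LUKS device $1 and drop the disk serial
    # from the X user's ~/.trusted.
    #   lspci mode: luksRemoveKey with md5(lspci output)
    #   tpm2 mode:  unlock via clevis and remove whichever key that yields
    # Globals read: MARRIAGETYPE, BUSYBOX, MSG*.
    local DEVICE=$1
    local SLOTS SLOTSNOW HARDPASS SN trusted tmp rc=1
    echo "Processing $DEVICE"
    SLOTS=$(getSlots "$DEVICE")
    HARDPASS=$("$BUSYBOX" lspci | md5sum | cut -f1 -d ' ')
    case "$MARRIAGETYPE" in
        lspci)
            printf '%s\n' "$HARDPASS" | cryptsetup luksRemoveKey "$DEVICE"
            rc=$?
            ;;
        tpm2)
            # clevis_luks_unlock_device is an internal clevis helper, not a
            # documented interface; a clevis upgrade may break this.
            . /usr/bin/clevis-luks-common-functions
            clevis_luks_unlock_device "$DEVICE" | cryptsetup luksRemoveKey "$DEVICE"
            rc=$?
            ;;
    esac

    if [ "$rc" -eq 0 ]; then
        SLOTSNOW=$(getSlots "$DEVICE")
        SN=$(udevadm info -a -p "$(udevadm info -q path -n "$DEVICE")" \
            | grep serial | head -n1 | cut -f3 -d '=')
        trusted="/home/$(xuserrun whoami)/.trusted"
        # Drop the lines containing the serial.  Fixed-string grep instead of
        # splicing $SN into a sed pattern: the serial comes from the device
        # (USB serials are attacker-controlled) and may hold regex
        # metacharacters or '/', which would break or alter the expression.
        # An empty SN is skipped: the old '//d' errored, and `-vF ''` would
        # wipe the whole file.  Rewritten in place to keep owner and mode;
        # a symlinked .trusted is refused since this runs privileged.
        if [ -n "$SN" ] && [ -f "$trusted" ] && [ ! -L "$trusted" ]; then
            tmp=$(mktemp) || return 1
            grep -vF -- "$SN" "$trusted" > "$tmp"
            cat "$tmp" > "$trusted"
            rm -f -- "$tmp"
        fi
        [ "$SLOTSNOW" -gt "$SLOTS" ] && mdialog --msgbox "${MSG12}!\n${MSG06}: $SLOTSNOW"
        return
    fi
    mdialog --error "$MSG13, $MSG14"
}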

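# Candidate LUKS devices: mounted dm devices named /dev/mapper/sd*, mapped
# back to the block device by stripping "/mapper" (this assumes the mapper
# name equals the underlying device name); otherwise whatever blkid reports
# as crypto_LUKS.
DEVICES=$(grep '/dev/mapper/sd' /proc/mounts | awk '{print $1}' | sed 's:/mapper::' | sort -u)
[ -z "$DEVICES" ] && DEVICES=$(blkid | grep -i crypto_luks | cut -f1 -d ':' | sort -u)
if [ -z "$DEVICES" ]; then
    mdialog --error "$MSG13, $MSG15"
    exit 1
fi

echo "LUKS DEVICES: 
$DEVICES"

# $DEVICES is one device path per line with no spaces, so the unquoted
# word split in the loops is intentional.
case "$1" in
    firstTime) for a in $DEVICES; do firstTime "$a"; done ;;
    addKey)    for a in $DEVICES; do addKey    "$a"; done ;;
    rmAll)     for a in $DEVICES; do rmAll     "$a"; done ;;
    rmCurrent) for a in $DEVICES; do rmCurrent "$a"; done ;;
    # Fix: an unknown or missing command used to fall through silently.
    *) echo "Unknown command: '$1'" >&2; HLP ;;
esac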

