#!/bin/bash -e
# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
#
# Copyright (c) 2016 Red Hat, Inc.
# Author: Nathaniel McCallum <npmccallum@redhat.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

SUMMARY="Unlocks a LUKS volume"
UUID=cb6e8904-81ff-40da-a84a-07ab9ab5715e

# We require cryptsetup >= 2.0.4 to fully support LUKSv2.
# Support is determined at build time.
function luks2_supported() {
    return @OLD_CRYPTSETUP@
}

function usage() {
    exec >&2
    echo
    echo "Usage: clevis luks unlock -d DEV [-n NAME]"
    echo
    echo "$SUMMARY":
    echo
    echo "  -d DEV  The LUKS device on which to perform unlocking"
    echo
    echo "  -n NAME The name of the unlocked device node"
    echo
    exit 2
}

if [ $# -eq 1 ] && [ "$1" == "--summary" ]; then
    echo "$SUMMARY"
    exit 0
fi

while getopts ":d:n:" o; do
    case "$o" in
    d) DEV="$OPTARG";;
    n) NAME="$OPTARG";;
    *) usage;;
    esac
done

if [ -z "$DEV" ]; then
    echo "Did not specify a device!" >&2
    usage
fi

if ! cryptsetup isLuks "$DEV"; then
    echo "$DEV is not a LUKS device!" >&2
    exit 1
fi

if luks2_supported; then
    if cryptsetup isLuks --type luks1 "$DEV"; then
        luks_type="luks1"
    elif cryptsetup isLuks --type luks2 "$DEV";then
        luks_type="luks2"
    else
        echo "$DEV is not a supported LUKS device!" >&2
        exit 1
    fi
else
    luks_type="luks1"
fi
NAME="${NAME:-luks-"$(cryptsetup luksUUID "$DEV")"}"

luks1_decrypt() {
    luksmeta load "$@" \
        | clevis decrypt

    local rc
    for rc in "${PIPESTATUS[@]}"; do
        [ $rc -eq 0 ] || return $rc
    done
    return 0
}

luks2_decrypt() {
    # jose jwe fmt -c outputs extra \n, so clean it up
    cryptsetup token export "$@" \
        | jose fmt -j- -Og jwe -o- \
        | jose jwe fmt -i- -c \
        | tr -d '\n' \
        | clevis decrypt

    local rc
    for rc in "${PIPESTATUS[@]}"; do
        [ $rc -eq 0 ] || return $rc
    done
    return 0
}

if [ "$luks_type" == "luks1" ]; then
    while read -r slot state uuid; do
        [ "$state" == "active" ] || continue
        [ "$uuid" == "$UUID" ] || continue

        pt="$(luks1_decrypt -d $DEV -s $slot -u $UUID)" \
            || continue
        exec cryptsetup open -d- "$DEV" "$NAME" < <(
            echo -n "$pt"
        )
    done < <(luksmeta show -d "$DEV")

elif [ "$luks_type" == "luks2" ]; then
    while read -r id; do
        pt="$(luks2_decrypt --token-id "$id" "$DEV")" \
            || continue
        exec cryptsetup open -d- "$DEV" "$NAME" < <(
            echo -n "$pt"
        )
    done < <(cryptsetup luksDump "$DEV" | sed -rn 's|^\s+([0-9]+): clevis|\1|p')
fi

echo "$DEV could not be opened." >&2
exit 1