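#!/bin/sh
# Copyright 2022 Mitchell Riedstra
#
# Permission to use, copy, modify, and/or distribute this software for any purpose
# with or without fee is hereby granted, provided that the above copyright notice
# and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
# FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
# OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
# TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
# THIS SOFTWARE.
#
# This DPW storage plugin is backed to the AWS parameter store / SSM.
# This uses SecureString by default. You can optionally set an environment
# variable to specify a particular KMS key.
#
# The environment variable DPW_SSM_PREFIX can be used to prefix all keys
# with a specific identifier
#
# You can configure this client to use a non default KMS key with the
# environment variable DPW_KMS_KEY=
#
# Configuration of the AWS calls should be done through environment variables
# Most notable are:
#
# AWS_PROFILE
# AWS_DEFAULT_REGION
# AWS_ACCESS_KEY_ID
# AWS_SECRET_ACCESS_KEY
#
# Full docs:
# https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
#
# Usage: dpw-ssm.sh show|list|insert|rm|init [ARGS...]
#   show PATH    decode and print the secret stored at ${DPW_SSM_PREFIX}PATH
#   insert PATH  read a secret from stdin and store it at ${DPW_SSM_PREFIX}PATH
#   list         print stored names (prefix stripped when DPW_SSM_PREFIX is set)
#   rm PATH      delete ${DPW_SSM_PREFIX}PATH
#   init         no-op

set -e
# set -x

# Restrictive umask so the temp files created by insert are private (0600).
UMASK="${PASSWORD_STORE_UMASK:-077}"
umask "$UMASK"

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print the usage line to stderr and exit non-zero.
#######################################
usage() {
  printf 'Usage: %s show|list|insert|rm|init [ARGS...]\n' "${0##*/}" >&2
  exit 1
}

# Interface

#######################################
# Fetch and decrypt a parameter, then base64-decode its value to stdout.
# Globals:   DPW_SSM_PREFIX (read)
# Arguments: $1 - key path (appended to DPW_SSM_PREFIX)
# Outputs:   the decoded secret on stdout
# Returns:   non-zero if the get-parameter call fails
#######################################
show() {
  pth="$1"; shift
  # Capture the API response first: plain sh has no pipefail, so a failed
  # get-parameter inside "aws | jq | base64" would otherwise be masked and
  # the script would exit 0 having printed nothing.
  resp="$(aws ssm get-parameter --with-decryption --name "${DPW_SSM_PREFIX}$pth")" || return
  printf '%s\n' "$resp" \
    | jq -r '.Parameter | .Value' \
    | base64 -d
}

#######################################
# Read a secret from stdin and store it base64-encoded as a SecureString.
# Globals:   DPW_SSM_PREFIX (read), DPW_KMS_KEY (read, optional)
# Arguments: $1 - key path (appended to DPW_SSM_PREFIX)
# Returns:   non-zero if the user declines the /tmp fallback or aws fails
#######################################
insert() {
  pth="$1"; shift
  tmpdir=/dev/shm
  if ! [ -d "$tmpdir" ] ; then
    printf 'Your system does not have /dev/shm, continue? \n[Yy] '
    read -r resp
    echo ""
    case $resp in
      Y*|y*) ;;
      # Nothing was stored, so report failure rather than a silent success.
      *) printf '%s\n' "insert aborted" >&2; return 1 ;;
    esac
    tmpdir=/tmp
  fi

  # A private (0700) directory holds both the encoded secret and the request
  # body; the trap removes it on every exit path, including a failed aws
  # call, so no plaintext-equivalent file is left behind.
  _d="$(mktemp -d "${tmpdir}/dpw.XXXXXXXXXX")"
  trap 'rm -rf -- "${_d:?}"' EXIT HUP INT TERM
  base64 > "$_d/value"

  # Build the request with jq (reading the value from the file) and hand it
  # to aws via --cli-input-json so the secret never appears in argv, which
  # is readable by other local users through the process list.
  # sub("\n+$"; "") mirrors the trailing-newline stripping of "$(cat file)".
  if [ -n "$DPW_KMS_KEY" ] ; then
    jq -R -s --arg name "${DPW_SSM_PREFIX}$pth" --arg key "$DPW_KMS_KEY" \
      '{Name: $name, Type: "SecureString", KeyId: $key, Value: sub("\n+$"; "")}' \
      < "$_d/value" > "$_d/req.json"
  else
    jq -R -s --arg name "${DPW_SSM_PREFIX}$pth" \
      '{Name: $name, Type: "SecureString", Value: sub("\n+$"; "")}' \
      < "$_d/value" > "$_d/req.json"
  fi
  aws ssm put-parameter --cli-input-json "file://$_d/req.json"
  rm -rf -- "${_d:?}"
}

#######################################
# List stored parameter names.
# Globals:   DPW_SSM_PREFIX (read)
# Outputs:   one name per line; with a prefix set, only names carrying the
#            prefix are printed, with the prefix removed
# Returns:   non-zero if the describe-parameters call fails
#######################################
list() {
  # Captured first so a failing aws call is not masked by the pipeline.
  out="$(aws ssm describe-parameters)" || return
  if [ -z "$DPW_SSM_PREFIX" ] ; then
    printf '%s\n' "$out" | jq -r '.Parameters | .[] | .Name'
  else
    # Strip the prefix with parameter expansion instead of sed: SSM names
    # routinely contain '/', which breaks an interpolated s/// expression,
    # and the prefix is matched literally rather than as a regex.
    printf '%s\n' "$out" | jq -r '.Parameters | .[] | .Name' \
      | while IFS= read -r name; do
          case $name in
            "${DPW_SSM_PREFIX}"*) printf '%s\n' "${name#"$DPW_SSM_PREFIX"}" ;;
          esac
        done
  fi
}

#######################################
# Delete a parameter.
# Globals:   DPW_SSM_PREFIX (read)
# Arguments: $1 - key path (appended to DPW_SSM_PREFIX)
#######################################
remove() {
  pth="$1"; shift
  aws ssm delete-parameter --name "${DPW_SSM_PREFIX}$pth"
}

#######################################
# Initialization hook required by the plugin interface; nothing to do here.
#######################################
_init() {
  echo "No initialization needed"
}

# Dispatch on the first argument; the rest are passed to the sub-command.
[ $# -ge 1 ] || usage
act="$1"; shift
case $act in
  show)   show "$@" ;;
  list)   list "$@" ;;
  insert) insert "$@" ;;
  rm)     remove "$@" ;;
  init)   _init "$@" ;;
  *)      die "Bad command $act" ;;
esac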