#!/bin/bash -e
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.
#

##
## @fn encrypt-json.sh 
##
## Encrypts and signs JSON using the provided key, returning base64-encoded
## data ready to be submitted to Guacamole and used by the guacamole-auth-json
## authentication provider. Beware that this base64-encoded must still be
## URL-encoded prior to submission to /api/tokens via POST. Base64 encoding may
## contain + and = characters, which have special meaning in URLs.
##
## To submit the resulting data easily via curl, the following will work:
##
## curl --data-urlencode "data=$(<file_containing_result)" GUAC_URL/api/tokens
##
## @param SECRET_KEY
##     The key to encrypt and sign the JSON file with, as a 16-byte (32-digit)
##     hexadecimal value. This key must match the key specified within
##     guacamole.properties using the "json-secret-key" property.
##
## @param JSON_FILENAME
##     The filename of the JSON to encrypt and sign.
##

##
## Encryption/signing key.
##
SECRET_KEY="$1"

##
## The filename of the JSON data being signed and encrypted.
##
JSON_FILENAME="$2"

##
## A null (all zeroes) IV.
##
NULL_IV="00000000000000000000000000000000"

##
## Signs the contents of the given file using the given key. The signature is
## created using HMAC/SHA-256, and is output in binary form to STDOUT, followed
## by the raw contents of the file.
##
## @param KEY
##     The key to use to sign the contents of the given file with HMAC/SHA-256.
##
## @param FILENAME
##     The filename of the file to sign.
##
sign() {

    KEY="$1"
    FILENAME="$2"

    #
    # Write out signature
    #

    openssl dgst                                \
        -sha256 -mac HMAC -macopt hexkey:"$KEY" \
        -binary "$FILENAME"

    #
    # Write out file contents
    #

    cat "$FILENAME"

}

##
## Encrypts all data received through STDIN using the provided key. Data is
## encrypted using 128-bit AES in CBC mode (with a null IV). The encrypted
## result is printed to STDOUT encoded with base64.
##
## @param KEY
##     The key to encrypt STDIN with, as a 16-byte (32-digit) hexadecimal
##     value.
##
encrypt() {

    KEY="$1"

    #
    # Encrypt STDIN
    #

    openssl enc -aes-128-cbc -K "$KEY" -iv "$NULL_IV" -nosalt -a

}

#
# Sign and encrypt file using secret key
#

sign "$SECRET_KEY" "$JSON_FILENAME" | encrypt "$SECRET_KEY"