#cloud-config
mounts:
  - [ /dev/disk/by-label/config-2, /mnt/config ]
write_files:
  - path: /root/tatu-setup-ssh.sh
    permissions: '0700'
    owner: root:root
    content: |
        #!/bin/bash
        # Name: tatu-setup-ssh.sh
        #
        # Purpose: Fetch a SSH host cert from Tatu and configure SSH to use certs.
        metadata=$(cat /mnt/config/openstack/latest/meta_data.json)
        auth_id=$(echo $metadata | grep -Po 'project_id": "\K[^"]*')
        if [ -z $auth_id ]; then
          echo Failed to extract the project ID from metadata
          exit 1
        fi
        echo auth_id=$auth_id
        host_id=$(echo $metadata | grep -Po 'uuid": "\K[^"]*')
        echo host_id=$host_id
        vendordata=$(cat /mnt/config/openstack/latest/vendor_data2.json)
        token=$(echo $vendordata | grep -Po '"token": "\K[^"]*')
        if [ -z $token ]; then
          echo Failed to extract the Tatu token ID from vendordata
          exit 1
        fi
        echo token=$token
        ca_user=$(echo $vendordata | grep -Po '"auth_pub_key_user": "\K[^"]*')
        echo ca_user=$ca_user
        echo $ca_user > /etc/ssh/ca_user.pub
        #root_principals=$(echo $vendordata | grep -Po '"root_principals": "\K[^"]*')
        #echo root_principals=$root_principals
        users=$(echo $vendordata | grep -Po '"users": "\K[^"]*')
        echo users=$users
        sudoers=$(echo $vendordata | grep -Po '"sudoers": "\K[^"]*')
        echo sudoers=$sudoers
        ssh_port=$(echo $vendordata | grep -Po '"ssh_port": \K[^,]*')
        echo ssh_port=$ssh_port
        host_pub_key=$(cat /etc/ssh/ssh_host_rsa_key.pub)
        echo host public key is $host_pub_key
        data=$(echo {\"token_id\": \"$token\", \"host_id\": \"$host_id\", \"pub_key\": \"$host_pub_key\"})
        echo $data > /tmp/tatu_cert_request.json
        url=http://169.254.169.254/noauth/hostcerts
        echo url=$url
        echo Posting Host Certificate request to Tatu API
        response=$(curl -s -w "%{http_code}" -d "@/tmp/tatu_cert_request.json" -X POST $url)
        code=${response##*\}}
        if [ "$code" != "200" ]; then
          echo Curl to Tatu API failed with code $code
          exit 1
        fi
        echo Tatu response is $response
        cert=$(echo $response | grep -Po 'cert": "\K[^"]*')
        cert=${cert%%\\n} # TODO: fix the trailing \n on the server side.
        echo $cert > /etc/ssh/ssh_host_rsa_key-cert.pub
        mkdir -p /etc/ssh/auth_principals
        #root_principals_file=/etc/ssh/auth_principals/root
        #> $root_principals_file
        #for i in ${root_principals//,/ }
        #do
        #  echo $i >> $root_principals_file
        #done
        for i in ${users//,/ }; do
          id -u $i > /dev/null 2>&1
          if [ $? == 1 ]; then
            #adduser --disabled-password --gecos '' $i
            adduser $i
          fi
        done
        for i in ${sudoers//,/ }; do
          if [ $(getent group sudo) ]; then
            usermod -aG sudo $i
          fi
          if [ $(getent group wheel) ]; then
            usermod -aG wheel $i
          fi
        done
        sed -i -e '$aTrustedUserCAKeys /etc/ssh/ca_user.pub' /etc/ssh/sshd_config
        # man sshd_config, under AuthorizedPrincipalsFile:  The default is none, i.e. not to use a principals file
        # – in this case, the username of the user must appear in a certificate's principals list for it to be accepted.
        #sed -i -e '$aAuthorizedPrincipalsFile /etc/ssh/auth_principals/%u' /etc/ssh/sshd_config
        sed -i -e '$aHostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub' /etc/ssh/sshd_config
        sed -i -e '/^PasswordAuthentication /d' /etc/ssh/sshd_config
        sed -i -e '$aPasswordAuthentication no' /etc/ssh/sshd_config
        > /etc/ssh/revoked-keys
        sed -i -e '$aRevokedKeys /etc/ssh/revoked-keys' /etc/ssh/sshd_config
        sed -i -e '$aPort '"$ssh_port" /etc/ssh/sshd_config
        sed -i -e '$aPort 22' /etc/ssh/sshd_config
        setenforce permissive
        systemctl restart sshd
  - path: /root/tatu-manage-revoked-keys.sh
    permissions: '0700'
    owner: root:root
    content: |
        #!/bin/bash
        # Name: tatu-manage-revoked-keys.sh
        #
        # Purpose: Fetch the revoked keys data from Tatu and write it to /etc/ssh
        # !/usr/bin/env python
        metadata=$(cat /mnt/config/openstack/latest/meta_data.json)
        auth_id=$(echo $metadata | grep -Po 'project_id": "\K[^"]*')
        echo auth_id=$auth_id
        url=http://169.254.169.254/noauth/revokeduserkeys/$auth_id
        echo url=$url
        response=$(curl -s -w "%{http_code}" $url)
        code=${response##*\}}
        if [ "$code" != "200" ]; then
          echo Curl to Tatu API failed with code $code
          exit 1
        fi
        echo Tatu response is $response
        b64revoked=$(echo $response | grep -Po 'revoked_keys_data": "\K[^"]*')
        echo $b64revoked | base64 -d > /etc/ssh/revoked-keys
runcmd:
  - /root/tatu-setup-ssh.sh > /var/log/tatu-setup-ssh.log 2>&1
  - /root/tatu-manage-revoked-keys.sh > /var/log/tatu-revoked-keys.log
  - crontab -l | { cat; echo "* * * * * /root/tatu-manage-revoked-keys.sh >> /var/log/tatu-revoked-keys.log"; } | crontab -