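#!/bin/dash
# Derive per-client identity variables from the sshd-provided SSH_USER_AUTH
# file (sshd_config "ExposeAuthInfo yes") and hand them to a clean
# environment via env -i:
#   SSH_CLIENT_FINGERPRINT  SHA-256 SSHFP digest of the client key, unpadded
#                           lower-case base32
#   SSH_CLIENT_KEYTYPE      key algorithm tag as written in the auth file
#   SSH_CLIENT_DOMAIN       <dsa|ecdsa|rsa|ed25519>.cryptonomic.net
#   SSH_CLIENT_PEMFILE      path of the saved key when --copy-pem DIR was
#                           given, empty otherwise (the scratch copy is gone)
#   SSH_CLIENT_KEYDATA      rest of the publickey line (base64 [comment])
# Usage: $0 [--copy-pem DIR]
# Requires: ssh-keygen, basez, mktemp, sed, tr.

die() { printf '%s: Error: %s\n' "$0" "$*" >&2; exit 1; }

# Re-encode a hex digest as unpadded lower-case base32.
# $1 - hex string; result on stdout.
b16_to_b32() {
  printf '%s' "$1" | basez -x -d | basez -j -l | tr -d =
}

# Map an OpenSSH key algorithm tag to the path fragment used for the domain.
# $1 - key tag (e.g. ssh-ed25519); fragment on stdout.
# Returns 1 and prints nothing for tags not on this allow-list, so a domain
# is never built from an unexpected value.
ssh_keytag_to_path_fragment() {
  case "$1" in
    ssh-dss)             echo dsa ;;
    ecdsa-sha2-nistp256) echo ecdsa ;;
    ssh-rsa|ssh-ed25519) echo "${1#ssh-}" ;;
    *)                   return 1 ;;
  esac
}

# Remove the scratch file on any exit path; TMPPEM is cleared once the file
# has been handed over to --copy-pem, so the moved copy is never deleted.
cleanup() { if [ -n "$TMPPEM" ]; then rm -f -- "$TMPPEM"; fi; }

for tool in ssh-keygen basez mktemp; do
  command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
done

[ -n "${SSH_USER_AUTH-}" ] || die "not defined: \$SSH_USER_AUTH"
[ -f "$SSH_USER_AUTH" ] || die "file does not exist: \$SSH_USER_AUTH=${SSH_USER_AUTH}"

# Unpredictable scratch name next to the auth file. A fixed
# "$SSH_USER_AUTH.tmp" could be pre-created (or symlinked) by another local
# user before this script runs and would then be followed by the '>' below.
PEMFILE=$(mktemp "${SSH_USER_AUTH}.XXXXXX") || die "could not create temporary key file"
TMPPEM=$PEMFILE
trap cleanup EXIT

# Keep only the "<type> <base64> [comment]" part of the publickey line(s).
# ssh-keygen -r and read below both consider the first line only.
sed -ne 's/^publickey //p' < "${SSH_USER_AUTH}" > "${PEMFILE}" || die "could not rewrite SSH_USER_AUTH file"
[ -s "${PEMFILE}" ] || die "no publickey entry in \$SSH_USER_AUTH=${SSH_USER_AUTH}"

# SSHFP digest type 2 is SHA-256; ssh-keygen prints it as lower-case hex.
SSH_CLIENT_FINGERPRINT=$(ssh-keygen -r . -f "${PEMFILE}" | sed -ne 's/^. IN SSHFP [0-9]* 2 //p')
[ -n "$SSH_CLIENT_FINGERPRINT" ] || die "could not determine ssh client fingerprint"
SSH_CLIENT_FINGERPRINT_B32=$(b16_to_b32 "$SSH_CLIENT_FINGERPRINT")
[ -n "$SSH_CLIENT_FINGERPRINT_B32" ] || die "could not re-encode ssh client fingerprint"

# -r: keep any backslash in the key comment literally.
read -r keytype keydata < "${PEMFILE}" || die "reading from PEMFILE=$PEMFILE"

keyfrag=$(ssh_keytag_to_path_fragment "$keytype") || die "Unsupported key type: $keytype"
domain=${keyfrag}.cryptonomic.net

if [ "${1-}" = '--copy-pem' ] && [ -n "${2-}" ]; then
  # Target name is built from the hex fingerprint and an allow-listed key
  # tag, so it holds no shell metacharacters; quote regardless.
  { [ -d "$2" ] || mkdir -- "$2"; } || die "could not create directory: $2"
  dest="$2/${SSH_CLIENT_FINGERPRINT}.${keytype}.pem"
  mv -- "${PEMFILE}" "$dest" || die "could not move key file to $dest"
  PEMFILE=$dest   # export the path that exists now, not the scratch name
  TMPPEM=         # ownership transferred; cleanup must leave $dest alone
else
  rm -f -- "${PEMFILE}"
  PEMFILE=        # nothing is left on disk; do not export a dangling path
fi

# NOTE(review): env -i with no command prints the variables it was given;
# if a handler is meant to run in this scrubbed environment it belongs after
# the last assignment. Note also that --copy-pem DIR is not shifted off "$@".
env -i \
  SSH_CLIENT_FINGERPRINT="$SSH_CLIENT_FINGERPRINT_B32" \
  SSH_CLIENT_KEYTYPE="$keytype" \
  SSH_CLIENT_DOMAIN="$domain" \
  SSH_CLIENT_PEMFILE="$PEMFILE" \
  SSH_CLIENT_KEYDATA="$keydata"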