#!/bin/bash

#!/bin/bash
if [ "$#" -lt 1 ]; then
    echo "Usage: $0 <keyserver>" "[socket]"
    echo "Example: $0 https://keyserver.example.com"
    echo "Example: $0 https://keyserver.example.com /var/run/kmsplugin/socket.sock"
    exit 1
fi

KEYSERVER=$1
SOCKET=${2:-/var/run/kmsplugin/socket.sock}

# if keyserver is not reachable, exit
if ! curl -s -I $KEYSERVER > /dev/null; then
    logger "start_encryption_provider: Key server not reachable, exiting."
    exit 1
fi

uuid=$(cat /proc/cpuinfo | grep 'model name' | head -1)
uuid+=$(ip link show eth0 | grep ether | awk '{print $2}')
uuid+=$(sudo dmidecode -s system-uuid)
KEYID=$(echo -n "$uuid" | md5sum | awk '{print $1}')

logger "start_encryption_provider: Downloading key from key server,"
LOCALKEYFILE=$(mktemp)
curl -s -o $LOCALKEYFILE $KEYSERVER/$KEYID-encryption-service-credentials.json
if [ $? -ne 0 ]; then
    logger "start_encryption_provider: Failed to download key from key server"
    rm $LOCALKEYFILE
    exit 1
fi

logger "start_encryption_provider: Key downloaded successfully, extracting credentials"
export AWS_ACCESS_KEY_ID=$(jq -r '.access_key' $LOCALKEYFILE)
if [ $? -ne 0 ]; then
    logger "start_encryption_provider: Failed to extract AWS credentials from key file"
    rm $LOCALKEYFILE
    exit 1
fi

export AWS_SECRET_ACCESS_KEY=$(jq -r '.secret_key' $LOCALKEYFILE)
if [ $? -ne 0 ]; then
    logger "start_encryption_provider: Failed to extract AWS credentials from key file"
    rm $LOCALKEYFILE
    exit 1
fi
KEYARN=$(jq -r '.key_arn' $LOCALKEYFILE)
if [ $? -ne 0 ]; then
    logger "start_encryption_provider: Failed to extract KMS key ARN from key file"
    rm $LOCALKEYFILE
    exit 1
fi
REGION=$(jq -r '.region' $LOCALKEYFILE)
if [ $? -ne 0 ]; then
    logger "start_encryption_provider: Failed to extract region from key file"
    rm $LOCALKEYFILE
    exit 1
fi

logger "start_encryption_provider: Removing key file"
rm $LOCALKEYFILE

logger "start_encryption_provider: Starting encryption provider"
mkdir {{ encryption_kms_socket_dir | dirname }} }} 2>/dev/null || true
chmod 700 {{ encryption_kms_socket_dir | dirname }} 2>/dev/null

if [ ! -f /usr/local/bin/aws-encryption-provider ]; then
    logger "start_encryption_provider: Encryption provider not found, exiting."
    exit 1
fi

/usr/local/bin/aws-encryption-provider --key=$KEYARN --region=$REGION --listen=$SOCKET
if [ $? -ne 0 ]; then
    logger "start_encryption_provider: Failed to start encryption provider"
    exit 1
fi
exit 0
