vault

#!/bin/bash

# MIT License
#
# Copyright (c) 2023 Tom Conley
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.

password=
list_message=
output_password=
password_filename="password.txt"
script="$(basename "$0")"

# Find the root directory and build the source arrays.
function set_dotfiles_dir_and_sources() {
  local script_path
  local git_top_level_path # If the script is in a repo, this will be the repo root directory.
  local dotfiles_directory # Root dotfiles directory

  script_path="$(dirname -- "$( readlink -f -- "$0")")"
  git_top_level_path="$(git rev-parse --show-toplevel 2> /dev/null)"

  # Assume the dotfiles are always in a repo for backup and use the repo root path.
  if [ -n "$git_top_level_path" ]; then
    dotfiles_directory="$git_top_level_path"

  # If not, check the script directory.
  elif [ "$(basename "$script_path")" == "dotfiles" ]; then
    dotfiles_directory="$script_path"

  # Check the script directory's parent directory.
  elif [ "$(basename "${script_path%/*}")" == "dotfiles" ]; then
    dotfiles_directory="${script_path%/*}"
  else
    echo "The dotfiles directory couldn't be established! See the script's set_dotfiles_root_dir function."
    exit 1
  fi

  if [ ! -d "$dotfiles_directory" ]; then
    echo "The dotfiles directory doesn't exist!"
    exit 1
  fi
  encrypt_directory="$dotfiles_directory/vault"
  decrypt_directory="$dotfiles_directory/vault-key"
  encrypt_backup_directory="$decrypt_directory/vault_backups/vault"
  decrypt_backup_directory="$decrypt_directory/vault_backups/vault-key"
}

# Encrypt/decrypt and base64 encode/decode a string (e.g. file and directory names).
function encrypt_decrypt_name(){
  local source_name="$1"
  local operation="${2:-encrypt}"

  if [ "$operation" == "decrypt" ] || [ "$operation" == "list" ]; then
    echo "$( echo "$source_name" | base64 --decode | openssl aes-256-cbc -d -a -salt -pbkdf2 -pass pass:"$password")"
  else
    echo "$( echo "$source_name" | openssl aes-256-cbc -a -pbkdf2 -pass pass:"$password" | base64 -w 0)"
  fi

}

# Traverse a directory and encrypt and decrypt files along the way. File and directory names will also be
# encrypted/decrypted and base64 encoded to be URL safe.
function encrypt_decrypt_files() {
    local source_directory="$1"
    local target_directory="$2"
    local operation="${3:-decrypt}"
    local level="${4:-0}"
    local msg_spacer_fn=$(printf "%${level}s")
    local msg_spacer="${msg_spacer_fn// /  }"
    local filename
    local directory_name
    local target
    local msg

    for file in $(ls -A "$source_directory" | grep -v '.DS_Store'); do
      if [[ ! -d "$source_directory/$file" ]]; then
        # Encrypt/decrypt ALL filenames, including password.txt
        filename="$( encrypt_decrypt_name "$file" "$operation")"
        target="$target_directory/$filename"
        if [ "$operation" == "decrypt" ]; then
          openssl enc -in "$source_directory/$file" -d -aes-256-cbc -pbkdf2 -pass pass:"$password" > "$target"
        elif [ "$operation" == "encrypt" ]; then
          openssl enc -in "$source_directory/$file" -aes-256-cbc -pbkdf2 -pass pass:"$password" > "$target"
        else
          msg="$filename (${file: -5})"
          list_message="$list_message$msg_spacer$msg\n"
        fi
      else
        [[ "$source_directory/$file" == *"vault_backups"* && "$operation" != "list" ]] && continue
        directory_name="$( encrypt_decrypt_name "$file" "$operation")"
        if [ "$operation" == "list" ]; then
          msg="$directory_name/ (${file: -5})\n"
          list_message="$list_message$msg_spacer$msg"
        else
          mkdir "$target_directory/$directory_name"
        fi
        encrypt_decrypt_files "$source_directory/$file" "$target_directory/$directory_name" "$operation" $((level + 1))
      fi
    done
    [ "$level" -eq 0 ] && [ "$operation" == 'list' ] && echo -e "$list_message"
}

# List decrypted file names in all the backup directories.
function list_backups() {
  if [ -d "$encrypt_backup_directory" ]; then
    for backup_dir in $(ls -A "$encrypt_backup_directory"); do
      echo "$backup_dir/"
      encrypt_decrypt_files "$encrypt_backup_directory/$backup_dir" "" "list"
      list_message=
    done
  else
    echo "No backup directory."
  fi
}

# View how to use the script.
function usage() {
  local help="
Description:
  $script [-e|--encrypt] [-l|--list] [--list-backups] [-h|--help] <password>
  
  Encrypt files stored in the vault-key directory to the vault directory, or decrypt files from vault
  to vault-key. The password.txt file is automatically managed:
  
  - When encrypting: password.txt is created in vault-key and encrypted with other files
  - When decrypting: password.txt is decrypted to vault-key for shell auto-loading
  - Backup process: existing files (including password.txt) are moved to timestamped backup folders
  
  The vault-key directory is ignored by git. When encrypting or decrypting, any existing files in the
  target directory are backed up to vault-key/vault_backups/TIMESTAMP/ so nothing is ever overwritten.

Options:
  -e, --encrypt          Encrypt files stored in the vault-key directory to the vault directory
                         (default operation is decrypt)
  -l, --list             List the encrypted file and directory names
  --list-backups         List files in backup directories
  -h, --help             Show this help message

Usage:
  $script my-password                  # Decrypt files from vault/ to vault-key/
                                       # password.txt will be decrypted and available for shell auto-load
  
  $script -e my-password               # Encrypt files from vault-key/ to vault/
                                       # password.txt will be created in vault-key first, then encrypted
  
  $script --list my-password           # List encrypted file/directory names in vault/
  $script --list-backups my-password   # List files in backup directories

Note: password.txt is automatically created/managed in vault-key/ and your shell configs
will auto-load it as VAULT_PASSWORD environment variable on next shell session."
 echo "$help"
}

# Parse the options and run the correct operation.
function main() {
  local short="elh"
  local long="list,list-backups,help,encrypt"
  local options
  local operation=decrypt
  local source_directory
  local target_directory
  local backup_directory
  local date
  local timestamp

  set_dotfiles_dir_and_sources

  if [ "$(uname)" == "Darwin" ]; then
    if [ -e "$(brew --prefix)/opt/gnu-getopt/bin/getopt" ]; then
      options=$("$(brew --prefix)/opt/gnu-getopt/bin/getopt" -l "$long" -o "$short" -- "$@")
    else
      echo "This script requires the latest getopt command. Upgrade with: brew install gnu-getopt"
      exit 1
    fi
  else
      options=$(getopt -l "$long" -o "$short" -a -- "$@")
  fi

  # Set the positional parameters to the parsed getopt command output.
  eval set -- "$options"

  while true; do
    case "$1" in
      -e|--encrypt) operation=encrypt; shift;;
      -l|--list) operation=list ; shift;;
      --list-backups) operation=list_backups ; shift;;
      -h|--help) usage; exit 0;;
      --) shift;;
      *)
        # Check for password: command line argument first, then fall back to env var
        # This ensures explicit passwords always take precedence
        if [ -n "$1" ]; then
          password="$1"
        elif [ -n "$VAULT_PASSWORD" ]; then
          password="$VAULT_PASSWORD"
        fi
        
        if [ -z "$password" ];then
          echo "A password is required! Provide via:"
          echo "  - Command line argument: vault [options] password"
          echo "  - VAULT_PASSWORD environment variable (fallback)"
          echo "See usage: vault --help"
          exit 1
        fi
        break;;
    esac
  done

  if [ "$operation" == "list_backups" ]; then
    list_backups
    exit 0
  fi

  date="$(date)"
  timestamp="${date// /_}"
  # Set the source and target directories
  if [ "$operation" == "decrypt" ] || [ $operation == "list" ]; then
    source_directory="$encrypt_directory"
    target_directory="$decrypt_directory"
    backup_directory="$decrypt_backup_directory/$timestamp"
  else
    source_directory="$decrypt_directory"
    target_directory="$encrypt_directory"
    backup_directory="$encrypt_backup_directory/$timestamp"
  fi

  # Handle password file and backups based on operation
  if [ "$operation" == "decrypt" ] || [ "$operation" == "encrypt" ]; then
    # Create target directory if it doesn't exist
    [ ! -d "$target_directory" ] && mkdir -p "$target_directory"

    # Backup existing files in target directory if not empty
    if [ "$(ls -A "$target_directory" | grep -v '.DS_Store')" ]; then
      [ ! -d "$backup_directory" ] && mkdir -p "$backup_directory"
      
      # Move existing target files to backup
      find "$target_directory" -maxdepth 1 -mindepth 1 -not -name .DS_Store -not -name vault_backups \
        -exec mv '{}' "$backup_directory" \;
      
      # For encryption: ALSO copy vault-key/password.txt to the vault backup
      # This preserves the password that can decrypt the vault files we just backed up
      if [ "$operation" == "encrypt" ] && [ -f "$source_directory/$password_filename" ]; then
        cp "$source_directory/$password_filename" "$backup_directory/$password_filename"
        chmod 600 "$backup_directory/$password_filename"
        echo "Saved password.txt to vault backup: $backup_directory/$password_filename"
      fi
      
      echo "Backed up existing files to: $backup_directory"
    fi

    # For encryption: Create NEW password.txt in vault-key with the NEW password from command line
    # This will be encrypted along with other vault-key files
    # IMPORTANT: Use $password (command line arg), NOT $VAULT_PASSWORD (environment variable)
    if [ "$operation" == "encrypt" ]; then
      echo "$password" > "$source_directory/$password_filename"
      chmod 600 "$source_directory/$password_filename"
      echo "Updated password.txt in vault-key with: $password"
      echo "This will be encrypted to vault/"
    fi
  fi

  # Perform encryption/decryption
  encrypt_decrypt_files "$source_directory" "$target_directory" $operation
  
  # Set proper permissions and export for both operations
  if [ "$operation" == "decrypt" ]; then
    # Password.txt was decrypted from vault/ - just set permissions
    if [ -f "$target_directory/$password_filename" ]; then
      chmod 600 "$target_directory/$password_filename"
      export VAULT_PASSWORD="$password"
      echo "Password file decrypted to: $target_directory/$password_filename"
      echo "Shell configs will auto-load this password on next session"
    fi
  elif [ "$operation" == "encrypt" ]; then
    # Password.txt was just encrypted - set proper permissions on source
    if [ -f "$source_directory/$password_filename" ]; then
      chmod 600 "$source_directory/$password_filename"
      echo "Password file encrypted from: $source_directory/$password_filename"
    fi
  fi
  
  # Set proper permissions on decrypted SSH keys and config
  if [ "$operation" == "decrypt" ]; then
    echo "Setting permissions on decrypted files..."
    # SSH directory
    [ -d "$HOME/.ssh" ] && chmod 700 "$HOME/.ssh"
    # SSH keys (files without extension, excluding .pub files)
    find "$target_directory" -type f ! -name "*.pub" ! -name "*.txt" ! -name "*.sh" ! -name "*.env" -exec chmod 600 {} \; 2>/dev/null || true
    # SSH config if it exists
    [ -f "$target_directory/config" ] && chmod 600 "$target_directory/config"
    echo "Permissions set successfully"
  fi
}

main "$@"