#!/bin/bash
# Copyright 2010 Novell, Inc.
# Author: Peter Bowen <pzb@novell.com> as a work made for hire.
#
# This work is licensed under the 
# Creative Commons Attribution-ShareAlike 3.0 Unported License. 
# To view a copy of this license, visit 
# http://creativecommons.org/licenses/by-sa/3.0/ or send a letter to 
# Creative Commons, 171 Second Street, Suite 300, 
# San Francisco, California, 94105, USA.
#

##private function: cleanup
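function cleanup()
{
    # EXIT trap: remove the temporary files that hold the extracted
    # signature (SIG) and the signed INI content (INI). Both are created by
    # the main script with mktemp, so they may still be unset when the script
    # exits early; the -n check keeps the file test from running on "".
    if [ -n "$SIG" ] && [ -f "$SIG" ]; then
        rm -f -- "$SIG"
    fi
    if [ -n "$INI" ] && [ -f "$INI" ]; then
        rm -f -- "$INI"
    fi
}
trap cleanup EXIT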

##function: ec2-instance-data
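ec2-instance-data() {
  # Fetch one path from the EC2 instance metadata service (link-local IMDS).
  # Arguments: $1 - path below the API version (e.g. meta-data/instance-id)
  #            $2 - API version (optional, defaults to "latest")
  # Outputs:   the response body on stdout, followed by a newline on success
  #            (the service itself sends no trailing newline)
  # Returns:   0 on success, non-zero (curl's status) when the request failed
  local ver=${2:-latest}
  # The URL must stay on one physical line: a line break inside the quotes
  # would become part of the request path. The time-outs keep the script from
  # hanging when the metadata service is unreachable (e.g. outside EC2).
  # NOTE(review): this is a plain unauthenticated GET (IMDSv1 style); an
  # instance configured to require IMDSv2 session tokens will reject it.
  curl --retry 3 --retry-delay 0 --silent --fail \
    --connect-timeout 5 --max-time 20 \
    "http://169.254.169.254/${ver}/$1" && echo
}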

##function: ec2-meta-data
ec2-meta-data() {
  # Convenience wrapper around ec2-instance-data for the "meta-data/" tree.
  # Arguments: $1 - metadata path (e.g. instance-id)
  #            $2 - API version, passed through unchanged (may be empty)
  local path="meta-data/$1"
  ec2-instance-data "$path" "$2"
}

##function: ec2-region
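function ec2-region() {
    # Derive the region from the availability zone by dropping the trailing
    # zone letter (e.g. "us-east-1a" -> "us-east-1").
    # Outputs: the region on stdout
    # Returns: the metadata lookup's status; prints nothing when it failed
    local az
    # Keep the declaration separate so the lookup's exit status is not masked.
    az=$(ec2-meta-data placement/availability-zone 2008-02-01) || return
    echo "${az%?}"
}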

##function: ec2-instance-id
function ec2-instance-id() {
    # Print the identity a validation token is bound to: "<region>/<instance-id>".
    # Either part is empty when the corresponding metadata lookup yields nothing.
    local instance region
    instance=$(ec2-meta-data instance-id 1.0)
    region=$(ec2-region)
    printf '%s/%s\n' "$region" "$instance"
}

##function: getkey
function getkey() {
    # Print the value of "key = value" lines from an INI-style file
    # (case-insensitive key, surrounding whitespace ignored, one line per match).
    # Arguments: $1 - key name; it is spliced into the sed regex unescaped,
    #                 so callers pass literal identifiers only
    #            $2 - path to the file to search
    local ws='[[:space:]]*'
    local pattern="^${ws}$1${ws}=${ws}(.*)"
    sed -n -r -e "s/${pattern}/\1/pi" "$2"
}

##function: getsig
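function getsig() {
    # Extract the base64-encoded signature that follows the
    # "---- BEGIN SIGNATURE ----" marker line in a token file and decode it.
    # Arguments: $1 - path to the token file
    # Outputs:   the raw signature bytes on stdout
    local decoder
    # Prefer the coreutils base64 tool; fall back to the openssl subcommand.
    decoder=$(command -v base64)
    if [ -z "$decoder" ]; then
        decoder="openssl base64"
    fi
    # f is set once the marker is seen; every line after it is printed.
    # $decoder is deliberately unquoted: "openssl base64" is two words.
    # shellcheck disable=SC2086
    awk 'f == 1 { print }; $0 == "---- BEGIN SIGNATURE ----" { f = 1 }' "$1" | $decoder -d
}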

##function: getcontent
function getcontent() {
    # Print the signed part of a token file: every line before the
    # "---- BEGIN SIGNATURE ----" marker (the marker itself is not printed).
    # Arguments: $1 - path to the token file
    local marker='---- BEGIN SIGNATURE ----'
    awk -v stop="$marker" '$0 == stop { exit } { print }' "$1"
}


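    # Main: validate the signed entitlement token for this EC2 instance and
    # print its API identifier. Exit codes are kept stable for callers:
    #   1 token missing/empty, 2 public key missing/empty, 10 unknown header,
    #   3 no signed content, 5 no signature, 6 signature check failed,
    #   4 unsupported token version, 7 token bound to another instance,
    #   8 this instance's identity could not be determined, 0 success.
    tf=/etc/sces/validation.token
    pk=/etc/sces/validation.pubkey
    if [ ! -f "$tf" ] || [ ! -s "$tf" ]; then
        echo "Validation token not found." >&2
        exit 1
    fi
    if [ ! -f "$pk" ] || [ ! -s "$pk" ]; then
        echo "Validation public key not found." >&2
        exit 2
    fi

    # Cheap format check before any crypto: the signed section must start
    # with the expected INI section header.
    h=$(head -n 1 "$tf")
    if [ "$h" != "[SUSE Cloud Validated Entitlements]" ]; then
        echo "Unknown format for validation token." >&2
        exit 10
    fi

    # Split the token into signed content (INI) and detached signature (SIG).
    # Both temporary files are removed by the EXIT trap (cleanup).
    INI=$(mktemp) || { echo "Could not create temporary file." >&2; exit 3; }
    SIG=$(mktemp) || { echo "Could not create temporary file." >&2; exit 5; }
    getsig "$tf" > "$SIG"
    getcontent "$tf" > "$INI"
    if [ ! -f "$INI" ] || [ ! -s "$INI" ]; then
        echo "Could not get keys from token." >&2
        exit 3
    fi
    if [ ! -f "$SIG" ] || [ ! -s "$SIG" ]; then
        echo "Could not get signature from token." >&2
        exit 5
    fi

    # Verify the detached signature over the INI section with the vendor
    # public key. SHA-1 is fixed by the token format (version 2010-08-29);
    # changing the digest here would reject every valid token. openssl prints
    # "Verified OK" on success and an error text otherwise (captured via 2>&1).
    VERSTATE=$(openssl dgst -sha1 -verify "$pk" -signature "$SIG" "$INI" 2>&1)
    if [ "$VERSTATE" != "Verified OK" ]; then
        echo "Signature verification failed." >&2
        cat "$INI"
        exit 6
    fi

    # Only trust key/value pairs once the signature has checked out.
    if [ "$(getkey version "$INI")" != "2010-08-29" ]; then
        echo "Unknown token version." >&2
        exit 4
    fi

    # Bind the token to this instance. Both sides must carry a real identity:
    # ec2-instance-id prints "<region>/<id>", so an empty, "/", "/..." or
    # ".../" result means a metadata lookup failed, and an empty instance key
    # in the token must not compare equal to that by accident.
    token_instance=$(getkey instance "$INI")
    this_instance=$(ec2-instance-id)
    case "$this_instance" in
        ""|/*|*/)
            echo "Could not determine instance identity." >&2
            exit 8
            ;;
    esac
    if [ -z "$token_instance" ] || [ "$token_instance" != "$this_instance" ]; then
        echo "Stale token detected." >&2
        exit 7
    fi

    # We have a signed license token that is for our instance!!!

    KEY=$(getkey apiid "$INI")

    echo "Your instance entitlement identifier: $KEY"
    exit 0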
