#!/usr/bin/env zsh
#
# An adapter script to use gopass to store and retrieve passwords for ansible vault.
#
# When calling from ansible vault it get's passed --vault-id [ID] which is the id
# of the secret to retrieve.
#

local secretPath="ansible"

function usage() {
  cat <<EOF

  An adapter script that integrates gopass as storage for ansible vault id's.

  To retreive a secret based on the vault id, then pass the '--vault-id' flag with an
  associated [ID] to look for. (This is generally handled / passed in by the ansible-vault
  command)

  You can also call this script with the '--set' flag and an [ID] argument
  to create a new secret for the given id.  The default behavior of the
  set option is to prompt for the secret, you can optionally pass the '--generate'
  flag to automatically generate a secret.  If an [ID] argument is not supplied to
  the set option then we will prompt for the id to store the secret under.

  Secrets are stored in the default password store at '$secretPath/<ID>'.

  Usage: vault-gopass-client [-s | --set] [-g | --generate] [--vault-id <ID>] [ID]

      -s | --set:         Set a new secret for the given ID.
      -g | --generate:    Used with the set option to automatically generate the secret.
      --vault-id <ID>:    Used to retrieve a secret for the given ID.
      -h | --help:        Show this usage message.

  Examples:

    # Automatically generate a secret for the 'foo' id.
    $ vault-gopass --set --generate foo

    # Retrieve the secret for 'foo' and print it to stdout.
    $ vault-gopass --vault-id foo

EOF
}

# parse the passed in options, failing if unrecognized options are given.
zparseopts -D -E -F - \
  g=generateFlag -generate=generateFlag \
  h=helpFlag -help=helpFlag \
  s=setFlag -set=setFlag \
  -vault-id:=vaultId \
  || exit 1

# check for the help flag, show usage and exit.
[ ${#helpFlag} = 1 ] && usage && exit 0

if [ ${#vaultId} = 2 ]; then
  # we received the vault-id option, so we print the
  # secret to stdout
  password=$(gopass show --password "$secretPath/${vaultId[-1]}")
  echo "$password"
  exit 0
elif [ ${#setFlag} = 1 ]; then

  # Use the first argument as the id, we ask for an id
  # if not supplied.
  local id=$1
  if [ "$id" = "" ]; then
    read -r id\?"Vault ID: "
  fi

  # Check for generate flag to automatically generate a password.
  [ ${#generateFlag} = 1 ] \
    && gopass generate "$secretPath/$id" 24 \
    && exit 0

  # Insert a password prompting the user to supply it.
  gopass insert "$secretPath/$id"
fi