keys.delete-keeper: Only do one pass through the file system.

[distorted-keys] / keys.delete-keeper

#! /bin/sh
###
### Delete a keeper set
###
### (c) 2012 Mark Wooding
###

###----- Licensing notice ---------------------------------------------------
###
### This file is part of the distorted.org.uk key management suite.
###
### distorted-keys is free software; you can redistribute it and/or modify
### it under the terms of the GNU General Public License as published by
### the Free Software Foundation; either version 2 of the License, or
### (at your option) any later version.
###
### distorted-keys is distributed in the hope that it will be useful,
### but WITHOUT ANY WARRANTY; without even the implied warranty of
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
### GNU General Public License for more details.
###
### You should have received a copy of the GNU General Public License
### along with distorted-keys; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

set -e
case "${KEYSLIB+t}" in t) ;; *) echo >&2 "$0: KEYSLIB unset"; exit 1 ;; esac
. "$KEYSLIB"/keyfunc.sh

defhelp <<HELP
KEEPER
Delete the keeper set named KEEPER.
HELP

## Parse the command line.
case $# in 1) ;; *) usage_err ;; esac
keeper=$1
checkword "keeper set label" "$keeper"

## Check that the set actually exists.
cd $KEYS/keeper
if [ ! -d $keeper ]; then
  echo >&2 "$quis: unknown keeper set \`$keeper'"
  exit 1
fi

## Make sure that there aren't recovery keys which would be orphaned by
## deleting this keeper set.  Also, build a data structure of recovery keys
## and their instances: `$recov' is a space-separated list of recovery key
## labels, and for each such label R, `$ri_R' is a space-separated list of
## its instances.
unset deps; recov=" "
if [ -d $KEYS/recov ]; then
  cd $KEYS/recov

  ## Work through the available recovery keys.
  for r in $(find . -type l -name current -print); do
    r=${r#./}; r=${r%/current}
    if ! expr >/dev/null "Q$r" : "Q$R_LABEL"; then continue; fi

    ## Add the key to our list.
    recov="$recov$r "

    ## Now work through the instances.
    ii=""
    for ri in $r/*; do
      i=${ri##*/}
      case "$i" in *[!0-9]*) continue ;; esac

      ## Add the instance to our list.
      ii="$ii $i"

      ## For each recovery key, make sure that: either it doesn't depend on
      ## this keeper set, or it also depends on at least one other set.  If
      ## not, add it to the `deps' list.
      this=nil others=nil
      for kp in $r/current/*.param; do
        k=${kp##*/}; k=${k%.param}
        case $k in $keeper) this=t ;; *) others=t ;; esac
      done
      case $this,$others in t,nil) deps="$deps $ri" ;; esac
    done

    ## Record the list of instances.
    eval "ri_$r=\$ii"
  done
fi

## If we found any hard dependencies, report a failure.
case "${deps+t}" in
  t)
    echo >&2 "$quis: deleting keeper \`$keeper' would orphan recovery keys:"
    for d in $deps; do echo 2>&1 "      $d"; done
    exit 1
    ;;
esac

## Disentangle the dependent recovery keys from this keeper set.
for r in $recov; do

  ## Remove the keeper data from the key's instances.
  eval "ii=\$ri_$r"
  for i in $ii; do rm -f $r/$i/$keeper.*; done

  ## Work through the current keepers, and remove our keeper's name from the
  ## list.
  changep=nil
  while read k rest; do
    case $k in $keeper) changep=t ;; *) echo "$k $rest" ;; esac
  done <$r/keepers >$r/keepers.new
  case $changep in
    t) mv $r/keepers.new $r/keepers ;;
    nil) rm $r/keepers.new ;;
  esac
done

## Finally, actually delete the keeper keys.
cd $KEYS/keeper
rm -r $keeper

###----- That's all, folks --------------------------------------------------