#!/usr/bin/env bash

#
# blackbox_postdeploy.sh -- Decrypt all blackbox files.
#

# Usage:
#   blackbox_postdeploy.sh [GROUP]
#       GROUP is optional.  If supplied, the resulting files
#       are chgrp'ed to that group.

# Since this is often run in a security-critical situation, we
# force /usr/bin and /bin to the front of the PATH.
export PATH=/usr/bin:/bin:"$PATH"

set -e
blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
source ${blackbox_home}/_blackbox_common.sh

if [[ "$1" == "" ]]; then
  FILE_GROUP=""
else
  FILE_GROUP="$1"
fi

change_to_root
prepare_keychain

# Decrypt:
echo '========== Decrypting new/changed files: START'
while IFS= read <&99 -r unencrypted_file; do
  encrypted_file=$(get_encrypted_filename "$unencrypted_file")
  decrypt_file_overwrite "$encrypted_file" "$unencrypted_file"
  chmod g+r "$unencrypted_file"
  if [[ ! -z "$FILE_GROUP" ]]; then
    chgrp $FILE_GROUP "$unencrypted_file"
  fi
done 99<"$BB_FILES"
echo '========== Decrypting new/changed files: DONE'