#!/usr/bin/env bash

#
# blackbox_postdeploy.sh -- Decrypt all blackbox files.
#

# Since this is often run in a security-critical situation, we
# force /usr/bin and /bin to the front of the PATH.
export PATH=/usr/bin:/bin:"$PATH"

. _blackbox_common.sh

# If we aren't in a repo, assume /etc/puppet.
if [[ "$REPOBASE" = "/dev/null" ]]; then
  REPOBASE=/etc/puppet
fi

prepare_keychain

# Decrypt:
echo '========== Decrypting new/changed files: START'
while read unencrypted_file; do
  encrypted_file=$(get_encrypted_filename "$unencrypted_file")
  decrypt_file_overwrite "$encrypted_file" "$unencrypted_file"
  chmod g+r,o-rwx "$unencrypted_file"
  $CHGRP puppet "$unencrypted_file"
done <"$BB_FILES"
echo '========== Decrypting new/changed files: DONE'