#!/bin/sh

# Supposedly unsafe because from a generated token it is possible to
# bruteforce the symmetric secret from a known value on the attacker
# ressources.

# Admin managed
# =============
secret=389c5b9b1690309bc33abd1cf5800908aff1781929a3d60b7b001a27bedd4
revoked='
	U2FsdGVkX19faWHqjYlwCpiP55IDGNdW7OBdsL9yzOv091EPmcx4avIBIMot/U1X
	U2FsdGVkX18cI1l3KZBkfebn5kx2zAvS9njj4udOp3wdhDQwBPJeIOEwmUONTG3d
	U2FsdGVkX1/l932eHKTnzDkjDOj+tQCvCMR/4I9LsXhz42BXtcxXIvzUX2g1hbnp
'
# =============

update() {
	given_token=$1
	for r in $revoked; do
		case $given_token in
		"$r")
			echo 1>&2 "ERROR: Revoked token: $r"
			return 3
			;;
		esac
	done
	domain="$(retreive "$given_token")"
	echo 1>&2 "Updating RR: $domain"
	#dns_update "$domain" "$ip"
}

token() {
	openssl enc -aes-256-cbc -pass pass:"$secret" -base64 <<-eof
		$1
	eof
}

retreive() {
	openssl enc -aes-256-cbc -d -pass pass:"$secret" -base64 <<-eof
		$1
	eof
}

"$@"

# Test output
# ===========
#
#     $ sh ./poc.sh token a.sub.domain.org
# U2FsdGVkX1+rsd2xk1F5vE/4YjFeaLNkMRA2Un22BTtn4MKtO3t8EPovhlGsODzN
#     $ sh ./poc.sh token a.sub.domain.org
# U2FsdGVkX1/l932eHKTnzDkjDOj+tQCvCMR/4I9LsXhz42BXtcxXIvzUX2g1hbnp
#     $ sh ./poc.sh token a.sub.domain.org
# U2FsdGVkX18PBI+SxrYdPlUVoKwsjyxAPqtUoVHaiCKq4zQDoGeMyeLQtLFBSiF/
#     $ sh ./poc.sh update U2FsdGVkX1/l932eHKTnzDkjDOj+tQCvCMR/4I9LsXhz42BXtcxXIvzUX2g1hbnp
# Updating RR: a.sub.domain.org
#     $ sh ./poc.sh update U2FsdGVkX1/l932eHKTnzDkjDOj+tQCvCMR/4I9LsXhz42BXtcxXIvzUX2g1hbnp
# ERROR: Revoked token: U2FsdGVkX1/l932eHKTnzDkjDOj+tQCvCMR/4I9LsXhz42BXtcxXIvzUX2g1hbnp