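#!/bin/bash
# GitHub SSH Key Updater
# ---------------------
# SECURITY WARNING: This script grants SSH access to your machine!
# Only add keys from GitHub users you absolutely trust with full SSH access to your system.
# Each added public key will allow that user to log into your machine via SSH.
#
# Purpose:
#   Fetches and merges public SSH keys from a GitHub user into your
#   ~/.ssh/authorized_keys file, effectively granting them SSH access to your machine.
#
# Usage:
#   ./update_github_keys.sh <github_username>
#
# Security Implications:
#   - The added user will have full SSH access to your machine
#   - Each backup preserves a record of previous authorized keys
#
# Features:
#   - Creates timestamped backups of existing authorized_keys
#   - Maintains proper SSH file permissions (600), including on the backup
#   - Preserves existing keys while removing duplicates
#   - Validates the username, the HTTP status and the shape of every fetched line
#   - Creates ~/.ssh directory if needed
#
# Example:
#   ./update_github_keys.sh trusted_colleague
#
# The script will:
#   1. Fetch the user's public keys from GitHub and validate them
#   2. Backup your current authorized_keys file
#   3. Merge the fetched keys with your existing keys
#   4. Remove any duplicates (sort -u, so the file ends up sorted)
#   5. Set correct file permissions

set -u

# Everything created below (~/.ssh, authorized_keys, backup, temp files) must be
# private to the owner from the moment it exists, not only after a later chmod.
umask 077

# Check if GitHub username is provided
if [ -z "${1:-}" ]; then
  echo "Usage: $0 <github_username>" >&2
  exit 1
fi

GITHUB_USER="$1"

# The username is interpolated into the request URL. Restrict it to a plain
# account-name character set so it cannot carry '/', '?', '#', '.' or whitespace
# and redirect the request to a different path. This is a character-set check
# only; it is deliberately looser than GitHub's own naming rules.
if [[ ! "$GITHUB_USER" =~ ^[A-Za-z0-9][A-Za-z0-9_-]*$ ]]; then
  echo "Error: '$GITHUB_USER' is not a valid GitHub username" >&2
  exit 1
fi

TIMESTAMP=$(date -u +"%Y-%m-%dT%H%M%S")
AUTH_KEYS_FILE="$HOME/.ssh/authorized_keys"
BACKUP_FILE="${AUTH_KEYS_FILE}.${TIMESTAMP}.backup"
TEMP_KEYS_FILE=""
NEW_KEYS_FILE=""

# Accept only bare public-key lines: a known key type, a base64 blob and an
# optional trailing comment. Anything else (an HTML error page, or a line that
# starts with authorized_keys options such as command="...") is rejected.
KEY_LINE_RE='^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$'

# Remove scratch files on every exit path.
cleanup() {
  if [ -n "$TEMP_KEYS_FILE" ]; then
    rm -f -- "$TEMP_KEYS_FILE"
  fi
  if [ -n "$NEW_KEYS_FILE" ]; then
    rm -f -- "$NEW_KEYS_FILE"
  fi
}
trap cleanup EXIT

# Create authorized_keys file if it doesn't exist
if ! mkdir -p "$HOME/.ssh" || ! touch "$AUTH_KEYS_FILE"; then
  echo "Error: Cannot create $AUTH_KEYS_FILE" >&2
  exit 1
fi

# mktemp picks an unpredictable name and creates the file exclusively, so a
# pre-planted file or symlink in /tmp cannot be written through.
if ! TEMP_KEYS_FILE=$(mktemp); then
  echo "Error: Failed to create temporary file" >&2
  exit 1
fi

# Fetch GitHub keys
echo "Fetching keys for GitHub user: $GITHUB_USER"
# -f turns HTTP errors (e.g. 404 for an unknown user) into a non-zero exit, so
# an error body is never treated as key material; --proto pins the transfer to HTTPS.
if ! curl -fsS --proto '=https' "https://github.com/${GITHUB_USER}.keys" > "$TEMP_KEYS_FILE"; then
  echo "Error: Failed to fetch keys from GitHub" >&2
  exit 1
fi

# Check if any keys were found
if [ ! -s "$TEMP_KEYS_FILE" ]; then
  echo "No SSH keys found for GitHub user: $GITHUB_USER" >&2
  exit 1
fi

# Refuse the whole response if any line is not a plain public key.
if grep -Evq -- "$KEY_LINE_RE" "$TEMP_KEYS_FILE"; then
  echo "Error: Response from GitHub contains lines that are not SSH public keys" >&2
  exit 1
fi

# Create backup of current authorized_keys
if ! cp -- "$AUTH_KEYS_FILE" "$BACKUP_FILE"; then
  echo "Error: Failed to back up $AUTH_KEYS_FILE" >&2
  exit 1
fi

# Merge keys without duplicates. The merged file is built next to the target so
# the final mv is a rename on the same filesystem, and authorized_keys is
# replaced only after the merge has succeeded.
if ! NEW_KEYS_FILE=$(mktemp "${AUTH_KEYS_FILE}.XXXXXX"); then
  echo "Error: Failed to create temporary file" >&2
  exit 1
fi
if ! sort -u -- "$TEMP_KEYS_FILE" "$AUTH_KEYS_FILE" > "$NEW_KEYS_FILE"; then
  echo "Error: Failed to merge keys" >&2
  exit 1
fi

# Set proper permissions before the file takes the authorized_keys name
if ! chmod 600 "$NEW_KEYS_FILE" || ! mv -- "$NEW_KEYS_FILE" "$AUTH_KEYS_FILE"; then
  echo "Error: Failed to update $AUTH_KEYS_FILE" >&2
  exit 1
fi

echo "Successfully updated authorized_keys file"
echo "Backup saved as: $BACKUP_FILE"
echo "New keys added from: $GITHUB_USER"
echo "WARNING: $GITHUB_USER now has SSH access to your machine"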