qusal/salt/sys-bitcoin/files/server/rpc/qusal.BitcoinAuthGet

#!/bin/sh

# SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# Creates a new rpcauth for the client qube if it does not exist. If bitcoind
# is running remotely, there is no way to set a new option with bitcoin-cli.

set -eu

bitcoin_conf="/home/user/.bitcoin/conf.d/rpcauth.conf"
bitcoin_pass="/home/user/.bitcoin/rpcclient.pass"
# shellcheck disable=SC2154
user="${QREXEC_REMOTE_DOMAIN}"

if ! systemctl is-active bitcoind >/dev/null 2>&1; then
  printf '%s\n' "systemd service 'bitcoind' is not active" >&2
  printf '%s\n' "cannot add credentials with remote RPC" >&2
  exit 1
fi

if test -r "${bitcoin_conf}"; then
  if grep -qs -e "^\s*rpcauth=${user}:" -- "${bitcoin_conf}"; then
    grep -m1 -e "^${user}:" -- "${bitcoin_pass}"
    exit
  fi
fi

if ! command -v bitcoin-rpcauth >/dev/null; then
  printf '%s\n' "command not found: bitcoin-rpcauth" >&2
  exit 127
fi

full_auth="$(bitcoin-rpcauth "${user}" | sed -n -e '2p;4p')"
rpcauth="$(printf '%s\n' "${full_auth}" | head -1)"
user="$(printf '%s\n' "${rpcauth}" | cut -d "=" -f2 | cut -d ":" -f1)"
password="$(printf '%s\n' "${full_auth}" | tail -1)"

printf '%s\n' "${rpcauth}" | \
  sudo -u user -- tee -a -- "${bitcoin_conf}" >/dev/null
printf '%s\n' "${user}:${password}" | \
  sudo -u user -- tee -a -- "${bitcoin_pass}" >/dev/null
printf '%s\n' "${user}:${password}"

## Restart bitcoind to apply the configuration changes. Currently, there is no
## prevention of DDoS besides when the client already has an authentication
## configured, it is printed and returned before getting to this part.
systemctl restart bitcoind