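#!/bin/bash
# Encrypt unencrypted secrets, or (in check mode) warn when a secret is
# stored unencrypted.
#
# Usage: $0 keydir vault-password-file (check|encrypt)
#   keydir               directory whose entries are inspected (not recursive)
#   vault-password-file  passed to ansible-vault as --vault-password-file
#   mode                 "check" only reports; "encrypt" encrypts in place
#
# Exit status: 0 when nothing had to be reported; 1 on a usage error, when
# check mode finds an entry that is not an Ansible Vault, or when an
# encryption attempt fails.

keydir=$1
secret=$2
mode=$3

# Print the usage line on stderr and stop.
usage() {
  echo "Usage: $0 keydir vault-password-file (check|encrypt)" >&2
  exit 1
}

# A missing or misspelled mode must not pass silently: with an unknown mode
# no branch below would run and the script would exit 0, which a CI gate
# would read as "all secrets are encrypted".
case "$mode" in
  check | encrypt) ;;
  *) usage ;;
esac

# Fail closed when the directory is absent, so a wrong path cannot make the
# check succeed without having looked at anything.
if [ ! -d "$keydir" ]; then
  echo "$keydir is not a directory" >&2
  exit 1
fi

err=""
for key in "$keydir"/*; do
  # In an empty directory the glob stays unexpanded; skip that literal
  # pattern, but still classify dangling symlinks.
  [ -e "$key" ] || [ -L "$key" ] || continue

  # -b leaves the file name out of the description, so a clear-text file whose
  # path happens to contain "OpenSSH" or "Ansible ... Vault" cannot be
  # mistaken for a key or for a vault.
  filetype=$(file -b -- "$key")

  case "$filetype" in
    *OpenSSH*)
      # Matches every description containing "OpenSSH", not only private keys.
      case "$mode" in
        encrypt)
          # Report a failed encryption instead of ignoring ansible-vault's
          # exit status: the key would otherwise stay in clear text while the
          # script exits 0.
          if ! ansible-vault encrypt --vault-password-file "$secret" \
            --vault-id default "$key"; then
            echo "$key could not be encrypted!" >&2
            err=1
          fi
          ;;
        check)
          echo "$key is unencrypted!"
          err=1
          ;;
      esac
      ;;
    *Ansible*Vault*)
      # Already encrypted: nothing to do in either mode.
      :
      ;;
    *)
      # Anything else is only reported in check mode; encrypt mode leaves it
      # untouched.
      case "$mode" in
        check)
          echo "$key is an unknown clear text file!"
          err=1
          ;;
      esac
      ;;
  esac
done

if test -n "$err"; then
  exit 1
fi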