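#!/bin/bash
#
# Enrol a new TOTP "device" for the current Okta user and print the shared
# secret so it can be loaded into any TOTP application.
#
# Flow:
#   1. The user pastes the oktaverify:// URL encoded in the enrolment QR code.
#   2. The one-time enrolment token (t=), authenticator id (f=) and issuer
#      (issuer=) are pulled out of its query string.
#   3. An enrolment request is POSTed to https://<org>.okta.com/idp/authenticators
#      and "sharedSecret" is extracted from the JSON reply.
#
# Requires bashtools (inform/ask/error) from ~/.bashtools/bashtools.sh.
#
# NOTE(review): the endpoint, headers and device payload below mirror what the
# Okta Verify Android client sends. Nothing here documents the API, so treat
# them as opaque values and change them only with a reference exchange in hand.
# The shared secret is written to stdout only; this script never writes it to
# disk.

set -o pipefail

. "${HOME}/.bashtools/bashtools.sh"
if [[ -z $HAVE_BASHTOOLS ]]; then
  echo "ERROR: bashtools not installed download from https://git.nethack.net/rob/bashtools" >&2
  exit 1
fi

#######################################
# Extract one query parameter from a URL.
# Arguments: $1 - parameter name (a script constant, never user input: it is
#                 interpolated into a sed expression)
#            $2 - URL
# Outputs:   the raw, still URL-encoded value on stdout; nothing when the
#            parameter is absent (the caller must check for an empty result)
#######################################
url_param() {
  local name=$1 url=$2
  # Anchor on '?' or '&' so a value that merely contains "name=" is not matched.
  printf '%s\n' "$url" | sed -n "s/.*[?&]${name}=\([^&]*\).*/\1/p"
}

#######################################
# Escape a string for embedding inside a JSON string literal.
# Only backslash and double quote are escaped; that is enough to keep the
# request body well-formed when a value contains either character.
# Arguments: $1 - raw string
# Outputs:   escaped string on stdout (no trailing newline)
#######################################
json_escape() {
  local s=$1
  s=${s//\\/\\\\}
  s=${s//\"/\\\"}
  printf '%s' "$s"
}

inform "Sign in to Okta, click on add a new device, and paste the text from the"
inform "provided QR code. This should be a 'oktaverify://' URL."
echo
ask "Enter oktaverify URL:" "" verifyurl
echo

# Shape check only: the scheme, a t= token followed by s=, and an okta.com host.
RE_VERIFY='^oktaverify:\/\/.*\?t=(.*)\&s=.*okta.com.*$'
if [[ ! $verifyurl =~ $RE_VERIFY ]]; then
  error "Invalid URL."
  exit 1
fi

inform "Enter name of new application to register with OKTA."
inform "This can be any meaningful string (eg. 'FreeOTP'), and"
inform "will be used in an Okta API to register a new 'device'"
inform "with its own shared secret."
echo
ask "Enter app name [^bmyapp^p]:" "myapp" appname

auth_string=$(url_param t "$verifyurl")
authenticator_id=$(url_param f "$verifyurl")
okta_host=$(url_param issuer "$verifyurl")
# Org name is everything before the first dot of the issuer value.
okta_host_base=${okta_host%%.*}

# The regex above only proves t= exists; f= and issuer= are validated here so a
# missing parameter fails now instead of producing a malformed request.
if [[ -z $auth_string || -z $authenticator_id || -z $okta_host_base ]]; then
  error "Could not find the t=, f= and issuer= parameters in the URL."
  exit 1
fi

inform "Application to add: [${appname}]"
echo
inform "Auth string is: [${auth_string}]"
inform "Authenticator ID is: [${authenticator_id}]"
inform "Okta host is: [${okta_host_base}]"
echo
ask "Does this look okay (^by^p/n)? " "y" yn
if [[ $yn != "y" ]]; then
  echo "Aborted."
  exit 1
fi

# Values that originate from user input are escaped before being placed inside
# JSON string literals.
appname_json=$(json_escape "$appname")
authenticator_id_json=$(json_escape "$authenticator_id")

# Enrolment request body.
#  - clientInstanceKey is a fixed RSA public JWK embedded in the script, not a
#    key generated per enrolment. Only a "totp" method is requested, so
#    presumably the key is not exercised afterwards — verify before relying on it.
#  - The device block is self-reported posture (manufacturer, screenLock,
#    rootPrivileges, ...) and is sent verbatim.
#  - NOTE(review): "e": "AQAB\n" carries a JSON-encoded newline after the
#    exponent. It is kept byte-for-byte because the API accepts it; confirm
#    whether "AQAB" alone is the intended value.
payload=$(cat <<EOF
{ "authenticatorId": "${authenticator_id_json}", "device": { "clientInstanceBundleId": "com.okta.android.auth", "clientInstanceDeviceSdkVersion": "DeviceSDK 0.19.0", "clientInstanceVersion": "6.8.1", "clientInstanceKey": { "alg": "RS256", "e": "AQAB\n", "okta:isFipsCompliant": false, "okta:kpr": "SOFTWARE", "kty": "RSA", "use": "sig", "kid": "OpSRC6wLx4oPnqGBUuLz-WL7_knbK_UhClzjvt1cpOw", "n": "u0Y1ygDJ61AghDiEqeGW7lCv4iW2gLOON0Aw-Tm53xQW7qB94MUNVjua8KuYyxS-1pxf58u0pCpVhQxSgZJGht5Z7Gmc0geVuxRza3B_TFLd90SFlEdE3te6IkH28MqDu2rQtonYowVedHXZpOii6QBLPjqP6Zm3zx9r7WokpSvY9fnp8zjixuAUuA0XYhv6EwedfvSiz3t84N-nV0R1cN5Ni8os6sG4K6F8ZSr7E4aXTzvOfJIWa9MC1Lx_J4M7HIUuUH7LV7PN_h5yYk8b-2fW4g3_3h13mQ-blx2qMXclr6uuBc13tLLks7LzY3S34y2K060gHMMWCM4MQ77Mrw" }, "deviceAttestation": {}, "displayName": "${appname_json}", "fullDiskEncryption": false, "isHardwareProtectionEnabled": false, "manufacturer": "unknown", "model": "Google", "osVersion": "25", "platform": "ANDROID", "rootPrivileges": true, "screenLock": false, "secureHardwarePresent": false }, "key": "okta_verify", "methods": [ { "isFipsCompliant": false, "supportUserVerification": false, "type": "totp" } ] }
EOF
)

# --compressed: the request advertises gzip/deflate, so curl must decode the
#   reply or the sed below would see compressed bytes.
# --config <(...): the enrolment token is passed through a config file rather
#   than argv so it does not show up in `ps` while the request runs.
# -sS: no progress meter, but transport errors are still reported.
res=$(curl -sS --compressed \
  --request POST \
  --url "https://${okta_host_base}.okta.com/idp/authenticators" \
  --header 'Accept: application/json; charset=UTF-8' \
  --header 'Accept-Encoding: gzip, deflate' \
  --config <(printf 'header = "Authorization: OTDT %s"\n' "$auth_string") \
  --header 'Content-Type: application/json; charset=UTF-8' \
  --header 'User-Agent: D2DD7D3915.com.okta.android.auth/6.8.1 DeviceSDK/0.19.0 Android/7.1.1 unknown/Google' \
  --data "$payload")
curl_rc=$?
if (( curl_rc != 0 )); then
  error "Request to Okta failed (curl exit ${curl_rc})."
  exit 1
fi

# Pull the value of the "sharedSecret" member; empty when the reply is an
# error document or has a different shape.
sec=$(printf '%s\n' "$res" \
  | sed -n 's/.*"sharedSecret"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
if [[ -z $sec ]]; then
  error "No sharedSecret in the response from Okta:"
  printf '%s\n' "$res" >&2
  exit 1
fi

inform "You should now have a new device named '$appname' registered in okta."
echo
inform "In your TOTP application of choice, use the following shared secret:"
inform " ^b$sec^p"
echo
exit 0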