// App is the platform application instance every command on this page
// initializes via App.Init(InitParams) before doing any work.
var App *app.App

// TPM is a package-level TPM handle. The commands in this file do not
// reference it directly; they go through App.TPM after App.Init.
var TPM tpm2.TrustedPlatformModule

// CAParams holds Certificate Authority parameters. None of the commands
// in this file read it directly.
var CAParams *ca.CAParams

// InitParams carries the application start-up parameters (the commands
// here use its Initialize, SOPin, Pin and PlatformCA fields).
var InitParams *app.AppInitParams
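// DestroyCmd wipes all platform data from disk and clears the TPM.
//
// The command is interactive: it asks for confirmation, then for the
// Lockout, Endorsement and Owner hierarchy authorization values, and
// only then deletes App.PlatformDir and clears the three hierarchies.
// The TPM handle is verified before anything is deleted so that a
// missing TPM cannot leave the platform half-destroyed (data removed,
// TPM still provisioned). Every failure is reported through
// App.Logger.Fatal.
var DestroyCmd = &cobra.Command{
	Use:   "destroy",
	Short: "Destroy the platform",
	Long:  `This command deletes all platform data, including TPM keys, Certificate Authority keys, certifiates, secrets, and blob storage. A TPM2_Clear command is sent to the TPM, restoring it to the TPM manufacturer and OEM factory settings.`,
	Run: func(cmd *cobra.Command, args []string) {
		App.Init(InitParams)

		fmt.Println("")
		color.Red(
			"Are you sure you want to delete all platform data?\n" +
				"This operation can not be reversed!")
		fmt.Println("")
		fmt.Printf("Platform Data: %s\n", App.PlatformDir)
		fmt.Println("")

		answer := prompt.Prompt("Delete platform data? (y/n)")
		confirmed := strings.ToLower(strings.TrimSpace(string(answer)))
		App.Logger.Info(confirmed)

		if confirmed != "y" {
			fmt.Println("")
			color.Green("Whew, that was close!")
			return
		}

		// Collect every hierarchy authorization before the first
		// irreversible step so the operator is not prompted mid-way
		// through a partially destroyed platform.
		lockoutAuth := prompt.PasswordPrompt("Lockout Hierarchy Password")
		endorsementAuth := prompt.PasswordPrompt("Endorsement Hierarchy Password")
		ownerAuth := prompt.PasswordPrompt("Owner Hierarchy Password")

		// Refuse before touching the filesystem: the original ordering
		// deleted the platform directory and only then discovered there
		// was no TPM to clear.
		if App.TPM == nil {
			App.Logger.Fatal("TPM not initialized")
			return
		}

		if err := os.RemoveAll(App.PlatformDir); err != nil {
			App.Logger.Error("Failed to delete platform data")
			App.Logger.Fatal(err)
		}
		App.Logger.Info("Platform data successfully destroyed")

		// Each hierarchy is cleared with its own authorization value;
		// the handle constants come from the project's tpm2 package.
		if err := App.TPM.Clear(lockoutAuth, tpm2.TPMRHLockout); err != nil {
			App.Logger.Error("Failed to clear Lockout hierarchy")
			App.Logger.Fatal(err)
		}
		if err := App.TPM.Clear(endorsementAuth, tpm2.TPMRHEndorsement); err != nil {
			App.Logger.Error("Failed to clear Endorsement hierarchy")
			App.Logger.Fatal(err)
		}
		if err := App.TPM.Clear(ownerAuth, tpm2.TPMRHOwner); err != nil {
			App.Logger.Error("Failed to clear Owner hierarchy")
			App.Logger.Fatal(err)
		}
		App.Logger.Info("TPM 2.0 successfully cleared")
	},
}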
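// InstallCmd provisions the platform without destroying existing state.
//
// It runs App.Init with Initialize set, opens the TPM (an uninitialized
// TPM is tolerated, any other open error is fatal), then calls
// App.TPM.Install with the Security Officer PIN. If the TPM reports that
// no endorsement certificate exists, the CA is initialized on demand and
// the endorsement key is imported instead of failing. The success
// message is now terminated with a newline so the shell prompt does not
// end up on the same line.
var InstallCmd = &cobra.Command{
	Use:   "install",
	Short: "Safely provisions the platform",
	Long:  `Perform a modified version of the TCG recommended provisioning guidance procedure, intended for platforms with a pre-provisioned TPM, either from the TPM Manufacturer or Owner. Instead of clearing the hierarchies, setting hierarchy authorizations and provisioning new keys and certificates from scratch, this operation will use pre-existing EK, Shared SRK and IAK keys and certificates if they already exist. The Security Officer PIN is required and used as Endorsement and Storage hierarchy authorization values during installation. This operation is safe and idempotent, and will not modify or destroy existing data.`,
	Run: func(cmd *cobra.Command, args []string) {
		InitParams.Initialize = true
		App.Init(InitParams)

		sopin := keystore.NewClearPassword(InitParams.SOPin)
		pin := keystore.NewClearPassword(InitParams.Pin)

		// A not-yet-initialized TPM is the expected starting point for a
		// fresh install; every other open failure is fatal.
		if err := App.OpenTPM(); err != nil && err != tpm2.ErrNotInitialized {
			App.Logger.Fatal(err)
		}

		// Explicit opt-in only: this branch writes both PINs to the log
		// in clear text.
		if App.DebugSecretsFlag {
			App.Logger.Debugf(
				"Setting Security Officer / hierarchy authorization PIN: %s",
				InitParams.SOPin)
			App.Logger.Debugf("Setting user PIN: %s", InitParams.Pin)
		}

		if err := App.TPM.Install(sopin); err != nil {
			if err != tpm2.ErrEndorsementCertNotFound {
				App.Logger.Fatal(err)
				return
			}
			// No EK certificate on this TPM: stand up the CA if needed
			// and import the endorsement key rather than aborting.
			if App.CA == nil {
				App.InitCA(InitParams.PlatformCA, sopin, pin)
			}
			App.ImportEndorsementKey()
		}

		color.New(color.FgGreen).Println("Platform installed successfully")
	},
}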
// PasswordCmd unseals an HMAC-type key from the TPM and writes the
// resulting secret to stdout in clear text.
//
// The key is located by the package-level flag values cn, algorithm,
// storeType and policy; its parent is the platform key store's SRK,
// whose password can be overridden with authValue. Parse errors, TPM
// open errors and unseal errors are all fatal.
var PasswordCmd = &cobra.Command{
	Use:   "password",
	Short: "Retrieves a sealed password",
	Long:  `Performs a TPM password unseal operation on the requested key.`,
	Run: func(cmd *cobra.Command, args []string) {
		App.Init(InitParams)
		if err := App.OpenTPM(); err != nil {
			App.Logger.Fatal(err)
		}

		st, err := keystore.ParseStoreType(storeType)
		if err != nil {
			App.Logger.Fatal(err)
		}
		alg, err := keystore.ParseKeyAlgorithm(algorithm)
		if err != nil {
			App.Logger.Fatal(err)
		}

		// The SRK is the parent; an explicit authValue replaces its
		// stored password.
		parent := App.PlatformKS.SRKAttributes()
		if authValue != "" {
			parent.Password = keystore.NewClearPassword([]byte(authValue))
		}

		attrs := new(keystore.KeyAttributes)
		attrs.CN = cn
		attrs.KeyAlgorithm = alg
		attrs.Parent = parent
		attrs.PlatformPolicy = policy
		attrs.KeyType = keystore.KEY_TYPE_HMAC
		attrs.StoreType = st

		secret, err := App.TPM.Unseal(attrs, nil)
		if err != nil {
			App.Logger.Fatal(err)
		}
		// The unsealed value goes straight to stdout; this is the
		// command's contract, so callers should capture it deliberately.
		fmt.Println(string(secret))
	},
}
// ProvisionCmd performs first-time platform provisioning.
//
// It marks InitParams as an initializing run, initializes the
// application and then hands the platform CA parameters together with
// the Security Officer and user PINs to App.InitTPM, which takes
// ownership of the TPM.
var ProvisionCmd = &cobra.Command{
	Use:   "provision",
	Short: "Performs initial platform provisioning",
	Long:  `Initializes the platform by establishing an initial Security Officer whose credentials are used to take ownership of the TPM and key stores. The TPM is provisioned per TCG recommended guidance, with an EK and SRK persisted to their recommended storage hierarchy handle indexes. Key stores, services and components referenced in the platform configuration file are initialized.`,
	Run: func(cmd *cobra.Command, args []string) {
		params := InitParams
		params.Initialize = true
		App.Init(params)
		App.InitTPM(params.PlatformCA, params.SOPin, params.Pin)
	},
}