From 6485e09cb3de164d0200b1c01acf2a09683622e5 Mon Sep 17 00:00:00 2001
From: Andrew Engelbrecht
Date: Thu, 14 Oct 2021 23:02:02 -0400
Subject: [PATCH] verify .htpasswd every time, update it if needed

the authoritative password lives in repo-password-keep, and if the .htpasswd file is later deleted, is missing an entry for a host, or contains invalid information, then the right thing to do is to add / update the entry in .htpasswd. the script now does this.
---
 kaya | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/kaya b/kaya
index 9087669..4c130d1 100755
--- a/kaya
+++ b/kaya
@@ -95,7 +95,7 @@ get-params() {
 esac
 }
-## create restic backup repo, store the new password in plaintext, and hash it in .htpasswd
+## create restic backup repo, store the new password in plaintext
 create-backup-dir() {
 echo "kaya: Creating backup directory..."
@@ -103,13 +103,22 @@ create-backup-dir() {
 touch "${password_file}"; chmod 600 "${password_file}"; pwgen 30 1 > "${password_file}"
 RESTIC_PASSWORD="$(cat "${password_file}")" restic -r "${backup_dir}" init > /dev/null
+}
+# check / create the hashed password in .htpasswd
+update-htpasswd-file() {
 touch "${htpasswd_file}"; chmod 600 "${htpasswd_file}"
- flock -w 10 "${htpasswd_file}.flock" -c "htpasswd -i -B '${htpasswd_file}' '${hostname}'" < "${password_file}" \
- |& { grep -E -v "(Adding|Updating) password for user" >&2 ||:; }
- echo "kaya: Waiting > 30 seconds for rest-server file reload (first snapshot only)..."
- sleep 32
+ # check to see if the password is already there and correct
+ # otherwise, update it
+ if ! grep -q "^${hostname}" "${htpasswd_file}" || ! htpasswd -i -v "${htpasswd_file}" "${hostname}" < "${password_file}" &> /dev/null ; then
+
+ flock -w 10 "${htpasswd_file}.flock" -c "htpasswd -i -B '${htpasswd_file}' '${hostname}'" < "${password_file}" \
+ |& { grep -E -v "(Adding|Updating) password for user" >&2 ||:; }
+
+ echo "kaya: Waiting > 30 seconds for rest-server file reload (first snapshot only)..."
+ sleep 32
+ fi
 }
 start-backup() {
@@ -159,6 +168,8 @@ main() {
 create-backup-dir
 fi
+ update-htpasswd-file
+
 if [[ $action == backup ]]; then
 start-backup
 fi
--
2.25.1
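Review bot: The re-added `flock ... -c "htpasswd -i -B '${htpasswd_file}' '${hostname}'"` line in update-htpasswd-file still hands a shell a string built from `${hostname}` and `${htpasswd_file}`, so a value containing a single quote would close the quoting and the remainder would be parsed as shell; where `hostname` is validated is not visible in this hunk, and the line now runs whenever the check fails rather than only at repo creation. flock accepts the command and its arguments directly, which removes the extra shell: `flock -w 10 "${htpasswd_file}.flock" htpasswd -i -B "${htpasswd_file}" "${hostname}" < "${password_file}" \`. The new `grep -q "^${hostname}"` reads the hostname as a regex and matches any longer name sharing the prefix; the `htpasswd -v` after it appears to cover that case, but an exact test such as `cut -d: -f1 "${htpasswd_file}" | grep -qxF -- "${hostname}"` would check what the comment describes. Because the verify sends stderr to /dev/null, a missing or empty `${password_file}` looks the same as a stale entry and falls through to the rewrite, so a guard such as `[[ -s "${password_file}" ]]` before the `if` is worth adding.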