[dotfiles.git] / base / .zprofile

# NOTE:
# our .zprofile is expensive, so we keep track of what has been run already,
# and only set up what is necessary. additionally, we want to ensure that our
# environment is set up as early as possible, so we also source .zprofile in
# .zshenv for new non-login shells.
#
# these issues are handled by using these methods:
#   * the parent shell that starts the user's session after logging in to some
#     graphical environments may not be a login shell—due to misconfiguration
#     or otherwise—which means .zprofile is not ran and the environment is not
#     properly configured for any child processes.
#   * some desktop environments/graphical terminal emulators will start new
#     terminal windows with login shells, which runs .zprofile every time and
#     leads to noticably slow startup times.
#   * switching users without wiping the environment will result in paths and
#     variables intended for the old user being used for the new user. while
#     this may be considered an edge-case that should not be supported, there
#     are legitimate reasons to want to do this, and in any case the shell
#     should not choke or cause unexpected problems should it happen anyway.

### lang
export CHARSET=UTF-8
export LANG=en_US.UTF-8
export LC_CTYPE=$LANG
### path
# NOTE: we utilize the fact that unique arrays keep the first occurrence and
#       remove any further occurences to capture elements from the old PATH
#       that we did not anticipate and shift them to the front, since they are
#       probably important to the system
if [[ ! -v _sev_setup_path || -o login ]] {
    typeset -U path fpath
    # add as many generic paths as possible to keep the order we want
    # NOTE: /usr/{local,pkg,games} are unix/bsdisms
    syspath=("$path[@]")
    path=({~/,/,/usr/}sbin /opt/{s,}bin /usr/local/{s,}bin /usr/pkg/{s,}bin
          /usr/X11R{7,6}/bin /usr/games {~/,/,/usr/}bin)
    ((len=$#path))
    path=("$path[@]" "$syspath[@]")
    # remove nonexistent and duplicate paths
    for (( i = 1; i <= $#path; i++ )) {
        if [[ ! -e $path[$i] ]] {
            path[$i]=()
            ((i <= len)) && ((len--))
            ((i--))
            continue
        }
    }
    # shift valid system paths to the front if there are any left
    ((len > 0 && len < $#path)) && path=("${(@)path[len + 1, -1]}" "${(@)path[1, len]}")
    unset syspath len i j
    # include our zsh dir in fpath. unlike above, we always prefer our paths
    fpath=(${ZDOTDIR:-~/.zsh}/functions/{*,Completions/*}(N) "$fpath[@]")
    # FPATH is not exported by default
    export FPATH
    typeset +U path fpath
    export _sev_setup_path=
}

### temp
# NOTE: it's intentional to separate POSIX tmp for each session (spec says
#       programs should not expect data there to be long-lived) and to keep the
#       same runtime dir and not create a new one if a new login shell is
#       spawned, since the XDG spec calls for the same dir to be utilized for
#       each "session".
if [[ ! -v _sev_setup_tmp ]] {
    t=${TMPDIR:-${TEMP:-${TMP:-/tmp}}}/.home-$LOGNAME
    h=~/tmp
    [[ ! -e $t ]] && mkdir -pm700 $t 2>/dev/null
    if [[ ! -d $t ]] {
        [[ -o interactive ]] &&
          print -P "%F{red}!!! Can't create temp dir $t%f"
        # fallback bare directories
        [[ -h $h ]] && unlink $h 2>/dev/null
        [[ ! -e $h ]] && mkdir -m700 $h 2>/dev/null
    }
    # [re-]create link to our tmp
    [[ -h $h || ! -e $h ]] && ln -sfn $t $h 2>/dev/null
    # finally create our subdir for this session
    export _sev_tmp=$h/.session.$$
    # ensure dir doesn't exist. if there is already something there it is
    # likely a stale directory or something is very broken—assume the former.
    # the user could also want dirs recreated by unsetting the var.
    if [[ -h $_sev_tmp ]] {
        unlink $_sev_tmp 2>/dev/null
    } elif [[ -e $_sev_tmp ]] {
        rm -rf $_sev_tmp 2>/dev/null
    }
    mkdir -m700 $_sev_tmp 2>/dev/null
    export TMPDIR=$_sev_tmp TEMP=$_sev_tmp TMP=$_sev_tmp
    unset t h
    export _sev_setup_tmp=
}

### xdg
if [[ ! -v _sev_setup_xdg ]] {
    # merge with any existing dirs and remove duplicates using unique arrays
    # NOTE: include and then remove CONFIG_HOME and DATA_HOME to ensure they
    #       are not present in the array if it was added before we got to it
    typeset -UT XDG_CONFIG_DIRS xdg_config_dirs
    typeset -UT XDG_DATA_DIRS xdg_data_dirs
    export XDG_CONFIG_HOME=$HOME/etc
    xdg_config_dirs=($XDG_CONFIG_HOME $HOME/.config
      {/opt,/usr/local,/usr/pkg,}/etc/xdg
      "${XDG_CONFIG_DIRS:+${xdg_config_dirs[@]}}")
    export XDG_CONFIG_DIRS=${XDG_CONFIG_DIRS#$XDG_CONFIG_HOME}
    export XDG_DATA_HOME=$HOME/share
    xdg_data_dirs=($XDG_DATA_HOME $HOME/.local/share
      /{opt,usr/local,usr/pkg,usr}/share
      "${XDG_DATA_DIRS:+${xdg_data_dirs[@]}}")
    export XDG_DATA_DIRS=${XDG_DATA_DIRS#$XDG_DATA_HOME}
    # use our custom tmp for cache and runtime
    export XDG_CACHE_HOME=$_sev_tmp/.xdg.cache
    export XDG_RUNTIME_DIR=$_sev_tmp/.xdg.runtime
    # create xdg tmp dirs
    for x in $XDG_CACHE_HOME $XDG_RUNTIME_DIR; do
        # same as in temp creation, ensure it doesn't exist
        if [[ -h $x ]]; then
            unlink $x 2>/dev/null
        elif [[ -e $x ]]; then
            rm -rf $x 2>/dev/null
        fi
        mkdir -m700 $x 2>/dev/null
    done
    # source user dirs after other vars
    [[ -e $XDG_CONFIG_HOME/user-dirs.dirs ]] &&
      emulate sh -c "source $XDG_CONFIG_HOME/user-dirs.dirs"
    export _sev_setup_xdg=
}

### gpg + ssh + forwarding
# NOTE: while ssh manages its auth sock in its protocol when ForwardSsh is
#       enabled, GPG must be forwarded manually over Unix socket. to support
#       this, we forward the restricted gpg-agent extra socket to the remote
#       host with a RemoteForward rule in ~/.ssh/config that uses the
#       _GNUPG_SOCK_* env vars. to avoid conflicts with other ssh sessions
#       where the same user is connecting to the same host from different
#       machines, gpg in each environment should utilize its own forwarded
#       socket, rather than replace the sockets in GNUPGHOME which will be
#       overridden on the next connection. previously, you could provide a path
#       to the agent socket in GPG_AGENT_INFO, but that was deprecated in GPG
#       v2.1. instead, we must clone GNUPGHOME with links and replace the agent
#       sockets there with the forwarded one.
# NOTE: since Unix sockets are not supported under Windows, this will not work
#       under msys, cygwin, mingw, etc., but may work under wsl2.
# HACK: without SendEnv, which is disabled by default in most sshd configs,
#       there is no foolproof way to prevent race conditions via filename
#       collisions or to pass the desired forward path to the remote host
#       environment. we just have to guess the path we choose is good on the
#       desination, and assume the newest matching socket is the correct one
#       after connecting. in theory, we could occlude the ssh binary on PATH
#       with an alias or script that would allow us to communicate with the
#       remote host before opening a shell, so that we can have the host
#       communicate back to the client where it wants a socket created or ask
#       the host if the path the client wants to use is writable. however, this
#       would open up too many edge cases where it wouldn't work or be clunky
#       (e.g. asking for password twice) to make it worth it.
if [[ ! -v _sev_setup_agents ]] {
    function _socketpath {
        # dirs are percent-encoded: https://stackoverflow.com/a/64312099
        echo ${1//(#b)%([[:xdigit:]](#c2))/${(#):-0x$match[1]}}
    }

    ## gpg forwarding
    if [[ ! -v _sev_gpg_forwarded && -v commands[gpg] ]] {
        export _GNUPG_SOCK_DEST_BASE=/tmp/.gpg-agent-forward
        export _GNUPG_SOCK_DEST_EXT=$(date +%s).$RANDOM
        export _GNUPG_SOCK_DEST=$_GNUPG_SOCK_DEST_BASE.$_GNUPG_SOCK_DEST_EXT
        export _sev_gpg_forward_dir=${GNUPGHOME:-~/.gnupg}/.ssh_forward
        # clean up forward dirs if its session is dead or we ask for it
        if [[ -d $_sev_gpg_forward_dir ]] {
            find $_sev_gpg_forward_dir -type d -mindepth 1 -maxdepth 1 |
              while read -r x; do
                # NOTE: the only way we can get here is if we have not been
                #       forwarded before or if the user asks for it. if our own
                #       pid already has a dir, it is most likely stale, or
                #       something is very broken—assume the former.
                p=$(basename $x)
                if [[ -v _sev_gpg_forward_clean || $$ == $p ]] ||
                      ! kill -0 $p 2>/dev/null; then
                    find $x -mindepth 1 -maxdepth 1 | while read -r y; do
                        unlink $y
                    done
                    rmdir $x
                fi
            done
            unset x p y
        }

        # find our forwarded socket
        s=($_GNUPG_SOCK_DEST_BASE*(N=oc[1]))
        if [[ -n $s && -v SSH_CLIENT ]] {
            # create new forward dir
            export _sev_gpg_forwarded=
            mkdir -pm700 $_sev_gpg_forward_dir
            h=$_sev_gpg_forward_dir/$$
            mkdir -pm700 $h
            # XXX: is it safe to link scdaemon socket? can its name be changed?
            for x in S.scdaemon gpg.conf gpg-agent.conf sshcontrol \
                     pubring.kbx trustdb.gpg private-keys-v1.d crls.d; do
                ln -s ${GNUPGHOME:-~/.gnupg}/$x $h
            done
            export GNUPGHOME=$h
            unset h
            for x in $(gpgconf --list-dirs | grep 'agent-.*-\?socket:'); do
                x=$(_socketpath ${x/#agent-*socket:})
                if [[ ! -v orig ]] {
                    # move forwarded socket to first valid agent socket path
                    # XXX: if tmp is on different filesystem this may not work
                    mv $s $x
                    orig=$x
                } else {
                    # make links to forwarded socket for any others
                    ln -s $orig $x
                }
            done
            unset x orig
        }
        unset s

        # what we will forward if we start a new ssh connection
        # NOTE: do this after setting up GNUPGHOME to pick up new socket path;
        #       if already connected over SSH, extra should be the remote one
        export _GNUPG_SOCK_SRC=$(_socketpath \
          $(gpgconf --list-dirs agent-extra-socket))
    } else {
        # required for RemoteForward to not error out if the vars are unset
        [[ ! -v _GNUPG_SOCK_SRC ]] && export _GNUPG_SOCK_SRC=/nonexistent
        [[ ! -v _GNUPG_SOCK_DEST ]] && export _GNUPG_SOCK_DEST=/nonexistent
    }

    ## gpg agent
    if [[ -v commands[gpg-connect-agent] ]] {
        [[ -o interactive ]] && print -nP '%F{blue}>>>%f GPG agent: %F{green}'
        gpg-connect-agent /bye >/dev/null 2>&1
        if [[ $? -ne 0 ]] {
            [[ -o interactive ]] &&
              print -P '%F{red}Error communicating with GPG agent%f'
        } elif [[ ! -v _sev_gpg_forward && ! -v GPG_TTY &&
                  ( -o interactive || -v DISPLAY ) ]] {
            # if we aren't forwarded, set up tty if it isn't and we're
            # in an interactive session
            export GPG_TTY=$(tty)
            export PINENTRY_USER_DATA=USE_TTY=$((!${+DISPLAY}))
            gpg-connect-agent UPDATESTARTUPTTY /bye >/dev/null 2>&1
            [[ -o interactive ]] &&
              print -P "Updated TTY%f"
        } else {
            [[ -o interactive ]] &&
              print -P 'Ready%f'
        }
    }

    ## ssh agent
    # NOTE: preferred order of agents to check: okcagent, gnupg, openssh
    #       first block takes care of okcagent and openssh, second gnupg
    [[ -o interactive ]] && print -nP '%F{blue}>>>%f SSH: %F{green}'
    if [[ ! -v SSH_AUTH_SOCK && ( -v commands[okc-ssh-agent] ||
          ( -v commands[ssh-agent] && ! -v commands[gpg] ) ) ]] {
        okc=${commands[okc-ssh-agent]:+okc-}
        agentfile=~/tmp/${okc}ssh-agent-exports
        typeset sock=
        typeset -i pid=
        if [[ -f $agentfile ]] {
            IFS=$'\0' read -r sock pid <$agentfile
        }
        if [[ -S $sock && $pid > 0 ]] && kill -0 $pid; then
            [[ -o interactive ]] && print -P "Reusing agent PID $pid%f"
            export SSH_AUTH_SOCK=$sock
            export SSH_AGENT_PID=$pid
        else
            e=${okc}ssh-agent
            # TODO: ensure ssh-agent path looks legit to avoid unsafe eval?
            # XXX: doesn't appear to be any other way to handle redirection.
            #      because eval needs to write to current scope environment
            #      subshells can't be used to capture output and print.
            if [[ -o interactive ]] {
                eval `$e`
                print -nP '%f'
            } else {
                eval `$e` >/dev/null 2>&1
            }
            echo -n $SSH_AUTH_SOCK$'\0'$SSH_AGENT_PID >!$agentfile
        fi
        unset okc agentfile sock pid
    } elif [[ ! -v SSH_AUTH_SOCK && -v commands[gpg] ]] {
        # since gpg agent was started above, we just have to export and notify
        if [[ -o interactive ]] {
            if [[ -v _sev_gpg_forwarded ]] {
                echo 'Remote GPG agent'
            } else {
                gpg-connect-agent /subst /serverpid \
                  '/echo GPG agent PID ${get serverpid}' /bye
            }
            print -nP '%f'
        }
        export SSH_AUTH_SOCK=$(_socketpath \
          $(gpgconf --list-dirs agent-ssh-socket))
    } elif [[ -v SSH_AUTH_SOCK ]] {
        [[ -o interactive ]] && print -P 'Preconfigured agent%f'
    } else {
        [[ -o interactive ]] && print -P '%F{red}No agent available%f'
    }

    ## cleanup
    unfunction _socketpath

    export _sev_setup_agents=
}

## perl local lib
# TODO: debounce this
[[ -v commands[perl] && -d $XDG_DATA_HOME/perl5/lib/perl5 ]] &&
  eval $(perl -I$XDG_DATA_HOME/perl5/lib/perl5
              -Mlocal::lib=$XDG_DATA_HOME/perl5 2>/dev/null)

### load site-specific
if [[ -f ~/.zprofile.local ]] { source ~/.zprofile.local }

# vim: et sts=4 sw=4 ts=8 tw=79
Commit	Line	Data
79d4a356	1	# NOTE:
	2	# our .zprofile is expensive, so we keep track of what has been run already,
	3	# and only set up what is necessary. additionally, we want to ensure that our
	4	# environment is set up as early as possible, so we also source .zprofile in
	5	# .zshenv for new non-login shells.
	6	#
	7	# these issues are handled by using these methods:
	8	# * the parent shell that starts the user's session after logging in to some
	9	# graphical environments may not be a login shell—due to misconfiguration
	10	# or otherwise—which means .zprofile is not ran and the environment is not
	11	# properly configured for any child processes.
	12	# * some desktop environments/graphical terminal emulators will start new
	13	# terminal windows with login shells, which runs .zprofile every time and
	14	# leads to noticably slow startup times.
	15	# * switching users without wiping the environment will result in paths and
	16	# variables intended for the old user being used for the new user. while
	17	# this may be considered an edge-case that should not be supported, there
	18	# are legitimate reasons to want to do this, and in any case the shell
	19	# should not choke or cause unexpected problems should it happen anyway.
	20
833b2af3	21	### lang
79d4a356	22	export CHARSET=UTF-8
	23	export LANG=en_US.UTF-8
	24	export LC_CTYPE=$LANG
833b2af3	25	### path
79d4a356	26	# NOTE: we utilize the fact that unique arrays keep the first occurrence and
	27	# remove any further occurences to capture elements from the old PATH
	28	# that we did not anticipate and shift them to the front, since they are
	29	# probably important to the system
	30	if [[ ! -v _sev_setup_path \|\| -o login ]] {
79d4a356	31	typeset -U path fpath
	32	# add as many generic paths as possible to keep the order we want
	33	# NOTE: /usr/{local,pkg,games} are unix/bsdisms
	34	syspath=("$path[@]")
	35	path=({~/,/,/usr/}sbin /opt/{s,}bin /usr/local/{s,}bin /usr/pkg/{s,}bin
	36	/usr/X11R{7,6}/bin /usr/games {~/,/,/usr/}bin)
833b2af3	37	((len=$#path))
79d4a356	38	path=("$path[@]" "$syspath[@]")
	39	# remove nonexistent and duplicate paths
	40	for (( i = 1; i <= $#path; i++ )) {
	41	if [[ ! -e $path[$i] ]] {
	42	path[$i]=()
833b2af3	43	((i <= len)) && ((len--))
79d4a356	44	((i--))
	45	continue
	46	}
79d4a356	47	}
833b2af3	48	# shift valid system paths to the front if there are any left
	49	((len > 0 && len < $#path)) && path=("${(@)path[len + 1, -1]}" "${(@)path[1, len]}")
	50	unset syspath len i j
79d4a356	51	# include our zsh dir in fpath. unlike above, we always prefer our paths
	52	fpath=(${ZDOTDIR:-~/.zsh}/functions/{,Completions/}(N) "$fpath[@]")
	53	# FPATH is not exported by default
	54	export FPATH
	55	typeset +U path fpath
	56	export _sev_setup_path=
	57	}
	58
833b2af3	59	### temp
	60	# NOTE: it's intentional to separate POSIX tmp for each session (spec says
	61	# programs should not expect data there to be long-lived) and to keep the
	62	# same runtime dir and not create a new one if a new login shell is
	63	# spawned, since the XDG spec calls for the same dir to be utilized for
	64	# each "session".
	65	if [[ ! -v _sev_setup_tmp ]] {
	66	t=${TMPDIR:-${TEMP:-${TMP:-/tmp}}}/.home-$LOGNAME
	67	h=~/tmp
	68	[[ ! -e $t ]] && mkdir -pm700 $t 2>/dev/null
	69	if [[ ! -d $t ]] {
	70	[[ -o interactive ]] &&
	71	print -P "%F{red}!!! Can't create temp dir $t%f"
	72	# fallback bare directories
	73	[[ -h $h ]] && unlink $h 2>/dev/null
	74	[[ ! -e $h ]] && mkdir -m700 $h 2>/dev/null
	75	}
	76	# [re-]create link to our tmp
	77	[[ -h $h \|\| ! -e $h ]] && ln -sfn $t $h 2>/dev/null
	78	# finally create our subdir for this session
	79	export _sev_tmp=$h/.session.$$
	80	# ensure dir doesn't exist. if there is already something there it is
	81	# likely a stale directory or something is very broken—assume the former.
	82	# the user could also want dirs recreated by unsetting the var.
	83	if [[ -h $_sev_tmp ]] {
	84	unlink $_sev_tmp 2>/dev/null
	85	} elif [[ -e $_sev_tmp ]] {
	86	rm -rf $_sev_tmp 2>/dev/null
	87	}
	88	mkdir -m700 $_sev_tmp 2>/dev/null
	89	export TMPDIR=$_sev_tmp TEMP=$_sev_tmp TMP=$_sev_tmp
	90	unset t h
	91	export _sev_setup_tmp=
	92	}
	93
	94	### xdg
79d4a356	95	if [[ ! -v _sev_setup_xdg ]] {
79d4a356	96	# merge with any existing dirs and remove duplicates using unique arrays
833b2af3	97	# NOTE: include and then remove CONFIG_HOME and DATA_HOME to ensure they
833b2af3	98	# are not present in the array if it was added before we got to it
79d4a356	99	typeset -UT XDG_CONFIG_DIRS xdg_config_dirs
	100	typeset -UT XDG_DATA_DIRS xdg_data_dirs
	101	export XDG_CONFIG_HOME=$HOME/etc
	102	xdg_config_dirs=($XDG_CONFIG_HOME $HOME/.config
	103	{/opt,/usr/local,/usr/pkg,}/etc/xdg
	104	"${XDG_CONFIG_DIRS:+${xdg_config_dirs[@]}}")
	105	export XDG_CONFIG_DIRS=${XDG_CONFIG_DIRS#$XDG_CONFIG_HOME}
	106	export XDG_DATA_HOME=$HOME/share
	107	xdg_data_dirs=($XDG_DATA_HOME $HOME/.local/share
	108	/{opt,usr/local,usr/pkg,usr}/share
	109	"${XDG_DATA_DIRS:+${xdg_data_dirs[@]}}")
	110	export XDG_DATA_DIRS=${XDG_DATA_DIRS#$XDG_DATA_HOME}
	111	# use our custom tmp for cache and runtime
833b2af3	112	export XDG_CACHE_HOME=$_sev_tmp/.xdg.cache
	113	export XDG_RUNTIME_DIR=$_sev_tmp/.xdg.runtime
	114	# create xdg tmp dirs
	115	for x in $XDG_CACHE_HOME $XDG_RUNTIME_DIR; do
	116	# same as in temp creation, ensure it doesn't exist
	117	if [[ -h $x ]]; then
	118	unlink $x 2>/dev/null
	119	elif [[ -e $x ]]; then
	120	rm -rf $x 2>/dev/null
	121	fi
	122	mkdir -m700 $x 2>/dev/null
	123	done
79d4a356	124	# source user dirs after other vars
	125	[[ -e $XDG_CONFIG_HOME/user-dirs.dirs ]] &&
	126	emulate sh -c "source $XDG_CONFIG_HOME/user-dirs.dirs"
	127	export _sev_setup_xdg=
d569f3f7	128	}
79d4a356	129
833b2af3	130	### gpg + ssh + forwarding
79d4a356	131	# NOTE: while ssh manages its auth sock in its protocol when ForwardSsh is
	132	# enabled, GPG must be forwarded manually over Unix socket. to support
	133	# this, we forward the restricted gpg-agent extra socket to the remote
	134	# host with a RemoteForward rule in ~/.ssh/config that uses the
	135	# _GNUPG_SOCK_* env vars. to avoid conflicts with other ssh sessions
	136	# where the same user is connecting to the same host from different
	137	# machines, gpg in each environment should utilize its own forwarded
	138	# socket, rather than replace the sockets in GNUPGHOME which will be
	139	# overridden on the next connection. previously, you could provide a path
	140	# to the agent socket in GPG_AGENT_INFO, but that was deprecated in GPG
833b2af3	141	# v2.1. instead, we must clone GNUPGHOME with links and replace the agent
833b2af3	142	# sockets there with the forwarded one.
79d4a356	143	# NOTE: since Unix sockets are not supported under Windows, this will not work
833b2af3	144	# under msys, cygwin, mingw, etc., but may work under wsl2.
79d4a356	145	# HACK: without SendEnv, which is disabled by default in most sshd configs,
	146	# there is no foolproof way to prevent race conditions via filename
	147	# collisions or to pass the desired forward path to the remote host
	148	# environment. we just have to guess the path we choose is good on the
	149	# desination, and assume the newest matching socket is the correct one
	150	# after connecting. in theory, we could occlude the ssh binary on PATH
	151	# with an alias or script that would allow us to communicate with the
	152	# remote host before opening a shell, so that we can have the host
	153	# communicate back to the client where it wants a socket created or ask
	154	# the host if the path the client wants to use is writable. however, this
	155	# would open up too many edge cases where it wouldn't work or be clunky
	156	# (e.g. asking for password twice) to make it worth it.
833b2af3	157	if [[ ! -v _sev_setup_agents ]] {
79d4a356	158	function _socketpath {
833b2af3	159	# dirs are percent-encoded: https://stackoverflow.com/a/64312099
833b2af3	160	echo ${1//(#b)%([[:xdigit:]](#c2))/${(#):-0x$match[1]}}
79d4a356	161	}
79d4a356	162
833b2af3	163	## gpg forwarding
79d4a356	164	if [[ ! -v _sev_gpg_forwarded && -v commands[gpg] ]] {
	165	export _GNUPG_SOCK_DEST_BASE=/tmp/.gpg-agent-forward
	166	export _GNUPG_SOCK_DEST_EXT=$(date +%s).$RANDOM
	167	export _GNUPG_SOCK_DEST=$_GNUPG_SOCK_DEST_BASE.$_GNUPG_SOCK_DEST_EXT
	168	export _sev_gpg_forward_dir=${GNUPGHOME:-~/.gnupg}/.ssh_forward
833b2af3	169	# clean up forward dirs if its session is dead or we ask for it
79d4a356	170	if [[ -d $_sev_gpg_forward_dir ]] {
	171	find $_sev_gpg_forward_dir -type d -mindepth 1 -maxdepth 1 \|
	172	while read -r x; do
	173	# NOTE: the only way we can get here is if we have not been
833b2af3	174	# forwarded before or if the user asks for it. if our own
	175	# pid already has a dir, it is most likely stale, or
	176	# something is very broken—assume the former.
79d4a356	177	p=$(basename $x)
	178	if [[ -v _sev_gpg_forward_clean \|\| $$ == $p ]] \|\|
	179	! kill -0 $p 2>/dev/null; then
	180	find $x -mindepth 1 -maxdepth 1 \| while read -r y; do
	181	unlink $y
	182	done
	183	rmdir $x
	184	fi
	185	done
	186	unset x p y
	187	}
	188
	189	# find our forwarded socket
	190	s=($_GNUPG_SOCK_DEST_BASE*(N=oc[1]))
	191	if [[ -n $s && -v SSH_CLIENT ]] {
	192	# create new forward dir
	193	export _sev_gpg_forwarded=
	194	mkdir -pm700 $_sev_gpg_forward_dir
	195	h=$_sev_gpg_forward_dir/$$
	196	mkdir -pm700 $h
	197	# XXX: is it safe to link scdaemon socket? can its name be changed?
	198	for x in S.scdaemon gpg.conf gpg-agent.conf sshcontrol \
	199	pubring.kbx trustdb.gpg private-keys-v1.d crls.d; do
	200	ln -s ${GNUPGHOME:-~/.gnupg}/$x $h
	201	done
	202	export GNUPGHOME=$h
	203	unset h
	204	for x in $(gpgconf --list-dirs \| grep 'agent-.*-\?socket:'); do
	205	x=$(_socketpath ${x/#agent-*socket:})
	206	if [[ ! -v orig ]] {
833b2af3	207	# move forwarded socket to first valid agent socket path
833b2af3	208	# XXX: if tmp is on different filesystem this may not work
79d4a356	209	mv $s $x
	210	orig=$x
	211	} else {
833b2af3	212	# make links to forwarded socket for any others
79d4a356	213	ln -s $orig $x
	214	}
	215	done
	216	unset x orig
	217	}
	218	unset s
	219
	220	# what we will forward if we start a new ssh connection
	221	# NOTE: do this after setting up GNUPGHOME to pick up new socket path;
	222	# if already connected over SSH, extra should be the remote one
	223	export _GNUPG_SOCK_SRC=$(_socketpath \
	224	$(gpgconf --list-dirs agent-extra-socket))
	225	} else {
	226	# required for RemoteForward to not error out if the vars are unset
	227	[[ ! -v _GNUPG_SOCK_SRC ]] && export _GNUPG_SOCK_SRC=/nonexistent
	228	[[ ! -v _GNUPG_SOCK_DEST ]] && export _GNUPG_SOCK_DEST=/nonexistent
	229	}
	230
	231	## gpg agent
	232	if [[ -v commands[gpg-connect-agent] ]] {
	233	[[ -o interactive ]] && print -nP '%F{blue}>>>%f GPG agent: %F{green}'
	234	gpg-connect-agent /bye >/dev/null 2>&1
	235	if [[ $? -ne 0 ]] {
	236	[[ -o interactive ]] &&
	237	print -P '%F{red}Error communicating with GPG agent%f'
	238	} elif [[ ! -v _sev_gpg_forward && ! -v GPG_TTY &&
	239	( -o interactive \|\| -v DISPLAY ) ]] {
	240	# if we aren't forwarded, set up tty if it isn't and we're
	241	# in an interactive session
	242	export GPG_TTY=$(tty)
	243	export PINENTRY_USER_DATA=USE_TTY=$((!${+DISPLAY}))
	244	gpg-connect-agent UPDATESTARTUPTTY /bye >/dev/null 2>&1
	245	[[ -o interactive ]] &&
	246	print -P "Updated TTY%f"
	247	} else {
	248	[[ -o interactive ]] &&
	249	print -P 'Ready%f'
	250	}
	251	}
	252
	253	## ssh agent
	254	# NOTE: preferred order of agents to check: okcagent, gnupg, openssh
	255	# first block takes care of okcagent and openssh, second gnupg
	256	[[ -o interactive ]] && print -nP '%F{blue}>>>%f SSH: %F{green}'
	257	if [[ ! -v SSH_AUTH_SOCK && ( -v commands[okc-ssh-agent] \|\|
	258	( -v commands[ssh-agent] && ! -v commands[gpg] ) ) ]] {
	259	okc=${commands[okc-ssh-agent]:+okc-}
	260	agentfile=~/tmp/${okc}ssh-agent-exports
	261	typeset sock=
	262	typeset -i pid=
	263	if [[ -f $agentfile ]] {
	264	IFS=$'\0' read -r sock pid <$agentfile
	265	}
	266	if [[ -S $sock && $pid > 0 ]] && kill -0 $pid; then
	267	[[ -o interactive ]] && print -P "Reusing agent PID $pid%f"
	268	export SSH_AUTH_SOCK=$sock
	269	export SSH_AGENT_PID=$pid
	270	else
	271	e=${okc}ssh-agent
	272	# TODO: ensure ssh-agent path looks legit to avoid unsafe eval?
	273	# XXX: doesn't appear to be any other way to handle redirection.
	274	# because eval needs to write to current scope environment
	275	# subshells can't be used to capture output and print.
	276	if [[ -o interactive ]] {
277	eval `$e`
278	print -nP '%f'
279	} else {
280	eval `$e` >/dev/null 2>&1
281	}
282	echo -n $SSH_AUTH_SOCK$'\0'$SSH_AGENT_PID >!$agentfile
283	fi
284	unset okc agentfile sock pid
285	} elif [[ ! -v SSH_AUTH_SOCK && -v commands[gpg] ]] {
286	# since gpg agent was started above, we just have to export and notify
287	if [[ -o interactive ]] {
288	if [[ -v _sev_gpg_forwarded ]] {
289	echo 'Remote GPG agent'
290	} else {
291	gpg-connect-agent /subst /serverpid \
292	'/echo GPG agent PID ${get serverpid}' /bye
293	}
294	print -nP '%f'
295	}
296	export SSH_AUTH_SOCK=$(_socketpath \
297	$(gpgconf --list-dirs agent-ssh-socket))
298	} elif [[ -v SSH_AUTH_SOCK ]] {
299	[[ -o interactive ]] && print -P 'Preconfigured agent%f'
300	} else {
301	[[ -o interactive ]] && print -P '%F{red}No agent available%f'
302	}
303
304	## cleanup
79d4a356	305	unfunction _socketpath
79d4a356	306
833b2af3	307	export _sev_setup_agents=
79d4a356	308	}
79d4a356	309
833b2af3	310	## perl local lib
	311	# TODO: debounce this
	312	[[ -v commands[perl] && -d $XDG_DATA_HOME/perl5/lib/perl5 ]] &&
	313	eval $(perl -I$XDG_DATA_HOME/perl5/lib/perl5
	314	-Mlocal::lib=$XDG_DATA_HOME/perl5 2>/dev/null)
79d4a356	315
833b2af3	316	### load site-specific
8eb81f95	317	if [[ -f ~/.zprofile.local ]] { source ~/.zprofile.local }
8eb81f95	318
79d4a356	319	# vim: et sts=4 sw=4 ts=8 tw=79