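# ------------------------------------------------------------------------------
# Add local or remote users
# This file is part of the init.sh project
# Copyright (c) 2019-2021 Geoffray Levasseur
# ------------------------------------------------------------------------------
# This file is distributed under 3-clause BSD license.
# The complete license agreement can be obtained at:
# https://opensource.org/licenses/BSD-3-Clause
# ------------------------------------------------------------------------------
# Variable:
# * WITH_LDAP_KERB: Shall we install requirements for LDAP/Kerberos auth ?
# * REMOTE_USERS: List of remote users to add
# * LOCAL_USERS: List of local users to create
# * DEFAULT_SHELL: The shell to use when creating new users
# ------------------------------------------------------------------------------
# This module is sourced by init.sh and relies on helpers defined elsewhere in
# the project (prnt, die, backupdist, pkginst, installfile, scv_restart,
# noerror); it therefore sets no shell options of its own.

export VER_authnz=0.1.3
export DEP_authnz="upgrade_dist"

#######################################
# Accept only a plain POSIX login name, so a value taken from REMOTE_USERS or
# LOCAL_USERS can never carry ':' or a newline into /etc/passwd or
# /etc/shadow, nor be parsed by useradd as an option.
# Arguments: $1 - candidate user name
# Outputs:   an error line via prnt when the name is rejected
# Returns:   0 if acceptable, 1 otherwise
#######################################
_authnz_valid_name() {
  if [[ $1 =~ ^[a-z_][a-z0-9_-]{0,31}$ ]]; then
    return 0
  fi
  prnt E "Nom d'utilisateur invalide : '$1'"
  return 1
}

# Users (from Ldap)
#######################################
# Register a remote user by appending a "+name" compat entry to /etc/passwd
# (7 fields) and /etc/shadow (9 fields).  Calling it again for the same name
# does not duplicate the entry.
# Arguments: $1 - remote user name
# Returns:   1 when the name is rejected, else the status of the last append
#######################################
add_remote_user() {
  local user=$1
  _authnz_valid_name "$user" || return 1
  backupdist /etc/passwd /etc/shadow /etc/group
  #sed -i -e '/^fatal/d' /etc/passwd /etc/shadow /etc/group
  # '+' is literal at the start of a basic regex; the name itself is restricted
  # to [a-z0-9_-] by _authnz_valid_name, so no pattern metacharacters slip in.
  if ! grep -q -- "^+${user}:" /etc/passwd; then
    printf '+%s::::::\n' "$user" >> /etc/passwd
  fi
  if ! grep -q -- "^+${user}:" /etc/shadow; then
    printf '+%s::::::::\n' "$user" >> /etc/shadow
  fi
}

# Create a local user
#######################################
# Create a local account with a home directory, a per-user group and
# DEFAULT_SHELL as login shell, unless an account of that name already exists.
# Globals:   DEFAULT_SHELL (read)
# Arguments: $1 - user name
# Returns:   1 when the name is rejected, else the status of the last command
#######################################
create_user() {
  local user=$1
  _authnz_valid_name "$user" || return 1
  # noerror --noout is assumed to print id's exit status (non-zero: no such
  # user) — confirm against the project's helper.
  if [[ $(noerror --noout id "$user") != 0 ]]; then
    prnt I "Création de l'utilisateur $user ..."
    # --skel requires a directory argument; given bare, useradd took "--shell"
    # as the skeleton path and the remaining words as login names.  Dropping
    # it leaves useradd's default skeleton in effect.
    useradd --create-home --shell "$DEFAULT_SHELL" --user-group "$user"
  else
    prnt W "L'utilisateur $user existe déjà. Rien à faire..."
  fi
}

# Authentication
#######################################
# When WITH_LDAP_KERB is "yes", install the LDAP/Kerberos packages, back up
# the NSS/PAM configuration, install the project's versions, restart nscd and
# register every REMOTE_USERS entry.  Then create every LOCAL_USERS account.
# Globals:   WITH_LDAP_KERB, REMOTE_USERS, LOCAL_USERS (read)
# Returns:   0, or 1 as soon as a user cannot be added or created
#######################################
authnz() {
  local usr
  if [[ $WITH_LDAP_KERB == yes ]]; then
    pkginst krb5-user libpam-krb5 libnss-ldap libpam-ldap nscd
    # Pristine copies are kept first: a broken PAM stack locks everyone out.
    backupdist /etc/krb5.conf /etc/libnss-ldap.conf /etc/pam_ldap.conf \
      /etc/nsswitch.conf /etc/pam.d/common-session \
      /etc/pam.d/common-account /etc/pam.d/common-password \
      /etc/pam.d/common-auth
    installfile krb5.conf libnss-ldap.conf pam_ldap.conf nsswitch.conf /etc
    installfile common-session common-account common-password common-auth \
      /etc/pam.d
    scv_restart nscd
    # REMOTE_USERS is a whitespace-separated list: word-splitting is intended.
    for usr in $REMOTE_USERS; do
      add_remote_user "$usr" || return 1
    done
  fi
  if [[ -z $LOCAL_USERS ]]; then
    return 0
  fi
  # LOCAL_USERS is a whitespace-separated list: word-splitting is intended.
  for usr in $LOCAL_USERS; do
    prnt I "Création de l'utilisateur $usr..."
    create_user "$usr" || return 1
  done
}

#######################################
# Report what authnz will do and refuse inconsistent settings before anything
# is changed: remote users need WITH_LDAP_KERB=yes, and every configured name
# must be a valid login name.
# Globals:   WITH_LDAP_KERB, REMOTE_USERS, LOCAL_USERS (read)
# Returns:   0 when consistent; dies with 109 otherwise
#######################################
precheck_authnz() {
  local usr
  if [[ $WITH_LDAP_KERB == "yes" ]]; then
    if [[ -n $REMOTE_USERS ]]; then
      prnt I "Les utilisateurs distants suivants seront accessible :"
      prnt m "\t* $REMOTE_USERS"
    else
      prnt W "Pas d'utilisateur distant bien que LDAP/Kerberos soit activé !"
    fi
  else
    if [[ -n $REMOTE_USERS ]]; then
      prnt E "Impossible d'ajouter des utilisateurs distants sans les méchanismes d'authentication."
      die 109
    fi
  fi
  if [[ -n $LOCAL_USERS ]]; then
    prnt I "Les utilisateurs locaux suivants seront créés :"
    prnt m "\t* $LOCAL_USERS"
  fi
  # Reject malformed names here, before packages are installed or files touched.
  for usr in $REMOTE_USERS $LOCAL_USERS; do
    _authnz_valid_name "$usr" || die 109
  done
}

export -f authnz
export -f precheck_authnz

# EOF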