# ------------------------------------------------------------------------------
# Add local or remote users
# This file is part of the init.sh project
# Copyright (c) 2019-2021 Geoffray Levasseur <fatalerrors@geoffray-levasseur.org>
# ------------------------------------------------------------------------------
# This file is distributed under 3-clause BSD license.
# The complete license agreement can be obtained at:
# https://opensource.org/licenses/BSD-3-Clause
# ------------------------------------------------------------------------------
# Variable:
#  * WITH_LDAP_KERB: Shall we install requirements for LDAP/Kerberos auth ?
#  * REMOTE_USERS: List of remote users to add
#  * LOCAL_USERS: List of local users to create
#  * REMOVE_USERS: List of username to remove
#  * DEFAULT_SHELL: The shell to use when creating new users
# ------------------------------------------------------------------------------

export VER_authnz=0.1.4
export DEP_authnz="upgrade_dist"

# Users (from Ldap)
add_remote_user()
{
    echo "+$1::::::" >> /etc/passwd
    echo "+$1::::::::" >> /etc/shadow
}

# Remove users
remove_user()
{
    # Using sed is more universal than any distro commands
    sed -i -e "/^$1/d" /etc/passwd /etc/shadow /etc/group
}

# Create a local user
create_user()
{
    if [[ $(noerror --noout id $1) != 0 ]]; then
        prnt I "Creating user $1..."
        useradd --create-home --shell $DEFAULT_SHELL --user-group $1
    else
        prnt W "The user $1 already exists. Nothing to do..."
    fi
}

# Authentication
authnz()
{
    backupdist /etc/passwd /etc/shadow /etc/group
    for usr in $REMOVE_USERS; do
        prnt I "Removing user $usr..."
        remove_user $usr
    done

    if [[ $WITH_LDAP_KERB == yes ]]; then
        pkginst krb5-user libpam-krb5 libnss-ldap libpam-ldap nscd

        backupdist /etc/krb5.conf /etc/libnss-ldap.conf /etc/pam_ldap.conf \
            /etc/nsswitch.conf /etc/pam.d/common-session \
            /etc/pam.d/common-account /etc/pam.d/common-password \
            /etc/pam.d/common-auth
        installfile krb5.conf libnss-ldap.conf pam_ldap.conf nsswitch.conf /etc
        installfile common-session common-account common-password common-auth \
            /etc/pam.d

        scv_restart nscd

        for usr in $REMOTE_USERS; do
            prnt I "Adding remote user $usr..."
            add_remote_user $usr
        done
    fi

    if [[ -z $LOCAL_USERS ]]; then
        return 0
    fi

    for usr in $LOCAL_USERS; do
        prnt I "Creating user $usr..."
        create_user $usr
    done
}

precheck_authnz()
{
    if [[ $WITH_LDAP_KERB == "yes" ]]; then
        if [[ -n $REMOTE_USERS ]]; then
            prnt I "The following distant users will be accessible:"
            prnt m "\t* $REMOTE_USERS"
        else
            prnt W "No distant user but LDAP/Kerberos is activated!"
        fi
        file_exists auth/{krb5,libnss-ldap,pam_ldap,nsswitch}.conf
            pam/common-{session,account,password,auth}
    else
        if [[ -n $REMOTE_USERS ]]; then
            prnt E "Impossible to add distant users authentication mechanism."
            die 109
        fi
    fi
    if [[ -n $LOCAL_USERS ]]; then
        prnt I "The following local users will be created:"
        prnt m "\t* $LOCAL_USERS"
    fi
    if [[ -n $REMOvE_USERS ]]; then
        prnt I "The following users will be removed:"
        prnt m "\t* $REMOVE_USERS"
    fi
}

export -f authnz
export -f precheck_authnz

# EOF