#!/bin/sh

# Directory holding the per-service PAM configuration files edited below.
pamdir="/etc/pam.d"

# Space-separated service lists; add() and del() iterate over them.
# pamcommon + pamappset are rewritten by install_pam_mac; services listed
# in pamappset additionally get "labelselect=appset" on their account line.
pamcommon='login'
pamappset='fly-dm fly-dm-np'
# Services that only receive the "stub" session entry.
pamstub='xrdp-sesman'
# Services that receive the "password" entry.
pampasswd='passwd'

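# Print the PAM configuration of service "$1" (read from $pamdir/$1) with the
# pam_parsec_mac.so entries inserted. Nothing is written to the file itself;
# the caller redirects stdout.
#
# Inserted lines:
#   - "auth required pam_parsec_mac.so" before the first line whose first
#     field does not contain "#" (this includes a blank line);
#   - "session required pam_parsec_mac.so unshare_root_only" before the first
#     line whose first field matches "session";
#   - "account required pam_parsec_mac.so <appset>" after the first
#     "@include common-account" line, where <appset> is "labelselect=appset"
#     for services listed in $pamappset and empty otherwise;
#   - "session required pam_parsec_mac.so" after an anchor line: the
#     pam_parsec_aud.so session entry if present, else the pam_parsec_cap.so
#     one, else "@include common-session".
#
# Globals:   pamdir, pamappset (read); appset, pam_parsec_cap_present,
#            pam_parsec_aud_present (written)
# Arguments: $1 - service file name inside $pamdir
# Returns:   exit status of awk
#
# NOTE(review): when an anchor line is missing, the corresponding entry is
# silently not added; callers that rely on the MAC session entry should
# verify the result.
# NOTE(review): the grep probes require single spaces between fields while
# the awk rules match whitespace-separated fields, so a tab-separated
# pam_parsec_aud.so / pam_parsec_cap.so entry is not detected and the
# common-session anchor is used instead.
install_pam_mac()
{
	# Reset first: appset is a global, so a value left over from an earlier
	# call or inherited from the caller's environment would otherwise be
	# emitted on the "account" line of a service that must not get it.
	appset=""
	for el in $pamappset; do
		if [ "$1" = "$el" ]; then
			appset="labelselect=appset"
		fi
	done

	if grep -q 'session required pam_parsec_cap.so' "$pamdir/$1"; then
		pam_parsec_cap_present=1
	else
		pam_parsec_cap_present=0
	fi
	if grep -q 'session required pam_parsec_aud.so' "$pamdir/$1"; then
		pam_parsec_aud_present=1
	else
		pam_parsec_aud_present=0
	fi

	# Shell values are handed over with -v instead of being spliced into the
	# program text, so they can only ever be data for awk, never code.
	awk -v appset="$appset" \
		-v aud_present="$pam_parsec_aud_present" \
		-v cap_present="$pam_parsec_cap_present" '
		BEGIN {
			is_mac_auth = 0
			is_mac_account = 0
			is_mac_session = 0
			is_env_session = 0
		}
		{
			if (is_env_session == 0 && $1 ~ "session") {
				print "session required pam_parsec_mac.so unshare_root_only"
				is_env_session = 1
			}
			if (is_mac_auth == 0 && $1 !~ "#") {
				print "auth required pam_parsec_mac.so"
				is_mac_auth = 1
			}
			print $0
			if (is_mac_account == 0 && $1 ~ "@include" && $2 ~ "common-account") {
				# The space before appset is kept even when appset is empty.
				print "account required pam_parsec_mac.so " appset
				is_mac_account = 1
			}
			if (aud_present == 1) {
				if (is_mac_session == 0 && $1 ~ "session" && $2 ~ "required" && $3 ~ "pam_parsec_aud.so") {
					print "session required pam_parsec_mac.so"
					is_mac_session = 1
				}
			} else if (cap_present == 1) {
				if (is_mac_session == 0 && $1 ~ "session" && $2 ~ "required" && $3 ~ "pam_parsec_cap.so") {
					print "session required pam_parsec_mac.so"
					is_mac_session = 1
				}
			} else {
				if (is_mac_session == 0 && $1 ~ "@include" && $2 ~ "common-session") {
					print "session required pam_parsec_mac.so"
					is_mac_session = 1
				}
			}
		}
	' "$pamdir/$1"
}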

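# Print the PAM configuration of service "$1" (read from $pamdir/$1) with a
# single "session required pam_parsec_mac.so stub" line added after an anchor
# line: the pam_parsec_aud.so session entry if present, else the
# pam_parsec_cap.so one, else "@include common-session". The file itself is
# not modified; the caller redirects stdout.
#
# Globals:   pamdir (read); pam_parsec_cap_present, pam_parsec_aud_present
#            (written)
# Arguments: $1 - service file name inside $pamdir
# Returns:   exit status of awk
#
# NOTE(review): if no anchor line exists the input is printed unchanged and
# no stub entry is added. The grep probes need single spaces between fields,
# whereas the awk rules match whitespace-separated fields.
install_pam_mac_stub()
{
	if grep -q 'session required pam_parsec_cap.so' "$pamdir/$1"; then
		pam_parsec_cap_present=1
	else
		pam_parsec_cap_present=0
	fi
	if grep -q 'session required pam_parsec_aud.so' "$pamdir/$1"; then
		pam_parsec_aud_present=1
	else
		pam_parsec_aud_present=0
	fi

	# Flags are passed with -v so shell values stay data and are never
	# spliced into the awk program text.
	awk -v aud_present="$pam_parsec_aud_present" \
		-v cap_present="$pam_parsec_cap_present" '
		BEGIN {
			is_mac_session = 0
		}
		{
			print $0
			if (aud_present == 1) {
				if (is_mac_session == 0 && $1 ~ "session" && $2 ~ "required" && $3 ~ "pam_parsec_aud.so") {
					print "session required pam_parsec_mac.so stub"
					is_mac_session = 1
				}
			} else if (cap_present == 1) {
				if (is_mac_session == 0 && $1 ~ "session" && $2 ~ "required" && $3 ~ "pam_parsec_cap.so") {
					print "session required pam_parsec_mac.so stub"
					is_mac_session = 1
				}
			} else {
				if (is_mac_session == 0 && $1 ~ "@include" && $2 ~ "common-session") {
					print "session required pam_parsec_mac.so stub"
					is_mac_session = 1
				}
			}
		}
	' "$pamdir/$1"
}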

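# Print the PAM configuration of service "$1" (read from $pamdir/$1) with
# "password required pam_parsec_mac.so" inserted before the first
# "@include common-password" line. The file itself is not modified.
#
# Globals:   pamdir (read)
# Arguments: $1 - service file name inside $pamdir
# Returns:   exit status of awk
#
# NOTE(review): without an "@include common-password" line the input is
# printed unchanged and no password entry is added.
install_pam_mac_passwd()
{
	awk '
		BEGIN {
			is_mac_password = 0
		}
		{
			if (is_mac_password == 0 && $1 ~ "@include" && $2 ~ "common-password") {
				print "password required pam_parsec_mac.so"
				is_mac_password = 1
			}
			print $0
		}
	' "$pamdir/$1"
}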

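# Print the PAM configuration of service "$1" (read from $pamdir/$1) without
# any line that matches 'pam_parsec_mac.so'. The file itself is not modified.
#
# Globals:   pamdir (read)
# Arguments: $1 - service file name inside $pamdir
# Returns:   exit status of grep: 0 if lines were printed, 1 if every line
#            was filtered out (or the file is empty), >1 on error
#
# The pattern is a regular expression, so "." matches any character; that is
# kept as in the original. Commented-out entries naming the module are
# removed as well, because the whole line is matched.
uninstall_pam_mac()
{
	# grep -E replaces the obsolescent egrep wrapper (same matching rules).
	grep -E -v -- 'pam_parsec_mac.so' "$pamdir/$1"
}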

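# Remove the pam_parsec_mac.so entries from every managed service file.
#
# For each service in $pamcommon, $pamappset, $pamstub and $pampasswd whose
# file in $pamdir is writable, the filtered content is staged in
# "<file>.parsec" and then renamed over the original. Files that are missing
# or not writable are skipped without error, as before.
#
# These files define how the listed services authenticate, so the live file
# is only replaced when the filter ran cleanly; on any failure the original
# is left in place, the staging file is removed and a diagnostic goes to
# stderr.
#
# Globals:   pamdir, pamcommon, pamappset, pamstub, pampasswd (read);
#            cfg, del_status, filter_rc (written)
# Returns:   0 if every writable file was updated, 1 otherwise
del()
{
	del_status=0
	# The list variables are expanded unquoted on purpose: each one holds a
	# space-separated list of service names.
	for cfg in $pamcommon $pamappset $pamstub $pampasswd; do
		if [ ! -w "$pamdir/$cfg" ]; then
			continue
		fi
		# Seed the staging file with cp -p so it carries the original's
		# mode, ownership and timestamps; the redirection below only
		# truncates it, so the replacement does not pick up whatever
		# umask this script happens to run with.
		if cp -p -- "$pamdir/$cfg" "$pamdir/$cfg.parsec"; then
			uninstall_pam_mac "$cfg" > "$pamdir/$cfg.parsec"
			filter_rc=$?
		else
			filter_rc=2
		fi
		# grep -v exits 1 when it printed no lines, which is a valid
		# (empty) result; only a status above 1 is an error.
		if [ "$filter_rc" -le 1 ] && mv -- "$pamdir/$cfg.parsec" "$pamdir/$cfg"; then
			continue
		fi
		printf '%s\n' "$0: failed to update $pamdir/$cfg; original left in place" >&2
		rm -f -- "$pamdir/$cfg.parsec"
		del_status=1
	done
	return "$del_status"
}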

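# Helper for add(): run generator function "$1" for each service named in the
# remaining arguments and swap its output in for the live file.
#
# A service is skipped when its file in $pamdir is missing or not writable,
# or when it already mentions pam_parsec_mac.so (a notice is printed). The
# new content is staged in "<file>.parsec"; the live file is replaced only if
# the generator succeeded, otherwise it is left untouched, the staging file
# is removed, a diagnostic goes to stderr and add_status is set to 1.
_add_pam_mac()
{
	generator=$1
	shift
	for cfg in "$@"; do
		if [ ! -w "$pamdir/$cfg" ]; then
			continue
		elif grep -q 'pam_parsec_mac.so' "$pamdir/$cfg"; then
			# printf instead of "echo -e": under a POSIX /bin/sh such
			# as dash, echo would print the "-e" as part of the text.
			printf '%s\n' "$0: has already been added into $pamdir/$cfg"
			continue
		fi
		# cp -p seeds the staging file with the original's mode,
		# ownership and timestamps; the redirection only truncates it,
		# so the replacement does not depend on the current umask.
		if cp -p -- "$pamdir/$cfg" "$pamdir/$cfg.parsec" &&
			"$generator" "$cfg" > "$pamdir/$cfg.parsec" &&
			mv -- "$pamdir/$cfg.parsec" "$pamdir/$cfg"; then
			continue
		fi
		printf '%s\n' "$0: failed to update $pamdir/$cfg; original left in place" >&2
		rm -f -- "$pamdir/$cfg.parsec"
		add_status=1
	done
}

# Add the pam_parsec_mac.so entries to every managed service file:
# install_pam_mac for $pamcommon and $pamappset, install_pam_mac_stub for
# $pamstub, install_pam_mac_passwd for $pampasswd.
#
# These files define how the listed services authenticate, so a generator
# that fails must never overwrite the live file with partial output.
#
# Globals:   pamdir, pamcommon, pamappset, pamstub, pampasswd (read);
#            cfg, generator, add_status (written)
# Outputs:   "already added" notices on stdout, failures on stderr
# Returns:   0 if every eligible file was updated, 1 otherwise
add()
{
	add_status=0
	# The list variables are expanded unquoted on purpose: each one holds a
	# space-separated list of service names.
	_add_pam_mac install_pam_mac $pamcommon $pamappset
	_add_pam_mac install_pam_mac_stub $pamstub
	_add_pam_mac install_pam_mac_passwd $pampasswd
	return "$add_status"
}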

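# Re-create the pam_parsec_mac.so entries: remove them with del, then insert
# them again with add.
#
# add still runs when del reports a failure, but the failure is no longer
# discarded: the function returns non-zero if either step did, so a caller
# checking the exit status learns that some PAM file may not be in the
# intended state.
#
# Globals: fix_status (written)
# Returns: 0 if both steps succeeded, otherwise the status of the last
#          failing step
fix()
{
	fix_status=0
	del || fix_status=$?
	add || fix_status=$?
	return "$fix_status"
}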

# Entry point: run the action named by the first argument and exit with its
# status; anything else prints the usage line to stderr and exits 1.
case "$1" in
  add|del|fix)
	# The argument matched one of the three literal action names above,
	# so it is called directly as the function of the same name.
	"$1"
	errcode=$?
	;;
  *)
	echo "Usage: $0 {add|del|fix}" >&2
	exit 1
	;;
esac

exit "$errcode"
