#!/usr/bin/sh
# cern-linuxsupport-access: v2 2010/07/13 KELEMEN Peter <Peter.Kelemen@cern.ch>

# Name this tool was invoked as (path stripped); used in messages and temp-file names.
SELF="${0##*/}"

# Print the synopsis via error(), which also runs cleanup and exits with status 90.
usage () {
	error "Usage: ${SELF} <enable|disable>"
}

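# Remove the scratch file (if a successful run has not already renamed it
# onto its target) and put the default SELinux label back on the files this
# tool replaces.  Called on normal exit, from error() and from the signal trap.
# Globals read: TEMPFILE, K5LOGIN, AUTHKEYS (any of them may still be unset
# when error() fires early; an empty value is simply skipped).
cleanup () {
	if [ -n "$TEMPFILE" ] && [ -f "$TEMPFILE" ]; then
		rm -f -- "$TEMPFILE"
	fi
	# A file renamed into place keeps the label it was created with, so
	# relabel both targets that this tool may have replaced, not only the
	# .k5login: sshd reads AUTHKEYS under the same SELinux constraints.
	if [ -x /sbin/restorecon ]; then
		if [ -n "$K5LOGIN" ] && [ -e "$K5LOGIN" ]; then
			/sbin/restorecon "$K5LOGIN"
		fi
		if [ -n "$AUTHKEYS" ] && [ -e "$AUTHKEYS" ]; then
			/sbin/restorecon "$AUTHKEYS"
		fi
	fi
}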

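# Report a fatal error, run cleanup and exit with status 90.
# Arguments: the message; all arguments are joined with spaces.
# The message goes to stderr so that it does not mix with the tool's
# normal stdout output.
error () {
	printf 'E: %s\n' "$*" >&2
	cleanup
	exit 90
}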

# Abort (via error(), exit status 90) unless running with uid 0: the files
# edited by this tool live under /root.
detect_root () {
	[ "$(id -u)" -eq 0 ] || error "To make modifications, please run this tool as the root user, or alternatively via sudo :)"
}

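# Warn on stdout when the host looks puppet-managed (its puppet.conf mentions
# an environment), so the operator knows the change may be reverted.
# Arguments: $1 - advice line to print inside the warning
#            $2 - (optional) path of puppet.conf, defaults to the system one
# A missing or unreadable config file is treated as "not puppet-managed".
detect_puppet () {
	puppet_conf=${2:-/etc/puppetlabs/puppet/puppet.conf}
	# '&>' is a bash extension; a POSIX sh (e.g. dash) parses "grep ... &>/dev/null"
	# as grep put in the background followed by a bare redirection, so the
	# result was never tested there.  -q plus a portable redirection instead.
	if grep -q environment "$puppet_conf" 2>/dev/null; then
		printf '\n'
		# ESC[1m ESC[33m = bold yellow, ESC[0m = reset; printf because
		# 'echo -e' is not portable under /bin/sh.
		printf '\033[1m\033[33m          *** WARNING ***\033[0m\n'
		printf '  This machine is puppet-managed.\n\n  %s\n\n' "$1"
	fi
}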

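# Merge the shipped principals (KRB_FILE) into root's .k5login (K5LOGIN),
# keeping one copy of each line, and leave the previous file as K5LOGIN.old.
# Globals read: K5LOGIN, KRB_FILE.  Any failure ends the run via error().
enable_kerberos () {
	touch "$K5LOGIN" || error "Cannot create $K5LOGIN"
	# Build the new file next to its target rather than under /tmp: the
	# rename stays on one filesystem (atomic), and a path in a world-writable
	# directory is never written to again after an earlier mv has freed it.
	# mktemp creates the file with mode 0600.
	ktmp=$(mktemp "${K5LOGIN}.XXXXXXXX") || error "Cannot create temporary file for $K5LOGIN"
	# sort reads both inputs itself, so its status covers the reads as well.
	if ! sort -u -- "$K5LOGIN" "$KRB_FILE" > "$ktmp"; then
		rm -f -- "$ktmp"
		error "Cannot merge Kerberos access info"
	fi
	if ! mv -- "$K5LOGIN" "${K5LOGIN}.old" || ! mv -- "$ktmp" "$K5LOGIN"; then
		rm -f -- "$ktmp"
		error "Cannot write $K5LOGIN"
	fi
	echo "Enabled Kerberos access for CERN Linux.Support personnel."
}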

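# Remove the shipped principals (KRB_FILE) from root's .k5login (K5LOGIN),
# leaving the previous file as K5LOGIN.old.  Lines that are not ours are
# kept; a .k5login that held only our principals ends up empty (not removed).
# A missing or empty K5LOGIN is a no-op.
# Globals read: K5LOGIN, KRB_FILE.  Any failure ends the run via error().
disable_kerberos () {
	[ -s "$K5LOGIN" ] || return 0
	# Scratch file beside the target (same filesystem, no /tmp path reuse).
	ktmp=$(mktemp "${K5LOGIN}.XXXXXXXX") || error "Cannot create temporary file for $K5LOGIN"
	# -x: a line is dropped only when it equals one of our principals.  A
	# substring match would also drop unrelated lines that merely contain
	# one of ours, and a blank line in KRB_FILE would then drop everything.
	grep -F -x -v -f "$KRB_FILE" "$K5LOGIN" > "$ktmp"
	krc=$?
	# Save the status right away: "$?" after an if statement is the status of
	# that statement, not of grep.  Status 1 just means no line survived,
	# which is correct when the file held nothing but our principals.
	if [ "$krc" -gt 1 ]; then
		rm -f -- "$ktmp"
		error "Cannot filter Kerberos access info"
	fi
	if ! mv -- "$K5LOGIN" "${K5LOGIN}.old" || ! mv -- "$ktmp" "$K5LOGIN"; then
		rm -f -- "$ktmp"
		error "Cannot write $K5LOGIN"
	fi
	echo "Disabled Kerberos access for CERN Linux.Support personnel."
}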

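# Merge the shipped public keys (SSH_FILE) into root's authorized_keys
# (AUTHKEYS), keeping one copy of each line, and leave the previous file as
# AUTHKEYS.old.  Creates ROOT_SSH_DIR (mode 0700) when it is missing.
# Globals read: ROOT_SSH_DIR, AUTHKEYS, SSH_FILE.  Failures end the run via error().
enable_ssh () {
	# Test the directory itself rather than the IS_ROOT_SSH_DIR snapshot, so
	# the check is correct however this function is reached.
	if [ ! -d "$ROOT_SSH_DIR" ]; then
		mkdir -- "$ROOT_SSH_DIR" || error "Cannot create $ROOT_SSH_DIR"
		chmod 0700 "$ROOT_SSH_DIR" || error "Cannot set permissions on $ROOT_SSH_DIR"
	fi
	touch "$AUTHKEYS" || error "Cannot create $AUTHKEYS"
	# Build the new file next to its target rather than under /tmp: the
	# rename stays on one filesystem (atomic), and a path in a world-writable
	# directory is never written to again after an earlier mv has freed it.
	# mktemp creates the file with mode 0600.
	stmp=$(mktemp "${AUTHKEYS}.XXXXXXXX") || error "Cannot create temporary file for $AUTHKEYS"
	# sort reads both inputs itself, so its status covers the reads as well.
	if ! sort -u -- "$AUTHKEYS" "$SSH_FILE" > "$stmp"; then
		rm -f -- "$stmp"
		error "Cannot merge SSH access info"
	fi
	if ! mv -- "$AUTHKEYS" "${AUTHKEYS}.old" || ! mv -- "$stmp" "$AUTHKEYS"; then
		rm -f -- "$stmp"
		error "Cannot write $AUTHKEYS"
	fi
	echo "Enabled SSH public key access for CERN Linux.Support personnel."
}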

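# Remove the shipped public keys (SSH_FILE) from root's authorized_keys
# (AUTHKEYS), leaving the previous file as AUTHKEYS.old.  Lines that are not
# ours are kept; a file that held only our keys ends up empty (not removed).
# A missing or empty AUTHKEYS is a no-op.
# Globals read: AUTHKEYS, SSH_FILE.  Any failure ends the run via error().
disable_ssh () {
	[ -s "$AUTHKEYS" ] || return 0
	# Scratch file beside the target (same filesystem, no /tmp path reuse).
	stmp=$(mktemp "${AUTHKEYS}.XXXXXXXX") || error "Cannot create temporary file for $AUTHKEYS"
	# -x: a line is dropped only when it equals one of our key lines.  A
	# substring match would also drop unrelated lines that merely contain
	# one of ours, and a blank line in SSH_FILE would then drop everything.
	grep -F -x -v -f "$SSH_FILE" "$AUTHKEYS" > "$stmp"
	src=$?
	# Save the status right away: "$?" after an if statement is the status of
	# that statement, not of grep.  Status 1 just means no line survived,
	# which is correct when the file held nothing but our keys.
	if [ "$src" -gt 1 ]; then
		rm -f -- "$stmp"
		error "Cannot filter SSH access info"
	fi
	if ! mv -- "$AUTHKEYS" "${AUTHKEYS}.old" || ! mv -- "$stmp" "$AUTHKEYS"; then
		rm -f -- "$stmp"
		error "Cannot write $AUTHKEYS"
	fi
	echo "Disabled SSH public key access for CERN Linux.Support personnel."
}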

### MAIN

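if [ -z "$1" ]; then
	usage
	# WONTREACH
fi

# Scratch file; cleanup removes it again if nothing has consumed it.
TEMPFILE=$(mktemp "/tmp/${SELF}.XXXXXXXX")
if [ $? -ne 0 ] || [ -z "$TEMPFILE" ]; then
	# error() adds the "E: " prefix itself.
	error "Cannot create temporary file"
fi
# On an interrupt, tidy up and stop instead of continuing the run with the
# scratch file gone; use the same exit status as error().
trap 'cleanup; exit 90' INT QUIT TERM

PREFIX=/usr/share/$SELF
KRB_FILE=${PREFIX}/k5login
SSH_FILE=${PREFIX}/authorized_keys

ROOT_HOME=/root
ROOT_SSH_DIR=${ROOT_HOME}/.ssh
K5LOGIN=${ROOT_HOME}/.k5login
AUTHKEYS=${ROOT_SSH_DIR}/authorized_keys

# Snapshot of whether root's ~/.ssh already exists, read by enable_ssh.
IS_ROOT_SSH_DIR=0
if [ -d "$ROOT_SSH_DIR" ]; then
	IS_ROOT_SSH_DIR=1
fi

# 'break' is only meaningful inside a loop; the case arms end at ';;'.
case "$1" in
	enable)
		detect_root
		detect_puppet "Please disable puppet before it reverts the changes made by this tool."
		enable_kerberos
		enable_ssh
		;;
	disable)
		detect_root
		detect_puppet "Please don't forget to re-enable puppet."
		disable_kerberos
		disable_ssh
		;;
	*)
		usage
		# WONTREACH
		;;
esac
cleanup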

# End of file.
