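#!/bin/sh
# manage FreeBSD jail users
#
# Usage: $0 -u user [-h home] [-s shell] [-g groups] [-d rootdir]
#           [-c comment] -a present|absent|locked
#
# Every pw(8) invocation goes through jpw() so that the jail root given
# with -d is applied to add/del/show AND lock/unlock alike; the original
# lock/unlock calls ran without it and therefore touched the host account.
# Host-side file operations (ssh key provisioning) use the same root prefix.

# abort on the first failing command (e.g. a failed "pw user add" must not
# be followed by key installation) and on unset variables
set -eu

# option defaults
rootdir=""
user=""
groups=""
home=""
shell="/usr/local/bin/bash"
comment=""
action=""

# host-side directory holding the pre-provisioned public key per user
keydir="/usr/local/bastille/keys"

#######################################
# Print usage and exit with status 1.
#######################################
usage() {
  echo "Usage: $0 -u user [-h home] [-s shell] [-g groups] [-d rootdir] [-c comment] -a action"
  echo "Valid actions: present, absent, locked"
  exit 1
}

#######################################
# Run pw(8), prefixed with "-R rootdir" when a jail root was given.
# Globals:   rootdir (read)
# Arguments: pw subcommand and its arguments
#######################################
jpw() {
  if [ -n "$rootdir" ]; then
    pw -R "$rootdir" "$@"
  else
    pw "$@"
  fi
}

#######################################
# Print one field of the user's v7 passwd entry
# (name:passwd:uid:gid:gecos:home:shell).
# Arguments: $1 - user name, $2 - 1-based field number
#######################################
passwd_field() {
  jpw show user "$1" -7 | cut -d: -f "$2"
}

#######################################
# Succeed if the user exists in the (jail) password database.
# Arguments: $1 - user name
#######################################
user_exists() {
  jpw user show "$1" > /dev/null 2>&1
}

#######################################
# Succeed if the account is locked. Only the password field is
# inspected, so a GECOS or home containing "LOCKED" cannot match.
# Arguments: $1 - user name
#######################################
is_locked() {
  passwd_field "$1" 2 | grep -q '^\*LOCKED\*'
}

#######################################
# Verbose exec: print the command line, then run it.
# Arguments: command and its arguments
#######################################
run() {
  printf '%s\n' "$*"
  "$@"
}

# parse commandline flags
OPTIND=1
while getopts d:u:h:g:s:c:a: opt; do
  case $opt in
    d) rootdir="$OPTARG" ;;
    u) user="$OPTARG" ;;
    h) home="$OPTARG" ;;
    g) groups="$OPTARG" ;;
    s) shell="$OPTARG" ;;
    c) comment="$OPTARG" ;;
    a) action="$OPTARG" ;;
    *) usage ;;
  esac
done
shift $((OPTIND - 1))

if [ -z "$user" ] || [ -z "$action" ]; then
  usage
fi

# home directory as recorded in the jail's passwd, and the same directory
# as seen from the host: pw -R creates it beneath rootdir, so every file
# operation below uses the host view.
jailhome="${home:-/home/$user}"
hosthome="${rootdir%/}$jailhome"
# "-s ''" falls back to the default shell, as before
shell="${shell:-/usr/local/bin/bash}"

# build the "pw user add" argument list in the positional parameters so
# that values containing whitespace (e.g. -c "First Last") stay one word
set --
if [ -n "$groups" ]; then
  set -- "$@" -G "$groups"
fi
set -- "$@" -d "$jailhome" -k /etc/skel -m -M 700 -s "$shell"
if [ -n "$comment" ]; then
  set -- "$@" -c "$comment"
fi

# the horse shall work
case "$action" in
  present)
    if user_exists "$user"; then
      if is_locked "$user"; then
        # user is present but locked
        run jpw unlock "$user"
      else
        echo "$user exists."
      fi
    else
      # create user
      run jpw user add "$user" "$@"
    fi
    sshdir="$hosthome/.ssh"
    if [ -e "$keydir/$user" ] && [ ! -e "$sshdir/authorized_keys" ]; then
      # install ssh key, owned by the user's own uid AND primary gid
      # (the gid is not guaranteed to equal the uid)
      uid=$(passwd_field "$user" 3)
      gid=$(passwd_field "$user" 4)
      if [ -z "$uid" ] || [ -z "$gid" ]; then
        echo "cannot resolve uid/gid of $user" >&2
        exit 1
      fi
      run install -m 700 -o "$uid" -g "$gid" -d "$sshdir"
      run install -m 600 -o "$uid" -g "$gid" "$keydir/$user" "$sshdir/authorized_keys"
      # generate chat key, which is required so login to
      # kobayashi, so that ssh-chat works even if the user does
      # not have their own key yet. The empty passphrase is
      # deliberate (see README below); ssh-keygen creates the
      # private key with mode 0600.
      run ssh-keygen -t ed25519 -f "$sshdir/id_chat_kobayashi" -P ""
      printf '%s\n' \
        "The key id_chat_kobayashi exists so that you're able to reach" \
        "the kobayashi chat service. Once you have generated your own" \
        "key, you can just delete it." > "$sshdir/README"
      if [ ! -e "$sshdir/config" ]; then
        # NOTE(review): "StrictHostKeyChecking no" disables host-key
        # verification for kobayashi; "accept-new" would pin the key on
        # first use. Kept as-is to preserve the existing client config.
        printf '%s\n' \
          "Host kobayashi" \
          " Port 2222" \
          " IdentityFile ~/.ssh/id_chat_kobayashi" \
          " StrictHostKeyChecking no" > "$sshdir/config"
      fi
      # files written by this (root) script above still belong to root
      run chown "$uid:$gid" "$sshdir"/*
    fi
    ;;
  absent)
    if user_exists "$user"; then
      # get rid (home directory is left in place, as before)
      run jpw user del "$user"
    fi
    ;;
  locked)
    if user_exists "$user"; then
      if is_locked "$user"; then
        echo "$user is already locked."
      else
        # lock'em out -- in the jail database, not on the host
        run jpw lock "$user"
      fi
    fi
    ;;
  *)
    usage
    ;;
esac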