# Copyright (c) 2012 Tresys Technology LLC, Columbia, Maryland, USA
#
# This software was developed by Tresys Technology LLC
# with U.S. Government sponsorship.
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

SYSTEM_AUTH=/etc/pam.d/system-auth
AUTH_FILES=`/bin/find /etc/pam.d -name "*-auth" -print|/bin/grep -P "(password|system)"`

[ -n "AUTH_FILES" ] || exit 1

. $(dirname $0)/set_general_entry

set_pam_passwdqc() {
# FIXME:
# This function used to manipulate individual arguments to pam_cracklib but with pam_passwdqc things are very different.
# Every time this is called it will do the same thing.  It sets passwdqc to meet the *all requirements*.  The problem with this
# is that someone can't run a single pam remediation script to only remediate one thing (such as only requiring digits or something).

	# by default pam_cracklib is used so drop that in favor of pam_passwdqc
	for items in $AUTH_FILES; do	
		/bin/sed -i -e 's/.*pam_cracklib.*/password    requisite     pam_passwdqc.so enforce=everyone retry=3 min=disabled,disabled,disabled,14,14/' "$items"
		/bin/grep -q pam_cracklib "$items" && exit 1

#	OPTION=$1 DESIRED=$2
		if /bin/grep -Pq "pam_passwdqc.so" "$items"; then
			/bin/sed -i -r -e 's/(^.*pam_cracklib.so.*$)/password    requisite     pam_passwdqc.so enforce=everyone\
\1/' "$items"
		fi;
	done

#	if /bin/grep -Pq "^password\s+requisite\s+pam_passwdqc.so\s+.*$OPTION=$DESIRED\b" "$SYSTEM_AUTH"; then
#		exit 0
#	else
#		/bin/sed -i -r -e "s/^(password\s+requisite\s+pam_passwdqc\.so.*)\s+$OPTION=[^\s]*\s*(.*$)/\1 \2/" "$SYSTEM_AUTH"
#		/bin/sed -i -r -e "s/^(password\s+requisite\s+pam_passwdqc\.so.*)\s+$/\1/" "$SYSTEM_AUTH"
#		/bin/sed -i -r -e "s/^(password\s+requisite\s+pam_passwdqc\.so\s+.*)/\1 $OPTION=$DESIRED/" "$SYSTEM_AUTH"
#	fi
}

set_pam_unix_option() {
# Sets the specified pam unix option to the desired value.
#
#  arguments:
#    set_pam_unix_option(OPTION,DESIRED)
#      OPTION  - pam unix option to be changed.
#      DESIRED - Desired value of pam unix option
#

	OPTION=$1 DESIRED=$2
	
	for items in $AUTH_FILES; do
		if /bin/grep -Pq "^password\s+(?:sufficient|required)\s+pam_unix\.so\s+.*$OPTION=$DESIRED\b" ""; then
			exit 0
		else
			/bin/sed -i -r -e "s/^(password\s+(sufficient|required)\s+pam_unix\.so.*)\s+$OPTION=[^\s]*\s*(.*$)/\1 \3/" "$items"
			/bin/sed -i -r -e "s/^(password\s+(sufficient|required)\s+pam_unix\.so.*)\s+$/\1/" "$items"
			/bin/sed -i -r -e "s/^(password\s+(sufficient|required)\s+pam_unix\.so\s+.*)/\1 $OPTION=$DESIRED/" "$items"
		fi
	done
}

set_pam_unix_flag() {
# Adds the desired pam unix flag if it does not already exist.
#
#  arguments:
#    set_pam_unix_flag(OPTION)
#      OPTION  - pam unix flag to add.
#

	OPTION=$1
	
	for items in $AUTH_FILES; do
		if /bin/grep -Pq "^password\s+(?:sufficient|required)\s+pam_unix\.so\s+.*$OPTION\b" "$items"; then
			exit 0
		else
			/bin/sed -i -r -e "s/^(password\s+(sufficient|required)\s+pam_unix\.so\s+.*)/\1 $OPTION/" "$items"
		fi
	done
}
