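#!/bin/sh
# setup-user: create a user account and optionally install SSH keys, add the
# user to extra groups, grant admin rights through doas, and unlock the account.
#
# Environment read by this script: LIBDIR (location of libalpine.sh), ROOT
# (prefix for the paths written below) and MOCK (command prefix placed in
# front of the privileged helper calls).
#
# Exit status: 0 on success or when the operator declines to create a user,
# non-zero on usage errors or when a required step fails.

PREFIX=@PREFIX@
: "${LIBDIR=$PREFIX/lib}"
. "$LIBDIR/libalpine.sh"

# Print the help text and exit with status $1. Callers that report an error
# redirect the output to stderr themselves.
usage() {
	cat <<__EOF__
usage: setup-user [-h] [-a] [-u] [-f FULLNAME] [-g GROUPS] [-k SSHKEY] [USERNAME]

Create user account

options:
 -a  Create admin user. Add to wheel group and set up doas
 -h  Show this help
 -f  Set full name for user
 -g  Comma or space separated list of groups to add user to
 -k  ssh key or URL to ssh key (eg. https://gitlab.alpinelinux.org/user.keys) or 'none' for no key
 -u  Unlock the user automatically (eg. creating the user non-interactively with an ssh key for login)

If USERNAME is not specified user will be prompted.
__EOF__
	exit "$1"
}

# Start from known-empty state. Without this, a variable of the same name
# inherited from the caller's environment (for example an exported "admin" or
# "groups") would silently switch on behaviour that was never requested on the
# command line.
admin=
fullnameopt=
groups=
keysopt=
forceunlock=
interactive=
username=
nopassword=
failed_username=
lastfullname=
sshkeys=
suggest=

while getopts "af:g:hk:u" opt; do
	case $opt in
		a) admin=1;;
		h) usage 0;;
		f) fullnameopt="$OPTARG";;
		g) groups="$OPTARG";;
		k) keysopt="$OPTARG";;
		u) forceunlock=1;;
		'?') usage "1" >&2;;
	esac
done
shift $((OPTIND - 1))

# "setup-user none" with no options means: do not create a user.
if [ -z "$admin$fullnameopt$groups$keysopt$forceunlock" ] && [ "$1" = "none" ]; then
	exit 0
fi

if [ $# -gt 1 ]; then
	usage "1" >&2
elif [ $# -eq 1 ]; then
	username="$1"
	# A username on the command line means non-interactive creation; -D is
	# passed to adduser so it does not prompt for a password.
	nopassword="-D"
else
	interactive=1
fi

# Create the account. In interactive mode keep asking until adduser succeeds
# or the operator answers 'no'.
while true; do
	fullname="$fullnameopt"
	if [ -n "$interactive" ] && [ -z "$username" ]; then
		if [ -n "$fullname" ]; then
			# Suggest first initial + last word of the full name, lower-cased.
			suggest=$(printf '%s\n' "$fullname" \
				| sed -E 's/^(.).*\s+(.*)/\1\2/' \
				| tr '[:upper:]' '[:lower:]')
		else
			suggest=no
		fi
		# dont suggest something that has failed before
		if [ "$suggest" = "$failed_username" ]; then
			suggest=
		fi
		# ${var:+"$var"} passes the default as exactly one word, or as no
		# argument at all when it is empty.
		ask "Setup a user? (enter a lower-case loginname, or 'no')" ${suggest:+"$suggest"}
		case "$resp" in
			no) exit 0;;
			*) username="$resp";;
		esac
	fi
	if [ -n "$interactive" ] && [ -z "$fullnameopt" ]; then
		# Quoted so that a previously entered full name containing spaces is
		# offered back as one default instead of being split into words.
		ask "Full name for user $username" "${lastfullname:-$username}"
		fullname="$resp"
		lastfullname="$resp"
	fi

	# $nopassword is deliberately unquoted: it is either empty or "-D".
	if [ -n "$fullname" ]; then
		adduser -g "$fullname" $nopassword "$username" && break
	else
		adduser $nopassword "$username" && break
	fi

	# adduser failed: fatal when non-interactive, otherwise ask again.
	[ -n "$interactive" ] || exit 1
	failed_username="$username"
	username=
done

# Obtain the SSH public key(s) for the new account.
#
# NOTE(review): a key fetched over http:// travels over an unauthenticated
# channel, so whoever controls the network path decides which key ends up in
# authorized_keys. Prefer https:// sources.
# NOTE(review): only lines starting with "ssh-" are accepted, so key types
# whose line starts differently (e.g. ecdsa-sha2-*) are dropped or rejected.
if [ -n "$interactive" ] && [ -z "$keysopt" ]; then
	suggest=none
	while true; do
		ask "Enter ssh key or URL for $username (or 'none')" ${suggest:+"$suggest"}
		case "$resp" in
			al) suggest="https://gitlab.alpinelinux.org/$username.keys"
				continue
				;;
			gl) suggest="https://gitlab.com/$username.keys"
				continue
				;;
			gh) suggest="https://github.com/$username.keys"
				continue
				;;
			none) break
				;;
			https://*|http://*)
				# Quoted: the answer is operator input and must reach wget as
				# a single URL argument, never as extra words or options.
				sshkeys=$(wget -q -O- "$resp" | grep ^ssh-)
				;;
			*) sshkeys="$resp"
				;;
		esac
		if printf '%s\n' "$sshkeys" | grep -q ^ssh-; then
			break
		fi
		echo "Did not find any key in '$resp'"
	done
else
	case "$keysopt" in
		https://*|http://*)
			sshkeys=$(wget -q -O- "$keysopt" | grep ^ssh-);;
		none) sshkeys="" ;;
		*) sshkeys="$keysopt";;
	esac
	# Fail whenever a key was requested but none was obtained. This includes a
	# failed or empty download, which would otherwise leave the account without
	# a key (and, with -u, unlocked) while the script reports success.
	if [ -n "$keysopt" ] && [ "$keysopt" != "none" ] \
		&& ! printf '%s\n' "$sshkeys" | grep -q ^ssh-; then
		echo "Could not find any keys in '$keysopt'" >&2
		exit 1
	fi
fi

if [ -n "$sshkeys" ] && [ "$sshkeys" != "none" ]; then
	# NOTE(review): assumes the home directory is $ROOT/home/$username.
	ssh_directory="$ROOT/home/$username/.ssh"
	# umask 077 inside the subshell keeps the directory and the key file
	# private to the owner without changing the umask for the rest of the run.
	(
		umask 077
		mkdir -p "$ssh_directory" \
			&& printf '%s\n' "$sshkeys" > "$ssh_directory"/authorized_keys
	) || exit 1
	$MOCK chown -R "$username:$username" "$ssh_directory"
fi

if [ -n "$groups" ] && [ "$groups" != "none" ]; then
	# Word splitting on the comma/space separated list is intended; globbing is
	# switched off so a group name is never expanded against file names.
	set -f
	for i in $(printf '%s\n' "$groups" | tr ',' ' '); do
		$MOCK addgroup "$username" "$i" || exit
	done
	set +f
fi

if [ -n "$admin" ]; then
	apk add doas
	mkdir -p "$ROOT"/etc/doas.d
	# This rule lets every member of wheel run commands as root through doas,
	# with authentication cached ("persist"). Add it only once so repeated runs
	# do not pile up duplicate lines.
	doas_conf="$ROOT"/etc/doas.d/doas.conf
	grep -qxF "permit persist :wheel" "$doas_conf" 2>/dev/null \
		|| echo "permit persist :wheel" >> "$doas_conf"
	$MOCK addgroup "$username" "wheel" || exit
fi

if [ -n "$forceunlock" ]; then
	# NOTE(review): for an account created with -D no password was set here;
	# confirm what state `passwd -u` leaves the password field in on the target
	# system and that sshd does not accept empty passwords.
	$MOCK passwd -u "$username" || exit
fi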