#!/bin/bash

# Scratch directory for the downloaded key material. It sits under the iworx
# account's home; if that account can write ~iworx/tmp, a root process
# staging files here can have the path swapped underneath it -- a root-owned
# location would be safer (NOTE(review): confirm who owns ~iworx/tmp).
# This also shadows the conventional TMPDIR name: if the caller exported it,
# child processes such as mktemp will see this path.
TMPDIR=~iworx/tmp/support
# Account created for support logins. Its primary group is assumed to carry
# the same name: setup_ssh uses it in AllowGroups and setup_sudo in %group.
IW_SUPPORT=iworx_support_user
IW_UID=62221
# Overrides HOME for the rest of this script (only the running shell's $HOME
# and bare ~; ~iworx is resolved from the passwd database and is unaffected).
HOME=/home/iworx_support_user
SSH_CONFIG=/etc/ssh/sshd_config
SUDOERS=/etc/sudoers
HOSTS_ALLOW=/etc/hosts.allow

# Pinned RSA public key used by verify() to check the downloaded
# authorized_keys file. The SPKI prefix (MIGfMA0G...) appears to be that of a
# 1024-bit key, and the signature checked is SHA-1; both are below current
# recommendations, but the signing side has to change before this side can.
IW_VERIFY="-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDzDvEk4YNUmU3KAbm5C1QNNqHQ
/kuy79tooBU1kZaso+5ALQJPTFY83InFR2+9GAiDtZOpjr4tVvCqcWDE06MXtNCq
u0ubetU21GiVlYQo+wutvJFu5v3vsvhowVZZbiSd7IHTcl7Pr0DP05H3EPi4GLjf
mtDJ6Q2NtzW02gODQwIDAQAB
-----END PUBLIC KEY-----"

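#######################################
# Stage the inputs for verification: the pinned public key, the
# authorized_keys file fetched over HTTPS, and its detached signature
# published as a DNS TXT record.
# Globals:   TMPDIR (read), IW_VERIFY (read)
# Outputs:   error text on stdout
# Exits:     1 when the directory, the download or the signature cannot be obtained
#######################################
function prep {
    local keys_url="https://license.interworx.info:2443/keys/authorized_keys"
    local sig_file="$TMPDIR/authorized_keys.sig"
    [ -e "$TMPDIR" ] && rm -rf -- "$TMPDIR"
    # No -p on purpose: mkdir must create this directory itself, so it fails
    # if anything was planted at the path between rm and mkdir and we stop
    # instead of writing through it. 0700 keeps the staged files root-only.
    if ! mkdir -m 700 -- "$TMPDIR"; then
        echo "Creating $TMPDIR failed. Cannot continue."
        exit 1
    fi
    printf '%s\n' "$IW_VERIFY" > "$TMPDIR/build.pub"
    # wget verifies the server certificate by default; keep it that way.
    if ! wget -q "$keys_url" -O "$TMPDIR/authorized_keys"; then
        echo "wget $keys_url failed. Cannot continue."
        exit 1
    fi
    # The TXT record carries the base64 signature split into '|'-separated
    # chunks. DNS is not trusted on its own: integrity comes from verify().
    dig TXT +short _support_authkey_sig.interworx.com | tr -d '"' | tr '|' "\n" | openssl enc -base64 -d > "$sig_file"
    local -a rc=("${PIPESTATUS[@]}")
    # dig exits 0 even when the name has no TXT record, which leaves an
    # empty signature file, so the size check is needed in addition to rc.
    if [ "${rc[0]}" -ne 0 ] || [ "${rc[3]}" -ne 0 ] || [ ! -s "$sig_file" ]; then
        echo "Retrieving authorized_keys signature failed.  Cannot continue."
        exit 1
    fi
}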

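#######################################
# Check the downloaded authorized_keys against its detached signature using
# the pinned public key.
# Globals:   TMPDIR (read)
# Outputs:   "Verified OK" on stdout when the signature matches
# Exits:     1 on any openssl error or a non-matching signature
#######################################
function verify {
    local ok rc
    # SHA-1 is what the upstream signer uses; switching this side to sha256
    # only works once the published signature changes too.
    ok=$(openssl sha1 -verify "$TMPDIR/build.pub" -signature "$TMPDIR/authorized_keys.sig" "$TMPDIR/authorized_keys" 2>&1)
    rc=$?
    # Check the exit code and the exact text: stderr is merged into $ok, so
    # any warning would also make the comparison fail closed.
    if [ "$rc" -ne 0 ] || [ "$ok" != "Verified OK" ]; then
        echo "Verification of iworx support public key failed.  ${ok}. Cannot continue."
        exit 1
    fi
    printf '%s\n' "$ok"
}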

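#######################################
# (Re)create the support account and install the verified authorized_keys.
# Globals:   IW_SUPPORT, IW_UID, HOME, TMPDIR (read)
# Outputs:   "Authorized Keys Setup" on success
# Exits:     1 when useradd fails (nothing below would make sense then)
#######################################
function setup_user {
    # Start from a clean account so stale keys or an old home never survive
    # a re-run (-r deletes the previous home directory).
    if id "$IW_SUPPORT" > /dev/null 2>&1; then
        /usr/sbin/userdel -r -f "$IW_SUPPORT"
    fi
    # -p expects an already-hashed password; "NP" is not a valid hash, so no
    # password can ever match and the account is usable only via the SSH key.
    # -m/-d make home creation explicit instead of relying on login.defs.
    if ! /usr/sbin/useradd -u "$IW_UID" -m -d "$HOME" -p NP "$IW_SUPPORT"; then
        echo "Creating user $IW_SUPPORT failed. Cannot continue."
        exit 1
    fi
    # install(1) sets owner and 0600 at creation, so the key file is never
    # readable by others even for an instant.
    mkdir -m 700 -- "$HOME/.ssh" \
      && chown "$IW_SUPPORT:$IW_SUPPORT" "$HOME/.ssh" \
      && install -m 600 -o "$IW_SUPPORT" -g "$IW_SUPPORT" -- "$TMPDIR/authorized_keys" "$HOME/.ssh/authorized_keys" \
      && echo "Authorized Keys Setup"
}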

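#######################################
# Whitelist the support login host for sshd in hosts.allow (only honoured
# when sshd is built with TCP wrappers support).
# Globals:   HOSTS_ALLOW, IW_SUPPORT (read)
# Outputs:   one line on stdout when an entry was added
#######################################
function setup_hosts {
    local entry='sshd: 208.69.120.3'
    # -x -F: whole-line, literal match -- the dots are not regex wildcards.
    if ! grep -qxF -- "$entry" "$HOSTS_ALLOW" 2>/dev/null; then
        printf '\n#ip for %s - login.interworx.com\n%s\n' "$IW_SUPPORT" "$entry" >> "$HOSTS_ALLOW" \
          && echo "Added login.interworx.com IP to $HOSTS_ALLOW for sshd"
    fi
}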

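#######################################
# If sshd_config restricts logins with AllowGroups/AllowUsers, add the
# support account to those lists and reload sshd.
# Globals:   SSH_CONFIG, IW_SUPPORT (read)
# Outputs:   status lines on stdout when the file was changed
#######################################
function setup_ssh {
    local additions=""
    local list_re='[[:space:]]+([^[:space:]]+[[:space:]]+)*'
    # A directive is only appended when the admin already uses it and the
    # account is not listed anywhere on an existing line (the original check
    # only looked at the first name, which produced duplicate lines). The
    # appended line relies on sshd accepting repeated Allow* directives,
    # exactly as the original did.
    if grep -q '^AllowGroups' "$SSH_CONFIG" 2>/dev/null \
       && ! grep -qE "^AllowGroups${list_re}${IW_SUPPORT}([[:space:]]|\$)" "$SSH_CONFIG"; then
        additions+="AllowGroups $IW_SUPPORT"$'\n'
    fi
    if grep -q '^AllowUsers' "$SSH_CONFIG" 2>/dev/null \
       && ! grep -qE "^AllowUsers${list_re}${IW_SUPPORT}([[:space:]]|\$)" "$SSH_CONFIG"; then
        additions+="AllowUsers $IW_SUPPORT"$'\n'
    fi
    [ -n "$additions" ] || return 0
    printf '\n%s\n' "$additions" >> "$SSH_CONFIG" || return 1
    echo "SSH Config file $SSH_CONFIG modified to allow $IW_SUPPORT"
    # Validate before reloading: a config error handed to the running daemon
    # can lock every remote admin out, so fail closed and say so.
    if sshd -t > /dev/null 2>&1; then
        service sshd reload > /dev/null 2>&1
    else
        echo "sshd -t rejected $SSH_CONFIG; sshd not reloaded, fix the config and reload manually"
    fi
}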

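#######################################
# Grant the support account's group passwordless sudo. Nothing in this
# script revokes it; "temporarily" depends on the matching disable step.
# Globals:   SUDOERS, IW_SUPPORT (read)
# Outputs:   status lines on stdout
# Returns:   0 when the grant exists (already or newly), 1 on failure
#######################################
function setup_sudo {
    rpm -q sudo > /dev/null 2>&1 || { yum install -y sudo && echo "SUDO rpm installed"; }
    # Already granted: nothing to do.
    grep -q "^%$IW_SUPPORT" "$SUDOERS" 2>/dev/null && return 0
    local candidate
    candidate=$(mktemp) || { echo "mktemp failed; $SUDOERS not modified"; return 1; }
    # Edit a copy and let visudo -c validate it before it replaces the live
    # file: a malformed sudoers disables sudo for every account on the box.
    # cat > keeps the live file's inode and 0440 mode.
    if cp -- "$SUDOERS" "$candidate" \
       && printf '\n#allow %s root access (temporarily)\n%%%s       ALL=(ALL)       NOPASSWD: ALL\n\n' "$IW_SUPPORT" "$IW_SUPPORT" >> "$candidate" \
       && visudo -c -f "$candidate" > /dev/null 2>&1 \
       && cat -- "$candidate" > "$SUDOERS"; then
        echo "Allow $IW_SUPPORT temporary sudo access"
        rm -f -- "$candidate"
        return 0
    fi
    echo "Updating $SUDOERS failed validation; sudo access for $IW_SUPPORT not granted"
    rm -f -- "$candidate"
    return 1
}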

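#######################################
# Allow the support login host through APF when a firewall appears active.
# Globals:   none
# Outputs:   one status line on stdout when an action was attempted
#######################################
function setup_firewall {
    local fwlines
    # Heuristic kept from the original: an empty filter table lists as the
    # chain header lines only (8 lines), so anything longer means rules are
    # loaded and the IP has to be whitelisted.
    fwlines=$(/sbin/iptables --list -n 2>/dev/null | wc -l)
    if [ "$fwlines" -gt 8 ]; then
        # Report success only when apf actually accepted the rule; the
        # original printed "Allowed" even if apf was missing or failed.
        if /usr/local/sbin/apf -a 208.69.120.3 iworx-support-login > /dev/null 2>&1; then
            echo "Allowed login.interworx.com IP through firewall"
        else
            echo "apf -a 208.69.120.3 failed; allow login.interworx.com through the firewall manually"
        fi
    fi
}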

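#######################################
# Remove the staging directory and drop the marker file that records that
# support access is enabled.
# Globals:   TMPDIR, IW_SUPPORT (read)
# Outputs:   final status line on stdout
#######################################
function finish {
    local marker
    marker=~iworx/tmp/.ssh-support-enabled
    # ${TMPDIR:?} refuses to run rm -rf with an empty path.
    rm -rf -- "${TMPDIR:?}"
    # The marker lives in a directory the iworx account may be able to write.
    # Do not touch or chown through a symlink there: -h changes the link
    # itself, and a pre-existing link is reported instead of followed.
    if [ -L "$marker" ]; then
        echo "Refusing to use $marker: it is a symlink"
    else
        touch -- "$marker" && chown -h iworx:iworx "$marker"
    fi
    echo "Done!  SSH for $IW_SUPPORT now enabled"
}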

#######################################
# Entry point. Steps run in dependency order; the fatal ones (prep, verify,
# setup_user) exit the script themselves rather than returning.
#######################################
main() {
    prep
    verify
    setup_user
    setup_hosts
    setup_ssh
    setup_sudo
    setup_firewall
    finish
}

main "$@"

