#!/bin/bash

# Easy way to obtain Kerberos tickets for University of Pittsburgh AFS cells.
# Chris Povirk -- beigetangerine (AT) gmail (DOT) com
# http://twofoos.org/content/afs/
# Last update: 2006/01/14: remove password from shell command to make use on multiuser systems at least not obviously insecure
# 2005/10/14: initial posting

# Print one diagnostic line on stderr, tagged " [!!]" and followed by the
# arguments joined with single spaces.  Does not exit; callers decide.
error()
{
  local line=' [!!]'
  if (( $# > 0 )); then
    line+=" $*"
  fi
  printf '%s\n' "$line" >&2
}

# Print one warning line on stderr, tagged " [WW]" and followed by the
# arguments joined with single spaces.  Non-fatal companion of error().
warn()
{
  local line=' [WW]'
  if (( $# > 0 )); then
    line+=" $*"
  fi
  printf '%s\n' "$line" >&2
}

# Succeed (pgrep's own status) when a process owned by uid 0 whose name
# matches "afsd" exists; pgrep's stdout and stderr are both discarded.
isAFSRunning()
{
  pgrep -u 0 afsd >/dev/null 2>&1
}

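# The single positional argument selects what is done for every identity
# found under ~/.klog-data: "auth" obtains tokens, "cache" walks the home
# directory.  It is validated here and only ever dispatched by name later.
ACTION=$1

# The message promises to abort; the original fell through and ran anyway.
if ! isAFSRunning; then
  error "AFS is not running -- aborting"
  exit 1
fi

if [[ "$ACTION" != "auth" && "$ACTION" != "cache" ]]; then
  error "Valid actions are 'auth' and 'cache'"
  exit 1
fi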

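# Every subdirectory of ~/.klog-data describes one identity through three
# one-line files: "username", "password" (stored in clear text, which is why
# checkConfig forces mode 600 on it) and "cell".  The glob is quoted so a
# $HOME containing whitespace is handled.
KLOG_DATA_DIR="$HOME/.klog-data"
printf 'Scanning %s ...\n' "$KLOG_DATA_DIR"
for CURRENT_ID_DIR in "$KLOG_DATA_DIR"/*; do
  # Skip plain files, and the literal pattern left when nothing matches.
  [[ -d "$CURRENT_ID_DIR" ]] || continue

  printf '\nFound %s ...\n' "$CURRENT_ID_DIR"

  USERNAME_FILE="$CURRENT_ID_DIR/username"
  PASSWORD_FILE="$CURRENT_ID_DIR/password"
  CELL_FILE="$CURRENT_ID_DIR/cell"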

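  # Verify that the three per-identity files exist and that the clear-text
  # password file is private to the current user, tightening it when it is
  # not.  Reads USERNAME_FILE, PASSWORD_FILE and CELL_FILE from the enclosing
  # loop.  Returns 0 when the configuration is usable, 1 when a file is
  # missing or a chmod/chown repair fails.
  checkConfig()
  {
    local you perms file_owner

    if [[ ! -f "$USERNAME_FILE" || ! -f "$PASSWORD_FILE" || ! -f "$CELL_FILE" ]]; then
      error "$USERNAME_FILE, $PASSWORD_FILE, and $CELL_FILE must all exist."
      error "Each should be a file containing exactly one line:"
      error "$USERNAME_FILE, your Pitt username;"
      error "$PASSWORD_FILE, your Pitt password; and"
      error "$CELL_FILE, your AFS cell (pitt.edu or cs.pitt.edu)."
      error "Create them, and be sure to chmod go-r $PASSWORD_FILE."
      error "(This will prevent other users from reading it.)"
      return 1
    fi

    you=$(whoami)

    # Octal mode from GNU stat.  Any mode whose group and other digits are
    # not "00" lets someone other than the owner read or write the password.
    perms=$(stat -c '%a' -- "$PASSWORD_FILE")
    if [[ "$perms" != *00 ]]; then
      warn "$PASSWORD_FILE should be accessible by only its owner."
      warn "Changing permissions ..."
      chmod -- 600 "$PASSWORD_FILE" || return 1
    fi

    # A different owner could loosen the mode again at will.  Only the owner
    # is changed: mode 600 already excludes the group, and the previously
    # hard-coded group "users" need not exist on this host.
    file_owner=$(stat -c '%U' -- "$PASSWORD_FILE")
    if [[ "$file_owner" != "$you" ]]; then
      warn "$PASSWORD_FILE is not owned by $you."
      warn "Trying to change owner ..."
      chown -- "$you" "$PASSWORD_FILE" || return 1
    fi

    return 0
  }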

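  # Pre-load the identity's AFS home directory into the local cache by walking
  # it and running "ls -l" on every entry.  Reads PITT_CELL and PITT_USERNAME
  # (set by go) and sets PITT_USER_HOME.  Only the two known cells are mapped;
  # anything else is a warning, not an error.  Returns 0 unless the last
  # "ls -l" of the walk failed.
  cache()
  {
    local entry

    case "$PITT_CELL" in
      pitt.edu)
        # pitt.edu places home directories under the first and second
        # characters of the username, so a shorter name cannot be mapped --
        # and an empty one would make the path cover the whole home tree.
        if (( ${#PITT_USERNAME} < 2 )); then
          warn "Username '$PITT_USERNAME' is too short to locate a pitt.edu home directory."
          warn "No caching performed."
          return 0
        fi
        PITT_USER_HOME="/afs/pitt.edu/home/${PITT_USERNAME:0:1}/${PITT_USERNAME:1:1}/$PITT_USERNAME"
        ;;
      cs.pitt.edu)
        PITT_USER_HOME="/afs/cs.pitt.edu/usr0/$PITT_USERNAME"
        ;;
      *)
        warn "Unrecognized cell $PITT_CELL."
        warn "No caching performed."
        return 0
        ;;
    esac

    printf 'Trying to cache home directory %s ...\n' "$PITT_USER_HOME"

    # NUL-delimited walk so names with whitespace or backslashes survive; the
    # listing output is discarded, fetching the metadata is the point.
    while IFS= read -r -d '' entry; do
      ls -l -- "$entry"
    done < <(find "$PITT_USER_HOME" -print0 2>/dev/null) >/dev/null 2>&1
  }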

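  # Obtain an AFS token for the identity with klog.  Reads PITT_USERNAME,
  # PITT_PASSWORD and PITT_CELL (set by go) plus PASSWORD_FILE.  The password
  # is deliberately never put on the klog command line, where every user on a
  # shared host could read it from the process list; "klog -pipe" takes it on
  # stdin, fed straight from the password file.  Returns 0 when klog succeeds,
  # 1 when the configuration is incomplete or klog fails.
  auth()
  {
    if [[ -z "$PITT_USERNAME" || -z "$PITT_PASSWORD" || -z "$PITT_CELL" ]]; then
      error "Pitt username, password, or cell is not set, or one of the files is not readable."
      error "Check $USERNAME_FILE, $PASSWORD_FILE, and $CELL_FILE."
      # Previously fell through and ran klog with empty arguments anyway.
      return 1
    fi

    printf 'Authenticating with Kerberos ...\n'

    if klog -pipe -principal "$PITT_USERNAME" -cell "$PITT_CELL" < "$PASSWORD_FILE"; then
      printf 'Logged in.\n'
      return 0
    fi

    error "Failed to log in."
    return 1
  }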

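  # Validate the identity's files, load their one-line contents into
  # PITT_USERNAME, PITT_PASSWORD and PITT_CELL, then run the selected ACTION.
  # Positional arguments are ignored.  Returns the status of checkConfig or of
  # the action; an ACTION outside the known pair is rejected with 1 rather
  # than executed as a command.
  go()
  {
    checkConfig || return $?

    # $(<file) reads without a fork and strips trailing newlines exactly as
    # the former `cat` substitution did.
    PITT_USERNAME=$(<"$USERNAME_FILE")
    PITT_PASSWORD=$(<"$PASSWORD_FILE")
    PITT_CELL=$(<"$CELL_FILE")

    # Dispatch explicitly instead of executing "$ACTION" as a command, so the
    # argument can only ever select one of these two functions.
    case "$ACTION" in
      auth) auth ;;
      cache) cache ;;
      *)
        error "Unknown action '$ACTION'."
        return 1
        ;;
    esac
  }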

  # Report the outcome for this identity.  A failure does not stop the loop:
  # the remaining identity directories are still processed.
  if go "$ACTION"; then
    printf 'Done.\n'
  else
    error "Problem.  Fix and try again."
  fi
done
