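#!/usr/bin/env bash
# SPDX-FileCopyrightText: Daniel Pätzold
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# Kwallet Setup to Secure Directory
#
# Kwallet is used for storing passwords for most KDE applications, like the Nextcloud client,
# the Talk app and many more. Usually Kwallet asks for a password to protect its encrypted file,
# but this makes logon non-interactive-unfriendly and is annoying for the user.
# Even worse: the first time you log on, the wallet is created with your current password. When
# that password changes on the domain, after the next logon you are asked for the OLD password,
# breaking every app that needs a stored password if the old password was lost.
# Instead we keep the wallet openable without a separate password, but store it at a secure place
# that is protected by the domain encryption.
#
# Basically this script checks whether the wallet file can be used without a password and whether
# it is located in the encrypted directory. Otherwise it sets up the wallet file inside the
# encrypted data directory and makes it usable.
#
# Required environment (provided by the calling wrapper, never set here):
#   DAVTOKEN_USER     marker that the prepared environment is present
#   DECRYPTEDDATADIR  root of the decrypted (domain-encrypted) data directory
#   SUDO_USER         the user the wallet is set up for
#   SUDO_HOME         that user's home directory
#   SCRIPTPATH/SCRIPTNAME are only used in the "needs root" message.
#
# Template files kdewallet.* and kwalletrc as well as qbus_wallet_exec.sh are looked up next to
# this script (the original used the caller's cwd for the templates) – TODO confirm they ship there.

set -euo pipefail

# die: print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

echo "Setup KWallet Password- Service."

# Check for root ($EUID is a bash builtin variable)
if (( EUID != 0 )); then
  die "Error: Script requires root. Please check if ${SCRIPTPATH:-}/${SCRIPTNAME:-} is in sudoers rules and if you are a member. And if executed via sudo."
fi

# Check token: without DAVTOKEN_USER we are not running inside the prepared environment.
if [[ -z "${DAVTOKEN_USER:-}" ]]; then
  die "Error: Script cannot be executed standalone and needs a prereserved Environment. Quit."
fi

# Local Vars
# The former SYNCCMD line stays disabled: it put DAVTOKEN_PASS into a command line, which is
# visible to every local user via ps. If it is ever revived, pass the secret via stdin or a file.
SCRIPT_DIR=$(cd "$(dirname -- "$0")" && pwd) || die "Error: cannot determine script directory."
readonly SCRIPT_DIR

WALLETNAME="kdewallet"
WALLETFILE="${WALLETNAME}.kwl"
# ${VAR:?} aborts on an unset/empty variable so the recursive rm/chown/chmod below can never
# operate on "/kwallet" or "/.local/share/kwalletd".
WALLETPATH="${DECRYPTEDDATADIR:?DECRYPTEDDATADIR must be set}/kwallet"
WALLETPATH_CFG="${SUDO_HOME:?SUDO_HOME must be set}/.local/share/kwalletd"
WALLETRC_DST="${SUDO_HOME}/.config/kwalletrc"
TARGET_USER="${SUDO_USER:?SUDO_USER must be set}"
# Primary group of the target user; "user:user" fails for accounts (e.g. domain accounts)
# whose primary group is not named like the user.
TARGET_GROUP=$(id -gn "$TARGET_USER") || die "Error: cannot determine primary group of ${TARGET_USER}."
QBUS_HELPER="${SCRIPT_DIR}/qbus_wallet_exec.sh"

# qbus: run the D-Bus helper with the given sub-command and arguments as TARGET_USER.
# The words are shell-quoted with printf %q so su -c receives exactly these arguments
# (plain paths only get backslash escapes, which any POSIX login shell understands).
qbus() {
  su -c "$(printf '%q ' "$QBUS_HELPER" "$@")" "$TARGET_USER"
}

# Stop the daemon anyway if running. Look it up for the target user – the same user it is
# restarted for below – rather than $USER, which sudo usually rewrites to root.
mapfile -t wallet_pids < <(pgrep -u "$TARGET_USER" kwalletd6 || true)
if (( ${#wallet_pids[@]} > 0 )); then
  # kill's own status decides; the previous code tested the status of the trailing sleep.
  if ! kill -- "${wallet_pids[@]}"; then
    die "Kwallet Service could not be stopped, please check why."
  fi
  sleep 0.5
fi

# Setup encrypted path if not existing already
mkdir -p -- "$WALLETPATH"

# Check if the wallet is already set up in the encrypted dir. If not, copy our empty default wallets to it.
if [[ ! -f "${WALLETPATH}/${WALLETFILE}" ]]; then
  echo "Wallet ${WALLETNAME} was not found, setting it up from scratch."
  rm -f -- "${WALLETPATH:?}"/*
  if ! cp -- "${SCRIPT_DIR}/${WALLETNAME}".* "$WALLETPATH"; then
    die "Error: Copy of files for Wallet ${WALLETNAME} failed."
  fi
fi
chown -R -- "${TARGET_USER}:${TARGET_GROUP}" "$WALLETPATH"
chmod -R -- u=rwX,og-rwx "$WALLETPATH"

# Unmount to have free vision to the directory (best effort: nothing may be mounted yet).
umount "$WALLETPATH_CFG" >/dev/null 2>&1 || true

# The mountpoint must exist for the bind mount below; on a fresh account it may not yet.
# Only the leaf is created (no -p) so that a missing ~/.local/share is reported instead of
# being silently created root-owned inside the user's home.
if [[ ! -d "$WALLETPATH_CFG" ]]; then
  mkdir -- "$WALLETPATH_CFG" || die "Error: cannot create ${WALLETPATH_CFG}."
  chown -- "${TARGET_USER}:${TARGET_GROUP}" "$WALLETPATH_CFG"
fi

# With every new start of KDE the files are recreated in ${WALLETPATH_CFG}, containing no passwords
# but encrypted with the current user password. We cannot use this wallet, so drop it.
rm -f -- "${WALLETPATH_CFG:?}"/*.*

# Always restore configuration with defaults – into the target user's home, which is the only
# place where the chown/chmod below make sense (sudo normally resets $HOME to root's home, so
# the previous $HOME/.config target pointed at root's configuration – TODO confirm on this host).
cp -f -- "${SCRIPT_DIR}/kwalletrc" "$WALLETRC_DST"
chown -- "${TARGET_USER}:${TARGET_GROUP}" "$WALLETRC_DST"
chmod -- u=rw,og-rwx "$WALLETRC_DST"

# Bind mount secure folder to wallet directory
echo "Mounting secure ${WALLETPATH} to wallet-directory ${WALLETPATH_CFG}"
if ! mount --bind "$WALLETPATH" "$WALLETPATH_CFG"; then
  die "Error bind mounting secure Files to Wallet. Please check what went wrong."
fi

# Restart the service as the target user, detached and silent.
su -c 'nohup kwalletd6 >/dev/null 2>&1 &' "$TARGET_USER"
sleep 1

# Check if kwalletd is enabled now. reconfigure is best effort; isEnabled is the real check.
qbus reconfigure || true
QB_RESULT=$(qbus isEnabled 2>/dev/null || true)
if [[ "$QB_RESULT" != "true" ]]; then
  printf '%s\n' "Error checking if kWallet service is activated. Cannot continue. Return of Check was:" >&2
  printf '%s\n' "$QB_RESULT" >&2
  exit 1
fi

# It should be possible to open the wallet without having to enter the password now.
echo "Checking if Wallet can be opened by the user. The Program should not ask for a password, maybe for confirmation to access the wallet which is ok."
echo "Please check to NOT have any Password asked now - if so, open kwalletmanager and change the password for wallet ${WALLETNAME} to nothing (by entering nothing when asked for new password)!"
WALLETAPPID="sys_config_wallet_script"
# Assign inside the condition so a failing helper reaches the message instead of tripping set -e.
if ! QB_RESULT=$(qbus open "$WALLETNAME" 0 "$WALLETAPPID"); then
  die "Some Error opening Wallet ${WALLETNAME}. Please check."
fi
echo "Sucessfully opened Wallet ${WALLETNAME} with ID ${QB_RESULT}."
exit 0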