#!/usr/bin/env sh
# SPDX-FileCopyrightText: Daniel Pätzold
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# Kwallet Setup to Secure Directory
#
# Kwallet will be used for storing passwords for most KDE- Applications, like for Nextcloud- Client, Talk app and many more.
# Usually Kwallet will set your first logon password for the wallet to have good encryption of your wallet file.
# But when the logon Password changes on the Domain, after new logon you will be asked and you need to know the OLD password
# If the old password was lost. This is a very bad situation, because you cannot recover your passwords.
# Instead we will use Walletfiles without a password, so stored data won't be lost.
# This requires to have them encrypted at a secure place by the domain-encryption that we always use for our Data
#
# Basically, this script checks, if the Walletfile can be used without password and if it is located in the encrypted directory for security.
# Otherwise it will setup a the Walletfile into the encrypted Data-Directory and make it useable.
#
echo "Setup KWallet Password- Service."

#Check for root
if [ "$EUID" -ne 0 ]; then
    echo "Error: Script requires root. Please check if ${SCRIPTPATH}/${SCRIPTNAME} is in sudoers rules and if you are a member. And if executed via sudo."
    exit 1
fi

#Check Token
if [ "${DAVTOKEN_USER}." == "." ]; then
    echo "Error: Script cannot be executed standalone and needs a prereserved Environment. Quit."
    exit 1
fi

if [[ -z $(wmctrl -m | grep "KWin") ]]; then
  # No KDE here - Cinnamon in Test
  exit 0
fi

#Local Vars
WALLETNAME="kdewallet"
WALLETFILE="${WALLETNAME}.kwl"
WALLETPATH="${DECRYPTEDDATADIR}/kwallet"
WALLETPATH_CFG="$SUDO_HOME/.local/share/kwalletd"

# Stop the daemon anyway if running
# kwallet and kwalletmanager are optional and only started when an app has been using them already
WALLET_PID=$( pgrep -u $SUDO_USER kwalletd6 )
if [[ ! -z ${WALLET_PID} ]]; then
  MANAGER_PID=$( pgrep -u $SUDO_USER kwalletmanager5 )
  if [[ ! -z ${MANAGER_PID} ]]; then
    echo "Stopping kwalletmanager5 with PID ${MANAGER_PID}"
    kill ${MANAGER_PID}
    if [[ $? -ne 0 ]]; then
      echo "Service could not be stopped, please check why."
      exit 1
    fi
  fi
  kill ${WALLET_PID} && sleep 0.5 && echo "Service kwalletd6 (${WALLET_PID}) was stopped."
  if [[ $? -ne 0 ]]; then
    echo "Kwallet Service could not be stopped, please check why."
    exit 1
  fi
fi
# ksecret is the basic daemon now, it needs to be stopped last
SECTRETS_PID=$( pgrep -u $SUDO_USER ksecretd )
if [[ ! -z ${SECTRETS_PID} ]]; then
  echo "Stopping ksecretd with PID ${SECTRETS_PID}"
  kill ${SECTRETS_PID} && sleep 0.5
  if [[ $? -ne 0 ]]; then
    echo "Service could not be stopped, please check why."
    exit 1
  fi
fi

#Setup encrypted path if not existing already
mkdir -p ${WALLETPATH}
#Check, if wallet ist already setup in encryted dir. If not, copy our empty deafult wallets to it
if [ ! -f "${WALLETPATH}/${WALLETNAME}.kwl" ]; then
  echo "Wallet ${WALLETNAME} was not found, setting it up from scratch."
  rm -f ${WALLETPATH}/*
  cp ${WALLETNAME}.* ${WALLETPATH}
  if [[ $? -ne 0 ]]; then
    echo "Error: Copy of files for Wallet ${WALLETNAME} failed."
    exit 1
  fi
else
  echo "Will use existing encrypted Wallet in ${WALLETPATH}/${WALLETNAME}.kwl"
fi
chown $SUDO_USER:$SUDO_USER ${WALLETPATH} -R
chmod u=rwX,og-rwx ${WALLETPATH} -R

#Unmount to have free vision to Directory
if grep -q ""${WALLETPATH_CFG}"" "/etc/mtab"; then
  echo "Umount of Wallet-Config ${WALLETPATH_CFG}"
  umount ${WALLETPATH_CFG}
  if [[ $? -ne 0 ]]; then
    echo "Error in unmount. Please check."
    exit 1
  fi
fi

#With every new start of KDE the Files will be recreated in ${WALLETPATH_CFG} containing no passwords but enrcypted with current user password
#We cannot use this wallet, so drop it
rm -f ${WALLETPATH_CFG}/*.*

#Always restore configuration with defaults
cp -f kwalletrc $HOME/.config/
chown $SUDO_USER:$SUDO_USER $HOME/.config/kwalletrc
chmod u=rw,og-rwx $HOME/.config/kwalletrc

#Bind mount secure folder to wallet directory
echo "Mounting secure ${WALLETPATH} to wallet-directory ${WALLETPATH_CFG}"
mount --bind ${WALLETPATH} ${WALLETPATH_CFG}
if [[ $? -ne 0 ]]; then
  echo "Error bind mounting secure Files to Wallet. Please check what went wrong."
  exit 1
fi

exit 0