#!/usr/bin/perl
# ---------------------------------------------------------------------------
# Copyright (C) 2000 TJ Saunders <tj@digisle.net>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307, USA.
#
# Based on MacGuyver's genuser.pl script, this script generates password
# files suitable for use with proftpd's AuthUserFile directive, in passwd(5)
# format, or AuthGroupFile, in group(5) format.  The idea is somewhat similar
# to Apache's htpasswd program.
#
#  $Id: ftpasswd,v 1.4 2001/01/11 00:17:21 tj Exp $
#  $Source: /home/tj/proftpd/scripts/ftpasswd/RCS/ftpasswd,v $
#
# ---------------------------------------------------------------------------

use strict;

use File::Basename qw(basename);
use Getopt::Long;

my $program = basename($0);
my $default_passwd_file = "./ftpd.passwd";
my $default_group_file = "./ftpd.group";
my $shell_file = "/etc/shells";
my $default_cracklib_dict = "/usr/lib/cracklib_dict";
my $cracklib_dict;

my @data;

my %opts = ();
GetOptions(\%opts, "enable-group-passwd", "F|file=s", "f|force", "gid=n",
  "group", "h|help", "home=s", "m|member=s@", "name=s", "passwd", "shell=s",
  "uid=n", "use-cracklib:s");

usage() if (defined($opts{'h'}));

my $output_file = $ARGV[0];

# check if "use-cracklib" was given as an option, and whether a path
# to other dictionary files was given.
if (defined($opts{'use-cracklib'})) {

  # make sure that Crypt::Cracklib is installed before trying to use
  # it later
  eval { require Crypt::Cracklib };
  die "$program: --use-cracklib requires Crypt::Cracklib to be installed\n" if $@;

  if ($opts{'use-cracklib'} ne "") {
    $cracklib_dict = $opts{'use-cracklib'};

  } else {
    $cracklib_dict = $default_cracklib_dict;
  }
}

# make sure that both passwd and group modes haven't been simultaneously
# requested

if (exists($opts{'passwd'}) && exists($opts{'group'})) {
  die "$program: please use either --passwd or --group, not both\n";

} elsif (defined($opts{'passwd'})) {

  # make sure that the required arguments are present
  die "$program: --passwd: missing required argument: --home\n"
    unless (defined($opts{'home'}));

  die "$program: --passwd: missing required argument: --name\n"
    unless (defined($opts{'name'}));

  die "$program: --passwd: missing required argument: --shell\n"
    unless (defined($opts{'shell'}));

  die "$program: --passwd: missing required argument: --uid\n"
    unless (defined($opts{'uid'}));

  # As per Flying Hamster's suggestion, have $opts{'gid'} default to --uid
  # if none are specified on the command-line via --gid
  unless (defined($opts{'gid'})) {
    $opts{'gid'} = $opts{'uid'};
    warn "$program: --passwd: missing --gid argument: default gid set to uid\n";
  }

  # determine to which file to write the passwd entry
  if (defined($opts{'F'})) {
    $output_file = $opts{'F'};
  } else {
    $output_file = $default_passwd_file;
  }

  open_output_file();

  handle_passwd_entry(gid => $opts{'gid'}, home => $opts{'home'},
    name => $opts{'name'}, shell => $opts{'shell'}, uid => $opts{'uid'});

  close_output_file();

  # NOTE: if this process is not running as root, then the file generated
  # is not owned by root.  Issue a warning reminding the user to make the
  # generated file mode 0400, owned by root, before using it.

} elsif (defined($opts{'group'})) {

  # make sure the required options are present
  die "$program: -group: missing required argument: --gid\n"
    unless (defined($opts{'gid'}));

  die "$program: -group: missing required argument: --name\n"
    unless (defined($opts{'name'}));

  # determine to which file to write the group entry
  if (defined($opts{'F'})) {
    $output_file = $opts{'F'};
  } else {
    $output_file = $default_group_file;
  }

  open_output_file();

  handle_group_entry(gid => $opts{'gid'}, members => $opts{'member'},
    name => $opts{'name'});

  close_output_file();

} else {
  die "$program: missing required --passwd or --group\n$program: use $program --help for details on usage\n\n";
}

# done
exit 0;

# ----------------------------------------------------------------------------
sub check_shell {
	my %args = @_;

  my $shell = $args{'shell'};
  my $result = 0;

  # check the given shell against the list in /etc/shells.  If not present
  # there, issue a message recognizing this, and suggesting that
  # RequireValidShell be set to off, and that any necessary PAM modules be
  # adjusted.

  unless (open(SHELLS, "< $shell_file")) {
    warn "$program: unable to open $shell_file: $!\n";
    warn "$program: skipping check of $shell_file\n";
    return;
  }

  while(my $line = <SHELLS>) {
    chomp($line);

    if ($line eq $shell) {
      $result = 1;
      last;
    } 
  }

  close(SHELLS);

  unless ($result) {
    print STDOUT "\n$program: $shell is not among the valid system shells.  Use of\n";
    print STDOUT "$program: the RequireValidShell may be required, and the PAM\n";
    print STDOUT "$program: module configuration may need to be adjusted.\n\n";
  }

  return $result;
}

# ----------------------------------------------------------------------------
sub close_output_file {
  my %args = @_;

  # set the permissions appropriately, ie 0444, before closing the file
  chmod 0444, $output_file;

  close(OUTPUT) or die "$program: unable to close $output_file: $!\n";
}

# ----------------------------------------------------------------------------
sub get_passwd {
  my %args = @_;
  my ($passwd, $passwd2);

  # prompt for the password to be used
  system "stty -echo";
  print STDOUT "\nPassword:";
  chomp($passwd = <STDIN>);
  print STDOUT "\n";
  system "stty echo";

  # prompt again, to make sure the user typed in the password correctly
  system "stty -echo";
  print STDOUT "Re-type password:";
  chomp($passwd2 = <STDIN>);
  print STDOUT "\n\n";
  system "stty echo";

  if ($passwd2 ne $passwd) {
    print STDOUT "Passwords do not match.  Please try again.\n";
    return get_passwd();
  }

  if ($args{'allow_blank'} and $passwd eq "") {
    return "";
  }

  # check for BAD passwords, BLANK passwords, etc, if requested
  if (defined($opts{'use-cracklib'})) {
    require Crypt::Cracklib;
    if (!Crypt::Cracklib::check($passwd, $cracklib_dict)) {
      print STDOUT "Bad password: ", Crypt::Cracklib::fascist_check($passwd,
        $cracklib_dict), "\n";
      return get_passwd();
    }
  }

  # generate a random DES salt
  my $salt = join '', ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64];

  # NOTE: how to generate MD5 passwords, if the system's library permits it?

  # now encrypt the given passwd, using the salt
  return crypt($passwd, $salt);
}

# ----------------------------------------------------------------------------
sub handle_group_entry {
  my %args = @_;

  my $gid = $args{'gid'};
  my $members = "";
  if (defined($args{'members'})) {
    $members = join(',', @{ $args{'members'} });
  }
  my $name = $args{'name'};
  my $passwd;

  # check to see whether we should update the fields for this group (because
  # it already exists), or to create a new entry

  my $found = 0;
  for (my $index = 0; $index <= $#data; $index++) {
    my @entry = split(':', $data[$index]);

    if ($name eq $entry[0]) {
      print STDOUT "$program: updating group entry for group $name\n";

      # remove the entry to be updated
      splice(@data, $index, 1);

      $found = 1;
    }
  }

  unless ($found) {
    print STDOUT "$program: creating group entry for group $name\n";
  }

  # if present, add the members given to the group.  If none, just leave that
  # field blank

  # prompt for the group password, if requested
  if (defined($opts{'enable-group-passwd'})) {
    $passwd = get_passwd(allow_blank => 1);

  } else {
    $passwd = "x";
  }

  # format: $name:$passwd:$gid:$members
  push(@data, "$name:$passwd:$gid:$members");

  # always sort by GIDs before printing out the file
  @data = map { $_->[0] }
          sort {
                $a->[3] <=> $b->[3]
               }
          map { [ $_, (split /:/)[0, 1, 2, 3] ] }
          @data;
 
  foreach my $line (@data) {
    print OUTPUT "$line\n";
  }

  unless ($found) {
    print STDOUT "$program: entry created\n";

  } else {
    print STDOUT "$program: entry updated\n";
  }
}

# ----------------------------------------------------------------------------
sub handle_passwd_entry {
  my %args = @_;

  my $gid = $args{'gid'};
  my $home = $args{'home'};
  my $name = $args{'name'};
  my $shell = $args{'shell'};
  my $uid = $args{'uid'};

  # trim any trailing slashes in $home
  $home =~ s/(.*)\/$/$1/ if ($home =~ /\/$/);

  # leave the gecos field blank -- the user can add their own comments
  # to the generated file later; proftpd doesn't check or use this field.
  my $gecos = "";

  # check to see whether we should update the fields for this user (because
  # they already exist), or create a new entry

  my $found = 0;
  for (my $index = 0; $index <= $#data; $index++) {
    my @entry = split(':', $data[$index]);

    if ($name eq $entry[0]) {
      print STDOUT "$program: updating passwd entry for user $name\n";

      # remove the entry to be updated
      splice(@data, $index, 1);

      $found = 1;
    }
  }

  unless ($found) {
    print STDOUT "$program: creating passwd entry for user $name\n";
  }

  # check the requested shell against the list in /etc/shells
  check_shell(shell => $shell);

  # prompt the user for the password
  my $passwd = get_passwd();

  # format: $name:$passwd:$uid:$gid:$gecos:$home:$shell
  push(@data, "$name:$passwd:$uid:$gid:$gecos:$home:$shell");

  # always sort by UIDs before printing out the file
  @data = map { $_->[0] }
          sort {
                $a->[3] <=> $b->[3]
               }
          map { [ $_, (split /:/)[0, 1, 2, 3, 4, 5, 6] ] }
          @data;

  foreach my $line (@data) {
    print OUTPUT "$line\n";
  }

  unless ($found) {
    print STDOUT "$program: entry created\n";

  } else {
    print STDOUT "$program: entry updated\n";
  }
}

# ----------------------------------------------------------------------------
sub open_output_file {
  my %args = @_;

  # open $output_file, paying attention to the --force command-line option
  # If the file already exists, slurp up its contents for later updating.

  if (-f $output_file) {
    open(INPUT, "< $output_file") or
      die "$program: unable to open $output_file: $!\n";
    chomp(@data = <INPUT>);
    close(INPUT);
  }

  open(OUTPUT, "> $output_file") or
    die "$program: unable to open $output_file: $!\n";

  # if the --force option was given, just zero out any data that might have
  # been read in, effectively erasing whatever contents there were.  A new
  # file is generated, anyway -- it's just a question of what data goes into
  # it

  @data = () if (defined($opts{'f'}));
}

# ----------------------------------------------------------------------------
sub usage {

	print STDOUT <<END_OF_USAGE;

usage: $program [ -h ] [ --group | --passwd ]

  If used with --passwd, $program creates a file in the passwd(5) format,
  suitable for use with proftpd's AuthUserFile configuration directive.
  You will be prompted for the password to use of the user, which will be
  encrypted, and written out as the encrypted string.
 
  By default, using --passwd will write output to "$default_passwd_file".
 
  Options:
    -F          write output to specified file, rather than "$default_passwd_file"
    --file

    -f          if the file to be used already exists, delete it and write a
    --force     new one.

    --gid       primary group ID for this user (optional, will default to
                given --uid value if absent)

    -h          displays this message
    --help

    --home      home directory for the user (required)

    --name      name of the user account (required).  If the name does not
                exist in the specified output-file, an entry will be created
                for her.  Otherwise, the given fields will be updated.

    --shell     shell for the user (required).  Recommended: /bin/false

    --uid       numerical user ID (required)

    --use-cracklib
                causes $program to use Alec Muffet's cracklib routines in
                order to determine and prevent the use of bad or weak
                passwords.  The optional path to this option specifies
                the path to the dictionary files to use -- default path
                is "$default_cracklib_dict".  This requires the Perl
                Crypt::Cracklib module to be installed on your system.

  If used with --group, $program creates a file in the group(5) format,
  suitable for use with proftpd's AuthGroupFile configuration directive.

  By default, using --group will write output to "$default_group_file".

  Options:
    --enable-group-passwd
                prompt for a group password.  This is disabled by default.

    -F          write output to specified file, rather than "$default_group_file"
    --file

    -f          if the file be used already exists, delete it and write a new
    --force     one.

    --gid       numerical group ID (required)

    -h
    --help      displays this message

    -m
    --member    user to be a member of the group.  This argument may be used
                multiple times to specify the full list of users to be members
                of this group.

    --name      name of the group (required).  If the name does not exist in
                the specified output-file, an entry will be created for them.
                Otherwise, the given fields will be updated.

    --use-cracklib
                causes $program to use Alec Muffet's cracklib routines in
                order to determine and prevent the use of bad or weak
                passwords.  The optional path to this option specifies
                the path to the dictionary files to use -- default path
                is "$default_cracklib_dict".  This requires the Perl
                Crypt::Cracklib module to be installed on your system.

END_OF_USAGE

  exit 0;
}

# ---------------------------------------------------------------------------
