#!/bin/bash -e
#
# Copyright (c) 2019-2020 AT&T intellectual property.
# All rights reserved.
# 
# Copyright (c) 2014, 2016-2017 Brocade Communications Systems, Inc.
# All rights reserved.
#
# SPDX-License-Identifier: GPL-2.0-only

CHAIN_PRIO=$1

if [ "enforce" = "$2" ]; then
	ENFORCE="auth_err=bad user_unknown=bad"
fi

PAM_CONTROL="success=end default=ignore $ENFORCE"

PAM_SSS_PARAMS="domains=vyatta_system_tacplus"
PAM_SSS_MODULE="pam_sss.so"

cat << EOF > /usr/share/pam-configs/vyatta-sssd-tacacs
Name: Vyatta SSSD TACACS+ authentication for system users
Default: yes
Priority: $CHAIN_PRIO
Auth-Type: Primary
Auth:
        [$PAM_CONTROL] $PAM_SSS_MODULE use_first_pass $PAM_SSS_PARAMS
Auth-Initial:
        [$PAM_CONTROL] $PAM_SSS_MODULE forward_pass $PAM_SSS_PARAMS
Session-Type: Additional
Session-Interactive-Only: yes
Session:
        optional        pam_mkhomedir.so skel=/etc/skel/ umask=0022
Account-Type: Additional
Account:
EOF

if [ -z "$ENFORCE" ]; then
	cat << EOF >> /usr/share/pam-configs/vyatta-sssd-tacacs
	[default=bad success=ok user_unknown=ignore system_err=ignore authinfo_unavail=ignore] pam_sss.so domains=vyatta_system_tacplus
EOF
else
	cat << EOF >> /usr/share/pam-configs/vyatta-sssd-tacacs
	[success=2 default=ignore] pam_succeed_if.so uid < 1000 service in cron:atd
	[default=bad success=ok user_unknown=ignore system_err=1 authinfo_unavail=1] pam_sss.so domains=vyatta_system_tacplus
	[success=bad default=ignore] pam_localuser.so
EOF
fi

DEBIAN_FRONTEND=noninteractive pam-auth-update
