#!/bin/bash
trap '' INT KILL

# don't run as operators 
if ! groups | grep -q vyattacfg; then
  exit 0
fi

# don't run if we've already done this, 
# the commit system will handle the invalid password
if [ -e /opt/vyatta/etc/.nofirstpasswd ]; then
  exit 0
fi

# don't run on livecd installer will do the check
if grep -q -e '^unionfs.*/filesystem.squashfs' /proc/mounts; then
  exit 0
fi

API=/bin/cli-shell-api

session_env=$($API getSessionEnv $PPID)
eval $session_env
$API setupSession

exit_configure ()
{
  $API teardownSession
  echo -n 'export -n VYATTA_CONFIG_TMP; '
  echo -n 'export -n VYATTA_CHANGES_ONLY_DIR; '
  echo -n 'export -n VYATTA_ACTIVE_CONFIGURATION_DIR; '
  echo -n 'export -n VYATTA_TEMPLATE_LEVEL; '
  echo -n 'export -n VYATTA_CONFIG_TEMPLATE; '
  echo -n 'export -n VYATTA_TEMP_CONFIG_DIR; '
  echo -n 'export -n VYATTA_EDIT_LEVEL; '
}

set ()
{
  /opt/vyatta/sbin/my_set $*
}

commit ()
{
  /opt/vyatta/sbin/my_commit "$@"
}

save ()
{
  # do this the same way that vyatta-cfg does it
  local save_cmd=/opt/vyatta/sbin/vyatta-save-config.pl
  eval "sudo sg vyattacfg \"umask 0002 ; $save_cmd\""
}

show ()
{
  $API showCfg "$@"
}

change_password() {
  local user=$1
  local pwd1="1"
  local pwd2="2"

  echo "Invalid password detected for user $user"
  echo "Please enter a new password"
  until [[ "$pwd1" == "$pwd2" && "$pwd1" != "vyatta" ]]; do
    read -p "Enter $user password:" -r -s pwd1 <>/dev/tty 2>&0
    echo
    if [[ "$pwd1" == "" ]]; then
      echo "'' is not a valid password"
      continue
    fi
    read -p "Retype $user password:" -r -s pwd2 <>/dev/tty 2>&0
    echo

    if [[ "$pwd1" != "$pwd2" ]]; then 
      echo "Passwords do not match"
      continue
    fi
    if [[ "$pwd1" == "vyatta" ]]; then
      echo "'vyatta' is not a vaild password"
      continue
    fi 
  done

  # escape any slashes in resulting password
  local epwd=$(mkpasswd -H md5 "$pwd1" | sed 's:/:\\/:g')
  set system login user $user authentication plaintext-password "$pwd1"
  commit
  save
}

for user in $($API listEffectiveNodes system login user); do
  user=${user//\'/}
  epwd=$(show system login user $user authentication encrypted-password)
  epwd=$(awk '{ print $2 }' <<<$epwd)
  salt=$(awk 'BEGIN{ FS="$" }; { print $3 }' <<<$epwd)
  vyatta_epwd=$(mkpasswd -H md5 -S $salt vyatta)
  if [[ $epwd == $vyatta_epwd ]]; then
     change_password $user
  fi
done
eval $(exit_configure)
sudo touch /opt/vyatta/etc/.nofirstpasswd