#!/usr/bin/bash

# Verify all the config files were not touched by the user. Do not try to
# enable oslogin if the user has messed with them

if [ -e '/etc/pam.d/sshd' ]; then
	echo '/etc/pam.d/sshd already exists. Not enabling OS Login'
	exit 0
fi

if [ "$(readlink -f /etc/nsswitch.conf)" != '/usr/share/baselayout/nsswitch.conf' ]; then
	echo '/etc/nsswitch.conf is not a symlink to /usr/share/baselayout/nsswitch.conf. Not enabling OS Login'
	exit 0
fi

if [[ ! -d '/etc/ssh/sshd_config.d' ]]; then
	echo 'No /etc/ssh/sshd_config.d directory. Not enabling OS Login'
	exit 0
fi

if ! grep --fixed-strings --no-messages --silent 'Include "/etc/ssh/sshd_config.d/*.conf"' '/etc/ssh/sshd_config'; then
	echo '/etc/ssh/sshd_config does not include configuration snippets in /etc/ssh/sshd_config.d. Not enabling OS Login'
	exit 0
fi

# Actually start enabling things. Die if we fail.
set -e

mkdir -m 0750 -p '/var/lib/google-sudoers.d'
mkdir -m 0750 -p '/var/lib/google-users.d'
ln -f -s '/usr/share/google-oslogin/pam_sshd' '/etc/pam.d/sshd'
ln -f -s '/usr/share/google-oslogin/nsswitch.conf' '/etc/nsswitch.conf'
ln -f -s '/usr/share/google-oslogin/60-flatcar-google-oslogin.conf' '/etc/ssh/sshd_config.d/60-flatcar-google-oslogin.conf'
ln -f -s '/usr/share/google-oslogin/oslogin-sudoers' '/etc/sudoers.d/oslogin-sudoers'
ln -f -s '/usr/share/google-oslogin/group.conf' '/etc/security/group.conf'
