/*
   SMArT

   Check username/password combination using PAM and require membership in
   the configured SMArT administrator Unix group.

   Copyright 2001 Wilmer van der Gaast
   Updated for MARS_NWE SMArT group-restricted login.

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 2 of the License, or
   (at your option) any later version.
*/

#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <security/pam_appl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

int my_conv(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr);
static int user_in_group(const char *username, const char *groupname);

static struct pam_conv conv = {
	my_conv,
	NULL
};

char *user;
char *pass;

int main( int argc, char **argv )
{
	pam_handle_t *pamh = NULL;
	int retval, st = 1;
	const char *admin_group;

	if( argc < 4 )
	{
		fprintf( stderr, "Usage: %s <user> <password> <admin-group>\n", argv[0] );
		return( 3 );
	}

	user = argv[1];
	pass = argv[2];
	admin_group = argv[3];

	if( user == NULL || user[0] == '\0' ||
	    pass == NULL ||
	    admin_group == NULL || admin_group[0] == '\0' )
	{
		return( 3 );
	}

	retval = pam_start( "smart", user, &conv, &pamh );
	if( retval == PAM_SUCCESS )
		retval = pam_authenticate( pamh, PAM_SILENT );
	if( retval == PAM_SUCCESS )
		st = retval = pam_acct_mgmt( pamh, PAM_SILENT );

	if( pamh != NULL && pam_end( pamh, retval ) != PAM_SUCCESS )
		return( 1 );

	if( st != PAM_SUCCESS )
		return( 1 );

	if( ! user_in_group( user, admin_group ) )
		return( 2 );

	return( 0 );
}

static int user_in_group(const char *username, const char *groupname)
{
	struct passwd *pw;
	struct group *gr;
	int ngroups = 0;
	gid_t *groups;
	int i;

	if( username == NULL || username[0] == '\0' ||
	    groupname == NULL || groupname[0] == '\0' )
	{
		return( 0 );
	}

	pw = getpwnam( username );
	gr = getgrnam( groupname );

	if( pw == NULL || gr == NULL )
	{
		return( 0 );
	}

	if( pw->pw_gid == gr->gr_gid )
	{
		return( 1 );
	}

#if defined(__linux__) || defined(__GLIBC__)
	/*
	   getgrouplist() asks NSS for supplementary groups, so files, LDAP, SSSD,
	   NIS, etc. follow the local nsswitch.conf configuration.
	*/
	getgrouplist( username, pw->pw_gid, NULL, &ngroups );

	if( ngroups > 0 )
	{
		groups = calloc( (size_t) ngroups, sizeof( gid_t ) );

		if( groups != NULL )
		{
			if( getgrouplist( username, pw->pw_gid, groups, &ngroups ) >= 0 )
			{
				for( i = 0; i < ngroups; i++ )
				{
					if( groups[i] == gr->gr_gid )
					{
						free( groups );
						return( 1 );
					}
				}
			}

			free( groups );
		}
	}
#endif

	/*
	   Portable fallback: check the group's explicit member list.
	*/
	if( gr->gr_mem != NULL )
	{
		for( i = 0; gr->gr_mem[i] != NULL; i++ )
		{
			if( strcmp( gr->gr_mem[i], username ) == 0 )
			{
				return( 1 );
			}
		}
	}

	return( 0 );
}

int my_conv(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr)
{
	struct pam_response *reply;
	int i;

	(void) msg;
	(void) appdata_ptr;

	reply = (struct pam_response *) calloc( (size_t) num_msg, sizeof( struct pam_response ) );
	if( reply == NULL )
	{
		return( PAM_BUF_ERR );
	}

	for( i = 0; i < num_msg; i ++ )
	{
		reply[i].resp = (char *) strdup( pass );	/* Just give the password... It's all we know */
		reply[i].resp_retcode = 0;
	}

	*resp = reply;

	return( PAM_SUCCESS );
}