#!/bin/bash
# Get an AFS token for the given user.
#
# This is used to deliver mail with the appropriate credentials.
#
# Usage:
#
# get-token $USER
# - If user is root, call this script as $USER
#
# get-token $USER norecurse
# - Don't recursively call this script, even if user if root

REALUSER=$(whoami)
USER=$1
LOGFILE=/var/local/mail-tokens/weird-error.log

echo "`date` $REALUSER $USER (`groups`): $@" >> $LOGFILE
#ps -eo euser,ruser,suser,fuser,comm,pid --ppid=$PPID --pid=$PPID --forest >> $LOGFILE

if test "$REALUSER" = "root"; then
    if test "$2" = "norecurse"; then
        echo "Error: running as root even after trying to change to $USER" \
            >> $LOGFILE
        exit 1
    fi

    # Decide whether the user exists: getent returns 0 error code if so
    getent passwd "$USER" >/dev/null
    if test $? -ne 0; then
        echo "$USER is not a local user, so ignoring them" \
            >> $LOGFILE
        exit 1
    else
        USER=$(getent passwd "$1" | cut -d':' -f 1)
        exec sudo -u $USER -- $0 $1 norecurse
    fi
fi

# Make sure USER exists, and resolve UIDs to a login name
USER=$(getent passwd "$USER" | cut -d':' -f 1)
LOGFILE=/var/local/mail-tokens/get-token-log.$USER

if test -z "$USER"; then
    echo "$USER is not a local user, so ignoring them" \
        >> /var/local/mail-tokens/weird-error.log
    exit 1
fi

# fuse stdin and stderr
exec 2>&1

# all future output goes to this file
exec >& $LOGFILE

# print name of user
echo "Running as user $REALUSER"

# debugging output
if test "$2" = "debug"; then
    shift; shift
    echo "Debugging output: $*"
fi

date
groups

# set the credentials cache
export KRB5CCNAME=FILE:/var/local/mail-tokens/krb5cc_$USER.email

# eliminate any previous tokens
#kdestroy
#unlog
KEYTAB=/etc/keytabs/user.daemon/$USER

# display command-to-be-invoked as a sanity check
set -x

(
flock -s 666
krenew -vtH 30 || (kinit -V -kt $KEYTAB $USER/daemon@HCOOP.NET && aklog)

# list tokens, for the sake of debugging
tokens

) 666>/var/local/mail-tokens/lock.$USER