File: //lib/ccron/ccron-prepare.sh
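#!/bin/sh
#
# ccron-prepare.sh - prepare customer cron inside a cbi chroot.
#
# Creates the directory tree under /homepages/config/cron, points the cron
# spool directory (/var/spool/cron) at it and regenerates cron's allow or
# deny file from the passwd database.
#
# Configuration is read from the environment; defaults in brackets:
#   CCRON_USERS_CAN_EDIT   may customers edit their crontabs themselves? [yes]
#   CCRON_ACCESS_CONTROL   "allow" (whitelist) or "deny" (blacklist)     [allow]
#   CCRON_USER_PATTERN     awk ERE a user name has to match              [^([pu]|www\\.).+]
#   CCRON_SHELL_PATTERN    awk ERE the login shell has to match          [^/bin/bash$]
#   CCRON_MIN_UID          lowest UID that is allowed to use cron        [1000]
#
# Exits non-zero when not running chrooted, when /var/spool is not a mount
# point, when CCRON_MIN_UID is not an integer or when getent keeps failing.
set -e

# die MESSAGE... - print "<script>: MESSAGE" on stderr and exit 1
die() {
  printf '%s: %s\n' "$0" "$*" >&2
  exit 1
}

dest="/homepages/config/cron"
CCRON_USERS_CAN_EDIT=${CCRON_USERS_CAN_EDIT:-yes}
CCRON_ACCESS_CONTROL=${CCRON_ACCESS_CONTROL:-allow}
CCRON_USER_PATTERN=${CCRON_USER_PATTERN:-'^([pu]|www\\.).+'}
CCRON_SHELL_PATTERN=${CCRON_SHELL_PATTERN:-'^/bin/bash$'}
CCRON_MIN_UID=${CCRON_MIN_UID:-1000}
CRONTAB_GROUP=crontab

# The UID floor is compared numerically by awk below; anything that is not
# a plain integer would silently turn that into a string comparison.
case "$CCRON_MIN_UID" in
  ''|*[!0-9]*) die "CCRON_MIN_UID must be a non-negative integer (got '$CCRON_MIN_UID')" ;;
esac

# Spool directory mode: sticky bit plus owner rwx in both cases.  The crontab
# group may only traverse the directory (1710) or, when customers may edit
# their own crontabs, also create and remove entries in it (1730); listing
# the directory stays denied for the group either way.
if [ "$CCRON_USERS_CAN_EDIT" = yes ]; then
  CRONTAB_DIR_PERMS=1730
else
  CRONTAB_DIR_PERMS=1710
fi

#
# Preconditions
#
# This script only makes sense inside the chroot.
if ! ischroot; then
  die "not running chrooted"
fi
# This cbi chroot has no writable (bind-mounted) spool dir without this.
if ! mountpoint -q /var/spool; then
  die "/var/spool is not a mount point"
fi

#
# Ensure the directory structure in /homepages/config/cron
#
install -o root -g root -m 0711 -d "$dest"
install -o root -g "$CRONTAB_GROUP" -m "$CRONTAB_DIR_PERMS" -d "$dest/crontabs"
install -o root -g root -m 0700 -d "$dest/tabak"

# Migrate a legacy real "tabs" directory into "crontabs".  A file whose name
# already exists in crontabs is parked in tabak instead of overwriting it.
# The files are handed to the inner shell as arguments, so names with
# whitespace survive.  rmdir (and thus the script, via set -e) fails if
# anything other than regular files was left behind in tabs.
if [ ! -h "$dest/tabs" ] && [ -d "$dest/tabs" ]; then
  find "$dest/tabs/" -type f -exec sh -c '
    set -e
    dest=$1; shift
    for file in "$@"; do
      tab=${file##*/}
      if [ -f "$dest/crontabs/$tab" ]; then
        mv -- "$file" "$dest/tabak/"
      else
        mv -- "$file" "$dest/crontabs/"
      fi
    done' sh "$dest" {} +
  rmdir "$dest/tabs"
fi
# Legacy clean-up: a character device named "log" is removed (its origin is
# not documented here).
if [ -c "$dest/log" ]; then
  rm -- "$dest/log"
fi
# Keep "tabs" available as a compatibility symlink to "crontabs".
if [ ! -e "$dest/tabs" ]; then
  ln -s crontabs "$dest/tabs"
fi

#
# Link the cron spool dir to /homepages/config
#
# NOTE(review): an existing real directory at $src is removed together with
# its contents before the symlink is created - confirm nothing in there ever
# needs to be migrated.  readlink is only run when $src is a symlink.
src="/var/spool/cron"
if [ ! -L "$src" ] || [ "$(readlink "$src")" != "$dest" ]; then
  rm -rf -- "${src:?}"
  ln -s "$dest" "$src"
fi

#
# Fetch passwd entries (up to 10 attempts, 0.1 s apart; the fractional
# sleep is a GNU extension that was already relied upon)
#
tries=10
while :; do
  if passwd=$(getent passwd); then
    break
  fi
  tries=$((tries - 1))
  [ "$tries" -gt 0 ] || die "getent passwd failed multiple times."
  sleep 0.1
done

#
# Create allow (whitelist) or deny (blacklist)
#
allow="$dest/allow"
deny="$dest/deny"

# awk condition selecting passwd entries that comply with the policy:
# UID ($3) at or above the floor, login shell ($7) and user name ($1)
# matching their patterns.  The values are handed to awk with -v instead of
# being spliced into the program text, so a pattern can never be parsed as
# awk code.  awk processes backslash escapes in -v values exactly as in
# string literals, so the default pattern's "\\." still means a literal dot,
# as it did before.
AWK_USERS_FILTER='$3 >= min_uid && $7 ~ shell_pat && $1 ~ user_pat'

case "$CCRON_ACCESS_CONTROL" in
  deny)
    # blacklist: users NOT complying with the filter are denied
    list=$deny
    other=$allow
    negate='!'
    ;;
  allow)
    # whitelist: only users complying with the filter are allowed
    list=$allow
    other=$deny
    negate=''
    ;;
  *)
    # unknown value: fall back to the whitelist (the restrictive mode),
    # but say so instead of defaulting silently
    printf '%s: unknown CCRON_ACCESS_CONTROL "%s", using "allow"\n' \
      "$0" "$CCRON_ACCESS_CONTROL" >&2
    list=$allow
    other=$deny
    negate=''
    ;;
esac
awk_prog='{ if ('"$negate"'('"$AWK_USERS_FILTER"')) print $1 }'

# Build the new list in a temporary file next to its destination, fix
# ownership and mode first, then rename it into place (same directory, so
# the replacement is atomic).  The trap removes the temporary file if
# anything fails before the rename.
list_new=$(mktemp -p "$dest" "${list##*/}.XXXXXX")
trap 'rm -f -- "$list_new"' EXIT
printf '%s\n' "$passwd" | awk -F: \
  -v min_uid="$CCRON_MIN_UID" \
  -v shell_pat="$CCRON_SHELL_PATTERN" \
  -v user_pat="$CCRON_USER_PATTERN" \
  "$awk_prog" > "$list_new"
chown "root:$CRONTAB_GROUP" "$list_new"
chmod 0640 "$list_new"
mv -- "$list_new" "$list"
# Only one policy file may be in effect; drop the other one.
rm -f -- "$other"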