/* passwd.c - Program to update user password.
 *
 * Copyright 2012 Ashwini Kumar <ak.ashwini@gmail.com>
 * Modified 2012 Jason Kyungwan Han <asura321@gmail.com>
 *
 * http://refspecs.linuxfoundation.org/LSB_4.1.0/LSB-Core-generic/LSB-Core-generic/passwd.html

USE_PASSWD(NEWTOY(passwd, ">1a:dlu", TOYFLAG_STAYROOT|TOYFLAG_USR|TOYFLAG_BIN))

config PASSWD
  bool "passwd"
  default y
  depends on TOYBOX_SHADOW
  help
    usage: passwd [-a ALGO] [-dlu] <account name>

    update user's authentication tokens. Default : current user

    -a ALGO	Encryption method (des, md5, sha256, sha512) default: des
    -d		Set password to ''
    -l		Lock (disable) account
    -u		Unlock (enable) account

config PASSWD_SAD
  bool "Add sad password checking heuristics"
  default n
  depends on PASSWD
  help
    Password changes are checked to make sure they don't include the entire
    username (but not a subset of it), and the entire previous password
    (but changing password1, password2, password3 is fine). This heuristic
    accepts "aaaaaa" as a password.
*/

#define FOR_passwd
#include "toys.h"

GLOBALS(
  char *algo;
)

static int str_check(char *s, char *p)
{
  if (strnstr(s, p) || strnstr(p, s)) return 1;
  return 0;
}

// Insane heuristic won't find password1 password2 password3...?
static void strength_check(char *newp, char *oldp, char *user)
{
  char *msg = NULL;

  if (strlen(newp) < 6) { //Min passwd len
    msg = "too short";
    xprintf("BAD PASSWORD: %s\n",msg);
  }
  if (!newp[0]) return; //passwd is empty

  if (str_check(newp, user)) {
    msg = "user based password";
    xprintf("BAD PASSWORD: %s\n",msg);
  }

  if (oldp[0] && str_check(newp, oldp)) {
    msg = "based on old passwd";
    xprintf("BAD PASSWORD: %s\n",msg);
  }
}

static int verify_passwd(char * pwd)
{
  char * pass;

  if (!pwd) return 1;
  if (pwd[0] == '!' || pwd[0] == '*') return 1;

  pass = crypt(toybuf, pwd);
  if (pass  && !strcmp(pass, pwd)) return 0;

  return 1;
}

static char *new_password(char *oldp, char *user)
{
  char *newp = NULL;

  if (read_password(toybuf, sizeof(toybuf), "New password:"))
    return NULL; //may be due to Ctrl-C

  newp = xstrdup(toybuf);
  if (CFG_PASSWD_SAD) strength_check(newp, oldp, user);
  if (read_password(toybuf, sizeof(toybuf), "Retype password:")) {
    free(newp);
    return NULL; //may be due to Ctrl-C
  }

  if (!strcmp(newp, toybuf)) return newp;
  else error_msg("Passwords do not match.\n");
  // Failure Case
  free(newp);
  return NULL;
}

void passwd_main(void)
{
  uid_t myuid;
  struct passwd *pw;
  struct spwd *sp;
  char *name = NULL, *pass = NULL, *encrypted = NULL, *newp = NULL,
       *orig = (char *)"", salt[MAX_SALT_LEN];
  int ret = -1;

  myuid = getuid();
  if (myuid && (toys.optflags & (FLAG_l | FLAG_u | FLAG_d)))
    error_exit("Not root");

  pw = xgetpwuid(myuid);

  if (*toys.optargs) name = toys.optargs[0];
  else name = xstrdup(pw->pw_name);

  pw = xgetpwnam(name);

  if (myuid && (myuid != pw->pw_uid)) error_exit("Not root");

  pass = pw->pw_passwd;
  if (pw->pw_passwd[0] == 'x') {
    //get shadow passwd
    sp = getspnam(name);
    if (sp) pass = sp->sp_pwdp;
  }


  if (!(toys.optflags & (FLAG_l | FLAG_u | FLAG_d))) {
    
    if (!(toys.optflags & FLAG_a)) TT.algo = "des";
    if (get_salt(salt, TT.algo) == -1)
      error_exit("Error: Unkown encryption algorithm\n");

    printf("Changing password for %s\n",name);
    if (myuid && pass[0] == '!')
      error_exit("Can't change, password is locked for %s",name);
    if (myuid) {
      //Validate user 

      if (read_password(toybuf, sizeof(toybuf), "Origial password:")) {
        if (!toys.optargs[0]) free(name);
        return;
      }
      orig = toybuf;
      if (verify_passwd(pass)) error_exit("Authentication failed\n");
    }

    orig = xstrdup(orig);

    // Get new password
    newp = new_password(orig, name);
    if (!newp) {
      free(orig);
      if (!toys.optargs[0]) free(name);
      return; //new password is not set well.
    }

    encrypted = crypt(newp, salt);
    free(newp);
    free(orig);
  } else if (toys.optflags & FLAG_l) {
    if (pass[0] == '!') error_exit("password is already locked for %s",name);
    printf("Locking password for %s\n",name);
    encrypted = xmprintf("!%s",pass);
  } else if (toys.optflags & FLAG_u) {
    if (pass[0] != '!') error_exit("password is already unlocked for %s",name);

    printf("Unlocking password for %s\n",name);
    encrypted = xstrdup(&pass[1]);
  } else if (toys.optflags & FLAG_d) {
    printf("Deleting password for %s\n",name);
    encrypted = xstrdup(""); //1 = "", 2 = '\0'
  }

  // Update the passwd
  if (pw->pw_passwd[0] == 'x')
    ret = update_password("/etc/shadow", name, encrypted);
  else ret = update_password("/etc/passwd", name, encrypted);

  if ((toys.optflags & (FLAG_l | FLAG_u | FLAG_d))) free(encrypted);

  if (!toys.optargs[0]) free(name);
  if (!ret) error_msg("Success");
  else error_msg("Failure");
}