#! /usr/bin/env perl
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
use common::sense;

use File::Basename;
use lib dirname(__FILE__) . '/../../../lib/perl';
use OVH::Result;
use OVH::Bastion;
use OVH::Bastion::Plugin qw( :DEFAULT help );
use OVH::Bastion::Plugin::generatePassword;

my $remainingOptions = OVH::Bastion::Plugin::begin(
    argv    => \@ARGV,
    header  => "generating a new egress password for the group",
    options => {
        "size=i"  => \my $size,
        "group=s" => \my $group,
        "do-it"   => \my $doIt,
    },
    helptext => <<'EOF'
Generate a new egress password for the group

Usage: --osh SCRIPT_NAME --group GROUP [--size SIZE] --do-it

  --group GROUP  Specify which group you want to generate a password for
  --size  SIZE   Specify the number of characters of the password to generate
  --do-it        Required for the password to actually be generated, BEWARE: please read the note below

Generate a new egress password to be used for ssh or telnet

NOTE: this is only needed for devices that don't support key-based SSH,
in most cases you should ignore this command completely, unless you
know that devices you need to access only support telnet or password-based SSH.

BEWARE: once a new password is generated this way, it'll be set as the new
egress password to use right away for the group, for any access that requires it.
A fallback mechanism exists that will auto-try the previous password if this one
doesn't work, but please ensure that this new password is deployed on the remote
devices as soon as possible.
EOF
);

# code
my $fnret;

$size = 16 if not defined $size;

if (not $group) {
    help();
    osh_exit 'ERR_MISSING_PARAMETER', "Expected a --group argument";
}

$fnret = OVH::Bastion::Plugin::generatePassword::preconditions(
    self    => $self,
    context => 'group',
    group   => $group,
    size    => $size
);
$fnret or osh_exit($fnret);

# get returned untainted value
$group = $fnret->value->{'group'};
my $shortGroup = $fnret->value->{'shortGroup'};

$fnret = OVH::Bastion::plugin_config(plugin => $scriptName, key => "minPasswordSize");
if ($fnret && $fnret->value && $size < $fnret->value) {
    osh_exit('ERR_INVALID_PARAMETER',
            "The minimum allowed password size defined by policy is "
          . $fnret->value
          . " characters, you asked only $size");
}

if (not $doIt) {
    help();
    osh_exit('ERR_MISSING_PARAMETER', "Missing mandatory parameter: please read the BEWARE note above.");
}

my @command = qw{ sudo -n -u };
push @command, $group;
push @command, qw{ -- /usr/bin/env perl -T };
push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-groupGeneratePassword';
push @command, "--group", $group, "--size", $size;

$fnret = OVH::Bastion::helper(cmd => \@command);
$fnret or osh_exit($fnret);

osh_info "Generated a new password of length $size for group $shortGroup, hashes follow:\n\n";
my $hashes = $fnret->value->{'hashes'};
foreach my $type (qw{ md5crypt sha256crypt sha512crypt type8 type9 }) {
    osh_info(sprintf("%11s: %s\n", $type, $hashes->{$type})) if $hashes->{$type};
}
osh_info "\nThis new password will now be used by default.";
osh_exit $fnret;
