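package main

import (
	"fmt"
	"os/exec"
	"strings"

	"gopkg.in/jcmturner/gokrb5.v5/client"
	"gopkg.in/jcmturner/gokrb5.v5/config"
)

// suffixMap maps an account type to the suffix that is appended to the user
// name to form that account's Kerberos principal.
var suffixMap = map[string]string{
	"SSO":     "",
	"EDUROAM": "/ppp",
	"TACACS":  "/net",
}

// CheckDuplicatePw reports whether password is already in use on any of the
// user's accounts listed in suffixMap. It returns nil when no account accepted
// the password, and a non-nil error when one did or when a check could not be
// completed.
//
// Every call attempts a real Kerberos login per account type.
// NOTE(review): if the KDC enforces a lockout policy, these deliberately
// failing logins may count against it; confirm before calling this often.
func CheckDuplicatePw(username, password string) error {
	// Map iteration order is random, so when several accounts share the
	// password the account named in the error can differ between calls.
	for suffix := range suffixMap {
		if err := checkKerberosDuplicatePw(suffix, username, password); err != nil {
			return err
		}
	}
	return nil
}

// checkKerberosDuplicatePw tries to log in to the NORDU.NET realm as the
// principal built from username and the suffix registered for the account type
// suffix, using password.
//
// It returns nil when the login fails with an error whose text contains
// KDC_ERR_PREAUTH_REQUIRED, an error naming the account type when the login
// succeeds, and the underlying error for any other failure.
func checkKerberosDuplicatePw(suffix, username, password string) error {
	// NOTE(review): an account type missing from suffixMap yields an empty
	// suffix, i.e. the same principal as "SSO"; confirm callers only pass
	// known keys.
	principal := username + suffixMap[suffix]

	// The load error used to be overwritten by the Login result, so a missing
	// or unreadable krb5.conf went unreported and the client was configured
	// with whatever Load returned.
	krbConf, err := config.Load(pwman.Krb5Conf)
	if err != nil {
		return fmt.Errorf("Unable to load kerberos config: %v", err)
	}

	kclient := client.NewClientWithPassword(principal, "NORDU.NET", password)
	kclient.WithConfig(krbConf)

	if err := kclient.Login(); err != nil {
		// A failed login means either a bad password or an operational
		// problem such as no connection to the KDC.
		// NOTE(review): the decision rests on matching library error text;
		// confirm this is what this gokrb5 version reports for a wrong
		// password (KDC_ERR_PREAUTH_FAILED is the usual Kerberos code for
		// that). Any error that does not match is returned, so a mismatch
		// here rejects the check rather than passing it.
		if strings.Contains(err.Error(), "KDC_ERR_PREAUTH_REQUIRED") {
			// Password did not match this account.
			return nil
		}
		fmt.Println("ERROR", err)
		return err
	}

	// The login succeeded, so the password is already in use on this account.
	return fmt.Errorf("Password already used with: %s account", suffix)
}

// ChangeKerberosPw sets new_password on the Kerberos principal built from
// username and the suffix registered for the account type suffix, by running
// the script configured in pwman.ChangePwScript.
//
// The script is started without arguments and receives a single
// "principal@NORDU.NET password" record on standard input, so the password
// does not appear on the command line. An error is returned when username
// cannot be placed in that record unambiguously or when the script fails.
func ChangeKerberosPw(suffix, username, new_password string) error {
	// The record is space separated; whitespace inside the user name would
	// move the boundary between principal and password.
	// NOTE(review): username is otherwise concatenated into the principal
	// unchanged; confirm callers restrict it to the expected account-name
	// characters.
	if strings.ContainsAny(username, " \t\r\n") {
		return fmt.Errorf("Invalid username for kerberos script: %q", username)
	}
	// NOTE(review): an account type missing from suffixMap yields an empty
	// suffix, which targets the same principal as "SSO"; confirm callers only
	// pass known keys.
	principal := fmt.Sprintf("%s%s", username, suffixMap[suffix])

	// NOTE(review): new_password is written as given. How the script handles
	// spaces or line breaks in it is not visible from here; confirm.
	cmd := exec.Command(pwman.ChangePwScript)
	// Let os/exec feed the record and close the pipe; this replaces a
	// hand-written goroutine that ignored the result of the write.
	cmd.Stdin = strings.NewReader(fmt.Sprintf("%s@NORDU.NET %s", principal, new_password))
	if err := cmd.Run(); err != nil {
		return fmt.Errorf("Error running change password script, got error: %v", err)
	}
	return nil
}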