#!/bin/sh

# Abort on any unhandled error or unset variable.
set -eu

# Pin PATH to the system directories so the privileged commands below
# resolve predictably rather than through whatever the caller exported.
export PATH="/usr/sbin:/sbin:/usr/bin:/bin"

# Preseed roundcube-core's restart-webserver answer to "false" before the
# reinstalls performed further down.
debconf-set-selections <<'EOF'
roundcube-core roundcube/restart-webserver boolean false
EOF

#######################################
# Assert that a path has exactly the given "user:group 0mode" (stat format
# "%U:%G %#a").
# Arguments: $1 - path to inspect
#            $2 - expected "user:group 0mode" string
# Outputs:   mismatch diagnostic on stderr
# Returns:   0 when the stat matches; exits 1 on mismatch or if stat fails
#            (a failed stat is reported with an empty actual value)
#######################################
assert_stat() {
    local path="$1" want="$2" got=""
    if got="$(stat -c "%U:%G %#a" -- "$path")" && [ "$got" = "$want" ]; then
        return 0
    fi
    printf "%s has ownership/mode \"%s\", expected \"%s\"\\n" "$path" "$got" "$want" >&2
    exit 1
}

# Ownership and mode the package must have established at install time:
# the temp dir and log dir are group-restricted, the two config files are
# readable by the web server group only (no "other" bits).
while read -r want_path want_stat; do
    assert_stat "$want_path" "$want_stat"
done <<'EOF'
/var/lib/roundcube/temp www-data:www-data 0750
/var/log/roundcube www-data:adm 0750
/etc/roundcube/config.inc.php root:www-data 0640
/etc/roundcube/debian-db.php root:www-data 0640
EOF

# add obsolete setting (see program/include/rcmail_install.php)
# SEED is a random marker (24 base64 chars from 18 urandom bytes) so the
# later checks can tell the live config apart from the .ucf-dist copy.
SEED=$(head -c18 /dev/urandom | base64)
printf '%s\n' "\$config['debug_level'] = '$SEED';" >>/etc/roundcube/config.inc.php

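# Capture file for the apt-get output that xgrep() scans; created with a
# random name and removed on every exit path (including the exit 1 calls).
OUT="$(mktemp --tmpdir)"
trap 'rm -f -- "$OUT"' EXIT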
#######################################
# Require that grep with the given arguments matches the captured output.
# Globals:   OUT (read) - file holding the output to search
# Arguments: grep options and pattern, passed through unchanged
# Outputs:   diagnostic on stderr when nothing matches
# Returns:   0 on a match; exits 1 otherwise (reporting grep's exit status)
#######################################
xgrep() {
    local status
    status=0
    grep -q "$@" <"$OUT" || status=$?
    if [ "$status" -eq 0 ]; then
        return 0
    fi
    printf "ERROR: \`grep %s\` failed (exit status %d)\n" "$*" "$status" >&2
    exit 1
}
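#######################################
# Reinstall roundcube-core with the config files set to a given owner and
# mode, then verify the maintainer scripts preserved ownership, mode, the
# local setting tagged with SEED and the des_key across the upgrade.
# Globals:   SEED (read), OUT (overwritten with apt-get stdout; read by xgrep)
# Arguments: $1 - user update.sh is expected to report running as
#            $2 - owner:group applied to the config files before reinstalling
#            $3 - octal mode applied to the config files before reinstalling
# Outputs:   apt-get output on stdout; diagnostics on stderr
# Returns:   0 when every check passes; exits 1 on the first failed check
#######################################
check_reinstall() {
    local rv=0 u="$1" own="$2" mode="$3" p key1 key2
    chown -c "$own" /etc/roundcube/config.inc.php /etc/roundcube/debian-db.php
    chmod -c "$mode" /etc/roundcube/config.inc.php /etc/roundcube/debian-db.php

    # force ucf to register a new version and generate a new .ucf-*:
    # drop the old registration and give roundcube/hosts a fresh value
    # (a timestamp) so the regenerated config differs from the last one
    rm -f /etc/roundcube/config.inc.php.ucf-*
    debconf-set-selections <<-EOF
		roundcube-core roundcube/hosts string $(date +"%s %N")
	EOF

    # Show the full apt-get output before judging it so failures are debuggable;
    # only stdout is captured, so the messages checked below must appear there.
    DEBIAN_FRONTEND="noninteractive" apt-get install --reinstall -y roundcube-core >"$OUT" || rv=$?
    cat <"$OUT"
    [ "$rv" -eq 0 ] || exit 1

    # Either message means the package mishandled the config files.
    if grep -Fi -e "Failed to write config file" -e "Possible security leak" <"$OUT"; then
        exit 1
    fi

    # update.sh must report running as the expected user (root or the owner).
    if [ "$u" = "root" ]; then
        xgrep -F "WARN: Running /usr/share/roundcube/bin/update.sh as root!"
    else
        xgrep -F "INFO: Running /usr/share/roundcube/bin/update.sh as user '$u'"
    fi

    # The obsolete 'debug_level' option appended earlier must be reported,
    # and a fresh config must be written to the dpkg-new location.
    xgrep -Fe "NOTICE: Obsolete config options:"
    xgrep -Fe "- 'debug_level'"
    xgrep -Fe "writing /var/lib/roundcube/config/config.inc.php.dpkg-new..."

    # Ownership and mode must survive on the live files and on the new
    # .ucf-dist copy (which holds the same secrets, see the des_key check).
    for p in config.inc.php config.inc.php.ucf-dist debian-db.php; do
        assert_stat "/etc/roundcube/$p" "$own $mode"
    done

    # The .ucf-dist copy must carry the stock header and none of the local
    # additions (SEED), while the live config must still contain SEED.
    if ! grep -Fq "/* Local configuration for Roundcube Webmail */" /etc/roundcube/config.inc.php.ucf-dist || \
            ! grep -Fq -e "$SEED" /etc/roundcube/config.inc.php || \
            grep -Fq -e "$SEED" /etc/roundcube/config.inc.php.ucf-dist; then
        echo "ERROR: /etc/roundcube/config.inc.php.ucf-dist has unexpected content:" >&2
        echo ">>>" >&2
        cat /etc/roundcube/config.inc.php.ucf-dist >&2
        echo "<<<" >&2
        exit 1
    fi

    # The des_key line must be present and identical in both files; the
    # length test is on the whole matched line, presumably to reject an
    # empty or truncated key.
    if ! key1="$(grep -Fw "des_key" /etc/roundcube/config.inc.php)" || \
            ! key2="$(grep -Fw "des_key" /etc/roundcube/config.inc.php.ucf-dist)" || \
            [ "$key1" != "$key2" ] || [ "${#key1}" -lt 48 ]; then
        echo "Key not preserved on upgrade! (${key1-[unset]} != ${key2-[unset]})" >&2
        exit 1
    fi
}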

# root:www-data 0640 where www-data is primary group for multiple users:
# add a locked (password "*"), homeless, non-login system account whose
# primary group is www-data.
useradd --password '*' --no-user-group --gid www-data --no-create-home \
  --home-dir /nonexistent --shell /usr/sbin/nologin --system _roundcube
check_reinstall "root" "root:www-data" "0640"

# root:www-data 0640 where www-data is primary group for a single user:
# move the extra account to nogroup so www-data is only the web server's group.
usermod --gid nogroup _roundcube
check_reinstall "www-data" "root:www-data" "0640"

# root:www-data 0600
check_reinstall "root" "root:www-data" "0600"

# _roundcube:root 0600
check_reinstall "_roundcube" "_roundcube:root" "0600"

# _roundcube:root 0644 leaves the config readable by everyone; the package is
# expected to warn about it (the literal below must match its message exactly).
check_reinstall "www-data" "_roundcube:root" "0644"
xgrep -F "WARN: /etc/roundcube/config.inc.php is word-readable!"

exit 0
