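#!/usr/bin/env bash
# Delete user
# - Backup of the home folder and the central ssh authorized_keys file
#   (optional, -b skips it)
# - delete user
# - delete home
# - remove ssh central auth data if it exists
#   (public keys in ssh-keygen-created-pub/ are kept)
# - update user_list.txt and comment (#DELETED-...) the line for this user
# - write delete log
# This will permanently remove the user.
#
# Usage: $0 [-t] [-g] [-b] username [username ...]
#
# Folder layout, relative to the folder holding this script:
#   ../user_list.txt  user database, one line per user: "<id>;<username>;..."
#   ../backup/        tar.bz2 backups written before a user is removed
#   ../log/           delete log, one line "<date> <time>;<host>;<user>" per user
#
# Exit status: 0 after processing the given users, 1 on a usage or setup error.

TEST=0    # 1: only print what would be done, run no destructive command
# shellcheck disable=SC2034 — -g is accepted for compatibility; the run is not
# gated on it (GO is 1 by default, so the script always runs)
GO=1
BACKUP=1  # 1: archive home folder (and central authorized_keys file) before deleting

#######################################
# Print the usage text to stderr.
#######################################
usage() {
  printf 'Usage: %s [-t] [-g] [-b] username [username ...]\n' "${0##*/}" >&2
  printf '  -t  test run: print the commands instead of running them\n' >&2
  printf '  -g  run for real (accepted for compatibility, currently the default)\n' >&2
  printf '  -b  do not make a backup of the home folder and public key\n' >&2
}

# -g/-b were documented but missing from the getopts string before, so they
# always hit the "option does not exist" branch
while getopts ":tgbh" opt; do
  case "${opt}" in
    t) TEST=1 ;;
    g) GO=1 ;;
    b) BACKUP=0 ;;
    h) usage; exit 0 ;;
    \?)
      printf '\n Option does not exist: %s\n\n' "${OPTARG}" >&2
      usage
      exit 1
      ;;
  esac
done
shift "$((OPTIND - 1))"

if [[ "$(whoami)" != "root" ]]; then
  if [[ ${TEST} -eq 0 ]]; then
    printf 'Script must be run as root user\n' >&2
    exit 1
  fi
  # a test run only prints commands, so it may go on as a normal user
  printf '!!!! Script must be run as root user !!!!\n' >&2
fi

if [[ $# -eq 0 ]]; then
  printf 'Must give at least one user name\n' >&2
  usage
  exit 1
fi

host=$(hostname)
timestamp=$(date +%Y%m%d-%H%M%S)
# character set between host and user name in the backup file name
separator="#"
# base folder for all data: the folder this script lives in
BASE_FOLDER="$(dirname "$(readlink -f "$0")")/"
root_folder="${BASE_FOLDER}../"
backup_folder="${BASE_FOLDER}../backup/"
log_folder="${BASE_FOLDER}../log/"
# shellcheck disable=SC2034 — names the folder holding the generated public keys;
# step [2] below deliberately leaves those files alone
SSH_KEYGEN_FOLDER_CREATED_PUB='ssh-keygen-created-pub/'
input_file='user_list.txt'
user_list_file="${root_folder}${input_file}"
# log file, one line per deleted user; test runs get their own file
# (%M is minutes — the previous %m wrote the month into the file name)
LOG="${log_folder}delete_user.$(date +"%F_%H%M%S")"
if [[ ${TEST} -eq 0 ]]; then
  LOG="${LOG}.log"
else
  LOG="${LOG}.test.log"
fi

# ignore users (root and admin users): never deleted even if given on the command line
ignore_users=('root' 'ec2-user' 'ubuntu' 'admin')

# pre-flight checks: fail before anything is touched
if [[ ${BACKUP} -eq 1 ]]; then
  for tool in tar bzip2; do
    if ! command -v "${tool}" >/dev/null 2>&1; then
      printf '%s is needed for the backup; install it or use -b\n' "${tool}" >&2
      exit 1
    fi
  done
  if [[ ! -d "${backup_folder}" ]]; then
    printf 'backup folder is missing: %s\n' "${backup_folder}" >&2
    exit 1
  fi
fi
if [[ ! -d "${log_folder}" ]]; then
  printf 'log folder is missing: %s\n' "${log_folder}" >&2
  exit 1
fi
if [[ ! -f "${user_list_file}" ]]; then
  printf '%s is missing\n' "${input_file}" >&2
  exit 1
fi

# detect the central ssh authorized_keys folder: an AuthorizedKeysFile entry in
# sshd_config that contains %u (e.g. /etc/ssh/authorized_keys/%u)
SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=''
SSH_AUTHORIZED_FILE=''
sshd_config='/etc/ssh/sshd_config'
if [[ -r "${sshd_config}" ]]; then
  while read -r _ key_paths; do
    # sshd allows several space separated paths; word-splitting is intended here
    # shellcheck disable=SC2086
    for cf in ${key_paths}; do
      if [[ "${cf}" == *%u* ]]; then
        # the backslash keeps % from being read as an end-of-string anchor
        SSH_CENTRAL_AUTHORIZED_FILE_FOLDER="${cf//\%u/}"
        if [[ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]]; then
          printf 'ssh central authorized_file folder could not be found: %s\n' \
            "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" >&2
          exit 1
        fi
      fi
    done
  done < <(grep "^AuthorizedKeysFile" "${sshd_config}")
fi

# $1 ... $n
for username in "$@"; do
  # skip anything that looks like an option hidden between the user names
  # (the old check read an unset variable and never skipped anything)
  if [[ "${username:0:1}" == "-" ]]; then
    continue
  fi
  # the name goes into grep/sed patterns and to userdel: only accept the
  # characters of an ordinary unix account name so it cannot alter the patterns
  if [[ ! "${username}" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]*$ ]]; then
    echo "[!] Invalid user name: ${username}"
    continue
  fi
  # "." is the only regex metacharacter the name may still contain; escape it
  user_re="${username//./\\.}"

  # skip ignore users, note that if a user is not in the sshallow list anyway
  # we skip them too, this is just in case check
  if [[ " ${ignore_users[*]} " == *" ${username} "* ]]; then
    echo "[!] User ${username} is in the ignore user list"
    continue
  fi

  # user must exist in user_list.txt and /etc/passwd; if missing in one or the
  # other a real run stops here (break: the remaining names are not processed),
  # a test run only reports and goes on
  if ! id "${username}" >/dev/null 2>&1; then
    echo "[!!!] User ${username} does not exist in /etc/passwd"
    if [[ ${TEST} -eq 0 ]]; then
      break
    fi
  fi
  # match the line "<id>;<username>;..." (optionally with the #DELETED-... prefix),
  # not every line that merely contains the name as a substring
  user_list_entry=$(grep -E -- "^(#DELETED-[^:]*:)?[A-Za-z0-9]+;${user_re};" "${user_list_file}")
  if [[ -z "${user_list_entry}" ]]; then
    echo "[!!!] User ${username} does not exist in user_list.txt file"
    if [[ ${TEST} -eq 0 ]]; then
      break
    fi
  elif [[ "${user_list_entry}" =~ ^#DELETED ]]; then
    echo "[!!!] User ${username} is flagged as deleted in user_list.txt file"
    if [[ ${TEST} -eq 0 ]]; then
      break
    fi
  fi
  echo "=> Delete: ${username}"

  # central ssh authorized_keys file of this user (empty if sshd has no central folder)
  SSH_AUTHORIZED_FILE=''
  if [[ -n "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]]; then
    SSH_AUTHORIZED_FILE="${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}${username}"
  fi
  home_folder=$(getent passwd "${username}" | cut -d ":" -f 6)
  # never archive or remove the root of the filesystem
  if [[ "${home_folder}" == "/" ]]; then
    echo "[!!!] Home folder of ${username} is /, refusing to delete this user"
    continue
  fi

  # make backup from /home
  if [[ ${BACKUP} -eq 1 ]]; then
    backup_file="${backup_folder}${host}${separator}${username}.${timestamp}.tar.bz2"
    # paths to archive; an array so paths with spaces stay intact
    files_list=()
    if [[ -n "${home_folder}" && -d "${home_folder}" ]]; then
      files_list+=("${home_folder}")
    fi
    if [[ -f "${SSH_AUTHORIZED_FILE}" ]]; then
      files_list+=("${SSH_AUTHORIZED_FILE}")
    fi
    if [[ ${#files_list[@]} -eq 0 ]]; then
      echo "[0] Nothing to backup for ${username}"
    else
      echo "[0] Backup ${files_list[*]} to ${backup_file}"
      if [[ ${TEST} -eq 0 ]]; then
        # the old call used the misspelled ${file_list} and archived nothing;
        # without a backup the home folder would be lost for good, so stop here
        if ! tar -cjpf "${backup_file}" "${files_list[@]}"; then
          echo "[!!!] Backup of ${username} failed, stopping before anything is deleted"
          break
        fi
      else
        echo "$> tar -cjpf \"${backup_file}\" ${files_list[*]};"
      fi
    fi
  fi

  echo "[1] Remove user + home dir"
  if [[ ${TEST} -eq 0 ]]; then
    if ! userdel -r "${username}"; then
      if id "${username}" >/dev/null 2>&1; then
        # the account is still there: leave key file, list and log untouched
        # so that a re-run retries this user
        echo "[!!!] userdel failed, ${username} still exists; skipping the remaining steps"
        continue
      fi
      # account is gone but userdel reported an error (e.g. the home folder
      # could not be removed); carry on so the key and the list are updated
      echo "[!] userdel reported an error for ${username}, the home folder may be left behind"
    fi
  else
    echo "$> userdel -r ${username}"
  fi

  # remove ssh files in pub
  echo "[2] Remove SSH Public key"
  # Note, we keep the public key in the -created-pub folder
  if [[ -f "${SSH_AUTHORIZED_FILE}" ]]; then
    if [[ ${TEST} -eq 0 ]]; then
      # clear the immutable flag first, otherwise rm is refused
      chattr -i "${SSH_AUTHORIZED_FILE}"
      if ! rm -f -- "${SSH_AUTHORIZED_FILE}"; then
        echo "[!!!] Could not remove ${SSH_AUTHORIZED_FILE}, the key may still grant access"
      fi
    else
      echo "$> chattr -i \"${SSH_AUTHORIZED_FILE}\";"
      echo "$> rm -f -- \"${SSH_AUTHORIZED_FILE}\";"
    fi
  elif [[ -z "${SSH_AUTHORIZED_FILE}" ]]; then
    echo "[?] No central ssh authorized_keys folder configured"
  else
    # Not critical error
    echo "[?] Cannot find ${SSH_AUTHORIZED_FILE}"
  fi

  # Update user_list.txt file and add # for the line
  echo "[3] Update user_list.txt file"
  # eg n;foo;... -> #DELETED-YYYYMMDD_HHmmss:n;foo;...
  delete_date=$(date +%Y%m%d_%H%M%S)
  sed_expr="s/^\([A-Za-z0-9]\{1,\};${user_re};\)/#DELETED-${delete_date}:\1/"
  if [[ ${TEST} -eq 0 ]]; then
    sed -i -e "${sed_expr}" "${user_list_file}"
    # verify the flag really landed; otherwise a later run would not notice
    # that this user is already gone
    if ! grep -q -E -- "^#DELETED-${delete_date}:[A-Za-z0-9]+;${user_re};" "${user_list_file}"; then
      echo "[!!!] Could not flag ${username} as deleted in ${input_file}"
    fi
  else
    echo "$> sed -i -e \"${sed_expr}\" \"${user_list_file}\";"
  fi
  printf '%s;%s;%s\n' "$(date +"%F %T")" "${host}" "${username}" >> "${LOG}"
done
# __END__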