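#!/usr/bin/env bash
# disable a user by removing them from the sshallow/sshforward group
# and move them to the sshreject group
#
# Usage: <script> [-t] [-i] username...
#
# The script changes nothing on the system: it validates each user and
# prints the gpasswd commands that would move them. Usernames inside the
# printed commands are shell-quoted (printf %q) so the list is safe to
# paste even when a name contains unusual characters.
#
# Fixes relative to the previous revision:
#   - the "already rejected" check referenced an undefined ${ssh_reject}
#     (an empty grep pattern), so it never matched; it now uses
#     ${ssh_reject_group}
#   - options were not shifted off "$@", so "-t" was processed as a user
#   - account/group existence is checked through getent (NSS), which also
#     sees LDAP/SSSD users and avoids partial /etc/passwd substring matches
#   - error paths exit non-zero instead of 0

set -euo pipefail

# SET TO 1 to TEST [will not move user in groups]
# shellcheck disable=SC2034 -- accepted for compatibility; gpasswd is never executed here
TEST=0
# no creation except ssh keys
# shellcheck disable=SC2034 -- accepted for compatibility; only info strings are printed
INFO=0
# no creation of anything, just print info strings

# ssh reject group
readonly ssh_reject_group="sshreject"
readonly ssh_allow_group="sshallow"
# NOTE(review): the group is spelled "sshfoward" here while the header says
# "sshforward" -- confirm the real group name on the target system before changing it.
readonly ssh_forward_group="sshfoward"
# printf template: remove from <group>, then add to <group>; %q quotes each argument
readonly user_group_tpl='gpasswd -d %q %q;gpasswd -a %q %q;'

#######################################
# Check whether an account exists, via NSS (covers LDAP/SSSD as well as /etc/passwd).
# Arguments: $1 - username
# Returns:   0 if the account exists, non-zero otherwise
#######################################
user_exists() {
  getent passwd -- "$1" >/dev/null 2>&1
}

#######################################
# Check whether a group exists, via NSS.
# Arguments: $1 - group name
# Returns:   0 if the group exists, non-zero otherwise
#######################################
group_exists() {
  getent group -- "$1" >/dev/null 2>&1
}

#######################################
# Check whether a user is a member of a group (exact, NUL-delimited name match).
# Arguments: $1 - username, $2 - group name
# Returns:   0 if the user is a member, non-zero otherwise
#######################################
user_in_group() {
  id -nGz -- "$1" | grep -qzxF -- "$2"
}

#######################################
# Validate each username and print the gpasswd commands to move it.
# Globals:   TEST, INFO (written), ssh_*_group, user_group_tpl (read)
# Arguments: options then usernames ($1 ... $n)
# Outputs:   report lines and the command list on stdout; usage errors on stderr
# Returns:   0 on success, 1 on a usage error or an allow/forward conflict
#######################################
main() {
  local opt
  while getopts ":ti" opt; do
    case "${opt}" in
      t) TEST=1 ;;
      i) INFO=1 ;;
      *) ;;  # unknown flags were ignored before; keep that
    esac
  done
  # drop the parsed options so only usernames remain in "$@"
  shift $((OPTIND - 1))

  if (( $# == 0 )); then
    echo "Must give at least one user name" >&2
    exit 1
  fi

  if ! group_exists "${ssh_reject_group}"; then
    echo "Missing ssh reject group: ${ssh_reject_group}" >&2
    exit 1
  fi

  local delete_accounts=""
  local rc=0
  local username ssh_remove_group
  echo "--------------------->"
  for username in "$@"; do
    # check that user exists
    if ! user_exists "${username}"; then
      echo "[!] User $username does not exists in /etc/passwd file"
      continue
    fi
    # already rejected: nothing to do
    if user_in_group "${username}" "${ssh_reject_group}"; then
      echo "[.] User $username already in the ${ssh_reject_group} list"
      continue
    fi
    # check if user is in sshallow/forward list
    ssh_remove_group=''
    if user_in_group "${username}" "${ssh_allow_group}"; then
      ssh_remove_group="${ssh_allow_group}"
    fi
    # if user is in ssh allow group and ALSO in ssh forward group -> bad
    if user_in_group "${username}" "${ssh_forward_group}"; then
      if [[ -n "${ssh_remove_group}" ]]; then
        echo "[!!!! ERROR !!!!] User $username exists in both ${ssh_allow_group} and ${ssh_forward_group} group which should not be allowed. Remove user from one group and run script again."
        rc=1
        break
      fi
      ssh_remove_group="${ssh_forward_group}"
    fi
    if [[ -n "${ssh_remove_group}" ]]; then
      # remove user from ssh group and add to reject groups
      echo "[*] User $username will be removed from ${ssh_remove_group}"
      # shellcheck disable=SC2059 -- the format is the constant template above, not user data
      delete_accounts+=$(printf "${user_group_tpl}" "${username}" "${ssh_remove_group}" "${username}" "${ssh_reject_group}")$'\n'
    else
      # skip not ssh user
      echo "[?] User $username not in any ssh allow/foward groups"
    fi
  done

  if [[ -n "${delete_accounts}" ]]; then
    echo "--------------------->"
    echo "% Run list below to move users to reject ssh group"
    echo ""
    printf '%s\n' "${delete_accounts}"
  fi
  return "${rc}"
}

main "$@"
# __END__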