#!/bin/sh
export PATH="$PATH:/usr/sbin:/sbin:/bin"
[ `id -u` -eq 0 ] || exit 1

qtunpath=/rw/config/qtunnel
upfile=tunneluserpwd.txt
tmppath=/tmp/$upfile

do_userpass () {
    bash /usr/lib/qubes/qtunnel-setup --userpass-bash
}

# Need bash for password prompt
do_userpass_bash () {
   echo
    echo "Enter VPN/tunnel login credentials."
    echo "Leave blank if not required..."
    echo
    read -p  "Username: " username
    read -s -p "Password: " upassword
    echo
    if [[ -z $username && -z $upassword ]]; then
      touch $qtunpath/no-$upfile
      rm -f $qtunpath/$upfile
      echo "Password login deactivated."
    else
      rm -f $qtunpath/no-$upfile
      echo "$username" >$tmppath.tmp
      echo "$upassword" >>$tmppath.tmp
      chmod 600 $tmppath.tmp
      mv $tmppath.tmp $tmppath
      cp -a $tmppath $qtunpath/$upfile
      echo -e "\nLogin info saved to $qtunpath/$upfile"
    fi
    sleep 1s
    echo
}

# needs source dir passed as first arg
firewall_link () {
    if iptables -L QBS-FORWARD >/dev/null; then
    # firewall for Qubes 4
        mkdir -p /rw/config/qubes-firewall.d
        ln -s -f $1/tunnel-restrict-firewall \
    /rw/config/qubes-firewall.d/90_tunnel-restrict
    else
        ln -s -f -b $1/tunnel-restrict-firewall \
    /rw/config/qubes-firewall-user-script
    fi
}


case "$1" in

--pre-start)
# Check for login file and prompt if necessary.
    if [ ! -f $qtunpath/$upfile ] && [ ! -f $qtunpath/no-$upfile ]; then
        if [ ! -f /tmp/qtunnel-askpass ]; then
            systemd-run --unit=qtunnel-askpass -E DISPLAY=:0 sh -c \
            'sleep 2s; /usr/bin/xterm \
            -T "Tunnel Login" -e /usr/lib/qubes/qtunnel-setup --xterm'
        fi
    elif [ ! -f $tmppath ] && [ ! -f $qtunpath/no-$upfile ]; then
        cp -aL $qtunpath/$upfile $tmppath.tmp
        mv $tmppath.tmp $tmppath
    fi
    if [ -n "$filter_opts" ]; then
        # workaround for option parser bugs and overrides:
        # process config to remove options.
        grep -Ev '^[[:space:]]*('"$filter_opts"')[[:space:]]*' \
          $qtunpath/qtunnel.conf  >/tmp/qtunnel.conf
    else
        cp -aL $qtunpath/qtunnel.conf /tmp
    fi
    sync
    su - -c 'notify-send "$(hostname): Ready to start link."' user
;;

--start-exec)
    if [ -f $qtunpath/no-$upfile ]; then
        userpassword_opt=""
    fi
    echo EXEC  $client_cmd $client_opt1 $client_opt2 $client_opt3 $client_opt4 \
      $client_opt5 $userpassword_opt
    eval $client_cmd $client_opt1 $client_opt2 $client_opt3 $client_opt4 \
      $client_opt5 $userpassword_opt
;;

--post-start)
    echo "START-ing network forwarding!"
    echo '1' > /proc/sys/net/ipv4/ip_forward
# '0' appears to be default setting for ipv6
#    echo '1' > /proc/sys/net/ipv6/conf/all/forwarding
;;

--check-firewall)
    for i in 1 2 3; do
        if iptables -C FORWARD -o eth0 -j DROP \
        && iptables -C FORWARD -i eth0 -j DROP ; then
            exit 0
        elif [ $i = 3 ]; then
            echo "Error: Firewall rule(s) not enabled!"
            exit 1
        fi
        sleep 2s
    done
;;

--post-stop)
    echo "STOP-ing network forwarding!"
    echo '0' > /proc/sys/net/ipv4/ip_forward
    echo '0' > /proc/sys/net/ipv6/conf/all/forwarding
;;

--config)
    . /usr/lib/qubes/init/functions
    if is_proxyvm ; then
        mkdir -p $qtunpath
        firewall_link /usr/lib/qubes
        do_userpass
        echo "Done!"
        if [ ! -e $qtunpath/qtunnel.conf ]; then
            echo "Next, copy or link your config file to $qtunpath/qtunnel.conf"
        fi
    else
        echo "Error: Not a proxyVM. Please check instructions."
        exit 1
    fi
;;

--config-nm)
    . /usr/lib/qubes/init/functions
    if is_proxyvm ; then
        firewall_link /usr/lib/qubes
        echo "Done!"
    else
        echo "Error: Not a proxyVM. Please check instructions."
        exit 1
    fi
;;

--xterm)
    touch /tmp/qtunnel-askpass
    do_userpass
;;

--userpass-bash)
    do_userpass_bash
;;

--version)
    echo "1.4.0"
;;

esac

