#!/bin/sh
# prefix command to run stuff from our programs directory
# Copyright (C) 1998-2002  Henry Spencer.
# Copyright (C) 2013       Tuomo Soini <tis@foobar.fi>
# 
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
# 
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.
#

test ${IPSEC_INIT_SCRIPT_DEBUG} && set -v -x

# where the private directory and the config files are
IPSEC_CONF="${IPSEC_CONF:-/etc/ipsec.conf}"
IPSEC_EXECDIR="${IPSEC_EXECDIR:-/usr/libexec/ipsec}"
IPSEC_LIBDIR="${IPSEC_LIBDIR:-/usr/libexec/ipsec}"
IPSEC_SBINDIR="${IPSEC_SBINDIR:-/usr/sbin}"
IPSEC_CONFDDIR="${IPSEC_CONFDDIR:-/etc/ipsec.d}"

IPSEC_DIR="${IPSEC_LIBDIR}"
export IPSEC_DIR IPSEC_LIBDIR IPSEC_EXECDIR IPSEC_CONF

# standardize PATH, and export it for everything else's benefit
PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin
export PATH

# things not to be listed in --help command list
DONTMENTION='^(ipsec|_.*|.*\.old|.*~)$'

# version numbering (details filled in by build)
# Possibly should call a C program to invoke the version_code() function
# instead, but for performance's sake, we inline it here (and only here).
version="3.8"

# export the version information
IPSEC_VERSION="${version}"
export IPSEC_VERSION

# function for the funky user/kernel version stuff
fixversion() {
    if [ -f /proc/net/ipsec_version ]; then
	stack=" (klips)"
	kv="$(awk '{print $NF}' /proc/net/ipsec_version)"
    else
	if [ -f /proc/net/pfkey ]; then
	    stack=" (netkey)"
	    kv=${version}
	else
	    if [ -f /mach_kernel ]; then
		stack=" (OSX)"
		kv="$(uname -r)"
	    else
		kv="(no kernel code presently loaded)"
	    fi
	fi
    fi
    if [ "${kv}" != "${version}" ]; then
	version="U${version}/K${kv}"
    fi
    version="${version}${stack} on $(uname -r)"
}

if [ $(id -u) -ne 0 ]; then
    echo "permission denied (must be superuser)"
    exit 4
fi

case "${1}" in
    '')
	echo "Usage: ipsec <command> <argument ...>"
	echo "Use --help for a list of commands, or see the ipsec(8) manual page"
	echo "Most commands have their own manual pages, e.g. ipsec_auto(8)."
	echo "See <http://www.libreswan.org> for more general info."
	fixversion
	echo "Linux Libreswan ${version}"
	exit 0
	;;
    status|--status)
	exec ipsec auto --status
	;;
    start|--start)
	exec ipsec setup start
	;;
    stop|--stop)
	exec ipsec setup stop
	;;
    restart|--restart)
	# restart does not work when stoped in systemd - it's dumb
	ipsec setup stop 
	exec ipsec setup start
	;;
    help|--help)
	echo "Usage: ipsec <command> <argument ...>"
	echo "where <command> is one of:"
	echo ""
	if [ -x /bin/printf -o -x /usr/bin/printf ]; then
	    DOCOLS="1"
	else
	    DOCOLS=""
	fi
	for f in $(ls ${IPSEC_LIBDIR} ${IPSEC_EXECDIR} | egrep -v -i "${DONTMENTION}"); do
	    if [ -x ${IPSEC_LIBDIR}/${f} -o -x ${IPSEC_EXECDIR}/${f} ]; then
		if [ -z "${DOCOLS}" ]; then
		    # we can only produce a simply list, which scrolls beyond 24 lines
		    echo "	${f}"
		elif [ -z "${GOTTWO}" ]; then
		    # first of two entries
		    GOTTWO=${f}
		else
		    # second of two entries, we can print
		    printf "   %-10s   %15s\n" ${GOTTWO} ${f}
		    GOTTWO=""
		fi
	    fi
	done
	echo
	echo "See also: ipsec <command> --help"
	echo "Most commands have their own manual pages, e.g. ipsec_auto(8)."
	echo "ipsec stop|start|restart is an alias for ipsec setup stop|start|restart"
	echo "See <http://www.libreswan.org> for more general info."
	fixversion
	echo "Linux Libreswan ${version}"
	exit 0
	;;
    # some ubuntu/debian scripts use --versioncode, so let's keep the alias
    version|--version|--versioncode)
	fixversion
	echo "Linux Libreswan ${version}"
	exit 0
	;;
    --directory)
	echo "${IPSEC_DIR}"
	exit 0
	;;
    import|--import)
	if [ -z "${2}" ]; then
	    echo >&2 "usage: ipsec import /path/to/pkcs.12"
	    exit 1
	else
	    if [ ! -f ${2} ]
	    then
		echo >&2 "usage: ipsec import /path/to/pkcs.12"
		exit 1
	    fi
	fi
	# this hardcoded ipsec.d needs to get fixed once we pass IPSECD properly
	pk12util -i ${2} -d ${IPSEC_CONFDDIR}
	if [ -x /usr/sbin/restorecon ]; then
	    restorecon  -Rv ${IPSEC_CONFDDIR}
	fi
	exit 0
	;;
    initnss|--initnss)
	if [ -f "${IPSEC_CONFDDIR}/cert8.db" -o -f "${IPSEC_CONFDDIR}/key3.db" -o -f "${IPSEC_CONFDDIR}/secmod.db" ]; then
	    echo "NSS database already initialised - aborted"
	    echo "To wipe the old NSS database, issue: rm ${IPSEC_CONFDDIR}/*.db"
	    exit 42
	fi

	echo "Initializing NSS database"
	echo "If you want to ensure the IPsec subsystem can start unattended,"
	echo "   use an empty password"
	echo ""

	certutil -N -d ${IPSEC_CONFDDIR}
	if [ -x /usr/sbin/restorecon ]; then
	    restorecon -Rv ${IPSEC_CONFDDIR}
	fi
	exit 0
	;;
    --*)
	echo "${0}: unknown option \"${1}\" (perhaps command name was omitted?)" >&2
	exit 1
	;;
esac

cmd="${1}"
shift

path="${IPSEC_EXECDIR}/${cmd}"

if [ ! -x "${path}" ]; then
    path="${IPSEC_LIBDIR}/${cmd}"
    if [ ! -x "${path}" ]; then
	echo "${0}: unknown IPsec command \"${cmd}\" (\"ipsec --help\" for list)" >&2
	exit 1
    fi
fi

exec ${path} "$@"
