#!/usr/bin/env python3

# ------- imports -----------------------------------
import os
import subprocess

# ------- constants -----------------------------------
# Login shells that mark an account as interactive.  The audits compare the
# basename of the passwd shell field against this list, so entries are bare
# program names, not paths.
KNOWN_USER_SHELLS = [
  "sh",
  "bash",
  "zsh",
  "fish",
  "xonsh",
  "tcsh",
  "csh",
]

# Groups whose /etc/group member field is rewritten to exactly the admin
# user list.
ADMIN_GROUPS = [
  "sudo",
  "adm",
  "wheel",
]


# ------- inputs -----------------------------------
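def _read_user_list(path):
  """Return the non-empty, whitespace-trimmed lines of *path* as a list.

  Only "\\n" used to be stripped, so a trailing blank line or a stray space
  in the allow-list produced an empty or mangled username that later reached
  chpasswd/chage and the /etc/passwd checks.
  """
  with open(path, "r") as f:
    return [line.strip() for line in f if line.strip()]


# One username per line; both files are the operator's own allow-lists.
nonadmin_user_list = _read_user_list("/root/birch/nonadmin_users.txt")
admin_user_list = _read_user_list("/root/birch/admin_users.txt")

# Every account name the audits treat as legitimate.
valid_user_list = nonadmin_user_list + admin_user_list
# Rebound to the comma-separated form used by /etc/group member fields;
# group_audit() reads this name, so the (confusing) rebinding is kept.
admin_user_list = ",".join(admin_user_list)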

# ------- main -----------------------------------
def main():
  """Run the four audit passes in their original order.

  Every pass rewrites system account files or runs account tools as root;
  the snapshot confirmation prompt below is kept for reference but disabled.
  """
  # confirmation = input("snapshotted? ")
  # if confirmation != "y":
  #   return
  for audit_pass in (user_audit, group_audit, pwd_audit, lock_users):
    audit_pass()


# ------- group -----------------------------------
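def _audit_group_line(line, admin_csv, valid_users, admin_groups=None):
  """Return one /etc/group *line* with its member field rewritten.

  Rules, applied in this order:
    * a group in *admin_groups* (default ADMIN_GROUPS) gets exactly the
      comma-separated *admin_csv* users as members;
    * "adm" additionally keeps syslog as its first member (without
      duplicating it or leaving a dangling comma when the admin list is
      empty, which the previous code did);
    * "root" and every user-private group (a group named like an entry of
      *valid_users*) lose all members.
  Lines without a ":"-separated member field are returned unchanged.
  """
  if admin_groups is None:
    admin_groups = ADMIN_GROUPS
  info = line.split(":")
  if len(info) < 4:
    return line
  name = info[0]
  trailing = "\n" if line.endswith("\n") else ""
  members = [m for m in info[-1].strip().split(",") if m]
  if name in admin_groups:
    members = [m for m in admin_csv.split(",") if m]
  if name == "adm":
    members = ["syslog"] + [m for m in members if m != "syslog"]
  if name == "root" or name in valid_users:
    members = []
  info[-1] = ",".join(members) + trailing
  return ":".join(info)


def group_audit():
  """Rewrite the member fields of /etc/group in place via _audit_group_line().

  Uses the module-level admin_user_list (comma-separated string) and
  valid_user_list.  Only /etc/group is edited: /etc/gshadow keeps its old
  member lists, so grpck may report the two files as inconsistent afterwards.
  The file is written back without the lock that vigr/gpasswd take, so do not
  run this while other account tools are active.
  """
  with open("/etc/group", "r") as file:
    groups = file.readlines()

  groups = [
    _audit_group_line(group, admin_user_list, valid_user_list)
    for group in groups
  ]

  with open("/etc/group", "w") as file:
    file.writelines(groups)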
    

# ------- user -----------------------------------
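def _audit_passwd_line(line, valid_users, known_shells=None):
  """Return (new_line, message) for one /etc/passwd *line*.

  Rules:
    * uid 0 and uid 65534 are left alone;
    * a system account (uid < 1000) whose shell basename is in
      *known_shells* (default KNOWN_USER_SHELLS) is commented out as a
      hidden user;
    * a uid >= 1000 account not in *valid_users* is commented out;
    * a valid account whose shell is not a known shell is given /bin/bash.
  message is None when the line is unchanged.  Blank lines, lines that do
  not have the seven passwd fields, lines with a non-numeric uid and lines
  already starting with "#" are returned unchanged; the previous code raised
  on the first three and re-prefixed the last on every run.
  """
  if known_shells is None:
    known_shells = KNOWN_USER_SHELLS
  info = line.split(":")
  if len(info) != 7 or line.startswith("#"):
    return line, None
  try:
    uid = int(info[2])
  except ValueError:
    return line, None
  name = info[0]
  shell = info[-1].split("/")[-1].strip()
  if uid in (0, 65534):
    return line, None
  if uid < 1000:
    if shell in known_shells:
      return "#" + line, f"hidden user {name} was removed"
    return line, None
  if name not in valid_users:
    return "#" + line, f"unknown user {name} was removed"
  if shell not in known_shells:
    info[-1] = "/bin/bash\n"
    return ":".join(info), f"gave user {name} a known shell"
  return line, None


def user_audit():
  """Rewrite /etc/passwd in place according to _audit_passwd_line().

  Prints one line per change.  "Removing" an account here means prefixing
  its passwd line with "#", which relies on the name-service files backend
  skipping such lines; the /etc/shadow entry, home directory and any running
  processes of that account are left in place (userdel is the supported way
  to remove an account).  The file is written without the vipw/lckpwdf lock.
  """
  with open("/etc/passwd", "r") as file:
    passwd = file.readlines()

  for index, line in enumerate(passwd):
    new_line, message = _audit_passwd_line(line, valid_user_list)
    if message is not None:
      print(message)
    passwd[index] = new_line

  with open("/etc/passwd", "w") as file:
    file.writelines(passwd)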

# ------- password -----------------------------------
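def _run(cmd, **kwargs):
  """Run *cmd* (an argv list, never a shell string) and report a non-zero exit.

  Failures are printed rather than raised to keep the best-effort behaviour
  of the os.system() calls this replaces.  Returns the exit code.
  """
  result = subprocess.run(cmd, **kwargs)
  if result.returncode != 0:
    print(f"warning: {' '.join(cmd)} exited with {result.returncode}")
  return result.returncode


def pwd_audit(password="LNoBirches1337=("):
  """Reset every valid user's password, set password ageing and fix home ownership.

  password defaults to the value this script has always used.  One shared
  password for every account, kept in source, is a finding in itself; pass a
  per-deployment value instead of relying on the default.  The password is
  written to chpasswd's stdin so it never appears on a command line (the
  previous os.system('echo "user:pw" | ...') form exposed it in
  /proc/*/cmdline and shell history).  Usernames are passed as argv items,
  not interpolated into a shell string.  Runs chpasswd directly rather than
  via sudo, since the rest of the script already requires root.
  """
  for uname in valid_user_list:
    _run(["chpasswd"], input=f"{uname}:{password}\n", text=True)
    # min age 7, max age 15, warn 7 days before expiry, inactive 5 days after
    _run(["chage", "-m", "7", "-M", "15", "-W", "7", "-I", "5", uname])
    # previously chown + chgrp as two separate shell commands
    _run(["chown", f"{uname}:{uname}", f"/home/{uname}"])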

# ------- locking -----------------------------------
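def _passwd_accounts(lines):
  """Yield (name, uid) for each usable /etc/passwd line in *lines*.

  Blank lines, lines commented out by user_audit() ("#" prefix), lines that
  do not have seven fields and lines with a non-numeric uid are skipped; the
  previous awk pipeline fed those uids to `id -nu` and let it fail.
  """
  for line in lines:
    if line.startswith("#"):
      continue
    info = line.rstrip("\n").split(":")
    if len(info) != 7:
      continue
    try:
      uid = int(info[2])
    except ValueError:
      continue
    yield info[0], uid


def lock_users():
  """Lock the password of every uid < 1000 account and unlock all others.

  Reads /etc/passwd directly instead of shelling out to awk and `id -nu`, so
  the /root/birch/uids.txt scratch file is no longer written and no account
  name passes through a shell.  The uid < 1000 range still includes root
  (uid 0), as before.  The name is taken from the passwd line itself, so
  several entries sharing a uid are each handled rather than only the one
  `id` happened to return.  passwd's own diagnostics are left on stderr
  (e.g. -u refusing to unlock a passwordless account), matching the old
  best-effort behaviour.
  """
  with open("/etc/passwd", "r") as file:
    accounts = list(_passwd_accounts(file))

  for name, uid in accounts:
    flag = "-l" if uid < 1000 else "-u"
    subprocess.run(["passwd", flag, name])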

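# Guarded so the audit helpers can be imported (e.g. for testing) without
# rewriting the system's account files; running the script still invokes main().
if __name__ == "__main__":
  main()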
