#
# ident "@(#)patch_postinstall	1.3 03/02/11 SMI"
#
# Copyright 2002 Sun Microsystems, Inc.  All rights reserved.
#

# This script deletes the used backout data for a patch package
# and removes the deletes file entries.
#
# directory format options.

# XXXXX patch specific preremove stuff went in here. XXXXX

# This script enables and disables sunray usage for CDE
# (dtlogin and dtsession). It modifies CDE X properties to
# add or remove properties that specify whether or not to use
# sunray, and it edits /etc/pam.conf to add or remove
# pam_sunray.so actions.
#
# This script requires that the following CDE patches be installed:
#
#	108919 (minimum -14)
#	109354 (minimum -13)
#

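# External tools are referenced by absolute path so that this script, which
# runs as root during patch removal, does not depend on the caller's PATH
# for these commands.
BASENAME="/bin/basename"
# $0 is quoted so a script path containing white space still yields one name.
# The outer quotes are dropped on purpose: an assignment is not word-split,
# and nesting double quotes inside back-quotes is not portable.
MOD=`$BASENAME "$0"`
SHOWREV="/bin/showrev"
PATCH_NUM="111891"

EGREP="/bin/egrep"
RM="/bin/rm -f"
AWK="/bin/awk"
MV="/bin/mv"
ECHO="/bin/echo"
MKDIR="/bin/mkdir"
CP="/bin/cp"
SED="/bin/sed"
GREP="/bin/grep"

# Prefix that the main code strips from the start of lines in pam.conf.
# The trailing blank is part of the marker.
STRING="# Commented out by the patch $PATCH_NUM "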

   # "set -u" below turns any reference to an unset variable into a fatal
   # error, so give PKG_INSTALL_ROOT an empty default first when the
   # environment did not supply a value.
   : "${PKG_INSTALL_ROOT:=}"

   set -u

   # BASEDIR has no default here; with "set -u" active the script stops
   # if it is unset.
   SUNWUTLIB="$PKG_INSTALL_ROOT$BASEDIR/SUNWut/lib"

   # override these variables for debugging
   #
   # NOTE(review): the scratch file names below are predictable (script
   # name plus process id) and are written by plain redirection, so SCTMP
   # should only ever point at a directory that unprivileged users cannot
   # write to.
   SCETC="/etc"
   SCTMP="/var/run"

   # Scratch file names, all derived from one per-process prefix.
   TMP="${SCTMP}/${MOD}.$$"
   TMP_SR="${TMP}.PAMsr"
   TMP_CONF="${TMP}.pam.conf"

# Service names under which the CDE login and session managers appear in
# pam.conf; lines whose first field is one of these are removed later.
DTLOGIN='dtlogin-SunRay'
DTSESSION='dtsession-SunRay'

# The PAM configuration file edited by this script.
PAM_CONF="${SCETC}/pam.conf"

# PAM client name X server class (dtlogin/dtsession)
# requires fix for 4452627
XCONFIG_ETC_DIR='/etc/dt/config'
PROTO_XCONFIG='Xconfig.SUNWut.prototype'
VALID_PAM_CLASS_TAG='Dtlogin.validPAMclasses'
SUNRAY_XSERVER_CLASS_TYPE='SunRay'

# dtsession autounlock from PAM
# requires fix for 4430559
USR_CDE_DEFAULTS_DIR='/usr/dt/app-defaults/C'
ETC_CDE_DEFAULTS_DIR='/etc/dt/app-defaults/C'
DTSESSION_DEFAULTSFILE='Dtsession'
PAM_PROMPT_NOLOCK_PROP='noPamPromptNoLock'

# PAM modules info
SRLIB="$SUNWUTLIB/pam_sunray.so"
# File name of the module reduced to its first two dot-separated parts.
SRLIBso=`$BASENAME $SRLIB | $AWK -F. '{ print $1 "." $2 }'`

# Text that marks pam.conf lines belonging to the Sun Ray software; every
# line containing it is dropped by remove_PAM_prop.
SRTAG='SunRay Server Software'

#
# Remove the appname from the passed file
#
#    Usage: remove_PAM_prop {filename} {appname}
#
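remove_PAM_prop ()
{
    # Rewrite {filename} without the lines whose first field equals
    # {appname} and without any line that contains $SRTAG.
    #
    # Globals read:    AWK, EGREP, RM, ECHO, MOD, SRTAG, TMP_SR
    # Globals written: FNAME, APPNAME, PAM_PROP_STATUS (no "local" is used,
    #                  to stay within plain Bourne shell syntax)
    # Exits the whole script with status 1 if the file cannot be filtered.

    FNAME="$1"
    APPNAME="$2"

    # The application name reaches awk as a variable assignment operand
    # instead of being pasted into the program text, so a quote or
    # backslash in it cannot change the program. Appending "" forces a
    # string comparison. "print" replaces printf($0 ...), which treated
    # each line as a format string and broke on any line containing "%".
    # NOTE(review): assignment operands still undergo awk escape
    # processing; confirm the target awk accepts them in this position.
    $AWK '$1 != (app "") { print }' app="$APPNAME" "$FNAME" >"$TMP_SR" 2>/dev/null

    if [ "$?" = 0 ] ; then
	# Writing through the redirection keeps the existing file object
	# (and so its owner and mode) but is not atomic.
	$EGREP -v "$SRTAG" "$TMP_SR" >"$FNAME"
	PAM_PROP_STATUS=$?
	$RM "$TMP_SR"
	# 0 and 1 only say whether any line was selected; a higher status
	# is a real failure and the file may now be incomplete.
	if [ "$PAM_PROP_STATUS" -gt 1 ] ; then
	    $ECHO "$MOD: error updating $FNAME"
	    exit 1
	fi
    else
	$RM "$TMP_SR"
	$ECHO "$MOD: error updating $FNAME"
	exit 1
    fi

}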

#
# Remove sunray authentication for CDE from $PAM_CONF
#
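remove_sr_from_PAM ()
{
    # Strip the Sun Ray entries of both CDE services (dtlogin and
    # dtsession) from $PAM_CONF by calling remove_PAM_prop once per
    # service name.
    #
    # Globals read: PAM_CONF, DTLOGIN, DTSESSION
    # The arguments are quoted so each reaches remove_PAM_prop as exactly
    # one word even if it contains white space.

    remove_PAM_prop "$PAM_CONF" "$DTLOGIN"
    remove_PAM_prop "$PAM_CONF" "$DTSESSION"

}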

########################################################################
#                                                                      #
#			Main code starts here.                         #
#                                                                      #
########################################################################

# XXXXX patch revision specific stuff went here. XXXXX
 #
 # Need to know which revision of the 111891 patch we are backing out to.
 # Since SmartCard Framework was introduced as part of rev-07, we need
 # some changes to remain here, if the new rev is to be 7 or more.
 #

 #
 # Get the list of 111891 patches installed on this system.
 # Get only the revision number.
 #
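 # From every "showrev -p" line that mentions the patch number as a word,
 # take the second blank-separated field and keep what follows its "-".
 PATCH_LIST=`$SHOWREV -p |$GREP -ws "$PATCH_NUM" |$AWK -F' ' '{print $2}' | $AWK -F- '{print $2}'`


 #
 # Get the previous patch revision number.
 #
 if [ -n "$PATCH_LIST" ]
  then
    # $PATCH_LIST is left unquoted on purpose so that all revisions land
    # on one line: a single revision yields 0, otherwise the second-to-last
    # one is taken. $ECHO and $AWK are used instead of bare "echo"/"awk" so
    # this root-run step does not depend on PATH.
    PATCH_REV_LIST=`$ECHO $PATCH_LIST | $AWK '{ if (NF == 1) print 0; else print $(NF - 1); }'`

    # Two separate tests: with "-a" both operands are evaluated, so an
    # empty value produced a malformed numeric comparison.
    if [ -n "$PATCH_REV_LIST" ] && [ "$PATCH_REV_LIST" -lt 7 ]
      then

        # Check for some files and directories that we must have
        # to make this all work.
        #
        if test ! -f "$PAM_CONF" ; then
            $ECHO "$MOD: $PAM_CONF does not exist"
            exit 1
        fi

        #
        # CDE is considered disabled for sunray authentication
        # if the token $SRLIBso is not in $PAM_CONF
        #
        remove_sr_from_PAM

        # Restore the old $SRLIBso entries by stripping the $STRING
        # prefix from the start of lines.
        #
        # pam.conf is only replaced when sed succeeded; an unchecked
        # replacement could install a truncated authentication
        # configuration.
        # NOTE(review): the replacement is a new file moved in from
        # $SCTMP, so owner and mode come from the scratch file rather
        # than the old pam.conf -- confirm that is acceptable.
        if $SED "/^$STRING/s///" "$PAM_CONF" > "$TMP_SR" ; then
            $MV "$TMP_SR" "$PAM_CONF"
        else
            $RM "$TMP_SR"
            $ECHO "$MOD: error updating $PAM_CONF"
            exit 1
        fi

        #
        # Remove $SUNRAY_XSERVER_CLASS_TYPE from Xconfig.
        #
        # This requires the following bugfix to be installed:
        #	4452627 dtlogin should register with PAM using a different
        #		client name when on SunRay
        #
        # XXX Note that this will only look for the valid class property
        # XXX which may or may not contain $SUNRAY_XSERVER_CLASS_TYPE.
        # XXX It is possible that other classes are in that property as
        # XXX well and we should preserve those.
        # XXX This is a bug which should be fixed.
        #
        # XXX Should we do a diff between the config file in /etc and
        # XXX the one in /usr, and if they are the same, then remove
        # XXX the file in /etc?
        #
        XCONFIG_FILE="$XCONFIG_ETC_DIR/$PROTO_XCONFIG"
        if test -f "$XCONFIG_FILE" ; then
            $EGREP -is "$VALID_PAM_CLASS_TAG" "$XCONFIG_FILE"
            if [ $? -ne 1 ]; then
                # egrep -v exits 0 or 1 on a clean run (1 only means that
                # no line was left); a higher status is a real failure and
                # the original file is then kept.
                $EGREP -vi "$VALID_PAM_CLASS_TAG" "$XCONFIG_FILE" >"$TMP_SR"
                if [ $? -lt 2 ]; then
                    $MV "$TMP_SR" "$XCONFIG_FILE"
                else
                    $RM "$TMP_SR"
                    $ECHO "$MOD: error updating $XCONFIG_FILE"
                    exit 1
                fi
            fi
        fi

        #
        # Remove the property that tells dtsession that it's OK to
        # unlock the screen without requiring user input if the PAM
        # module has validated the user.
        #
        # This requires the following bugfix to be installed:
        #	4430559 dtsession requires user input even if PAM says user
        #		is authenticated
        #
        # XXX How do we know what "language" to use for the dtsession
        # XXX defaults file? This is $LANG???
        #
        # XXX Should we do a diff between the config file in /etc and
        # XXX the one in /usr, and if they are the same, then remove
        # XXX the file in /etc?
        #
        # XXX Note that this makes the assumption that the property we
        # XXX want to remove is only in the /etc config file. Is this
        # XXX the best approach to take? This package's postinstall
        # XXX script only adds the property to the /etc file.
        #
        DTSESSION_FILE="$ETC_CDE_DEFAULTS_DIR/$DTSESSION_DEFAULTSFILE"
        if test -f "$DTSESSION_FILE" ; then
            # Same rule as above: replace the file only after a clean run.
            $EGREP -vi "$PAM_PROMPT_NOLOCK_PROP" "$DTSESSION_FILE" >"$TMP_SR"
            if [ $? -lt 2 ]; then
                $MV "$TMP_SR" "$DTSESSION_FILE"
            else
                $RM "$TMP_SR"
                $ECHO "$MOD: error updating $DTSESSION_FILE"
                exit 1
            fi
        fi
    fi
 fi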
# XXXXX patch revision specific stuff ended here. XXXXX

# XXXXX patch specific preremove stuff ended here. XXXXX
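# valpath and removef are looked up through PATH, so their directory is
# put first.
# NOTE(review): rm, sed, echo and dirname below are also resolved through
# the inherited PATH; confirm the packaging tools sanitise it for this
# root-run script.
PATH=/usr/sadm/bin:$PATH
THIS_DIR=`dirname "$0"`

Our_Deletes="$THIS_DIR/deletes"

#
# Delete the used backout data
#
if [ -f "$Our_Deletes" ]; then
	# One path per line; "read" is used without options to stay within
	# plain Bourne shell syntax.
	while read path; do
		if valpath -l "$path"; then
			Client_Path=`echo "$CLIENT_BASEDIR/$path" | sed "s|//|/|"`
		else	# It's an absolute path
			Client_Path=$path
		fi
		# rm receives whatever removef prints for this path; that
		# output is left unquoted as in the stock template.
		rm `removef "$PKGINST" "$Client_Path"`
	done < "$Our_Deletes"
	removef -f "$PKGINST"

	rm "$Our_Deletes"
fi

#
# Remove the deletes file, checkinstall and the postinstall
#
# ":?" aborts the script when either variable is empty or unset, so this
# recursive delete can never collapse to the save directory itself or "/".
rm -r "${PKGSAV:?}/${ACTIVE_PATCH:?}"
rm -f "$THIS_DIR/checkinstall" "$THIS_DIR/postinstall"

exit 0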
