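#!/usr/bin/env bash
# uninstall.sh
# part of ssh-notify from server-toolset
# 2025 © Yigid BALABAN
#
# This script must be run as root. It uninstalls the SSH login notification script,
# example config, updates PAM, and uninstalls the logrotate config in a transactional manner.
#
# Every file is copied into a private backup directory before it is touched. If a
# step fails, the ERR trap restores those copies so that /etc/pam.d/sshd and the
# ssh-notify files are not left half-removed.

# -E (errtrace) lets the ERR trap fire inside functions too; without it a failure
# inside depart_dir_config would end the script without running the rollback.
set -Eeuo pipefail

# Ensure running as root
if [[ "$(id -u)" -ne 0 ]]; then
  echo "Error: This script must be run as root." >&2
  exit 1
fi

# Destinations. Defined before the trap is armed so rollback can always use them.
SCRIPT_DEST="/usr/local/sbin/ssh-notify.sh"
CONF_DIR="/etc/ssh-notify"
CONF_DEST="${CONF_DIR}/config.conf"
PAM_FILE="/etc/pam.d/sshd"
PAM_TMP="${PAM_FILE}.tmp"
LOGROTATE_FILE="/etc/logrotate.d/ssh-notify"

# Create temporary directory for backups (mktemp -d makes it private to root).
TMPDIR="$(mktemp -d)"
BACKUP_DIR="${TMPDIR}/backup"
mkdir -p -- "$BACKUP_DIR"

#######################################
# Copy one backup file back to its original location, if that backup exists.
# Arguments: $1 - backup file, $2 - destination path
# Returns:   0 when nothing had to be restored or the copy succeeded
#######################################
restore_backup() {
  local backup=$1 dest=$2
  [[ -f "$backup" ]] || return 0
  # The parent may already be gone (CONF_DIR is removed in step 3).
  mkdir -p -- "$(dirname -- "$dest")" || return 1
  # cp -p keeps the mode, owner and timestamps captured when the backup was taken.
  cp -p -- "$backup" "$dest"
}

#######################################
# ERR handler: put every backed-up file back and exit with status 1.
# Globals: BACKUP_DIR, TMPDIR, PAM_TMP and the destination paths (read)
#######################################
rollback() {
  # Do not re-enter the trap, and do not let one failed restore stop the others.
  trap - ERR
  set +e
  local failed=0

  echo "Error encountered. Rolling back changes..." >&2
  rm -f -- "$PAM_TMP"
  restore_backup "$BACKUP_DIR/sshd.bak" "$PAM_FILE" || failed=1
  restore_backup "$BACKUP_DIR/ssh-notify.sh.bak" "$SCRIPT_DEST" || failed=1
  restore_backup "$BACKUP_DIR/config.conf.bak" "$CONF_DEST" || failed=1
  restore_backup "$BACKUP_DIR/ssh-notify.logrotate.bak" "$LOGROTATE_FILE" || failed=1

  if ((failed)); then
    # Keep the only remaining copies when a restore did not succeed.
    echo "Warning: some files could not be restored; backups kept in $BACKUP_DIR" >&2
  else
    rm -rf -- "${TMPDIR:?}"
  fi
  exit 1
}
trap rollback ERR

# Step 1: Remove PAM exec entry and associated comment
if [[ -f "$PAM_FILE" ]]; then
  cp -p -- "$PAM_FILE" "$BACKUP_DIR/sshd.bak"
  # Seed the temp file from the original so the replacement keeps its mode and owner;
  # the redirection below truncates it in place.
  cp -p -- "$PAM_FILE" "$PAM_TMP"
  # Filter out ssh-notify lines and trim any trailing blank lines.
  # The separator in "ssh-notify" is matched as any run of non-alphanumeric
  # characters: the installed path uses an ASCII hyphen, and a pattern written with a
  # typographic (non-breaking) hyphen would never match it, leaving the pam_exec
  # entry behind after the script itself has been deleted.
  awk '
    # skip the comment line written by install.sh
    /^# Send notification upon successful login \(added by ssh[^[:alnum:]]+notify install\.sh\)/ { next }
    # skip the pam_exec line
    /^session[[:space:]]+optional[[:space:]]+pam_exec\.so.*ssh[^[:alnum:]]+notify\.sh/ { next }
    # collect other lines
    { buf[++n] = $0 }
    END {
      # drop trailing empty lines
      while (n > 0 && buf[n] == "") n--
      for (i = 1; i <= n; i++) print buf[i]
    }
  ' "$PAM_FILE" >"$PAM_TMP"

  # Never replace a non-empty sshd PAM stack with an empty file.
  if [[ -s "$PAM_FILE" && ! -s "$PAM_TMP" ]]; then
    echo "Error: filtered $PAM_FILE would be empty; refusing to replace it." >&2
    rollback
  fi

  if ! cmp -s -- "$PAM_FILE" "$PAM_TMP"; then
    mv -- "$PAM_TMP" "$PAM_FILE"
    echo "Removed PAM exec entry for ssh-notify from $PAM_FILE"
  else
    rm -f -- "$PAM_TMP"
    echo "PAM exec entry for ssh-notify not found in $PAM_FILE (no changes made)"
  fi
else
  echo "PAM file $PAM_FILE not found."
fi

# Step 2: Remove main script
if [[ -f "$SCRIPT_DEST" ]]; then
  cp -p -- "$SCRIPT_DEST" "$BACKUP_DIR/ssh-notify.sh.bak"
  rm -- "$SCRIPT_DEST"
  echo "Removed script $SCRIPT_DEST"
fi

# Step 3: Remove configuration
#######################################
# Back up and delete the config file, then remove its directory if it is empty.
# Globals: CONF_DEST, CONF_DIR, BACKUP_DIR (read)
#######################################
depart_dir_config() {
  if [[ -f "$CONF_DEST" ]]; then
    cp -p -- "$CONF_DEST" "$BACKUP_DIR/config.conf.bak"
    rm -- "$CONF_DEST"
    echo "Removed config $CONF_DEST"
  fi
  if [[ -d "$CONF_DIR" ]]; then
    # Best effort: other files may live here. Only report removal when it happened.
    if rmdir -- "$CONF_DIR" 2>/dev/null; then
      echo "Removed directory $CONF_DIR"
    else
      echo "Directory $CONF_DIR was not removed (it may not be empty)."
    fi
  fi
}
depart_dir_config

# Step 4: Remove logrotate configuration
if [[ -f "$LOGROTATE_FILE" ]]; then
  cp -p -- "$LOGROTATE_FILE" "$BACKUP_DIR/ssh-notify.logrotate.bak"
  rm -- "$LOGROTATE_FILE"
  echo "Removed logrotate file $LOGROTATE_FILE"
fi

trap - ERR
echo "Uninstallation completed successfully."
# NOTE(review): the backup holds a copy of config.conf, which presumably contains the
# notification credentials; delete the directory once the uninstall is confirmed.
echo "Backup files are located in $BACKUP_DIR. You may delete this directory manually."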