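#!/bin/sh
##########################################################################
# Header: 0005.utcard_check
#
# Description:
#   This utility can be used w/ Sun Ray to ensure that a user can only
#   use a card that is registered to them.
#
# Usage/Installation:
#   Copy this script into /usr/dt/config/Xsession.d directory onto
#   all Sun Ray server(s). The script will execute during login
#   sequence.
#
#   Detailed installation is as follows:
#     cp 0005.utcard_check /usr/dt/config/Xsession.d
#     chown root:root /usr/dt/config/Xsession.d/0005.utcard_check
#     chmod 0755 /usr/dt/config/Xsession.d/0005.utcard_check
#
# Sun Ray Policy Setup:
#   Note: This script WILL allow login if non-smartcard login is enabled.
#   Set System Policy->Card Users->Access=Users with Registered Tokens
#
#   Optional (this disables non card use):
#   Set System Policy->Non-Card Users->Access=None
#
# Registering SmartCards/Tokens:
#   1) Register SmartCards/Tokens via webadmin GUI
#   2) Place UNIX username, i.e., mhatley, into the "Owner field"
#
# Limitations/Notes/Assumptions:
#   1) echo statements below dump output to $HOME/.dt/startlog
#   2) This has been tested under the following conditions:
#        SRSSv3.1 on Solaris 10
#        SRSS 4 0907 on Solaris 10
#        SRSS 4 0907 on Nevada (B70+)
#   3) Sun Ray User DB ensures *unique* token registration (via web admin
#      gui or CLI). Therefore, this:
#        utuser -a "Payflex.500a3f0100130100,localhost,7007,guest,guest-other-info"
#      followed by this:
#        utuser -a "Payflex.500a3f0100130100,localhost,7007,guest2,guest-other-info"
#      produces this:
#        Token 'Payflex.500a3f0100130100' already in administration database.
#   4) When a Sun Ray user is Added/Registered, the Sun Ray "User Name"
#      field must be set equal to the Solaris username, i.e., field 1 of
#      /etc/passwd.
#   5) This script assumes you set a Sun Ray Policy requiring the Use of
#      Registered Card; otherwise, when a user inserts an unregistered
#      card, it will just be flagged as a card not registered for this user.
#   6) This script could be adapted to Tsol 8 by substituting the zenity
#      line below w/ a call to dtksh or tcl/tk or something else on Tsol 8
#   7) The top-level "return" statements below assume this file is
#      sourced by Xsession (as files in Xsession.d are), not executed as
#      a separate process. Backticks are kept deliberately: the Solaris
#      /bin/sh targeted here does not support $(...).
#
# Revision History:
#   Date        Who     Change Description
#   01Nov2006   Hatley  Created
#   23Aug2007   Hatley  Corrections w/ assistance from D. Maher
#   24Aug2007   Hatley  Optimizations using env vars vs cmds (kudos C. Bender)
#
# Disclaimer:
#   THIS SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
#   EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
#   IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
#   PURPOSE, OR NON-INFRINGEMENT.
##########################################################################

# If SUN_SUNRAY_TOKEN env variable is NOT set, the user is probably on
# a GRAPHICAL console, i.e., a system w/ a head. If the user remotely
# connects (via ssh, telnet, rlogin, etc.), it won't be set either.
# If SUN_SUNRAY_TOKEN is not set, bail & let the user log in.
#
# The ":=" form intentionally leaves SUN_SUNRAY_TOKEN=OnTheConsole in the
# (sourced) session environment for console users, exactly as before.
if [ "${SUN_SUNRAY_TOKEN:=OnTheConsole}" = OnTheConsole ]; then
  # Not on a Sun Ray, exit this script & let the login sequence continue
  echo " User ($USER) is not on a Sun Ray (probably on the console)"
  echo " Allowing $USER to login in."
  return
fi

# We know it's a Sun Ray Session
echo " Current Sun Ray User: $USER"
echo " Token of Current SmartCard: $SUN_SUNRAY_TOKEN"

# If the user's not using a SmartCard or the Policy isn't set to
# require SmartCards, then the token will be: "pseudo."
# Match on the prefix only: the token string comes from the session, so
# a real card token that merely *contains* "pseudo" must not skip the
# registration check.
case "$SUN_SUNRAY_TOKEN" in
  pseudo*)
    # No SmartCard, exit this script & let the login sequence continue
    echo " User Not Using a SmartCard."
    echo " Allowing $USER to login in."
    return
    ;;
esac

# Look up the current user in the Sun Ray DB.
# If unregistered, /opt/SUNWut/sbin/utuser -p "$SUN_SUNRAY_TOKEN" will return:
#   Error: Token ID 'Payflex.500a390200130100' not in admin database.
# to stderr (which lands in startlog). All the user will see on the pop up
# is that the card is not registered to them.
# The token is quoted so that word-splitting/globbing cannot alter the
# argument handed to utuser.
registered_sruser=`/opt/SUNWut/sbin/utuser -p "$SUN_SUNRAY_TOKEN" | /usr/bin/nawk '/User Name/ {print $4}'`
echo " SmartCard Registered to User: $registered_sruser"

# Allow the login only if the DB lookup produced a non-empty owner AND it
# matches the user logging in. The explicit -n test keeps the check
# fail-closed: an empty lookup result (token not in DB, utuser missing or
# failing) must never compare equal to an empty/unset $USER.
if [ -n "$registered_sruser" ] && [ "$registered_sruser" = "$USER" ]; then
  echo " Current user matches user registered to this Smart Card (Token)"
  echo " Login allowed `date`"
else
  # Report the token that was actually presented (the original message
  # referenced an undefined variable here and printed nothing).
  echo " ERROR: SmartCard ($SUN_SUNRAY_TOKEN) Registered for User $registered_sruser"
  echo " ERROR: Forcing Logout of User: $USER"
  echo " Killing Pid of current process (\$\$): $$"
  # We'll give the user 10 seconds to respond to the zenity dialog; the
  # backgrounded timer kills the session even if the dialog is never closed.
  (sleep 10; kill -9 $$) &
  # NOTE(review): zenity may interpret markup in --text; the token and user
  # name are interpolated here. Newer zenity offers --no-markup, but its
  # availability on the targeted SRSS/Solaris releases is unconfirmed.
  zenity --error --text="Error! The Smart Card you are using\nToken: $SUN_SUNRAY_TOKEN\nIs not registered for this login: $USER"
  # Kill the user's session
  kill -9 $$
fi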