#!/usr/bin/perl -w

## CGI to allow people to change their SVN password
## $Id: passwd.pl 913 2005-02-20 05:54:02Z tvd $

use strict;
use CGI qw/:standard/;
$|++;

my $user_auth = '/apps/repository/SVN/svn-auth-credentials';
my $svn_repo = '/apps/repository/SVN/svn-repo-access';

my $admin_group = 'sysadmins';
my $sudo = '/usr/bin/sudo';
my $htpasswd = '/usr/bin/htpasswd';
my $curuser = $ENV{'REMOTE_USER'};

print header, start_html(-title => 'Subversion Passphrase Changing');

unless (defined $curuser) {
  print h1("Who are you !?!"),"\n";
  print end_html;
  exit 255;
}

if (param()) {
  my $pw = param('passphrase') || '';
  my $vpw = param('verify') || '';
  my $user = param('user') || '';

  if ($user ne $curuser) {
    print h1("Stop trying to crack me!"),"\n";
  }
  elsif (length($pw) < 6) {
    print "Sorry, the passphrase needs to be at least 6 characters long\n";
  }
  elsif (length($pw) > 80) {
    print "Sorry, the passphrase can only be 80 characters maximum\n";
  }
  elsif ($pw ne $vpw) {
    print "The passphrase and the verification don't match, please go back and try again.\n";
  }
  else {
    # ok, things are good, do the htpasswd call

    print "The passphrase should be changed at this point, but any errors will be displayed below.",br,
      "If you only see 'Updating password for user $user', there weren't any errors.",p,"\n",
      "<hr><pre>\n";

    # errors from htpasswd goto stderr, so shunt it to stdout before running htpasswd
    open STDERR, ">&STDOUT";

    # the braces get around a perl warning
    { exec $sudo, $htpasswd, '-b', '-m', $user_auth, $user, $pw; }

    # execution should never get here unless the exec fails horribly
    print "</pre>\n<h1>SOMETHING BAD HAPPENED, CALL THE ADMINS!</h1>\n";
    exit 255;
  }
  print end_html;
}
else {
  print p("Hello $curuser, please enter your new choice of passphrase below, and then verify it by entering it again."),"\n",
    start_form,
    hidden(-name => 'user', -default => $curuser),"\n",
    strong("Passphrase: "),password_field(-name => 'passphrase', -size => 32, -maxlength => 80),
    "(6-80 chars)",br,"\n",
    strong("Verify: "),password_field(-name => 'verify', -size => 32, -maxlength => 80),p,"\n",
    submit,
    end_form,
    "\n",hr,p("You can either use a passphrase (preferably of decent length, include punctuation, etc,) or a password.  Good passwords have these properties:"),"\n",
    ul(
     li('is not based upon a dictionary word'),
     li('does not have numbers substituted for common letters (ie. 3 for E 1 for I, 0 for O, etc) or numbers used as a suffix/prefix (ie.  4sale, 2by4, etc.)'),
     li('is at least 8 characters long (length of 6 to 80 is required)'),
     li('is made up of a combination of non-repeating upper/lower case letters, numbers, and punctuation.'),
     li('is hard to guess ;)'),
    ),
    "\n",p,"Also note that the passphrase is case-sensitive.\n",
    end_html,"\n";
}

__DATA__
# This is just "scratch" data that may be useful

sub determine_groups {
  my %groups = ();
  open(REPO, $svn_repo) || die "Can't open $svn_repo: $!";
  my $section;
  while (<REPO>) {
    s/\#.*$//;
    next unless /\S/;
    chomp;
    s/\s+//;

    if (/^\[([^\]]+)\]$/) {
      $section = $1;
      next;
    }

    if ($section eq 'groups') {
      my($k,$v) = split(/\s*=\s*/, $_, 2);
      foreach(split(/\s*,\s*/, $v)) {
        $groups{$_}->{$k}=1;
      }
    }
  }
  close(REPO);

  return %groups;
}