#!/bin/bash

# Get current status of a VPN connection with options to connect/disconnect.
# Working with OpenConnect, but can work with any executable VPN. Commands
# that require admin permissions should be whitelisted with 'visudo', e.g.:
#
#joesmith ALL=(ALL) NOPASSWD: /usr/local/bin/openconnect
#joesmith ALL=(ALL) NOPASSWD: /usr/bin/killall -2 openconnect

# <xbar.title>VPN Status</xbar.title>
# <xbar.version>v1.3</xbar.version>
# <xbar.author>Thomas Schmauder</xbar.author>
# <xbar.author.github>itssct</xbar.author.github>
# <xbar.desc>Displays status of a VPN interface with option to connect/disconnect.</xbar.desc>
# <xbar.image>http://i.imgur.com/RkmptwO.png</xbar.image>
# <xbar.dependencies>openconnect</xbar.dependencies>
# <xbar.about>https://git.bib.de/itssct/OpenFortiVPN_macOS</xbar.about>
# <swiftbar.hideAbout>true</swiftbar.hideAbout>
# <swiftbar.hideRunInTerminal>true</swiftbar.hideRunInTerminal>
# <swiftbar.hideLastUpdated>false</swiftbar.hideLastUpdated>
# <swiftbar.hideDisablePlugin>true</swiftbar.hideDisablePlugin>
# <swiftbar.hideSwiftBar>true</swiftbar.hideSwiftBar>
###################
#### Variables ####
###################
VERSION=1.3.1
WORKDIR="/Users/$USER/.openconnect"
mkdir -p $WORKDIR
logfile="$WORKDIR/bibVPN.log"
echo -e "\nStart: $(date)" >>$logfile
echo "Run $0 $@" >> $logfile
PATH=$PATH:/usr/local/bin
VPN_EXECUTABLE=$(which openconnect)
OC_PIDFILE="$WORKDIR/vpn.bib.de.pid"
SETTINGSFILE="$WORKDIR/settings.csv"
ACCOUNTFILE="$WORKDIR/accounts.csv"
VPN_USERNAME="$2"
VPN_HOST="$3"

#### Settings ####
SHOW_SETTINGS='ON'
SHOW_ICONS='ON'
NET_FILTER='inet 172.[123][0-9].1[67][80].'
FONT=( 'size=14' 'font=UbuntuMono' )


# A command that will result in your VPN password.
GET_VPN_PASSWORD="security find-generic-password -g -a $VPN_USERNAME 2>&1 >/dev/null | cut -d'\"' -f2"
# Command to determine if VPN is connected or disconnected
VPN_CONNECTED="ifconfig | egrep -A1 '$NET_FILTER' |cut -d' ' -f2"
# Command to run to disconnect VPN
VPN_DISCONNECT_CMD="sudo killall -2 openconnect"

# Get IP of Current VPN Tunnel
IP=$(ifconfig | egrep -A1 "$NET_FILTER" |cut -d' ' -f2)

###################
#### Functions ####
###################
function askFor(){
    osascript="$1 buttons {\"Cancel\",\"OK\"} default button {\"OK\"} cancel button \"Cancel\" with title \"Neuen User für das VPN anlegen\" with icon caution"
    echo $osascript
    results=$( /usr/bin/osascript -e "$osascript")
    if [[ $? != 0 ]]; then
            clmsg='display notification "" with title "OpenFortiVPN" subtitle "Beende mich" sound name "Submarine"'
            osascript -e "$clmsg"
            exit 2
    else
        echo $results >> $logfile
        theButton=$( echo "$results" | /usr/bin/awk -F "button returned:|," '{print $2}' )
        theText=$( echo "$results" | /usr/bin/awk -F "text returned:" '{print $2}' )

        if [[ $theButton == "OK" ]] ;then
            echo $theText;
        elif [[ $theButton == "Cancel" ]] ; then
            clmsg='display notification "" with title "OpenFortiVPN" subtitle "Beende mich" sound name "Submarine"'
            osascript -e "$clmsg"
            exit 2
        fi
    fi
}

function showSettings()
{
    if [[ $SHOW_SETTINGS == "ON" ]]; then
        echo "---"
        echo "Settings"
        echo "--Farbige Icons aus (not ready) | tooltip='Vielleicht klappt es irgendwann :)' checked=false"
        echo "--Neues VPN Profil anlegen | shell='$0' param1=newuser terminal=false refresh=true"
        echo "---"
        echo "-- --- INFOS ---"
        echo "--Logfile: $logfile | shell='$0' param1=openlog terminal=false refresh=true tooltip='Das Logfile öffnen'"
        echo "--__${SETTINGSFILE}__ | md=true"
        echo "--Script: $(basename -- "$0") Version: **v$VERSION** | href="https://git.bib.de/itssct/OpenFortiVPN_macOS" terminal=false refresh=true tooltip='Die Projektwebsite im Browser öffnen' md=true"
    fi
}
###################
###### MAIN #######
###################
case "$1" in
    connect)
        echo "$GET_VPN_PASSWORD"  >> $logfile 2>&1
        VPN_PASSWORD=$(eval "$GET_VPN_PASSWORD")
        # Passwort checken
        if [[ $VPN_PASSWORD =~ 'item could not be found in the keychain.' ]] ; then
            
            echo "Es konnte kein Passwort für $VPN_USERNAME gefunden werden"  >> $logfile 2>&1
            #errmsg_noPass='display notification "Es konnte kein Passwort für '$VPN_USERNAME' gefunden werden" with title "OpenFortiVPN" subtitle "Verbindungsversuch nicht erfolgreich" sound name "Brise"'
            #osascript -e "$errmsg_noPass"
            NEW_VPN_PASSWORD=$(askFor 'display dialog "Es ist kein Passwort im Schlüsselbund vorhanden. Wie lautet das Passwort für '$VPN_USERNAME'? " default answer "Mein Passwort..." with hidden answer')
            echo $VPN_PASSWORD
            if [[ $? != 0 ]]; then exit 2 ; fi # Beim Abbruch der Maske, gesamte Script beenden.
            echo "security add-generic-password -a $VPN_USERNAME -s openconnect -w '$VPN_PASSWORD'"  >> $logfile 2>&1
            security add-generic-password -a $VPN_USERNAME -s "openconnect" -T /usr/bin/security -w "$NEW_VPN_PASSWORD"
            VPN_PASSWORD=$NEW_VPN_PASSWORD
        #else 
            #echo $VPN_PASSWORD >> $logfile 2>&1 
        fi
        VPN_EXECUTABLE_PARAMS="--passwd-on-stdin --servercert $4 --protocol=fortinet --pid-file=$OC_PIDFILE --background" # Optional

        # Verbindung aufbauen
        echo "$VPN_PASSWORD | sudo $VPN_EXECUTABLE $VPN_EXECUTABLE_PARAMS --user $VPN_USERNAME $VPN_HOST" >> $logfile 2>&1
        echo "$VPN_PASSWORD" | sudo $VPN_EXECUTABLE $VPN_EXECUTABLE_PARAMS --user $VPN_USERNAME  $VPN_HOST>> $logfile 2>&1
        if [[ $? != 0 ]]; then 
            osascript -e 'display altert "Verbindungsaufbau Fehlgeschlagen. Bitte im Log prüfen, was die Ursache ist."'
        fi 
        IP=$(ifconfig | egrep -A1 "$NET_FILTER" |cut -d' ' -f2)
        ii=0
        while [ -z $IP ] && [[ $ii != 20 ]]; do echo "noch keine IP" ; sleep 0.5 ; IP=$(ifconfig | egrep -A1 "$NET_FILTER"|cut -d' ' -f2) ; ((ii++)) ; done
        msg='display notification "Erfolgreich verbunden \nConnected User: '$VPN_USERNAME'" with title "OpenFortiVPN" subtitle "Deine IP lautet: '$IP'" sound name "Brise"'
        errmsg='display notification "Verbindungsversuch nicht erfolgreich" with title "OpenFortiVPN" subtitle "Schade" sound name "Brise"'
        if  [[ $IP =~ 172 ]] ; then osascript -e "$msg" ; else osascript -e "$errmsg" ; exit 5 ; fi
        # Wait for connection so menu item refreshes instantly
        until eval "$VPN_CONNECTED"; do sleep 1; done
        ;;
    disconnect)
        eval "$VPN_DISCONNECT_CMD"
        # Wait for disconnection so menu item refreshes instantly
        until [ -z "$(eval "$VPN_CONNECTED")" ]; do sleep 1; eval "$VPN_CONNECTED" ;done
        osascript -e 'display notification "VPN Tunnel erfolgreich geschlossen" with title "OpenFortiVPN" subtitle "Mach Feierabend" sound name "Submarine"'
        ;;
    newuser)
        echo "Sie wollen einen weiteren Benutzer für das VPN anlegen. Geben Sie dazu die folgenden Dinge ein."
        askFor 'display dialog "Sie wollen einen weiteren Benutzer für das VPN anlegen. Geben Sie dazu die folgenden Dinge ein."'
        NEW_VPN_NAME=$(askFor 'display dialog "Wie soll die neue Verbindung heißen?" default answer "bib | eduUP | FHDW"' )
        NEW_VPN_USERNAME=$(askFor 'display dialog "Wie lautet die E-Mail des Benutzers, der zum Verbinden verwendet werden soll?" default answer "vorname.nachname@bib.de"' )
        NEW_VPN_HOST=$(askFor 'display dialog "Wie lautet der Servername?" default answer "vpn.bib.de"')
        if [[ -z $NEW_VPN_NAME ]] ; then echo -n "Wie lautet der Name der neuen Verbindung? " ; read NEW_VPN_NAME ; fi
        if [[ -z $NEW_VPN_HOST ]] ; then echo -n "Wie lautet der VPN-Server? "; read NEW_VPN_HOST ; fi
        if [[ -z $NEW_VPN_USERNAME ]] ; then echo -n "Wie lautet die E-Mail des Benutzers? " ; read NEW_VPN_USERNAME ; fi

        NEW_VPN_PUBKEY=$(gnutls-cli --print-cert $NEW_VPN_HOST |grep -e 'pin-.*:'|awk '{$1=$1;print}')
        NEW_VPN_PASSWORD=$(security find-generic-password -g -a $NEW_VPN_USERNAME 2>&1 >>$logfile) #>/dev/null)
        if [[ $NEW_VPN_PASSWORD =~ password ]] ; then
            echo "Es ist bereits ein Passwort im Schlüsselbund für $NEW_VPN_USERNAME hinterlegt."
        else
            echo -n "Es ist noch kein Passwort im Schlüsselbund hinterlegt. Bitte einmal das Passwort angeben : " ;
            NEW_VPN_PASSWORD=$(askFor 'display dialog "Es ist kein Passwort im Schlüsselbund vorhanden. Wie lautet das Passwort? " default answer "Mein Passwort..."')
            security add-generic-password -a $NEW_VPN_USERNAME -s openconnect -w $NEW_VPN_PASSWORD
        fi
        echo "$NEW_VPN_NAME,$NEW_VPN_USERNAME,$NEW_VPN_HOST,$NEW_VPN_PUBKEY" >> $logfile # $ACCOUNTFILE
        ;;
    openlog)
        open -a console $logfile
        ;;
esac

if [ -f $OC_PIDFILE ]; then
    if [ $SHOW_ICONS == 'ON' ]; then echo "| sfimage=firewall.fill | sfcolor=green" ; else echo "VPN ✔ |$FONT color=green" ; fi
    echo '---'
    echo "Disconnect VPN | bash='$0' param1=disconnect terminal=false refresh=true"
    aUser=$(ps -ef | grep -e '--user\ ' | cut -d' ' -f 32)
    if [[ $aUser =~ .*@.* ]]; then echo "User: $aUser" ; fi
    echo "IP: $IP"
    echo "Verbunden seit: $(stat $OC_PIDFILE | cut -d'"' -f4)"
    showSettings
    exit
else
    if [ $SHOW_ICONS == 'ON' ] ; then echo "| sfimage=firewall" ; else echo "VPN ❌ | $FONT color=Crimson" ; fi
    echo '---'
    # Alle User aus der accounts.csv auslesen und dann zur Auswahl anbieten.
    cat "$ACCOUNTFILE" | while IFS= read config; 
    do
        [[ $config =~ ^#.* ]] && continue
        cfgName=$(echo $config|cut -d',' -f1)
        cfgMail=$(echo $config|cut -d',' -f2)
        cfgHost=$(echo $config|cut -d',' -f3)
        cfgPubKey=$(echo $config|cut -d',' -f4)
        echo "Connect $cfgName VPN | shell='$0' param1=connect param2=$cfgMail param3=$cfgHost param4=$cfgPubKey terminal=false refresh=true"
    done
    showSettings
    exit
fi