#!/bin/sh

# Generate the polkit rules that decide who may talk to NetworkManager and who
# may run pkexec on this host, driven by puavo-conf settings.  Every rules file
# is first written to a ".tmp" sibling and then renamed into place, so polkitd
# never observes a half-written file.

set -eu

# Write a rules file atomically.
#   $1 - destination path; the rule text is read from stdin.
install_rules_file() {
  cat > "$1.tmp"
  mv "$1.tmp" "$1"
}

# In webkiosk mode every org.freedesktop.NetworkManager.* action is refused
# for everybody.  Outside webkiosk mode the file must not exist at all, so
# NetworkManager's own defaults apply.
deny_in_webkiosk_mode_path='/etc/polkit-1/rules.d/90-org-freedesktop-networkmanager-deny-in-webkiosk-mode.rules'

if [ "$(puavo-conf puavo.xsessions.default)" != 'puavo-webkiosk' ]; then
  rm -f "$deny_in_webkiosk_mode_path"
else
  # Quoted delimiter: the JavaScript is emitted verbatim, nothing expands.
  install_rules_file "$deny_in_webkiosk_mode_path" <<'EOF'
polkit.addRule(function(action, subject) {
    if (action.id.startsWith("org.freedesktop.NetworkManager.")) {
        return polkit.Result.NO;
    }

    return null;
});
EOF
fi

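# Grant exactly one "special" user the right to change system-wide
# NetworkManager connections (org.freedesktop.NetworkManager.settings.modify.system)
# without a password: the guest account when self-registration is enabled,
# otherwise the configured primary user (if there is one).
allow_modify_by_special_user_path='/etc/polkit-1/rules.d/90-org-freedesktop-networkmanager-allow-modify-by-special-user.rules'

primary_user=''
user_for_system_network_permissions=''
if [ "$(puavo-conf puavo.xsessions.user_registration.enabled)" = 'true' ]; then
  user_for_system_network_permissions='guest'
else
  primary_user=$(puavo-conf puavo.admin.primary_user)
  if [ -n "$primary_user" ]; then
    user_for_system_network_permissions="$primary_user"
  fi
fi

# polkitd reads rules files in lexicographic order and the first rule that
# returns a non-null result wins.  This "...-allow-modify-by-special-user"
# file sorts before "...-deny-in-webkiosk-mode.rules", so if it were installed
# in webkiosk mode its YES would be reached before the deny rule ever ran.
# Do not install it in webkiosk mode at all.
if [ "$(puavo-conf puavo.xsessions.default)" = 'puavo-webkiosk' ]; then
  user_for_system_network_permissions=''
fi

# The user name is interpolated into a JavaScript string literal below and
# polkitd evaluates that code as root: a quote or backslash in the value would
# break out of the literal and change the rule.  Accept only a conservative
# user name; anything else results in no rule being installed (fail closed).
case "$user_for_system_network_permissions" in
  *[!a-zA-Z0-9._-]*)
    printf '%s: refusing to put unsafe user name "%s" into a polkit rule\n' \
      "$0" "$user_for_system_network_permissions" >&2
    user_for_system_network_permissions=''
    ;;
esac

if [ -n "$user_for_system_network_permissions" ]; then
  # Unquoted delimiter on purpose: only ${user_for_system_network_permissions}
  # is expanded; the rule text contains no other shell-significant characters.
  cat <<EOF > "${allow_modify_by_special_user_path}.tmp"
polkit.addRule(function(action, subject) {
    if (subject.user !== "${user_for_system_network_permissions}") {
        return null;
    }

    if (action.id !== "org.freedesktop.NetworkManager.settings.modify.system") {
        return null;
    }

    if (subject.active) {
        return polkit.Result.YES;
    }

    return polkit.Result.NO;
});
EOF
  mv "${allow_modify_by_special_user_path}.tmp" \
     "$allow_modify_by_special_user_path"
else
  rm -f "$allow_modify_by_special_user_path"
fi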

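# Decide who may use pkexec (org.freedesktop.policykit.exec): the primary user
# and members of the puavo-role-admin group, only from an active local session,
# and only after re-authenticating with their own password (AUTH_SELF).
# Everybody else gets a hard NO rather than falling through to the defaults.
polkit_primary_user_path='/etc/polkit-1/rules.d/90-puavo-primary-user.rules'

# "$primary_user" (set by the NetworkManager section above; empty when
# self-registration is enabled or no primary user is configured) is
# interpolated into a JavaScript string literal, and polkitd runs that code as
# root.  Reject names that could break out of the literal; an empty name is
# harmless because no real account matches subject.user === "".
pkexec_user="$primary_user"
case "$pkexec_user" in
  *[!a-zA-Z0-9._-]*)
    printf '%s: refusing to put unsafe primary user name "%s" into a polkit rule\n' \
      "$0" "$pkexec_user" >&2
    pkexec_user=''
    ;;
esac

cat <<EOF > "${polkit_primary_user_path}.tmp"
polkit.addRule(function(action, subject) {
    if (action.id !== "org.freedesktop.policykit.exec") {
        return null;
    }

    if (!subject.active || !subject.local) {
        return polkit.Result.NO;
    }

    if (subject.user === "${pkexec_user}" || subject.isInGroup("puavo-role-admin")) {
        return polkit.Result.AUTH_SELF;
    }

    return polkit.Result.NO;
});
EOF
mv "${polkit_primary_user_path}.tmp" "$polkit_primary_user_path"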
