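#!/bin/perl -wT

# Self-service password-change request.
#
# Verifies the caller's current password against /etc/shadow, collects a new
# one, encrypts "username/password" to root's public key with gpg and mails
# the armored ciphertext to root.  When invoked by any account other than
# "{{ ansible_user }}" (an Ansible template value) the script re-executes
# itself under sudo as that account, passing the caller's login name.
#
# Runs under taint mode (-T): everything from @ARGV, %ENV and STDIN is
# tainted until explicitly validated, and every external command is started
# in list form so no shell is ever involved.

use strict;
use warnings;

use File::Temp   qw(tempfile);
use MIME::Base64 qw(encode_base64);

# Taint mode refuses exec/system unless PATH is untainted and these shell
# variables are absent (see perlsec).
$ENV{PATH} = '/usr/sbin:/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Flush prompts immediately so they appear before the blocking read.
$| = 1;

my $RUN_AS     = '{{ ansible_user }}';
my $SELF       = '/usr/local/bin/passwd';
my $SHADOW     = '/etc/shadow';
my $ROOT_KEY   = '/etc/root-pub.pem';
my $MIN_LENGTH = 10;

# Print $prompt, read one line from STDIN without its newline and echo a
# newline (the terminal shows none while echo is off).  Dies on EOF rather
# than treating a closed STDIN as an empty password.
sub _prompt {
    my ($prompt) = @_;
    print $prompt;
    my $input = <STDIN>;
    print "\n";
    die "No input on STDIN.\n" unless defined $input;
    chomp $input;
    return $input;
}

# Return the password-hash field of $name's record in $path (shadow format:
# "login:hash:..."), or undef when no record matches.  Fields are compared
# with eq, so $name is never interpolated into a pattern.  The file must be
# readable by the account this runs as; the open dies otherwise.
sub _shadow_hash {
    my ($path, $name) = @_;
    open(my $fh, '<', $path) or die "Cannot read $path: $!\n";
    my $hash;
    while (my $line = <$fh>) {
        chomp $line;
        my ($login, $field) = split /:/, $line, 3;
        next unless defined $login and $login eq $name;
        $hash = $field;
        last;
    }
    close $fh;
    return $hash;
}

# Re-exec under sudo as the designated account.  Only reached past exec
# when exec itself fails; the exit status of the original is preserved.
my ($caller) = getpwuid $<;
die "Cannot determine the login name for uid $<\n" unless defined $caller;
if ($caller ne $RUN_AS) {
    exec('sudo', '-u', $RUN_AS, $SELF, $caller) or do {
        print STDERR "Could not exec sudo: $!\n";
        exit 1;
    };
}

# Validate and untaint the requested login name: a fixed character set only,
# so it can be compared verbatim against the shadow record and placed in the
# mail body.  Anything else (including an empty or missing argument) is
# rejected up front instead of producing an empty lookup.
my $target = $ARGV[0];
die "usage: $0 USERNAME\n" unless defined $target and length $target;
my ($username) = $target =~ /\A([A-Za-z0-9._-]+)\z/
    or die "Invalid username: $target\n";

my $passwd = _shadow_hash($SHADOW, $username);
die "No /etc/shadow record found: $username\n" unless defined $passwd;

# Echo off while passwords are typed; END restores it on every exit path,
# including die.  Best effort: stty fails harmlessly when STDIN is not a tty.
system('stty', '-echo');
END { system('stty', 'echo'); }

# crypt() returns undef (or a value that can never match) for unusable salts
# such as a locked "!"/"*" field, so guard before comparing.
my $current = _prompt('Current password: ');
my $hash    = crypt($current, $passwd);
die "Sorry...\n" unless defined $hash and $hash eq $passwd;

my $new = _prompt('New password: ');
die "Passwords must be at least $MIN_LENGTH characters long.\n"
    if length($new) < $MIN_LENGTH;
my $again = _prompt('Retype password: ');
die "New passwords do not match!\n" if $again ne $new;

# gpg's stdout goes to a private temp file (File::Temp creates it mode 0600;
# UNLINK removes it when this process exits, so the ciphertext does not
# linger in the temp directory).  The forked child redirects its own STDOUT
# and execs gpg in list form, which replaces the former shell redirection
# without starting a shell.
my ($tmp_fh, $tmp) = tempfile(UNLINK => 1);
close $tmp_fh;

my $gpg_pid = open(my $gpg, '|-');
die "Cannot fork gpg: $!\n" unless defined $gpg_pid;
if ($gpg_pid == 0) {
    open(STDOUT, '>', $tmp) or die "Cannot write $tmp: $!\n";
    exec('gpg', '--encrypt', '--armor', '--recipient-file', $ROOT_KEY)
        or die "Error running gpg: $!\n";
}

# base64 keeps the password on one printable line; confidentiality comes
# from the gpg encryption, not from the encoding.
my $epass = encode_base64($new, '');
print {$gpg} <<"EOD";
username: $username
password: $epass
EOD
# close() on a piped handle fails when gpg exits non-zero; $? carries that
# status and $! is usually 0 in that case, so report both.
close $gpg or die "Error closing pipe to gpg (exit status $?): $!\n";

# Mail the armored ciphertext to root; the recipient is given on sendmail's
# command line, so the headers below are informational.
open(my $mail, '|-', 'sendmail', 'root')
    or die "Error running sendmail: $!\n";
print {$mail} <<'EOD';
From: root
To: root
Subject: New password.

EOD
open(my $enc, '<', $tmp) or die "Cannot read $tmp: $!\n";
print {$mail} <$enc>;
close $enc;
close $mail or die "Error closing pipe to sendmail (exit status $?): $!\n";

print "\nYour request was sent to Root.  PLEASE WAIT for email confirmation\nthat the change was completed.\n";
exit;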
