#!/bin/bash

echo "$0: $PAM_TYPE $PAM_USER"

if [ "$PAM_TYPE" == 'auth' ] ; then
	if [ "$PAM_SERVICE" = 'web2' ] ; then
		PAM_FILE="/etc/pam-auth2/$PAM_USER"
	else
		PAM_FILE="/etc/pam-auth/$PAM_USER"
	fi
	if ! [ -f $PAM_FILE ] ; then
		echo "No [$PAM_FILE] for user [$PAM_USER]" >&2
		exit 2
	fi
	# For auth, we compare the passwords
	read PASSWORD
	read CHECK_PASSWORD < $PAM_FILE
	if [ "$PASSWORD" == "$CHECK_PASSWORD" ] ; then
		echo "$0: auth [$PAM_USER] ok"
		exit 0
	fi
	echo "Provided password [$PASSWORD] does not match expected [$CHECK_PASSWORD]" >&2
	exit 3
fi

if [ "$PAM_TYPE" == 'account' ] ; then
	if [ "$PAM_SERVICE" = 'web2' ] ; then
		PAM_FILE="/etc/pam-account2/$PAM_USER"
	else
		PAM_FILE="/etc/pam-account/$PAM_USER"
	fi
	if ! [ -f $PAM_FILE ] ; then
		echo "No [$PAM_FILE] for user [$PAM_USER]" >&2
		exit 2
	fi
	# For account check, existing file is enough to allow access
	echo "$0: account [$PAM_USER] ok"
	exit 0
fi

echo "Unsupported PAM_TYPE [$PAM_TYPE]" >&2
exit 4
