#!/bin/sh
. /etc/functions.sh

# Tag recorded at the front of $key_profile and handed to dray-fwup, so that a
# later "decrypt" run uses the same key version as the "encrypt" run did.
key_version="v1"
# Where "encrypt" records the key version plus the names of the uci keys it
# encoded (names only; the values themselves stay in /tmp/config/). The file
# lives in /tmp.
key_profile=/tmp/key_profile.txt
# First argument: "encrypt" or "decrypt" (anything else makes the script
# return 1).
option=$1

# Per-config selection flags, 1 = include that config's password options in
# this run. Set by get_cfg_flag from the remaining arguments, or all forced to
# 1 in the "encrypt" branch when no config name is given.
network_flag=0
cvmd_flag=0
cwmp_flag=0
mail_alert_flag=0
ddns_flag=0
appuser_flag=0
pptp_l2l_dout_flag=0
ipsec_remote_dialin_flag=0
radius_flag=0
snmpd_flag=0
ipsec_policy_flag=0
ldap_flag=0
config_sms_flag=0
config_mail_flag=0
ipsec_cer_config_flag=0

# Vigor3900: five WAN ports. Look up the WAN section names and append the
# key of every non-empty PPTP / PPPoE password to the caller's $wan list.
# Globals: wan (appended to; the caller initialises it), wan_all (written)
get_3900_network(){
	wan_all=""
	for port in 1 2 3 4 5
	do
		wan_all="${wan_all} $(uci filter network port "WAN${port}")"
	done
	for section in $wan_all
	do
		for field in pptp_password pppoe_password
		do
			# only keys whose value is currently set are worth re-encoding
			if [ -n "$(uci -c /tmp/config/ get "network.${section}.${field}")" ];then
				wan="${wan} network.${section}.${field}"
			fi
		done
	done
}

# Vigor2960: two WAN ports. Look up the WAN section names and append the
# key of every non-empty PPTP / PPPoE password to the caller's $wan list.
# Globals: wan (appended to; the caller initialises it), wan_all (written)
get_2960_network(){
	wan_all=""
	for port in 1 2
	do
		wan_all="${wan_all} $(uci filter network port "WAN${port}")"
	done
	for section in $wan_all
	do
		for field in pptp_password pppoe_password
		do
			# only keys whose value is currently set are worth re-encoding
			if [ -n "$(uci -c /tmp/config/ get "network.${section}.${field}")" ];then
				wan="${wan} network.${section}.${field}"
			fi
		done
	done
}

# Vigor300B: four WAN ports. Look up the WAN section names and append the
# key of every non-empty PPTP / PPPoE password to the caller's $wan list.
# Globals: wan (appended to; the caller initialises it), wan_all (written)
get_300B_network(){
	wan_all=""
	for port in 1 2 3 4
	do
		wan_all="${wan_all} $(uci filter network port "WAN${port}")"
	done
	for section in $wan_all
	do
		for field in pptp_password pppoe_password
		do
			# only keys whose value is currently set are worth re-encoding
			if [ -n "$(uci -c /tmp/config/ get "network.${section}.${field}")" ];then
				wan="${wan} network.${section}.${field}"
			fi
		done
	done
}

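#do this function when user not backup "all" config
#######################################
# Mark the configs named on the command line for processing.
# Arguments: the script's arguments; every word that names a known config
#            sets <name>_flag=1, anything else (e.g. the leading "encrypt")
#            is ignored
# Globals:   writes network_flag, cvmd_flag, ... ipsec_cer_config_flag
#######################################
get_cfg_flag(){
	# "$@" keeps each argument as one word; the unquoted $@ used before
	# re-split arguments on whitespace (ShellCheck SC2068)
	for tmp in "$@"
	do
		case "$tmp" in
			network)             network_flag=1 ;;
			cvmd)                cvmd_flag=1 ;;
			cwmp)                cwmp_flag=1 ;;
			mail_alert)          mail_alert_flag=1 ;;
			ddns)                ddns_flag=1 ;;
			appuser)             appuser_flag=1 ;;
			pptp_l2l_dout)       pptp_l2l_dout_flag=1 ;;
			ipsec_remote_dialin) ipsec_remote_dialin_flag=1 ;;
			radius)              radius_flag=1 ;;
			snmpd)               snmpd_flag=1 ;;
			ipsec_policy)        ipsec_policy_flag=1 ;;
			ldap)                ldap_flag=1 ;;
			config_sms)          config_sms_flag=1 ;;
			config_mail)         config_mail_flag=1 ;;
			ipsec_cer_config)    ipsec_cer_config_flag=1 ;;
			*) ;;
		esac
	done
}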

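# list all password in config =================
#######################################
# Build $pw_cfg: the space-separated list of uci keys (config.section.option)
# whose values are passwords / secrets, for every config whose *_flag is 1.
# Globals:  reads the *_flag variables, /tmp/config/* and /etc/version;
#           writes pw_cfg and the per-config scratch lists (usb, wan, cvmd,
#           cwmp, mail_alert, ddns, appuser, pptp, ipsec_rdi, ipsec, ldap,
#           radius, snmpd, config_sms, config_mail, ipsec_cer_config)
# Side effects: creates /tmp/short_cfg/ and, for the multi-section configs, a
#           trimmed copy /tmp/short_cfg/<config> holding only the section
#           headers and the password options. Those copies contain the
#           plaintext values; the caller removes the directory when done.
#######################################

# _state_sections <config> <option>: print the sections of <config> whose
# <option> is "enable", followed by those whose <option> is "disable".
_state_sections() {
	printf '%s %s\n' "$(uci filter "$1" "$2" enable)" "$(uci filter "$1" "$2" disable)"
}

get_pw_cfg() {
	# -p: the directory may be left over from an interrupted run; the bare
	# mkdir used before only printed an error in that case
	mkdir -p /tmp/short_cfg

	if [ "$network_flag" = "1" ]; then
		usb="network.usb1.password network.usb1.pincode network.usb2.password network.usb2.pincode"
		wan=""
		# the model name is the first line of /etc/version and decides how
		# many WAN ports have to be checked
		version=$(head -n 1 /etc/version)
		case "$version" in
			"Vigor3900") get_3900_network ;;
			"Vigor2960") get_2960_network ;;
			"Vigor300B") get_300B_network ;;
			*) ;;
		esac
	fi

	if [ "$cvmd_flag" = "1" ]; then
		cvmd="cvmd.general.password"
	fi

	if [ "$cwmp_flag" = "1" ]; then
		cwmp="cwmp.tr069.password cwmp.tr069.connectionrequestpassword"
	fi

	if [ "$mail_alert_flag" = "1" ]; then
		mail_alert="mail_alert.config.user_password"
	fi

	if [ "$ipsec_remote_dialin_flag" = "1" ]; then
		ipsec_rdi="ipsec_remote_dialin.ipsecremotedialin.psk"
	fi

	if [ "$radius_flag" = "1" ]; then
		radius="radius.radius_client.secret"
	fi

	if [ "$snmpd_flag" = "1" ]; then
		snmpd="snmpd.snmpd.auth_password snmpd.snmpd.privacy_password"
	fi

	if [ "$ddns_flag" = "1" ]; then
		ddns=""
		for tmp in $(_state_sections ddns status)
		do
			# only profiles that actually carry a password
			if [ -n "$(uci -c /tmp/config/ get "ddns.$tmp.login_pw")" ]; then
				ddns="${ddns} ddns.$tmp.login_pw"
			fi
		done
	fi

	if [ "$appuser_flag" = "1" ]; then
		appuser=""
		for tmp in $(_state_sections appuser state)
		do
			appuser="${appuser} appuser.$tmp.pass appuser.$tmp.motp_pin appuser.$tmp.motp_secret"
		done
		# trimmed copy (section headers + password options) so the per-key
		# "uci get" in the caller does not have to parse the whole file
		grep "config 'userprofile'\|option 'pass'\|option 'motp_pin'\|option 'motp_secret'" /tmp/config/appuser >/tmp/short_cfg/appuser
	fi

	if [ "$pptp_l2l_dout_flag" = "1" ]; then
		pptp=""
		for tmp in $(_state_sections pptp_l2l_dout state)
		do
			pptp="${pptp} pptp_l2l_dout.$tmp.password"
		done
		grep "config 'pptp-l2l-dout'\|option 'password'" /tmp/config/pptp_l2l_dout >/tmp/short_cfg/pptp_l2l_dout
	fi

	if [ "$ipsec_policy_flag" = "1" ]; then
		ipsec=""
		for tmp in $(_state_sections ipsec_policy state)
		do
			ipsec="${ipsec} ipsec_policy.$tmp.psk"
		done
		grep "config 'ipsec-rule'\|option 'psk'" /tmp/config/ipsec_policy >/tmp/short_cfg/ipsec_policy
	fi

	if [ "$ldap_flag" = "1" ]; then
		ldap=""
		for tmp in $(_state_sections ldap status)
		do
			ldap="${ldap} ldap.$tmp.regular_pwd"
		done
		grep "config 'ldap'\|option 'regular_pwd'" /tmp/config/ldap >/tmp/short_cfg/ldap
	fi

	if [ "$config_sms_flag" = "1" ]; then
		config_sms=""
		for tmp in $(_state_sections config_sms status)
		do
			config_sms="${config_sms} config_sms.$tmp.password"
		done
		grep "config 'profile'\|option 'password'" /tmp/config/config_sms >/tmp/short_cfg/config_sms
	fi

	if [ "$config_mail_flag" = "1" ]; then
		config_mail=""
		for tmp in $(_state_sections config_mail status)
		do
			config_mail="${config_mail} config_mail.$tmp.user_password"
		done
		grep "config 'profile'\|option 'user_password'" /tmp/config/config_mail >/tmp/short_cfg/config_mail
	fi

	if [ "$ipsec_cer_config_flag" = "1" ]; then
		# the root CA password is a fixed key; self-signed certificate
		# sections are discovered per state like the other profiles
		ipsec_cer_config="ipsec_cer_config.RootCA.rootcapass"
		for tmp in $(_state_sections ipsec_cer_config selfsign)
		do
			ipsec_cer_config="${ipsec_cer_config} ipsec_cer_config.$tmp.pass"
		done
		grep "config 'certificate-config'\|option 'pass'\|config 'certificate-rootca'\|option 'rootcapass'" /tmp/config/ipsec_cer_config >/tmp/short_cfg/ipsec_cer_config
	fi

	# order matters for the caller: keys are grouped per config file
	pw_cfg="${usb} ${wan} ${cvmd} ${cwmp} ${mail_alert} ${ddns} ${appuser} ${pptp} ${ipsec_rdi} ${ipsec} ${ldap} ${radius} ${snmpd} ${config_sms} ${config_mail} ${ipsec_cer_config}"
}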

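#encrypt / decrypt entry point ==========================
# Usage:  <script> encrypt [config ...]
#             encode the password options of the named configs (every config
#             when none is named) in /tmp/config/, and record the key version
#             plus the list of encoded keys in $key_profile
#         <script> decrypt
#             reverse the step above using the list recorded in $key_profile
# Any other option returns 1.

#######################################
# Re-encode, in place under /tmp/config/, every uci key given as argument.
# Arguments: $1   - dray-fwup cfg_pw action ("encode" or "decode")
#            $2   - key version handed to dray-fwup
#            $3.. - uci keys of the form config.section.option
# Globals:   cfg (written: the config files touched, in order) and the
#            scratch variables tmp, config, old_config, old_value, new_value
# Side effects: reads /tmp/short_cfg/<config> when that trimmed copy exists,
#            removes /tmp/short_cfg afterwards and commits each touched config
#######################################
_recode_pw_keys() {
	action=$1
	key=$2
	shift 2
	cfg=""
	old_config=""
	for tmp in "$@"
	do
		# the config file is the part before the first dot (the awk pipeline
		# used before carried an unbalanced double quote)
		config=${tmp%%.*}

		# collect the config files to commit; keys arrive grouped per config
		if [ "$config" != "$old_config" ]; then
			old_config=$config
			cfg="${cfg} ${config}"
		fi

		# prefer the trimmed copy when one was prepared for this config
		if [ -f "/tmp/short_cfg/$config" ]; then
			old_value=$(uci -c /tmp/short_cfg/ get "$tmp")
		else
			old_value=$(uci -c /tmp/config/ get "$tmp")
		fi

		# empty passwords are left untouched
		[ -n "$old_value" ] || continue

		# NOTE(review): the value is passed on dray-fwup's argv and is visible
		# in the process list for the duration of the call.
		# Any failure status (not only 1) or empty output keeps the old value,
		# so a failing tool can never blank a password.
		new_value=$(/sbin/dray-fwup cfg_pw "$action" "$key" "$old_value") || new_value=$old_value
		[ -n "$new_value" ] || new_value=$old_value

		uci -c /tmp/config/ set "$tmp=$new_value"
	done
	# the trimmed copies hold plaintext values: remove them as soon as the
	# loop is done
	rm -r /tmp/short_cfg

	for tmp_cfg in $cfg
	do
		uci -c /tmp/config/ commit "$tmp_cfg"
	done
}

case "$option" in
	encrypt)
		rm -f -- "$key_profile"
		touch "$key_profile"
		profile=""

		# no config name given: treat it as "all"; otherwise only the named ones
		if [ -z "$2" ]; then
			network_flag=1
			cvmd_flag=1
			cwmp_flag=1
			mail_alert_flag=1
			ddns_flag=1
			appuser_flag=1
			pptp_l2l_dout_flag=1
			ipsec_remote_dialin_flag=1
			radius_flag=1
			snmpd_flag=1
			ipsec_policy_flag=1
			ldap_flag=1
			config_sms_flag=1
			config_mail_flag=1
			ipsec_cer_config_flag=1
		else
			get_cfg_flag "$@"
		fi
		# find the password keys to encode (also creates /tmp/short_cfg)
		get_pw_cfg

		# record the key version and the *names* of the encoded keys (never
		# their values) so that "decrypt" knows what to decode
		profile="${key_version}=${pw_cfg}"
		printf '%s\n' "$profile" >"$key_profile"

		_recode_pw_keys encode "$key_version" $pw_cfg
		;;

	decrypt)
		# NOTE(review): $key_profile lives in /tmp; the key names read back
		# here are only ever passed to uci as single, quoted arguments
		profile=$(cat "$key_profile")
		key_ver=${profile%%=*}
		de_pw_cfg=${profile#"$key_ver="}

		# trimmed copies (section headers + password options) so the per-key
		# "uci get" does not have to parse the whole files
		mkdir -p /tmp/short_cfg
		grep "config 'userprofile'\|option 'pass'\|option 'motp_pin'\|option 'motp_secret'" /tmp/config/appuser >/tmp/short_cfg/appuser
		grep "config 'pptp-l2l-dout'\|option 'password'" /tmp/config/pptp_l2l_dout >/tmp/short_cfg/pptp_l2l_dout
		grep "config 'ipsec-rule'\|option 'psk'" /tmp/config/ipsec_policy >/tmp/short_cfg/ipsec_policy
		grep "config 'ldap'\|option 'regular_pwd'" /tmp/config/ldap >/tmp/short_cfg/ldap
		grep "config 'profile'\|option 'password'" /tmp/config/config_sms >/tmp/short_cfg/config_sms
		grep "config 'profile'\|option 'user_password'" /tmp/config/config_mail >/tmp/short_cfg/config_mail
		grep "config 'certificate-config'\|option 'pass'\|config 'certificate-rootca'\|option 'rootcapass'" /tmp/config/ipsec_cer_config >/tmp/short_cfg/ipsec_cer_config

		_recode_pw_keys decode "$key_ver" $de_pw_cfg
		;;
#=================================================
	*)
		# kept as "return" (not "exit") so that sourcing the script with an
		# unknown option does not terminate the caller's shell
		return 1
		;;
esac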

