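#!/bin/bash
# Temporary admin promote
#
# Adds the console user to the local "admin" group, shows an Addigy
# notification, and removes the user from the group again when the
# notification is closed or times out (both outcomes were handled
# identically in the original; here they share one cleanup path that also
# runs from an EXIT trap, so a killed script still demotes).
#
# Safeguard for the case where this process never gets to clean up (reboot,
# agent killed with SIGKILL): a flag file is dropped in the user's home and a
# one-shot LaunchDaemon is installed that demotes any flagged user at next
# boot.  The demotion script is executed as root, so it and its plist live in
# root-owned paths with 755/644 permissions — never in a user-writable
# location, which would let the (temporarily admin) user swap in their own
# code for root to run.
#
# Requirements: must run as root (dseditgroup edits of /Groups/admin need it,
# and a `sudo` prefix cannot prompt for a password under an MDM agent).
#
# Fixes versus the previous revision:
#   * the generated demotion script was written with echo '...' and contained
#     single quotes (awk/sed), which terminated the outer quoting and produced
#     an unusable script; it is now a heredoc with inner `$` escaped.
#   * $pathPlist / $shellscriptPath were referenced inside the generated
#     script but never defined there (and pathPlist was assigned only after
#     the script was written); both are now baked in at generation time.
#   * plist was appended (>>), so a re-run produced an invalid file.
#   * chmod 777 on the demotion script and LaunchAgents directory removed.

set -euo pipefail

# Modify these strings to change the verbiage in the badge notification.
title="Admin Status Enabled"
description="Once you've authenticated your installer, settings change, or update, please click Restore"
#acceptText="Restore"
closeText="Restore"
# Time before the notification times out, in seconds
timeOut="600"

if [[ "$EUID" -ne 0 ]]; then
    echo "This script must run as root (admin group edits require it). Bailout." >&2
    exit 1
fi

#find current user
loggedInUser="$(stat -f "%Su" /dev/console)"
# At the login window /dev/console is owned by root: nobody to promote.
if [[ -z "$loggedInUser" || "$loggedInUser" == "root" ]]; then
    echo "No console user logged in (owner of /dev/console is '${loggedInUser:-}'). Bailout." >&2
    exit 1
fi
echo "$loggedInUser is the current user"

# Bailout if user already admin - this is checked in condition, but being added as a failsafe.
# dseditgroup exits 0 when the account is a member (directly or via a nested
# group); used instead of `id | grep` so there is no pipeline to misreport.
if dseditgroup -o checkmember -m "$loggedInUser" admin >/dev/null 2>&1; then
    echo "Requester is an admin, script should not have run. Bailout."
    exit 1
fi

# Home directory from the directory service rather than assuming /Users/<name>.
userHome="$(dscl . -read "/Users/$loggedInUser" NFSHomeDirectory)"
userHome="${userHome#NFSHomeDirectory: }"
if [[ -z "$userHome" || ! -d "$userHome" ]]; then
    echo "Could not resolve home directory for $loggedInUser ('$userHome'). Bailout." >&2
    exit 1
fi

# Safeguard artefacts.  Flag lives in the user's home (it only ever triggers a
# demotion, so the user controlling it is harmless); script and daemon plist
# are root-owned.
flagFile="$userHome/.tempPromoted"
shellscriptDir="/Library/Application Support/tempPromoted"
shellscriptPath="$shellscriptDir/maintenance_demotion.sh"
pathPlist="/Library/LaunchDaemons/com.user.tempPromoted.plist"

promoted=0

# Remove the user from admin and delete every safeguard artefact.
# Runs from the EXIT trap, so each step tolerates failure (set -e would
# otherwise abort the handler half way through).
demote() {
    (( promoted )) || return 0
    if ! dseditgroup -o edit -d "$loggedInUser" -t user admin; then
        echo "WARNING: failed to remove $loggedInUser from admin; the boot-time daemon will retry" >&2
        return 0   # keep the flag/daemon in place so the retry can happen
    fi
    rm -f -- "$flagFile" "$shellscriptPath" "$pathPlist"
    echo "[Demotion complete]"
}
trap demote EXIT

#Set current user to admin
# dseditgroup is used for both add and remove so the same membership
# attributes are updated in both directions.
dseditgroup -o edit -a "$loggedInUser" -t user admin
promoted=1
echo "[Promotion complete]"

# SETUP SAFEGUARDS
# Create failsafe flag. If flag detected in maintenance script, account will be demoted.
touch "$flagFile"
echo "Created flag file"

# Create the demotion shellscript.  Unquoted heredoc: $shellscriptPathQ and
# $pathPlistQ are expanded now (shell-quoted with %q so the spaces in
# "Application Support" survive); every `\$` is a literal `$` in the
# generated file.
mkdir -p -- "$shellscriptDir"
chown root:wheel "$shellscriptDir"
chmod 755 "$shellscriptDir"

shellscriptPathQ="$(printf '%q' "$shellscriptPath")"
pathPlistQ="$(printf '%q' "$pathPlist")"

cat > "$shellscriptPath" <<EOF
#!/bin/bash
# Remove temporary admin status if detected
# Ross Matsuda | Ntiva, Inc | December 2020
#
# Generated by the temporary-admin promote script and run as root from a
# RunAtLoad LaunchDaemon.  Any local account (UID >= 500) whose home contains
# a .tempPromoted flag is removed from the admin group; afterwards the
# daemon plist and this script delete themselves (one-shot).
set -u

shellscriptPath=$shellscriptPathQ
pathPlist=$pathPlistQ

# Perform action on all detected user accounts
for user in \$(dscl . list /Users UniqueID | awk '\$2 >= 500 {print \$1}'); do
    userHome=\$(dscl . -read "/Users/\$user" NFSHomeDirectory 2>/dev/null | sed 's/^NFSHomeDirectory: //')
    echo "\$user:\$userHome"
    FILE="\$userHome/.tempPromoted"
    if [[ -n "\$userHome" && -f "\$FILE" ]]; then
        echo "\$FILE exists, demoting and removing flag"
        if dseditgroup -o edit -d "\$user" -t user admin; then
            rm -f -- "\$FILE"
        else
            echo "failed to demote \$user; leaving flag in place" >&2
        fi
    else
        echo "\$FILE not found"
    fi
done

# One-shot: remove the daemon definition and this script.
rm -f -- "\$pathPlist" "\$shellscriptPath"
EOF

# Set the correct permissions for shell script: root-owned, not writable by
# anyone else, since launchd executes it as root.
chown root:wheel "$shellscriptPath"
chmod 755 "$shellscriptPath"
echo "Created shellscript"

# Create the LaunchDaemon.  Written with '>' so a stale plist from an earlier
# interrupted run is replaced rather than appended to.  It is deliberately
# NOT loaded now: RunAtLoad would execute the demotion immediately, with the
# flag already present, and undo the promotion.  launchd picks it up at the
# next boot, which is exactly the case the safeguard exists for.
cat > "$pathPlist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
   <key>Label</key>
   <string>com.user.tempPromoted</string>
   <key>ProgramArguments</key>
   <array><string>$shellscriptPath</string></array>
   <key>RunAtLoad</key>
   <true/>
</dict>
</plist>
EOF

# Set the correct permissions on the daemon plist (launchd refuses
# daemon plists that are not root-owned / 644).
chown root:wheel "$pathPlist"
chmod 644 "$pathPlist"
echo "Created launchdaemon"
### END SAFEGUARDS

# This if statement should not need to be changed. It simply uses the variables
#   above.  It blocks until the user clicks Restore or the timeout elapses;
#   both outcomes end in demotion (via the EXIT trap), so the exit status is
#   only logged.
if /Library/Addigy/macmanage/MacManage.app/Contents/MacOS/MacManage action=notify title="${title}" description="${description}"  closeLabel="${closeText}" forefront="true" timeout="$timeOut"; then
    echo "Notification acknowledged by user"
else
    echo "Notification closed, timed out, or could not be shown"
fi

# The EXIT trap (demote) removes admin rights and the safeguard artefacts.
exit 0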