#!/bin/bash

# Copyright 2012 Hewlett-Packard Development Company, L.P.
# Copyright 2013 OpenStack Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

# Find out if jenkins has attempted to run any sudo commands by checking
# the auth.log or secure log files before and after a test run.

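# Basic regular expression (using GNU grep's \| alternation) that matches
# sudo denials logged for the jenkins user: failed password attempts, or
# commands that sudoers refused to run.
PATTERN="sudo.*jenkins.*:.*\(incorrect password attempts\|command not allowed\)"

# Select the live authentication log (LOGFILE) and the most recently rotated
# one (OLDLOGFILE) for the OS family reported by facter.
case "$( facter osfamily )" in
    Debian)
        OLDLOGFILE=/var/log/auth.log.1
        LOGFILE=/var/log/auth.log
        ;;
    RedHat)
        LOGFILE=/var/log/secure
        # Glob results are already sorted, so the last existing match is the
        # newest rotated log; this avoids parsing ls output. OLDLOGFILE stays
        # empty when no rotated log exists yet.
        OLDLOGFILE=
        for rotated in /var/log/secure-*; do
            [ -e "$rotated" ] && OLDLOGFILE=$rotated
        done
        ;;
    *)
        # Unknown OS family, or facter failed. Leaving LOGFILE unset would make
        # the later grep calls run without a file operand and read stdin
        # instead of a log. Point both at /dev/null and say so: the sudo audit
        # finds nothing on this host, so a clean result here is not evidence
        # that no sudo attempt was made.
        echo "WARNING: unsupported or unknown osfamily; sudo log check is ineffective" >&2
        OLDLOGFILE=/dev/null
        LOGFILE=/dev/null
        ;;
esac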

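# Dispatch on the requested phase ($1):
#   pre  - recreate the state directory, then record the rotated log's mtime
#          and the matching lines currently in the live log. Exits 0 unless
#          the state directory cannot be created.
#   post - record the rotated log's mtime again; if it changed (the log was
#          rotated during the run) include matches from the rotated log, then
#          add matches from the live log and diff against the baseline. The
#          exit status is that of the final diff, so new matching lines make
#          the script exit non-zero.
# Any other argument does nothing.
#
# NOTE(review): the baseline lives at a fixed path under /tmp. If the job
# being audited runs as the same user as this script it can rewrite these
# files between pre and post; consider a directory that job cannot write to.
STATE_DIR=/tmp/jenkins-sudo-log
case "$1" in
    pre)
        rm -fr "$STATE_DIR"
        # Plain mkdir (no -p) fails if the path still exists, e.g. because it
        # belongs to another user and rm could not remove it. Stop in that
        # case rather than writing the baseline into a directory this script
        # does not control. Mode 0700 keeps the copied auth-log lines private.
        if ! mkdir -m 0700 "$STATE_DIR"; then
            echo "Unable to create $STATE_DIR" >&2
            exit 1
        fi
        # Quoting matters: with an empty OLDLOGFILE an unquoted "[ -f ]"
        # evaluates to true and stat is then run with no file operand.
        if [ -f "$OLDLOGFILE" ]; then
            stat -c %Y "$OLDLOGFILE" > "$STATE_DIR/mtime-pre"
        else
            echo "0" > "$STATE_DIR/mtime-pre"
        fi
        grep -h -- "$PATTERN" "$LOGFILE" > "$STATE_DIR/pre"
        exit 0
        ;;
    post)
        if [ ! -d "$STATE_DIR" ]; then
            echo "$STATE_DIR is missing; run the pre phase first" >&2
            exit 2
        fi
        if [ -f "$OLDLOGFILE" ]; then
            stat -c %Y "$OLDLOGFILE" > "$STATE_DIR/mtime-post"
        else
            echo "0" > "$STATE_DIR/mtime-post"
        fi
        # Start from an empty result so running post twice after one pre does
        # not append to earlier output and report duplicate lines as new.
        : > "$STATE_DIR/post"
        if ! diff "$STATE_DIR/mtime-pre" "$STATE_DIR/mtime-post" > /dev/null; then
            echo "diff"
            grep -h -- "$PATTERN" "$OLDLOGFILE" >> "$STATE_DIR/post"
        fi
        grep -h -- "$PATTERN" "$LOGFILE" >> "$STATE_DIR/post"
        # Must stay the last command: its exit status is the script's result.
        diff "$STATE_DIR/pre" "$STATE_DIR/post"
        ;;
esac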