#!/usr/bin/env bash
set -euo pipefail

PROFILE_NAME="local-fprint-feedback"
PROFILE_PATH="/etc/authselect/custom/${PROFILE_NAME}"
STATE_FILE="${PROFILE_PATH}/.previous-authselect-raw"

usage() {
  cat <<USAGE
Usage: sudo $0 [--max-tries N] [--timeout SEC] [--profile NAME]

Applies an authselect custom profile that sets pam_fprintd parameters
for faster visible fingerprint failure feedback in GDM/GNOME unlock.

Options:
  --max-tries N   Fingerprint tries before failure (default: 3)
  --timeout SEC   Fingerprint timeout in seconds (default: 20)
  --profile NAME  Custom authselect profile name (default: local-fprint-feedback)
  -h, --help      Show this help
USAGE
}

MAX_TRIES=3
TIMEOUT=20

while [[ $# -gt 0 ]]; do
  case "$1" in
    --max-tries)
      MAX_TRIES="$2"
      shift 2
      ;;
    --timeout)
      TIMEOUT="$2"
      shift 2
      ;;
    --profile)
      PROFILE_NAME="$2"
      PROFILE_PATH="/etc/authselect/custom/${PROFILE_NAME}"
      STATE_FILE="${PROFILE_PATH}/.previous-authselect-raw"
      shift 2
      ;;
    -h|--help)
      usage
      exit 0
      ;;
    *)
      echo "Unknown argument: $1" >&2
      usage >&2
      exit 2
      ;;
  esac
done

if [[ "${EUID}" -ne 0 ]]; then
  echo "Please run as root (sudo)." >&2
  exit 1
fi

if ! command -v authselect >/dev/null 2>&1; then
  echo "authselect not found." >&2
  exit 1
fi

if ! [[ "$MAX_TRIES" =~ ^-?[0-9]+$ ]] || ! [[ "$TIMEOUT" =~ ^-?[0-9]+$ ]]; then
  echo "--max-tries and --timeout must be integers." >&2
  exit 2
fi

CURRENT_RAW="$(authselect current --raw)"
CURRENT_PROFILE="${CURRENT_RAW%% *}"
CURRENT_FEATURES="${CURRENT_RAW#${CURRENT_PROFILE}}"
CURRENT_FEATURES="${CURRENT_FEATURES# }"

if [[ ! -d "$PROFILE_PATH" ]]; then
  authselect create-profile "$PROFILE_NAME" -b local
fi

FP_FILE="${PROFILE_PATH}/fingerprint-auth"
if [[ ! -f "$FP_FILE" ]]; then
  echo "Expected file not found: $FP_FILE" >&2
  exit 1
fi

if [[ ! -f "$STATE_FILE" ]]; then
  printf '%s\n' "$CURRENT_RAW" > "$STATE_FILE"
fi

cp -a "$FP_FILE" "${FP_FILE}.bak.$(date +%Y%m%d%H%M%S)"
perl -0pi -e "s/pam_fprintd\\.so\\b[^\\n]*/pam_fprintd.so max-tries=${MAX_TRIES} timeout=${TIMEOUT}/" "$FP_FILE"

if [[ "$CURRENT_PROFILE" == "custom/${PROFILE_NAME}" ]]; then
  SELECT_FEATURES="$CURRENT_FEATURES"
else
  SELECT_FEATURES="$CURRENT_FEATURES"
fi

if ! grep -q 'with-fingerprint' <<<"$SELECT_FEATURES"; then
  SELECT_FEATURES="${SELECT_FEATURES:+$SELECT_FEATURES }with-fingerprint"
fi

# shellcheck disable=SC2086
authselect select "custom/${PROFILE_NAME}" $SELECT_FEATURES --force
authselect apply-changes
authselect check

echo "Applied custom authselect profile: custom/${PROFILE_NAME}"
echo "Active profile: $(authselect current --raw)"
echo "Effective pam_fprintd line:"
grep -n 'pam_fprintd' /etc/pam.d/fingerprint-auth