#!/usr/bin/env python
#
# ::copy::
# ::maintainer::
#
# validate user / password using PAM
#
# - user as argument
# - password read from tty (not stdin, use validatepwd-wrap for this)
#
import sys
import PAM
from getpass import getpass

def pam_conv(auth, query_list, userData):
	"""Conversation callback: answer each PAM query interactively.

	query_list is a sequence of (text, message_type) pairs. The result is
	a list with one (answer, 0) pair per query, in the same order, or
	None as soon as a query has a message type this callback does not
	handle. The auth and userData arguments are accepted but not used.
	"""
	answers = []

	for prompt, kind in query_list:
		if kind == PAM.PAM_PROMPT_ECHO_ON:
			# Echoed prompt: read the answer as a normal input line.
			answers.append((raw_input(prompt), 0))
		elif kind == PAM.PAM_PROMPT_ECHO_OFF:
			# Secret prompt: getpass() is used so the password is not
			# echoed back to the terminal while it is typed.
			answers.append((getpass(prompt), 0))
		elif kind in (PAM.PAM_PROMPT_ERROR_MSG, PAM.PAM_PROMPT_TEXT_INFO):
			# Purely informational: show it and answer with an empty string.
			print(prompt)
			answers.append(('', 0))
		else:
			# Unknown message type: give up rather than guess an answer.
			return None

	return answers

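# Validate a user/password pair through PAM and report the result.
#
# Exit status: 0 after printing 'OK' when authentication and the account
# check both succeed, the second element of the PAM error (resp[1]) when
# PAM reports a failure, and 127 for any other exception.

# Name of the PAM service whose configuration is used for the check.
service = 'passwd'

auth = PAM.pam()
auth.start(service)

# Set the login name whenever one is given, including when a second
# argument follows it; otherwise the name on the command line would be
# ignored and PAM would ask for a login name through pam_conv instead.
if len(sys.argv) >= 2:
	auth.set_item(PAM.PAM_USER, sys.argv[1])

# NOTE(review): a password passed as argv[2] is exposed to other local
# users through the process list and is easily saved in shell history.
# The file header documents the tty prompt as the way to supply it, so
# this path is kept only for existing callers and should be retired.
# NOTE(review): confirm that the PAM binding in use defines PAM_PASSWORD;
# if it does not, this line raises before the try block below is reached.
if len(sys.argv) == 3:
	auth.set_item(PAM.PAM_PASSWORD, sys.argv[2])

auth.set_item(PAM.PAM_CONV, pam_conv)

try:
	# Check the credentials first, then whether the account may be used.
	auth.authenticate()
	auth.acct_mgmt()
except PAM.error, resp:
	print('error (%s)' % resp)
	sys.exit( resp[1] )
except:
	# Deliberately broad: any unexpected failure must end with a non-zero
	# status so that it can never be mistaken for a successful check.
	print('Internal error')
	sys.exit( 127 )
else:
	print('OK')
	sys.exit( 0 )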
