#!/bin/sh

set -e

. /usr/share/debconf/confmodule


handle_profiles_with_removed_modules() {
    removed_modules="$1"
    profiles=""
    modules=""
    test -x /usr/sbin/pam-auth-update ||return 0
    test -r /var/lib/pam/auth ||return 0
    for module in $removed_modules; do
        new_profiles=$( perl -nle 'BEGIN {$removed = shift;} /^Module: (.*)$/&&($profile = $1); /^[^#]*$removed/&&$profile&&($profiles{$profile} = 1); END {print join("\n",keys %profiles) if %profiles;}' \
                        $module \
                        /var/lib/pam/auth /var/lib/pam/account \
                        /var/lib/pam/password /var/lib/pam/session \
                        /var/lib/pam/session-noninteractive)
        if [ "$new_profiles" != "" ]; then
            modules="$modules $module"
            profiles="${profiles}${new_profiles}"
        fi
    done
    profiles=$( echo "$profiles" |sort |uniq)
    if [ "$profiles" != "" ]; then
        db_reset libpam-modules/profiles-disabled
        db_subst libpam-modules/profiles-disabled modules "$modules"
        db_input critical libpam-modules/profiles-disabled ||true
        db_go ||true
        pam-auth-update --remove $profiles
    fi
}

        

if dpkg --compare-versions "$2" lt-nl 1.4.0-5; then
    db_version 2.0
    handle_profiles_with_removed_modules pam_tally
    # We have a generic template for removing pam-profiles because
    # there is a sane automatic action.  If we detect the modules in
    # user configurations we want a specific template so we can
    # recommend a replacement
    # /dev/null reference is to make sure we don't grep stdin if
    # somehow ls returns empty
    if grep -qe '^[^#]*pam_tally' $(ls -1d /etc/pam.d/* | grep -e '^/etc/pam.d/[0-9a-zA-Z/-]*$' ) /dev/null ; then
        db_input critical libpam-modules/deprecate-tally ||true
        db_go ||true
        exit 2
    fi

	if pidof xscreensaver xlockmore >/dev/null; then
		db_input critical libpam-modules/disable-screensaver || true
		db_go || true
	fi
fi