#!/usr/bin/env bash
#
# iSight CLI Disabler
#
# MIT LICENSE - Copyright (c) May 2015 Jesse Doyle
#
# Permission is hereby  granted, free of charge, to  any person obtaining a copy
# of this software and associated documentation files (the "Software"), to  deal
# in  the Software without restriction, including  without limitation the rights
# to use,  copy,  modify,  merge,  publish, distribute, sublicense,  and/or sell
# copies  of  the  Software, and  to permit  persons  to  whom  the  Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS  PROVIDED  "AS IS",  WITHOUT WARRANTY  OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT  NOT  LIMITED  TO  THE  WARRANTIES  OF MERCHANTABILITY,
# FITNESS FOR  A  PARTICULAR PURPOSE  AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS  OR  COPYRIGHT  HOLDERS  BE LIABLE FOR  ANY  CLAIM,  DAMAGES  OR OTHER
# LIABILITY,  WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE  OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# Acknowledgements:
#
# This script is based off of the work completed by http://techslaves.org on
# their great AppleScript "iSight Disabler".
#
# Please visit: http://techslaves.org/isight-disabler/ to see the original
# AppleScript implementation.

APP_NAME='iSight CLI Disabler'
APP_SHORT='isight'
VERSION="0.5.1"
USER=$(whoami)

OIFS=$IFS
IFS+="\n\n" # Double newline IFS for readability

# Various iSight driver locations in OSX < 10.12
DRIVERS=(
"/System/Library/QuickTime/QuickTimeUSBVDCDigitizer.component/Contents/MacOS/QuickTimeUSBVDCDigitizer"

"/System/Library/PrivateFrameworks/CoreMediaIOServicesPrivate.framework/Versions/A/Resources/VDC.plugin/Contents/MacOS/VDC"

"/System/Library/PrivateFrameworks/CoreMediaIOServices.framework/Versions/A/Resources/VDC.plugin/Contents/MacOS/VDC"

"/System/Library/Frameworks/CoreMediaIO.framework/Versions/A/Resources/VDC.plugin/Contents/MacOS/VDC"

"/Library/CoreMediaIO/Plug-Ins/DAL/AppleCamera.plugin/Contents/MacOS/AppleCamera"

"/Library/CoreMediaIO/Plug-Ins/FCP-DAL/AppleCamera.plugin/Contents/MacOS/AppleCamera"

"/System/Library/PrivateFrameworks/CoreMediaIOServicesPrivate.framework/Versions/A/Resources/AVC.plugin/Contents/MacOS/AVC"
)

IFS=$OIFS

# With system integrity protection enabled, we have to use system profiles to
# disable the camera on OSX >= 10.11 with system integrity protection enabled.
read -d '' ISD_EL_CAPITAN_CONFIG <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadIdentifier</key>
<string>com.apple.mdm.mba.263c7450-4ae1-0133-5b68-68a86d032b5e.alacarte</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>263c7450-4ae1-0133-5b68-68a86d032b5e</string>
<key>PayloadOrganization</key>
<string>iSight CLI Disabler</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadDisplayName</key>
<string>Disable Camera</string>
<key>PayloadDescription</key>
<string>Adds a restriction profile to OS X that disables access to the camera drivers.</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadType</key>
<string>com.apple.coremediaio.support</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadIdentifier</key>
<string>com.apple.mdm.mba.263c7450-4ae1-0133-5b68-68a86d032b5e.alacarte.macosxrestrictions.26341050-4ae1-0133-5b67-68a86d032b5e.support</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadUUID</key>
<string>82807313-a6ee-8f6a-34a3-060c3fc6ec24</string>
<key>PayloadDisplayName</key>
<string>Disable Camera</string>
<key>Device Access Allowed</key>
<false/>
</dict>
</array>
</dict>
</plist>
EOF

function help() {
cat <<EOS
--------------------------------------------------------------------------------

NAME
  $APP_NAME - enable and disable the built-in iSight camera

VERSION
  v$VERSION

USAGE
  $APP_SHORT [(on|off)]

ARGUMENTS
  on:
    enable iSight camera (requires sudo).
    alias: enable

  off:
    disable iSight camera (requires sudo).
    alias: disable

  help:
    display this message.
    alias: -h

  version:
    print application version.
    alias: -v

--------------------------------------------------------------------------------
EOS
exit 0
}

function error() {
  echo "$0: error - $1" 1>&2
  exit 1
}

function version() {
  echo "$APP_NAME: v$VERSION"
  exit 0
}

function parse_args() {
  while [ $# -gt 0 ]
  do
      case "$1" in
      (on)        enable_camera;;
      (enable)    enable_camera;;
      (off)       disable_camera;;
      (disable)   disable_camera;;
      (help)      help;;
      (-h)        help;;
      (version)   version;;
      (-v)        version;;
      (status)    break;;
      ("")        break;;
      (*)         error "unrecognized option(s): $1";;
      esac
      shift
  done
  echo $(camera_status)
  exit 0
}

# Scan through each element in the DRIVERS array to determine if the path
# matches a file in the filesystem. If the driver file exists, append it
# to the returned string.
function scan_drivers() {
  for driver in ${DRIVERS[@]}; do
    if [ -e "$driver" ]; then
      [[ -z "$found" ]] && found="$driver" || found="$found $driver"
    fi
  done

  if [ -z "$found" ]; then
    error "unable to find valid drivers"
  fi

  echo "$found"
}

# Determine the status of the individual driver files passed in as the first
# argument. Determine if the driver is active using the octal filesystem
# permissions.
function stat_drivers() {
  found=$1
  IFS=$' '
  read -a drivers <<< "$found"

  for driver in ${drivers[@]}; do
    octal=$(/usr/bin/stat -f "%p" "$driver")
    octal=$(echo "$octal" | /usr/bin/awk '{print substr($0, length($0))}')
    [[ $octal -lt 5 ]] && \
    v="iSight Status: Disabled" || v="iSight Status: Enabled"
  done

  IFS=$OIFS
  echo "$v"
}

# Change the file permissions for the drivers supplied as the first argument
# to be more permissive/restrictive based on the second argument ('yes/no').
function chmod_drivers() {
  sanity_check
  drivers=$1
  [[ "$2" = "yes" ]] && c="/bin/chmod a+r" || c="/bin/chmod a-r"
  eval "$c $drivers"
}

# Print the status of the camera to stdout.
function camera_status() {
  version=$(sw_vers -productVersion | awk -F '.' '{print $1$2}')
  status=$(system_integrity)

  if [ "$version" -ge "1011" ] && [ "$status" == "enabled" ]; then
    found=$(profiles -L | grep 'com.apple.mdm.mba.263c7450-4ae1-0133-5b68-68a86d032b5e.alacarte')
    [[ -z "$found" ]] && v="iSight Status: Enabled" || v="iSight Status: Disabled"
    echo $v
  else
    found=$(scan_drivers)
    echo $(stat_drivers $found)
  fi
}

# Enable the iSight camera by allowing the current user read access
# to the driver files.
function enable_camera() {
  version=$(sw_vers -productVersion | awk -F '.' '{print $1$2}')
  status=$(system_integrity)

  if [ "$version" -ge "1011" ] && [ "$status" == "enabled" ]; then
    echo "System Integrity Protection is enabled!"
    echo "Enabling iSight..."
    $(echo "$ISD_EL_CAPITAN_CONFIG" | profiles -R $USER -F -)
  else
    found=$(scan_drivers)
    echo $(stat_drivers $found)
    echo "Enabling iSight..."
    chmod_drivers "$found" "yes"
  fi

  exit 0
}

# Disable the iSight camera by restricting the current user read access
# to the driver files.
function disable_camera() {
  version=$(sw_vers -productVersion | awk -F '.' '{print $1$2}')
  status=$(system_integrity)

  if [ "$version" -ge "1011" ] && [ "$status" == "enabled" ]; then
    echo "System Integrity Protection is enabled!"
    echo "Disabling iSight..."
    $(echo "$ISD_EL_CAPITAN_CONFIG" | profiles -I $USER -F -)
  else
    found=$(scan_drivers)
    echo $(stat_drivers "$found")
    echo "Disabling iSight..."
    chmod_drivers "$found" "no"
  fi

  exit 0
}

# Determine if the current user is root - display an error
# if the user is not root.
function sanity_check() {
  if [ "$(whoami)" != "root" ]; then
    error "must be run as root (sudo) to enable/disable the camera"
  fi
}

# Query for system integrity protection status on MacOS >= 10.11.
# Returns "enabled" or "disabled".
function system_integrity() {
  csrutil status | grep --quiet enabled
  [[ $? == 0 ]] && s="enabled" || s="disabled"
  echo "$s"
}

parse_args "$*"