sysadmin-chronicles/tools/vm/repair-workstation-launchers.sh

#!/usr/bin/env bash
# Repair trusted desktop launcher metadata in an existing sc-workstation VM.

set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "$SCRIPT_DIR/lib/common.sh"

DOMAIN="${SC_WORKSTATION_DOMAIN:-sc-workstation}"

tmp_script="$(mktemp)"
trap 'rm -f "$tmp_script"' EXIT

cat > "$tmp_script" <<'GUESTEOF'
set -euo pipefail

install -d -o player -g player /home/player/Desktop /home/player/.local/bin /home/player/.config/autostart
find /home/player/Desktop -maxdepth 1 -type f -name '*.desktop' -exec chown player:player {} +
find /home/player/Desktop -maxdepth 1 -type f -name '*.desktop' -exec chmod 0755 {} +
if [ -f /home/player/.config/chromium/Default/Bookmarks ]; then
  sudo -u player sed -i 's#http://www\.axiomworks\.corp/#https://www.axiomworks.corp/#g' /home/player/.config/chromium/Default/Bookmarks
fi

cat > /usr/local/bin/trust-desktop-launchers <<'SCRIPTEOF'
#!/bin/bash
set -u
PATH=/usr/local/bin:/usr/bin:/bin
player_uid="$(id -u player)"
desktop_dir=/home/player/Desktop
export HOME=/home/player
export USER=player
export LOGNAME=player
export DISPLAY="${DISPLAY:-:0}"
export XAUTHORITY="${XAUTHORITY:-/home/player/.Xauthority}"
export XDG_RUNTIME_DIR="/run/user/$player_uid"
if [ -S "$XDG_RUNTIME_DIR/bus" ]; then
  export DBUS_SESSION_BUS_ADDRESS="unix:path=$XDG_RUNTIME_DIR/bus"
fi

metadata_daemon=""
for candidate in /usr/libexec/gvfsd-metadata /usr/lib/gvfs/gvfsd-metadata /usr/lib/x86_64-linux-gnu/gvfs/gvfsd-metadata; do
  if [ -x "$candidate" ]; then
    metadata_daemon="$candidate"
    break
  fi
done
if [ -n "$metadata_daemon" ] && ! /usr/bin/pgrep -u "$player_uid" -x gvfsd-metadata >/dev/null 2>&1; then
  "$metadata_daemon" >/dev/null 2>&1 &
  sleep 1
fi

for i in $(/usr/bin/seq 1 20); do
  trusted_any=false
  failed=false
  for launcher in "$desktop_dir"/*.desktop; do
    [ -e "$launcher" ] || continue
    chmod 0755 "$launcher" 2>/dev/null || true
    checksum="$(/usr/bin/sha256sum "$launcher" | /usr/bin/awk '{print $1}')" || {
      failed=true
      continue
    }
    if /usr/bin/gio set -t string "$launcher" metadata::xfce-exe-checksum "$checksum" 2>/dev/null; then
      actual_checksum="$(/usr/bin/gio info -a metadata::xfce-exe-checksum "$launcher" 2>/dev/null | /usr/bin/awk -F': ' '/metadata::xfce-exe-checksum:/ {print $2; exit}')"
      owner_mode="$(/usr/bin/stat -c '%U:%G %a' "$launcher" 2>/dev/null || true)"
      if [ "$actual_checksum" != "$checksum" ] || [ "$owner_mode" != "player:player 755" ]; then
        failed=true
        continue
      fi
      trusted_any=true
    else
      failed=true
    fi
  done
  if [ "$trusted_any" = true ] && [ "$failed" = false ]; then
    /usr/bin/xfdesktop --reload >/dev/null 2>&1 || /usr/bin/pkill -HUP xfdesktop 2>/dev/null || true
    rm -f /home/player/.config/autostart/trust-launchers.desktop
    exit 0
  fi
  sleep 1
done
exit 1
SCRIPTEOF
chmod 0755 /usr/local/bin/trust-desktop-launchers

cat > /home/player/.local/bin/trust-desktop-launchers.sh <<'SCRIPTEOF'
#!/bin/bash
exec /usr/local/bin/trust-desktop-launchers
SCRIPTEOF
chown player:player /home/player/.local/bin/trust-desktop-launchers.sh
chmod 0755 /home/player/.local/bin/trust-desktop-launchers.sh

cat > /home/player/.config/autostart/trust-launchers.desktop <<'DESKTOPEOF'
[Desktop Entry]
Type=Application
Name=Trust Desktop Launchers
Exec=/usr/local/bin/trust-desktop-launchers
Terminal=false
X-GNOME-Autostart-enabled=true
Hidden=false
NoDisplay=true
DESKTOPEOF
chown player:player /home/player/.config/autostart/trust-launchers.desktop
chmod 0644 /home/player/.config/autostart/trust-launchers.desktop

if [ -S "/run/user/$(id -u player)/bus" ]; then
  sudo -u player env HOME=/home/player /usr/local/bin/trust-desktop-launchers
else
  echo "Player DBus session is not active; repair will retry on next graphical login." >&2
fi
GUESTEOF

guest_run_sudo_script "$DOMAIN" "$tmp_script"
ok "Desktop launcher repair applied to $DOMAIN"