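#!/bin/bash
#
# Lock or unlock every graphical login session according to whether a YubiKey
# listed in that user's ~/.yubikeys file is currently plugged in.
#
# For each session reported by loginctl:
#   - sessions whose Type is not x11 or wayland are skipped;
#   - users without a regular ~/.yubikeys file are skipped (opt-in per user);
#   - if no enrolled serial is present and the session is unlocked, lock it;
#   - if an enrolled serial is present and the session is locked, activate and
#     unlock it.
#
# NOTE(review): the unlock decision rests only on the serial number printed by
# `ykman list --serials`. A serial is an identifier, not a secret, and no
# touch, PIN or challenge-response is involved, so this is a presence check
# rather than authentication. Keep a real factor (for example pam_u2f) on the
# lock screen wherever unlock must prove possession of the key.
#
# NOTE(review): ~/.yubikeys lives in the user's home directory, so whoever can
# write that file can enrol a serial. Presumably this script runs with enough
# privilege to lock/unlock other users' sessions -- confirm, and consider
# requiring the file to be owned by the user or root and not group/world
# writable.

# One session ID per line. Blank lines are dropped so the array never holds an
# empty ID, and no word-splitting or globbing is applied to the output.
mapfile -t SESSIONS < <(loginctl list-sessions --no-legend | awk 'NF { print $1 }')

# The set of attached keys is the same for every session, so query it once.
# If ykman fails the list is empty, which only ever leads to locking.
PRESENT_SERIALS=$(ykman list --serials | sort)

for SESSION_ID in "${SESSIONS[@]}"; do
  USERNAME=$(loginctl show-session "$SESSION_ID" -p Name --value)
  SESSION_TYPE=$(loginctl show-session "$SESSION_ID" -p Type --value)          # should be x11 or wayland
  SESSION_LOCKED=$(loginctl show-session "$SESSION_ID" -p LockedHint --value)  # yes/no

  # Only graphical sessions have a lock screen to drive.
  if [[ "$SESSION_TYPE" != "x11" && "$SESSION_TYPE" != "wayland" ]]; then
    continue
  fi

  # Without a resolved home directory KEY_FILE would become "/.yubikeys" and a
  # file at the filesystem root would be applied to this session.
  USER_DIR=$(getent passwd "$USERNAME" | cut -d: -f6)
  if [[ -z "$USER_DIR" ]]; then
    continue
  fi
  KEY_FILE="$USER_DIR/.yubikeys"

  # Require a regular file: a FIFO or device node here would make sort block
  # and stall the loop for every remaining session.
  if ! [[ -f "$KEY_FILE" ]]; then
    continue
  fi

  # Serials that are both plugged in and enrolled for this user. comm needs
  # both inputs sorted the same way, so each side goes through sort.
  MATCHING_KEYS=$(comm -12 <(printf '%s\n' "$PRESENT_SERIALS") <(sort -- "$KEY_FILE"))

  if [[ -z "$MATCHING_KEYS" ]]; then
    if [[ "$SESSION_LOCKED" == "no" ]]; then
      logger "All YubiKeys Removed ($USERNAME)"
      loginctl lock-session "$SESSION_ID"
    fi
  else
    if [[ "$SESSION_LOCKED" == "yes" ]]; then
      logger "YubiKey Found, Unlocking ($USERNAME)"
      loginctl activate "$SESSION_ID"
      loginctl unlock-session "$SESSION_ID"
    fi
  fi
done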