#!/bin/sh

# Copyright (C) 2025-2026 Daniel Baumann <daniel@debian.org>
#
# SPDX-License-Identifier: GPL-3.0+
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <https://www.gnu.org/licenses/>.

set -e

# Short name of this script (directory stripped); used to label temp files.
SCRIPT_PATH="${0}"
PROGRAM="$(basename "${SCRIPT_PATH}")"

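# Print the usage text to stderr and exit 1.
# VALUE is optional: omitting it deletes FIELD from the entry (see the
# argument check below, which only requires DN and FIELD).  The whole help
# text goes to stderr so stdout stays clean for callers that capture it.
Usage ()
{
	{
		echo "Usage: ${0} DN FIELD [VALUE]"
		echo
		echo "Omitting VALUE deletes FIELD from the entry."
		echo
		echo "Example:"
		echo "  ${0} cn=bad9,ou=Staff,ou=Accounts,dc=bfh sshPublicKey \"ssh-ed25519 [...] bad9@bfh.ch\""
		echo "  ${0} cn=DM.perm.storage.services_lni-team.write,ou=Security,ou=Groups,dc=bfh bfhCephDirectory Services/LNI-Team"
		echo "  ${0} cn=bad9,ou=Staff,ou=Accounts,dc=bfh bfhCephDirectory"
	} >&2

	exit 1
}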

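LDAP_DN="${1}"
LDAP_FIELD="${2}"
LDAP_VALUE="${3}"

if [ -z "${LDAP_DN}" ] || [ -z "${LDAP_FIELD}" ]
then
	Usage
fi

# The arguments are written verbatim into an LDIF change record, so a value
# containing a line break could append further 'changetype'/'replace'
# stanzas to the record.  Refuse embedded CR/LF up front.
_NL="$(printf '\n.')"
_NL="${_NL%.}"
_CR="$(printf '\r.')"
_CR="${_CR%.}"

case "${LDAP_DN}${LDAP_FIELD}${LDAP_VALUE}" in
	*"${_NL}"*|*"${_CR}"*)
		echo "E: DN, FIELD and VALUE must not contain line breaks" >&2
		exit 1
		;;
esac

# FIELD names an attribute type: a descriptor (letter, then letters, digits
# or '-') or a numeric OID (RFC 4512).  Attribute options (';...') are not
# accepted.  This also keeps FIELD free of regex and LDIF metacharacters,
# since it is later interpolated into an awk pattern and into the LDIF.
case "${LDAP_FIELD}" in
	[A-Za-z]*[!A-Za-z0-9-]*|[0-9]*[!0-9.]*|[!A-Za-z0-9]*)
		echo "E: invalid attribute name '${LDAP_FIELD}'" >&2
		exit 1
		;;
esac

# Look the tools up on PATH rather than assuming /usr/bin.
for TOOL in ldapmodify ldapsearch
do
	if ! command -v "${TOOL}" > /dev/null 2>&1
	then
		echo "E: ldap-utils missing - please 'sudo apt install ldap-utils'" >&2
		exit 1
	fi
done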

################################################################################
# Run command
################################################################################

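# Source the bfh-tools LDAP configuration, which must provide
# BFH_LDAP_PRIMARY_USER, BFH_LDAP_PRIMARY_SECRET and BFH_LDAP_PRIMARY_HOST.
for CONFIG in ldap
do
	if [ ! -e "/etc/bfh/bfh.conf.d/${CONFIG}.conf" ]
	then
		echo "E: ${CONFIG} missing - please 'sudo dpkg-reconfigure bfh-tools'" >&2
		exit 1
	fi

	# shellcheck disable=SC1090 -- the configuration is a shell fragment by design
	. "/etc/bfh/bfh.conf.d/${CONFIG}.conf"
done

# Every ldap-utils invocation below passes these three values as option
# arguments.  An empty one would make the following option be taken as the
# argument (e.g. '-D -w'), producing confusing failures; fail early instead.
if [ -z "${BFH_LDAP_PRIMARY_USER}" ] || [ -z "${BFH_LDAP_PRIMARY_SECRET}" ] || [ -z "${BFH_LDAP_PRIMARY_HOST}" ]
then
	echo "E: BFH_LDAP_PRIMARY_USER/SECRET/HOST not set in /etc/bfh/bfh.conf.d/ldap.conf - please 'sudo dpkg-reconfigure bfh-tools'" >&2
	exit 1
fi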

# cleanup on exit
Clean ()
{
	rm -f "${_TMPFILE}"
}

trap 'Clean' EXIT HUP INT QUIT TERM

# check user is existing
DN="$(ldapsearch -LLL -o ldif-wrap=no -D ${BFH_LDAP_PRIMARY_USER} -w ${BFH_LDAP_PRIMARY_SECRET} -x -H ldaps://${BFH_LDAP_PRIMARY_HOST}:636 -b dc=bfh $(echo ${LDAP_DN} | awk -F, '{ print $1 }') | awk '/^dn: / { print $2 }')"

if [ "${DN}" != "${LDAP_DN}" ]
then
	echo "E: something went wrong (${DN} != ${LDAP_DN})" >&2
	exit 1
fi

# write ldif
_TMPFILE="$(mktemp -t ${PROGRAM}_$(basename ${0}).XXXXXXXX)"

if [ -n "${LDAP_VALUE}" ]
then

# updating field
cat > "${_TMPFILE}" << EOF
dn: ${LDAP_DN}
changetype: modify
replace: ${LDAP_FIELD}
${LDAP_FIELD}: ${LDAP_VALUE}
EOF

else

	OLD_VALUE="$(ldapsearch -LLL -o ldif-wrap=no -D ${BFH_LDAP_PRIMARY_USER} -w ${BFH_LDAP_PRIMARY_SECRET} -x -H ldaps://${BFH_LDAP_PRIMARY_HOST}:636 -b dc=bfh $(echo ${LDAP_DN} | awk -F, '{ print $1 }') | awk "/^${LDAP_FIELD}: / { print \$2 }")"

	if [ -z "${OLD_VALUE}" ]
	then
		echo "I: no old fields found, doing nothing"
		exit 0
	fi

# delete field
cat > "${_TMPFILE}" << EOF
dn: ${LDAP_DN}
changetype: modify
delete: ${LDAP_FIELD}
${LDAP_FIELD}: ${OLD_VALUE}
EOF

fi

# apply ldif
case "${SIMULATE}" in
	true)
		# do nothing
		echo "SIMULATE"
		cat "${_TMPFILE}"
		echo "SIMULATE"
		;;

	*)
		case "${QUIET}" in
			true)
				ldapmodify -x -D ${BFH_LDAP_PRIMARY_USER} -w ${BFH_LDAP_PRIMARY_SECRET} -H ldaps://${BFH_LDAP_PRIMARY_HOST}:636 -f "${_TMPFILE}" > /dev/null 2>&1 || echo "something went wrong" >&2
				;;

			*)
				ldapmodify -x -D ${BFH_LDAP_PRIMARY_USER} -w ${BFH_LDAP_PRIMARY_SECRET} -H ldaps://${BFH_LDAP_PRIMARY_HOST}:636 -f "${_TMPFILE}" || echo "something went wrong" >&2
				;;
		esac
		;;
esac
