#!/bin/sh

# Copyright (C) 2025-2026 Daniel Baumann <daniel@debian.org>
#
# SPDX-License-Identifier: GPL-3.0+
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <https://www.gnu.org/licenses/>.

set -e

PROJECT="bfh"
SOFTWARE="bfh-tools"
PROGRAM="bfh"
COMMAND="$(basename ${0})"

HOOKS="/etc/${PROJECT}/${PROJECT}.hooks"

Parameters ()
{
	GETOPT_LONGOPTIONS="owners:,users:,type:,service:,department:,name:,role:,simulate,dry-run,verbose,quiet,help,"
	GETOPT_OPTIONS="o:,u:,t:,s:,d:,n:,r:,v,q,h,"

	PARAMETERS="$(getopt --longoptions ${GETOPT_LONGOPTIONS} --name=${COMMAND} --options ${GETOPT_OPTIONS} --shell sh -- "${@}")"

	if [ "${?}" != "0" ]
	then
		echo "'${COMMAND}': getopt exit" >&2
		exit 1
	fi

	eval set -- "${PARAMETERS}"

	while true
	do
		case "${1}" in
			-o|--owners)
				GROUP_OWNERS="${2}"
				shift 2
				;;

			-u|--users)
				GROUP_USERS="${2}"
				shift 2
				;;

			-t|--type)
				GROUP_TYPE="${2}"
				shift 2
				;;

			-s|--service)
				GROUP_SERVICE="${2}"
				shift 2
				;;

			-d|--department)
				GROUP_DEPARTMENT="${2}"
				shift 2
				;;

			-n|--name)
				GROUP_NAME="${2}"
				shift 2
				;;

			-r|--role)
				GROUP_ROLE="${2}"
				shift 2
				;;

			--simulate|--dry-run)
				SIMULATE="true"
				shift 1
				;;

			-v|--verbose)
				VERBOSE="true"
				shift 1
				;;

			-q|--quiet)
				QUIET="true"
				shift 1
				;;

			-h|--help)
				Usage
				exit 0
				;;

			--)
				shift 1
				break
				;;

			*)
				echo "'${COMMAND}': getopt error" >&2
				exit 1
				;;
		esac
	done
}

Usage ()
{
	echo "Usage: ${PROGRAM} ${COMMAND} -o|--owners OWNER|\"OWNER1 OWNER2 ...\" [-u|--users USER|\"USER1 USER2 ...\"] -t|--type {infra|perm} -s|--service {datacenter|linux|infrastructure|network|storage|compute|cloud|other} [-d|--department {AHB|BFH|G|HAFL|HKB|S|Services|TI|W}] -n|--name NAME -r|--role {sysadmin|staff|community}|{access|admin|read|write|users} [--simulate|--dry-run] [-v|--verbose] [-q|--quiet]" >&2
	echo "Usage: ${PROGRAM} ${COMMAND} -h|--help" >&2
	echo
	echo "See ${PROGRAM}_${COMMAND}(1), ${PROGRAM}(1) and ${SOFTWARE}(7) for more information."

	exit 1
}

Parameters "${@}"

if [ -z "${GROUP_OWNERS}" ] || [ -z "${GROUP_TYPE}" ] || [ -z "${GROUP_SERVICE}" ] || [ -z "${GROUP_NAME}" ] || [ -z "${GROUP_ROLE}" ]
then
	Usage
fi

case "${GROUP_TYPE}" in
	infra|perm)
		;;

	*)
		Usage
		;;
esac

case "${GROUP_SERVICE}" in
	datacenter|linux|infrastructure|network|storage|compute|cloud|other)
		;;

	*)
		Usage
		;;
esac

case "${GROUP_SERVICE}" in
	storage)
		case "${GROUP_DEPARTMENT}" in
			AHB|BFH|G|HAFL|HKB|S|Services|TI|W)
				;;

			*)
				Usage
				;;
		esac
		;;
esac

case "${GROUP_TYPE}" in
	infra)
		HIERARCHY="Services/IT Services/Infrastructure"

		case "${GROUP_ROLE}" in
			sysadmin|staff|community)
				;;

			*)
				Usage
				;;
		esac
		;;

	perm)
		HIERARCHY="Services/IT Services/Permissions"

		case "${GROUP_ROLE}" in
			access|admin|read|write|users)
				;;

			*)
				Usage
				;;
		esac
		;;
esac

# group name is subset of ascii only
case "${GROUP_NAME}" in
	*[![a-z][A-Z][0-9]'-']*)
		echo "E: group name contains non-allowed characters" >&2
		exit 1
		;;
esac

# group name is always lower case
GROUP_DEPARTMENT="$(echo ${GROUP_DEPARTMENT} | tr '[A-Z]' '[a-z]')"
GROUP_NAME="$(echo ${GROUP_NAME} | tr '[A-Z]' '[a-z]')"

case "${GROUP_SERVICE}" in
	storage)
		GROUP="IDM.${GROUP_TYPE}.${GROUP_SERVICE}.${GROUP_DEPARTMENT}_${GROUP_NAME}.${GROUP_ROLE}"

		# FIXME: also check for old group schema until data is migrated
		GROUP_OLD="IDM.${GROUP_TYPE}.${GROUP_SERVICE}.${GROUP_DEPARTMENT}-${GROUP_NAME}.${GROUP_ROLE}"
		;;

	*)
		GROUP="IDM.${GROUP_TYPE}.${GROUP_SERVICE}.${GROUP_NAME}.${GROUP_ROLE}"
		;;
esac

# group needs to be <= 64 characters for LDAP/AD compatibility
if [ "$(echo ${GROUP} | wc -m)" -ge 65 ]
then
	echo "E: group exceeds 64 characters" >&2
	exit 1
fi

if [ ! -e /usr/bin/ldapmodify ] || [ ! -e /usr/bin/ldapsearch ]
then
	echo "E: ldap-utils missing - please 'sudo apt install ldap-utils'" >&2
	exit 1
fi

if [ ! -e /usr/bin/ssh ]
then
	echo "E: openssh-client missing - please 'sudo apt install openssh-client'" >&2
	exit 1
fi

SSH_OPTIONS="-qqq -o HashKnownHosts=no -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"

# Pre hooks
for FILE in "${HOOKS}/${COMMAND}.pre"* "${HOOKS}/pre.${COMMAND}".* "${HOOKS}/all.pre"* "${HOOKS}/pre.all".*
do
	if [ -x "${FILE}" ]
	then
		"${FILE}"
	fi
done

################################################################################
# Run command
################################################################################

for CONFIG in ldap idm
do
	if [ ! -e "/etc/bfh/bfh.conf.d/${CONFIG}.conf" ]
	then
		echo "E: ${CONFIG} missing - please 'sudo dpkg-reconfigure bfh-tools'" >&2
		exit 1
	else
		. "/etc/bfh/bfh.conf.d/${CONFIG}.conf"
	fi
done

BFH_IDM_DIRECTORY="/srv/${BFH_IDM_PRIMARY_HOST}/bin"

Run ()
{
	COMMANDS="${@}"

	case "${SIMULATE}" in
		true)
			echo ${COMMANDS}
			;;

		*)
			case "${QUIET}" in
				true)
					${COMMANDS} > /dev/null 2>&1
					;;

				*)
					echo ${COMMANDS}
					${COMMANDS}
					;;
			esac
			;;
	esac
}

# check if group is already existing
DN="$(ldapsearch -LLL -o ldif-wrap=no -D ${BFH_LDAP_PRIMARY_USER} -w ${BFH_LDAP_PRIMARY_SECRET} -x -H ldaps://${BFH_LDAP_PRIMARY_HOST}:636 -b dc=bfh cn=${GROUP} | awk '/^dn: / { print $2 }')"

case "${GROUP_SERVICE}" in
	storage)
		# FIXME: also check for old group schema until data is migrated
		DN_OLD="$(ldapsearch -LLL -o ldif-wrap=no -D ${BFH_LDAP_PRIMARY_USER} -w ${BFH_LDAP_PRIMARY_SECRET} -x -H ldaps://${BFH_LDAP_PRIMARY_HOST}:636 -b dc=bfh cn=${GROUP_OLD} | awk '/^dn: / { print $2 }')"
		;;

	*)
		DN_OLD=""
		;;
esac

if [ -n "${DN}" ] || [ -n "${DN_OLD}" ]
then
	echo "I: already exists (names are case-insensitive and must be unique)"
	exit 0
fi

Run ssh ${SSH_OPTIONS} -i "${BFH_IDM_PRIMARY_SECRET}" "${BFH_IDM_PRIMARY_USER}@${BFH_IDM_PRIMARY_HOST}" "${BFH_IDM_DIRECTORY}"/addGroup ${GROUP} "\"Team LNI: ${GROUP}\"" "\"${HIERARCHY}\""

for OWNER in $(echo ${GROUP_OWNERS} | sed -e 's|,| |g')
do
	# IDM only allows Staff to be group managers
	ACCOUNT_TYPE="$(ldapsearch -LLL -o ldif-wrap=no -D ${BFH_LDAP_PRIMARY_USER} -w ${BFH_LDAP_PRIMARY_SECRET} -x -H ldaps://${BFH_LDAP_PRIMARY_HOST}:636 -b dc=bfh uid=${OWNER} | awk '/^bfhAccountType: / { print $2 }')"

	case "${ACCOUNT_TYPE}" in
		Staff)
			Run ssh ${SSH_OPTIONS} -i "${BFH_IDM_PRIMARY_SECRET}" "${BFH_IDM_PRIMARY_USER}@${BFH_IDM_PRIMARY_HOST}" "${BFH_IDM_DIRECTORY}"/addGroupManager ${GROUP} ${OWNER}
			;;
	esac
done

if [ -n "${GROUP_USERS}" ]
then
	for USER in $(echo ${GROUP_USERS} | sed -e 's|,| |g')
	do
		Run ssh ${SSH_OPTIONS} -i "${BFH_IDM_PRIMARY_SECRET}" "${BFH_IDM_PRIMARY_USER}@${BFH_IDM_PRIMARY_HOST}" "${BFH_IDM_DIRECTORY}"/addGroupMember ${GROUP} ${USER}
	done
fi

################################################################################

# Post hooks
for FILE in "${HOOKS}/${COMMAND}.post"* "${HOOKS}/post.${COMMAND}".* "${HOOKS}/all.post"* "${HOOKS}/post.all".*
do
	if [ -x "${FILE}" ]
	then
		"${FILE}"
	fi
done
