#!/bin/sh

# Copyright (C) 2025-2026 Daniel Baumann <daniel@debian.org>
#
# SPDX-License-Identifier: GPL-3.0+
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <https://www.gnu.org/licenses/>.

set -e

PROJECT="bfh"
SOFTWARE="bfh-tools"
PROGRAM="bfh"
COMMAND="$(basename ${0})"

HOOKS="/etc/${PROJECT}/${PROJECT}.hooks"

Parameters ()
{
	GETOPT_LONGOPTIONS="user:,key:,simulate,dry-run,verbose,quiet,help,"
	GETOPT_OPTIONS="u:,k:,v,q,h,"

	PARAMETERS="$(getopt --longoptions ${GETOPT_LONGOPTIONS} --name=${COMMAND} --options ${GETOPT_OPTIONS} --shell sh -- "${@}")"

	if [ "${?}" != "0" ]
	then
		echo "'${COMMAND}': getopt exit" >&2
		exit 1
	fi

	eval set -- "${PARAMETERS}"

	while true
	do
		case "${1}" in
			-u|--user)
				USER_ACCOUNT="${2}"
				shift 2
				;;

			-k|--key)
				USER_KEY="${2}"
				shift 2
				;;

			--simulate|--dry-run)
				SIMULATE="true"
				shift 1
				;;

			-v|--verbose)
				VERBOSE="true"
				shift 1
				;;

			-q|--quiet)
				QUIET="true"
				shift 1
				;;

			-h|--help)
				Usage
				exit 0
				;;

			--)
				shift 1
				break
				;;

			*)
				echo "'${COMMAND}': getopt error" >&2
				exit 1
				;;
		esac
	done
}

Usage ()
{
	echo "Usage: ${PROGRAM} ${COMMAND} -u|--user USER -k|--key \"PUBLIC KEY\"|PUBLIC_KEYFILE [--simulate|--dry-run] [-v|--verbose] [-q|--quiet]" >&2
	echo "Usage: ${PROGRAM} ${COMMAND} -h|--help" >&2
	echo
	echo "See ${PROGRAM}_${COMMAND}(1), ${PROGRAM}(1) and ${SOFTWARE}(7) for more information."

	exit 1
}

Parameters "${@}"

if [ -z "${USER_ACCOUNT}" ] || [ -z "${USER_KEY}" ]
then
	Usage
fi

if [ ! -e /usr/bin/ldapmodify ] || [ ! -e /usr/bin/ldapsearch ]
then
	echo "E: ldap-utils missing - please 'sudo apt install ldap-utils'" >&2
	exit 1
fi

# Pre hooks
for FILE in "${HOOKS}/${COMMAND}.pre"* "${HOOKS}/pre.${COMMAND}".* "${HOOKS}/all.pre"* "${HOOKS}/pre.all".*
do
	if [ -x "${FILE}" ]
	then
		"${FILE}"
	fi
done

################################################################################
# Run command
################################################################################

for CONFIG in ldap
do
	if [ ! -e "/etc/bfh/bfh.conf.d/${CONFIG}.conf" ]
	then
		echo "E: ${CONFIG} missing - please 'sudo dpkg-reconfigure bfh-tools'" >&2
		exit 1
	else
		. "/etc/bfh/bfh.conf.d/${CONFIG}.conf"
	fi
done

# cleanup on exit
Clean ()
{
	rm -f "${_TMPFILE}"
}

trap 'Clean' EXIT HUP INT QUIT TERM

# check user is existing
DN="$(ldapsearch -LLL -o ldif-wrap=no -D ${BFH_LDAP_PRIMARY_USER} -w ${BFH_LDAP_PRIMARY_SECRET} -x -H ldaps://${BFH_LDAP_PRIMARY_HOST}:636 -b dc=bfh uid=${USER_ACCOUNT} | awk '/^dn: / { print $2 }')"

if [ -z "${DN}" ]
then
	echo "E: user doesn't exist in LDAP" >&2
	exit 1
fi

# strip comments from key by using the two first parts only
if [ -e "${USER_KEY}" ]
then
	# key is a file
	USER_KEY="$(cut -d' ' -f 1-2 "${USER_KEY}")"
else
	# key is a string
	USER_KEY="$(echo "${USER_KEY}" | cut -d' ' -f 1-2)"
fi

case "${USER_KEY}" in
	disabled)
		;;

	*)
		# validate the key in tmpfile
		if ! echo "${USER_KEY}" | ssh-keygen -l -f - > /dev/null 2>&1
		then
			echo "E: key '${USER_KEY}' doesn't validate" >&2
			exit 1
		fi

		# enforce ED25519 ssh key type
		KEY_TYPE="$(echo "${USER_KEY}" | ssh-keygen -l -f - | awk '{ print $NF }' | sed -e 's|(||g' -e 's|)||g')"

		case "${KEY_TYPE}" in
			ED25519)
				;;

			*)
				echo "E: key '${USER_KEY}' is not ED22519" >&2
				exit 1
				;;
		esac

		USER_KEY="${USER_KEY} ${USER_ACCOUNT}@bfh.ch"
		;;
esac

# write ldif
_TMPFILE="$(mktemp -t ${PROGRAM}_$(basename ${0}).XXXXXXXX)"

cat > "${_TMPFILE}" << EOF
dn: ${DN}
changetype: modify
replace: sshPublicKey
sshPublicKey: ${USER_KEY}
EOF

# apply ldif
case "${SIMULATE}" in
	true)
		# do nothing
		echo "SIMULATE"
		cat "${_TMPFILE}"
		echo "SIMULATE"
		;;

	*)
		case "${QUIET}" in
			true)
				ldapmodify -x -D ${BFH_LDAP_PRIMARY_USER} -w ${BFH_LDAP_PRIMARY_SECRET} -H ldaps://${BFH_LDAP_PRIMARY_HOST}:636 -f "${_TMPFILE}" > /dev/null 2>&1 || echo "something went wrong" >&2
				;;

			*)
				ldapmodify -x -D ${BFH_LDAP_PRIMARY_USER} -w ${BFH_LDAP_PRIMARY_SECRET} -H ldaps://${BFH_LDAP_PRIMARY_HOST}:636 -f "${_TMPFILE}" || echo "something went wrong" >&2
				;;
		esac
		;;
esac

################################################################################

# Post hooks
for FILE in "${HOOKS}/${COMMAND}.post"* "${HOOKS}/post.${COMMAND}".* "${HOOKS}/all.post"* "${HOOKS}/post.all".*
do
	if [ -x "${FILE}" ]
	then
		"${FILE}"
	fi
done
