#!/bin/bash
#
# LDAP Service

PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

config_ldap() {
  echo -ne "\n* Configuring /federated/apps/ldap container.."
  spin &
  SPINPID=$!

  if [ ! -d "/federated/apps/ldap" ]; then
    mkdir -p /federated/apps/ldap/data &> /dev/null
    mkdir -p /federated/apps/ldap/data/var/lib/ldap &> /dev/null
    mkdir -p /federated/apps/ldap/data/etc/ldap/slap.d &> /dev/null
    mkdir -p /federated/apps/ldap/data/certs &> /dev/null
    mkdir -p /federated/apps/ldap/data/root &> /dev/null
    cp -rf /federated/apps/dns/data/etc/letsencrypt/archive/$DOMAIN/*.pem /federated/apps/ldap/data/certs/
  fi

  DOMAIN_ARRAY=(${DOMAIN//./ })
  DOMAIN_FIRST=${DOMAIN_ARRAY[0]}
  DOMAIN_LAST=${DOMAIN_ARRAY[1]}
  LDAPADMINPASS=`echo -n $ADMINPASS | openssl dgst -sha1 -binary | openssl enc -base64 | awk '{print "{SHA}"$0}'`

cat > /federated/apps/ldap/docker-compose.yml <<EOF
version: '3.7'

services:
  ldap:
    image: osixia/openldap:\${IMAGE_VERSION}
    container_name: ldap
    hostname: ldap.$DOMAIN
    domainname: $DOMAIN
    restart: always
    working_dir: /root
    networks:
      federated:
        ipv4_address: 172.99.0.12
    volumes:
      - ./data/var/lib/ldap:/var/lib/ldap
      - ./data/etc/ldap/slapd.d:/etc/ldap/slapd.d
      - ./data/certs:/container/service/slapd/assets/certs
      - ./data/root:/root
    env_file:
      - ./.env
    secrets:
      - federated_ldap_password

secrets:
  federated_ldap_password:
    file: ./.ldap.secret
networks:
  federated:
    external: true
EOF

cat > /federated/apps/ldap/.env <<EOF
IMAGE_VERSION="1.5.0"
LDAP_ORGANISATION=$COMPANY
LDAP_DOMAIN=$DOMAIN
LDAP_ADMIN_PASSWORD_FILE=/run/secrets/federated_ldap_password
LDAP_RFC2307BIS_SCHEMA=true
LDAP_REMOVE_CONFIG_AFTER_SETUP=true
LDAP_TLS=true
LDAP_TLS_CRT_FILENAME=fullchain1.pem
LDAP_TLS_KEY_FILENAME=privkey1.pem
LDAP_TLS_CA_CRT_FILENAME=chain1.pem
LDAP_TLS_VERIFY_CLIENT=try
EOF
chmod 600 /federated/apps/ldap/.env

LDAP_SECRET=$(create_password);
echo "$LDAP_SECRET" > /federated/apps/ldap/.ldap.secret
chmod 600 /federated/apps/ldap/.ldap.secret
 
cat > /federated/apps/ldap/data/root/ldap.ldif <<EOF
dn: ou=people,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
ou: people
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit

dn: ou=groups,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
ou: groups
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit

dn: cn=lastGID,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
objectClass: device
objectClass: top
description: Records the last GID used to create a Posix group. This prevent
 s the re-use of a GID from a deleted group.
structuralObjectClass: device
cn: lastGID

dn: cn=lastUID,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
objectClass: device
objectClass: top
description: Records the last UID used to create a Posix account. This preve
 nts the re-use of a UID from a deleted account.
structuralObjectClass: device
cn: lastUID

dn: cn=everybody,ou=groups,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
objectClass: top
objectClass: posixGroup
objectClass: groupOfUniqueNames
cn: everybody
uniqueMember: uid=admin,ou=people,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
gidNumber: 2001
structuralObjectClass: groupOfUniqueNames

dn: cn=admins,ou=groups,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
objectClass: top
objectClass: posixGroup
objectClass: groupOfUniqueNames
cn: admins
uniqueMember: uid=admin,ou=people,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
gidNumber: 2002
structuralObjectClass: groupOfUniqueNames

dn: uid=admin,ou=people,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
givenName: admin
sn: admin
uid: admin
mail: admin@$DOMAIN
mailalias: admin@$DOMAIN
cn: admin
mailEnabled: true
objectClass: person
objectClass: inetOrgPerson
objectClass: PostfixBookMailAccount
objectClass: posixAccount
userPassword: $LDAPADMINPASS
uidNumber: 2001
gidNumber: 2001
loginShell: /bin/bash
homeDirectory: /home/admin
structuralObjectClass: inetOrgPerson
memberOf: cn=admins,ou=groups,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
memberOf: cn=everybody,ou=groups,dc=$DOMAIN_FIRST,dc=$DOMAIN_LAST
EOF

cat > /federated/apps/ldap/data/root/ldap.sh <<'EOF'
#!/bin/sh

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

if [ ! -f .initialized ]; then
  echo "Importing default scheme ldap.ldif into LDAP"

  slapadd -v -l /root/ldap.ldif
  [ $? -ne 0 ] && echo "FAILED importing ldap.dif" && exit 2

  touch .initialized
fi 
EOF

chmod +x /federated/apps/ldap/data/root/ldap.sh

kill -9 $SPINPID &> /dev/null
echo -ne "done."
}

start_ldap() {
  # Start /federated/apps/ldap with output to /dev/null
  echo -ne "\n* Starting /federated/apps/ldap service.."
  spin &
  SPINPID=$!

  if [ $DEBUG ]; then
    # Start /federated/apps/ldap with output to console for debug
    docker-compose -f /federated/apps/ldap/docker-compose.yml -p ldap up
    [ $? -eq 0 ] && echo -ne "done.\n" || fail "There was a problem starting service /federated/apps/ldap"
  else
    docker-compose -f /federated/apps/ldap/docker-compose.yml -p ldap up -d &> /dev/null

    # Keep trying ldap port to make sure it's up
    # before we proceed
    RETRY="35"
    while [ $RETRY -gt 0 ]; do
      nc -z 172.99.0.12 636 &> /dev/null
      if [ $? -eq 0 ]; then
        break
      else
        if [ "$RETRY" == 1 ]; then
          docker-compose -f /federated/apps/ldap/docker-compose.yml -p ldap down &> /dev/null
          kill -9 $SPINPID &> /dev/null
          fail "There was a problem starting service /federated/apps/ldap\nCheck the output of 'docker logs ldap' or turn on\ndebug with -d"
        fi
        ((RETRY--))
        sleep 7
      fi
    done
  fi

  # Run our ldap.sh script inside the ldap container
  # This imports the inital LDAP configuration
  docker exec -it ldap /root/ldap.sh &> /dev/null
  [ $? -ne 0 ] && fail "Couldn't run ldap.sh inside ldap container"

  kill -9 $SPINPID &> /dev/null
  echo -ne "done."
}