#!/bin/bash
#
# LDAP Service

# Search path for every command below. $HOME/.docker/cli-plugins is searched
# first (presumably so docker CLI plugins resolve — confirm); because it sits
# ahead of the system directories it must not be writable by anyone other
# than the user running this script. NOTE(review): "/local/sbin" looks like a
# typo for /usr/local/sbin (the generated ldap.sh below uses the latter).
PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

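#######################################
# Write the ldap container's compose file, env file, admin secret, seed LDIF
# and the in-container import script under /federated/apps/ldap.
# Globals:   DOMAIN, ADMINPASS, COMPANY (read)
#            LDAPADMINPASS, LDAPFCOREPASS, LDAP_SECRET (written)
# Calls:     current_version, create_password, fail (defined elsewhere)
# Outputs:   progress text on stdout
# Returns:   0 on success; hands fatal setup errors to fail
# Fixes vs. the previous version: the slapd.d directory name now matches the
# compose volume mount (was "slap.d"), expansions are quoted, the secret file
# is created 0600 from the start, and the fcore "sn" value no longer carries
# a trailing space.
#######################################
config_ldap() {
  local app_dir=/federated/apps/ldap

  printf '%s' "* Configuring ldap container.."

  # Both values are baked into file contents below; refuse to continue with
  # them unset rather than writing "ldap." hostnames and empty hashes.
  [ -n "${DOMAIN:-}" ] || fail "DOMAIN is not set"
  [ -n "${ADMINPASS:-}" ] || fail "ADMINPASS is not set"

  # First-run layout. The directory names must match the bind mounts in the
  # compose file written below so the mount points exist before the container
  # starts.
  if [ ! -d "$app_dir" ]; then
    mkdir -p "$app_dir/data/certs" "$app_dir/data/root" \
      "$app_dir/data/var/lib/ldap" "$app_dir/data/etc/ldap/slapd.d" \
      || fail "Couldn't create $app_dir layout"
    # The certificate and private key are only copied on first setup, so a
    # later cert renewal is not picked up by re-running config_ldap.
    cp -- "/federated/certs/certs/$DOMAIN.crt" \
      "/federated/certs/private/$DOMAIN.key" "$app_dir/data/certs/" \
      || fail "Couldn't copy TLS certificate/key for $DOMAIN"
  fi

  # userPassword for the seeded accounts: unsalted {SHA} of ADMINPASS. printf
  # (not echo) so a password starting with '-' or containing backslashes is
  # hashed literally. NOTE(review): {SHA} is unsalted SHA-1; {SSHA} or a
  # modern scheme would be stronger, but changing it changes the stored hash,
  # so coordinate with anything else that derives credentials from ADMINPASS.
  LDAPADMINPASS=$(printf '%s' "$ADMINPASS" | openssl dgst -sha1 -binary \
    | openssl enc -base64 | awk '{print "{SHA}"$0}')
  # fcore is seeded with the same credential as admin (both derived from
  # ADMINPASS), so reuse the hash instead of recomputing it.
  LDAPFCOREPASS=$LDAPADMINPASS

  # \${IMAGE_VERSION} is escaped on purpose: compose reads it from .env.
  cat > "$app_dir/docker-compose.yml" <<EOF
services:
  ldap:
    image: osixia/openldap:\${IMAGE_VERSION}
    container_name: ldap
    hostname: ldap.$DOMAIN
    restart: always
    working_dir: /root
    networks:
      core:
        ipv4_address: 192.168.0.15
    volumes:
      - ./data/var/lib/ldap:/var/lib/ldap
      - ./data/etc/ldap/slapd.d:/etc/ldap/slapd.d
      - ./data/certs:/container/service/slapd/assets/certs
      - ./data/root:/root
    env_file:
      - ./.env
    secrets:
      - federated_ldap_password

secrets:
  federated_ldap_password:
    file: ./.ldap.secret
networks:
  core:
    external: true
EOF

  # The admin password itself lives in the secret file, not here; LDAP_DOMAIN
  # is the fixed base DN suffix used by the LDIF below, not $DOMAIN.
  cat > "$app_dir/.env" <<EOF
IMAGE_VERSION="$(current_version ldap)"
LDAP_ORGANISATION=$COMPANY
LDAP_DOMAIN=federatedcomputer.cloud
LDAP_ADMIN_PASSWORD_FILE=/run/secrets/federated_ldap_password
LDAP_RFC2307BIS_SCHEMA=true
LDAP_REMOVE_CONFIG_AFTER_SETUP=true
LDAP_TLS=true
LDAP_TLS_CRT_FILENAME=$DOMAIN.crt
LDAP_TLS_KEY_FILENAME=$DOMAIN.key
LDAP_TLS_CA_CRT_FILENAME=$DOMAIN.crt
LDAP_TLS_VERIFY_CLIENT=try
EOF
  chmod 600 "$app_dir/.env"

  # A fresh cn=admin password is generated on every run of config_ldap. The
  # file is created under umask 077 so it is never momentarily readable by
  # others before the chmod; the chmod still covers a pre-existing file.
  LDAP_SECRET=$(create_password)
  [ -n "$LDAP_SECRET" ] || fail "create_password returned an empty secret"
  ( umask 077; printf '%s\n' "$LDAP_SECRET" > "$app_dir/.ldap.secret" ) \
    || fail "Couldn't write $app_dir/.ldap.secret"
  chmod 600 "$app_dir/.ldap.secret"

  # Seed entries imported once by ldap.sh (below).
  cat > "$app_dir/data/root/ldap.ldif" <<EOF
dn: ou=people,dc=federatedcomputer,dc=cloud
ou: people
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit

dn: ou=groups,dc=federatedcomputer,dc=cloud
ou: groups
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit

dn: cn=lastGID,dc=federatedcomputer,dc=cloud
objectClass: device
objectClass: top
description: Records the last GID used to create a Posix group. This prevent
 s the re-use of a GID from a deleted group.
structuralObjectClass: device
cn: lastGID

dn: cn=lastUID,dc=federatedcomputer,dc=cloud
objectClass: device
objectClass: top
description: Records the last UID used to create a Posix account. This preve
 nts the re-use of a UID from a deleted account.
structuralObjectClass: device
cn: lastUID

dn: cn=everybody,ou=groups,dc=federatedcomputer,dc=cloud
objectClass: top
objectClass: posixGroup
objectClass: groupOfUniqueNames
cn: everybody
uniqueMember: uid=admin,ou=people,dc=federatedcomputer,dc=cloud
gidNumber: 2001
structuralObjectClass: groupOfUniqueNames

dn: cn=admins,ou=groups,dc=federatedcomputer,dc=cloud
objectClass: top
objectClass: posixGroup
objectClass: groupOfUniqueNames
cn: admins
uniqueMember: uid=admin,ou=people,dc=federatedcomputer,dc=cloud
gidNumber: 2002
structuralObjectClass: groupOfUniqueNames

dn: uid=admin,ou=people,dc=federatedcomputer,dc=cloud
givenName: admin
sn: admin
uid: admin
mail: admin@$DOMAIN
mailAlias: admin@$DOMAIN
mailAlias: abuse@$DOMAIN
mailAlias: postmaster@$DOMAIN
mailAlias: hostmaster@$DOMAIN
cn: admin
mailEnabled: true
objectClass: person
objectClass: inetOrgPerson
objectClass: PostfixBookMailAccount
objectClass: posixAccount
userPassword: $LDAPADMINPASS
uidNumber: 2001
gidNumber: 2001
loginShell: /bin/bash
homeDirectory: /home/admin
structuralObjectClass: inetOrgPerson
memberOf: cn=admins,ou=groups,dc=federatedcomputer,dc=cloud
memberOf: cn=everybody,ou=groups,dc=federatedcomputer,dc=cloud

dn: uid=fcore,ou=people,dc=federatedcomputer,dc=cloud
givenName: fcore
sn: fcore
uid: fcore
mail: fcore@$DOMAIN
cn: fcore
mailEnabled: false
objectClass: person
objectClass: inetOrgPerson
objectClass: PostfixBookMailAccount
objectClass: posixAccount
userPassword: $LDAPFCOREPASS
uidNumber: 2002
gidNumber: 2002
loginShell: /bin/bash
homeDirectory: /home/fcore
structuralObjectClass: inetOrgPerson
memberOf: cn=admins,ou=groups,dc=federatedcomputer,dc=cloud
memberOf: cn=everybody,ou=groups,dc=federatedcomputer,dc=cloud
EOF

  # Import script executed by start_ldap via docker exec. Quoted delimiter:
  # nothing in it is expanded on the host. NOTE(review): start_ldap runs this
  # only after port 636 answers, i.e. slapadd runs while slapd is already up;
  # confirm the image tolerates that, otherwise ldapadd over the socket is the
  # safer import path.
  cat > "$app_dir/data/root/ldap.sh" <<'EOF'
#!/bin/sh
# One-shot seed of the directory from /root/ldap.ldif. Runs inside the
# container (compose working_dir is /root); the .initialized marker keeps it
# from re-importing on later starts.

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

if [ ! -f .initialized ]; then
  echo "Importing default scheme ldap.ldif into LDAP"

  if ! slapadd -v -l /root/ldap.ldif; then
    echo "FAILED importing ldap.ldif"
    exit 2
  fi

  touch .initialized
fi
EOF

  chmod +x "$app_dir/data/root/ldap.sh"

  printf 'done.\n'
}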
#######################################
# Bring the ldap container up and seed it once it answers on its LDAPS port.
# Globals:   none written
# Calls:     start_service, fail (defined elsewhere)
# Outputs:   progress text on stdout
# Returns:   0 on success; hands an import failure to fail
#######################################
start_ldap() {
  # Block until 192.168.0.15:636 accepts a TCP connection; the trailing "60"
  # is presumably start_service's timeout — confirm against its definition.
  start_service "ldap" "nc -z 192.168.0.15 636 &> /dev/null" "60"

  # Run the generated /root/ldap.sh inside the container to import the
  # initial LDIF. Its output is discarded, so the exit status is the only
  # signal we get back.
  if ! docker exec ldap /root/ldap.sh &> /dev/null; then
    fail "Couldn't run ldap.sh inside ldap container"
  fi

  printf 'done.\n'
}