# -*- indent-tabs-mode: t; tab-width: 4; -*-
#####
##### This file is part of Mail-in-a-Box-LDAP which is released under the
##### terms of the GNU Affero General Public License as published by the
##### Free Software Foundation, either version 3 of the License, or (at
##### your option) any later version. See file LICENSE or go to
##### https://github.com/downtownallday/mailinabox-ldap for full license
##### details.
#####


# requirements:
#   system packages: [ ldap-utils ]
#   setup scripts:   [ functions-ldap.sh ]
#   setup artifacts: [ miab_ldap.conf ]


delete_user() {
	local email="$1"
	local domainpart="$(awk -F@ '{print $2}' <<< "$email")"
	get_attribute "$LDAP_USERS_BASE" "mail=$email" "dn"
	[ -z "$ATTR_DN" ] && return 0
	record "[delete user $email]"
	ldapdelete -H $LDAP_URL -x -D "$LDAP_ADMIN_DN" -w "$LDAP_ADMIN_PASSWORD" "$ATTR_DN" >>$TEST_OF 2>&1 || die "Unable to delete user $ATTR_DN (as admin)"
	record "deleted"
	# delete the domain if there are no more users in the domain
	get_attribute "$LDAP_USERS_BASE" "mail=*@${domainpart}" "dn"
	[ ! -z "$ATTR_DN" ] && return 0
	get_attribute "$LDAP_DOMAINS_BASE" "dc=${domainpart}" "dn"
	if [ ! -z "$ATTR_DN" ]; then
		record "[delete domain $domainpart]"
		ldapdelete -H $LDAP_URL -x -D "$LDAP_ADMIN_DN" -w "$LDAP_ADMIN_PASSWORD" "$ATTR_DN" >>$TEST_OF 2>&1 || die "Unable to delete domain $ATTR_DN (as admin)"
		record "deleted"
	fi
}

create_user() { 
	local email="$1"
	local pass="${2:-$email}"
	local priv="${3:-test}"
	local totpVal="${4:-}"  # "secret,token,label"
	local localpart="$(awk -F@ '{print $1}' <<< "$email")"
	local domainpart="$(awk -F@ '{print $2}' <<< "$email")"
	#local uid="$localpart"
	local uid="$(sha1 "$email")"
	local dn="uid=${uid},${LDAP_USERS_BASE}"
	
	delete_user "$email"

	record "[create user $email ($dn)]"
	delete_dn "$dn"

    # totpSecret: base-32 digits (see RFC 4648), qty 32
	# totpMruToken: base-10 digits, qty 6
	# note: comma is not a base32 symbol
	local totpObjectClass=""
	local totpSecret="$(awk -F, '{print $1}' <<< "$totpVal")"
	local totpMruToken="$(awk -F, '{print $2}' <<< "$totpVal")"
	local totpMruTokenTime=""
	local totpLabel="$(awk -F, '{print $3}' <<< "$totpVal")"
	if [ ! -z "$totpVal" ]; then
		local nl=$'\n'
		totpObjectClass="${nl}objectClass: totpUser"
		totpSecret="${nl}totpSecret: {0}${totpSecret}"
		totpMruToken="${nl}totpMruToken: {0}${totpMruToken}"
		totpMruTokenTime="${nl}totpMruTokenTime: $(date +%s)0000000000"
		totpLabel="${nl}totpLabel: {0}${totpLabel}"
	fi

	ldapadd -H "$LDAP_URL" -x -D "$LDAP_ADMIN_DN" -w "$LDAP_ADMIN_PASSWORD" >>$TEST_OF 2>&1 <<EOF
dn: $dn
objectClass: inetOrgPerson
objectClass: mailUser
objectClass: shadowAccount${totpObjectClass}
uid: $uid
cn: $localpart
sn: $localpart
displayName: $localpart
mail: $email
maildrop: $email
mailaccess: $priv${totpSecret}${totpMruToken}${totpMruTokenTime}${totpLabel}
userPassword: $(slappasswd_hash "$pass")
EOF
	[ $? -ne 0 ] && die "Unable to add user $dn (as admin)"

	# create domain entry, if needed
	get_attribute "$LDAP_DOMAINS_BASE" "dc=${domainpart}" dn
	if [ -z "$ATTR_DN" ]; then
		record "[create domain entry $domainpart]"
		ldapadd -H $LDAP_URL -x -D "$LDAP_ADMIN_DN" -w "$LDAP_ADMIN_PASSWORD" >>$TEST_OF 2>&1 <<EOF
dn: dc=${domainpart},$LDAP_DOMAINS_BASE
objectClass: domain
objectClass: mailDomain
dc: ${domainpart}
dcIntl: ${domainpart}
businessCategory: mail
EOF
		[ $? -ne 0 ] && die "Unable to add domain ${domainpart} (as admin)"
	fi
	
	ATTR_DN="$dn"
}


delete_dn() {
	local dn="$1"
	get_attribute "$dn" "objectClass=*" "dn" base
	[ -z "$ATTR_DN" ] && return 0
	record "delete dn: $dn"
	ldapdelete -H $LDAP_URL -x -D "$LDAP_ADMIN_DN" -w "$LDAP_ADMIN_PASSWORD" "$dn" >>$TEST_OF 2>&1 || die "Unable to delete $dn (as admin)"
}	 

create_service_account() {
	local cn="$1"
	local pass="${2:-$cn}"
	local dn="cn=${cn},${LDAP_SERVICES_BASE}"

	record "[create service account $cn]"
	delete_dn "$dn"
	
	ldapadd -H "$LDAP_URL" -x -D "$LDAP_ADMIN_DN" -w "$LDAP_ADMIN_PASSWORD" >>$TEST_OF 2>&1 <<EOF
dn: $dn
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: $cn
description: TEST ${cn} service account
userPassword: $(slappasswd_hash "$pass")
EOF
	[ $? -ne 0 ] && die "Unable to add service account $dn (as admin)"
	ATTR_DN="$dn"
}

delete_service_account() {
	local cn="$1"
	local dn="cn=${cn},${LDAP_SERVICES_BASE}"
	record "[delete service account $cn]"
	delete_dn "$dn"
}

create_alias_group() {
	local alias="$1"
	shift
	record "[Create new alias group $alias]"
	# add alias group with dn's as members
	get_attribute "$LDAP_ALIASES_BASE" "mail=$alias" "dn"
	if [ ! -z "$ATTR_DN" ]; then
		delete_dn "$ATTR_DN"
	fi
	
	ATTR_DN="cn=$(generate_uuid),$LDAP_ALIASES_BASE"
	of="/tmp/create_alias.$$.ldif"
	cat >$of 2>>$TEST_OF <<EOF
dn: $ATTR_DN
objectClass: mailGroup
mail: $alias
EOF
	local member
	for member; do
		case $member in
			*@* )
				echo "mailMember: $member" >>$TEST_OF
				echo "mailMember: $member" >>$of 2>>$TEST_OF
				;;
			* )
				echo "member: $member" >>$TEST_OF
				echo "member: $member" >>$of 2>>$TEST_OF
				;;
		esac
	done
	ldapadd -H "$LDAP_URL" -x -D "$LDAP_ADMIN_DN" -w "$LDAP_ADMIN_PASSWORD" -f $of >>$TEST_OF 2>&1 || die "Unable to add alias group $alias"
	rm -f $of
}

delete_alias_group() {
	record "[delete alias group $1]"
	get_attribute "$LDAP_ALIASES_BASE" "(mail=$1)" dn
	[ ! -z "$ATTR_DN" ] && delete_dn "$ATTR_DN"
}


add_alias() {
	local user_dn="$1"
	local alias="$2"
	local type="${3:-group}"
	if [ $type == user ]; then
		# add alias as additional 'mail' attribute to user's dn
		record "[Add alias $alias to $user_dn]"
		ldapmodify -H "$LDAP_URL" -x -D "$LDAP_ADMIN_DN" -w "$LDAP_ADMIN_PASSWORD" >>$TEST_OF 2>&1 <<EOF
dn: $user_dn
add: mail
mail: $alias
EOF
		local r=$?
		[ $r -ne 0 ] && die "Unable to modify $user_dn"
		
	elif [ $type == group ]; then
		# add alias as additional 'member" to a mailGroup alias list
		record "[Add member $user_dn to alias $alias]"
		get_attribute "$LDAP_ALIASES_BASE" "mail=$alias" "dn"
		if [ -z "$ATTR_DN" ]; then
			# don't automatically add because it should be cleaned
			# up by the caller
			die "Alias grour $alias does not exist"
		else
			ldapmodify -H "$LDAP_URL" -x -D "$LDAP_ADMIN_DN" -w "$LDAP_ADMIN_PASSWORD" >>$TEST_OF 2>&1 <<EOF
dn: $ATTR_DN
add: member
member: $user_dn
EOF
			local code=$?
			if [ $code -ne 20 -a $code -ne 0 ]; then
				# 20=Type or value exists
				die "Unable to add user $user_dn to alias $alias"
			fi
		fi
	else
		die "Invalid type '$type' to add_alias"
	fi

}


create_permitted_senders_group() {
	# add a permitted senders group. specify the email address that
	# the members may MAIL FROM as the first argument, followed by all
	# member dns. If the group already exists, it is deleted first.
	#
	# on return, the global variable ATTR_DN is set to the dn of the
	# created mailGroup
	local mail_from="$1"
	shift
	record "[create permitted sender list $mail_from]"
	get_attribute "$LDAP_PERMITTED_SENDERS_BASE" "(&(objectClass=mailGroup)(mail=$mail_from))" dn
	if [ ! -z "$ATTR_DN" ]; then
		delete_dn "$ATTR_DN"
	fi

	local tmp="/tmp/tests.$$.ldif"
	ATTR_DN="cn=$(generate_uuid),$LDAP_PERMITTED_SENDERS_BASE"
	cat >$tmp <<EOF
dn: $ATTR_DN
objectClass: mailGroup
mail: $mail_from
EOF
	local member
	for member; do
		echo "member: $member" >>$tmp
		echo "member: $member" >>$TEST_OF
	done
	
	ldapadd -H "$LDAP_URL" -x -D "$LDAP_ADMIN_DN" -w "$LDAP_ADMIN_PASSWORD" -f $tmp >>$TEST_OF 2>&1
	local r=$?
	rm -f $tmp
	[ $r -ne 0 ] && die "Unable to add permitted senders group $mail_from"
}

delete_permitted_senders_group() {
	local mail_from="$1"
	record "[delete permitted sender list $mail_from]"
	get_attribute "$LDAP_PERMITTED_SENDERS_BASE" "(&(objectClass=mailGroup)(mail=$mail_from))" dn
	if [ ! -z "$ATTR_DN" ]; then
		delete_dn "$ATTR_DN"
	fi
}


test_r_access() {
	# tests read or unreadable access
	# sets global variable FAILURE on return
	local user_dn="$1"
	local login_dn="$2"
	local login_pass="$3"
	local access="${4:-no-read}"  # should be "no-read" or "read"
	shift; shift; shift; shift

	if ! array_contains $access read no-read; then
		die "Invalid parameter '$access' to function test_r_access"
	fi

	# get all attributes using login_dn's account
	local attr
	local search_output result=()
	record "[Get attributes of $user_dn by $login_dn]"
	search_output=$(ldapsearch -LLL -o ldif-wrap=no -H "$LDAP_URL" -b "$user_dn" -s base -x -D "$login_dn" -w "$login_pass" 2>>$TEST_OF)
	local code=$?
	# code 32: No such object (doesn't exist or login can't see it)
	[ $code -ne 0 -a $code -ne 32 ] && die "Unable to find entry $user_dn by $login_dn"
	while read attr; do
		record "line: $attr"
		attr=$(awk -F: '{print $1}' <<< "$attr")
		[ "$attr" != "dn" -a "$attr" != "objectClass" ] && result+=($attr)
	done <<< "$search_output"
	record "check for $access access to ${@:-ALL}"
	record "comparing to actual: ${result[@]}"

	
	local failure=""
	if [ $access == "no-read" -a $# -eq 0 ]; then
		# check that no attributes are readable
		if [ ${#result[*]} -gt 0 ]; then
			failure="Attributes '${result[*]}' of $user_dn should not be readable by $login_dn"
		fi
	else
		# check that specified attributes are/aren't readable
		for attr; do
			if [ $access == "no-read" ]; then
				if array_contains $attr ${result[@]}; then
					failure="Attribute $attr of $user_dn should not be readable by $login_dn"
					break
				fi
			else
				if ! array_contains $attr ${result[@]}; then
					failure="Attribute $attr of $user_dn should be readable by $login_dn got (${result[*]})"
					break
				fi
			fi
		done
	fi

	FAILURE="$failure"
}


domain_exists() {
	get_attribute "$LDAP_DOMAINS_BASE" "dc=$1" dn
	[ -z "$ATTR_DN" ] && return 1
	return 0
}

assert_r_access() {
	# asserts read or unreadable access
	FAILURE=""
	test_r_access "$@"
	[ ! -z "$FAILURE" ] && test_failure "$FAILURE"
}


test_w_access() {
	# tests write or unwritable access
	# sets global variable FAILURE on return
	# if no attributes given, test user attributes
	#	uuid, cn, sn, mail, maildrop, mailaccess
	local user_dn="$1"
	local login_dn="$2"
	local login_pass="$3"
	local access="${4:-no-write}"  # should be "no-write" or "write"
	shift; shift; shift; shift
	local moddn=""
	local attrs=( $@ )
	
	if ! array_contains $access write no-write; then
		die "Invalid parameter '$access' to function test_w_access"
	fi

	if [ ${#attrs[*]} -eq 0 ]; then
		moddn=uid
		attrs=("cn=alice fiction" "sn=fiction" "mail" "maildrop" "mailaccess=admin")
	fi

	local failure=""
	
	# check that select attributes are not writable
	if [ ! -z "$moddn" ]; then
		record "[Change attribute ${moddn}]"
		delete_dn "${moddn}=some-uuid,$LDAP_USERS_BASE"
		ldapmodify -H "$LDAP_URL" -x -D "$login_dn" -w "$login_pass" >>$TEST_OF 2>&1 <<EOF
dn: $user_dn
changetype: moddn
newrdn: ${moddn}=some-uuid
deleteoldrdn: 1
EOF
		local r=$?
		if [ $r -eq 0 ]; then
			if [ "$access" == "no-write" ]; then
				failure="Attribute $moddn of $user_dn should not be changeable by $login_dn"
			fi
		elif [ $r -eq 50 ]; then
			if [ "$access" == "write" ]; then
				failure="Attribute $moddn of $user_dn should be changeable by $login_dn"
			fi
		else
			die "Error attempting moddn change of $moddn (code $?)"
		fi
	fi
	

	if [ -z "$failure" ]; then
		local attrvalue attr value
		for attrvalue in "${attrs[@]}"; do
			attr="$(awk -F= '{print $1}' <<< "$attrvalue")"
			value="$(awk -F= '{print substr($0,length($1)+2)}' <<< "$attrvalue")"
			[ -z "$value" ] && value="alice2@abc.com"
			record "[Change attribute $attr]"
			ldapmodify -H "$LDAP_URL" -x -D "$login_dn" -w "$login_pass" >>$TEST_OF 2>&1 <<EOF
dn: $user_dn
replace: $attr
$attr: $value
EOF
			r=$?
			if [ $r -eq 0 ]; then
				if [ $access == "no-write" ]; then
					failure="Attribute $attr of $user_dn should not be changeable by $login_dn"
					break
				fi
			elif [ $r -eq 50 ]; then
				if [ $access == "write" ]; then
					failure="Attribute $attr of $user_dn should be changeable by $login_dn"
					break
				fi
			else
				die "Error attempting change of $attr to '$value'"
			fi
		done
	fi

	FAILURE="$failure"
}

assert_w_access() {
	# asserts write or unwritable access
	FAILURE=""
	test_w_access "$@"
	[ ! -z "$FAILURE" ] && test_failure "$FAILURE"
}


test_search() {
	# test if access to search something is allowed
	# sets global variable SEARCH_DN_COUNT on return
	local base_dn="$1"
	local login_dn="$2"
	local login_pass="$3"
	local scope="${4:-sub}"
	local filter="$5"

	let SEARCH_DN_COUNT=0

	local line search_output
	record "[Perform $scope search of $base_dn by $login_dn]"
	search_output=$(ldapsearch -H $LDAP_URL -o ldif-wrap=no -b "$base_dn" -s "$scope" -LLL -x -D "$login_dn" -w "$login_pass" $filter 2>>$TEST_OF)
	local code=$?
	# code 32: No such object (doesn't exist or login can't see it)
	[ $code -ne 0 -a $code -ne 32 ] && die "Unable to search $base_dn by $login_dn"
	
	while read line; do
		record "line: $line"
		case $line in
			dn:*)
				let SEARCH_DN_COUNT+=1
				;;
		esac
	done <<< "$search_output"
	record "$SEARCH_DN_COUNT entries found"
}


record_search() {
	local dn="$1"
	record "[Contents of $dn]"
	debug_search "$dn" >>$TEST_OF 2>&1
	return 0
}