#!/bin/bash

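# Container mode: the domain services live in the "domaine" container and
# their files are reached under container_path.
CONTAINER_MODE=$(CreoleGet mode_conteneur_actif non)

# Nothing to do unless the workstation manager is enabled.
[ "$(CreoleGet activer_workstation_manager)" == "oui" ] || exit 0

. /usr/lib/eole/ihm.sh

# Start empty so a value inherited from the environment is never used as a
# path prefix; it stays empty outside container mode.
container_path=
if [[ ${CONTAINER_MODE} == "oui" ]]; then
    container_path=$(CreoleGet container_path_domaine)
fi

if [ -f "${container_path}/etc/eole/samba4-vars.conf" ]; then
    # The domain controller is local (or in a local container): read the
    # Samba variables straight from its configuration.
    . "${container_path}/etc/eole/samba4-vars.conf"
    [ "$AD_SERVER_ROLE" == "controleur de domaine" ] || exit 0
    # SALT_IP is the address the "salt" DNS name must resolve to (this host,
    # presumably where salt-master runs); keep it before AD_HOST_IP is
    # replaced by the container address below.
    SALT_IP=$AD_HOST_IP
    # AmonÉcole
    if [[ ${CONTAINER_MODE} == "oui" ]]; then
        AD_HOST_IP=$(CreoleGet container_ip_domaine)
    fi
elif [ -f /usr/lib/eole/eolead.sh ]; then
    . /usr/lib/eole/eolead.sh
    # ScribeAD/HorusAD: the AD runs on a separate system reached over SSH.
    . "${CONTAINER_ROOTFS}/etc/eole/samba4-vars.conf"
    AD_HOST_IP=$CONTAINER_IP
    SALT_IP=$(CreoleGet adresse_ip_eth0)
    # NOTE(review): StrictHostKeyChecking=no means the host key of "addc" is
    # never verified, so the root session below (which carries kinit and
    # password-setting commands) could be answered by any host claiming that
    # name. Prefer StrictHostKeyChecking=accept-new or a pinned known_hosts
    # entry when the deployment allows it.
    SSHCMD="ssh -q -o LogLevel=ERROR -o StrictHostKeyChecking=no"
    # Shadows /usr/bin/CreoleRun: runs $1 as root on the AD host. The second
    # argument (container name) passed by callers is ignored here.
    CreoleRun() {
        # shellcheck disable=SC2086 -- SSHCMD is meant to be word-split
        $SSHCMD root@addc "$1"
    }
else
    exit 0
fi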

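# Make sure the "salt" A record of the AD zone resolves to SALT_IP, fixing it
# through samba-tool on the DC when it does not.
SALT_ADDR=$(dig "@${AD_HOST_IP}" "salt.${AD_REALM}" +short)
if [ -z "$SALT_IP" ]; then
    # Without a target address we would delete the existing records and have
    # nothing to put in their place: leave the zone untouched.
    EchoRouge "Adresse IP attendue pour le nom d'hôte \"salt\" inconnue : enregistrement DNS non vérifié"
elif [ "$SALT_ADDR" != "$SALT_IP" ]; then

    # samba-tool dns authenticates with the ticket obtained from the host
    # keytab; report a failure here so the errors that follow are explained.
    if ! CreoleRun "kinit ${AD_HOST_NAME^^}@${AD_REALM^^} -k -t $AD_HOST_KEYTAB_FILE" domaine; then
        EchoRouge "Impossible d'obtenir un ticket Kerberos pour ${AD_HOST_NAME^^}@${AD_REALM^^}"
    fi
    if [ -n "$SALT_ADDR" ]; then
        EchoOrange "Attention : Le nom d'hôte \"salt\" est résolu en $SALT_ADDR alors qu'il devrait être en $SALT_IP"
        # dig +short prints one address per line: word-splitting is wanted.
        # shellcheck disable=SC2086
        for ADDR in $SALT_ADDR; do
            echo -n "Suppression de la résolution du nom d'hôte \"salt\" en $ADDR : "
            CreoleRun "samba-tool dns delete $AD_HOST_NAME.$AD_REALM $AD_REALM salt A $ADDR" domaine
        done
    fi
    echo -n "Résolution du nom d'hôte \"salt\" en $SALT_IP : "
    CreoleRun "samba-tool dns add $AD_HOST_NAME.$AD_REALM $AD_REALM salt A $SALT_IP" domaine
    CreoleRun "kdestroy" domaine
    echo

fi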

# Password files of the two AD service accounts, kept in the domain's private
# directory (inside the container when container_path is set).
PRIVATE_DIR="${container_path}/etc/eole/private"
MANAGER_PASSWORD_FILE="${PRIVATE_DIR}/eole-workstation-manager.password"
READER_PASSWORD_FILE="${PRIVATE_DIR}/eole-workstation-reader.password"

#######################################
# Check whether an AD user account exists on the domain controller.
# Arguments: $1 - account name to look up
# Returns:   CreoleRun's (samba-tool's) status: 0 when the account exists,
#            non-zero otherwise; all output is discarded
#######################################
user_exists() {
    local account=$1
    CreoleRun "samba-tool user show ${account}" domaine &>/dev/null
}

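# Provision the domain-join account "eole-workstation-manager" and align its
# password with the one stored in MANAGER_PASSWORD_FILE.
if [ ! -s "${MANAGER_PASSWORD_FILE}" ]; then
    EchoRouge "Le fichier de mot de passe '${MANAGER_PASSWORD_FILE}' n’existe pas"
else
    MANAGER_PASSWORD=$(< "${MANAGER_PASSWORD_FILE}")
    if ! user_exists eole-workstation-manager; then
        echo "Ajout du compte de jonction au domaine 'eole-workstation-manager'... "
        CreoleRun "samba-tool user create --random-password eole-workstation-manager" domaine
    fi

    echo "Mise en conformité de l’utilisateur 'eole-workstation-manager'... "
    CreoleRun "samba-tool user setexpiry eole-workstation-manager --noexpiry" domaine
    # The command string is re-parsed by a root shell on the DC: single-quote
    # the password (escaping embedded quotes as '\'') so spaces, $, backticks
    # or quotes in it are passed through verbatim instead of being interpreted.
    # The password still appears on the DC's command line (visible in ps) for
    # the duration of the samba-tool call.
    sq="'"
    sq_escaped="'\\''"
    MANAGER_PASSWORD_Q="'${MANAGER_PASSWORD//$sq/$sq_escaped}'"
    if ! CreoleRun "samba-tool user setpassword eole-workstation-manager --newpassword=${MANAGER_PASSWORD_Q}" domaine; then
        EchoRouge "Impossible de positionner le mot de passe de 'eole-workstation-manager'"
    fi
fi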

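# Give the join account the right to create computer objects under
# CN=Computers without it being a Domain Admin (least privilege).
# cf. https://dev-eole.ac-dijon.fr/issues/32237
ACCOUNT_JONCTION=eole-workstation-manager

# suppression du group Domain Admins si le compte en fait parti !
# (removemembers fails when the account is not a member; that is expected,
# hence the || true)
CreoleRun "samba-tool group removemembers 'Domain Admins' $ACCOUNT_JONCTION" domaine >/dev/null 2>&1 || true

# wbinfo prints the SID as its first whitespace-separated field.
declare -a SID_ET_NAME
read -r -a SID_ET_NAME <<<"$(CreoleRun "wbinfo --name-to-sid=$ACCOUNT_JONCTION" domaine)"
SID_ACCOUNT_JONCTION="${SID_ET_NAME[0]}"
#echo "SID_ACCOUNT_JONCTION=$SID_ACCOUNT_JONCTION"
if [ -z "$SID_ACCOUNT_JONCTION" ]; then
    # With an empty SID the substring test below would match any DACL and the
    # delegation would be reported present although it was never checked;
    # the SDDL built from it would also be malformed. Skip this step.
    EchoRouge "Impossible de déterminer le SID de '$ACCOUNT_JONCTION' : délégation sur CN=Computers non vérifiée"
else
    DSACL_COMPUTER=$(CreoleRun "samba-tool dsacl get --objectdn=CN=Computers,$BASEDN" domaine)
    if [[ "$DSACL_COMPUTER" == *"$SID_ACCOUNT_JONCTION"* ]]; then
        echo "Délégation pour '$ACCOUNT_JONCTION' présente sur CN=Computers"
    else
        echo "Délégation pour '$ACCOUNT_JONCTION' absentes sur CN=Computers"
        # Schema GUIDs of the object classes the ACEs are scoped to.
        # cf.: https://docs.microsoft.com/fr-fr/windows/win32/adschema/c-computer
        COMPUTER_OBJECT="bf967a86-0de6-11d0-a285-00aa003049e2"
        # cf.: https://docs.microsoft.com/fr-fr/windows/win32/adschema/c-applicationversion
        APPLICATION_VERSION="ddc790ac-af4d-442a-8f0f-a1d4caa7dd92"
        # extrait de la délégation réalisée manuellement + dsacl get + diff
        # SDDL: OA = object-specific allow ACE, CI = container inherit,
        # IO = inherit only, CC = create child. The grant is limited to
        # computer objects (and applicationVersion objects inside them).
        SDDL="ARAI(OA;CI;CC;${COMPUTER_OBJECT};;${SID_ACCOUNT_JONCTION})(OA;CIIO;CC;${APPLICATION_VERSION};${COMPUTER_OBJECT};${SID_ACCOUNT_JONCTION})(OA;CIIO;CC;;${COMPUTER_OBJECT};${SID_ACCOUNT_JONCTION})"
        # tips: dsacl set n'ecrase pas toutes la conf DACL !
        # (dsacl set adds these ACEs, it does not replace the whole DACL)
        if CreoleRun "samba-tool dsacl set --objectdn 'CN=Computers,$BASEDN' --sddl '${SDDL}'" domaine >/var/log/samba/dsacl_cn_computers.log; then
            echo "Délégation pour '$ACCOUNT_JONCTION' activée sur CN=Computers"
        else
            EchoRouge "Impossible de positionner la délégation pour '$ACCOUNT_JONCTION' sur CN=Computers"
            # je continue malgré l'erreur.
        fi
    fi
fi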

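# Provision the read-only account "eole-workstation-reader" and align its
# password with the one stored in READER_PASSWORD_FILE.
if [ ! -s "${READER_PASSWORD_FILE}" ]; then
    EchoRouge "Le fichier de mot de passe '${READER_PASSWORD_FILE}' n’existe pas"
else
    READER_PASSWORD=$(< "${READER_PASSWORD_FILE}")
    if ! user_exists eole-workstation-reader; then
        echo "Ajout du compte de lecture 'eole-workstation-reader'... "
        CreoleRun "samba-tool user create --random-password eole-workstation-reader" domaine
    fi

    echo "Mise en conformité de l’utilisateur 'eole-workstation-reader'... "
    CreoleRun "samba-tool user setexpiry eole-workstation-reader --noexpiry" domaine
    # The command string is re-parsed by a root shell on the DC: single-quote
    # the password (escaping embedded quotes as '\'') so spaces, $, backticks
    # or quotes in it are passed through verbatim instead of being interpreted.
    # The password still appears on the DC's command line (visible in ps) for
    # the duration of the samba-tool call.
    sq="'"
    sq_escaped="'\\''"
    READER_PASSWORD_Q="'${READER_PASSWORD//$sq/$sq_escaped}'"
    if ! CreoleRun "samba-tool user setpassword eole-workstation-reader --newpassword=${READER_PASSWORD_Q}" domaine; then
        EchoRouge "Impossible de positionner le mot de passe de 'eole-workstation-reader'"
    fi
fi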

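####
#### Copy the Amon proxy CA to be deployed
####
# When Firefox management is enabled and a MITM proxy signs TLS traffic,
# publish the proxy CA certificate (public part only) into the salt state
# tree, presumably so the managed Firefox profiles trust it.
if [ "$(CreoleGet eole_workstation_enable_firefox non)" = "oui" ]; then
    # Start empty so a value inherited from the environment is never copied.
    PROXY_CA_PATH=
    if [ "$(CreoleGet activer_proxy_client_mitm non)" = "oui" ]; then
        # Scribe
        PROXY_CA_PATH=/usr/local/share/ca-certificates/ca_proxy.crt
    elif [ "$(CreoleGet activer_squid_mitm non)" = "oui" ]; then
        # Amonecole
        container_path_proxy=$(CreoleGet container_path_proxy)
        PROXY_CA_PATH=${container_path_proxy}/etc/squid/signingCA.crt
    fi

    if [ -n "${PROXY_CA_PATH}" ]; then
        echo "Mise à disposition du certificat CA du proxy"
        PROXY_CA_DEST="${container_path}/usr/share/eole/saltstack/salt/eole-workstation/firefox/files/default/proxy-ca.crt"
        if ! cp -- "${PROXY_CA_PATH}" "${PROXY_CA_DEST}"; then
            EchoRouge "Impossible de copier '${PROXY_CA_PATH}' vers '${PROXY_CA_DEST}'"
        fi
    fi
fi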

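# Restart the salt-master while the veyon configuration has not been
# generated yet. This is mostly the case during instance, when the AD is not
# populated yet.
if [ ! -f "${container_path}/var/lib/eole/config/veyon.yaml" ]; then
    CreoleService eole-workstation-manager restart
fi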

# Enable or disable the autoaccept timer on the domain side, following the
# eole_workstation_autoaccept option (disabled unless explicitly "oui").
ACTION=disable
if [ "$(CreoleGet eole_workstation_autoaccept non)" = "oui" ]; then
    ACTION=enable
fi
# NOTE(review): the /usr/bin binary is called directly here, bypassing the
# CreoleRun function defined above for the ScribeAD/HorusAD case; confirm
# this is intended on that path.
/usr/bin/CreoleRun "systemctl $ACTION --now autoaccept.timer" domaine

# Mask salt-minion service (a masked unit cannot be started).
/usr/bin/CreoleRun "systemctl mask salt-minion" domaine

exit 0
