#! /bin/sh
#
# ldapCAConfig - Configure ldap SSL certificate validation.
#

# Installation root of the application and the persistence directory that
# holds the LDAP client settings managed by this script.
applicationHome='/home/embedded/library'
corePersistence="$applicationHome/CoreService/dat"
# Shared helpers; LogInfo, LogError and InitLogFile used below presumably
# come from here.
. "$applicationHome/AppManager/bin/include.sh"

# The ldap client configuration and the CA bundle it references.
LDAP_CONFIG_FILE="$corePersistence/ldaprc"
PEM_FILE="$corePersistence/ldap.pem"

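usage () {
   # Print the command-line help to stdout and exit with status 1.
   # printf replaces 'echo -e': the -e flag is not honoured by every /bin/sh
   # (dash prints it literally). The tabs live in the format string and $0 is
   # passed as an argument, so it is never interpreted as a format.
   printf "Usage: %s <action>

actions:

  -g\t- Get current certificate setup
  -d\t- Disable certificate validation
  -e [CA Cert]\t- Install and enable a CA Cert
  -h\t- Print this message

return:

  During any operation the return code of the shell will be set to '0'
  upon success.

  During a get operation, if a ca certificate is configured you will receive
  'on' from stdout or 'off' conversely.
" "$0"
   exit 1
}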

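get_config () {
   # Report whether LDAP server certificate validation is currently enabled.
   # Globals:  LDAP_CONFIG_FILE (read; recreated with defaults when missing)
   #           PEM_FILE (read), EXIT_STATUS (written)
   # Outputs:  'on' or 'off' on stdout
   # Sets EXIT_STATUS to 0 on success and leaves it at 1 when the
   # TLS_REQCERT value is not one this script understands.
   EXIT_STATUS=1

   if [ ! -r "${LDAP_CONFIG_FILE}" ]; then
      LogError "Installing default configuration."
      # printf rather than 'echo -e', which is not portable under /bin/sh.
      printf '#TLS_CACERT %s\nTLS_REQCERT never\n' "${PEM_FILE}" > "${LDAP_CONFIG_FILE}"
   fi

   # Only an uncommented, first-column TLS_REQCERT directive counts. An
   # unanchored grep would also pick up a commented-out copy of the line and
   # the comparison below would then see two words instead of one.
   local tls_reqcert
   tls_reqcert=$(awk '$1 == "TLS_REQCERT" { print $2; exit }' "${LDAP_CONFIG_FILE}")

   case "${tls_reqcert}" in
      '')
         # libldap's built-in default is 'demand', so report validation as on.
         LogError "No TLS_REQCERT entry! Default is 'demand'."
         echo 'on'
         ;;
      demand)
         echo 'on'
         ;;
      never)
         echo 'off'
         ;;
      *)
         LogError "Bad configuration entry!"
         return
         ;;
   esac

   EXIT_STATUS=0
}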

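set_config () {
   # Enable or disable LDAP CA certificate validation.
   # Globals:  SET_CONFIG (read: 'on' installs $CA and requires server certs,
   #           'off' disables validation), CA (read: path of the bundle to
   #           install), LDAP_CONFIG_FILE and PEM_FILE (modified),
   #           EXIT_STATUS (written)
   # Sets EXIT_STATUS to 0 on success and leaves it at 1 on any failure.
   EXIT_STATUS=1
   LogInfo "Setting LDAP CA Configuration."

   # Recreate the configuration when it is missing or has no TLS_CACERT
   # entry. This rewrites the whole file, not just the missing line.
   local tls_cacert=''
   if [ -r "${LDAP_CONFIG_FILE}" ]; then
      tls_cacert=$(awk '/TLS_CACERT/ { print $2; exit }' "${LDAP_CONFIG_FILE}")
   fi
   if [ -z "${tls_cacert}" ]; then
      LogInfo "No TLS_CACERT entry!."
      # printf rather than 'echo -e', which is not portable under /bin/sh.
      printf '#TLS_CACERT %s\nTLS_REQCERT never\n' "${PEM_FILE}" > "${LDAP_CONFIG_FILE}"
   fi

   case "${SET_CONFIG}" in
      on)
         # -f rather than -e: a directory or device is not a usable CA bundle.
         if [ ! -f "${CA}" ]; then
            LogError "Certificate file is non-existent!"
            return
         fi
         if ! mv -- "${CA}" "${PEM_FILE}"; then
            LogError "Failed to install CA Certificate!"
            return
         fi
         # Root-owned and world-readable: the bundle is public data.
         # ('root:root' is the portable spelling; 'root.root' is deprecated.)
         if ! chown root:root "${PEM_FILE}" || ! chmod 644 "${PEM_FILE}"; then
            LogError "Failed to set ownership/permissions on CA Certificate!"
            return
         fi
         # Anchored so a commented-out TLS_REQCERT line is left alone.
         if ! sed -i -e 's,^TLS_REQCERT .*,TLS_REQCERT demand,' \
                     -e 's,^#TLS_CACERT,TLS_CACERT,' "${LDAP_CONFIG_FILE}"; then
            LogError "Failed to update LDAP configuration!"
            return
         fi
         ;;
      off)
         if ! sed -i -e 's,^TLS_REQCERT .*,TLS_REQCERT never,' \
                     -e 's,^TLS_CACERT,#TLS_CACERT,' "${LDAP_CONFIG_FILE}"; then
            LogError "Failed to update LDAP configuration!"
            return
         fi
         rm -f -- "${PEM_FILE}"
         ;;
      *)
         LogError "Unknown parameter...bailing out!"
         return
         ;;
   esac

   EXIT_STATUS=0
}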

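[ $# -lt 1 ] && usage

# '0' means no action flag was given, which selects the get operation.
SET_CONFIG='0'
EXIT_STATUS=0
CA=''

# 'enable:' (with the colon) so that --enable takes its certificate argument,
# matching the short form 'e:'. Without it getopt emitted '--enable -- FILE'
# and CA ended up holding '--'. A getopt failure (unknown option) also goes
# to usage instead of being eval'd as a partial command line.
GETOPT=$(getopt -o ge:dh --longoptions get,enable:,disable,help -n 'ldapCAConfig' -- "$@") || usage

eval set -- "$GETOPT"
# Only the first action flag is honoured: the loop exits on the first match
# and whatever remains on the command line is not used afterwards.
while true; do
    case "$1" in
        -g|--get)      shift; break;;
        -e|--enable)   shift; SET_CONFIG='on'; CA=$1; shift; break;;
        -d|--disable)  SET_CONFIG='off'; shift; break;;
        -h|--help)     usage;;
        --)            shift; break;;
        *)             printf 'Unrecognized FLAG: %s\n' "$1"; usage;;
    esac
done

InitLogFile '/var/log/appManager.log'

if [ "${SET_CONFIG}" = '0' ]; then
   get_config
else
   set_config
fi

exit "${EXIT_STATUS}"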
