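#!/bin/bash
#
# Reset the cn=config definition of the OpenLDAP database whose olcSuffix is
# given: the olcAccess directives, the olcDbIndex / olcDbMaxSize settings and
# the olcConstraintAttribute values of its constraint overlay.
#
# Usage: reset-db.sh [SUFFIX]      (the suffix is asked interactively when omitted)
#
# Binds to the local server over ldapi:// with SASL EXTERNAL (peercred), so it
# has to run as root: the {0} ACL written below grants "manage" to uid 0 / gid 0.
#
# NOTE(review): the copy this was rebuilt from had lost its here-doc markers
# ("cat <<EOF >$LDIF" became "cat <$LDIF"), had two unmatched 'fi', and defined
# 'confirm' without ever calling it. The two 'confirm' prompts below are a
# reconstruction of the lost lines — check their wording against the original.
set -eu

# Connection options shared by every ldapsearch/ldapmodify call.
readonly LDAP_OPTS=(-H ldapi:// -Y EXTERNAL)

# Number of ldapmodify steps that failed; decides the final exit status.
ERRORS=0

#######################################
# Print a message on stderr and exit with status 1.
# Arguments: the message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Run a command silently; if it fails, print its combined stdout/stderr and
# propagate its exit status.
# Arguments: the command line to run
# Returns:   the command's exit status
#######################################
echoonerror() {
  local log status=0
  # mktemp rather than the Debian-only, deprecated tempfile(1).
  log=$(mktemp) || die "ERREUR: mktemp a échoué"
  # Capture the status directly: reading "$?" inside 'if ! cmd; then' yields
  # the negated status (always 0), so the original never reported a failure.
  "$@" >"$log" 2>&1 || status=$?
  if (( status != 0 )); then
    cat -- "$log"
  fi
  # The log used to be left behind in /tmp on every call.
  rm -f -- "$log"
  return "$status"
}

#######################################
# Ask a yes/no question on the terminal.
# Arguments: $1 - the action to confirm, inserted in the French prompt
# Returns:   0 when the answer is exactly "y", 1 otherwise
#######################################
confirm() {
  local answer
  # printf: the original 'echo -n Voulez-vous $1 ?' left '?' as an unquoted
  # glob that could expand against files in the current directory.
  printf 'Voulez-vous %s ? (y/n) ' "$1"
  read -r answer
  [[ "$answer" == "y" ]]
}

#######################################
# Print the DN of the first entry matching a filter under a base, or nothing
# when no entry matches (ldapsearch errors are silenced, as before).
# Arguments: $1 - search base, $2 - LDAP filter
# Outputs:   the DN on stdout
#######################################
search_dn() {
  ldapsearch "${LDAP_OPTS[@]}" -b "$1" "$2" "" 2>/dev/null \
    | grep '^dn' | head -n1 | sed 's/^dn: //'
}

#######################################
# Test whether the constraint overlay entry carries a given
# olcConstraintAttribute value.
# Globals:   DN2 (read)
# Arguments: $1 - the attribute value, already escaped for an LDAP filter
# Returns:   0 when present, 1 otherwise
#######################################
has_constraint() {
  ldapsearch "${LDAP_OPTS[@]}" -b "$DN2" "olcConstraintAttribute=$1" 2>/dev/null \
    | grep -q '^olcConstraintAttribute'
}

#######################################
# Feed the LDIF read on stdin to ldapmodify (no temporary file needed:
# ldapmodify reads standard input when -f is absent). Output is only shown
# on failure; a success message is printed otherwise.
# Globals:   ERRORS (incremented on failure)
# Arguments: $1 - message to print when the modification succeeds
#######################################
apply_step() {
  if echoonerror ldapmodify "${LDAP_OPTS[@]}"; then
    printf '%s\n' "$1"
  else
    ERRORS=$((ERRORS + 1))
  fi
}

if [[ -z "${1-}" ]]; then
  printf '%s\n' 'Suffix de la base à réinitialiser ?'
  printf '> '
  read -r SUFFIX
else
  SUFFIX=$1
fi
[[ -n "$SUFFIX" ]] || die "ERREUR: aucun suffixe fourni"
# SUFFIX is interpolated unescaped into LDAP search filters, the LDIF and the
# ACL regexes; refuse filter metacharacters instead of escaping them everywhere.
case "$SUFFIX" in
  *[\(\)\*\\]*) die "ERREUR: caractères interdits dans le suffixe: $SUFFIX" ;;
esac
readonly SUFFIX

DN=$(search_dn cn=config "olcSuffix=$SUFFIX")
# The original tested [ "x$DN" != "" ], which is always true, so an unknown
# suffix went on to write "dn: " modifications and still reported success.
[[ -n "$DN" ]] || die "ERREUR: Le suffixe $SUFFIX n'a pas été trouvé"
readonly DN
# Looked up only once DN is known: with an empty DN, '-b $DN' used to swallow
# the filter as its argument.
DN2=$(search_dn "$DN" "objectClass=olcConstraintConfig")
readonly DN2

# olcAccess is replaced wholesale: any rule added by hand on this database is
# dropped. In short: {0} local root (peercred) and cn=admin get manage; the
# suffix entry and its children are world-readable; userPassword is writable
# by self, usable for anonymous binds and hidden from everyone else; group
# membership is managed through the supannGroupe*DN sets and cn=reader.
if confirm "réinitialiser les directives olcAccess de $DN"; then
  apply_step "- directives olcAccess réinitialisées" <<EOF
dn: $DN
changetype: modify
replace: olcAccess
# Accès super-utilisateur
olcAccess: {0}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by group.exact="cn=admin,ou=groups,$SUFFIX" manage by * break
# Structure du DIT: tout le monde peut voir
olcAccess: {1}to dn.base="$SUFFIX" by anonymous read by * +rs break
olcAccess: {2}to dn.one="$SUFFIX" by anonymous read by * +rs break
# Branche people
olcAccess: {3}to dn.regex="uid=[^,]+,ou=people,$SUFFIX" attrs=userPassword by self write by anonymous auth by * none
olcAccess: {4}to dn.regex="uid=[^,]+,ou=people,$SUFFIX" attrs=supannAliasLogin,supannListeRouge,eduPersonNickname,supannMailPerso,labeledURI by self write by * break
olcAccess: {5}to dn.one="ou=people,$SUFFIX" by self read by users read by anonymous auth by * none
# Branche groups
olcAccess: {6}to dn.one="ou=groups,$SUFFIX" by set="this/owner & user" manage by * break
olcAccess: {7}to dn.one="ou=groups,$SUFFIX" attrs=member by set="this/supannGroupeAdminDN/member* & user" write by set="this/supannGroupeAdminDN & user" write by set="this/supannGroupeLecteurDN/member* & user" read by set="this/supannGroupeLecteurDN & user" read by group.exact="cn=reader,ou=groups,$SUFFIX" read by dnattr=member selfread by * none
olcAccess: {8}to dn.one="ou=groups,$SUFFIX" by users read by * none
# Branche structure, tout le monde peut lire
olcAccess: {9}to dn.subtree="ou=structures,$SUFFIX" by * read
olcAccess: {10}to * by group.exact="cn=reader,ou=groups,$SUFFIX" +r by users +s
EOF
fi

# Indexes and the 1 GiB MDB map size; the success message is now conditional
# on ldapmodify succeeding, like the other steps.
if confirm "réinitialiser les index (olcDbIndex) de $DN"; then
  apply_step "- directives olcDBIndex réinitialisées" <<EOF
dn: $DN
changetype: modify
replace: olcDbIndex
olcDbIndex: objectClass,contextCSN,member,eduPersonPrincipalName,owner,supannRefId,pslBadgeCSN eq
olcDbIndex: supannAliasLogin,mail,givenName,uid,cn,sn,supannMailPerso,displayName pres,eq,approx,sub
-
replace: olcDbMaxSize
olcDbMaxSize: 1073741824
EOF
fi

if [[ -z "$DN2" ]]; then
  # Without a constraint overlay the three steps below would target "dn: ".
  printf '%s\n' "- pas d'overlay olcConstraintConfig sous $DN, contraintes ignorées"
else
  # remove the displayname constraint
  # Filter value: '(' ')' '*' are RFC 4515-escaped as \28 \29 \2a.
  if has_constraint "displayName,sn,givenName set \"\\28this/givenName + [ ] + this/sn\\29 & this/displayName\" restrict=\"ldap:///ou=people,$SUFFIX??sub?\\28objectClass=\\2a\\29\""; then
    apply_step "- contrainte displayName retiré" <<EOF
dn: $DN2
changetype: modify
delete: olcConstraintAttribute
olcConstraintAttribute: displayName,sn,givenName set "(this/givenName + [ ] + this/sn) & this/displayName" restrict="ldap:///ou=people,$SUFFIX??sub?(objectClass=*)"
EOF
  fi

  # remove the supannAliasLogin constraint
  if has_constraint 'supannAliasLogin regex "^[[:alnum:]]+$"'; then
    apply_step "- contrainte supannAliasLogin retiré" <<EOF
dn: $DN2
changetype: modify
delete: olcConstraintAttribute
olcConstraintAttribute: supannAliasLogin regex "^[[:alnum:]]+$"
EOF
  fi

  # add the pslBadgeCSN constraint
  if ! has_constraint 'pslBadgeCSN regex "^[0-9A-F]{8,14}$"'; then
    apply_step "- contrainte pslBadgeCSN ajouté" <<EOF
dn: $DN2
changetype: modify
add: olcConstraintAttribute
olcConstraintAttribute: pslBadgeCSN regex "^[0-9A-F]{8,14}$"
EOF
  fi
fi

if (( ERRORS == 0 )); then
  printf '%s\n' "Réinitialisation de la base $DN pour le suffixe $SUFFIX effectuée."
else
  die "ERREUR: $ERRORS opération(s) ont échoué lors de la réinitialisation de la base $DN"
fi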