#!/bin/bash

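# Nothing to do unless the workstation manager feature is enabled.
[ "$(CreoleGet activer_workstation_manager)" == "oui" ] || exit 0

. /usr/lib/eole/ihm.sh

# Locate the Samba AD DC (on this host for a Seth DC, inside the "addc"
# container for ScribeAD/HorusAD) and set:
#   SALT_IP        - the address the "salt" DNS name must resolve to
#   CONTAINER_EXEC - command prefix used to run samba-tool/kinit on the DC
# CONTAINER_EXEC is a plain string that is deliberately expanded unquoted by
# the rest of the script: it may hold several words ('lxc-attach -n addc --')
# and an empty value must expand to nothing.
if [ -f /etc/eole/samba4-vars.conf ];then
    . /etc/eole/samba4-vars.conf
    # Only a domain controller can manage the DNS zone and the accounts below.
    [ "$AD_SERVER_ROLE" == "controleur de domaine" ] || exit 0
    # Seth DC: the DC is this host.
    SALT_IP=$AD_HOST_IP
    CONTAINER_EXEC=''
elif [ -f /usr/lib/eole/eolead.sh ];then
    . /usr/lib/eole/eolead.sh
    # ScribeAD/HorusAD: the DC runs in the addc container, so its samba
    # variables are read from the container rootfs (path quoted: SC2086).
    . "$CONTAINER_ROOTFS/etc/eole/samba4-vars.conf"
    AD_HOST_IP=$CONTAINER_IP
    # "salt" must resolve to the host eth0 address, not to the container.
    SALT_IP=$(CreoleGet adresse_ip_eth0)
    CONTAINER_EXEC='lxc-attach -n addc --'
else
    exit 0
fi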

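# Ask the DC itself what "salt" currently resolves to (may be empty, or several
# records one per line).
SALT_ADDR=$(dig @"$AD_HOST_IP" "salt.$AD_REALM" +short)
if [ "$SALT_ADDR" != "$SALT_IP" ]
then

    # Authenticate with the host keytab: samba-tool dns needs a ticket to
    # modify the zone. Without it the add/delete calls below cannot succeed,
    # so skip them (and say so) when kinit fails.
    if $CONTAINER_EXEC kinit "${AD_HOST_NAME^^}@${AD_REALM^^}" -k -t "$AD_HOST_KEYTAB_FILE"
    then
        if [ -n "$SALT_ADDR" ]; then
            EchoOrange "Attention : Le nom d'hôte \"salt\" est résolu en $SALT_ADDR alors qu'il devrait être en $SALT_IP"
            # Word-splitting intended: one address per line from dig.
            for ADDR in $SALT_ADDR;do
                # dig may print diagnostics on stdout (lines starting with ";;");
                # only delete entries that look like an IPv4 A record.
                [[ "$ADDR" =~ ^[0-9]+(\.[0-9]+){3}$ ]] || continue
                echo -n "Suppression de la résolution du nom d'hôte \"salt\" en $ADDR : "
                $CONTAINER_EXEC samba-tool dns delete "$AD_HOST_NAME.$AD_REALM" "$AD_REALM" salt A "$ADDR"
            done
        fi
        echo -n "Résolution du nom d'hôte \"salt\" en $SALT_IP : "
        $CONTAINER_EXEC samba-tool dns add "$AD_HOST_NAME.$AD_REALM" "$AD_REALM" salt A "$SALT_IP" \
            || EchoRouge "Impossible d'ajouter l'enregistrement DNS \"salt\" en $SALT_IP"
        # Drop the ticket as soon as it is no longer needed.
        $CONTAINER_EXEC kdestroy
        echo
    else
        EchoRouge "Échec de l'authentification Kerberos avec $AD_HOST_KEYTAB_FILE : enregistrement DNS \"salt\" non mis à jour"
    fi

fi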

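# Directory holding the service-account password files, one password per file.
# These are constants: make them read-only so a later accidental assignment fails loudly.
readonly PRIVATE_DIR=/etc/eole/private
readonly MANAGER_PASSWORD_FILE="${PRIVATE_DIR}/eole-workstation-manager.password"
readonly READER_PASSWORD_FILE="${PRIVATE_DIR}/eole-workstation-reader.password"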

#######################################
# Tell whether a Samba user account exists on the DC.
# Globals:   CONTAINER_EXEC (read) - prefix used to run samba-tool on the DC
# Arguments: $1 - account name
# Outputs:   nothing (samba-tool output is discarded)
# Returns:   samba-tool's status: 0 when the account exists, non-zero otherwise
#######################################
user_exists() {
    local account="$1"
    if $CONTAINER_EXEC samba-tool user show "${account}" > /dev/null 2>&1; then
        return 0
    fi
    return 1
}

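# Ensure the domain-join account exists, never expires and carries the
# password stored in MANAGER_PASSWORD_FILE.
if [ ! -s "${MANAGER_PASSWORD_FILE}" ]
then
    # -s is false for a missing file AND for an empty one.
    EchoRouge "Le fichier de mot de passe '${MANAGER_PASSWORD_FILE}' n’existe pas ou est vide"
else
    # $(< file) strips trailing newlines like $(cat file), without a fork.
    MANAGER_PASSWORD=$(<"${MANAGER_PASSWORD_FILE}")
    if ! user_exists eole-workstation-manager
    then
        echo "Ajout du compte de jonction au domaine 'eole-workstation-manager'... "
        # Created with a random password; the expected one is set right below.
        $CONTAINER_EXEC samba-tool user create --random-password eole-workstation-manager \
            || EchoRouge "Impossible de créer le compte 'eole-workstation-manager'"
    fi

    echo "Mise en conformité de l’utilisateur 'eole-workstation-manager'... "
    $CONTAINER_EXEC samba-tool user setexpiry eole-workstation-manager --noexpiry \
        || EchoRouge "Impossible de désactiver l’expiration du compte 'eole-workstation-manager'"
    # NOTE(review): the password is passed on the samba-tool command line (and
    # through lxc-attach's argv on ScribeAD/HorusAD), so it is briefly visible in
    # process listings; confirm whether the installed samba-tool offers a
    # non-argv way to supply it.
    $CONTAINER_EXEC samba-tool user setpassword eole-workstation-manager --newpassword="${MANAGER_PASSWORD}" \
        || EchoRouge "Impossible de positionner le mot de passe du compte 'eole-workstation-manager'"
fi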

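# cf. https://dev-eole.ac-dijon.fr/issues/32237
ACCOUNT_JONCTION=eole-workstation-manager

# Remove the join account from 'Domain Admins' if it happens to be a member:
# the delegation on CN=Computers below is all it needs. Failing (not a member)
# is the normal case, hence the deliberate "|| true".
$CONTAINER_EXEC samba-tool group removemembers 'Domain Admins' "$ACCOUNT_JONCTION" >/dev/null 2>&1 || true

# wbinfo output is split on whitespace; the first word is expected to be the SID.
declare -a SID_ET_NAME
SID_ET_NAME=($($CONTAINER_EXEC wbinfo --name-to-sid="$ACCOUNT_JONCTION"))
SID_ACCOUNT_JONCTION="${SID_ET_NAME[0]}"
#echo "SID_ACCOUNT_JONCTION=$SID_ACCOUNT_JONCTION"
if [[ "$SID_ACCOUNT_JONCTION" != S-1-* ]]
then
    # Without a real SID the substring test below would trivially succeed
    # (an empty pattern matches any DACL) and the SDDL would name an empty
    # trustee, so report and skip instead.
    EchoRouge "Impossible de déterminer le SID de '$ACCOUNT_JONCTION' : délégation sur CN=Computers non vérifiée"
else
    # BASEDN is presumably provided by samba4-vars.conf — confirm.
    DSACL_COMPUTER="$($CONTAINER_EXEC samba-tool dsacl get --objectdn="CN=Computers,$BASEDN")"
    # NOTE(review): this only checks that the SID appears somewhere in the DACL,
    # not that the three ACEs below are all present — confirm this is enough.
    if [[ "$DSACL_COMPUTER" == *"$SID_ACCOUNT_JONCTION"* ]]
    then
        echo "Délégation pour '$ACCOUNT_JONCTION' présente sur CN=Computers"
    else
        echo "Délégation pour '$ACCOUNT_JONCTION' absentes sur CN=Computers"
        # cf.: https://docs.microsoft.com/fr-fr/windows/win32/adschema/c-computer
        COMPUTER_OBJECT="{BF967A86-0DE6-11D0-A285-00AA003049E2}"
        # cf.: https://docs.microsoft.com/fr-fr/windows/win32/adschema/c-applicationversion
        APPLICATION_VERSION="{DDC790AC-AF4D-442A-8F0F-A1D4CAA7DD92}"
        # Extracted from a delegation done by hand, then `dsacl get` + diff.
        SDDL="ARAI(OA;CI;CC;${COMPUTER_OBJECT};;${SID_ACCOUNT_JONCTION})(OA;CIIO;CC;${APPLICATION_VERSION};${COMPUTER_OBJECT};${SID_ACCOUNT_JONCTION})(OA;CIIO;CC;;${COMPUTER_OBJECT};${SID_ACCOUNT_JONCTION})"
        # Tip: dsacl set does not overwrite the whole DACL!
        if >/var/log/samba/dsacl_cn_computers.log $CONTAINER_EXEC samba-tool dsacl set --objectdn "CN=Computers,$BASEDN" --sddl "${SDDL}"
        then
            echo "Délégation pour '$ACCOUNT_JONCTION' activée sur CN=Computers"
        else
            EchoRouge "Impossible de positionner la délégation pour '$ACCOUNT_JONCTION' sur CN=Computers"
            # Keep going despite the error.
        fi
    fi
fi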

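# Ensure the read-only account exists, never expires and carries the
# password stored in READER_PASSWORD_FILE.
if [ ! -s "${READER_PASSWORD_FILE}" ]
then
    # -s is false for a missing file AND for an empty one.
    EchoRouge "Le fichier de mot de passe '${READER_PASSWORD_FILE}' n’existe pas ou est vide"
else
    # $(< file) strips trailing newlines like $(cat file), without a fork.
    READER_PASSWORD=$(<"${READER_PASSWORD_FILE}")
    if ! user_exists eole-workstation-reader
    then
        echo "Ajout du compte de lecture 'eole-workstation-reader'... "
        # Created with a random password; the expected one is set right below.
        $CONTAINER_EXEC samba-tool user create --random-password eole-workstation-reader \
            || EchoRouge "Impossible de créer le compte 'eole-workstation-reader'"
    fi

    echo "Mise en conformité de l’utilisateur 'eole-workstation-reader'... "
    $CONTAINER_EXEC samba-tool user setexpiry eole-workstation-reader --noexpiry \
        || EchoRouge "Impossible de désactiver l’expiration du compte 'eole-workstation-reader'"
    # NOTE(review): the password is passed on the samba-tool command line (and
    # through lxc-attach's argv on ScribeAD/HorusAD), so it is briefly visible in
    # process listings; confirm whether the installed samba-tool offers a
    # non-argv way to supply it.
    $CONTAINER_EXEC samba-tool user setpassword eole-workstation-reader --newpassword="${READER_PASSWORD}" \
        || EchoRouge "Impossible de positionner le mot de passe du compte 'eole-workstation-reader'"
fi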

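# Mask the salt-minion service so it cannot be started on this machine.
# NOTE(review): the reason for masking it here is not stated — document it if known.
systemctl mask salt-minion \
    || EchoOrange "Impossible de masquer le service salt-minion"

exit 0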
