#!/bin/bash

# Inputs this script reads: the LDAP switch/credentials and the list of
# LDAP groups allowed to use the VPN (one group per line).
SETTINGS="/var/efw/openvpn/ldap/settings"
GROUPS_FILE="/var/efw/openvpn/ldap/groups"

# Outputs: the plugin config generated below, the OpenVPN template that
# gets patched, and the pristine copy kept so the patch can be undone.
CONF="/etc/openvpn/auth-ldap.conf"
TMPL="/etc/openvpn/openvpn.conf.tmpl"
BKP="/etc/openvpn/openvpn.conf.tmpl.bkp"

########################################
# Verifica arquivos necessários
########################################
# Both inputs must exist; bail out quietly otherwise.
for required in "$SETTINGS" "$GROUPS_FILE"; do
    [ -f "$required" ] || exit 1
done

########################################
# Lê settings
########################################
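#######################################
# Load the keys this script uses from the KEY=VALUE settings file into
# same-named globals (ENABLE, PASSWORD, BIND_DN, BASE_DN, SERVER_LDAP).
# Arguments: $1 - path to the settings file
# Returns:   1 if the file is not readable, else 0
#
# The value is everything after the FIRST '=' taken verbatim, so a
# password or DN that itself contains '=' is kept intact.  A final line
# without a trailing newline is read as well (a plain `read` loop stops
# before it).  Lines without '=' and unknown keys are ignored.
#######################################
read_settings() {
    local file=$1 line key value
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *=*) ;;
            *) continue ;;
        esac
        key=${line%%=*}
        value=${line#*=}
        case "$key" in
            ENABLE)      ENABLE=$value ;;
            PASSWORD)    PASSWORD=$value ;;
            BIND_DN)     BIND_DN=$value ;;
            BASE_DN)     BASE_DN=$value ;;
            SERVER_LDAP) SERVER_LDAP=$value ;;
        esac
    done < "$file"
}
read_settings "$SETTINGS"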

########################################
# Função: Restaurar autenticação local
########################################
#######################################
# Put the OpenVPN template back on local (via-env) authentication and
# remove the generated LDAP plugin config.
# Globals: BKP, TMPL, CONF (read)
# Prefers the pristine backup; without one it rewrites the plugin line
# in place.
#######################################
restore_local_auth() {
    local backup=$BKP template=$TMPL

    if [ ! -f "$backup" ]; then
        # No backup to restore: swap the LDAP plugin line for the
        # local auth-user-pass-verify helper.
        sed -i '/openvpn-auth-ldap.so/c\auth-user-pass-verify "/usr/bin/openvpn-auth-env via-env"' "$template"
    else
        cp "$backup" "$template"
    fi

    rm -f "$CONF"
}

########################################
# Função: Habilitar LDAP
########################################
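#######################################
# Switch the OpenVPN template to the LDAP auth plugin.
# Globals: TMPL, BKP (read); BKP is written once, TMPL is rewritten.
# Returns: 0 when the template holds the plugin line afterwards,
#          1 when the backup failed or no anchor line was found.
#
# Idempotent: once the plugin line is present, re-running is a no-op.
# The original version appended a second plugin line on every further
# run: after auth-user-pass-verify had been replaced, the grep failed
# and the else branch added the line after client-cert-not-required
# again.
#######################################
enable_ldap_auth() {
    local plugin_line='plugin /lib/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf'

    # Keep a pristine copy for restore_local_auth; only the first call
    # sees the untouched template.
    [ -f "$BKP" ] || cp "$TMPL" "$BKP" || return 1

    # Already switched over (e.g. settings re-saved): nothing to do.
    grep -q -F -- "$plugin_line" "$TMPL" && return 0

    if grep -q 'auth-user-pass-verify' "$TMPL"; then
        # Replace the local-auth directive.  As before, a commented-out
        # "#auth-user-pass-verify" line matches and is replaced too.
        sed -i "s|^.*auth-user-pass-verify.*\$|$plugin_line|" "$TMPL"
    else
        # No local-auth line: hang the plugin off client-cert-not-required.
        sed -i "/^client-cert-not-required/ a $plugin_line" "$TMPL"
    fi

    # Neither anchor existed: report it instead of pretending success.
    grep -q -F -- "$plugin_line" "$TMPL"
}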

########################################
# LDAP desligado
########################################
case "$ENABLE" in
    on) ;;
    *)
        # Anything other than "on" (including a missing key) means LDAP
        # is off: go back to local auth and restart OpenVPN.
        restore_local_auth
        /sbin/jobcontrol restart openvpnjob -force &>/dev/null
        exit 0
        ;;
esac

########################################
# Validação mínima
########################################
# LDAP is on: the server and both DNs are mandatory.  PASSWORD is not
# checked and is written to the plugin config as-is.
# NOTE(review): an empty PASSWORD with a non-empty BIND_DN is an
# "unauthenticated" simple bind, which some directories accept -- it
# may be worth rejecting here rather than letting it through.
for required in SERVER_LDAP BIND_DN BASE_DN; do
    [ -n "${!required}" ] || exit 1
done

########################################
# Normaliza arquivo de grupos
########################################
# Normalise the groups file in place (it is rewritten on every run):
# drop CRs from Windows line endings, strip leading whitespace, then
# delete lines that are left empty.  One sed pass instead of two.
sed -i \
    -e 's/\r//g' \
    -e 's/^[[:space:]]*//' \
    -e '/^[[:space:]]*$/d' \
    "$GROUPS_FILE"

########################################
# Monta filtro LDAP corretamente
########################################
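#######################################
# Build the group clause of the LDAP filter: one "(cn=NAME)" per line of
# the groups file, concatenated for the "(|...)" wrapper used below.
# Arguments: $1 - path to the (already normalised) groups file
# Outputs:   the clause on stdout (empty if the file has no lines)
#
# Group names end up inside an LDAP search filter, so the RFC 4515
# metacharacters '\' '*' '(' ')' are escaped as \5c \2a \28 \29.  A
# name such as "VPN (Sales)" or a stray '*' therefore cannot break the
# filter or widen the match; the original interpolated names raw.
#######################################
build_group_filter() {
    awk '
        {
            name = $0
            # backslash first: it is the escape character itself
            gsub(/\\/, "\\\\5c", name)
            gsub(/\*/, "\\\\2a", name)
            gsub(/\(/, "\\\\28", name)
            gsub(/\)/, "\\\\29", name)
            printf "(cn=%s)", name
        }' "$1"
}
GROUPS_VPN=$(build_group_filter "$GROUPS_FILE")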

# An empty clause would produce "(|)", which nobody can match: stop here
# rather than write a filter that authorises no one.
if [ -z "$GROUPS_VPN" ]; then
    exit 1
fi

########################################
# Gera auth-ldap.conf
########################################
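#######################################
# Write the openvpn-auth-ldap plugin config.
# Globals (read): CONF, SERVER_LDAP, BIND_DN, PASSWORD, BASE_DN, GROUPS_VPN
# Returns: the status of writing the file
#
# The file holds the service-account bind password, so it is created
# under umask 077 (mode 0600) instead of the caller's umask, and any
# previous file (or symlink) at that path is removed first so that
# truncating it in place cannot inherit looser permissions.  The
# original wrote it with whatever umask was in effect.
# NOTE(review): this assumes OpenVPN loads the plugin, and thus reads
# this file, while still root -- confirm before relying on 0600.
#
# Caveats carried over unchanged:
#  - TLSEnable is "no" and the URL is plain ldap://:389, so the bind
#    password and every user's password cross the network in clear.
#  - Values are dropped into double-quoted config strings verbatim; a
#    '"' in BIND_DN, PASSWORD or BASE_DN will break the file (the
#    plugin's quoting rules are not known from here).
#######################################
write_auth_ldap_conf() {
    local out=$CONF

    rm -f -- "$out"
    (
        umask 077
        cat > "$out" <<EOF
<LDAP>
    URL             ldap://$SERVER_LDAP:389
    TLSEnable       no
    BindDN          "$BIND_DN"
    Password        "$PASSWORD"
    Timeout         15
    FollowReferrals yes
</LDAP>

<Authorization>
    BaseDN          "$BASE_DN"
    SearchFilter    "(&(sAMAccountName=%u))"
    RequireGroup    true
    <Group>
        BaseDN          "$BASE_DN"
        SearchFilter    "(|$GROUPS_VPN)"
        MemberAttribute "member"
    </Group>
</Authorization>
EOF
    )
}
write_auth_ldap_conf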

########################################
# Ativa LDAP
########################################
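# Patch the template, then restart OpenVPN so the plugin line takes
# effect.  If patching failed, leave the running service alone instead
# of restarting it on a template that was not switched over; the
# original restarted unconditionally and so hid the failure.
enable_ldap_auth || exit 1

/sbin/jobcontrol restart openvpnjob -force &>/dev/null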