#!/usr/bin/perl -w

#----------------------------------------------------------------------
# copyright (C) 2002-2005 Mitel Networks Corporation
# copyright (C) 2024 Koozali Foundation inc.
# 
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
# 		
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# 		
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
# 
# Technical support for this program is available from Mitel Networks 
# Please visit our web site www.mitel.com/sme/ for details.
#----------------------------------------------------------------------

package esmith;

use strict;
use Errno;
use esmith::ConfigDB;
use esmith::AccountsDB;
use esmith::util;
use utf8;
use esmith::util::ldap;

my $c = esmith::ConfigDB->open_ro || die "Couldn't open config db\n";
my $a = esmith::AccountsDB->open_ro || die "Couldn't open accounts db\n";

my $ldapauth = $c->get('ldap')->prop('Authentication') || 'disabled';
my $x = 0; # exit value
my $result;

# prepare LDAP bind
my $ldap=esmith::util::ldap->new();

my $event = shift || die "Event name arg missing\n";;
my @groups;

if ( scalar @ARGV ) 
{
    @groups = map { $a->get($_); } @ARGV;
}
else
{
    @groups = $a->groups;
}

# fix www missing in shared
my ( $name,   $passwd,   $gid,       $members  ) = getgrnam('shared');
my @mb= split(/ /, $members);
system("usermod -a -G shared www") unless ( grep(/^www$/, @mb) ) ;

foreach my $group (@groups)
{
    my $groupName = $group->key;
    unless ($group->prop('type') eq 'group')
    {
	warn "Account $groupName is not a group account.\n";
	next;
    }
    my %properties = $group->props;

    #------------------------------------------------------------
    # Modify the group. We do it the hard way - by removing all the
    # current group members and adding the new ones (rather than
    # deleting the group and recreating it). That guarantees that
    # we keep the same group ID so that files associated with this
    # group are unaffected.
    #------------------------------------------------------------

    my $groupDesc = $properties{'Description'}
	if (defined $properties{'Description'});

    if ($ldapauth ne 'enabled')
    {
        system("/usr/sbin/usermod", "-c", "$groupDesc", "$groupName") == 0
            or ( $x = 255, warn "Failed to modify (unix) group description for $groupName.\n" );
    }

    # modify group dedicated user cn
    $result = $ldap->ldapmoduser($group);
    $result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify (ldap) group description for $groupName.\n" );
    # modify Group description and mail
    $result = $ldap->ldapmodgroup($group);
    $result  && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify (ldap) group description/email for $groupName.\n" );

    my ($name, $passwd, $gid, $members) = getgrnam ($groupName);
    my @oldMembers = split (/\s+/, $members);
    my @newMembers = split (/,/, $properties {'Members'});

    # Add in ibay group membership
    push @newMembers, (map { $_->key } $a->get_all_by_prop(Group => $groupName));

    # "admin" and "www" are implicit members of all groups
    push @newMembers, qw(www admin);

    my (%oldMembers, %newMembers);

    my $member;
    foreach $member (@newMembers)
    {
	$newMembers{$member} = 1;
    }
    foreach $member (@oldMembers)
    {
	$oldMembers{$member} = 1;
    }

    # applying list of user memberUid for LDAP for this group
    $result = $ldap->ldapsetgroupmembers($groupName,\@newMembers);
    # error code 20 is entry already exits.
    $result &&  ( $result->code != 20 ) && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to modify supplementary (ldap) group membership for $groupName.\n" );

    foreach $member (@newMembers, @oldMembers)
    {
	# skip this member if not being added or removed
	next if ($oldMembers{$member} and $newMembers{$member});
	# This next step is redundant!
	next if (!$oldMembers{$member} and !$newMembers{$member});

	# We need to add or remove this member from the group
	# Get the supplementary group list for the member we are adding or
	# deleting.
	#my $cmd = "/usr/bin/id -G -n '$member'";
  # this will not fail in case of apache before www in passwd
  my $cmd = "/usr/bin/groups '$member'"; 
	my $groups = `$cmd 2>/dev/null`; 
	if ($? != 0)
	{
	    die "Failed to get supplementary group list for $member.\n";
	}
  $groups =~ s/^.*:\s+//;
	chomp ($groups);

	my @groupList = split (/\s+/, $groups);
	@groupList = grep (!/^$member$/, @groupList);
	# Apache is an alias for www
	@groupList = map { $_ =~ s/^apache$/www/g; $_ } @groupList;
  # www needs to be in shared
  push(@groupList,'shared') if ( ($member eq 'www') and (! grep{$_ eq 'shared'} @groupList));

	if ($oldMembers{$member})
	{
	    @groupList = grep (!/^$groupName$/, @groupList);
	}
	else
	{
	    push @groupList, $groupName;
	}
	$groups = join (',', sort (@groupList));

        if ($ldapauth ne 'enabled')
        {
            system("/usr/sbin/usermod", "-G", "$groups", "$member") == 0
                or ( $x = 255, warn "Failed to modify supplementary (unix) group list for $member.\n" );
        }

    }

} # end of list of groups

exit ($x);