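#!/bin/bash
#
# Univention Samba4
#  helper script to create objects in UDM/OpenLDAP for S-1-18-1 to S-1-18-6
#
# Like what you see? Join us!
# https://www.univention.com/about-us/careers/vacancies/
#
# Copyright 2004-2023 Univention GmbH
#
# https://www.univention.de/
#
# All rights reserved.
#
# The source code of this program is made available
# under the terms of the GNU Affero General Public License version 3
# (GNU AGPL V3) as published by the Free Software Foundation.
#
# Binary versions of this program provided by Univention to you as
# well as other copyrighted, protected or trademarked materials like
# Logos, graphics, fonts, specific documentations and configurations,
# cryptographic keys etc. are subject to a license agreement between
# you and Univention and not subject to the GNU AGPL V3.
#
# In the case you use this program under the terms of the GNU AGPL V3,
# the program is provided in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License with the Debian GNU/Linux or Univention distribution in file
# /usr/share/common-licenses/AGPL-3; if not, see
# <https://www.gnu.org/licenses/>.
#
# Usage: <this script> [extra arguments for "udm groups/group create"]
#   All positional arguments are forwarded verbatim to every
#   "udm groups/group create" call (e.g. bind credentials chosen by the caller).
# Required environment: the UCR variables ldap_base, ldap_master,
#   ldap_master_port (optional, defaults to 7389), samba4_ldap_base and
#   connector_s4_mapping_group_ignorelist are expected to be provided by the
#   "univention-config-registry shell" eval below.

. /usr/share/univention-lib/all.sh
. /usr/share/univention-samba4/lib/all.sh

# Expose the UCR variables this script reads ($ldap_base, $ldap_master, ...)
# as shell variables.
eval "$(univention-config-registry shell)"

### --- BEGIN helper functions ---

#######################################
# Create a hidden, posix-only UDM group that carries a fixed (well-known)
# sambaSID, unless a univentionGroup with that cn already exists anywhere
# below $ldap_base.
# Globals:   ldap_base, ldap_master, ldap_master_port (read)
# Arguments: $1 - group name (cn)
#            $2 - SID to store as sambaSID (e.g. S-1-18-1)
#            $3 - position relative to $ldap_base (e.g. cn=Builtin)
#            remaining arguments - forwarded verbatim to
#                                  "udm groups/group create"
# Outputs:   output of udm / ldapmodify on stdout and stderr
# Returns:   0 if the group already exists or was created and modified,
#            otherwise the status of the failing udm or ldapmodify call
#######################################
_create_group_with_special_sid() {
	local name="$1"
	local sid="$2"
	local position="$3"
	local group_dn
	shift 3

	# univention-ldapsearch and ldapsearch-wrapper come from the sourced
	# univention libs. $name is only ever a fixed literal from the call sites
	# below, so no LDAP filter escaping is applied here — do not pass
	# untrusted names into this helper without adding it.
	group_dn="$(univention-ldapsearch "(&(objectClass=univentionGroup)(cn=$name))" | ldapsearch-wrapper | sed -ne 's|dn: ||p')"
	if [ -n "$group_dn" ]; then
		return 0
	fi

	# Stop here if the create fails; the LDIF below must not be applied to a
	# DN that was never created.
	udm groups/group create "$@" --ignore_exists --option=posix \
		--position "$position,$ldap_base" \
		--set name="$name" || return

	# Attach the Samba mapping attributes directly via LDAP on the master.
	# The bind password is read from a file (-y), so it never appears in the
	# process list. univentionGroupType -2147483643 is 0x80000005 read as a
	# signed 32-bit value (presumably BUILTIN_LOCAL | SECURITY_ENABLED —
	# confirm against the group-type constants used by the S4 connector).
	ldapmodify -x -h "$ldap_master" -p "${ldap_master_port:-7389}" \
		-D "cn=admin,$ldap_base" -y "/etc/ldap.secret" <<EOF
dn: cn=$name,$position,$ldap_base
changetype: modify
add: objectClass
objectClass: sambaGroupMapping
-
add: sambaSID
sambaSID: $sid
-
replace: univentionObjectFlag
univentionObjectFlag: hidden
-
add: univentionGroupType
univentionGroupType: -2147483643
-
add: sambaGroupType
sambaGroupType: 5
EOF
}

### --- END helper functions ---

## Step one: Add new group names to S4-C ignorelist, so the connector leaves
## the OpenLDAP-side groups created below alone.
## ${var:+...} avoids a leading "," when the existing list is empty. Note
## that re-running this script appends the six names again.
ucr set connector/s4/mapping/group/ignorelist="${connector_s4_mapping_group_ignorelist:+$connector_s4_mapping_group_ignorelist,}Authentication authority asserted identity,Service asserted identity,Fresh Public Key identity,Key trust,MFA key property,Attested key property"
# The ignorelist only takes effect once the connector is restarted; report a
# failed restart instead of silently continuing with a stale connector.
systemctl restart univention-s4-connector \
	|| printf 'WARNING: restart of univention-s4-connector failed (status %d)\n' "$?" >&2

## Step two: Create them in OpenLDAP with their respective special SIDs.
## Extra script arguments ("$@") are forwarded to "udm groups/group create".
_create_group_with_special_sid "Authentication authority asserted identity" "S-1-18-1" "cn=Builtin" "$@"
_create_group_with_special_sid "Service asserted identity" "S-1-18-2" "cn=Builtin" "$@"
_create_group_with_special_sid "Fresh Public Key identity" "S-1-18-3" "cn=Builtin" "$@"
_create_group_with_special_sid "Key trust" "S-1-18-4" "cn=Builtin" "$@"
_create_group_with_special_sid "MFA key property" "S-1-18-5" "cn=Builtin" "$@"
_create_group_with_special_sid "Attested key property" "S-1-18-6" "cn=Builtin" "$@"

## Step three (Optional, but may make Windows clients happy): Create them as
## foreignSecurityPrincipal in Samba/AD.
## Unlike step two there is no existence check here; on a re-run ldbadd is
## expected to complain about already existing entries, and its status is
## also the exit status of this script.
ldbadd -H /var/lib/samba/private/sam.ldb --controls=provision:0 <<%EOF
dn: CN=Authentication Authority Asserted Identity,CN=WellKnown Security Principals,CN=Configuration,$samba4_ldap_base
objectClass: foreignSecurityPrincipal
showInAdvancedViewOnly: TRUE
objectSid: S-1-18-1

dn: CN=Service Asserted Identity,CN=WellKnown Security Principals,CN=Configuration,$samba4_ldap_base
objectClass: foreignSecurityPrincipal
showInAdvancedViewOnly: TRUE
objectSid: S-1-18-2

dn: CN=Fresh public key identity,CN=WellKnown Security Principals,CN=Configuration,$samba4_ldap_base
objectClass: foreignSecurityPrincipal
showInAdvancedViewOnly: TRUE
objectSid: S-1-18-3

dn: CN=Key Trust,CN=WellKnown Security Principals,CN=Configuration,$samba4_ldap_base
objectClass: foreignSecurityPrincipal
showInAdvancedViewOnly: TRUE
objectSid: S-1-18-4

dn: CN=MFA Key Property,CN=WellKnown Security Principals,CN=Configuration,$samba4_ldap_base
objectClass: foreignSecurityPrincipal
showInAdvancedViewOnly: TRUE
objectSid: S-1-18-5

dn: CN=Attested Key Property,CN=WellKnown Security Principals,CN=Configuration,$samba4_ldap_base
objectClass: foreignSecurityPrincipal
showInAdvancedViewOnly: TRUE
objectSid: S-1-18-6
%EOF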