#!/bin/sh

. caterva-alterator.sh
. verborum-caterva-valtable
. alterator-openldap-functions

# Print access configuration based on a number of ACLs
# args: policy acl policy acl ...
print_access()
{
  local ap="$1"
  printf "http_access %s" "$ap"
  while [ $# -ge 2 ]; do
    if [ -n "$2" ]; then
      if [ "$ap" != "$1" ]; then
        printf " !"
      fi
      printf " $2"
    fi
    shift; shift
  done
  printf "\n"
}

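# Kerberos-style realm name: the host's DNS domain, upper-cased.
# Appears unused in this file at the moment (the REALM= assignment further
# down is commented out).
get_realm()
{
    # Plain POSIX character classes.  The former '[[:lower:]]' spelling only
    # worked because tr mapped the stray "[" and "]" onto themselves.
    dnsdomainname | tr '[:lower:]' '[:upper:]'
}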

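# LDAP base DN for this host, derived from its DNS domain via host_2_dn
# (from alterator-openldap-functions).  If dnsdomainname prints nothing the
# result is presumably empty too, which would make the DNs built from it
# below ("ou=People,$BASE_DN") malformed -- there is no fallback here.
get_base_dn()
{
    host_2_dn "$(dnsdomainname)"
}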

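#REALM="$(get_realm)"
# Base DN used for the user/group search bases of the squid_ldap_group
# helper emitted by print_group.  Assumed non-empty; see get_base_dn.
BASE_DN="$(get_base_dn)"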

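# on_object callback: emit the squid ACL and http_access rule for one group
# from /squid/groups.  Reads the object attributes exported by on_object as
# shell variables: $name (group name), $label (comment, "#f" if none),
# $suffix (dstdomain list, "#f" if none), $deny ("#f" unless the policy is
# deny).  Also reads $BASE_DN and $AUTH_ACL from the script.
#
# Output ordering matters: squid evaluates http_access first-match, and
# the caller runs this between the "deny" rule and the final "allow" rule
# for authenticated users.
print_group()
{
    # The two pseudo-groups are handled by the top-level code; an empty
    # name cannot yield a valid ACL name ("-group"), so skip it as well.
    case "$name" in
      ''|___all|___authenticated) return 0 ;;
    esac

    # Emit the external ACL type exactly once.  The "already emitted" flag is
    # kept with def_val/read_val (the sourced valtable helpers) rather than a
    # shell variable because print_group runs inside the on_object pipeline
    # and the rest of the script (SQ_HAS_GROUP) needs to see the state.
    #
    # Helper options, per squid_ldap_group(8) -- confirm against the
    # installed helper: -P persistent LDAP connection; -B/-F base and filter
    # for the user lookup (%s = login name); -b/-f base and filter for the
    # group lookup (%g = group name); -K strip a Kerberos realm from the login.
    if [ "$(read_val SQ_acltype_group)" != "yes" ]; then
	cat <<EOF
# Define ACL type to test a system group membership
external_acl_type unix_group %LOGIN /usr/lib/squid/squid_ldap_group -P -B "ou=People,$BASE_DN" -F "(&(uid=%s)(objectClass=posixAccount))" -b "ou=Group,$BASE_DN" -f "(&(cn=%g)(objectClass=posixGroup))" -K
EOF
	print_info "Define ACL type to test a system group membership"
	def_val SQ_acltype_group yes
    fi

    # Human-readable label for messages/comments: the comment if present,
    # else the group name.
    local group_label="$name"
    if [ -n "$label" ] && [ "$label" != "#f" ]; then
      group_label="$label"
    fi

    local group_acl="${name}-group"
    print_info "Adding access for group $group_label"
    printf '%s\n' "# Access policy for the group $group_label"
    printf 'acl %s external unix_group %s\n' "$group_acl" "$name"

    # Only the literal "#f" counts as "not denied"; any other value,
    # including an empty one, is treated as a deny policy (presumably
    # on_object always supplies "#f" for false).
    local group_policy="allow"
    [ "$deny" = "#f" ] || group_policy="deny"

    # Optional destination-domain restriction for this group.
    local group_domain_acl=
    if [ -n "$suffix" ] && [ "$suffix" != "#f" ]; then
      group_domain_acl="${name}-domains"
      printf 'acl %s dstdomain %s\n' "$group_domain_acl" "$suffix"
    fi

    # An "allow everything" group gets no rule of its own: it falls through
    # to the authenticated-users policy emitted after the groups.  Every
    # other case gets a rule.  $AUTH_ACL is listed first so that squid has
    # authenticated the client before the %LOGIN-based group lookup runs.
    if [ -n "$group_domain_acl" ] || [ "$group_policy" = "deny" ]; then
      print_access "$group_policy" "$AUTH_ACL" \
                   "$group_policy" "$group_acl" \
                   "$group_policy" "$group_domain_acl"
    fi

    def_val SQ_HAS_GROUP 1
}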

# Name of the ACL matching every request (presumably squid's built-in
# "all" ACL); the default policy at the bottom of the file is keyed on it.
ALL_ACL=all
# on_object callback for the ___all pseudo-group: store its domain list and
# policy in the valtable for the top-level code to read back.  Reads $suffix
# and $deny as exported by on_object ("#f" stands for "not set"/"false").
set_all_params()
{
  case "$suffix" in
    ''|'#f') def_val SQ_ALL_DOMAINS "" ;;
    *)       def_val SQ_ALL_DOMAINS "$suffix" ;;
  esac
  # Only the literal "#f" selects "allow"; anything else (even empty) is deny.
  case "$deny" in
    '#f') def_val SQ_ALL_POLICY "allow" ;;
    *)    def_val SQ_ALL_POLICY "deny" ;;
  esac
}

# Name of the ACL identifying authenticated users, recorded earlier under
# SQ_AUTHENTICATED (presumably a proxy_auth ACL).  Empty when authentication
# is not configured; the "-n $AUTH_ACL" guard below then skips every
# authenticated-user and group rule.
AUTH_ACL="$(read_val SQ_AUTHENTICATED)"
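# on_object callback for the ___authenticated pseudo-group: store its domain
# list and policy in the valtable.  Mirrors set_all_params; reads $suffix and
# $deny as exported by on_object ("#f" stands for "not set"/"false").
set_auth_params()
{
  if [ -n "$suffix" ] && [ "$suffix" != "#f" ]; then
    def_val SQ_AUTH_DOMAINS "$suffix"
  else
    # Pass an explicit empty value, as set_all_params does, so a stale
    # SQ_AUTH_DOMAINS cannot survive and turn into a dstdomain ACL below.
    def_val SQ_AUTH_DOMAINS ""
  fi
  # Only the literal "#f" selects "allow"; anything else (even empty) is deny.
  if [ "$deny" != "#f" ]; then
    def_val SQ_AUTH_POLICY "deny"
  else
    def_val SQ_AUTH_POLICY "allow"
  fi
}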

# Settings of the ___all pseudo-group: domain list and default policy for
# every client.  The "deny" rule is emitted first so that globally denied
# domains cannot be re-allowed by any later (authenticated/group) rule;
# the matching "allow the rest" rule comes at the very end of the file.
ALL_DOMAIN_ACL=
metalterator-cmdline "/squid/groups/___all" action "read" \
  deny "deny" suffix "suffix" | on_object set_all_params
ALL_POLICY="$(read_val SQ_ALL_POLICY)"
ALL_DOMAINS="$(read_val SQ_ALL_DOMAINS)"
case "$ALL_DOMAINS" in
  '') ;;
  *)
    ALL_DOMAIN_ACL="${ALL_ACL}-domains"
    echo "# Domain list for all users"
    echo "acl $ALL_DOMAIN_ACL dstdomain $ALL_DOMAINS"
    ;;
esac
case "$ALL_POLICY" in
  deny)
    echo "# Access policy for all users"
    print_access "$ALL_POLICY" "$ALL_ACL" "$ALL_POLICY" "$ALL_DOMAIN_ACL"
    ;;
esac

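# Rules for authenticated users; only meaningful when an authentication ACL
# exists.  Order (squid is first-match): the ___authenticated "deny" rule,
# then the per-group rules, then the "allow the rest" rule for authenticated
# users, so a group rule can neither override a denied domain nor be
# shadowed by the catch-all.
AUTH_DOMAIN_ACL=
if [ -n "$AUTH_ACL" ]; then
  metalterator-cmdline "/squid/groups/___authenticated" action "read" \
    deny "deny" suffix "suffix" | on_object set_auth_params
  AUTH_POLICY="$(read_val SQ_AUTH_POLICY)"
  AUTH_DOMAINS="$(read_val SQ_AUTH_DOMAINS)"
  if [ -n "$AUTH_DOMAINS" ]; then
    AUTH_DOMAIN_ACL="${AUTH_ACL}-domains"
    echo "# Domain list for authenticated users"
    echo "acl $AUTH_DOMAIN_ACL dstdomain $AUTH_DOMAINS"
  fi

  if [ "$AUTH_POLICY" = "deny" ]; then
    echo "# Access policy for authenticated users"
    print_access "$AUTH_POLICY" "$AUTH_ACL" \
                 "$AUTH_POLICY" "$AUTH_DOMAIN_ACL"
  fi

  # One rule set per real group (print_group skips the pseudo-groups).
  metalterator-cmdline /squid/groups action "list" \
    deny "deny" suffix "suffix" comment "label" | on_object print_group

  if [ "$AUTH_POLICY" = "deny" ]; then
    echo "# In the case of a deny policy for authenticated users"
    echo "# allow access to all sites that are not denied"
    # Negate the domain ACL only when one was defined: with no domain list
    # the old code emitted a bare "!", which is not a valid ACL reference
    # and makes squid reject the line.
    print_access 'allow' "$AUTH_ACL" 'allow' "${AUTH_DOMAIN_ACL:+!$AUTH_DOMAIN_ACL}"
  else
    echo "# Access policy for authenticated users"
    print_access "$AUTH_POLICY" "$AUTH_ACL" \
                 "$AUTH_POLICY" "$AUTH_DOMAIN_ACL"
  fi
fi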

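# Default policy for everybody not matched above -- including clients that
# never authenticated.  Squid is first-match, so this must stay last.
# NOTE(review): with an "allow" policy and no domain list this emits
# "http_access allow all", i.e. the proxy is open to any client that can
# reach it unless rules elsewhere in squid.conf (or the network) restrict
# the source; the authentication ACL above does not gate this line.
if [ "$ALL_POLICY" = "deny" ]; then
	echo "# In the case of a deny policy for all users"
	echo "# allow access to all sites that are not denied"
	# Negate the domain ACL only when one was defined: with no domain list
	# the old code emitted a bare "!", which is not a valid ACL reference
	# and makes squid reject the line.
	print_access 'allow' "$ALL_ACL" 'allow' "${ALL_DOMAIN_ACL:+!$ALL_DOMAIN_ACL}"
else
	echo "# Access policy for all users"
	print_access "$ALL_POLICY" "$ALL_ACL" \
	             "$ALL_POLICY" "$ALL_DOMAIN_ACL"
fi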
