#!/usr/bin/perl -w

#----------------------------------------------------------------------
# copyright (C) 2011-2012 Firewall Services 
# Daniel Berteaud <daniel@firewall-services.com>
# 
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#               
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#               
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
#----------------------------------------------------------------------

use strict;
use esmith::templates;
use esmith::ConfigDB;
use esmith::AccountsDB;
use File::Path qw(mkpath rmtree);
use PHP::Serialization qw(serialize unserialize);

my $c = esmith::ConfigDB->open_ro;
my $a = esmith::AccountsDB->open_ro;

my $domain = $c->get('DomainName')->value;

# Remove active sessions
unlink(</var/lib/ajaxplorer/tmp/sess_*>);

# Remove plugin and i18n cache
unlink(</var/cache/ajaxplorer/plugin*.ser>);
unlink(</var/cache/ajaxplorer/i18n/*.ser>);

foreach my $user (($a->users),$a->get('admin')){
    my $name = $user->key;
    my $first = $user->prop('FirstName') || '';
    my $last = $user->prop('LastName') || $name;
    my $data;
    mkpath('/var/lib/ajaxplorer/plugins/auth.serial/' . $name);
    chmod 0770, "/var/lib/ajaxplorer/plugins/auth.serial/$name";
    chown '0', '102', "/var/lib/ajaxplorer/plugins/auth.serial/$name";
    if (-s "/var/lib/ajaxplorer/plugins/auth.serial/$name/role.ser"){
        open RROLE, "/var/lib/ajaxplorer/plugins/auth.serial/$name/role.ser";
        $data = <RROLE>;
        close RROLE;
        $data = unserialize($data);
        delete $data->{"\0*\0acls"} if (defined $data->{"\0*\0acls"});
    }
    # No role yet ? lets create it
    else{
        $data->{"\0*\0groupPath"} = undef;
        $data->{"\0*\0autoApplies"} = [];
        $data->{"\0*\0roleLabel"} = undef;
        $data->{"\0*\0actions"} = [];
        $data->{"\0*\0roleId"} = "AJXP_USR_/$name";
        $data = bless $data, 'PHP::Serialization::Object::AJXP_Role';
    }
    # In any case, re-compute the effective permissions
    foreach my $share ($a->get_all_by_prop(type => 'share')){
        my $sharename = $share->key;
        my $access = $share->prop('Ajaxplorer') || 'disabled';
        next unless ($access eq 'enabled');
        my @readgroups = split(/[;,]/, $share->prop('ReadGroups') || '');
        my @writegroups = split(/[;,]/, $share->prop('WriteGroups') || '');
        my @readusers = split(/[;,]/, $share->prop('ReadUsers') || '');
        my @writeusers = split(/[;,]/, $share->prop('WriteUsers') || '');

        foreach (@readgroups){
            $data->{"\0*\0acls"}->{$sharename} = 'r' if ( $a->is_user_in_group($name,$_) );
        }
        foreach (@writegroups){
            $data->{"\0*\0acls"}->{$sharename} = 'rw' if ( $a->is_user_in_group($name,$_) );
        }
        foreach (@readusers){
            $data->{"\0*\0acls"}->{$sharename} = 'r' if ( $_ eq $name );
        }
        foreach (@writeusers){
            $data->{"\0*\0acls"}->{$sharename} = 'rw' if ( $_ eq $name );
        }
        # Special case: admin has access to everything
        $data->{"\0*\0acls"}->{$sharename} = 'rw' if ($name eq 'admin');
    }
    # As we're here, lets update the email address and the display name
    # First, delete parameter if it's an array (meaning it's empty)
    delete $data->{"\0*\0parameters"} if (ref ($data->{"\0*\0parameters"})=~ m/ARRAY/i);

    $data->{"\0*\0parameters"}->{'AJXP_REPO_SCOPE_ALL'}->{'core.conf'}->{'email'} = "$name\@$domain";
    $data->{"\0*\0parameters"}->{'AJXP_REPO_SCOPE_ALL'}->{'core.conf'}->{'USER_DISPLAY_NAME'} = "$first $last";

    open WROLE, '+>', "/var/lib/ajaxplorer/plugins/auth.serial/$name/role.ser";
    print WROLE serialize($data);
    close WROLE;
}

my $ajxp = $c->get('ajaxplorer') || die "Couldn't find ajaxplorer entry in ConfigDB\n";
my $homedir = $ajxp->prop('HomeDir') || 'none';

if ($homedir eq 'enabled'){
    foreach ($a->users){
        my $name = $_->key;
        set_user_acl($name);
    }
}
elsif ($homedir eq 'users'){
    foreach ($a->users){
        my $name = $_->key;
        if (($_->prop('AjxpHomeDir') || 'disabled') eq 'enabled'){
            set_user_acl($name);
        }
        else{
            remove_user_acl($name);
        }
    }
}
else{
    foreach ($a->users){
        my $name = $_->key;
        remove_user_acl($name);
    }
}

sub set_user_acl{
    my $user = shift;
    my $acl = `/usr/bin/getfacl /home/e-smith/files/users/$user 2>/dev/null | egrep -c '^user:(apache|www):'`;
    chomp($acl);
    return if ($acl > 0);
    system('/usr/bin/setfacl',
           '-m',
           'u:www:x',
           "/home/e-smith/files/users/$user");
    system('/usr/bin/setfacl',
           '-R',
           '-m',
           'u:www:rX,d:u:www:rX',
           "/home/e-smith/files/users/$user/home");
}

sub remove_user_acl{
    my $user = shift;
    my $acl = `/usr/bin/getfacl /home/e-smith/files/users/$user 2>/dev/null | egrep -c '^user:(apache|www):'`;
    chomp($acl);
    return if ($acl < 1);
    system('/usr/bin/setfacl',
           '-R',
           '-x',
           'u:www,d:u:www',
           "/home/e-smith/files/users/$user/home");
    system('/usr/bin/setfacl',
           '-x',
           'u:www',
           "/home/e-smith/files/users/$user");
}