#!/usr/bin/env ruby

=begin

Check state of asf-banned accounts.

An account that is asf-banned due to deceased/opted out should have:
- asf-banned = yes
- loginShell = /usr/bin/false
- neither of the following attributes exist: host sshPublicKey

=end

$LOAD_PATH.unshift '/srv/whimsy/lib'

require 'whimsy/asf'
require 'whimsy/asf/mlist'
require 'wunderbar'

EXPECTED_SHELL='/usr/bin/false'
NOSHELL = %w{/usr/bin/false /bin/false /home/striker/bin/no-cla /usr/sbin/nologin /bin/nologin /sbin/nologin}

CHECKS = {
  'asf-banned' => 'yes',
  'loginShell' => EXPECTED_SHELL,
  'host' => nil,
  'sshPublicKey' => nil,
}

def singleton(attr)
  return attr.first if attr&.size == 1
  attr
end

# banned or false?
ATTRS=%w{uid cn asf-banned loginShell host sshPublicKey modifiersName modifyTimestamp createTimestamp}

if ENV['QUERY_STRING'].include? 'checkShell'
  CHECKSHELL = true
  logins=NOSHELL.map{|k| "(loginshell=#{k})"}.join('')
  FILTER = "(|(asf-banned=*)#{logins})"
else
  FILTER = '(asf-banned=*)'
  CHECKSHELL = false
end

_html do
  _style %{
    .error {background-color: yellow}
    table, th, td {border: 1px solid black}
    td {padding: 3px 6px}
    tr:hover td {background-color: azure}
    th {background-color: #a0ddf0}
  }

  _h1 'LDAP banned checks'

  _p %{
    This script compares the LDAP settings for asf-banned, loginShell and host.
    If asf-banned is set, it is expected to equal 'yes', and loginShell should be #{EXPECTED_SHELL}.
    Also host and sshPublicKey should be empty.
  }
  if CHECKSHELL
    _p %{
      Likewise, if loginShell is one of #{NOSHELL.join(' ')}, asf-banned should probably be 'yes', and the other two fields empty.
    }
  else
    _p do
      _a 'Append "?checkShell"', href: "#{ENV['SCRIPT_NAME']}?checkShell"
      _ " to the URL to check against loginShell in one of #{NOSHELL.join(' ')}"
    end
  end

  _table do
    _tr do
      _th 'UID'
      _th 'Name'
      _th 'asf-banned?'
      _th 'loginShell'
      _th 'Host'
      _th 'sshPublicKey count'
      _th 'Created'
      _th 'LastModified'
      _th 'ModifiedBy'
    end

    banned = ASF::Person.ldap_search(FILTER,ATTRS)
    banned.sort_by {|h| h['uid']}.each do |attrs|
      errs = {}
      CHECKS.each do |k,v|
        attr = attrs[k]
        if v.nil? # special handling
          errs[k] = 'error' unless attr.nil?
        else
          errs[k] = 'error' unless singleton(attr) == v
        end
      end
      if errs.size > 0 # Found an error
        _tr do
          uid = singleton attrs['uid']
          _td do
            _a uid, href: "https://whimsy.apache.org/roster/committer/#{uid}"
          end
          _td singleton attrs['cn']
          _td singleton(attrs['asf-banned']), class: errs['asf-banned']
          _td singleton(attrs['loginShell']), class: errs['loginShell']
          _td attrs['host']&.join(','), class: errs['host']
          _td attrs['sshPublicKey']&.size, class: errs['sshPublicKey']
          _td singleton attrs['createTimestamp']
          _td singleton attrs['modifyTimestamp']
          _td singleton attrs['modifiersName']
        end
      end
    end
  end

end