#!/bin/ksh

# Copyright  2005 Sun Microsystems, Inc.  All rights reserved.
#
# Sun Microsystems, Inc. has intellectual property rights relating to
# technology embodied in the product that is described in this document.
# In particular, and without limitation, these intellectual property rights
# may include one or more of the U.S. patents listed at
# http://www.sun.com/patents and one or more additional patents or pending
# patent applications in the U.S. and in other countries.
#
# U.S. Government Rights - Commercial software.  Government users are subject
# to the Sun Microsystems, Inc. standard license agreement and applicable
# provisions of the FAR and its supplements.
#
# Use is subject to license terms.
#
# This distribution may include materials developed by third parties.Sun,
# Sun Microsystems and  the Sun logo are trademarks or registered trademarks
# of Sun Microsystems, Inc. in the U.S. and other countries.  
#
# Copyright  2005 Sun Microsystems, Inc. Tous droits rservs.
# Sun Microsystems, Inc. dtient les droits de proprit intellectuels relatifs
#  la technologie incorpore dans le produit qui est dcrit dans ce document.
# En particulier, et ce sans limitation, ces droits de proprit
# intellectuelle peuvent inclure un ou plus des brevets amricains lists
#  l'adresse http://www.sun.com/patents et un ou les brevets supplmentaires
# ou les applications de brevet en attente aux Etats - Unis et dans les
# autres pays.
#
# L'utilisation est soumise aux termes du contrat de licence.
#
# Cette distribution peut comprendre des composants dvelopps par des
# tierces parties.
#
# Sun,  Sun Microsystems et  le logo Sun sont des marques de fabrique ou des
# marques dposes de Sun Microsystems, Inc. aux Etats-Unis et dans
# d'autres pays.


#########################################################################
#
# This is a convenient script for federating users in a bulk manner.
#
# The script assumes that the backend user database is LDAP compliant
# and the Sun Java System Access Manager as the federation software provider. 
#
# This script expects userdn mappins file as the primary input for creating
# federation data for the users specified in the file. The userdns must be
# separated by "|" and must be in the order of spuser followed by an idpuser. 
# For e.g.
#   uid=spuser,dc=iplanet,dc=com | uid=idpuser,dc=iplanet,dc=com
#
# This script generates unique random identifiers for each user mapping
# and creates four different files namely:
#     spnameidentifiers.txt, idpnameidentifiers.txt,
#     spuserdata.ldif and idpuserdata.ldif. 
#
# This will also load federation data (*.ldif file) locally based on the
# given provider role. For e.g. if the local provider role is "SP", this
# will load spuserdata.ldif locally or idpuserdata.ldif for IDP role.
#
# The idpuserdata.ldif/spuserdata.ldif files  will also be stored locally for 
# convenient loading using ldapmodify command if the remote provider is 
# also an AccessManager instance.
#
# If the remote provider is not an access manager instance, the generated files
# spnameidentifies.txt/idpnameidentifies.txt can be exchanged to the second
# party so that it can generate federation/user specific data based on
# this input.
# 
#########################################################################

BASE=BASEDIR/PRODUCT_DIR
gettext=/usr/bin/gettext
ECHO=/usr/bin/echo
RM=/usr/bin/rm
OMIT='\c'
GENERATE_LDIF=$BASE/bin/amGenerateLDIF.pl
GENERATE_NI=$BASE/bin/amGenerateNI.pl
LDAPMODIFY=$BASE/bin/ldapmodify
export LD_LIBRARY_PATH=$BASE/ldaplib/ldapsdk:TAG_NSS_SO_PATH



display_help() {
   $ECHO "`$gettext 'Usage: ' `"
   $ECHO "`$gettext '   ' `$0 [ -u | --user  ] [ -w | --passfile  ] [ -h | --host ] [ -p | --port ] [ -r | --role ] [ -s | --spid ] [ -i | --idpid ]  [-f | --file]"
   $ECHO
   $ECHO "`$gettext 'Where:'`"
   $ECHO "`$gettext '    -f, --file`"
   $ECHO "`$gettext '          Flat file that contains userDN mappings for `"
   $ECHO "`$gettext '          the spusers and idpusers separated by | . `"
   $ECHO "`$gettext '    -u, --user'`"
   $ECHO "`$gettext '          Administrative userdn in LDAP server who has '`"
   $ECHO "`$gettext '          write priveleges for modifying user entries '`"
   $ECHO "`$gettext '    -w, --passfile` "
   $ECHO "`$gettext '          Password file` "
   $ECHO "`$gettext '    -r, --role` "
   $ECHO "`$gettext '          Provider Role. It must be either IDP or SP` "
   $ECHO "`$gettext '    -h, --host`"
   $ECHO "`$gettext '          LDAP Server HostName. Assumes localhost if not present. `"
   $ECHO "`$gettext '    -p, --port`"
   $ECHO "`$gettext '          LDAP Server Port. Assumes localport if not present. `"
   $ECHO "`$gettext '    -s, --spid  `"
   $ECHO "`$gettext '          Service Provider ID `"
   $ECHO "`$gettext '    -i, --idpid`"
   $ECHO "`$gettext '          Identity Provider ID `"
   $ECHO 
   $ECHO "`$gettext 'Options:`"
   $ECHO "`$gettext '    -H, --help`"
   $ECHO "`$gettext '          Print Help(this message) and exit. `"
   $ECHO "`$gettext '    -V, --version `"
   $ECHO "`$gettext '          Prints Version `"
}

display_version() {
   $ECHO "`$gettext 'Sun Java System Access Manager version 2005Q3. `"
}

get_password() {
   while [ 1 ]
   do
     eval $ECHO "`$gettext 'Enter user password : ${OMIT}'`" 
     stty -echo
     read password
     $ECHO
     eval $ECHO "`$gettext 'Re-enter user password : ${OMIT}'`" 
     stty -echo
     read password1
     $ECHO
     if [ $password = $password1 ];then
          return
     else
       $ECHO "\a`$gettext 'Password does not match!'`"
     fi
   done
}



# Main starts here.
role=""
user=""
pfile=""
file=""
host=""
port=""
spproviderid=""
idpproviderid=""

if [ $# -eq 0 ]
then
   display_help 
   exit 1
fi


while [ $# -ne 0 ]
do
   case "$1" in
       "-r" | "--role")
           if [ "$2" != "SP" ] && [ "$2" != "IDP" ]; then
              display_help
              exit 1
           else
              role=$2
           fi 
           shift
           ;;

       "-u" | "--user")
          if [ "$2" = "" ]; then
              display_help
              exit 1
          fi
          user=$2
          shift
          ;;

       "-w" | "--passfile")
          if [ "$2" = "" ]; then
               display_help
               exit 1
          fi 
          pfile=$2
          shift
          ;;

       "-h" | "--host")
          if [ "$2" = "" ]; then
               display_help
               exit 1
          fi 
          host=$2
          shift
          ;;

       "-p" | "--port")
          if [ "$2" = "" ]; then
               display_help
               exit 1
          fi 
          port=$2
          shift
          ;;

        "-V" | "--version")
          display_version
          exit 0
          shift
          ;;

        "-s" | "--spid")
          if [ "$2" = "" ]; then
               display_help
               exit 1
          fi 
          spproviderid=$2
          shift
          ;;

        "-i" | "--idpid")
          if [ "$2" = "" ]; then
               display_help
               exit 1
          fi 
          idpproviderid=$2
          shift
          ;;

        "-f" | "--file")
          if [ "$2" = "" ]; then
               display_help
               exit 1
          fi 
          file=$2
          shift
          ;;
    *)
       display_help
       exit 1
       ;;
   esac
shift
done

if [ "$pfile" = "" ]; then
     get_password
else
    password=`cat $pfile`
fi


# Check for the non-null values
if [ "$idpproviderid" = "" ] && [ "$spproviderid" = "" ]; then
      display_help
      exit 1
fi

if [ "$host" = "" ]; then
     host="localhost" 
fi

if [ "$port" = "" ]; then
     host="389" 
fi

if [ "$file" = "" ] && [ "$user" = "" ] && [ "$password" = "" ]; then
      display_help
      exit 1
fi

if [ ! -f $GENERATE_NI ] && [ ! -f $GENERATE_LDIF ]; then
     print "\a `$gettext 'Missing amGenerateNI.pl and amGenerateLDIF.pl scripts'`"
     exit 1
fi

$GENERATE_NI $file
if [ $? != 0 ]; then
   print "\a `$gettext 'Failed in generating name identifier mappings'`"
   exit 1
fi
if [ -f spuserdata.ldif ]; then
        $RM spuserdata.ldif
fi

if [ -f idpuserdata.ldif ]; then
    $RM idpuserdata.ldif
fi

if [ "$role" = "SP" ]; then
    $GENERATE_LDIF spnameidentifiers.txt $spproviderid $idpproviderid SP
    if [ $? != 0 ]; then
        print "\a `$gettext 'Failed in generating SP LDIF files'`"
        exit 1
    fi
    $GENERATE_LDIF idpnameidentifiers.txt $spproviderid $idpproviderid IDP 
    if [ $? != 0 ]; then
        print "\a `$gettext 'Failed in generating IDP LDIF files'`"
        exit 1
    fi
    $LDAPMODIFY -D "$user" -w "$password" -h $host -p $port -c -f spuserdata.ldif
    if [ $? != 0 ]; then
        print "\a `$gettext 'Failed in modifying spusers data'`"
        exit 1
    fi
    exit 0 
fi

if [ "$role" = "IDP" ];then
    $GENERATE_LDIF idpnameidentifiers.txt $spproviderid $idpproviderid IDP
    if [ $? != 0 ]; then
        print "\a `$gettext 'Failed in generating LDIF files'`"
        exit 1
    fi
    $GENERATE_LDIF spnameidentifiers.txt $spproviderid $idpproviderid SP
    if [ $? != 0 ]; then
        print "\a `$gettext 'Failed in generating SP LDIF files'`"
        exit 1
    fi
    $LDAPMODIFY -D "$user" -w "$password" -h $host -p $port -c -f idpuserdata.ldif 
    if [ $? != 0 ]; then
        print "\a `$gettext 'Failed in modifying idpusers data'`"
        exit 1
    fi
    exit 0 
fi
