#!/bin/ksh

# $Id: saml2bulkfed,v 1.3 2006/01/17 22:21:09 vs125812 Exp $
# Copyright  2006 Sun Microsystems, Inc. All rights reserved.
# 
# SUN PROPRIETARY/CONFIDENTIAL.
# 
# U.S. Government Rights - Commercial software. Government users are subject to
# the Sun Microsystems, Inc. standard license agreement and applicable
# provisions of the FAR and its supplements.
# 
# Use is subject to license terms. Sun, Sun Microsystems, the Sun logo and Java
# are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S.
# and other countries. All SPARC trademarks are used under license and are
# trademarks or registered trademarks of SPARC International, Inc. in the U.S.
# and other countries.
# 
# UNIX is a registered trademark in the U.S. and other countries, exclusively
# licensed through X/Open Company, Ltd.
# 
# Copyright  2006 Sun Microsystems, Inc. Tous droits rservs.
# 
# Proprit de SUN/CONFIDENTIEL.
# 
# L'utilisation est soumise aux termes du contrat de licence.Sun, Sun
# Microsystems, le logo Sun et Java sont des marques de fabrique ou des marques
# dposes de Sun Microsystems, Inc. aux Etats-Unis et dans d'autres pays.
# 
# Toutes les marques SPARC sont utilises sous licence et sont des marques de
# fabrique ou des marques dposes de SPARC International, Inc. aux Etats-Unis
# et dans d'autres pays.
# 
# UNIX est une marque dpose aux Etats-Unis et dans d'autres pays et licencie
# exlusivement par X/Open Company, Ltd.

#########################################################################
#
# This is a convenient script for federating SAMLv2 users in a bulk manner.
#
# The script assumes that the backend user database is LDAP compliant
# and the Sun Java System Access Manager  or the Sun Java System Federation
# Manager as the federation SAML version 2 software provider. 
#
# This script expects userdn mappins file as the primary input for creating
# federation data for the users specified in the file. The userdns must be
# separated by "|" and must be in the order of localuser followed by a 
# remote user. 
# For e.g.
#   uid=spuser,dc=iplanet,dc=com | uid=idpuser,dc=iplanet,dc=com
#
# This script generates unique random identifiers for each user mapping
# and creates four different files namely:
#     localnameidentifiers.txt, remotenameidentifiers.txt,
#     localuserdata.ldif and remoteuserdata.ldif. 
#
# This will also load federation data (localuserdata.ldif file) locally.
#
# The remoteuserdata.ldif will also be kept locally for 
# convenient loading using ldapmodify command if the remote provider is 
# also an AccessManager instance.
#
# If the remote provider is not an access manager instance, the generated files
# localnameidentifies.txt/remotenameidentifies.txt can be exchanged to the 
# remote party so that it can generate federation/user specific data based on
# this input.
# 
#########################################################################

BASE=BASEDIR/PRODUCT_DIR
gettext=/bin/gettext
ECHO=/bin/echo
RM=/bin/rm
CP=/bin/cp
MV=/bin/mv
OMIT='\c'
LDAPMODIFY=/bin/ldapmodify
GENERATE_LDIF=$BASE/saml2/lib/saml2GenerateLDIF.pl
GENERATE_NI=$BASE/saml2/lib/saml2GenerateNI.pl

pdir=`dirname $0`

checkldapmodify() {
  if [ ! -f $LDAPMODIFY ]; then
	print "`$gettext 'ldapmodify command path is not correct.'`"
	print "`$gettext 'please set the ldapmodify correctly..'`"
	exit 1
  fi
}


display_help() {
   $ECHO "`$gettext 'Usage: ' `"
   $ECHO "`$gettext '   ' `$0 [ -u | --user  ] [ -w | --passfile  ] [ -h | --host ] [ -p | --port ] [ -t | --role ] [ -l | --hostid ] [ -r | --remoteid ]  [-f | --file]"
   $ECHO
   $ECHO "`$gettext 'Where:'`"
   $ECHO "`$gettext '    -f, --file`"
   $ECHO "`$gettext '          Flat file that contains userDN mappings for `"
   $ECHO "`$gettext '          the spusers and idpusers separated by | . `"
   $ECHO "`$gettext '    -u, --user'`"
   $ECHO "`$gettext '          Administrative userdn in LDAP server who has '`"
   $ECHO "`$gettext '          write priveleges for modifying user entries '`"
   $ECHO "`$gettext '    -w, --passfile` "
   $ECHO "`$gettext '          Password file` "
   $ECHO "`$gettext '    -t, --role` "
   $ECHO "`$gettext '          Host entity role. It must be either IDP or SP` "
   $ECHO "`$gettext '    -h, --host`"
   $ECHO "`$gettext '          LDAP Server HostName. Assumes localhost if not present. `"
   $ECHO "`$gettext '    -p, --port`"
   $ECHO "`$gettext '          LDAP Server Port. Assumes localport if not present. `"
   $ECHO "`$gettext '    -l, --hostid  `"
   $ECHO "`$gettext '          Host Provider Entity ID`"
   $ECHO "`$gettext '    -r, --remoteid`"
   $ECHO "`$gettext '          Remote Provider Entity ID `"
   $ECHO 
   $ECHO "`$gettext 'Options:`"
   $ECHO "`$gettext '    -H, --help`"
   $ECHO "`$gettext '          Print Help(this message) and exit. `"
   $ECHO "`$gettext '    -V, --version `"
   $ECHO "`$gettext '          Prints Version `"
}

display_version() {
   cat $pdir/../lib/version
}

get_password() {
   while [ 1 ]
   do
     eval $ECHO "`$gettext 'Enter user password : ${OMIT}'`" 
     stty -echo
     read password
     $ECHO
     eval $ECHO "`$gettext 'Re-enter user password : ${OMIT}'`" 
     stty -echo
     read password1
     $ECHO
     if [ $password = $password1 ];then
          return
     else
       $ECHO "\a`$gettext 'Password does not match!'`"
     fi
   done
}



# Main starts here.
role=""
user=""
pfile=""
file=""
host=""
port=""
hostentityid=""
remoteentityid=""

if [ $# -eq 0 ]
then
   display_help 
   exit 1
fi


while [ $# -ne 0 ]
do
   case "$1" in
       "-t" | "--role")
           if [ "$2" != "SP" ] && [ "$2" != "IDP" ]; then
              display_help
              exit 1
           else
              role=$2
           fi 
           shift
           ;;

       "-u" | "--user")
          if [ "$2" = "" ]; then
              display_help
              exit 1
          fi
          user=$2
          shift
          ;;

       "-w" | "--passfile")
          if [ "$2" = "" ]; then
               display_help
               exit 1
          fi 
          pfile=$2
          shift
          ;;

       "-h" | "--host")
          if [ "$2" = "" ]; then
               display_help
               exit 1
          fi 
          host=$2
          shift
          ;;

       "-p" | "--port")
          if [ "$2" = "" ]; then
               display_help
               exit 1
          fi 
          port=$2
          shift
          ;;

        "-V" | "--version")
          display_version
          exit 0
          shift
          ;;

        "-l" | "--hostid")
          if [ "$2" = "" ]; then
               display_help
               exit 1
          fi 
          hostentityid=$2
          shift
          ;;

        "-r" | "--remoteid")
          if [ "$2" = "" ]; then
               display_help
               exit 1
          fi 
          remoteentityid=$2
          shift
          ;;

        "-f" | "--file")
          if [ "$2" = "" ]; then
               display_help
               exit 1
          fi 
          file=$2
          shift
          ;;
    *)
       display_help
       exit 1
       ;;
   esac
shift
done

if [ "$pfile" = "" ]; then
     get_password
else
    password=`cat $pfile`
    if [ $? != 0 ]; then
         exit 1
    fi
fi


# Check for the non-null values
if [ "$remoteentityid" = "" ] && [ "$hostentityid" = "" ]; then
      display_help
      exit 1
fi

if [ "$host" = "" ]; then
     host="localhost" 
fi

if [ "$port" = "" ]; then
     port="389" 
fi

if [ "$file" = "" ] && [ "$user" = "" ] && [ "$password" = "" ]; then
      display_help
      exit 1
fi

if [ ! -f $GENERATE_NI ] && [ ! -f $GENERATE_LDIF ]; then
     print "\a `$gettext 'Missing saml2GenerateNI.pl and saml2GenerateLDIF.pl scripts'`"
     exit 1
fi

checkldapmodify

print "\n"
print "`$gettext 'Generating name identifier mappings ..'`"
print "\n"

$GENERATE_NI $file
if [ $? != 0 ]; then
   print "\a `$gettext 'Failed in generating name identifier mappings'`"
   exit 1
fi
if [ -f userdata.ldif ]; then
        $RM userdata.ldif
fi

print "`$gettext 'Generating LDIF files ..'`"
print "\n"
$GENERATE_LDIF localnameidentifiers.txt $hostentityid $remoteentityid $role 
if [ $? != 0 ]; then
     print "\a `$gettext 'Failed in generating LOCAL LDIF files'`"
     exit 1
fi

if [ -f userdata.ldif ]; then
    $MV userdata.ldif localuserdata.ldif
fi

# This is for the remote party consumption. Just generate LDIF incase if the
# remote party is an access manager/federation manager can leverage this
# generated ldif file.

if [ "$role" = "SP" ]
then
     role="IDP"
else
     role="SP"
fi

$GENERATE_LDIF remotenameidentifiers.txt $remoteentityid $hostentityid $role
if [ $? != 0 ]; then
     print "\a `$gettext 'Failed in generating REMOTE LDIF files'`"
     exit 1
fi

if [ -f userdata.ldif ]; then
    $MV userdata.ldif remoteuserdata.ldif
fi

# Update user accounts locally.
print "`$gettext 'Updating user accounts ..'`"
print "\n"
$LDAPMODIFY -D "$user" -w "$password" -h $host -p $port -c -f localuserdata.ldif
if [ $? != 0 ]; then
     print "\a `$gettext 'Failed in modifying users data'`"
     exit 1
fi
