authorCullum Smith <cullum@sacredheartsc.com>2024-08-02 19:10:39 -0400
committerCullum Smith <cullum@sacredheartsc.com>2024-08-02 19:10:39 -0400
commitcbcd022f302adc39ecb89fba6faf72e68184c0e0 (patch)
treea5ab154e08fa3c4fa110b09d3475736c66840c8b /lib
parentceb339370d7a0cc4a83fe54103a650dfb3f72261 (diff)
downloadinfrastructure-cbcd022f302adc39ecb89fba6faf72e68184c0e0.tar.gz
halfway working idm server and laptop hostclasses
Diffstat (limited to 'lib')
-rw-r--r--lib/10-core29
-rw-r--r--lib/60-ldap56
2 files changed, 78 insertions, 7 deletions
diff --git a/lib/10-core b/lib/10-core
index a97340d..bd4e80a 100644
--- a/lib/10-core
+++ b/lib/10-core
@@ -81,6 +81,19 @@ _boxconf_decrypt(){
fi
}
+_boxconf_decrypt_key(){
+ # Decrypt an OpenSSL key file using the vault password.
+ # $1 = encrypted key file
+ # $2 = plaintext output file (or stdout if unset)
+ _boxconf_get_vault_password
+
+ if [ $# -gt 1 ]; then
+ PASS=$BOXCONF_VAULT_PASSWORD openssl ec -in "$1" -out "$2" -passin env:PASS
+ else
+ PASS=$BOXCONF_VAULT_PASSWORD openssl ec -in "$1" -passin env:PASS
+ fi
+}
+
_boxconf_is_encrypted(){
# Check if a given file is encrypted.
head -n1 "$1" | grep -q '^Salted__'
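Review bot: `_boxconf_decrypt_key` calls `openssl ec`, which only loads EC keys, while the caller in `_boxconf_stage` routes every file whose first line is `-----BEGIN ENCRYPTED PRIVATE KEY-----` (a PKCS#8 header that is algorithm-agnostic) to it, so an encrypted RSA or Ed25519 key would fail with "unable to load Key" during staging. `openssl pkey` reads any key type and accepts the same `-passin env:PASS`, so both branches can become `PASS=$BOXCONF_VAULT_PASSWORD openssl pkey -in "$1" -out "$2" -passin env:PASS` and `PASS=$BOXCONF_VAULT_PASSWORD openssl pkey -in "$1" -passin env:PASS`; the header comment should then say it accepts any PKCS#8-encrypted key. The plaintext written to `$2` gets whatever mode the current umask allows; if `_boxconf_decrypt` (mostly outside this hunk) does not already tighten the umask for stage output, a `umask 077` at the start of `_boxconf_stage` would cover both helpers.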
@@ -144,7 +157,7 @@ _boxconf_stage(){
set -f
_bcs_relevant_files=$(find -L "$BOXCONF_ROOT" -type f -and \( \
-path "${BOXCONF_CA_DIR}/ca.crt" \
- -or -path "${BOXCONF_CA_DIR}/${_bcs_hostname}" \
+ -or -path "${BOXCONF_CA_DIR}/${_bcs_hostname}/*" \
-or -path "${BOXCONF_VAR_DIR}/common" \
-or -path "${BOXCONF_VAR_DIR}/common/*" \
-or -path "${BOXCONF_VAR_DIR}/os/*" \
@@ -202,18 +215,20 @@ _boxconf_stage(){
set -- $_bcs_relevant_files
IFS=$OIFS
- for _bc_stage_fullpath; do
+ for _bcs_fullpath; do
# Calculate the file's path relative to the BOXCONF_ROOT.
- _bc_stage_relpath=${_bc_stage_fullpath#${BOXCONF_ROOT}/}
+ _bcs_relpath=${_bcs_fullpath#${BOXCONF_ROOT}/}
# Create the file's parent directories (if any) in the stage dir.
- mkdir -p "${_bcs_stagedir}/$(dirname "$_bc_stage_relpath")"
+ mkdir -p "${_bcs_stagedir}/$(dirname "$_bcs_relpath")"
# Copy the file to the stage dir, decrypting if necessary.
- if _boxconf_is_encrypted "$_bc_stage_fullpath"; then
- _boxconf_decrypt "$_bc_stage_fullpath" "${_bcs_stagedir}/${_bc_stage_relpath}"
+ if _boxconf_is_encrypted "$_bcs_fullpath"; then
+ _boxconf_decrypt "$_bcs_fullpath" "${_bcs_stagedir}/${_bcs_relpath}"
+ elif head -n1 "$_bcs_fullpath" | grep -Fxq -- '-----BEGIN ENCRYPTED PRIVATE KEY-----'; then
+ _boxconf_decrypt_key "$_bcs_fullpath" "${_bcs_stagedir}/${_bcs_relpath}"
else
- cp -p "$_bc_stage_fullpath" "${_bcs_stagedir}/${_bc_stage_relpath}"
+ cp -p "$_bcs_fullpath" "${_bcs_stagedir}/${_bcs_relpath}"
fi
done
}
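Review bot: The new `elif` inlines a `head -n1 | grep -Fxq` probe while the sibling check one line above goes through the `_boxconf_is_encrypted` helper; for symmetry and so the detection rule lives in one place, add `_boxconf_is_encrypted_key(){ head -n1 "$1" | grep -Fxq -- '-----BEGIN ENCRYPTED PRIVATE KEY-----'; }` beside `_boxconf_is_encrypted` and write `elif _boxconf_is_encrypted_key "$_bcs_fullpath"; then` here. Only the PKCS#8 header is recognised; a key in traditional PEM format (`-----BEGIN EC PRIVATE KEY-----` followed by `Proc-Type: 4,ENCRYPTED`) would fall through to the plain `cp -p` branch and be staged still encrypted, which is worth a comment on the helper if such files can exist in the repo. `_boxconf_stage` begins before this hunk.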
diff --git a/lib/60-ldap b/lib/60-ldap
new file mode 100644
index 0000000..bc5bcff
--- /dev/null
+++ b/lib/60-ldap
@@ -0,0 +1,56 @@
+#!/bin/sh
+
+ldap_add(){
+ # Add a DN if it doesn't already exist. Takes ldif-formatted attributes on stdin.
+ # $1 = the DN
+ _ldap_add_dn=$1; shift
+ if ldapsearch -QLLL -s base -b "$_ldap_add_dn" dn > /dev/null 2>&1; then
+ log "${_ldap_add_dn} already exists"
+ else
+ { printf 'dn: %s\n' "$_ldap_add_dn"; cat; } | ldapadd -Q "$@"
+ fi
+}
+
+ldap_modify(){
+ # Modify a DN. Takes ldif-formatted attributes on stdin.
+ # $1 = the DN
+ _ldap_modify_dn=$1; shift
+ { printf 'dn: %s\nchangetype: modify\n' "$_ldap_modify_dn"; cat; } | ldapmodify -Q "$@"
+}
+
+ldap_delete(){
+ # Delete a DN.
+ # $1 = the DN
+ ldapdelete -Q "$@"
+}
+
+ldap_add_attribute(){
+ # Add a single attribute value to an object if it's not already present.
+ # $1 = DN
+ # $2 = attribute
+ # $3 = value
+ ldap_search -b "$1" -s base "(${2}=${3})" dn | grep -q '^dn:' || ldap_modify "$1" <<EOF
+add: ${2}
+${2}: ${3}
+EOF
+}
+
+ldap_replace_attribute(){
+ # Replace all values for a single attribute.
+ # $1 = DN
+ # $2 = attribute
+ # $3..$N = values
+ _ldap_replattr_dn=$1; shift
+ _ldap_replattr_attr=$1; shift
+
+ ldap_modify "$_ldap_replattr_dn" <<EOF
+replace: ${ldap_replattr_attr}
+$(printf "${ldap_replattr_attr}: %s\n" "$@")
+EOF
+}
+
+ldap_rdn_value(){
+ # Get the leftmost attribute value from a DN.
+ # $1 = DN
+ echo "$1" | sed -E 's/^[^=]+=([^,]+),.*$/\1/'
+}
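Review bot: In `ldap_replace_attribute` the variable assigned is `_ldap_replattr_attr` but the heredoc expands `${ldap_replattr_attr}` (no leading underscore), so the generated LDIF reads `replace: ` and `: value` and ldapmodify will reject it; the attribute name is also spliced into the printf format string rather than passed as an argument. Change the two heredoc lines to `replace: ${_ldap_replattr_attr}` and `$(for _v; do printf '%s: %s\n' "$_ldap_replattr_attr" "$_v"; done)`. In `ldap_add_attribute`, `ldap_search` is not defined in this file (the other helpers call `ldapsearch` directly), and `$3` is placed raw in the filter `(${2}=${3})`, so a value containing `*`, `(`, `)` or `\` changes the filter's meaning and can make the presence check match spuriously; escape those characters per RFC 4515 (`\2a`, `\28`, `\29`, `\5c`) before building the filter, and use `ldapsearch -QLLL` unless a wrapper of that name exists in another lib file. `ldap_rdn_value` should feed sed with `printf '%s\n' "$1"` rather than `echo` (a DN starting with `-` or containing backslashes is mangled by some `echo` implementations), and its regex returns the whole DN unchanged when the DN has a single RDN, which the comment should state.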