From cd1ce69f104686bbb33e049c2c4c112e78febd36 Mon Sep 17 00:00:00 2001
From: Cullum Smith
Date: Wed, 25 Sep 2024 21:38:13 -0400
Subject: finish idm client stuff
---
 lib/40-user | 111 ++++++++++++++++++++++++++++++++++++--------------------
 lib/60-kerberos | 51 ++++++++++++++++++++++++++
 lib/60-ldap | 30 ++++++++++++---
 3 files changed, 147 insertions(+), 45 deletions(-)
 create mode 100644 lib/60-kerberos
(limited to 'lib')
diff --git a/lib/40-user b/lib/40-user
index 305fab6..bb3fc05 100644
--- a/lib/40-user
+++ b/lib/40-user
@@ -29,61 +29,92 @@ add_user(){ # Add a local user if it doesn't exist. # options: mostly same as `pw useradd` # $1 = username - _bcalu_homedir_mode=700 - _bcalu_create_homedir= - _bcalu_homedir= - _bcalu_comment= - _bcalu_shell=/sbin/nologin - _bcalu_pgroup= - _bcalu_grouplist= - _bcalu_uid= - _bcalu_password= - - while getopts c:d:G:g:mM:p:s:u: _bcalu_opt; do - case $_bcalu_opt in - c) _bcalu_comment=$OPTARG ;; - d) _bcalu_homedir=$OPTARG ;; - G) _bcalu_grouplist=$OPTARG ;; - g) _bcalu_pgroup=$OPTARG ;; - M) _bcalu_homedir_mode=$OPTARG ;; - m) _bcalu_create_homedir=true ;; - p) _bcalu_password=$OPTARG ;; - s) _bcalu_shell=$OPTARG ;; - u) _bcalu_uid=$OPTARG ;; + _bcau_homedir_mode=700 + _bcau_create_homedir= + _bcau_homedir= + _bcau_comment= + _bcau_shell=/sbin/nologin + _bcau_pgroup= + _bcau_grouplist= + _bcau_uid= + _bcau_password= + + while getopts c:d:G:g:mM:p:s:u: _bcau_opt; do + case $_bcau_opt in + c) _bcau_comment=$OPTARG ;; + d) _bcau_homedir=$OPTARG ;; + G) _bcau_grouplist=$OPTARG ;; + g) _bcau_pgroup=$OPTARG ;; + M) _bcau_homedir_mode=$OPTARG ;; + m) _bcau_create_homedir=true ;; + p) _bcau_password=$OPTARG ;; + s) _bcau_shell=$OPTARG ;; + u) _bcau_uid=$OPTARG ;; esac done shift $((OPTIND - 1)) - _bcalu_username=$1 - : ${_bcalu_homedir:="/home/${_bcalu_username}"} - : ${_bcalu_comment:="${_bcalu_username} user"} + _bcau_username=$1 + : ${_bcau_homedir:="/home/${_bcau_username}"} + : ${_bcau_comment:="${_bcau_username} user"} case $BOXCONF_OS in freebsd) - if pw usershow "$_bcalu_username" > /dev/null 2>&1; then - log "local user ${_bcalu_username} already exists" + if pw usershow "$_bcau_username" > /dev/null 2>&1; then + log "local user ${_bcau_username} already exists" return 0 fi pw useradd \ - -n "$_bcalu_username" \ - -c "$_bcalu_comment" \ - -s "$_bcalu_shell" \ - -M "$_bcalu_homedir_mode" \ - -d "$_bcalu_homedir" \ - ${_bcalu_create_homedir:+-m} \ - ${_bcalu_grouplist:+-G ${_bcalu_grouplist}} \ - ${_bcalu_pgroup:+-g ${_bcalu_pgroup}} \ - 
${_bcalu_uid:+-u ${_bcalu_uid}} - - log "added local user ${_bcalu_username}" + -n "$_bcau_username" \ + -c "$_bcau_comment" \ + -s "$_bcau_shell" \ + -M "$_bcau_homedir_mode" \ + -d "$_bcau_homedir" \ + ${_bcau_create_homedir:+-m} \ + ${_bcau_grouplist:+-G ${_bcau_grouplist}} \ + ${_bcau_pgroup:+-g ${_bcau_pgroup}} \ + ${_bcau_uid:+-u ${_bcau_uid}} + + log "added local user ${_bcau_username}" ;; *) - die "add_local_user unimplemented for ${BOXCONF_OS}" + die "add_user unimplemented for ${BOXCONF_OS}" ;; esac - if [ -n "${_bcalu_password}" ]; then - set_password "$_bcalu_user" "$_bcalu_password" + if [ -n "${_bcau_password}" ]; then + set_password "$_bcau_user" "$_bcau_password" fi } + +add_group(){ + # Add a local group if it doesn't exist. + # options: mostly same as `pw groupadd` + # $1 = groupname + _bcag_gid= + + while getopts g: _bcag_opt; do + case $_bcag_opt in + g) _bcag_gid=$OPTARG ;; + esac + done + shift $((OPTIND - 1)) + + _bcag_groupname=$1 + + case $BOXCONF_OS in + freebsd) + if pw groupshow "$_bcag_groupname" > /dev/null 2>&1; then + log "local group ${_bcag_groupname} already exists" + return 0 + fi + + pw groupadd -n "$_bcag_groupname" ${_bcag_gid:+-g ${_bcag_gid}} + log "added local group ${_bcag_groupname}" + ;; + *) + die "add_group unimplemented for ${BOXCONF_OS}" + ;; + esac +} diff --git a/lib/60-kerberos b/lib/60-kerberos new file mode 100644 index 0000000..a323e94 --- /dev/null +++ b/lib/60-kerberos 
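Review bot: The final `set_password "$_bcau_user" "$_bcau_password"` in add_user reads `_bcau_user`, which nothing in the function assigns — the name is held in `_bcau_username` — so whenever `-p` is given, set_password receives an empty first argument; the rename carried the old `_bcalu_user` typo across unchanged, and the line should read `set_password "$_bcau_username" "$_bcau_password"`. Neither add_user nor the new add_group sets `OPTIND=1` before its `getopts` loop; in a POSIX sh OPTIND is a shell-wide variable, so unless every caller resets it the second invocation in one process would start parsing at a stale index and silently ignore its options, and the fix is an `OPTIND=1` line ahead of each `while getopts`. add_user's opening `add_user(){` line precedes the hunk.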
@@ -0,0 +1,51 @@
+#!/bin/sh
+
+_boxconf_kadmin() {
+ case $BOXCONF_OS in
+ freebsd) _boxconf_kadmin=/usr/local/bin/kadmin ;;
+ *) _boxconf_kadmin=kadmin ;;
+ esac
+
+ "$_boxconf_kadmin" -p "$boxconf_username" -w "$boxconf_password" "$@"
+}
+
+_boxconf_kinit(){
+ case $BOXCONF_OS in
+ freebsd) /usr/local/bin/kinit "$@" ;;
+ *) kinit "$@" ;;
+ esac
+}
+
+add_principal(){
+ # Create a kerberos principal, if it doesn't already exist.
+ # Arguments are the same as MIT kadmin' add_principal.
+ # Final argument must be the principal name.
+ eval "_kap_princ=\$$#"
+ _boxconf_kadmin get_principal "$_kap_princ" \
+ || _boxconf_kadmin add_principal "$@"
+}
+
+ktadd(){
+ # Add a principal's keys to a keytab.
+ # Arguments are the same as MIT kadmin's ktadd.
+ _kkta_ktarg=false
+ _kkta_keytab=/etc/krb5.keytab
+ eval "_kkta_princ=\$$#"
+
+ # Extract the keytab argument from $@.
+ for _kkta_arg; do
+ if [ "$_kkta_ktarg" = true ]; then
+ _kkta_keytab=$_kkta_arg
+ break
+ else
+ case $_kkta_arg in
+ -k|-keytab) _kkta_ktarg=true ;;
+ esac
+ fi
+ done
+
+ # Check if we can kinit with the keytab. If not, get fresh keys.
+ if ! _boxconf_kinit -kt "$_kkta_keytab" -c MEMORY: "$_kkta_princ" 2>/dev/null; then
+ _boxconf_kadmin ktadd "$@"
+ fi
+}
diff --git a/lib/60-ldap b/lib/60-ldap
index 37c0c0a..d262849 100644
--- a/lib/60-ldap
+++ b/lib/60-ldap
@@ -4,10 +4,16 @@ ldap_add(){ # Add a DN if it doesn't already exist. Takes ldif-formatted attributes on stdin. # $1 = the DN _ldap_add_dn=$1; shift - if ldapsearch -QLLL -s base -b "$_ldap_add_dn" dn > /dev/null 2>&1; then + if ldap_search -s base -b "$_ldap_add_dn" dn > /dev/null 2>&1; then log "${_ldap_add_dn} already exists" else - { printf 'dn: %s\n' "$_ldap_add_dn"; cat; } | ldapadd -Q "$@" + { printf 'dn: %s\n' "$_ldap_add_dn"; cat; } | { + if [ "${BOXCONF_LDAP_SASL:-}" = true ]; then + ldapadd -Q "$@" + else + ldapadd -ZZ -D "$boxconf_dn" -w "$boxconf_password" "$@" + fi + } fi }
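Review bot: `_boxconf_kadmin` passes the admin password on the command line (`-w "$boxconf_password"`), so for the duration of every kadmin call — one per add_principal and ktadd — it is readable by any local user through the process list. MIT kadmin can authenticate from a credentials cache (`-c`) or a keytab (`-k -t`) instead; acquiring a ticket once with `_boxconf_kinit` into a private cache and passing `-c` to kadmin keeps the secret off argv. The same `-w "$boxconf_password"` pattern is added to ldap_add, ldap_modify, ldap_delete and ldap_search in lib/60-ldap, where the OpenLDAP tools accept `-y passwdfile` for the same purpose. Separately, in add_principal a `get_principal` failure caused by an unreachable KDC or a rejected admin credential falls through the `||` into add_principal, so an authentication or connectivity error is indistinguishable from "principal absent" and is never reported as such.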
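Review bot: The existence check in ldap_add treats every non-zero exit of `ldap_search -s base -b "$_ldap_add_dn" dn > /dev/null 2>&1` as "entry absent", but with stderr discarded a rejected simple bind, a failed StartTLS negotiation under `-ZZ`, or an unreachable server all take that same branch and go on to attempt the add, so the real error only surfaces, if at all, as a confusing ldapadd failure. Only LDAP result 32 (noSuchObject) means the entry is missing; branching on the exit status and aborting with `die` on anything else keeps transport and credential problems from being mistaken for a missing DN. The `ldap_add(){` line itself precedes the hunk.
```shell
  _ldap_add_dn=$1; shift
  # Only LDAP result 32 (noSuchObject) means the DN is absent; any other
  # failure is a bind, TLS or server error and must not trigger an add.
  _ldap_add_rc=0
  ldap_search -s base -b "$_ldap_add_dn" dn > /dev/null 2>&1 || _ldap_add_rc=$?
  case $_ldap_add_rc in
    0)  log "${_ldap_add_dn} already exists" ;;
    32) { printf 'dn: %s\n' "$_ldap_add_dn"; cat; } | {
          # … unchanged: SASL / simple-bind ldapadd branches …
        }
        ;;
    *)  die "ldap_add: could not search for ${_ldap_add_dn}" ;;
  esac
```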
@@ -15,19 +21,33 @@ ldap_modify(){ # Modify a DN. Takes ldif-formatted attributes on stdin. # $1 = the DN _ldap_modify_dn=$1; shift - { printf 'dn: %s\nchangetype: modify\n' "$_ldap_modify_dn"; cat; } | ldapmodify -Q "$@" + { printf 'dn: %s\nchangetype: modify\n' "$_ldap_modify_dn"; cat; } | { + if [ "${BOXCONF_LDAP_SASL:-}" = true ]; then + ldapmodify -Q "$@" + else + ldapmodify -ZZ -D "$boxconf_dn" -w "$boxconf_password" "$@" + fi + } } ldap_delete(){ # Delete a DN. # $1 = the DN - ldapdelete -Q "$@" + if [ "${BOXCONF_LDAP_SASL:-}" = true ]; then + ldapdelete -Q "$@" + else + ldapdelete -ZZ -D "$boxconf_dn" -w "$boxconf_password" "$@" + fi } ldap_search(){ # Perform an LDAP search # $1..$N = same as ldapsearch. - ldapsearch -QLLL "$@" + if [ "${BOXCONF_LDAP_SASL:-}" = true ]; then + ldapsearch -QLLL "$@" + else + ldapsearch -o ldif_wrap=no -LLLZZ -D "$boxconf_dn" -w "$boxconf_password" "$@" + fi } ldap_add_attribute(){ -- cgit v1.2.3
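Review bot: The two branches of ldap_search do not produce the same output format: only the simple-bind branch passes `-o ldif_wrap=no`, so a caller that parses attribute values out of ldap_search output gets wrapped continuation lines when BOXCONF_LDAP_SASL is true and unwrapped lines otherwise. Changing the SASL branch to `ldapsearch -o ldif_wrap=no -QLLL "$@"` makes the two modes interchangeable. The `if [ "${BOXCONF_LDAP_SASL:-}" = true ]` / `-ZZ -D "$boxconf_dn" -w "$boxconf_password"` pair is now copied into ldap_modify, ldap_delete and ldap_search here and into ldap_add above; a single wrapper that takes the tool name as its first argument and appends the bind options would keep the four copies from drifting the way the ldif_wrap option already has. The hunk starts after the `ldap_modify(){` line and stops at the opening line of ldap_add_attribute, whose body is outside it.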