#!/bin/bash

set -ue
PATH="/usr/sbin:/sbin:/usr/bin:/bin"
export PATH

try_reload_apparmor_profile() {
    local apparmor_profile="$1" arch vendor
    local -i rc=0

    apparmor_parser -r -W -T "$apparmor_profile" 2>&1 || rc=$?
    if [ $rc -ne 0 ]; then
        # This can fail on armhf in the Ubuntu DEP8 infrastructure
        # because that environment restricts changing apparmor profiles.
        # (See LP: #2008393)
        arch="$(dpkg --print-architecture)"
        vendor="$(dpkg-vendor --query Vendor)"
        if [ "$arch" = "armhf" ] && [ "$vendor" = "Ubuntu" ]; then
            echo "WARNING: Failed to enforce apparmor profile."
            echo "On armhf and Ubuntu DEP8 infrastructure, this is not a fatal error."
            echo "See LP#2008393 for details."
            rc=0
        else
            echo "ERROR: Failed to adjust the slapd apparmor profile for this test."
        fi
    fi
    return $rc
}

for ((i = 0; i < 10; i++)); do
    if [ -S "/run/ldapi" ]; then
        break
    fi
    echo "Waiting for slapd ldapi:// socket..."
    sleep 1
done

apparmor_profile="/etc/apparmor.d/usr.sbin.slapd"
if [ -f "$apparmor_profile" ]; then
    if aa-status --enabled 2>/dev/null; then
        # Adjust apparmor so slapd can read the heimdal master key
        echo " $AUTOPKGTEST_TMP/** rwk, " >> /etc/apparmor.d/local/usr.sbin.slapd
        try_reload_apparmor_profile "$apparmor_profile"
    fi
fi

# see tests/HOWTO_SETUP_OPENLDAP_TESTCASE.txt and tests/ldapconfig.ini.dist
SLAPD_ADDRESS="127.0.0.1"
SLAPD_PORT=389
BASEDN="dc=example,dc=com"
ROOTDN="cn=admin,$BASEDN"
ROOTPW="test"

DBDIR="$(mktemp --tmpdir="$AUTOPKGTEST_TMP" --directory ldap.XXXXXXXXXX)"
openssl genrsa -out "$AUTOPKGTEST_TMP/ldap.key"
openssl req -x509 \
    -key "$AUTOPKGTEST_TMP/ldap.key" \
    -subj "/CN=localhost" \
    -addext "subjectAltName=IP:$SLAPD_ADDRESS" \
    -out "$AUTOPKGTEST_TMP/ldap.pem"
chown openldap: -- "$DBDIR" "$AUTOPKGTEST_TMP/ldap.key"
chmod og-rwx    -- "$DBDIR" "$AUTOPKGTEST_TMP/ldap.key"

# configure certificates for STARTTLS
ldapmodify -Y EXTERNAL -H ldapi:/// -Q <<-EOF
	dn: cn=config
	changetype: modify
	replace: olcTLSCACertificateFile
	olcTLSCACertificateFile: $AUTOPKGTEST_TMP/ldap.pem
	-
	replace: olcTLSCertificateFile
	olcTLSCertificateFile: $AUTOPKGTEST_TMP/ldap.pem
	-
	replace: olcTLSCertificateKeyFile
	olcTLSCertificateKeyFile: $AUTOPKGTEST_TMP/ldap.key
EOF

# configure new database with $BASEDN as suffix
ldapadd -Y EXTERNAL -H ldapi:/// -Q <<-EOF
	dn: olcDatabase=mdb,cn=config
	objectClass: olcDatabaseConfig
	objectClass: olcMdbConfig
	olcDbDirectory: $DBDIR
	olcSuffix: $BASEDN
	olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
	olcAccess: {1}to * by * read
	olcRootDN: $ROOTDN
	olcRootPW: $ROOTPW
	olcDbIndex: objectClass eq
	olcDbIndex: cn,uid eq
	olcDbIndex: uidNumber,gidNumber eq
	olcDbIndex: member,memberUid eq
EOF

# populate database with test data
ldapadd -D "$ROOTDN" -w "$ROOTPW" -H ldapi:/// \
    -f tests/ldif_data/base.ldif
ldapadd -D "$ROOTDN" -w "$ROOTPW" -H ldapi:/// \
    -f tests/ldif_data/INITIAL_TESTDATA.ldif

# dump database (using STARTTLS to make sure that works)
cat >>/etc/ldap/ldap.conf <<-EOF
	TLS_CACERT $AUTOPKGTEST_TMP/ldap.pem
	TLS_REQCERT hard
EOF
ldapsearch -D "$ROOTDN" -w "$ROOTPW" -H "ldap://$SLAPD_ADDRESS:$SLAPD_PORT/" \
    -LLZZ -b "$BASEDN"

# configure the test suite
cp -vfT tests/ldapconfig.ini.dist tests/ldapconfig.ini
sed -ri "s/^(\\s*server_cap_tls)\\s*=.*/\\1 = true/;
         s/^(\\s*server_address)\\s*=.*/\\1 = $SLAPD_ADDRESS/;
         s/^(\\s*server_port)\\s*=.*/\\1 = $SLAPD_PORT/" \
        tests/ldapconfig.ini
cat tests/ldapconfig.ini

# the test suite tries to connect to 0.0.0.1 and 0.0.0.2 in order to
# test the fallback logic, so nullroute these so we don't have to wait
# for the timeout
ip route add blackhole "0.0.0.0/30"

cd ./tests
${AUTOPKGTEST_NORMAL_USER+runuser -u "$AUTOPKGTEST_NORMAL_USER" --} phpunit \
    --no-configuration --cache-result-file=../.phpunit.result.cache --fail-on-skipped .
