/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#include <shadow.h>
#include <stdlib.h>
#include "ldap_common.h"

/* shadow attributes filters */
#define _S_UID                  "uid"
#define _S_USERPASSWORD         "userpassword"
#define _S_LASTCHANGE           "shadowlastchange"
#define _S_MIN                  "shadowmin"
#define _S_MAX                  "shadowmax"
#define _S_WARNING              "shadowwarning"
#define _S_INACTIVE             "shadowinactive"
#define _S_EXPIRE               "shadowexpire"
#define _S_FLAG                 "shadowflag"

#define _F_GETSPNAM             "(&(objectClass=shadowAccount)(uid=%s))"
#define _F_GETSPNAM_SSD         "(&(%%s)(uid=%s))"

static const char *sp_attrs[] = {
        _S_UID,
        _S_USERPASSWORD,
        _S_LASTCHANGE,
        _S_MIN,
        _S_MAX,
        _S_WARNING,
        _S_INACTIVE,
        _S_EXPIRE,
        _S_FLAG,
        (char *)NULL
};

/*
 * _nss_ldap_shadow2str is the data marshaling method for the shadow getXbyY
 * (e.g., getspnam(), getspent()) backend processes. This method is called after
 * a successful ldap search has been performed. This method will parse the
 * ldap search values into the file format.
 * e.g.
 *
 * myname:gaBXNJuz4JDmA:6445::::::
 *
 */

static int
_nss_ldap_shadow2str(ldap_backend_ptr be, nss_XbyY_args_t *argp)
{
        int             nss_result;
        int             buflen = 0;
        int             shadow_update_enabled;
        unsigned long   len = 0L;
        char            *tmp, *buffer = NULL;
        char            *pw_passwd = NULL;
        ns_ldap_result_t        *result = be->result;
        char            **uid, **passwd, **last, **smin, **smax;
        char            **warning, **inactive, **expire, **flag;
        char            *last_str, *min_str, *max_str, *warning_str;
        char            *inactive_str, *expire_str, *flag_str;

        if (result == NULL)
                return (NSS_STR_PARSE_PARSE);
        buflen = argp->buf.buflen;

        nss_result = NSS_STR_PARSE_SUCCESS;
        (void) memset(argp->buf.buffer, 0, buflen);

        uid = __ns_ldap_getAttr(result->entry, _S_UID);
        if (uid == NULL || uid[0] == NULL || (strlen(uid[0]) < 1)) {
                nss_result = NSS_STR_PARSE_PARSE;
                goto result_spd2str;
        }
        len += strlen(uid[0]);

        passwd = __ns_ldap_getAttr(result->entry, _S_USERPASSWORD);
        if (passwd == NULL || passwd[0] == NULL) {
                /*
                 * ACL does not allow userpassword to return or
                 * userpassword is not defined
                 */
                pw_passwd = NOPWDRTR;
        } else if (strcmp(passwd[0], "") == 0) {
                /*
                 * An empty password is not supported
                 */
                nss_result = NSS_STR_PARSE_PARSE;
                goto result_spd2str;
        } else {
                if ((tmp = strstr(passwd[0], "{crypt}")) != NULL ||
                    (tmp = strstr(passwd[0], "{CRYPT}")) != NULL) {
                        if (tmp != passwd[0])
                                pw_passwd = NOPWDRTR;
                        else {
                                pw_passwd = tmp + strlen("{crypt}");
                                if (strcmp(pw_passwd,
                                    NS_LDAP_NO_UNIX_PASSWORD) == 0)
                                        *pw_passwd = '\0';
                        }
                } else {
                /* mark password as not retrievable */
                        pw_passwd = NOPWDRTR;
                }
        }
        len += strlen(pw_passwd);

        /*
         * If shadow update is not enabled, ignore the following
         * password aging related attributes:
         * -- shadowlastchange
         * -- shadowmin
         * -- shadowmax
         * -- shadowwarning
         * -- shadowinactive
         * -- shadowexpire
         * When shadow update is not enabled, the LDAP naming
         * service does not support the password aging fields
         * defined in the shadow structure. These fields, sp_lstchg,
         * sp_min, sp_max, sp_warn, sp_inact, and sp_expire,
         * will be set to -1 by the front end marshaller.
         */

        shadow_update_enabled = __ns_ldap_is_shadow_update_enabled();
        if (shadow_update_enabled) {
                last = __ns_ldap_getAttr(result->entry, _S_LASTCHANGE);
                if (last == NULL || last[0] == NULL)
                        last_str = _NO_VALUE;
                else
                        last_str = last[0];
                len += strlen(last_str);

                smin = __ns_ldap_getAttr(result->entry, _S_MIN);
                if (smin == NULL || smin[0] == NULL)
                        min_str = _NO_VALUE;
                else
                        min_str = smin[0];
                len += strlen(min_str);

                smax = __ns_ldap_getAttr(result->entry, _S_MAX);
                if (smax == NULL || smax[0] == NULL)
                        max_str = _NO_VALUE;
                else
                        max_str = smax[0];
                len += strlen(max_str);

                warning = __ns_ldap_getAttr(result->entry, _S_WARNING);
                if (warning == NULL || warning[0] == NULL)
                        warning_str = _NO_VALUE;
                else
                        warning_str = warning[0];
                len += strlen(warning_str);

                inactive = __ns_ldap_getAttr(result->entry, _S_INACTIVE);
                if (inactive == NULL || inactive[0] == NULL)
                        inactive_str = _NO_VALUE;
                else
                        inactive_str = inactive[0];
                len += strlen(inactive_str);

                expire = __ns_ldap_getAttr(result->entry, _S_EXPIRE);
                if (expire == NULL || expire[0] == NULL)
                        expire_str = _NO_VALUE;
                else
                        expire_str = expire[0];
                len += strlen(expire_str);
        }

        flag = __ns_ldap_getAttr(result->entry, _S_FLAG);
        if (flag == NULL || flag[0] == NULL)
                flag_str = _NO_VALUE;
        else
                flag_str = flag[0];

        /* 9 = 8 ':' + 1 '\0' */
        len += strlen(flag_str) + 9;

        if (len > buflen) {
                nss_result = NSS_STR_PARSE_ERANGE;
                goto result_spd2str;
        }

        if (argp->buf.result != NULL) {
                be->buffer = calloc(1, len);
                if (be->buffer == NULL) {
                        nss_result = NSS_STR_PARSE_PARSE;
                        goto result_spd2str;
                }
                buffer = be->buffer;
        } else
                buffer = argp->buf.buffer;

        if (shadow_update_enabled) {
                (void) snprintf(buffer, len, "%s:%s:%s:%s:%s:%s:%s:%s:%s",
                    uid[0], pw_passwd, last_str, min_str, max_str, warning_str,
                    inactive_str, expire_str, flag_str);
        } else {
                (void) snprintf(buffer, len, "%s:%s:::::::%s",
                    uid[0], pw_passwd, flag_str);
        }

        /* The front end marhsaller doesn't need the trailing null */
        if (argp->buf.result != NULL)
                be->buflen = strlen(be->buffer);
result_spd2str:

        (void) __ns_ldap_freeResult(&be->result);
        return ((int)nss_result);
}

/*
 * getbynam gets a passwd entry by uid name. This function constructs an ldap
 * search filter using the name invocation parameter and the getspnam search
 * filter defined. Once the filter is constructed we search for a matching
 * entry and marshal the data results into struct shadow for the frontend
 * process. The function _nss_ldap_shadow2ent performs the data marshaling.
 */

static nss_status_t
getbynam(ldap_backend_ptr be, void *a)
{
        nss_XbyY_args_t *argp = (nss_XbyY_args_t *)a;
        char            searchfilter[SEARCHFILTERLEN];
        char            userdata[SEARCHFILTERLEN];
        char            name[SEARCHFILTERLEN + 1];
        int             ret;

        if (_ldap_filter_name(name, argp->key.name, sizeof (name)) != 0)
                return ((nss_status_t)NSS_NOTFOUND);

        ret = snprintf(searchfilter, sizeof (searchfilter), _F_GETSPNAM, name);
        if (ret >= sizeof (searchfilter) || ret < 0)
                return ((nss_status_t)NSS_NOTFOUND);

        ret = snprintf(userdata, sizeof (userdata), _F_GETSPNAM_SSD, name);
        if (ret >= sizeof (userdata) || ret < 0)
                return ((nss_status_t)NSS_NOTFOUND);

        return (_nss_ldap_lookup(be, argp, _SHADOW, searchfilter, NULL,
            _merge_SSD_filter, userdata));
}

static ldap_backend_op_t sp_ops[] = {
    _nss_ldap_destr,
    _nss_ldap_endent,
    _nss_ldap_setent,
    _nss_ldap_getent,
    getbynam
};


/*
 * _nss_ldap_passwd_constr is where life begins. This function calls the
 * generic ldap constructor function to define and build the abstract
 * data types required to support ldap operations.
 */

/*ARGSUSED0*/
nss_backend_t *
_nss_ldap_shadow_constr(const char *dummy1, const char *dummy2,
                        const char *dummy3)
{

        return ((nss_backend_t *)_nss_ldap_constr(sp_ops,
            sizeof (sp_ops)/sizeof (sp_ops[0]),
            _SHADOW, sp_attrs, _nss_ldap_shadow2str));
}