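#!/bin/sh
# Utility functions for OpenLDAP initialization.
#
# This file is meant to be sourced by the container/init script, so it sets no
# shell options (set -e/-u would leak into the caller) and defines functions
# only. `local` is not strictly POSIX but is supported by dash, ash and
# busybox sh, which is what /bin/sh resolves to in the usual base images.
#
# Environment read by these helpers (all optional unless noted):
#   LDAPI_SOCKET               ldapi:// URL of the slapd socket
#   LDAP_BASE_DN               suffix DN; required by ldif_add_safe
#   LDAP_ADMIN_PASSWORD        cleartext admin password; required by ldif_add_safe
#   LDAP_DC, LDAP_DOMAIN, LDAP_ORGANISATION, LDAP_ADMIN_PASSWORD_HASH,
#   LDAP_CONFIG_PASSWORD_HASH, LDAP_TLS_CERT_FILE, LDAP_TLS_KEY_FILE,
#   LDAP_TLS_CA_FILE, LDAP_TLS_VERIFY_CLIENT
#                              substituted into templates by process_template

# Default LDAPI socket URL (path is percent-encoded as ldapi:// requires).
LDAPI_SOCKET="${LDAPI_SOCKET:-ldapi://%2Frun%2Fopenldap%2Fldapi}"

# Logging functions. Informational messages go to stdout; warnings and errors
# go to stderr so callers can separate them. printf is used instead of echo so
# a message beginning with "-n" or containing backslashes is printed verbatim.
log_info() {
  printf '[INFO] %s - %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1"
}

log_warn() {
  printf '[WARN] %s - %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" >&2
}

log_error() {
  printf '[ERROR] %s - %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" >&2
}

# Generate a random 24-character alphanumeric password from /dev/urandom.
# Reading urandom straight through tr guarantees exactly 24 characters; the
# previous base64-and-strip approach could in principle yield fewer than 24
# when many '+', '/' or '=' bytes were discarded. LC_ALL=C keeps tr byte-wise
# so a UTF-8 locale cannot make it choke on non-text input.
generate_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24
}

# Hash a cleartext password with the {SSHA} scheme, as slapd expects in
# olcRootPW / userPassword.
# Args: password
# Outputs: the "{SSHA}..." string on stdout
# Returns: slappasswd's exit status
hash_password() {
  local password="$1"
  # Pass the secret on stdin via -T instead of -s so it never appears in argv,
  # where /proc/<pid>/cmdline and `ps` would expose it to every local user.
  # printf '%s' avoids a trailing newline, which -T would otherwise hash too.
  printf '%s' "$password" | /usr/sbin/slappasswd -h '{SSHA}' -T /dev/stdin
}

# Wait for slapd to answer a root-DSE search on its LDAPI socket.
# Args: max_attempts [socket_url]   (defaults: 30, $LDAPI_SOCKET)
# Returns: 0 once slapd answers, 1 after max_attempts one-second polls
wait_for_slapd() {
  local max_attempts="${1:-30}"
  local socket_url="${2:-$LDAPI_SOCKET}"
  local attempt=0

  while [ "$attempt" -lt "$max_attempts" ]; do
    if ldapsearch -x -H "$socket_url" -b "" -s base "objectClass=*" >/dev/null 2>&1; then
      return 0
    fi
    attempt=$((attempt + 1))
    sleep 1
  done

  log_error "slapd did not become ready in time"
  return 1
}

# Escape a string for use as the replacement text of a sed "s|...|...|" command.
# '\' and '&' are special in any replacement, '|' is our delimiter, and an
# embedded newline must be continued with a trailing backslash; an unescaped
# value such as "Smith & Co" would otherwise have the '&' replaced by the
# matched placeholder, and a '|' would terminate the command (and let a
# crafted value inject further sed commands).
# Args: value
# Outputs: the escaped value on stdout
_sed_escape_replacement() {
  printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g' -e '$!s/$/\\/'
}

# Replace every ${NAME} placeholder in a file with a value, in place.
# Args: name value file
# Returns: non-zero if the escaping or the sed edit fails
_subst_placeholder() {
  local name="$1" value="$2" file="$3"
  value=$(_sed_escape_replacement "$value") || return 1
  sed -i "s|\${${name}}|${value}|g" "$file"
}

# Template substitution - copies template to output and replaces each known
# ${VAR} placeholder with the value of the environment variable of the same
# name. Unset variables are replaced by the empty string, as before. Only the
# fixed list below is substituted; other ${...} text is left untouched.
# Args: template output
# Returns: 0 on success, 1 if the copy or any substitution fails
process_template() {
  local template="$1"
  local output="$2"
  local name

  cp -- "$template" "$output" || {
    log_error "Failed to copy template $template to $output"
    return 1
  }

  for name in LDAP_BASE_DN LDAP_DC LDAP_DOMAIN LDAP_ORGANISATION \
      LDAP_ADMIN_PASSWORD_HASH LDAP_CONFIG_PASSWORD_HASH \
      LDAP_TLS_CERT_FILE LDAP_TLS_KEY_FILE LDAP_TLS_CA_FILE \
      LDAP_TLS_VERIFY_CLIENT; do
    # The names come from the literal list above, never from input, so the
    # eval that resolves NAME -> $NAME is safe here.
    eval "_subst_placeholder \"\$name\" \"\${$name:-}\" \"\$output\"" || {
      log_error "Failed to substitute \${$name} in $output"
      return 1
    }
  done
}

# Check if a DN exists (anonymous base-scope search over the LDAPI socket).
# Args: dn
# Returns: ldapsearch's exit status (0 when the entry is readable)
dn_exists() {
  local dn="$1"
  ldapsearch -x -H "$LDAPI_SOCKET" -b "$dn" -s base "objectClass=*" >/dev/null 2>&1
}

# Add an LDIF file as cn=admin,$LDAP_BASE_DN, treating "Already exists" as
# success so initialization can be re-run.
# Args: ldif_file
# Returns: 0 on success or when the entry already exists, 1 otherwise
ldif_add_safe() {
  local ldif_file="$1"
  local result

  if [ -z "${LDAP_ADMIN_PASSWORD:-}" ]; then
    log_error "LDAP_ADMIN_PASSWORD is not set; cannot bind to add $ldif_file"
    return 1
  fi

  # Bind with -y reading the password from stdin rather than -w, so the
  # cleartext secret never appears in argv / process listings. The LDIF itself
  # comes from -f, leaving stdin free for the password.
  result=$(printf '%s' "$LDAP_ADMIN_PASSWORD" | ldapadd -x -H "$LDAPI_SOCKET" \
      -D "cn=admin,$LDAP_BASE_DN" -y /dev/stdin -f "$ldif_file" 2>&1) || {
    if printf '%s\n' "$result" | grep -qF -- "Already exists"; then
      log_warn "Entry already exists, skipping"
      return 0
    else
      log_error "Failed to add LDIF: $result"
      return 1
    fi
  }
}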