#!/usr/bin/python

# Copyright (c) 2010 Peter Palfrader <peter@palfrader.org>

# This script, non-interactively, sets a great many accounts to
# 'retiring', locking their password, removing keys, setting shadow
# information to expired and setting accountstatus appropriatly.


#   This program is free software; you can redistribute it and/or modify
#   it under the terms of the GNU General Public License as published by
#   the Free Software Foundation; either version 2 of the License, or
#   (at your option) any later version.
#
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#   GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public License
#   along with this program; if not, write to the Free Software
#   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

import sys
import optparse
import os
import pwd
import time
from userdir_ldap import *;

dry_run = False

def connect(user):
    l = connectLDAP()
    binddn = "uid=%s,%s"%(user, BaseDn)
    bindpw = None
    if 'LDAP_PASSWORD' in os.environ:
        bindpw = os.environ['LDAP_PASSWORD']
    else:
        bindpw = getpass.getpass(user + "'s password: ")

    try:
       l.simple_bind_s(binddn, bindpw)
    except ldap.LDAPError, e:
       sys.stderr.write("LDAP error: %s\n"%(e.args[0]['desc']))
       sys.exit(1)
    return l


class Account:
    def __init__(self, user):
        searchresult = lc.search_s(BaseDn,ldap.SCOPE_SUBTREE, 'uid=%s'%(user))
        if len(searchresult) < 1:
            sys.stderr.write("No such user: %s\n"%(user))
            return
        elif len(searchresult) > 1:
            sys.stderr.write("More than one hit when getting %s\n"%(user))
            return

        self.dn, self.attributes = searchresult[0]


    def has_mail(self):
        if 'mailDisableMessage' in self.attributes:
            return False
        return True

    # not locked locked,  just reset to something invalid like {crypt}*SSLRESET* is still active
    def pw_active(self):
        if self.attributes['userPassword'][0] == '{crypt}*LK*':
            return False
        return True

    # not expired
    def shadow_active(self):
        if 'shadowExpire' in self.attributes and \
            int(self.attributes['shadowExpire'][0]) < (time.time() / 3600 / 24):
            return False
        return True

    def numkeys(self):
        if 'keyFingerPrint' in self.attributes:
            return len(self.attributes['keyFingerPrint'])
        return 0

    def account_status(self):
        if 'accountStatus' in self.attributes:
            return self.attributes['accountStatus'][0]
        return 'active'


    def verbose_status(self):
        status = []
        status.append('mail: %s'  %(['disabled', 'active'][ self.has_mail() ]))
        status.append('pw: %s'    %(['locked', 'active'][ self.pw_active() ]))
        status.append('shadow: %s'%(['expired', 'active'][ self.shadow_active() ]))
        status.append('keys: %d'  %( self.numkeys() ))
        status.append('status: %s'%( self.account_status() ))

        return '(%s)'%(', '.join(status))

    def get_dn(self):
        return self.dn

def do_one_user(lc, user, ticket):
    u = Account(user)
    if not u.account_status() == 'active':
        sys.stderr.write('%s: Account is not active, skipping.  (details: %s)\n'%(user, u.verbose_status()))
        return

    print '%s: Setting to retiring:'%(user)
    set = {}
    set['userPassword'] = '{crypt}*LK*'
    set['shadowLastChange'] = str(int(time.time()/24/60/60))
    set['shadowExpire'] = '1'
    set['accountStatus'] = 'retiring %s'%(time.strftime('%Y-%m-%d'))
    if not ticket is None:
        set['accountComment'] = "RT#%s"%(ticket)

    rec = []
    for key in set:
        print '  %s: %s'%(key, set[key])
        rec.append( (ldap.MOD_REPLACE, key, set[key]) )

    print '  %s: deleting keyFingerPrint'%(user)
    rec.append( (ldap.MOD_DELETE, 'keyFingerPrint', None) )


    if dry_run:
        print '(not committing)'
    else:
        lc.modify_s(u.get_dn(), rec)
        print '%s: done.'%(user)

    sys.stdout.flush()


parser = optparse.OptionParser()
parser.set_usage("%prog [--admin-user <binduser>] [--no-do] <account> [<account> ...]")
parser.add_option("-a", "--admin-user", dest="admin", metavar="admin",
  help="User to bind as.",
  default=pwd.getpwuid(os.getuid()).pw_name)
parser.add_option("-n", "--no-do", action="store_true",
  help="Do not actually change anything.")
parser.add_option("-r", "--rt-ticket", dest="ticket", metavar="ticket#",
  help="Ticket number for accountComment.")

(options, args) = parser.parse_args()

if options.no_do:
    dry_run = True

lc = connect(options.admin)
for user in args:
    do_one_user(lc, user, options.ticket)


# vim:set et:
# vim:set ts=4:
# vim:set shiftwidth=4: