# Copyright © 2018 Maël Kervella
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
import subprocess
from base64 import decodebytes

from django.core.management.base import BaseCommand, CommandError
from django.conf import settings

from users.models import User, ListRight


def split_lines(lines):
    """
    Split LDIF lines. They can span over multiple system lines if the
    following system lines begins with a space.
    """
    ret = []
    for line in lines.split(b"\n"):
        if line.startswith(b" ") and len(ret) > 1:
            ret[-1] += line[len(b" ") :]
        else:
            ret.append(line)
    return ret


def flush_ldap(binddn, bindpass, server, usersdn, groupsdn):
    """
    Perform the python (and more understandable) equivalent of the following commands:

    ldapsearch -LLL -s one -D $binddn -w $bindpass -H $server -b $usersdn dn \
            | grep "dn: " | sed -e 's/dn: //g' \
            | ldapdelete -v -D $binddn -w $bindpass -H $server --
    ldapsearch -LLL -s one -D $binddn -w $bindpass -H $server -b $usersdn dn \
            | grep "dn:: " | sed -e 's/dn:: //g' \
            | while read x; do echo "$x" | base64 -d; echo ""; done \
            | ldapdelete -v -D $binddn -w $bindpass -H $server --
    ldapsearch -LLL -s one -D $binddn -w $bindpass -H $server -b $groupsdn dn \
            | grep "dn: " | sed -e 's/dn: //g' \
            | ldapdelete -v -D $binddn -w $bindpass -H $server --
    ldapsearch -LLL -s one -D $binddn -w $bindpass -H $server -b $groupsdn dn \
            | grep "dn:: " | sed -e 's/dn:: //g' \
            | while read x; do echo "$x" | base64 -d; echo ""; done \
            | ldapdelete -v -D $binddn -w $bindpass -H $server --
    """

    to_remove = []

    for lookup in (usersdn, groupsdn):
        search_cmd = [
            "ldapsearch",
            "-LLL",
            "-s",
            "one",
            "-D",
            binddn,
            "-w",
            bindpass,
            "-H",
            server,
            "-b",
            lookup,
            "dn",
        ]
        for line in split_lines(subprocess.check_output(search_cmd)):
            if line.startswith(b"dn: "):
                to_remove.append(line[len(b"dn: ") :])
            elif line.startswith(b"dn:: "):
                # Non ASCII value ares are base64-encoded
                to_remove.append(decodebytes(line[len(b"dn:: ") :]))

    delete_cmd = ["ldapdelete", "-D", binddn, "-w", bindpass, "-H", server] + to_remove
    subprocess.check_call(delete_cmd)


def sync_ldap():
    """Syncrhonize the whole LDAP with the DB."""
    for u in User.objects.all():
        u.ldap_sync()
    for lr in ListRight.objects.all():
        lr.ldap_sync()


class Command(BaseCommand):
    help = (
        "Destroy the current LDAP data and rebuild it from the DB data."
        " Use with caution."
    )

    def handle(self, *args, **options):

        usersdn = settings.LDAP["base_user_dn"]
        groupsdn = settings.LDAP["base_usergroup_dn"]
        binddn = settings.DATABASES["ldap"]["USER"]
        bindpass = settings.DATABASES["ldap"]["PASSWORD"]
        server = settings.DATABASES["ldap"]["NAME"]

        flush_ldap(binddn, bindpass, server, usersdn, groupsdn)
        self.stdout.write("LDAP emptied.")
        sync_ldap()
        self.stdout.write("LDAP rebuilt.")