# gp_sudoers_ext samba gpo policy
# Copyright (C) David Mulder <dmulder@suse.com> 2020
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import os
from samba.gpclass import gp_pol_ext
from base64 import b64encode
from tempfile import NamedTemporaryFile
from subprocess import Popen, PIPE
from distutils.spawn import find_executable

intro = '''
### autogenerated by samba
#
# This file is generated by the gp_sudoers_ext Group Policy
# Client Side Extension. To modify the contents of this file,
# modify the appropriate Group Policy objects which apply
# to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
#

'''
visudo = find_executable('visudo',
        path='%s:%s' % (os.environ['PATH'], '/usr/sbin'))

class gp_sudoers_ext(gp_pol_ext):
    def __str__(self):
        return 'Unix Settings/Sudo Rights'

    def process_group_policy(self, deleted_gpo_list, changed_gpo_list,
            sdir='/etc/sudoers.d'):
        for gpo in deleted_gpo_list:
            self.gp_db.set_guid(gpo[0])
            if str(self) in gpo[1]:
                for attribute, sudoers in gpo[1][str(self)].items():
                    os.unlink(sudoers)
                    self.gp_db.delete(str(self), attribute)
            self.gp_db.commit()

        for gpo in changed_gpo_list:
            if gpo.file_sys_path:
                section = 'Software\\Policies\\Samba\\Unix Settings\\Sudo Rights'
                self.gp_db.set_guid(gpo.name)
                pol_file = 'MACHINE/Registry.pol'
                path = os.path.join(gpo.file_sys_path, pol_file)
                pol_conf = self.parse(path)
                if not pol_conf:
                    continue
                for e in pol_conf.entries:
                    if e.keyname == section and e.data.strip():
                        attribute = b64encode(e.data.encode()).decode()
                        old_val = self.gp_db.retrieve(str(self), attribute)
                        if not old_val:
                            contents = intro
                            contents += '%s\n' % e.data
                            with NamedTemporaryFile() as f:
                                with open(f.name, 'w') as w:
                                    w.write(contents)
                                sudo_validation = \
                                        Popen([visudo, '-c', '-f', f.name],
                                            stdout=PIPE, stderr=PIPE).wait()
                            if sudo_validation == 0:
                                with NamedTemporaryFile(prefix='gp_',
                                                        delete=False,
                                                        dir=sdir) as f:
                                    with open(f.name, 'w') as w:
                                        w.write(contents)
                                    self.gp_db.store(str(self),
                                                     attribute,
                                                     f.name)
                            else:
                                self.logger.warn('Sudoers apply "%s" failed'
                                        % e.data)
                        self.gp_db.commit()