#!/usr/bin/python3
# -*- coding: utf-8 -*-
#
# Update script for SAML2.0 service provider metadata of UMC
#
# Like what you see? Join us!
# https://www.univention.com/about-us/careers/vacancies/
#
# Copyright 2015-2024 Univention GmbH
#
# https://www.univention.de/
#
# All rights reserved.
#
# The source code of this program is made available
# under the terms of the GNU Affero General Public License version 3
# (GNU AGPL V3) as published by the Free Software Foundation.
#
# Binary versions of this program provided by Univention to you as
# well as other copyrighted, protected or trademarked materials like
# Logos, graphics, fonts, specific documentations and configurations,
# cryptographic keys etc. are subject to a license agreement between
# you and Univention and not subject to the GNU AGPL V3.
#
# In the case you use this program under the terms of the GNU AGPL V3,
# the program is provided in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License with the Debian GNU/Linux or Univention distribution in file
# /usr/share/common-licenses/AGPL-3; if not, see
# <https://www.gnu.org/licenses/>.

import json
import subprocess
import sys

from ldap.dn import escape_dn_chars
from saml2.metadata import create_metadata_string

from univention.config_registry import ucr
from univention.lib.misc import primaryVersionGreaterEqual


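# Build the SP metadata from the pysaml2 config module.  It is generated
# unsigned and without a certificate/key (sign=False, cert=None, keyfile=None);
# trust is established by handing the file to the IdP side below.
metadata = create_metadata_string('/usr/share/univention-management-console/saml/sp.py', None, valid=None, cert=None, keyfile=None, mid=None, name=None, sign=False)
if not metadata:
    sys.exit(2)

# write file for below and for the joinscript
with open('/usr/share/univention-management-console/saml/sp/metadata.xml', 'wb') as fd:
    fd.write(metadata)

# Public name of the SP: an explicit override (umc/saml/sp-server) wins over
# the host's own FQDN.  It becomes part of the entity ID and therefore of the
# LDAP DN and the keycloak client name below.
fqdn = ucr['umc/saml/sp-server'] if ucr.get('umc/saml/sp-server') else '%(hostname)s.%(domainname)s' % ucr
entity_id = f'https://{fqdn}/univention/saml/metadata'
# Read once so the UDM object and the keycloak client get the same value.
assertion_lifetime = ucr.get_int('umc/saml/assertion-lifetime', 300)

if not primaryVersionGreaterEqual('5.2-0'):
    # Before 5.2 the SP is registered as a UDM saml/serviceprovider object.
    # Every extra command line argument is passed through verbatim to
    # univention-directory-manager (presumably the joinscript's bind options);
    # our own --dn/--set come after it.  The entity ID is escaped before being
    # embedded in the DN.  A failure here is fatal (CalledProcessError).
    subprocess.check_call([
        'univention-directory-manager', 'saml/serviceprovider', 'modify'] + sys.argv[1:] + [
        '--dn', f'SAMLServiceProviderIdentifier={escape_dn_chars(entity_id)},cn=saml-serviceprovider,cn=univention,{ucr["ldap/base"]}',
        '--set', 'assertionLifetime=%d' % assertion_lifetime,
        '--set', 'serviceProviderMetadata=%s' % (metadata.decode('UTF-8'),),
    ])

# Best effort: keycloak might not yet be installed, or this is the first run
# and the client does not yet exist in keycloak (added later by the
# joinscript).  A failure is therefore reported on stderr but never aborts
# the script, and the exit status stays unaffected.
if ucr.get('keycloak/server/sso/fqdn'):
    returncode = subprocess.call([
        'univention-keycloak',
        'saml/sp',
        'update',
        '--metadata-file',
        '/usr/share/univention-management-console/saml/sp/metadata.xml',
        entity_id,
        json.dumps({'attributes': {'saml.assertion.lifespan': assertion_lifetime}}),
    ])
    if returncode != 0:
        print(f'Warning: updating the keycloak SAML client {entity_id!r} failed (exit code {returncode}); ignoring.', file=sys.stderr)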
