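# @summary Concourse LDAP authentication
# Most attributes map directly to concourse's options, but with
# `CONCOURSE_LDAP_` prefixed.
#
# @param host
#   LDAP host to bind to, e.g. ldap.example.com
# @param bind_dn
#   Distinguished name used when binding to the ldap server.
#   e.g. `cn=read-only-admin,dc=example,dc=com`
# @param bind_pw
#   Password used when binding to the ldap server. May be wrapped in
#   `Sensitive` so it is redacted from catalogs, logs and reports.
# @param user_search_base_dn
#   Base distinguished name when searching for a user; together with
#   `user_search_username` creates the query:
#   `${user_search_username}=%,${user_search_base_dn}`.
#
#   Should be something along the lines of `cn=users,dc=example,dc=com`.
# @param user_search_username
#   See `user_search_base_dn`.
#
#   Should probably be `uid` or `cn`.
# @param display_name
#   Fancy name to display for this authentication method.
# @param user_search_filter
#   LDAP filter to limit which users are queried.
# @param user_search_id_attr
#   LDAP attribute used to specify the user's id.
# @param user_search_email_attr
#   LDAP attribute used to specify the user's email address.
# @param user_search_name_attr
#   LDAP attribute used to specify the user's name.
# @param ca_cert
#   Path to a CA certificate used when connecting to the LDAP server.
#   Probably mutually exclusive with `insecure_no_ssl`.
# @param insecure_no_ssl
#   Allow unencrypted connections to the ldap server.
# @param group_search_base_dn
#   Base for LDAP search for groups. If this is set then LDAP groups
#   are mapped to teams in Concourse.
#
#   e.g. `cn=group,dc=example,dc=com`
# @param group_search_name_attr
#   LDAP attribute to use as key when searching for groups under
#   `group_search_base_dn`.
# @param group_search_user_attr
#   LDAP attribute used to get the "name" of a given user.
#   Should match what is used in `group_search_group_attr`.
# @param group_search_group_attr
#   LDAP attribute used to determine which users are part of which group.
#   Should match what is used in `group_search_user_attr`.
# @param group_search_filter
#   LDAP filter to limit which users are returned when searching
#   for who is part of which group.
# @param main_team_user
#   LDAP users granted membership of Concourse's main team. Joined with
#   commas into `CONCOURSE_LDAP_MAIN_TEAM_LDAP_USER`.
# @param main_team_group
#   LDAP groups granted membership of Concourse's main team. Joined with
#   commas into `CONCOURSE_LDAP_MAIN_TEAM_LDAP_GROUP`.
# @param ensure
#   Whether the environment file and the systemd drop-in are `present`
#   or `absent`.
class concourse::auth::ldap (
  String                           $host,
  String                           $bind_dn,
  Variant[String, Sensitive[String]] $bind_pw,
  String                           $user_search_base_dn,
  String                           $user_search_username   = 'uid',
  Optional[String]                 $display_name           = undef,
  Optional[String]                 $user_search_filter     = undef,
  Optional[String]                 $user_search_id_attr    = undef,
  Optional[String]                 $user_search_email_attr = undef,
  Optional[String]                 $user_search_name_attr  = undef,
  Optional[Stdlib::Absolutepath]   $ca_cert                = undef,
  Boolean                          $insecure_no_ssl        = false,
  Optional[String]                 $group_search_base_dn   = undef,
  String                           $group_search_name_attr = 'ou',
  String                           $group_search_user_attr = 'uid',
  String                           $group_search_group_attr = 'members',
  Optional[String]                 $group_search_filter    = undef,
  Optional[Array[String]]          $main_team_user         = undef,
  Optional[Array[String]]          $main_team_group        = undef,
  Enum['absent', 'present']        $ensure                 = 'present',
) {
  $env_file = "${concourse::web::conf_dir}/auth-ldap"

  # Concourse takes the main-team lists as comma-separated strings; an
  # unset list stays undef so the template can leave the variable out.
  $main_team_user_csv = $main_team_user ? {
    Array   => $main_team_user.join(','),
    default => undef,
  }
  # Fixed: this previously joined $main_team_user, so configuring only
  # LDAP *groups* for the main team silently granted access to the
  # configured *users* instead (or nothing at all).
  $main_team_group_csv = $main_team_group ? {
    Array   => $main_team_group.join(','),
    default => undef,
  }

  $environment = {
    'CONCOURSE_LDAP_HOST'                   => $host,
    'CONCOURSE_LDAP_BIND_DN'                => $bind_dn,
    'CONCOURSE_LDAP_BIND_PW'                => $bind_pw,
    'CONCOURSE_LDAP_USER_SEARCH_BASE_DN'    => $user_search_base_dn,
    'CONCOURSE_LDAP_USER_SEARCH_USERNAME'   => $user_search_username,
    'CONCOURSE_LDAP_DISPLAY_NAME'           => $display_name,
    'CONCOURSE_LDAP_USER_SEARCH_FILTER'     => $user_search_filter,
    'CONCOURSE_LDAP_USER_SEARCH_ID_ATTR'    => $user_search_id_attr,
    'CONCOURSE_LDAP_USER_SEARCH_EMAIL_ATTR' => $user_search_email_attr,
    'CONCOURSE_LDAP_USER_SEARCH_NAME_ATTR'  => $user_search_name_attr,
    'CONCOURSE_LDAP_CA_CERT'                => $ca_cert,
    'CONCOURSE_LDAP_INSECURE_NO_SSL'        => $insecure_no_ssl,
    'CONCOURSE_LDAP_GROUP_SEARCH_BASE_DN'   => $group_search_base_dn,
    'CONCOURSE_LDAP_GROUP_SEARCH_NAME_ATTR' => $group_search_name_attr,
    'CONCOURSE_LDAP_GROUP_SEARCH_USER_ATTR' => $group_search_user_attr,
    'CONCOURSE_LDAP_GROUP_SEARCH_GROUP_ATTR' => $group_search_group_attr,
    'CONCOURSE_LDAP_GROUP_SEARCH_FILTER'    => $group_search_filter,
    'CONCOURSE_LDAP_MAIN_TEAM_LDAP_USER'    => $main_team_user_csv,
    'CONCOURSE_LDAP_MAIN_TEAM_LDAP_GROUP'   => $main_team_group_csv,
  }

  # The environment file carries the bind password in clear text, so it
  # is owner-only (0600) and excluded from diffs in agent logs/reports.
  # No owner/group is set, so it keeps the identity the agent runs as
  # (normally root), which is also what reads it via EnvironmentFile=.
  # NOTE(review): when $bind_pw is Sensitive[String], env.epp must unwrap
  # it before rendering or the file will contain the redaction marker
  # instead of the password — confirm against the template.
  file { $env_file:
    ensure    => $ensure,
    content   => epp("${module_name}/env.epp", { 'entries' => $environment }),
    # Keep the bind password out of the diff output.
    show_diff => false,
    mode      => '0600',
  }

  $dropin_content = @("EOF")
    [Service]
    EnvironmentFile=${env_file}
    | EOF

  systemd::dropin_file { 'concourse-ldap-auth.conf':
    ensure  => $ensure,
    unit    => $concourse::web::service_unit,
    content => $dropin_content,
  }
}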