40-setup-pre-secret-max-len-patch

#!/bin/bash
# https://forge.univention.org/bugzilla/show_bug.cgi?id=52575
[[ $(ucr get machine/password/length) -ge 28 ]] || exit 0
[[ $(ucr get version/version | awk '{ split($1,V,"."); print V[1] }') -ge 5 ]] || {
	ucr set machine/password/length=27
	exit 0
}
#
# Univention Container Mode - setup-pre-secret-max-len-patch
#
# Copyright 2020-2021 Univention GmbH
#
# http://www.univention.de/
#
# All rights reserved.
#
# The source code of this program is made available
# under the terms of the GNU Affero General Public License version 3
# (GNU AGPL V3) as published by the Free Software Foundation.
#
# Binary versions of this program provided by Univention to you as
# well as other copyrighted, protected or trademarked materials like
# Logos, graphics, fonts, specific documentations and configurations,
# cryptographic keys etc. are subject to a license agreement between
# you and Univention and not subject to the GNU AGPL V3.
#
# In the case you use this program under the terms of the GNU AGPL V3,
# the program is provided in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License with the Debian GNU/Linux or Univention distribution in file
# /usr/share/common-licenses/AGPL-3; if not, see
# <http://www.gnu.org/licenses/>.

## util(s)
source /usr/lib/univention-container-mode/utils.sh || exit 1

## function(s)
# function name() { # name: (IN)[>(OUT)]
# 	echo function
# }

## ucr shell
# eval "$(ucr shell hostname domainname)"

## declare
declare -a ucrchanges
# ucrchanges+=("key=value")
declare -a ucrremoves
# ucrremoves+=("key")

declare -A ucrcounter
# ucrcounter[<STRING>]=<INT>

declare -A ucrcommit
# ucrcommit+=/<PATH>/<FILE> OR ucrcommit[<FILE>]=/<PATH>/<FILE>

debug "### START SCRIPT($(pwd)/$0) ###"
## Setup system patches univention-(licence/license) and univention-policy for container mode environment
#
UniventionPackagePrefix="libunivention-"
UniventionPackageSuffix="0"
#
UniventionPackageLintian="lintian devscripts build-essential"
#
declare -a ucspatch
declare -a packages
#
declare -A location
location[license]="https://raw.githubusercontent.com/univention/univention-corporate-server/master/base/univention-licence/lib/license_ldap.c"
location[policy]="https://raw.githubusercontent.com/univention/univention-corporate-server/master/base/univention-policy/lib/ldap.c"
#
# https://en.wiktionary.org/wiki/licence vs https://en.wiktionary.org/wiki/license
# https://www.grammar-monster.com/easily_confused/licence_license.htm
lizenz=licence
#
curl=curl
#
command -v ${curl} >/dev/null 2>&1 || UniventionInstallNoRecommends ${curl}
#
# check packages for secret max length and add to patch them
for package in ${!location[*]}; do
	${curl} --fail --silent --location ${location[${package}]} |
		egrep --quiet -- "^#define\s(_UNIVENTION_LDAP_MACHINE_SECRET_LEN_MAX|_UNIVENTION_LDAP_SECRET_LEN_MAX)\s[[:digit:]]{2}$" || exit 1 &&
		ucspatch+=(${package})
done
#
# setup and install dependses if we have to patch
[[ ${#ucspatch} -eq 0 ]] || {
	ucr set repository/online/sources=true
	UniventionDistUpdate

	UniventionInstall ${UniventionPackageLintian}
}
#
for package in ${ucspatch[@]}; do
	cd /tmp && {
		# set the package name
		UniventionPackage=$(
			apt-cache search ${package} | egrep -- "^${UniventionPackagePrefix}${package}${UniventionPackageSuffix}\s" |
				awk '\
			 /^'${UniventionPackagePrefix}${package}${UniventionPackageSuffix}'/{ printf $1 } \
			!/^'${UniventionPackagePrefix}${package}${UniventionPackageSuffix}'/{ printf "" }'
		)
		# check package name
		[[ ${#UniventionPackage} -eq 0 ]] && continue || packages+=(${UniventionPackage})
		# get source package, max 3 times ( connection timeout to repository mirror server )
		apt-get --download-only source ${UniventionPackage} ||
			apt-get --download-only source ${UniventionPackage} ||
			apt-get --download-only source ${UniventionPackage}
		# install build dependses for package ${UniventionPackage}
		apt-get --assume-yes build-dep ${UniventionPackage}
		# get source package full name
		SourcePackage=$(ls -1 univention-${package/license/${lizenz}}*dsc)
		# extract the package
		dpkg-source --extract ${SourcePackage} ${package}
		# fix secret max length
		find \
			${package} \
			-type f \
			-regextype posix-egrep -regex ".*ldap.c$" \
			-exec sed -i --regexp-extended 's/^(#define\s\_UNIVENTION\_LDAP.*SECRET\_LEN\_MAX)\s[[:digit:]]{2}$/\1 256/g' {} \; || /bin/true
		cd ${package} &&
			debuild --unsigned-source --unsigned-changes
		cd ..
		# get package full name
		BuildPackage=$(ls -1 ${UniventionPackage}_*deb)
		# move all *.deb into archive cache
		mv --force --verbose *.deb /var/cache/apt/archives/
		# install the modified package
		UniventionInstall --allow-downgrades /var/cache/apt/archives/${BuildPackage}
		apt-mark hold ${UniventionPackage}
		rm --force --recursive --verbose ${package}* univention-${package/license/${lizenz}}* ${UniventionPackage}*
	}
done
#
# force clean up ...
[[ ${#ucspatch} -eq 0 ]] || {
	ucr set repository/online/sources=false
	UniventionDistUpdate

	apt-get --assume-yes remove ${UniventionPackageLintian}
	apt-get --assume-yes autoremove
}
#
## Setup system patches univention-(licence/license) and univention-policy for container mode environment
debug "### STOPP SCRIPT($(pwd)/$0) ###"

## ucr removes
UniventionConfigRegistryUnSet ${ucrremoves[@]}

## ucr changes
UniventionConfigRegistrySet ${ucrchanges[@]}

## ucr commit
UniventionConfigCommit ${ucrcommit[@]}

## cleanup
unset \
	location ucspatch \
	ucrchanges ucrremoves ucrcounter ucrcommit

debug "### CLEAN SCRIPT($(pwd)/$0) ###"