#! /bin/sh

. /etc/control.d/functions-local-policy

CONFIG=/etc/sssd/sssd.conf

new_help disabled 'SSSD GPO-based access control rules are neither evaluated nor enforced'
new_help enforced 'SSSD GPO-based access control rules are evaluated and enforced'
new_help permissived 'SSSD GPO-based access control rules are evaluated, but not enforced'
new_help default 'SSSD GPO-based access control rules are evaluated and enforced'

REQUEST="$(echo "$*" | sed -e 's/^enforcing$/enforced/' -e 's/^permissive$/permissived/')"

new_subst default \
	'^\s*[#;]?\s*ad_gpo_access_control\s*=\s*([Dd][Ii][Ss][Aa][Bb][Ll][Ee][Dd]|[Pp][Ee][Rr][Mm][Ii][Ss][Ss][Ii][Vv][Ee]|[Ee][Nn][Ff][Oo][Rr][Cc][Ii][Nn][Gg])\s*' \
	's/^\s*[#;]\?\s*\(ad_gpo_access_control\)\s*=.*/; \1 = enforcing/'

new_subst enforced \
	'^\s*ad_gpo_access_control\s*=\s*[Ee][Nn][Ff][Oo][Rr][Cc][Ii][Nn][Gg]\s*' \
	's/^\s*[#;]\?\s*\(ad_gpo_access_control\)\s*\=.*/\1 = enforcing/'

new_subst permissived \
	'^\s*ad_gpo_access_control\s*=\s*[Pp][Ee][Rr][Mm][Ii][Ss][Ss][Ii][Vv][Ee]\s*' \
	's/^\s*[#;]\?\s*\(ad_gpo_access_control\)\s*\=.*/\1 = permissive/'

new_subst disabled \
	'^\s*ad_gpo_access_control\s*=\s*[Dd][Ii][Ss][Aa][Bb][Ll][Ee][Dd]\s*' \
	's/^\s*[#;]\?\s*\(ad_gpo_access_control\)\s*=.*/\1 = disabled/'

new_summary 'SSSD option specifies the operation mode for GPO-based access control functionality'

check_default_sssd_ad_option "$CONFIG" "$REQUEST" "ad_gpo_access_control" "enforced" "enforced permissived disabled default" || exit $?
control_subst_with_file_check "$CONFIG" "$REQUEST" "enforced permissived disabled default"

