From 6455bd5f4f2644867d30f5ade54386418dfff609 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Sun, 23 Feb 2025 15:14:53 +0100 Subject: [PATCH] ldap: is an the worst kind of DB ever -_- --- conf/slapd/permission.ldif | 4 ++ hooks/conf_regen/06-slapd | 7 ++- .../0033_rework_permission_infos.py | 47 +++++++++++-------- 3 files changed, 37 insertions(+), 21 deletions(-) diff --git a/conf/slapd/permission.ldif b/conf/slapd/permission.ldif index 7ab5e0af5b..5e42efa0e9 100644 --- a/conf/slapd/permission.ldif +++ b/conf/slapd/permission.ldif @@ -24,15 +24,19 @@ olcAttributeTypes: ( 1.3.6.1.4.1.17953.9.1.5 NAME 'additionalUrls' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) olcAttributeTypes: ( 1.3.6.1.4.1.17953.9.1.6 NAME 'authHeader' DESC 'YunoHost application, enable authentication header' OBSOLETE + EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) olcAttributeTypes: ( 1.3.6.1.4.1.17953.9.1.7 NAME 'label' DESC 'YunoHost permission label, also used for the tile name in the SSO' OBSOLETE + EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} SINGLE-VALUE ) olcAttributeTypes: ( 1.3.6.1.4.1.17953.9.1.8 NAME 'showTile' DESC 'YunoHost application, show/hide the tile in the SSO for this permission' OBSOLETE + EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) olcAttributeTypes: ( 1.3.6.1.4.1.17953.9.1.9 NAME 'isProtected' DESC 'YunoHost application permission protection' OBSOLETE + EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) # OBJECTCLASS # For Applications diff --git a/hooks/conf_regen/06-slapd b/hooks/conf_regen/06-slapd index ba934e11c9..773c5a509a 100755 --- a/hooks/conf_regen/06-slapd +++ b/hooks/conf_regen/06-slapd @@ -186,4 +186,9 @@ objectClass: top" systemctl force-reload slapd } -do_$1_regen ${@:2} +if [[ "$1" == _regenerate_slapd_conf ]] +then + _regenerate_slapd_conf +else + do_$1_regen ${@:2} +fi 
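Review bot: In the `else` branch of the new dispatch in `hooks/conf_regen/06-slapd`, `do_$1_regen ${@:2}` still expands the remaining arguments unquoted, so an argument containing whitespace or glob characters is split or expanded before it reaches the regen function; `do_$1_regen "${@:2}"` passes them through intact. The added `_regenerate_slapd_conf` branch also has no comment saying who invokes the hook this way, and a line such as `# internal entry point: lets migration 0033 rebuild the slapd config without a full regen` would document it. The function definitions this dispatch relies on are outside the hunk.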
diff --git a/src/migrations/0033_rework_permission_infos.py b/src/migrations/0033_rework_permission_infos.py
index e6bce3e947..bfd2a79b1e 100644
--- a/src/migrations/0033_rework_permission_infos.py
+++ b/src/migrations/0033_rework_permission_infos.py
@@ -146,24 +146,31 @@ def read_legacy_permissions(self):
 def delete_legacy_permissions(self):
- ldap = _get_ldap_interface()
- permissions_infos = ldap.search(
- "ou=permission",
- "(objectclass=permissionYnh)",
- ["cn"],
- )
- for infos in permissions_infos:
- # LDAP won't delete the old, obsolete info,
- # we have to do it ourselves ~_~
- ldap.update(
- f'cn={infos["cn"][0]},ou=permission',
- {
- "label": [],
- "authHeader": [],
- "showTile": [],
- "isProtected": [],
- "URL": [],
- "additionalUrls": [],
- "groupPermission": [],
- },
+ try:
+ ldap = _get_ldap_interface()
+ permissions_infos = ldap.search(
+ "ou=permission",
+ "(objectclass=permissionYnh)",
+ ["cn"],
 )
+ # LDAP is fucking stupid, therefore we have to un-mark the attributes as obsolete
+ # to be able to empty them ...
+ # (and yeah why is this all so fucking complex why can't we just drop the column like a real DB or something...)
+ os.system("sed -i 's@ OBSOLETE$@@g' /etc/ldap/schema/permission.ldif")
+ os.system("/usr/share/yunohost/hooks/conf_regen/06-slapd _regenerate_slapd_conf")
+ os.system("systemctl restart slapd")
+ for infos in permissions_infos:
+ ldap.update(
+ f'cn={infos["cn"][0]},ou=permission',
+ {
+ "label": [],
+ "authHeader": [],
+ "showTile": [],
+ "isProtected": [],
+ "URL": [],
+ "additionalUrls": [],
+ "groupPermission": [],
+ },
+ )
+ finally:
+ regen_conf(["slapd"], force=True)
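Review bot: The three `os.system()` calls in `delete_legacy_permissions` discard their exit status, so a failed `sed`, schema regeneration or `systemctl restart slapd` goes unnoticed and the loop still issues `ldap.update()` against a server whose schema state is unknown. Running each step with `subprocess.run([...], check=True)` stops the migration at the failing step while the `finally` still calls `regen_conf(["slapd"], force=True)` to restore the shipped schema; this needs `subprocess` imported at the top of the file, which is outside the hunk. The `sed` expression only matches `OBSOLETE` at the end of a line, so it depends on the layout of `permission.ldif` staying as it is, and a short comment stating that would help the next person who edits the schema. Whether the `ldap` handle obtained before the restart reconnects transparently cannot be told from the hunk.

```python
            # … unchanged: ldap = _get_ldap_interface() and the permissionYnh search …
            # Abort before touching any LDAP entry if a schema step fails;
            # the finally clause still restores the regular slapd config.
            subprocess.run(
                ["sed", "-i", "s@ OBSOLETE$@@g", "/etc/ldap/schema/permission.ldif"],
                check=True,
            )
            subprocess.run(
                ["/usr/share/yunohost/hooks/conf_regen/06-slapd", "_regenerate_slapd_conf"],
                check=True,
            )
            subprocess.run(["systemctl", "restart", "slapd"], check=True)
            for infos in permissions_infos:
                # … unchanged: ldap.update() emptying the legacy attributes …
```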