From 925cfd06112b90a8a17ba1c75973056a6e4e74f3 Mon Sep 17 00:00:00 2001
From: Thomas H Jones II <thomas.jones2@dodiis.mil>
Date: Wed, 15 Nov 2023 18:05:56 +0000
Subject: [PATCH] Add a `leave` helper-script

---
 join-domain/elx/sssd/files/leave.sh        | 61 ++++++++++++++++++++++
 join-domain/elx/sssd/files/pw-decrypt.func | 18 +++++++
 join-domain/elx/sssd/files/script.envs     | 10 ++++
 3 files changed, 89 insertions(+)
 create mode 100755 join-domain/elx/sssd/files/leave.sh
 create mode 100755 join-domain/elx/sssd/files/pw-decrypt.func
 create mode 100755 join-domain/elx/sssd/files/script.envs

diff --git a/join-domain/elx/sssd/files/leave.sh b/join-domain/elx/sssd/files/leave.sh
new file mode 100755
index 0000000..c5753d8
--- /dev/null
+++ b/join-domain/elx/sssd/files/leave.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+# shellcheck disable=SC1091
+set -eu -o pipefail
+#
+# Script to disable directory-based authentication and remove computerObject
+# from the directory-service
+#
+################################################################################
+PROGDIR="$( dirname "${0}" )"
+
+# Set envs that are common to both join and leave scripts
+source "${PROGDIR}/script.envs"
+
+# Import shared password-decrypt function
+source "${PROGDIR}/pw-decrypt.func"
+
+
+# Try to leave and remove host from domain
+function LeaveDomain {
+  local    LEAVE_CRED
+  local -a REALM_OPTS
+
+  REALM_OPTS=(
+    -U "${JOIN_USER}"
+    --unattended
+    --remove
+  )
+
+  # Get credentials used for leave operation
+  LEAVE_CRED="$( PWdecrypt )"
+
+
+  printf "Removing %s from to %s" "$( hostname -s )" "${JOIN_DOMAIN}"
+
+  if [[ $(
+    echo "${LEAVE_CRED}" |
+    realm leave \
+      "${REALM_OPTS[@]}" \
+      "${JOIN_DOMAIN}" > /dev/null 2>&1
+  )$? -eq 0 ]]
+  then
+    RET_CODE=0
+
+    echo "Success"
+
+  else
+      echo "FAILED: Getting system logs"
+      printf "\n==============================\n"
+      journalctl -u realmd | \
+        grep "$( date '+%b %d %H:%M' )" | \
+        sed 's/^.*]: /: /'
+      printf "\n==============================\n"
+
+      RET_CODE=1
+  fi
+
+  exit "${RET_CODE}"
+
+}
+
+LeaveDomain
diff --git a/join-domain/elx/sssd/files/pw-decrypt.func b/join-domain/elx/sssd/files/pw-decrypt.func
new file mode 100755
index 0000000..22b5fde
--- /dev/null
+++ b/join-domain/elx/sssd/files/pw-decrypt.func
@@ -0,0 +1,18 @@
+# Get clear-text password from crypt
+function PWdecrypt {
+  local PWCLEAR
+
+  # Get cleartext password-string
+  if PWCLEAR=$(
+    echo "${PWCRYPT}" | \
+    openssl enc -aes-256-cbc -md sha256 -a -d -salt -pass pass:"${PWUNLOCK}"
+  )
+  then
+    echo "${PWCLEAR}"
+    return 0
+  else
+    echo "Decryption FAILED!"
+    return 1
+  fi
+}
+
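Review bot: The failure message on L101 is written to stdout, and the only caller in this patch captures stdout as the credential (`LEAVE_CRED="$( PWdecrypt )"`), so the literal text `Decryption FAILED!` would be the value fed to `realm leave` whenever the caller does not stop on the non-zero return; send it to stderr with `echo "Decryption FAILED!" >&2`. The unlock key is also placed on the openssl command line via `-pass pass:"${PWUNLOCK}"` on L95, where it is visible in the process list to every local user for the duration of the call; passing it through the environment keeps it out of argv, e.g. `PWUNLOCK="${PWUNLOCK}" openssl enc -aes-256-cbc -md sha256 -a -d -salt -pass env:PWUNLOCK`. A one-line header stating that `PWCRYPT` and `PWUNLOCK` are expected from script.envs and that the plaintext is returned on stdout would help readers of this sourced file.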
diff --git a/join-domain/elx/sssd/files/script.envs b/join-domain/elx/sssd/files/script.envs
new file mode 100755
index 0000000..094c2fe
--- /dev/null
+++ b/join-domain/elx/sssd/files/script.envs
@@ -0,0 +1,10 @@
+# Envs that can be set by SaltStack
+JOIN_DOMAIN="${JOIN_DOMAIN:-UNDEF}"
+JOIN_OU="${JOIN_OU:-}"
+JOIN_USER="${JOIN_USER:-Administrator}"
+JOIN_CNAME="${JOIN_CNAME:-UNDEF}"
+JOIN_TRIES="${JOIN_TRIES:-UNDEF}"
+OS_NAME_SET="${OS_NAME_SET:-False}"
+OS_VERS_SET="${OS_VERS_SET:-False}"
+PWCRYPT="${ENCRYPT_PASS:-UNDEF}"
+PWUNLOCK="${ENCRYPT_KEY:-UNDEF}"
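Review bot: The `UNDEF` sentinel used for `JOIN_DOMAIN`, `JOIN_CNAME`, `JOIN_TRIES`, `PWCRYPT` and `PWUNLOCK` is never checked by the `leave.sh` added in this patch, so a missing value flows into `realm leave` or `openssl` as a literal string instead of producing a clear error. If the join script relies on the sentinel the validation belongs in the consumers, otherwise `: "${ENCRYPT_KEY:?ENCRYPT_KEY must be set}"` style assertions here would fail fast for both scripts; I cannot see the join script, so this is hedged. The file is created with mode 100755 but has no shebang and is only `source`d, so 0644 would better express that it is not meant to be executed. A comment noting that `PWCRYPT`/`PWUNLOCK` carry the encrypted credential and its unlock key would document why these two are renamed from `ENCRYPT_PASS`/`ENCRYPT_KEY`.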