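# This source code is released into the public domain.
#
# The Unbound allow_ldap.conf is a list of "access-control: <network> allow".
# We also generate private_ldap.conf, which is a list of
# "private-address: <network>". Usually these are used together to ensure that
# public zones don't contain internal IP addresses.
#
# Input:  $NETWORKS_FILE, which this file does not set; it must be provided by
#         the caller or environment. The first whitespace-separated field of
#         each non-blank line is used as the network.
# Output: the two files below, rewritten only when their content changes.
#         Unbound is reloaded if at least one of them was replaced.
#
# Both files feed access decisions in the resolver, so a failed or empty
# generation never replaces the installed copy: an empty allow list would
# lock out the clients it admits, and an empty private list would silently
# drop the private-address filtering for these networks.
#
# NOTE(review): the temp files have fixed names next to their targets, so
# the mv is a same-directory rename. This assumes /usr/local/etc/unbound is
# writable only by trusted users -- confirm on the deployed host.
# NOTE(review): the generated lines are not syntax-checked before the
# reload; consider running unbound-checkconf first.

UNBOUND_ALLOW_FILE="/usr/local/etc/unbound/allow_ldap.conf"
UNBOUND_ALLOW_TEMP="${UNBOUND_ALLOW_FILE}.ldaptmp"

UNBOUND_PRIVATE_FILE="/usr/local/etc/unbound/private_ldap.conf"
UNBOUND_PRIVATE_TEMP="${UNBOUND_PRIVATE_FILE}.ldaptmp"

# Set to "yes" by regenerate_conf when a file was actually replaced.
reload=no

# regenerate_conf TARGET TEMP AWK_PROGRAM
#
# Rebuild TARGET from $NETWORKS_FILE by running AWK_PROGRAM over it.
#   $1 - installed config file; if it does not exist nothing is done
#   $2 - scratch file, created in the same directory as $1
#   $3 - awk program that prints one config line per input line
# Globals: NETWORKS_FILE (read), reload (set to "yes" on replacement)
# Outputs: a diff of the change on stdout, errors on stderr
# Returns: 0 if TARGET is absent, unchanged or replaced; 1 on any failure,
#          in which case TARGET is left as it was.
regenerate_conf() {
  # Opt-in: only files the administrator has already created are managed.
  if [ ! -f "$1" ]; then
    return 0
  fi

  # An unset or unreadable input must not be treated as "no networks".
  if [ ! -r "${NETWORKS_FILE:-}" ]; then
    printf 'error: cannot read networks file "%s"; %s left unchanged\n' \
      "${NETWORKS_FILE:-}" "$1" >&2
    return 1
  fi

  # A failed awk run can leave a truncated temp file; never install it.
  if ! awk "$3" <"$NETWORKS_FILE" >"$2"; then
    printf 'error: generating %s failed; %s left unchanged\n' "$2" "$1" >&2
    rm -f -- "$2"
    return 1
  fi

  # Refuse to replace a working list with an empty one.
  if [ ! -s "$2" ]; then
    printf 'error: %s yielded no entries; %s left unchanged\n' \
      "$NETWORKS_FILE" "$1" >&2
    rm -f -- "$2"
    return 1
  fi

  if cmp -s "$2" "$1"; then
    rm -- "$2"
    return 0
  fi

  printf '%s updated:\n\n' "$1"
  diff "$1" "$2"
  printf '\n'

  # Request a reload only if the new file is really in place.
  if ! mv -- "$2" "$1"; then
    printf 'error: could not install %s\n' "$1" >&2
    rm -f -- "$2"
    return 1
  fi
  reload=yes
  return 0
}

# Regenerate the "access-control: <network> allow" list.
update_allow() {
  # The NF guard skips blank lines, which would otherwise produce a
  # directive with no network in it.
  regenerate_conf "$UNBOUND_ALLOW_FILE" "$UNBOUND_ALLOW_TEMP" \
    'NF { print "access-control: " $1 " allow" }'
}

# Regenerate the "private-address: <network>" list.
update_private() {
  regenerate_conf "$UNBOUND_PRIVATE_FILE" "$UNBOUND_PRIVATE_TEMP" \
    'NF { print "private-address: " $1 }'
}

update_allow
update_private

if [ "$reload" = yes ]; then
  /usr/local/etc/rc.d/unbound reload
fi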