<?php

/**
 * Authentication backend using Shibboleth
 * @license    GPL 2 (http://www.gnu.org/licenses/gpl.html)
 * @author     Dominique Launay <dominique.launay AT cru.fr>
 * @author     Olivier Salaun <olivier.salaun AT cru.fr>
 * @author     Yoann Lecuyer <yoann.lecuyer AT cru.fr> 
 * Version: 1.2
 * last modified: 2009-11-27
 *
 * Work based on :
 *    ssl authentication backend:
 *       @author     Dominique Launay <dominique.launay AT cru.fr>
 *    Sympa Soap server authentication backend:
 *       @author     David Pepin<sympa-authors AT cru.fr>
 *
 * The nusoap library is required
 *
 **/


define('DOKU_AUTH', dirname(__FILE__));
require_once(DOKU_AUTH.'/basic.class.php');
define('AUTH_USERFILE',DOKU_CONF.'users.auth.php');

class auth_shibboleth extends auth_basic {
  var $users = null;
  var $sympaDefaultGroup = null;
  var $sympaSoapService = null;
  var $soap_client = null;
  var $log_file = null;

  /**
   *
   * Constructor
   *
   * @author  Yoann Lecuyer <yoann.lecuyer AT cru.fr>
   *
   **/
  // This function is run for every web access to the wiki
  // Most of the Shibboleth authentication code is run here because we never run the do_login action 
  // With Shibboleth, dokuwiki never collects user password
  function auth_shibboleth() {
    global $conf;
    //msg('auth_shibboleth');
    $this->cando['external'] = true;
    //$this->cando['getGroups']    = true;


    if (method_exists($this, 'auth_basic')){
      parent::auth_basic();
    }
    // check if the server configuration has correctly been done
    if (!isset($conf['plugin']['shibbolethauth']['shibbolethEmailAttribute']) || empty($conf['plugin']['shibbolethauth']['shibbolethEmailAttribute'])) {
      $this->success = false;
      return;
    }
    if (isset($conf['plugin']['shibbolethauth']['useSympa']) && $conf['plugin']['shibbolethauth']['useSympa'] == 1 && empty($conf['plugin']['shibbolethauth']['sympaSoapService'])) {
      $this->success = false;
      return;
    }
    if(!isset($conf['plugin']['shibbolethauth']['shibbolethLoginURL']) || empty($conf['plugin']['shibbolethauth']['shibbolethLoginURL'])) {
      $this->success = false;
      return;  
    }
    if(!isset($conf['plugin']['shibbolethauth']['shibbolethLogoutURL']) || empty($conf['plugin']['shibbolethauth']['shibbolethLogoutURL'])) {
      $this->success = false;
      return;  
    }

    if (isset($conf['defaultgroup'])) {
      $this->sympaDefaultGroup = $conf['defaultgroup'];
    }
    
    
    $this->success = true;
    return;
  }

  /**
   * Do all authentication [ OPTIONAL ]
   *
   * Set $this->cando['external'] = true when implemented
   *
   * If this function is implemented it will be used to
   * authenticate a user - all other DokuWiki internals
   * will not be used for authenticating, thus
   * implementing the functions below becomes optional.
   *
   * The function can be used to authenticate against third
   * party cookies or Apache auth mechanisms and replaces
   * the auth_login() function
   *
   * The function will be called with or without a set
   * username. If the Username is given it was called
   * from the login form and the given credentials might
   * need to be checked. If no username was given it
   * the function needs to check if the user is logged in
   * by other means (cookie, environment).
   *
   * The function needs to set some globals needed by
   * DokuWiki like auth_login() does.
   *
   * @see auth_login()
   * @author  Andreas Gohr <andi@splitbrain.org>
   * @author  Olivier Salaün <olivier.salaun AT cru.fr>
   * @author  Dominique Launay <dominique.launay AT cru.fr>
   *
   * @param   string  $user    Username
   * @param   string  $pass    Cleartext Password
   * @param   bool    $sticky  Cookie should not expire
   * @return  bool             true on successful auth
   */
  function trustExternal($user,$pass,$sticky=false){
    //msg('trust_external');
    // some example:
    
    global $USERINFO;
    global $conf;
    $sticky ? $sticky = true : $sticky = false; //sanity check
    // do the checking here
    //see if we got cookie
    if(isset($_SESSION['DW_SHIB'])){
      // case logout
      if($_REQUEST['do'] == 'logout'){
	unset($_SESSION['DW_SHIB']);
	unset($_SESSION[DOKU_COOKIE]['auth']['user']);
	unset($_SESSION[DOKU_COOKIE]['auth']['pass']);
	unset($_SESSION[DOKU_COOKIE]['auth']['info']);
	error_log('shibbolethauth : authenticated user redirected for logout to '.$conf['plugin']['shibbolethauth']['shibbolethLogoutURL']);
	header("Location: ".$conf['plugin']['shibbolethauth']['shibbolethLogoutURL']."?return=".urlencode($_SERVER['HTTP_REFERER']));
	exit;
      }else{
	// fill vars with cookie vars
	$_SESSION[DOKU_COOKIE]['auth']['user'] = $user = $_SESSION['DW_SHIB']['user'];
	$_SESSION[DOKU_COOKIE]['auth']['pass'] = $pass = $_SESSION['DW_SHIB']['pass'];
       	$_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO = $_SESSION['DW_SHIB']['info'];
	$_SERVER['REMOTE_USER'] =  $_SESSION['DW_SHIB']['user'];
	return true;
      }
    }else{
      // save the Email done by a Shibboleth attribute if this attribute is set
      // we need to check if the identityProvider attribute is set, otherwise we can't distinguish 
      // normal unauthenticated access from authenticated access with a missing email address
      if(isset($_SERVER[$conf['plugin']['shibbolethauth']['shibbolethEmailAttribute']]) && $_SERVER[$conf['plugin']['shibbolethauth']['shibbolethEmailAttribute']]!=""){
	// if user wants to log out
	if($_REQUEST['do'] == 'logout'){
	  unset($_SESSION['DW_SHIB']);
	  error_log('shibbolethauth : authenticated user redirected for logout to '.$conf['plugin']['shibbolethauth']['shibbolethLogoutURL']);
	  header("Location: ".$conf['plugin']['shibbolethauth']['shibbolethLogoutURL']."?return=".urlencode($_SERVER['HTTP_REFERER']));
	  exit;
	}else{
	  //attributes set fill convenient variables
	  $USERINFO['name'] = $user = $_SERVER[$conf['plugin']['shibbolethauth']['shibbolethEmailAttribute']];
	  $USERINFO['mail'] = $mail = $_SERVER[$conf['plugin']['shibbolethauth']['shibbolethEmailAttribute']];
	  
	  
	  // load the groups of users contained on the file users.auth.php
	  if($this->users === null) $this->_loadUserData();
	  // groups the person belongs to
	  $grps = array();
	  // Test if $user is an email or not. If it is not, it is an user id
	  if(strpbrk($user, '@') != false){
	    // We are in a Shibboteth context, and we get the datas for the autorization
	    // Test if we use the autorisation with Sympa server
	    $sympaIsOK = true;
	    if(isset($conf['plugin']['shibbolethauth']['useSympa']) && $conf['plugin']['shibbolethauth']['useSympa'] == 1){
	      // Get the groups list on the Sympa server
	      //create soap client
	      try{
		$this->soap_client = new SoapClient($conf['plugin']['shibbolethauth']['sympaSoapService']);
	      }catch(SoapFault $fault){
		$sympaIsOK =  false;
		error_log("shibbolethauth : unable to establish a SOAP connection with ".$conf['plugin']['shibbolethauth']['sympaSoapService']);
		msg("No valid SOAP server",0);
	      }
	      // get the groups list
	      if($sympaIsOK){
		try{
		  $res = $this->soap_client->authenticateRemoteAppAndRun($conf['plugin']['shibbolethauth']['sympaApplicationId'],$conf['plugin']['shibbolethauth']['sympaApplicationPwd'], 'USER_EMAIL='.$user,'complexWhich');      
		}catch(SoapFault $fault){
		  $sympaIsOK =  false;
		  msg("dokuwiki groups only",0);
		  error_log("shibbolethauth : unable to authenticate on ".$conf['plugin']['shibbolethauth']['sympaSoapService']);
		}
		if($sympaIsOK){
		  if (isset($res) && gettype($res) == 'array') {
		    foreach ($res as $list) {
		      if (empty($grps[0])) { 
			$grps[0] = $list->listAddress;
		      }else{
			array_unshift($grps,$list->listAddress);
		      }
		      if($list->isOwner == 'true'){
			$listrequest = preg_replace('/@/','-request@',$list->listAddress);
			array_unshift($grps,$listrequest);
		      }
		      if ($list->isEditor == 'true') {
			$listeditor = preg_replace('/@/','-editor@',$list->listAddress);
			array_unshift($grps,$listeditor);
		      }      
		    }
		  }
		}
	      }
	    }
	    // Collect the DokuWiki's data with the Sympa's data (if we are in Sympa context)
	    $users = $this->setUserGroups($mail,$grps);
	  }
	  // set the globals if authed
	  $USERINFO['grps'] = $users['grps'];
	  $_SERVER['REMOTE_USER'] = $user;
	  $_SESSION[DOKU_COOKIE]['auth']['user'] = $user;
	  $_SESSION[DOKU_COOKIE]['auth']['pass'] = $user;
	  $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO;
	  $_SESSION['DW_SHIB']['user']= $user;
	  $_SESSION['DW_SHIB']['pass']= $user;
	  $_SESSION['DW_SHIB']['info'] = $USERINFO;
	  error_log('shibbolethauth : authenticated user');
	  return true;
	}
	// if this attribute is not set, we log off the system
      }else{
	if($_REQUEST['do'] == 'login'){
	  error_log('shibbolethauth: redirect user for login to '.$conf['plugin']['shibbolethauth']['shibbolethLoginURL']);
	  header("Location: ".$conf['plugin']['shibbolethauth']['shibbolethLoginURL']."?target=".urlencode($_SERVER['HTTP_REFERER']));
	  exit;
	}else{
	  error_log('shibbolethauth: no email address to log');
	  unset($_SESSION[DOKU_COOKIE]['auth']['user']);
	  unset($_SESSION[DOKU_COOKIE]['auth']['pass']);
	  unset($_SESSION[DOKU_COOKIE]['auth']['info']);
	  return false;
	}
      }
    }
  }
  
  
  /**
   * Checks if the Email attibute of Shibboleth is correctly set
   *
   * @author  Yoann Lecuyer <yoann.lecuyer AT cru.fr>
   *
   **/

  function checkPass($user,$pass){
  }

  /**
   * Return user info
   *
   * Accessing to sympa is done through the nusoap library
   * for the autorization part
   *
   * Reading the user's group on DokuWiki's files
   * for the user manager part
   *
   * The returned field are :
   *
   * name string  full name of the user 
   * mail string  email addres of the user 
   * groups array   list of groups the user is in
   *
   * @author  Yoann Lecuyer <yoann.lecuyer AT cru.fr>
   *
   **/

  function getUserData( $user ) {
    $userData = false;
    $userData['name'] = $user;
    $userData['mail'] = $user;
    $userData['grps'] = $this->getUserGroups($user);
    return $userData;
  }

  /**
   * Return user groups
   *
   **/

  function getUserGroups($user) {
    global $conf;
    $mail=$user;
    // load the groups of users contained on the file users.auth.php
    if($this->users === null) $this->_loadUserData();
    // groups the person belongs to
    $grps = array();
    // Test if $user is an email or not. If it is not, it is an user id
    if(strpbrk($user, '@') != false){
      // We are in a Shibboteth context, and we get the datas for the autorization
      // Test if we use the autorisation with Sympa server
      $sympaIsOK = true;
      if(isset($conf['plugin']['shibbolethauth']['useSympa']) && $conf['plugin']['shibbolethauth']['useSympa'] == 1){
	// Get the groups list on the Sympa server
	//create soap client
	try{
	  $this->soap_client = new SoapClient($conf['plugin']['shibbolethauth']['sympaSoapService']);
	}catch(SoapFault $fault){
	  $sympaIsOK =  false;
	  error_log("shibbolethauth : unable to establish a SOAP connection with ".$conf['plugin']['shibbolethauth']['sympaSoapService']);
	}
	// get the groups list
	if($sympaIsOK){
	  try{
	    $res = $this->soap_client->authenticateRemoteAppAndRun($conf['plugin']['shibbolethauth']['sympaApplicationId'],$conf['plugin']['shibbolethauth']['sympaApplicationPwd'], 'USER_EMAIL='.$user,'complexWhich');      
	  }catch(SoapFault $fault){
	    $sympaIsOK =  false;
	    msg("dokuwiki groups only",0);
	    error_log("shibbolethauth : unable to authenticate on ".$conf['plugin']['shibbolethauth']['sympaSoapService']);
	  }
	  if($sympaIsOK){
	  if (isset($res) && gettype($res) == 'array') {
	      foreach ($res as $list) {
		if (empty($grps[0])) { 
		  $grps[0] = $list->listAddress;
		}else{
		  array_unshift($grps,$list->listAddress);
		}
		if($list->isOwner == 'true'){
		  $listrequest = preg_replace('/@/','-request@',$list->listAddress);
		  array_unshift($grps,$listrequest);
		}
		if ($list->isEditor == 'true') {
		  $listeditor = preg_replace('/@/','-editor@',$list->listAddress);
		  array_unshift($grps,$listeditor);
		}      
	      }
	    }
	  }
	}
      }
      
      // Collect the DokuWiki's data with the Sympa's data (if we are in Sympa context)
      $users = $this->setUserGroups($mail,$grps);
    }


    // set the globals if authed
    return $users['grps'];
  }


  /**
   * Set the DokuWiki's groups and the Sympa's groups together
   *
   * @author  Yoann Lecuyer <yoann.lecuyer AT cru.fr>
   *
   **/

  function setUserGroups($mail,$grps){
    foreach ($this->users as $user){
      if($user['mail'] == $mail){
        // Add or set the groups of the user
        if(!empty($grps[0])){
          foreach($grps as $group){
            array_unshift($user['grps'],$group);
          }
        }
        // Verify if the table contains the sympaDefaultGroup value
        $defaultgroupset = false;
        foreach ($user['grps'] as $group){
          if($group == $this->sympaDefaultGroup) $defaultgroupset = true;
        }
        // Put the sympaDefaultGroup value if it is not on the table
        if(!$defaultgroupset) array_unshift($user['grps'],$this->sympaDefaultGroup);
        return $user;
      }
    }
    // the mail is not on the table of DokuWiki's users, we create an other user

    // Verify if the table contains the sympaDefaultGroup value
    $defaultgrpset = false;
    foreach ($grps as $grp){
      if($grp == $this->sympaDefaultGroup) $defaultgrpset = true;
    }
    // Put the sympaDefaultGroup value if it is not on the table
    if(!$defaultgrpset) array_unshift($grps,$this->sympaDefaultGroup);

    $this->users[$mail]['name'] = $mail;
    $this->users[$mail]['mail'] = $mail;
    $this->users[$mail]['grps'] = $grps;
    return $this->users[$mail];
  }

  /**
   * Logoff user : 
   *
   * everything that was about the session is unset
   *
   * @author  Yoann Lecuyer <yoann.lecuyer AT cru.fr>
   *
   **/

  function logOff() {
    if(isset($_SESSION[DOKU_COOKIE]['auth']['info'])) {
      unset($_SESSION[DOKU_COOKIE]['auth']['info']);
    }
    unset($this->soap_client);
    unset($_REQUEST['u']);
    return;
  }

  function server() {
    return($this->sympaSoapService);
  }

  /**
   * Create a new User
   *
   * Returns false if the user already exists, null when an error
   * occured and true if everything went well.
   *
   * The new user will be added to the default group by this
   * function if grps are not specified (default behaviour).
   *
   * @author  Andreas Gohr <andi@splitbrain.org>
   * @author  Chris Smith <chris@jalakai.co.uk>
   */
  function createUser($user,$pwd,$name,$mail,$grps=null){
    global $conf;

    // user mustn't already exist
    if ($this->getUserData($user) !== false) return false;

    $pass = auth_cryptPassword($pwd);
    $name = $user;
    // set default group if no groups specified
    if (!is_array($grps)) $grps = array($conf['defaultgroup']);

    // prepare user line
    $groups = join(',',$grps);
    $userline = join(':',array($user,$pass,$name,$mail,$groups))."\n";

    if (io_saveFile(AUTH_USERFILE,$userline,true)) {
      $this->users[$user] = compact('pass','name','mail','grps');
      return $pass;
    }

    msg('The '.AUTH_USERFILE.' file is not writable. Please inform the Wiki-Admin',-1);
    return null;
  }

  /**
   * Modify user data
   *
   * @author  Chris Smith <chris@jalakai.co.uk>
   * @param   $user      nick of the user to be changed
   * @param   $changes   array of field/value pairs to be changed (password will be clear text)
   * @return  bool
   */

  function modifyUser($user, $changes) {
    global $conf;
    global $ACT;
    global $INFO;

    // sanity checks, user must already exist and there must be something to change
    if (($userinfo = $this->getUserData($user)) === false) return false;
    if (!is_array($changes) || !count($changes)) return true;

    // update userinfo with new data, remembering to encrypt any password
    $newuser = $user;
    foreach ($changes as $field => $value) {
      if ($field == 'user') {
        $newuser = $value;
        continue;
      }
      if ($field == 'pass') $value = auth_cryptPassword($value);
      $userinfo[$field] = $value;
    }

    $groups = join(',',$userinfo['grps']);
    $userline = join(':',array($newuser, $userinfo['pass'], $userinfo['name'], $userinfo['mail'], $groups))."\n";

    if (!$this->deleteUsers(array($user))) {
      msg('Unable to modify user data. Please inform the Wiki-Admin',-1);
      return false;
    }

    if (!io_saveFile(AUTH_USERFILE,$userline,true)) {
      msg('There was an error modifying your user data. You should register again.',-1);
      // FIXME, user has been deleted but not recreated, should force a logout and redirect to login page
      $ACT == 'register';
      return false;
    }

    $this->users[$newuser] = $userinfo;
    return true;
  }

  /**
   *  Remove one or more users from the list of registered users
   *
   *  @author  Christopher Smith <chris@jalakai.co.uk>
   *  @param   array  $users   array of users to be deleted
   *  @return  int             the number of users deleted
   */

  function deleteUsers($users) {

    if (!is_array($users) || empty($users)) return 0;

    if ($this->users === null) $this->_loadUserData();

    $deleted = array();
    foreach ($users as $user) {
      if (isset($this->users[$user])) $deleted[] = preg_quote($user,'/');
    }

    if (empty($deleted)) return 0;

    $pattern = '/^('.join('|',$deleted).'):/';

    if (io_deleteFromFile(AUTH_USERFILE,$pattern,true)) {
      foreach ($deleted as $user) unset($this->users[$user]);
      return count($deleted);
    }

    // problem deleting, reload the user list and count the difference
    $count = count($this->users());
    $this->_loadUserData();
    $count -= $count($this->users());
    return $count;
  }

  /**
   * Return a count of the number of user which meet $filter criteria
   *
   * @author  Chris Smith <chris@jalakai.co.uk>
   */

  function getUserCount($filter=array()) {

    if($this->users === null) $this->_loadUserData();

    if (!count($filter)) return count($this->users);

    $count = 0;
    $this->_constructPattern($filter);

    foreach ($this->users as $user => $info) {
      $count += $this->_filter($user, $info);
    }

    return $count;
  }

  /**
   * Bulk retrieval of user data
   *
   * @author  Chris Smith <chris@jalakai.co.uk>
   * @param   start     index of first user to be returned
   * @param   limit     max number of users to be returned
   * @param   filter    array of field/pattern pairs
   * @return  array of userinfo (refer getUserData for internal userinfo details)
   */
  function retrieveUsers($start=0,$limit=0,$filter=array()) {

    if ($this->users === null) $this->_loadUserData();

    ksort($this->users);

    $i = 0;
    $count = 0;
    $out = array();
    $this->_constructPattern($filter);

    foreach ($this->users as $user => $info) {
      if ($this->_filter($user, $info)) {
        if ($i >= $start) {
          $out[$user] = $info;
          $count++;
          if (($limit > 0) && ($count >= $limit)) break;
        }
        $i++;
      }
    }

    return $out;
  }

  /**
   * Load all user data
   *
   * loads the user file into a datastructure
   *
   * @author  Andreas Gohr <andi@splitbrain.org>
   */

  function _loadUserData(){
    $this->users = array();

    if(!@file_exists(AUTH_USERFILE)) return;

    $lines = file(AUTH_USERFILE);
    foreach($lines as $line){
      $line = preg_replace('/#.*$/','',$line); //ignore comments
      $line = trim($line);
      if(empty($line)) continue;

      $row    = split(":",$line,5);
      $groups = split(",",$row[4]);
      $this->users[$row[0]]['pass'] = $row[1];
      $this->users[$row[0]]['name'] = urldecode($row[2]);
      $this->users[$row[0]]['mail'] = $row[3];
      $this->users[$row[0]]['grps'] = $groups;
    }
  }

  /**
   * return 1 if $user + $info match $filter criteria, 0 otherwise
   *
   * @author   Chris Smith <chris@jalakai.co.uk>
   */

  function _filter($user, $info) {
    // FIXME
    foreach ($this->_pattern as $item => $pattern) {
      if ($item == 'user') {
        if (!preg_match($pattern, $user)) return 0;
      } else if ($item == 'grps') {
        if (!count(preg_grep($pattern, $info['grps']))) return 0;
      } else {
        if (!preg_match($pattern, $info[$item])) return 0;
      }
    }
    return 1;
  }

  function _constructPattern($filter) {
    $this->_pattern = array();
    foreach ($filter as $item => $pattern) {
//      $this->_pattern[$item] = '/'.preg_quote($pattern,"/").'/';          // don't allow regex characters
      $this->_pattern[$item] = '/'.str_replace('/','\/',$pattern).'/';    // allow regex characters
    }
  }
}