<?php
/**
 * The following options may be specified in config.php:
 *
 *   putenv('TTRSS_AUTH_IDM_URI=ldap://ldap.idm.example.com');
 *   putenv('TTRSS_AUTH_IDM_BASEDN=ou=users,dc=idm,dc=example,dc=com');
 *   putenv('TTRSS_AUTH_IDM_FILTER=(memberOf=cn=ttrss-users,ou=groups,dc=idm,dc=example,dc=com)');
 *   putenv('TTRSS_AUTH_IDM_ADMIN_FILTER=(memberOf=cn=ttrss-admins,ou=groups,dc=idm,dc=example,dc=com)');
 *   putenv('TTRSS_AUTH_IDM_FULLNAME_ATTRIBUTE=cn');
 *   putenv('TTRSS_AUTH_IDM_EMAIL_ATTRIBUTE=mail');
 */

class Auth_Idm extends Auth_Base {

  const AUTH_IDM_URI           = 'AUTH_IDM_URI';
  const AUTH_IDM_STARTTLS      = 'AUTH_IDM_STARTTLS';
  const AUTH_IDM_BASEDN        = 'AUTH_IDM_BASEDN';
  const AUTH_IDM_SCOPE         = 'AUTH_IDM_SCOPE';
  const AUTH_IDM_FILTER        = 'AUTH_IDM_FILTER';
  const AUTH_IDM_ADMIN_FILTER  = 'AUTH_IDM_ADMIN_FILTER';
  const AUTH_IDM_USERNAME_ATTR = 'AUTH_IDM_USERNAME_ATTRIBUTE';
  const AUTH_IDM_FULLNAME_ATTR = 'AUTH_IDM_FULLNAME_ATTRIBUTE';
  const AUTH_IDM_EMAIL_ATTR    = 'AUTH_IDM_EMAIL_ATTRIBUTE';

  function about() {
    return array(null,
      'Authenticates against REMOTE_USER variable and LDAP server',
      'cullum@sacredheartsc.com',
      true);
  }

  function init($host) {
    $host->add_hook($host::HOOK_AUTH_USER, $this);

    Config::add(self::AUTH_IDM_URI,           '',            Config::T_STRING);
    Config::add(self::AUTH_IDM_STARTTLS,      false,         Config::T_BOOL);
    Config::add(self::AUTH_IDM_BASEDN,        '',            Config::T_STRING);
    Config::add(self::AUTH_IDM_SCOPE,         'sub',         Config::T_STRING);
    Config::add(self::AUTH_IDM_FILTER,        '',            Config::T_STRING);
    Config::add(self::AUTH_IDM_ADMIN_FILTER,  '',            Config::T_STRING);
    Config::add(self::AUTH_IDM_USERNAME_ATTR, 'uid',         Config::T_STRING);
    Config::add(self::AUTH_IDM_FULLNAME_ATTR, 'cn',          Config::T_STRING);
    Config::add(self::AUTH_IDM_EMAIL_ATTR,    'mail',        Config::T_STRING);
  }

  private function ldap_get_user($username, $filter = null) {
    switch ($this->scope) {
    case 'sub':
      $searchfunc = 'ldap_search'; break;
    case 'one':
      $searchfunc = 'ldap_list'; break;
    case 'base':
      $searchfunc = 'ldap_read'; break;
    default:
      Logger::log(E_USER_ERROR, "auth_idm: invalid search scope: $scope");
      return null;
    }

    $uid_filter = '('
      . ldap_escape($this->username_attr, '', LDAP_ESCAPE_FILTER)
      . '='
      . ldap_escape($username, '', LDAP_ESCAPE_FILTER)
      . ')';

    if (empty($filter)) {
      $filter = $uid_filter;
    } else {
      $filter = "(&$filter$uid_filter)";
    }

    $results = $searchfunc($this->conn, $this->basedn, $filter, [$this->fullname_attr, $this->email_attr]);
    if ($results && ldap_count_entries($this->conn, $results) == 1) {
      if ($entry = ldap_first_entry($this->conn, $results)) {
        if ($dn = ldap_get_dn($this->conn, $entry)) {
          if ($attrs = ldap_get_attributes($this->conn, $entry)) {
            return array(
              'dn'       => $dn,
              'email'    => $attrs[$this->email_attr][0],
              'fullname' => $attrs[$this->fullname_attr][0]
            );
          }
        }
      }
    }
    return null;
  }

  function authenticate($username = null, $password = null, $service = '') {
    $this->basedn        = Config::get(self::AUTH_IDM_BASEDN);
    $this->scope         = Config::get(self::AUTH_IDM_SCOPE);
    $this->username_attr = Config::get(self::AUTH_IDM_USERNAME_ATTR);
    $this->fullname_attr = Config::get(self::AUTH_IDM_FULLNAME_ATTR);
    $this->email_attr    = Config::get(self::AUTH_IDM_EMAIL_ATTR);
    $uri                 = Config::get(self::AUTH_IDM_URI);
    $starttls            = Config::get(self::AUTH_IDM_STARTTLS);
    $filter              = Config::get(self::AUTH_IDM_FILTER);
    $admin_filter        = Config::get(self::AUTH_IDM_ADMIN_FILTER);

    // Get ldap connection handle.
    if (!$this->conn = ldap_connect($uri)) {
      return false;
    }

    // Set protocol version 3.
    if (!ldap_set_option($this->conn, LDAP_OPT_PROTOCOL_VERSION, 3)) {
      return false;
    }

    // Bind using kerberos credentials from the environment.
    if (!ldap_sasl_bind($this->conn, null, null, 'GSSAPI')) {
      return false;
    }

    // Initiate STARTTLS (if requested)
    if ($starttls and !ldap_start_tls($this->conn)) {
      return false;
    }

    // If REMOTE_USER was set by the webserver, use that.
    if (!empty($_SERVER['REMOTE_USER'])) {
      $username = $_SERVER['REMOTE_USER'];
    } elseif (empty($username)) {
      return false;
    }

    $is_admin = false;
    $user = null;

    // First, check if the ADIN_FILTER matches (if set).
    if (!empty($admin_filter)) {
      $user = $this->ldap_get_user($username, $admin_filter);
      isset($user) && $is_admin = true;
    }

    // If ADMIN_FILTER didn't match, try FILTER.
    if (!isset($user)) {
      $user = $this->ldap_get_user($username, $filter);
    }

    // If no matching user from LDAP, reject.
    if (!isset($user)) {
      return false;
    }

    // If webserver didn't validate the password, try an LDAP bind with the provided creds.
    if (empty($_SERVER['REMOTE_USER']) and !ldap_bind($this->conn, $user['dn'], $password)) {
      return false;
    }

    // Get the TTRSS internal user ID.
    if (!($userid = $this->auto_create_user($username))) {
      return false;
    }

    // Populate user details using the LDAP attributes.
    if (Config::get(Config::AUTH_AUTO_CREATE)) {
      if (!empty($user['fullname'])) {
        $sth = $this->pdo->prepare('UPDATE ttrss_users SET full_name = ? WHERE id = ?');
        $sth->execute([$user['fullname'], $userid]);
      }

      if (!empty($user['email'])) {
        $sth = $this->pdo->prepare('UPDATE ttrss_users SET email = ? WHERE id = ?');
        $sth->execute([$user['email'], $userid]);
      }

      $sth = $this->pdo->prepare('UPDATE ttrss_users SET access_level = ? WHERE id = ?');
      $sth->execute([$is_admin ? 10 : 0, $userid]);
    }

    return $userid;
  }

  function api_version() {
    return 2;
  }
}