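/*
 * UserConfigBackendKrb5.cpp
 *
 * Copyright (C) 2009 Matthias Schiffer
 *
 * This program is free software: you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as published by the
 * Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 * See the GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License along
 * with this program. If not, see <http://www.gnu.org/licenses/>.
 */

#include "UserConfigBackendKrb5.h"

// NOTE(review): the original system include list was lost in extraction; the
// headers below are the ones the code in this file demonstrably uses
// (std::memset/std::strcspn, std::string, kadm5_*/krb5_*, boost::lock_guard).
#include <cstring>
#include <string>

#include <kadm5/admin.h>
#include <boost/thread/locks.hpp>

namespace Mad {
namespace Modules {
namespace UserConfigBackendKrb5 {

/**
 * (Re-)establishes the kadm5 admin connection from the currently configured
 * principal, realm, server and password/keytab.
 *
 * Any existing handle is destroyed first. On every failure path an error is
 * logged and `handle` is left null, so callers must check `handle` before
 * issuing kadm5 calls. The caller is expected to hold `mutex`.
 */
void UserConfigBackendKrb5::_connect() {
	if(principal.isEmpty()) {
		application->log(Core::Logger::LOG_USER, Core::Logger::LOG_ERROR, "UserConfigBackendKrb5: no principal given");
		return;
	}

	if(realm.isEmpty()) {
		application->log(Core::Logger::LOG_USER, Core::Logger::LOG_ERROR, "UserConfigBackendKrb5: no realm given and no default realm available");
		return;
	}

	// Without a krb5 context there is nothing to connect with (and nothing to
	// format error messages with either).
	if(!context)
		return;

	if(handle) {
		kadm5_destroy(handle);
		handle = 0;
	}

	// Only the fields named in `mask` are read by kadm5, but zeroing the struct
	// keeps the remaining pointer members from holding stack garbage.
	kadm5_config_params params;
	std::memset(&params, 0, sizeof(params));

	std::string realmStr = realm.toLocale();
	params.realm = const_cast<char*>(realmStr.c_str());
	params.mask = KADM5_CONFIG_REALM;

	std::string serverStr = server.toLocale();
	if(!serverStr.empty()) {
		params.admin_server = const_cast<char*>(serverStr.c_str());
		params.mask |= KADM5_CONFIG_ADMIN_SERVER;
	}

	// Qualify the admin principal with the configured realm if none was given.
	Core::String princ = principal;
	if(princ.indexOf('@') < 0)
		princ += "@" + realm;

	// Keep the C strings alive in named locals for the duration of the init call.
	std::string princStr = princ.toLocale();

	if(!password.isEmpty() && keytab.isEmpty()) {
		// Password authentication is only used when no keytab is configured;
		// a configured keytab always takes precedence.
		std::string passwordStr = password.toLocale();

		krb5_error_code err = kadm5_init_with_password(const_cast<char*>(princStr.c_str()), const_cast<char*>(passwordStr.c_str()),
			const_cast<char*>(KADM5_ADMIN_SERVICE), &params, KADM5_STRUCT_VERSION, KADM5_API_VERSION_2, 0, &handle);
		if(err) {
			handle = 0;
			// krb5_get_error_message() returns an allocated string that must be
			// released with krb5_free_error_message().
			const char *msg = krb5_get_error_message(context, err);
			application->log(Core::Logger::LOG_USER, Core::Logger::LOG_ERROR, Core::Format("kadm5_init_with_password: %1%") % msg);
			krb5_free_error_message(context, msg);
			return;
		}
	}
	else {
		char *keytabName = 0; // null: kadm5 falls back to its default keytab
		std::string keytabStr = keytab.toLocale();
		if(!keytabStr.empty())
			keytabName = const_cast<char*>(keytabStr.c_str());

		krb5_error_code err = kadm5_init_with_skey(const_cast<char*>(princStr.c_str()), keytabName,
			const_cast<char*>(KADM5_ADMIN_SERVICE), &params, KADM5_STRUCT_VERSION, KADM5_API_VERSION_2, 0, &handle);
		if(err) {
			handle = 0;
			const char *msg = krb5_get_error_message(context, err);
			application->log(Core::Logger::LOG_USER, Core::Logger::LOG_ERROR, Core::Format("kadm5_init_with_skey: %1%") % msg);
			krb5_free_error_message(context, msg);
			return;
		}
	}

	application->log(Core::Logger::LOG_USER, Core::Logger::LOG_VERBOSE, "Connected to kerberos admin server.");
}

/**
 * Reads the backend settings from the configuration manager and connects.
 *
 * `UserManager.Krb5.Realm` keeps its previous value when unset; the other keys
 * are replaced by whatever the config manager returns. Note that in _connect()
 * a configured keytab takes precedence over `UserManager.Krb5.Password`, so
 * a keytab is the preferred way to supply admin credentials.
 */
void UserConfigBackendKrb5::configure() {
	// NOTE(review): assumes `mutex` is a boost::mutex — confirm against the header.
	boost::lock_guard<boost::mutex> lock(mutex);

	realm = application->getConfigManager()->get("UserManager.Krb5.Realm", realm);
	principal = application->getConfigManager()->get("UserManager.Krb5.Principal");
	server = application->getConfigManager()->get("UserManager.Krb5.Server");
	password = application->getConfigManager()->get("UserManager.Krb5.Password");
	keytab = application->getConfigManager()->get("UserManager.Krb5.Keytab");

	_connect();
}

/**
 * Validates a username before it is turned into a Kerberos principal.
 *
 * The username is concatenated with "@" + realm and handed to
 * krb5_parse_name(), so a '/' or '@' inside it would let the caller pick an
 * instance or a foreign realm; both characters are rejected. An embedded NUL
 * would silently truncate the name in the later c_str() handoff and is
 * rejected as well.
 *
 * @throws Core::Exception INVALID_INPUT if the username cannot be used as-is.
 */
void UserConfigBackendKrb5::checkUserInfo(const Common::UserInfo &userInfo) throw(Core::Exception) {
	std::string username = userInfo.getUsername().toLocale();

	if(username.find_first_of("/@") != std::string::npos || username.find('\0') != std::string::npos)
		throw Core::Exception(Core::Exception::INVALID_INPUT);
}

/**
 * Creates the principal `<username>@<realm>` with a fresh random key.
 *
 * The principal is created with a fixed placeholder password, which is why
 * it is created locked (KRB5_KDB_DISALLOW_ALL_TIX), immediately re-keyed with
 * a random key, and only then unlocked. Each kadm5 call is retried after a
 * reconnect on KADM5_RPC_ERROR; the three calls share one retry budget.
 *
 * NOTE(review): if re-keying or unlocking fails after creation, the (still
 * locked) principal is left behind, and a later addUser() for the same name
 * will fail with a duplicate-principal error — confirm this is acceptable.
 * Assumes checkUserInfo() has already been applied to `userInfo` by the caller.
 *
 * @throws Core::Exception NOT_AVAILABLE without a context/handle,
 *         INTERNAL_ERRNO (with the krb5 code) on any kadm5/krb5 failure.
 */
void UserConfigBackendKrb5::addUser(const Common::UserInfo &userInfo) throw(Core::Exception) {
	application->getThreadManager()->detach();

	boost::lock_guard<boost::mutex> lock(mutex);

	if(!context || !handle)
		throw Core::Exception(Core::Exception::NOT_AVAILABLE);

	Core::String princStr = userInfo.getUsername() + "@" + realm;

	// Only the fields covered by the masks below are read, but start from a
	// zeroed record rather than stack garbage.
	kadm5_principal_ent_rec princ;
	std::memset(&princ, 0, sizeof(princ));

	krb5_error_code err = krb5_parse_name(context, princStr.toLocale().c_str(), &princ.principal);
	if(err)
		throw Core::Exception("krb5_parse_name", Core::Exception::INTERNAL_ERRNO, err);

	princ.attributes = KRB5_KDB_DISALLOW_ALL_TIX;

	// Placeholder password for creation: bytes 1..127 followed by the
	// terminating NUL (128 % 128 == 0). It is never usable because the
	// principal is locked until it has been re-keyed below.
	char dummybuf[128];
	for(int i = 0; i < 128; ++i)
		dummybuf[i] = (i+1)%128;

	int retryCount = 3; // reconnect budget shared by the three kadm5 calls below

	for(;;) {
		err = kadm5_create_principal(handle, &princ, KADM5_PRINCIPAL|KADM5_ATTRIBUTES, dummybuf);
		if(err != KADM5_RPC_ERROR || retryCount <= 0)
			break;

		application->log(Core::Logger::LOG_USER, Core::Logger::LOG_VERBOSE, "Connection to kerberos admin server lost. Reconnecting...");
		_connect();
		--retryCount;

		// A failed reconnect leaves `handle` null; give up instead of calling
		// kadm5 with it (err is still KADM5_RPC_ERROR and is reported below).
		if(!handle)
			break;
	}

	if(err) {
		krb5_free_principal(context, princ.principal);
		throw Core::Exception("kadm5_create_principal", Core::Exception::INTERNAL_ERRNO, err);
	}

	for(;;) {
		err = kadm5_randkey_principal(handle, princ.principal, 0, 0);
		if(err != KADM5_RPC_ERROR || retryCount <= 0)
			break;

		application->log(Core::Logger::LOG_USER, Core::Logger::LOG_VERBOSE, "Connection to kerberos admin server lost. Reconnecting...");
		_connect();
		--retryCount;

		if(!handle)
			break;
	}

	if(err) {
		krb5_free_principal(context, princ.principal);
		throw Core::Exception("kadm5_randkey_principal", Core::Exception::INTERNAL_ERRNO, err);
	}

	// Random key is in place: unlock the principal.
	princ.attributes = 0;

	for(;;) {
		err = kadm5_modify_principal(handle, &princ, KADM5_ATTRIBUTES);
		if(err != KADM5_RPC_ERROR || retryCount <= 0)
			break;

		application->log(Core::Logger::LOG_USER, Core::Logger::LOG_VERBOSE, "Connection to kerberos admin server lost. Reconnecting...");
		_connect();
		--retryCount;

		if(!handle)
			break;
	}

	krb5_free_principal(context, princ.principal);

	if(err)
		throw Core::Exception("kadm5_modify_principal", Core::Exception::INTERNAL_ERRNO, err);
}

/**
 * Applies a user update to the KDC. Only a changed username matters here;
 * it is implemented as deleting the old principal and creating the new one.
 *
 * NOTE(review): because addUser() assigns a random key, a renamed user loses
 * their previous password — confirm this is the intended behaviour.
 *
 * The lock is released before delegating, since deleteUser()/addUser() take
 * `mutex` themselves.
 *
 * @throws Core::Exception NOT_AVAILABLE without a context/handle, plus
 *         whatever deleteUser()/addUser() throw.
 */
void UserConfigBackendKrb5::updateUser(const Common::UserInfo &oldUserInfo, const Common::UserInfo &userInfo) throw(Core::Exception) {
	application->getThreadManager()->detach();

	{
		boost::lock_guard<boost::mutex> lock(mutex);

		if(!context || !handle)
			throw Core::Exception(Core::Exception::NOT_AVAILABLE);

		if(oldUserInfo.getUsername() == userInfo.getUsername())
			return;
	}

	deleteUser(oldUserInfo);
	addUser(userInfo);
}

/**
 * Deletes the principal `<username>@<realm>`, retrying after a reconnect on
 * KADM5_RPC_ERROR.
 *
 * A failure of kadm5_delete_principal() itself is only logged as a warning
 * (best effort, e.g. when the principal does not exist), not thrown.
 *
 * @throws Core::Exception NOT_AVAILABLE without a context/handle,
 *         INTERNAL_ERRNO if the principal name cannot be parsed.
 */
void UserConfigBackendKrb5::deleteUser(const Common::UserInfo &userInfo) throw(Core::Exception) {
	application->getThreadManager()->detach();

	boost::lock_guard<boost::mutex> lock(mutex);

	if(!context || !handle)
		throw Core::Exception(Core::Exception::NOT_AVAILABLE);

	Core::String princStr = userInfo.getUsername() + "@" + realm;

	krb5_principal princ;
	krb5_error_code err = krb5_parse_name(context, princStr.toLocale().c_str(), &princ);
	if(err)
		throw Core::Exception("krb5_parse_name", Core::Exception::INTERNAL_ERRNO, err);

	int retryCount = 3;

	for(;;) {
		err = kadm5_delete_principal(handle, princ);
		if(err != KADM5_RPC_ERROR || retryCount <= 0)
			break;

		application->log(Core::Logger::LOG_USER, Core::Logger::LOG_VERBOSE, "Connection to kerberos admin server lost. Reconnecting...");
		_connect();
		--retryCount;

		// A failed reconnect leaves `handle` null; stop rather than call kadm5 with it.
		if(!handle)
			break;
	}

	krb5_free_principal(context, princ);

	if(err) {
		const char *msg = krb5_get_error_message(context, err);
		application->log(Core::Logger::LOG_USER, Core::Logger::LOG_WARNING, Core::Format("kadm5_delete_principal: %1%") % msg);
		krb5_free_error_message(context, msg);
	}
}

/**
 * Sets the password of the principal `<username>@<realm>`, retrying after a
 * reconnect on KADM5_RPC_ERROR.
 *
 * The `password` parameter deliberately shadows the admin-password member of
 * the same name; the member is not used here.
 *
 * @throws Core::Exception NOT_AVAILABLE without a context/handle,
 *         INTERNAL_ERRNO (with the krb5 code) on any kadm5/krb5 failure.
 */
void UserConfigBackendKrb5::setPassword(const Common::UserInfo &userInfo, const Core::String &password) throw(Core::Exception) {
	application->getThreadManager()->detach();

	boost::lock_guard<boost::mutex> lock(mutex);

	if(!context || !handle)
		throw Core::Exception(Core::Exception::NOT_AVAILABLE);

	Core::String princStr = userInfo.getUsername() + "@" + realm;

	krb5_principal princ;
	krb5_error_code err = krb5_parse_name(context, princStr.toLocale().c_str(), &princ);
	if(err)
		throw Core::Exception("krb5_parse_name", Core::Exception::INTERNAL_ERRNO, err);

	// Named local so the C string outlives every attempt in the loop below.
	std::string passwordStr = password.toLocale();

	int retryCount = 3;

	for(;;) {
		err = kadm5_chpass_principal(handle, princ, const_cast<char*>(passwordStr.c_str()));
		if(err != KADM5_RPC_ERROR || retryCount <= 0)
			break;

		application->log(Core::Logger::LOG_USER, Core::Logger::LOG_VERBOSE, "Connection to kerberos admin server lost. Reconnecting...");
		_connect();
		--retryCount;

		if(!handle)
			break;
	}

	krb5_free_principal(context, princ);

	if(err)
		throw Core::Exception("kadm5_chpass_principal", Core::Exception::INTERNAL_ERRNO, err);
}

}
}
}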