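/*
 * UserConfigBackendKrb5.cpp
 *
 * Copyright (C) 2009 Matthias Schiffer
 *
 * This program is free software: you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as published by the
 * Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 * See the GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License along
 * with this program. If not, see <http://www.gnu.org/licenses/>.
 */

#include "UserConfigBackendKrb5.h"

// NOTE(review): the two system includes that followed the project header were
// lost in extraction. <cstring> is required for std::strerror/std::strcspn/
// std::memset; the kadm5 admin API (kadm5_init_with_password,
// kadm5_create_principal, ...) is declared in <kadm5/admin.h> unless
// UserConfigBackendKrb5.h already pulls it in. Adjust if the original differed.
#include <cstring>
#include <kadm5/admin.h>

namespace Mad {
namespace Modules {
namespace UserConfigBackendKrb5 {

/*
 * Open a kadm5 connection to the admin server as the configured principal.
 *
 * Requires `principal` and `realm` to be set (handleConfigEntry()). If
 * `keytab` is empty and `password` is set, the admin password is used;
 * otherwise a keytab is used (the configured one, or the library default
 * when `keytab` is empty). Any previously open handle is destroyed first.
 *
 * Returns true on success; on failure an error is logged and false is
 * returned, with `handle` left as 0.
 *
 * NOTE(review): the admin password is kept in clear text in the `password`
 * member for the lifetime of this object. Keytab authentication avoids that
 * and is preferred.
 */
bool UserConfigBackendKrb5::connect() {
	if(principal.empty()) {
		application->log(Core::LoggerBase::USER, Core::LoggerBase::ERROR, "UserConfigBackendKrb5: no principal given");
		return false;
	}

	if(realm.empty()) {
		application->log(Core::LoggerBase::USER, Core::LoggerBase::ERROR, "UserConfigBackendKrb5: no realm given and no default realm available");
		return false;
	}

	// Reconnecting: release the old handle before opening a new one.
	if(handle) {
		kadm5_destroy(handle);
		handle = 0;
	}

	// The library reads only the fields named in `mask`, but never hand it
	// uninitialized stack memory.
	kadm5_config_params params;
	std::memset(&params, 0, sizeof(params));
	params.realm = const_cast<char*>(realm.c_str());
	params.mask = KADM5_CONFIG_REALM;

	if(!server.empty()) {
		params.admin_server = const_cast<char*>(server.c_str());
		params.mask |= KADM5_CONFIG_ADMIN_SERVER;
	}

	// Qualify the admin principal with the configured realm if the
	// configuration did not already include one.
	std::string princ = principal;
	if(princ.find('@') == std::string::npos)
		princ += "@" + realm;

	// NOTE(review): krb5_error_code values are com_err codes, not errno
	// values, so std::strerror() yields "Unknown error N" for most Kerberos
	// failures below. krb5_get_error_message(context, err) (with
	// krb5_free_error_message) would give the real text.
	if(!password.empty() && keytab.empty()) {
		krb5_error_code err = kadm5_init_with_password(const_cast<char*>(princ.c_str()), const_cast<char*>(password.c_str()), const_cast<char*>(KADM5_ADMIN_SERVICE), &params, KADM5_STRUCT_VERSION, KADM5_API_VERSION_2, 0, &handle);

		if(err) {
			application->logf(Core::LoggerBase::USER, Core::LoggerBase::ERROR, "kadm5_init_with_password: %s", std::strerror(err));
			return false;
		}
	}
	else {
		// A null keytab name leaves the choice of keytab to the library
		// (its default keytab).
		char *keytabName = 0;
		if(!keytab.empty())
			keytabName = const_cast<char*>(keytab.c_str());

		krb5_error_code err = kadm5_init_with_skey(const_cast<char*>(princ.c_str()), keytabName, const_cast<char*>(KADM5_ADMIN_SERVICE), &params, KADM5_STRUCT_VERSION, KADM5_API_VERSION_2, 0, &handle);

		if(err) {
			application->logf(Core::LoggerBase::USER, Core::LoggerBase::ERROR, "kadm5_init_with_skey: %s", std::strerror(err));
			return false;
		}
	}

	application->log(Core::LoggerBase::USER, Core::LoggerBase::VERBOSE, "Connected to kerberos admin server.");

	return true;
}

/*
 * Consume the UserManager.Krb5.* configuration entries:
 * Realm, Principal, Server, Password and Keytab. Each value is taken only
 * when the entry has no fourth level (entry[3] empty); deeper entries are
 * ignored rather than rejected.
 *
 * Returns false for entries outside UserManager.Krb5 (or unknown keys
 * below it) so another handler can claim them, true otherwise.
 *
 * Note that connect() uses the Password only when no Keytab is configured;
 * a configured Keytab takes precedence.
 */
bool UserConfigBackendKrb5::handleConfigEntry(const Core::ConfigEntry &entry, bool /*handled*/) {
	if(!entry[0].getKey().matches("UserManager"))
		return false;

	if(entry[1].empty())
		return true;

	if(!entry[1].getKey().matches("Krb5"))
		return false;

	if(entry[2].getKey().matches("Realm")) {
		if(entry[3].empty())
			realm = entry[2][0];
	}
	else if(entry[2].getKey().matches("Principal")) {
		if(entry[3].empty())
			principal = entry[2][0];
	}
	else if(entry[2].getKey().matches("Server")) {
		if(entry[3].empty())
			server = entry[2][0];
	}
	else if(entry[2].getKey().matches("Password")) {
		if(entry[3].empty())
			password = entry[2][0];
	}
	else if(entry[2].getKey().matches("Keytab")) {
		if(entry[3].empty())
			keytab = entry[2][0];
	}
	else if(!entry[2].empty())
		return false;

	return true;
}

/*
 * Reject usernames that cannot safely be turned into a principal name.
 *
 * addUser()/deleteUser() build "<username>@<realm>" and hand it to
 * krb5_parse_name(), which interprets '/' as a component separator, '@' as
 * the realm separator and '\' as an escape character. Any of those in the
 * username would let the caller address a different principal (e.g. a
 * "<name>/admin" instance) or a different realm than intended, so they are
 * refused. An empty username (which would yield "@<realm>") is refused too.
 *
 * Throws Core::Exception(INVALID_INPUT) on a bad username.
 */
void UserConfigBackendKrb5::checkUserInfo(const Common::UserInfo &userInfo) throw(Core::Exception) {
	const std::string &name = userInfo.getUsername();

	// strcspn() stops at an embedded NUL as well, so a username containing
	// one also fails the length comparison.
	if(name.empty() || std::strcspn(name.c_str(), "/@\\") != name.length())
		throw Core::Exception(Core::Exception::INVALID_INPUT);
}

/*
 * Create the principal "<username>@<realm>" for a new user.
 *
 * The principal is created locked (KRB5_KDB_DISALLOW_ALL_TIX) with a fixed
 * placeholder password, its key is then replaced by a random one, and only
 * then is the lock removed. The placeholder therefore never becomes usable
 * for obtaining tickets. If the randkey or unlock step fails, the
 * half-created principal is deleted again so that no principal with the
 * well-known placeholder key is left behind.
 *
 * Throws Core::Exception(INVALID_INPUT) for an unsafe username (see
 * checkUserInfo()) and Core::Exception(INTERNAL_ERRNO, err) with the
 * krb5/kadm5 error code on library failures.
 */
void UserConfigBackendKrb5::addUser(const Common::UserInfo &userInfo) throw(Core::Exception) {
	// Defense in depth: the username is interpolated into a string that
	// krb5_parse_name() interprets, so validate it here regardless of the
	// caller.
	checkUserInfo(userInfo);

	std::string princStr = userInfo.getUsername() + "@" + realm;

	// Zero the record: kadm5 reads only the masked fields, but the rest of
	// the struct should not be uninitialized stack memory.
	kadm5_principal_ent_rec princ;
	std::memset(&princ, 0, sizeof(princ));

	krb5_error_code err = krb5_parse_name(context, princStr.c_str(), &princ.principal);
	if(err)
		throw Core::Exception("krb5_parse_name", Core::Exception::INTERNAL_ERRNO, err);

	// Locked until the random key is in place.
	princ.attributes = KRB5_KDB_DISALLOW_ALL_TIX;

	// Placeholder password: bytes 1..127 followed by the terminating NUL.
	// It is predictable by design and is only ever installed on a locked
	// principal; kadm5_randkey_principal() below replaces it.
	char dummybuf[128];
	for(int i = 0; i < 128; ++i)
		dummybuf[i] = (i+1)%128;

	err = kadm5_create_principal(handle, &princ, KADM5_PRINCIPAL|KADM5_ATTRIBUTES, dummybuf);
	if(err) {
		krb5_free_principal(context, princ.principal);
		throw Core::Exception("kadm5_create_principal", Core::Exception::INTERNAL_ERRNO, err);
	}

	err = kadm5_randkey_principal(handle, princ.principal, 0, 0);
	if(err) {
		// Roll back so the locked principal with the placeholder key does
		// not linger. The delete result is ignored on purpose: the randkey
		// error is the one the caller needs to see.
		kadm5_delete_principal(handle, princ.principal);
		krb5_free_principal(context, princ.principal);
		throw Core::Exception("kadm5_randkey_principal", Core::Exception::INTERNAL_ERRNO, err);
	}

	princ.attributes = 0;

	err = kadm5_modify_principal(handle, &princ, KADM5_ATTRIBUTES);
	if(err) {
		// Same rollback: a principal that could not be unlocked would
		// otherwise stay behind, unusable and orphaned.
		kadm5_delete_principal(handle, princ.principal);
		krb5_free_principal(context, princ.principal);
		throw Core::Exception("kadm5_modify_principal", Core::Exception::INTERNAL_ERRNO, err);
	}

	krb5_free_principal(context, princ.principal);
}

/*
 * Apply a user change. Only a username change matters to this backend; it is
 * implemented as delete-old + add-new, which means the user receives a fresh
 * random key (addUser() randkeys) and loses the old one. The two steps are
 * not atomic: if addUser() throws, the old principal has already been
 * removed.
 *
 * NOTE(review): kadm5_rename_principal() would keep the existing key and
 * avoid the window without a principal; not changed here.
 *
 * Throws whatever deleteUser()/addUser() throw.
 */
void UserConfigBackendKrb5::updateUser(const Common::UserInfo &oldUserInfo, const Common::UserInfo &userInfo) throw(Core::Exception) {
	if(oldUserInfo.getUsername() == userInfo.getUsername())
		return;

	deleteUser(oldUserInfo);
	addUser(userInfo);
}

/*
 * Delete the principal "<username>@<realm>" of a user.
 *
 * A kadm5_delete_principal() failure is logged but not propagated: the
 * throw was deliberately disabled in the original code, presumably so that
 * removing a user whose principal does not exist (and updateUser(), which
 * calls this first) still succeeds. A principal that genuinely cannot be
 * deleted is therefore only visible in the log.
 *
 * Throws Core::Exception(INVALID_INPUT) for an unsafe username (see
 * checkUserInfo()) and Core::Exception(INTERNAL_ERRNO, err) if the name
 * cannot be parsed.
 */
void UserConfigBackendKrb5::deleteUser(const Common::UserInfo &userInfo) throw(Core::Exception) {
	// Defense in depth, as in addUser(): without this, a username such as
	// "kadmin/admin" would address a principal other than the user's own.
	checkUserInfo(userInfo);

	std::string princStr = userInfo.getUsername() + "@" + realm;

	krb5_principal princ;

	krb5_error_code err = krb5_parse_name(context, princStr.c_str(), &princ);
	if(err)
		throw Core::Exception("krb5_parse_name", Core::Exception::INTERNAL_ERRNO, err);

	err = kadm5_delete_principal(handle, princ);
	krb5_free_principal(context, princ);

	// Best-effort by design (see above); record the failure instead of
	// dropping it silently. The raw code is logged because krb5 codes are
	// not errno values.
	if(err)
		application->logf(Core::LoggerBase::USER, Core::LoggerBase::ERROR, "kadm5_delete_principal: error %ld", (long)err);
}

}
}
}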