# -*- coding: utf-8 -*-

"""

    rhodecode.controllers.changelog

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    RhodeCode authentication library for LDAP

    :created_on: Created on Nov 17, 2010

    :author: marcink

    :copyright: (C) 2009-2011 Marcin Kuzminski <marcin@python-works.com>

    :license: GPLv3, see COPYING for more details.

"""

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import logging

from rhodecode.lib.exceptions import LdapConnectionError, LdapUsernameError, \

    LdapPasswordError

log = logging.getLogger(__name__)

try:

    import ldap

except ImportError:

    # means that python-ldap is not installed

    pass

class AuthLdap(object):

    def __init__(self, server, base_dn, port=389, bind_dn='', bind_pass='',

                 tls_kind='PLAIN', tls_reqcert='DEMAND', ldap_version=3,

                 ldap_filter='(&(objectClass=user)(!(objectClass=computer)))',

        self.ldap_version = ldap_version

        ldap_server_type = 'ldap'

        self.TLS_KIND = tls_kind

        if self.TLS_KIND == 'LDAPS':

            port = port or 689

            ldap_server_type = ldap_server_type + 's'

        OPT_X_TLS_DEMAND = 2

        self.TLS_REQCERT = getattr(ldap, 'OPT_X_TLS_%s' % tls_reqcert, 

                                   OPT_X_TLS_DEMAND)

        self.LDAP_SERVER_ADDRESS = server

        self.LDAP_SERVER_PORT = port

        self.LDAP_BIND_DN = bind_dn

        self.LDAP_BIND_PASS = bind_pass

        self.LDAP_SERVER = "%s://%s:%s" % (ldap_server_type,

                                           self.LDAP_SERVER_ADDRESS,

                                           self.LDAP_SERVER_PORT)

        self.BASE_DN = base_dn

        self.LDAP_FILTER = ldap_filter

        self.SEARCH_SCOPE = getattr(ldap, 'SCOPE_%s' % search_scope)

        self.attr_login = attr_login

    def authenticate_ldap(self, username, password):

        """Authenticate a user via LDAP and return his/her LDAP properties.

        Raises AuthenticationError if the credentials are rejected, or

        EnvironmentError if the LDAP server can't be reached.

        :param username: username

        :param password: password

        """

        from rhodecode.lib.helpers import chop_at

        uid = chop_at(username, "@%s" % self.LDAP_SERVER_ADDRESS)

        if not password:

            log.debug("Attempt to authenticate LDAP user with blank password rejected.")

            raise LdapPasswordError()

        if "," in username:

            raise LdapUsernameError("invalid character in username: ,")

        try:

            if hasattr(ldap,'OPT_X_TLS_CACERTDIR'):

                ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, 

                                '/etc/openldap/cacerts')

            ldap.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)

            ldap.set_option(ldap.OPT_RESTART, ldap.OPT_ON)

            ldap.set_option(ldap.OPT_TIMEOUT, 20)

            ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 10)

            ldap.set_option(ldap.OPT_TIMELIMIT, 15)

            if self.TLS_KIND != 'PLAIN':

                ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, self.TLS_REQCERT)

            server = ldap.initialize(self.LDAP_SERVER)

            if self.ldap_version == 2:

                server.protocol = ldap.VERSION2

            else:

                server.protocol = ldap.VERSION3

        :param email:

        :param active:

        :param name:

        :param lastname:

        :param active:

        :param admin:

        :param ldap_dn:

        """

        from rhodecode.lib.auth import get_crypt_password

        log.debug('Checking for %s account in RhodeCode database', username)

        user = User.get_by_username(username, case_insensitive=True)

        if user is None:

            log.debug('creating new user %s', username)            

            new_user = User()

        else:

            log.debug('updating user %s', username)            

            new_user = user

        try:

            new_user.username = username

            new_user.admin = admin

            new_user.password = get_crypt_password(password)

            new_user.api_key = generate_api_key(username)

            new_user.email = email

            new_user.active = active

            new_user.ldap_dn = safe_unicode(ldap_dn) if ldap_dn else None

            new_user.name = name

            new_user.lastname = lastname

            self.sa.add(new_user)

            self.sa.commit()

            return new_user

        except (DatabaseError,):

            log.error(traceback.format_exc())

            self.sa.rollback()

            raise

    def create_for_container_auth(self, username, attrs):

        """

        Creates the given user if it's not already in the database

        :param username:

        :param attrs:

        """

        if self.get_by_username(username, case_insensitive=True) is None:

            try:

                new_user = User()

                new_user.username = username

                new_user.password = None

                new_user.api_key = generate_api_key(username)

                new_user.email = attrs['email']

                new_user.active = attrs.get('active', True)

                new_user.lastname = attrs['lastname']

                self.sa.add(new_user)

                self.sa.commit()

                return new_user

            except (DatabaseError,):

                log.error(traceback.format_exc())

                self.sa.rollback()

                raise

        log.debug('User %s already exists. Skipping creation of account'

                  ' for container auth.', username)

        return None

    def create_ldap(self, username, password, user_dn, attrs):

        """

        Checks if user is in database, if not creates this user marked

        as ldap user

        :param username:

        :param password:

        :param user_dn:

        :param attrs:

        """

        from rhodecode.lib.auth import get_crypt_password

        log.debug('Checking for such ldap account in RhodeCode database')

        if self.get_by_username(username, case_insensitive=True) is None:

            # autogenerate email for ldap account without one

            generate_email = lambda usr: '%s@ldap.account' % usr

            try:

                new_user = User()

                username = username.lower()

                # add ldap account always lowercase

                new_user.username = username

                new_user.password = get_crypt_password(password)

                new_user.api_key = generate_api_key(username)

                new_user.email = attrs['email'] or generate_email(username)

                new_user.active = attrs.get('active', True)

                new_user.ldap_dn = safe_unicode(user_dn)

                new_user.name = attrs['name']

                new_user.lastname = attrs['lastname']

                self.sa.add(new_user)

                self.sa.commit()

                return new_user

            except (DatabaseError,):

                log.error(traceback.format_exc())