/* SASL LDAP auxprop implementation
 * Portions Copyright (C) 2004, Brian Alliet <brian@brianwe.net>
 *
 * This is a modified version of Howard Chu's ldapdb.c 
 *
 * - FIXME: Document this better
 * - Uses a search filter/search base to find userPassword 
 *   rather than SASL authzid.
 * - Only fills in userPassword property
 * - Can read from attributes other than userPassword
 *
 * -Brian Alliet
 * brian@brianweb.net
 */

/* SASL LDAP auxprop implementation
 * Copyright (C) 2002,2003 Howard Chu, All rights reserved. <hyc@symas.com>
 *
 * Permission is granted to anyone to use this software for any purpose
 * on any computer system, and to alter it and redistribute it, subject
 * to the following restrictions:
 *
 * 1. The author is not responsible for the consequences of use of this
 *    software, no matter how awful, even if they arise from flaws in it.
 *
 * 2. The origin of this software must not be misrepresented, either by
 *    explicit claim or by omission.  Since few users ever read sources,
 *    credits should appear in the documentation.
 *
 * 3. Altered versions must be plainly marked as such, and must not be
 *    misrepresented as being the original software.  Since few users
 *    ever read sources, credits should appear in the documentation.
 *
 * 4. This notice may not be removed or altered.
 */

#include <stdio.h>
#include <string.h>

#include <sasl.h>
#include <saslutil.h>
#include <saslplug.h>

#include <ldap.h>

static char ldapdb[] = "ldapdb";

typedef struct ldapctx {
	const char *uri;	/* URI of LDAP server */
	struct berval id;	/* SASL authcid to bind as */
	struct berval pw;	/* password for bind */
	struct berval mech;	/* SASL mech */
	int use_tls;		/* Issue StartTLS request? */
    const char *filter_pattern;  /* Filter to find userPassword (%u==uid) */
    const char *pw_attr; /* Password attr */
    const char *search_base;
} ldapctx;

typedef struct gluectx {
	ldapctx *lc;
	sasl_server_params_t *lp;
} gluectx;

static int ldapdb_interact(LDAP *ld, unsigned flags __attribute__((unused)),
	void *def, void *inter)
{
	sasl_interact_t *in = inter;
	gluectx *gc = def;
	struct berval p;

    if(ld == NULL || flags == LDAP_SASL_INTERACTIVE) return LDAP_PARAM_ERROR;
    
	for (;in->id != SASL_CB_LIST_END;in++)
	{
		p.bv_val = NULL;
		switch(in->id)
		{
			case SASL_CB_GETREALM:
				ldap_get_option(ld, LDAP_OPT_X_SASL_REALM, &p.bv_val);
				if (p.bv_val) p.bv_len = strlen(p.bv_val);
				break;		
			case SASL_CB_AUTHNAME:
				p = gc->lc->id;
				break;
			case SASL_CB_PASS:
				p = gc->lc->pw;
				break;
		}
		if (p.bv_val)
		{
			in->result = p.bv_val;
			in->len = p.bv_len;
		}
	}
	return LDAP_SUCCESS;
}

static void ldapdb_auxprop_lookup(void *glob_context,
				  sasl_server_params_t *sparams,
				  unsigned flags,
				  const char *user,
				  unsigned ulen)
{
    ldapctx *ctx = glob_context;
    int ret, i;
    const struct propval *pr;
    LDAP *ld = NULL;
    gluectx gc;
    struct berval **bvals;
    LDAPMessage *msg, *res;
    int pw_attr_idx = -1;
    char *filter = NULL;
    const char *p;
    char *p2;
    char *attrs[2];
    
    if(!ctx || !sparams || !user) return;

    pr = sparams->utils->prop_get(sparams->propctx);
    if(!pr) return;

    for(i=0;pr[i].name;i++) {
        // CHECKME: What does the * mean?
        if(strcmp(pr[i].name,"*userPassword")==0 && !(flags & SASL_AUXPROP_AUTHZID) && (!pr[i].values || (flags & SASL_AUXPROP_OVERRIDE))) {
            pw_attr_idx = i;
            break;
        }
    }
    
    if(pw_attr_idx < 0) return;
        
    if(ldap_initialize(&ld, ctx->uri) != 0) return;

    i = LDAP_VERSION3;
    ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &i);

    /* If TLS is set and it fails, continue or bail out as requested */
    if (ctx->use_tls && ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS) {
    	if (ctx->use_tls > 1) goto done;
    }

    gc.lc = ctx;
    gc.lp = sparams;
    ret = ldap_sasl_interactive_bind_s(ld, NULL, ctx->mech.bv_val, NULL, NULL,
    	LDAP_SASL_QUIET, ldapdb_interact, &gc);
    if (ret != LDAP_SUCCESS) goto done;
    
    filter = sparams->utils->malloc(ulen + strlen(ctx->filter_pattern) + 1);
    if(!filter) goto done;
    
    for(p=ctx->filter_pattern,p2=filter;*p;p++) {
        if(*p == '%' && p[1])  {
            p++;
            switch(*p) {
                case '%': *p2++ = '%'; break;
                case 'u': memcpy(p2,user,ulen); p2 += ulen; break;
                default: *p2++ = *p; break;
            }
        } else { *p2++ = *p; }
    }
    *p2 = '\0';
    
    attrs[0] = (char*)ctx->pw_attr;
    attrs[1] = NULL;
    ret = ldap_search_s(ld,ctx->search_base,LDAP_SCOPE_SUBTREE,filter,attrs,0,&res);
    if(ret != LDAP_SUCCESS) goto done;
    
    for(msg = ldap_first_message(ld,res); msg; msg = ldap_next_message(ld,msg)) {
        if (ldap_msgtype(msg) == LDAP_RES_SEARCH_ENTRY) {
            bvals = ldap_get_values_len(ld,msg,ctx->pw_attr);
            if(!bvals) continue;
            if(pr[pw_attr_idx].values) sparams->utils->prop_erase(sparams->propctx, pr[pw_attr_idx].name);
            sparams->utils->prop_set(sparams->propctx,pr[pw_attr_idx].name,bvals[0]->bv_val, bvals[0]->bv_len);
            ber_bvecfree(bvals);
            break;
        }
    }
    ldap_msgfree(res);

 done:
    if(filter) sparams->utils->free(filter);
    if(ld) ldap_unbind(ld);
}

static void ldapdb_auxprop_free(void *glob_ctx, const sasl_utils_t *utils)
{
	utils->free(glob_ctx);
}

static sasl_auxprop_plug_t ldapdb_auxprop_plugin = {
    0,           /* Features */
    0,           /* spare */
    NULL,        /* glob_context */
    ldapdb_auxprop_free,	/* auxprop_free */
    ldapdb_auxprop_lookup, /* auxprop_lookup */
    ldapdb,    /* name */
    NULL         /* spare */
};

static int ldapdb_auxprop_plug_init(const sasl_utils_t *utils,
                             int max_version,
                             int *out_version,
                             sasl_auxprop_plug_t **plug,
                             const char *plugname __attribute__((unused))) 
{
    ldapctx tmp, *p;
    const char *s;
    unsigned len;

    if(!out_version || !plug) return SASL_BADPARAM;

    if(max_version < SASL_AUXPROP_PLUG_VERSION) return SASL_BADVERS;
    
    memset(&tmp, 0, sizeof(tmp));

    utils->getopt(utils->getopt_context, ldapdb, "ldapdb_uri", &tmp.uri, NULL);
    if(!tmp.uri) return SASL_BADPARAM;

    utils->getopt(utils->getopt_context, ldapdb, "ldapdb_id",
    	(const char **)&tmp.id.bv_val, &len);
    tmp.id.bv_len = len;
    utils->getopt(utils->getopt_context, ldapdb, "ldapdb_pw",
    	(const char **)&tmp.pw.bv_val, &len);
    tmp.pw.bv_len = len;
    utils->getopt(utils->getopt_context, ldapdb, "ldapdb_mech",
    	(const char **)&tmp.mech.bv_val, &len);
    tmp.mech.bv_len = len;
    utils->getopt(utils->getopt_context, ldapdb, "ldapdb_starttls", &s, NULL);
    if (s)
    {
    	if (!strcasecmp(s, "demand")) tmp.use_tls = 2;
        else if (!strcasecmp(s, "try")) tmp.use_tls = 1;
        else return SASL_BADPARAM;
    }
    
    utils->getopt(utils->getopt_context, ldapdb, "ldapdb_filter", &tmp.filter_pattern, NULL);
    if(!tmp.filter_pattern) tmp.filter_pattern = "(uid=%u)";

    utils->getopt(utils->getopt_context, ldapdb, "ldapdb_password_attr", &tmp.pw_attr, NULL);
    if(!tmp.pw_attr) tmp.pw_attr = "userPassword";

    utils->getopt(utils->getopt_context, ldapdb, "ldapdb_search_base", &tmp.search_base, NULL);
    if(!tmp.search_base) tmp.search_base = "";

    p = utils->malloc(sizeof(ldapctx));
    if (!p) return SASL_NOMEM;
    *p = tmp;
    ldapdb_auxprop_plugin.glob_context = p;

    *out_version = SASL_AUXPROP_PLUG_VERSION;

    *plug = &ldapdb_auxprop_plugin;

    return SASL_OK;
}

int sasl_auxprop_plug_init(
    const sasl_utils_t *utils, int maxversion, int *out_version,
    sasl_auxprop_plug_t **plug,const char *plugname)
{
    return ldapdb_auxprop_plug_init(utils, maxversion, out_version, plug, plugname); 
}