<?php

/**
 * LDAP Authentication
 *
 * Authenticate on LDAP server, finds canonized authentication ID for IMAP
 * and for new users create identity based on LDAP information.
 *
 * @version @package_version@
 * @author Aleksander Machniak <machniak@kolabsys.com>
 *
 * Copyright (C) 2011, Kolab Systems AG <contact@kolabsys.com>
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */

class ldap_authentication extends rcube_plugin
{
    public $task = 'login';

    private $ldap;
    private $data = [];

    public function init()
    {
        $this->add_hook('authenticate', [$this, 'authenticate']);
        $this->add_hook('user_create', [$this, 'user_create']);
    }

    public function user_create($args)
    {
        if (!empty($this->data['user_email'])) {
            $args['user_email'] = $this->data['user_email'];
        }
        if (!empty($this->data['user_name'])) {
            $args['user_name'] = $this->data['user_name'];
        }

        return $args;
    }

    public function authenticate($args)
    {
        if ($this->init_ldap()) {
            $rcmail = rcube::get_instance();
            $filter = $rcmail->config->get('ldap_authentication_filter');
            $domain = $rcmail->config->get('username_domain');

            // get username and host
            $user = $args['user'];
            $host = rcube_utils::parse_host($args['host']);

            if (!empty($domain) && strpos($user, '@') === false) {
                if (is_array($domain) && isset($domain[$args['host']])) {
                    $user .= '@' . rcube_utils::parse_host($domain[$host], $host);
                } elseif (is_string($domain)) {
                    $user .= '@' . rcube_utils::parse_host($domain, $host);
                }
            }

            // replace variables in filter
            [$u, $d] = explode('@', $user);
            $dc = 'dc=' . strtr($d, ['.' => ',dc=']); // hierarchal domain string
            $replaces = ['%dc' => $dc, '%d' => $d, '%fu' => $user, '%u' => $u];

            $filter = strtr($filter, $replaces);

            // get record
            $this->ldap->set_filter($filter);
            $results = $this->ldap->list_records();

            if (count($results->records) == 1) {
                $record = $results->records[0];

                $login_attr = $rcmail->config->get('ldap_authentication_login');
                $name_attr  = $rcmail->config->get('ldap_authentication_name');

                if ($login_attr) {
                    $this->data['user_login'] = is_array($record[$login_attr]) ? $record[$login_attr][0] : $record[$login_attr];
                }
                if ($name_attr) {
                    $this->data['user_name'] = is_array($record[$name_attr]) ? $record[$name_attr][0] : $record[$name_attr];
                }

                if ($this->data['user_login']) {
                    $args['user'] = $this->data['user_login'];
                }
            }
        }

        return $args;
    }

    private function init_ldap()
    {
        if ($this->ldap) {
            return $this->ldap->ready;
        }

        $this->load_config();
        $rcmail = rcube::get_instance();

        $addressbook = $rcmail->config->get('ldap_authentication_addressbook');

        if (!is_array($addressbook)) {
            $ldap_config = (array)$rcmail->config->get('ldap_public');
            $addressbook = $ldap_config[$addressbook];
        }

        if (empty($addressbook)) {
            return false;
        }

        $this->ldap = new ldap_authentication_ldap_backend(
            $addressbook,
            $rcmail->config->get('ldap_debug'),
            $rcmail->config->mail_domain($_SESSION['imap_host'])
        );

        return $this->ldap->ready;
    }
}

class ldap_authentication_ldap_backend extends rcube_ldap
{
    public function set_filter($filter)
    {
        if ($filter) {
            $this->prop['filter'] = $filter;
        }
    }
}