<?php

/**
 * Kolab Authentication (based on ldap_authentication plugin)
 *
 * Authenticates on LDAP server, finds canonized authentication ID for IMAP
 * and for new users creates identity based on LDAP information.
 *
 * Supports impersonate feature (login as another user). To use this feature
 * imap_auth_type/smtp_auth_type must be set to DIGEST-MD5 or PLAIN.
 *
 * @version 0.1
 * @author Aleksander Machniak <machniak@kolabsys.com>
 *
 * Copyright (C) 2011, Kolab Systems AG
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2
 * as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */

class kolab_auth extends rcube_plugin
{
    private $ldap;
    private $data = array();

	public function init()
	{
		$this->add_hook('authenticate', array($this, 'authenticate'));
		$this->add_hook('user_create', array($this, 'user_create'));

        // Hooks related to "Login As" feature
		$this->add_hook('template_object_loginform', array($this, 'login_form'));
		$this->add_hook('imap_connect', array($this, 'imap_connect'));
		$this->add_hook('managesieve_connect', array($this, 'imap_connect'));
		$this->add_hook('smtp_connect', array($this, 'smtp_connect'));
	}

    /**
     * Sets defaults for new user.
     */
	public function user_create($args)
	{
		if (!empty($this->data['user_email']))
    		$args['user_email'] = $this->data['user_email'];
		if (!empty($this->data['user_name']))
	    	$args['user_name'] = $this->data['user_name'];
		if (!empty($this->data['user_alias']))
	    	$args['user_alias'] = $this->data['user_alias'];

		return $args;
	}

    /**
     * Modifies login form adding additional "Login As" field
     */
    public function login_form($args)
    {
        $this->load_config();
        $this->add_texts('localization/');

        $rcmail      = rcmail::get_instance();
        $admin_login = $rcmail->config->get('kolab_auth_admin_login');
        $group       = $rcmail->config->get('kolab_auth_group');
        $role_attr   = $rcmail->config->get('kolab_auth_role');

        // Show "Login As" input
        if (empty($admin_login) || (empty($group) && empty($role_attr))) {
            return $args;
        }

        $input = new html_inputfield(array('name' => '_loginas', 'id' => 'rcmloginas',
            'type' => 'text', 'autocomplete' => 'off'));
        $row = html::tag('tr', null,
            html::tag('td', 'title', html::label('rcmloginas', Q($this->gettext('loginas'))))
            . html::tag('td', 'input', $input->show(trim(get_input_value('_loginas', RCUBE_INPUT_POST))))
        );
        $args['content'] = preg_replace('/<\/tbody>/i', $row . '</tbody>', $args['content']);

        return $args;
    }

    /**
     * Find user credentials In LDAP.
     */
    public function authenticate($args)
    {
        $this->load_config();

        if (!$this->init_ldap()) {
            return $args;
        }

        $rcmail      = rcmail::get_instance();
        $admin_login = $rcmail->config->get('kolab_auth_admin_login');
        $login_attr  = $rcmail->config->get('kolab_auth_login');
        $alias_attr  = $rcmail->config->get('kolab_auth_alias');
        $name_attr   = $rcmail->config->get('kolab_auth_name');

        // get username and host
        $host    = rcube_parse_host($args['host']);
        $user    = $args['user'];
        $pass    = $args['pass'];
        $loginas = trim(get_input_value('_loginas', RCUBE_INPUT_POST));

        if (empty($user) || empty($pass)) {
            return $args;
        }

        // Find user record in LDAP
        $record = $this->get_user_record($user, $host);

        if (empty($record)) {
            return $args;
        }

        // Login As...
        if (!empty($loginas) && $admin_login) {
            // Authenticate to LDAP
            $dn     = $this->ldap->dn_decode($record['ID']);
            $result = $this->ldap->bind($dn, $pass);

            if (!$result) {
                return $args;
            }

            // check if the original user has/belongs to administrative role/group
            $isadmin   = false;
            $group     = $rcmail->config->get('kolab_auth_group');
            $role_attr = $rcmail->config->get('kolab_auth_role');
            $role_dn   = $rcmail->config->get('kolab_auth_role_value');

            // check role attribute
            if (!empty($role_attr) && !empty($role_dn) && !empty($record[$role_attr])) {
                $role_dn = $this->parse_vars($role_dn, $user, $host);
                foreach ((array)$record[$role_attr] as $role) {
                    if ($role == $role_dn) {
                        $isadmin = true;
                        break;
                    }
                }
            }

            // check group
            if (!$isadmin && !empty($group)) {
                $groups = $this->ldap->get_record_groups($record['ID']);
                foreach ($groups as $g) {
                    if ($group == $this->ldap->dn_decode($g)) {
                        $isadmin = true;
                        break;
                    }
                }

            }

            // Save original user login for log (see below)
            if ($login_attr)
                $origname = is_array($record[$login_attr]) ? $record[$login_attr][0] : $record[$login_attr];
            else
                $origname = $user;

            $record = null;

            // user has the privilage, get "login as" user credentials
            if ($isadmin) {
                $record = $this->get_user_record($loginas, $host);
            }

            if (empty($record)) {
                $args['valid'] = false;
                return $args;
            }

            $args['user'] = $loginas;
            // Mark session to use SASL proxy for IMAP authentication
            $_SESSION['kolab_auth_admin'] = true;
        }

        // Set credentials
        if ($record) {
            if ($login_attr)
                $this->data['user_login'] = is_array($record[$login_attr]) ? $record[$login_attr][0] : $record[$login_attr];
            if ($alias_attr)
                $this->data['user_alias'] = is_array($record[$alias_attr]) ? $record[$alias_attr][0] : $record[$alias_attr];
            if ($name_attr)
                $this->data['user_name'] = is_array($record[$name_attr]) ? $record[$name_attr][0] : $record[$name_attr];

            if ($this->data['user_login'])
                $args['user'] = $this->data['user_login'];
        }

        // Log "Login As" usage
        if (!empty($origname)) {
            write_log('userlogins', sprintf('Admin login for %s by %s from %s',
                $args['user'], $origname, rcmail_remote_ip()));
        }

        return $args;
    }

    /**
     * Sets SASL Proxy login/password for IMAP and Managesieve auth
     */
    public function imap_connect($args)
    {
        if (!empty($_SESSION['kolab_auth_admin'])) {
            $this->load_config();

            $rcmail      = rcmail::get_instance();
            $admin_login = $rcmail->config->get('kolab_auth_admin_login');
            $admin_pass  = $rcmail->config->get('kolab_auth_admin_password');

            $args['auth_cid'] = $admin_login;
            $args['auth_pw']  = $admin_pass;
        }

        return $args;
    }

    /**
     * Sets SASL Proxy login/password for SMTP auth
     */
    public function smtp_connect($args)
    {
        if (!empty($_SESSION['kolab_auth_admin'])) {
            $this->load_config();

            $rcmail      = rcmail::get_instance();
            $admin_login = $rcmail->config->get('kolab_auth_admin_login');
            $admin_pass  = $rcmail->config->get('kolab_auth_admin_password');

            $args['options']['smtp_auth_cid'] = $admin_login;
            $args['options']['smtp_auth_pw']  = $admin_pass;
        }

        return $args;
    }

    /**
     * Initializes LDAP object and connects to LDAP server
     */
    private function init_ldap()
    {
        if ($this->ldap)
            return $this->ldap->ready;

        $rcmail = rcmail::get_instance();

        $addressbook = $rcmail->config->get('kolab_auth_addressbook');

        if (!is_array($addressbook)) {
            $ldap_config = (array)$rcmail->config->get('ldap_public');
            $addressbook = $ldap_config[$addressbook];
        }

        if (empty($addressbook)) {
            return false;
        }

        $this->ldap = new kolab_auth_ldap_backend(
            $addressbook,
            $rcmail->config->get('ldap_debug'),
            $rcmail->config->mail_domain($_SESSION['imap_host'])
        );

        return $this->ldap->ready;
    }

    /**
     * Fetches user data from LDAP addressbook
     */
    private function get_user_record($user, $host)
    {
        $rcmail = rcmail::get_instance();
        $filter = $rcmail->config->get('kolab_auth_filter');

        $filter = $this->parse_vars($filter, $user, $host);

        // reset old result
        $this->ldap->reset();

        // get record
        $this->ldap->set_filter($filter);
        $results = $this->ldap->list_records();

        if (count($results->records) == 1)
            return $results->records[0];
    }

    /**
     * Prepares filter query for LDAP search
     */
    private function parse_vars($str, $user, $host)
    {
        $rcmail = rcmail::get_instance();
        $domain = $rcmail->config->get('username_domain');

        if (!empty($domain) && strpos($user, '@') === false) {
            if (is_array($domain) && isset($domain[$host]))
                $user .= '@'.rcube_parse_host($domain[$host], $host);
            else if (is_string($domain))
                $user .= '@'.rcube_parse_host($domain, $host);
        }

        // replace variables in filter
        list($u, $d) = explode('@', $user);
        $dc = 'dc='.strtr($d, array('.' => ',dc=')); // hierarchal domain string
        $replaces = array('%dc' => $dc, '%d' => $d, '%fu' => $user, '%u' => $u);

        return strtr($str, $replaces);
    }
}

/**
 * Wrapper class for rcube_ldap addressbook
 */
class kolab_auth_ldap_backend extends rcube_ldap
{
    function set_filter($filter)
    {
        if ($filter)
            $this->prop['filter'] = $filter;
    }
}