<?
require_once("inc/common.php");
require_once("inc/io.php");

# some ACL level defines
define('AUTH_NONE',0);
define('AUTH_READ',1);
define('AUTH_EDIT',2);
define('AUTH_CREATE',4);
define('AUTH_UPLOAD',8);
define('AUTH_GRANT',255);

# try alternative source of auth credentials
if (!isset($_SERVER['PHP_AUTH_USER']) &&
    !isset($_SERVER['PHP_AUTH_PW'])){

    list($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW']) =
     explode(":", base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));
}

# now see if the credentials are okay else clean all auth vars
if(isset($_SERVER['PHP_AUTH_USER'])){
  if (auth_checkPass($_SERVER['PHP_AUTH_USER'],
                      $_SERVER['PHP_AUTH_PW'])){
    //make username available as REMOTE_USER
    $_SERVER['REMOTE_USER'] = $_SERVER['PHP_AUTH_USER'];
    //set global user info
    $USERINFO = auth_getUserData($_SERVER['REMOTE_USER']);
  }else{
    auth_logoff();
  }
}

# load ACL into a global array if used
if($conf['useacl']){
  $AUTH_ACL = file('conf/acl.auth');
}

# this isn't a real logoff - it just clears all auth variables so the
# script will think there is no user logged in
function auth_logoff(){
  unset($_SERVER['PHP_AUTH_USER']);
  unset($_SERVER['PHP_AUTH_PW']);
  unset($_SERVER['REMOTE_USER']);
  unset($_SERVER['AUTH_PASSWORD']);
  unset($USERINFO);
}

/**
 * Convinience function for auth_aclcheck
 */
function auth_quickaclcheck($id){
  global $conf;
  global $USERINFO;
  # if no ACL is used always return upload rights
  if(!$conf['useacl']) return AUTH_UPLOAD;
  return auth_aclcheck($id,$_SERVER['REMOTE_USER'],$USERINFO['grps']);
}

/**
 * Returns the maximum rights a user has for
 * the given ID or its namespace
 *
 * FIXME this could be more efficient
 */
function auth_aclcheck($id,$user,$groups){
  global $conf;
  global $AUTH_ACL;

  # if no ACL is used always return upload rights
  if(!$conf['useacl']) return AUTH_UPLOAD;

  $ns    = getNS($id);
  $perm  = 0;

  if($user){
    //prepend groups with @
    for($i=0; $i<count($groups); $i++){
      $groups[$i] = '@'.$groups[$i];
    }
    //add ALL group
    $groups[] = '@ALL';
    //add User
    $groups[] = $user;
    //build regexp
    $regexp   = join('|',$groups);
  }else{
    $regexp = '@ALL';
  }

  
  //first check on id and ns:*
  if($ns){
    $path = '('.$id.'|'.$ns.':\*)';
  }else{
    $path = '('.$id.'|\*)'; //root document
  }

  do{
    $matches = preg_grep('/^'.$path.'\s+('.$regexp.')\s+/',$AUTH_ACL);
    if(count($matches)){
      foreach($matches as $match){
        $match = preg_replace('/#.*$/','',$match); //ignore comments
        $acl   = preg_split('/\s+/',$match);
        if($acl[2] > $perm){
          $perm = $acl[2];
        }
      }
      //we had a match - return it
      return $perm;
    }

    //get next higher namespace
    $ns   = getNS($ns);

    if($path != '\*'){
      $path = $ns.':\*';
      if($path == ':\*') $path = '\*';
    }else{
      //we did this already
      //looks like there is something wrong with the ACL
      //break here
      return $perm;
    }
  }while(1); //this should never loop endless
}

/**
 * Create a pronouncable password
 *
 * @see: http://www.phpbuilder.com/annotate/message.php3?id=1014451
 */
function auth_pwgen(){
  $pw = '';
  $c  = 'bcdfghjklmnprstvwz'; //vowels except hard to speak ones
  $v  = 'aeiou';              //consonants
  $a  = $c.$v;                //both

  //use two syllables...
  for($i=0;$i < 2; $i++){
    $pw .= $c[rand(0, strlen($c)-1)];
    $pw .= $v[rand(0, strlen($v)-1)];
    $pw .= $a[rand(0, strlen($a)-1)];
  }
  //... and add a nice number
  $pw .= rand(10,99);

  return $pw;
}

/**
 * If you want to authenticate against something
 * else then the builtin flatfile auth system
 * You have to reimplement the "required auth
 * functions"
 */


/**
 * required auth function
 *
 * Checks if the given user exists and the given
 * plaintext password is correct
 */
function auth_checkPass($user,$pass){
  $users = auth_loadUserData();
  $pass = md5($pass); //encode pass

  if($users[$user]['pass'] == $pass){
    return true;
  }else{
    return false;
  }
}

/**
 * required auth function
 * 
 * Checks if the given user is in the given group
 */
/*
function auth_checkGroup($user,$group){
  $users = auth_loadUserData();
  $pass = md5($pass); //encode pass

  if(!count($users[$user]['grps'])){
    return false;
  }

  return in_array($group,$users[$user]['grps']);
}
*/

/**
 * Required auth function
 *
 * Returns info about the given user needs to contain
 * at least these fields:
 *
 * name string  full name of the user
 * mail string  email addres of the user
 * grps array   list of groups the user is in
 */
function auth_getUserData($user){
  $users = auth_loadUserData();
  return $users[$user];
}

/**
 * used by the plaintext auth functions
 * loads the user file into a datastructure
 */
function auth_loadUserData(){
  $data = array();
  $lines = file('conf/users.auth');
  foreach($lines as $line){
    $line = preg_replace('/#.*$/','',$line); //ignore comments
    $line = trim($line);
    if(empty($line)) continue;

    $row    = split(":",$line,5);
    $groups = split(",",$row[4]);
    $data[$row[0]]['pass'] = $row[1];
    $data[$row[0]]['name'] = urldecode($row[2]);
    $data[$row[0]]['mail'] = $row[3];
    $data[$row[0]]['grps'] = $groups;
  }
  return $data;
}

function auth_saveUserData($data){

}
?>