<?php

/** DomFramework
  * @package domframework
  * @author Dominique Fournier <dominique@fournier38.fr>
  * @license BSD
  */

namespace Domframework;

/** User authentication against Shibboleth */
class Authshibboleth extends Auth
{
    /** The Lastname parameter returned by Shibboleth server */
    public $lastnameParam = "sn";
    /** The Firstname parameter returned by Shibboleth server */
    public $firstnameParam = "givenName";
    /** The mail parameter returned by Shibboleth server */
    public $mailParam = "mail";
    /** The others parameters returned by Shibboleth server */
    public $otherFields = array("ou", "o");
    /** The optional URL use to authenticate the users */
    public $urlAuthentificated = "";
    /** The optional URL to disconnect the users */
    public $urlLogout = "";
    /** The optional URL to change the user password */
    public $urlPasswd = "";

    /** No connection to shibboleth */
    public function connect()
    {
        return true;
    }

    /** Try to authenticate the email/password of the user
        @param string $email Email to authenticate
        @param string $password Password to authenticate */
    public function authentication($email, $password)
    {
        if (!isset($_SERVER["mail"])) {
            if ($this->urlAuthentificated !== "") {
                $route = new Route();
                $route->redirect($this->urlAuthentificated);
            }
            throw new \Exception("Unable to authenticate user '$email'", 401);
        }
    }

    /** Return all the parameters recorded for the authenticate user */
    public function getdetails()
    {
        if (! isset($_SERVER[$this->mailParam])) {
            return array("lastname" => "anonymous",
                    "firstname" => "",
                    "email" => "anonymous");
        }
        $res = array("lastname" => $_SERVER[$this->lastnameParam],
                  "firstname" => $_SERVER[$this->firstnameParam],
                  "email" => $_SERVER[$this->mailParam]);
        foreach ($this->otherFields as $field) {
            if (array_key_exists($field, $_SERVER)) {
                $res[$field] = $_SERVER[$field];
            }
        }
        return $res;
    }

    /** Method to change the password : unavailable in SESSION auth
        @param string $oldpassword The old password (to check if the user have the
           rights to change the password)
        @param string $newpassword The new password to be recorded */
    public function changepassword($oldpassword, $newpassword)
    {
        // Redirect to Shibboleth IDP
        if ($this->urlPasswdChange == "") {
            throw new \Exception(
                dgettext(
                    "domframework",
                    "The password can't be change for Shibboleth users"
                ),
                405
            );
        }
        $route = new Route();
        $route->redirect($this->urlPasswdChange);
    }

    /** Method to overwrite the password (without oldpassword check)
        Must be reserved to the administrators. For the users, use changepassword
        method
        @param string $email the user identifier to select
        @param string $newpassword The new password to be recorded */
    public function overwritepassword($email, $newpassword)
    {
        throw new \Exception(
            dgettext(
                "domframework",
                "The password can't be overwrite for Shibboleth users"
            ),
            405
        );
    }

    /** Remove the information from the session */
    public function logout()
    {
        // Redirect to Shibboleth IDP
        if ($this->urlLogout === "") {
            throw new \Exception(dgettext(
                "domframework",
                "Shibboleth is not configured to allow logout"
            ), 405);
        }
        $route = new Route();
        $route->redirect($this->urlLogout);
    }
}