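*/

/**
 * User authentication against Shibboleth.
 *
 * This class never checks a credential itself: a request counts as
 * authenticated when the server variable named by $mailParam is present in
 * $_SERVER. That is only sound if the web server's Shibboleth module is the
 * sole writer of the variables named by the *Param properties and
 * $otherFields. $_SERVER entries whose key starts with "HTTP_" are copied
 * from client request headers, so do not point these properties at such keys
 * unless the front end strips client-supplied copies first.
 */
class authshibboleth extends auth
{
  /** Name of the server variable holding the user's last name */
  public $lastnameParam = "sn";
  /** Name of the server variable holding the user's first name */
  public $firstnameParam = "givenName";
  /** Name of the server variable holding the user's email. Its presence is
   * what marks the request as authenticated */
  public $mailParam = "mail";
  /** Extra server variables copied into getdetails() when they exist */
  public $otherFields = array ("ou", "o");
  /** URL used to redirect a user who is not authenticated ("" = none) */
  public $urlAuthentificated = "";
  /** URL used to redirect the user on logout ("" = logout unavailable) */
  public $urlLogout = "";
  /** URL of the password change page ("" = unavailable) */
  public $urlPasswd = "";
  /** Alias of $urlPasswd. changepassword() historically read this name
   * although it was never declared; it is declared here so that reading it
   * no longer hits an undefined property, and it takes precedence when set */
  public $urlPasswdChange = "";

  /** Return the value of a server variable, or null if unset or empty
   * @param string $name The key to read in $_SERVER
   * @return string|null The non-empty string value, or null
   */
  private function serverValue ($name)
  {
    if (! isset ($_SERVER[$name]))
      return null;
    $value = $_SERVER[$name];
    // An empty attribute identifies nobody: treat it as absent
    if (! is_string ($value) || $value === "")
      return null;
    return $value;
  }

  /** No connection to shibboleth
   * @return boolean Always TRUE
   */
  public function connect ()
  {
    return TRUE;
  }

  /** Check that the request carries a Shibboleth identity.
   * Neither parameter is verified here: the decision rests only on the
   * server variable named by $mailParam.
   * @param string $email Email to authenticate (used in the error message)
   * @param string $password Password to authenticate (unused)
   * @throws Exception Code 401 if no identity is present
   */
  public function authentication ($email, $password)
  {
    // Read the configured variable, the same one getdetails() trusts,
    // instead of the hard-coded "mail" key
    if ($this->serverValue ($this->mailParam) !== null)
      return;
    if ($this->urlAuthentificated !== "")
    {
      // NOTE(review): whether route::redirect() ends the request is not
      // visible here; if it returns, the 401 below is still thrown
      $route = new route ();
      $route->redirect ($this->urlAuthentificated);
    }
    // $email is caller-supplied: escape the message for its output context
    // before displaying it
    throw new Exception ("Unable to authenticate user '$email'", 401);
  }

  /** Return all the parameters recorded for the authenticated user
   * @return array The "lastname", "firstname" and "email" keys, plus each
   * entry of $otherFields that exists in $_SERVER. An anonymous record is
   * returned when no email is present
   */
  public function getdetails ()
  {
    $mail = $this->serverValue ($this->mailParam);
    if ($mail === null)
      return array ("lastname"=>"anonymous",
                    "firstname"=>"",
                    "email"=>"anonymous");
    // The name attributes may be absent from the request: fall back to ""
    // instead of reading an undefined index
    $lastname = isset ($_SERVER[$this->lastnameParam])
              ? $_SERVER[$this->lastnameParam] : "";
    $firstname = isset ($_SERVER[$this->firstnameParam])
               ? $_SERVER[$this->firstnameParam] : "";
    $res = array ("lastname"=>$lastname,
                  "firstname"=>$firstname,
                  "email"=>$mail);
    foreach ($this->otherFields as $field)
    {
      if (array_key_exists ($field, $_SERVER))
        $res[$field] = $_SERVER[$field];
    }
    return $res;
  }

  /** Method to change the password: not handled locally for Shibboleth
   * auth. The user is redirected to the configured password page.
   * @param string $oldpassword The old password (unused)
   * @param string $newpassword The new password (unused)
   * @throws Exception Code 405 if no password URL is configured
   */
  public function changepassword ($oldpassword, $newpassword)
  {
    // Prefer the historical property name, then the declared $urlPasswd
    $target = (string) $this->urlPasswdChange;
    if ($target === "")
      $target = (string) $this->urlPasswd;
    if ($target === "")
      throw new Exception (dgettext("domframework",
        "The password can't be change for Shibboleth users"), 405);
    // Redirect to Shibboleth IDP
    $route = new route ();
    $route->redirect ($target);
  }

  /** Method to overwrite the password (without oldpassword check).
   * Always refused for Shibboleth users.
   * @param string $email the user identifier to select (unused)
   * @param string $newpassword The new password to be recorded (unused)
   * @throws Exception Always, with code 405
   */
  public function overwritepassword ($email, $newpassword)
  {
    throw new Exception (dgettext("domframework",
      "The password can't be overwrite for Shibboleth users"), 405);
  }

  /** Log the user out by redirecting to the configured logout URL
   * @throws \Exception Code 405 if no logout URL is configured
   */
  public function logout ()
  {
    if ($this->urlLogout === "")
      throw new \Exception (_("Shibboleth is not configured to allow logout"),
        405);
    // Redirect to Shibboleth IDP
    $route = new route ();
    $route->redirect ($this->urlLogout);
  }
}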