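#!/usr/bin/perl
# Optima <-> Shibboleth glue
#
# Runs behind a Shibboleth SP. The SP has already authenticated the user and
# exports eduPersonPrincipalName to this script as $ENV{eppn}. The script looks
# that handle up in Optima and, when the account exists and is marked as a
# shibboleth account (password is the '**shibboleth**' token), mints the
# OpAuth_Optima cookie and redirects back into the application. Otherwise it
# prints an explanatory page.
use strict;
use warnings;
use CGI;
use lib '../learning/bin';
use Tconfig;
use GUser;
use Digest::HMAC_SHA1 qw(hmac_sha1_hex);
use Digest::SHA1 qw(sha1_hex);
use MIME::Base64;

# Return true when $uri is safe to redirect to after login: a site-relative
# path (single leading "/", so not a protocol-relative "//host") or an absolute
# https URL on our own $host. Everything else is rejected: other hosts,
# javascript:/data: schemes, and any control character or whitespace that
# could be used to split the Location header. Without this check the
# base64-encoded "prevuri" query parameter is an open redirect.
sub is_local_uri {
    my ($uri, $host) = @_;
    return 0 if !defined $uri || $uri eq '';
    return 0 if $uri =~ /[\x00-\x20\x7f]/;
    return 1 if $uri =~ m{\A/(?![/\\])};
    return 1 if defined $host && $uri =~ m{\Ahttps://\Q$host\E(?:[/?#]|\z)}i;
    return 0;
}

my $conf = Tconfig->new;
my $req  = CGI->new;

# eppn is an environment variable populated by the SP (mod_shib), not a
# client-supplied request header.
my $eppname = $ENV{'eppn'} || '';

# NOTE(review): HTTP_* variables are request headers. Unless the SP owns and
# strips the Shib-Logout-URL header on the way in, a client could supply its
# own value here -- confirm the SP configuration before trusting this URL.
my $logouturl = $ENV{'HTTP_SHIB_LOGOUT_URL'} || '';

my $now        = time();
my $timestring = scalar localtime;

# "ns" and "mode" come straight from the query string. The namespace selects
# which account is looked up and is embedded in the signed cookie, so accept
# only a plain integer; anything else falls back to the default namespace.
my $namespace = $req->param('ns') || 4;
$namespace = 4 unless $namespace =~ /\A\d+\z/;
my $mode = $req->param('mode') || '';

if ($eppname eq '') {
    # This should never be reached. Incorrect shibboleth usernames and passwords
    # should generate an error in the IdP login page, not here.
    print $req->header;
    print <<"EOT";
Shibboleth login

Did not receive eduPersonPrincipalName

The Shibboleth IdP server did not send an eduPersonPrincipalName attribute for some reason. Please contact your IdP maintainer to sort this out. Tell them this happened in $timestring

EOT
}
else {
    my $guser = GUser->new(handle => $eppname, namespace => $namespace);
    my ($domain) = $eppname =~ /@(.*)$/;

    if ($logouturl ne '') {
        $guser->hakalogout_sync(domain => $domain, url => $logouturl);
    }

    my $has_account = defined $guser->{id} && $guser->{id} ne '';
    my $is_shib     = defined $guser->{passwd} && $guser->{passwd} eq '**shibboleth**';

    if (!$has_account || !$is_shib) {
        # The eduPersonPrincipalName of this successfully authenticated user
        # either does not exist as an Optima handle, or exists but its password
        # is not the shibboleth token. Tell the user to contact their
        # administrator. The name is IdP-supplied text echoed into HTML, so it
        # is escaped before interpolation.
        my $safe_eppn = $req->escapeHTML($eppname);
        print $req->header;
        print <<"EOT";
No matching Optima account

No matching Optima account

You have successfully authenticated with a Shibboleth account $safe_eppn. However, there is no such account in Optima. Please contact the administrator of your Optima environment and ask them to provide you with an account.

EOT
    }
    else {
        # User authenticated successfully to shibboleth, eduPersonPrincipalName
        # exists as an Optima handle, and the password of this account is the
        # shibboleth token. Create an Optima cookie and redirect the user.

        # Commas separate cookies, so the environment list is joined with '!'.
        my $envlist = $guser->{'envs'};
        $envlist = '' unless defined $envlist;
        $envlist =~ s/,/!/g;

        # Cookie payload: id:issued-at:namespace:envs:0, authenticated with an
        # HMAC-SHA1 under the shared key from the config.
        # NOTE(review): the payload carries $now but nothing here bounds the
        # token's lifetime; whatever validates OpAuth_Optima must enforce one.
        my $taikina = join ':', $guser->{'id'}, $now, $guser->{namespace}, $envlist, '0';
        my $hmac = Digest::HMAC_SHA1->new($conf->{'key'});
        $hmac->add($taikina);
        my $leivonnainen = $hmac->b64digest;

        # Where to send the user afterwards. prevuri is attacker-controllable
        # (base64 in the query string), so only same-site targets are honoured;
        # anything else is replaced by the login menu.
        my $prevuri = decode_base64($req->param('prevuri') || '');
        $prevuri = '' unless is_local_uri($prevuri, $conf->{host});
        if ($prevuri eq '') { $prevuri = "https://$conf->{host}/loginmenu" }
        if ($mode eq 'mobile') { $prevuri =~ s/loginmenu/loginmobmenu/ }

        # Session cookie: HttpOnly keeps it away from script, Secure keeps it off
        # plain HTTP (the application is addressed over https above -- confirm
        # no Optima environment is still served over plain http).
        print $req->redirect(
            -uri    => $prevuri,
            -cookie => "OpAuth_Optima=$taikina:$leivonnainen;path=/;Secure;HttpOnly",
        );
    }
}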