<?php
/* Icinga Web 2 | (c) 2013-2015 Icinga Development Team | GPLv2+ */

namespace Icinga\Protocol\Ldap;

use ArrayIterator;
use Icinga\Application\Config;
use Icinga\Application\Logger;
use Icinga\Application\Platform;
use Icinga\Data\ConfigObject;
use Icinga\Data\Selectable;
use Icinga\Data\Sortable;
use Icinga\Exception\ProgrammingError;
use Icinga\Protocol\Ldap\Exception as LdapException;

/**
 * Backend class managing all the LDAP stuff for you.
 *
 * Usage example:
 *
 * <code>
 * $lconf = new Connection((object) array(
 *     'hostname' => 'localhost',
 *     'root_dn'  => 'dc=monitoring,dc=...',
 *     'bind_dn'  => 'cn=Mangager,dc=monitoring,dc=...',
 *     'bind_pw'  => '***'
 * ));
 * </code>
 */
class Connection implements Selectable
{
    const LDAP_NO_SUCH_OBJECT = 32;
    const LDAP_SIZELIMIT_EXCEEDED = 4;
    const LDAP_ADMINLIMIT_EXCEEDED = 11;
    const PAGE_SIZE = 1000;

    /**
     * Encrypt connection using STARTTLS (upgrading a plain text connection)
     *
     * @var string
     */
    const STARTTLS = 'starttls';

    /**
     * Encrypt connection using LDAP over SSL (using a separate port)
     *
     * @var string
     */
    const LDAPS = 'ldaps';

    /**
     * Encryption for the connection if any
     *
     * @var string|null
     */
    protected $encryption;

    protected $ds;
    protected $hostname;
    protected $port = 389;
    protected $bind_dn;
    protected $bind_pw;
    protected $root_dn;
    protected $count;
    protected $reqCert = true;

    /**
     * Whether the bind on this connection was already performed
     *
     * @var bool
     */
    protected $bound = false;

    protected $root;

    /**
     * @var Capability
     */
    protected $capabilities;

    /**
     * @var bool
     */
    protected $discoverySuccess = false;

    /**
     * Constructor
     *
     * @param ConfigObject $config
     */
    public function __construct(ConfigObject $config)
    {
        $this->hostname = $config->hostname;
        $this->bind_dn  = $config->bind_dn;
        $this->bind_pw  = $config->bind_pw;
        $this->root_dn  = $config->root_dn;
        $this->port = $config->get('port', $this->port);
        $this->encryption = $config->get('encryption');
        if ($this->encryption !== null) {
            $this->encryption = strtolower($this->encryption);
        }
        $this->reqCert = (bool) $config->get('reqcert', $this->reqCert);
    }

    public function getHostname()
    {
        return $this->hostname;
    }

    public function getPort()
    {
        return $this->port;
    }

    public function getDN()
    {
        return $this->root_dn;
    }

    public function root()
    {
        if ($this->root === null) {
            $this->root = Root::forConnection($this);
        }
        return $this->root;
    }

    /**
     * Provide a query on this connection
     *
     * @return  Query
     */
    public function select()
    {
        return new Query($this);
    }

    public function query(Query $query)
    {
        return new ArrayIterator($this->fetchAll($query));
    }

    public function fetchOne($query, $fields = array())
    {
        $row = (array) $this->fetchRow($query, $fields);
        return array_shift($row);
    }

    public function hasDN($dn)
    {
        $this->connect();
        $this->bind();

        $result = ldap_read($this->ds, $dn, '(objectClass=*)', array('objectClass'));
        return ldap_count_entries($this->ds, $result) > 0;
    }

    public function deleteRecursively($dn)
    {
        $this->connect();
        $this->bind();

        $result = @ldap_list($this->ds, $dn, '(objectClass=*)', array('objectClass'));
        if ($result === false) {
            if (ldap_errno($this->ds) === self::LDAP_NO_SUCH_OBJECT) {
                return false;
            }
            throw new LdapException(
                'LDAP list for "%s" failed: %s',
                $dn,
                ldap_error($this->ds)
            );
        }
        $children = ldap_get_entries($this->ds, $result);
        for ($i = 0; $i < $children['count']; $i++) {
            $result = $this->deleteRecursively($children[$i]['dn']);
            if (!$result) {
                //return result code, if delete fails
                throw new LdapException('Recursively deleting "%s" failed', $dn);
            }
        }
        return $this->deleteDN($dn);
    }

    public function deleteDN($dn)
    {
        $this->connect();
        $this->bind();

        $result = @ldap_delete($this->ds, $dn);
        if ($result === false) {
            if (ldap_errno($this->ds) === self::LDAP_NO_SUCH_OBJECT) {
                return false;
            }
            throw new LdapException(
                'LDAP delete for "%s" failed: %s',
                $dn,
                ldap_error($this->ds)
            );
        }

        return true;
    }

    /**
     * Fetch the distinguished name of the first result of the given query
     *
     * @param Query $query   The query returning the result set
     * @param array $fields  The fields to fetch
     *
     * @return string        Returns the distinguished name, or false when the given query yields no results
     * @throws LdapException When the query result is empty and contains no DN to fetch
     */
    public function fetchDn(Query $query, $fields = array())
    {
        $rows = $this->fetchAll($query, $fields);
        if (count($rows) > 1) {
            throw new LdapException(
                'Cannot fetch single DN for %s',
                $query
            );
        }
        return key($rows);
    }

    /**
     * @param       $query
     * @param array $fields
     *
     * @return mixed
     */
    public function fetchRow($query, $fields = array())
    {
        $query = clone $query;
        $query->limit(1);
        $query->setUsePagedResults(false);
        $results = $this->fetchAll($query, $fields);
        return array_shift($results);
    }

    /**
     * @param Query $query
     *
     * @return int
     */
    public function count(Query $query)
    {
        $this->connect();
        $this->bind();

        // TODO: That's still not the best solution, this should probably not request any attributes
        $res = $this->runQuery($query);
        return count($res);
    }

    public function fetchAll(Query $query, $fields = array())
    {
        $this->connect();
        $this->bind();

        if ($this->pageControlAvailable($query)) {
            return $this->runPagedQuery($query, $fields);
        } else {
            return $this->runQuery($query, $fields);
        }
    }

    /**
     * Execute the given LDAP query and return the resulting entries
     *
     * @param Query $query      The query to execute
     * @param array $fields     The fields that will be fetched from the matches
     *
     * @return array            The matched entries
     * @throws LdapException
     */
    protected function runQuery(Query $query, array $fields = null)
    {
        $limit = $query->getLimit();
        $offset = $query->hasOffset() ? $query->getOffset() - 1 : 0;

        if (empty($fields)) {
            $fields = $query->getColumns();
        }

        $serverSorting = false;//$this->capabilities->hasOid(Capability::LDAP_SERVER_SORT_OID);
        if ($serverSorting && $query->hasOrder()) {
            ldap_set_option($this->ds, LDAP_OPT_SERVER_CONTROLS, array(
                array(
                    'oid'           => Capability::LDAP_SERVER_SORT_OID,
                    'value'         => $this->encodeSortRules($query->getOrder())
                )
            ));
        }

        $results = @ldap_search(
            $this->ds,
            $query->getBase() ?: $this->root_dn,
            (string) $query,
            array_values($fields),
            0, // Attributes and values
            $serverSorting && $limit ? $offset + $limit : 0
        );
        if ($results === false) {
            if (ldap_errno($this->ds) === self::LDAP_NO_SUCH_OBJECT) {
                return array();
            }

            throw new LdapException(
                'LDAP query "%s" (base %s) failed. Error: %s',
                $query,
                $query->getBase() ?: $this->root_dn,
                ldap_error($this->ds)
            );
        } elseif (ldap_count_entries($this->ds, $results) === 0) {
            return array();
        }

        $count = 0;
        $entries = array();
        $entry = ldap_first_entry($this->ds, $results);
        do {
            $count += 1;
            if (! $serverSorting || $offset === 0 || $offset < $count) {
                $entries[ldap_get_dn($this->ds, $entry)] = $this->cleanupAttributes(
                    ldap_get_attributes($this->ds, $entry), array_flip($fields)
                );
            }
        } while (
            (! $serverSorting || $limit === 0 || $limit !== count($entries))
            && ($entry = ldap_next_entry($this->ds, $entry))
        );

        if (! $serverSorting && $query->hasOrder()) {
            uasort($entries, array($query, 'compare'));
            if ($limit && $count > $limit) {
                $entries = array_splice($entries, $query->hasOffset() ? $query->getOffset() : 0, $limit);
            }
        }

        ldap_free_result($results);
        return $entries;
    }

    /**
     * Returns whether requesting the page control is available
     */
    protected function pageControlAvailable(Query $query)
    {
        return $this->capabilities->hasPagedResult() &&
               $query->getUsePagedResults() &&
               version_compare(PHP_VERSION, '5.4.0') >= 0;
    }

    /**
     * Execute the given LDAP query while requesting pagination control to separate
     * big responses into smaller chunks
     *
     * @param Query $query      The query to execute
     * @param array $fields     The fields that will be fetched from the matches
     * @param int   $pageSize   The maximum page size, defaults to Connection::PAGE_SIZE
     *
     * @return array            The matched entries
     * @throws LdapException
     * @throws ProgrammingError When executed without available page controls (check with pageControlAvailable() )
     */
    protected function runPagedQuery(Query $query, array $fields = null, $pageSize = null)
    {
        if (! isset($pageSize)) {
            $pageSize = static::PAGE_SIZE;
        }

        $limit = $query->getLimit();
        $offset = $query->hasOffset() ? $query->getOffset() - 1 : 0;
        $queryString = (string) $query;
        $base = $query->getBase() ?: $this->root_dn;

        if (empty($fields)) {
            $fields = $query->getColumns();
        }

        $serverSorting = false;//$this->capabilities->hasOid(Capability::LDAP_SERVER_SORT_OID);
        if ($serverSorting && $query->hasOrder()) {
            ldap_set_option($this->ds, LDAP_OPT_SERVER_CONTROLS, array(
                array(
                    'oid'           => Capability::LDAP_SERVER_SORT_OID,
                    'value'         => $this->encodeSortRules($query->getOrder())
                )
            ));
        }

        $count = 0;
        $cookie = '';
        $entries = array();
        do {
            // do not set controlPageResult as a critical extension, since we still want the
            // possibillity  server to return an answer in case the pagination extension is missing.
            ldap_control_paged_result($this->ds, $pageSize, false, $cookie);

            $results = @ldap_search(
                $this->ds,
                $base,
                $queryString,
                array_values($fields),
                0, // Attributes and values
                $serverSorting && $limit ? $offset + $limit : 0
            );
            if ($results === false) {
                if (ldap_errno($this->ds) === self::LDAP_NO_SUCH_OBJECT) {
                    break;
                }

                throw new LdapException(
                    'LDAP query "%s" (base %s) failed. Error: %s',
                    $queryString,
                    $base,
                    ldap_error($this->ds)
                );
            } elseif (ldap_count_entries($this->ds, $results) === 0) {
                if (in_array(
                    ldap_errno($this->ds),
                    array(static::LDAP_SIZELIMIT_EXCEEDED, static::LDAP_ADMINLIMIT_EXCEEDED)
                )) {
                    Logger::warning(
                        'Unable to request more than %u results. Does the server allow paged search requests? (%s)',
                        $count,
                        ldap_error($this->ds)
                    );
                }

                break;
            }

            $entry = ldap_first_entry($this->ds, $results);
            do {
                $count += 1;
                if (! $serverSorting || $offset === 0 || $offset < $count) {
                    $entries[ldap_get_dn($this->ds, $entry)] = $this->cleanupAttributes(
                        ldap_get_attributes($this->ds, $entry), array_flip($fields)
                    );
                }
            } while (
                (! $serverSorting || $limit === 0 || $limit !== count($entries))
                && ($entry = ldap_next_entry($this->ds, $entry))
            );

            if (false === @ldap_control_paged_result_response($this->ds, $results, $cookie)) {
                // If the page size is greater than or equal to the sizeLimit value, the server should ignore the
                // control as the request can be satisfied in a single page: https://www.ietf.org/rfc/rfc2696.txt
                // This applies no matter whether paged search requests are permitted or not. You're done once you
                // got everything you were out for.
                if ($serverSorting && count($entries) !== $limit) {

                    // The server does not support pagination, but still returned a response by ignoring the
                    // pagedResultsControl. We output a warning to indicate that the pagination control was ignored.
                    Logger::warning('Unable to request paged LDAP results. Does the server allow paged search requests?');
                }
            }

            ldap_free_result($results);
        } while ($cookie && (! $serverSorting || $limit === 0 || count($entries) < $limit));

        if ($cookie) {
            // A sequence of paged search requests is abandoned by the client sending a search request containing a
            // pagedResultsControl with the size set to zero (0) and the cookie set to the last cookie returned by
            // the server: https://www.ietf.org/rfc/rfc2696.txt
            ldap_control_paged_result($this->ds, 0, false, $cookie);
            ldap_search($this->ds, $base, $queryString); // Returns no entries, due to the page size
        } else {
            // Reset the paged search request so that subsequent requests succeed
            ldap_control_paged_result($this->ds, 0);
        }

        if (! $serverSorting && $query->hasOrder()) {
            uasort($entries, array($query, 'compare'));
            if ($limit && $count > $limit) {
                $entries = array_splice($entries, $query->hasOffset() ? $query->getOffset() : 0, $limit);
            }
        }

        return $entries;
    }

    protected function cleanupAttributes($attributes, array $requestedFields)
    {
        // In case the result contains attributes with a differing case than the requested fields, it is
        // necessary to create another array to map attributes case insensitively to their requested counterparts.
        // This does also apply the virtual alias handling. (Since an LDAP server does not handle such)
        $loweredFieldMap = array();
        foreach ($requestedFields as $name => $alias) {
            $loweredFieldMap[strtolower($name)] = is_string($alias) ? $alias : $name;
        }

        $cleanedAttributes = array();
        for ($i = 0; $i < $attributes['count']; $i++) {
            $attribute_name = $attributes[$i];
            if ($attributes[$attribute_name]['count'] === 1) {
                $attribute_value = $attributes[$attribute_name][0];
            } else {
                $attribute_value = array();
                for ($j = 0; $j < $attributes[$attribute_name]['count']; $j++) {
                    $attribute_value[] = $attributes[$attribute_name][$j];
                }
            }

            $requestedAttributeName = isset($loweredFieldMap[strtolower($attribute_name)])
                ? $loweredFieldMap[strtolower($attribute_name)]
                : $attribute_name;
            $cleanedAttributes[$requestedAttributeName] = $attribute_value;
        }

        // The result may not contain all requested fields, so populate the cleaned
        // result with the missing fields and their value being set to null
        foreach ($requestedFields as $name => $alias) {
            if (! is_string($alias)) {
                $alias = $name;
            }

            if (! array_key_exists($alias, $cleanedAttributes)) {
                $cleanedAttributes[$alias] = null;
                Logger::debug('LDAP query result does not provide the requested field "%s"', $name);
            }
        }

        return (object) $cleanedAttributes;
    }

    /**
     * Encode the given array of sort rules as ASN.1 octet stream according to RFC 2891
     *
     * @param   array   $sortRules
     *
     * @return  string
     *
     * @todo    Produces an invalid stream, obviously
     */
    protected function encodeSortRules(array $sortRules)
    {
        if (count($sortRules) > 127) {
            throw new ProgrammingError(
                'Cannot encode more than 127 sort rules. Only length octets in short form are supported'
            );
        }

        $seq = '30' . str_pad(dechex(count($sortRules)), 2, '0', STR_PAD_LEFT);
        foreach ($sortRules as $rule) {
            $hexdAttribute = unpack('H*', $rule[0]);
            $seq .= '3002'
                . '04' . str_pad(dechex(strlen($rule[0])), 2, '0', STR_PAD_LEFT) . $hexdAttribute[1]
                . '0101' . ($rule[1] === Sortable::SORT_DESC ? 'ff' : '00');
        }

        return $seq;
    }

    public function testCredentials($username, $password)
    {
        $this->connect();

        $r = @ldap_bind($this->ds, $username, $password);
        if ($r) {
            Logger::debug(
                'Successfully tested LDAP credentials (%s / %s)',
                $username,
                '***'
            );
            return true;
        } else {
            Logger::debug(
                'Testing LDAP credentials (%s / %s) failed: %s',
                $username,
                '***',
                ldap_error($this->ds)
            );
            return false;
        }
    }

    /**
     * @param null $sub
     *
     * @return string
     */
    protected function getConfigDir($sub = null)
    {
        $dir = Config::$configDir . '/ldap';
        if ($sub !== null) {
            $dir .= '/' . $sub;
        }
        return $dir;
    }

    /**
     * Connect to the given ldap server and apply settings depending on the discovered capabilities
     *
     * @return resource        A positive LDAP link identifier
     * @throws LdapException   When the connection is not possible
     */
    protected function prepareNewConnection()
    {
        if ($this->encryption === static::STARTTLS || $this->encryption === static::LDAPS) {
            $this->prepareTlsEnvironment();
        }

        $hostname = $this->hostname;
        if ($this->encryption === static::LDAPS) {
            $hostname = 'ldaps://' . $hostname;
        }

        $ds = ldap_connect($hostname, $this->port);
        try {
            $this->capabilities = $this->discoverCapabilities($ds);
            $this->discoverySuccess = true;
        } catch (LdapException $e) {
            Logger::debug($e);
            Logger::warning('LADP discovery failed, assuming default LDAP settings.');
            $this->capabilities = new Capability(); // create empty default capabilities
        }
        if ($this->encryption === static::STARTTLS) {
            $force_tls = false;
            if ($this->capabilities->hasStartTls()) {
                if (@ldap_start_tls($ds)) {
                    Logger::debug('LDAP STARTTLS succeeded');
                } else {
                    Logger::error('LDAP STARTTLS failed: %s', ldap_error($ds));
                    throw new LdapException('LDAP STARTTLS failed: %s', ldap_error($ds));
                }
            } elseif ($force_tls) {
                throw new LdapException('STARTTLS is required but not announced by %s', $this->hostname);
            } else {
                Logger::warning('LDAP STARTTLS enabled but not announced');
            }
        }

        // ldap_rename requires LDAPv3:
        if ($this->capabilities->hasLdapV3()) {
            if (! ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) {
                throw new LdapException('LDAPv3 is required');
            }
        } else {
            // TODO: remove this -> FORCING v3 for now
            ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
            Logger::warning('No LDAPv3 support detected');
        }

        // Not setting this results in "Operations error" on AD when using the whole domain as search base
        ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
        // ldap_set_option($ds, LDAP_OPT_DEREF, LDAP_DEREF_NEVER);
        return $ds;
    }

    protected function prepareTlsEnvironment()
    {
        // TODO: allow variable known CA location (system VS Icinga)
        if (Platform::isWindows()) {
            putenv('LDAPTLS_REQCERT=never');
        } else {
            if ($this->reqCert) {
                $ldap_conf = $this->getConfigDir('ldap_ca.conf');
            } else {
                $ldap_conf = $this->getConfigDir('ldap_nocert.conf');
            }
            putenv('LDAPRC=' . $ldap_conf); // TODO: Does not have any effect
            if (getenv('LDAPRC') !== $ldap_conf) {
                throw new LdapException('putenv failed');
            }
        }
    }

    /**
     * Get the capabilities of the connected server
     *
     * @return Capability   The capability object
     */
    public function getCapabilities()
    {
        if ($this->capabilities === null) {
            $this->connect(); // Populates $this->capabilities
        }

        return $this->capabilities;
    }

    /**
     * Whether service discovery was successful
     *
     * @return boolean  True when ldap settings were discovered, false when
     *                   settings were guessed
     */
    public function discoverySuccessful()
    {
        return $this->discoverySuccess;
    }

    /**
     * Discover the capabilities of the given ldap-server
     *
     * @param  resource     $ds     The link identifier of the current ldap connection
     *
     * @return Capability           The capabilities
     * @throws LdapException        When the capability query fails
     */
    protected function discoverCapabilities($ds)
    {
        $fields = array(
            'defaultNamingContext',
            'namingContexts',
            'vendorName',
            'vendorVersion',
            'supportedSaslMechanisms',
            'dnsHostName',
            'schemaNamingContext',
            'supportedLDAPVersion', // => array(3, 2)
            'supportedCapabilities',
            'supportedControl',
            'supportedExtension',
            '+'
        );

        $result = @ldap_read($ds, '', (string) $this->select()->from('*', $fields), $fields);
        if (! $result) {
            throw new LdapException(
                'Capability query failed (%s:%d): %s. Check if hostname and port of the'
                . ' ldap resource are correct and if anonymous access is permitted.',
                $this->hostname,
                $this->port,
                ldap_error($ds)
            );
        }

        $entry = ldap_first_entry($ds, $result);
        if ($entry === false) {
            throw new LdapException(
                'Capabilities not available (%s:%d): %s. Discovery of root DSE probably not permitted.',
                $this->hostname,
                $this->port,
                ldap_error($ds)
            );
        }

        return new Capability($this->cleanupAttributes(ldap_get_attributes($ds, $entry), array_flip($fields)));
    }

    /**
     * Try to connect to the given ldap server
     *
     * @throws LdapException   When connecting is not possible
     */
    public function connect()
    {
        if ($this->ds !== null) {
            return;
        }
        $this->ds = $this->prepareNewConnection();
    }

    /**
     * Try to bind to the current ldap domain using the provided bind_dn and bind_pw
     *
     * @throws LdapException   When binding is not possible
     */
    public function bind()
    {
        if ($this->bound) {
            return;
        }

        $r = @ldap_bind($this->ds, $this->bind_dn, $this->bind_pw);
        if (! $r) {
            throw new LdapException(
                'LDAP connection to %s:%s (%s / %s) failed: %s',
                $this->hostname,
                $this->port,
                $this->bind_dn,
                '***' /* $this->bind_pw */,
                ldap_error($this->ds)
            );
        }
        $this->bound = true;
    }

    /**
     * Create an ldap entry
     *
     * @param   string  $dn     DN to add
     * @param   array   $entry  Entry description
     *
     * @return bool             True on success
     */
    public function addEntry($dn, array $entry)
    {
        return ldap_add($this->ds, $dn, $entry);
    }

    /**
     * Modify a ldap entry
     *
     * @param string $dn        DN of the entry to change
     * @param array  $entry     Change values
     *
     * @return bool             True on success
     */
    public function modifyEntry($dn, array $entry)
    {
        return ldap_modify($this->ds, $dn, $entry);
    }

    /**
     * Move entry to a new DN
     *
     * @param   string $dn          DN of the object
     * @param   string $newRdn      Relative DN identifier
     * @param   string $newParentDn Parent or superior entry
     * @throws  LdapException       Thrown then rename failed
     *
     * @return bool                 True on success
     */
    public function moveEntry($dn, $newRdn, $newParentDn)
    {
        $returnValue = ldap_rename($this->ds, $dn, $newRdn, $newParentDn, false);

        if ($returnValue === false) {
            throw new LdapException('Could not move entry: ' . ldap_error($this->ds));
        }

        return $returnValue;
    }

    public function __destruct()
    {
        putenv('LDAPRC');
    }
}