#!/usr/bin/perl -w

###
##
# login
#
# The CGI that does the deed.
#
#  * Present a form
#  * Check it when filled in
#  * Notify the connecting IP of the outcome
#  * Inform and optionally redirect the user
#
# RJF & SDE, 7.4.01 
#
# License: GPL.
##
###

#use lib '/usr/local/nocat'; # or wherever.
use lib '../lib/';
use NoCat qw( ANONYMOUS );
use strict;

my $authserv	= NoCat->auth_service( ConfigFile => $ENV{NOCAT} );
my $cgi		= $authserv->cgi;
my $params	= $cgi->Vars;

# Debug configuration setup.
$authserv->check_config(qw( 
    LoginForm FatalForm RenewForm LoginOKForm ExpiredForm
    LoginGreeting LoginMissing LoginBadUser LoginBadPass
));

# <dme26>: added to deal with the session cookie
sub get_CRSID {
  my(%cookies) = map { split /=/, $_, 2 } split /; /, $ENV{'HTTP_COOKIE'} ;
  my(@ravenData) = split /!/, $cookies{'Ucam-WebAuth-Session-S'};
  return $ravenData[7]; # should be CRSID
}
sub check_CRSID {
  my $fh;
  my $ret=0;
  open $fh,"</etc/nocat/permittedCRSIDs.txt";
  while(<$fh>){
    if(/^$_[0]/) {
      $ret=1;
    }
  }
  close $fh;
  return $ret;
}

$params->{user} = get_CRSID;
# </dme26>

$authserv->log( 7, sprintf( "User %s from %s requests %s", 
    $params->{user} || "UNKNOWN", $cgi->remote_host, 
    lc( $params->{mode} ) || "form" ) 
);

# Figure out which image button was clicked (since they don't have value="" attributes).
if (my ($button) = grep { defined $params->{"mode_$_.x"} } qw( login skip logout )) {
    delete $params->{$_} for ( "mode_$button.x", "mode_$button.y" );
    $params->{mode} = $button;
}

# Have we filled in the form yet?  No?  If not, present one.
$authserv->display( LoginForm => "LoginGreeting" ) unless $params->{mode};

# Verify prerequisites.
$authserv->display( FatalForm => "Your MAC address is undefined.  Problem with the gateway?" )
    unless $params->{mac};
$authserv->display( FatalForm => "Your gateway token is undefined.  Problem with the gateway?" )
    unless $params->{token};

# <dme26>
# Uncomment these two lines if you want a dynamic CRSID list check performed after
# successful Raven authentication, but before allowing users onto your network.
#$authserv->display( FatalForm => "Please contact <a href=\"mailto:computer.officer\@kings.cam.ac.uk\">computer.officer\@kings.cam.ac.uk</a> to be added to the list of authorised wifi users" )
#    unless check_CRSID $params->{user};
# </dme26>

# If the user skipped authentication...
if ( $params->{user} eq ANONYMOUS or $params->{mode} =~ /^skip/io ) {
    $params->{user} = ANONYMOUS;
    delete $params->{member};

# Otherwise, attempt to authenticate the user.
} else {
    # Are we just missing required fields?
    $authserv->display( LoginForm => "LoginMissing"   )
	unless $params->{user} and $params->{pass};

    # Does the login info match what we have on file?
    my $user = $authserv->user->fetch( $params->{user} );

# <dme26>
# bypass authentication
#    $authserv->display( LoginForm => "LoginBadUser" ) unless $user->id;
#    $authserv->display( LoginForm => "LoginBadPass" ) unless $user->authenticate( $params->{pass} );
    # Set the service class based on the user's authorization (if any).
#    my $member = join( " ", $user->groups );
#    $params->{member} = $member if $member;	
    $params->{member} = "guest";
# </dme26>
}

# Finally, notify the gateway (and the user) as to the outcome.
my ( $form, $gw );

# Either we're requesting the renewal popup box...
if ( $params->{mode} =~ /^popup/io ) {
    $form = ( $params->{gateway} ? "PassiveRenewForm" : "RenewForm" );
    $params->{redirect} = $authserv->renew_url;

# Or we're either logging in, or renewing, in which case, notify the gateway.
} elsif ($gw = $authserv->notify( Permit => $params )) {
    if ( $gw->{Error} ) {
	# Oddly enough, this isn't really success.
	$form = "ExpiredForm";

    } elsif ( $params->{mode} =~ /^renew/io ) {
	if ( $params->{gateway} ) {
	    $form = "PassiveRenewForm";
	    # $params->{redirect} = $gw->{redirect};
	} else {
	    $form = "RenewForm";
	    $params->{redirect} = $authserv->renew_url( $gw );
	}

    } else {
	$form = "LoginOKForm";
	# $params->{redirect} = $gw->{redirect} if $gw->{redirect};
	$params->{popup} = $authserv->popup_url( $gw ); 
	    # set the javascript *link* to the popup box.
	# warn "+ redirect:[$params->{redirect}] popup:[$params->{popup}]\n";
    }

# Or something's really wrong.
} else {
    my $err = $!;
    if ($err =~ /Connection refused/io) { 
	$authserv->display( LoginForm => "Can't connect to your gateway. If it's behind a NAT'ed firewall, it needs to run in Passive Mode." );
    } else {
	$authserv->display( LoginForm => "Authentication error for connection $params->{token}: $!" );
    }
}

$params->{logout} = $authserv->logout_url; # Make a logout link.

# Execute on the plan and tell a compelling story to the user.
$authserv->success( $form => $params );

# Fin