# -*- coding: utf-8 -*-
##############################################################################
#
# Copyright (c) 2012 Nexedi SA and Contributors. All Rights Reserved.
#
# WARNING: This program as such is intended to be used by professional
# programmers who take the whole responsibility of assessing all potential
# consequences resulting from its eventual inadequacies and bugs
# End users who are looking for a ready-to-use solution with commercial
# guarantees and support are strongly advised to contract a Free Software
# Service Company
#
# This program is Free Software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
##############################################################################

from Products.ERP5Type.Globals import InitializeClass
from AccessControl import ClassSecurityInfo

from Products.PageTemplates.PageTemplateFile import PageTemplateFile
from Products.PluggableAuthService.interfaces import plugins
from Products.PluggableAuthService.utils import classImplements
from Products.PluggableAuthService.plugins.BasePlugin import BasePlugin
from Products.ERP5Security.ERP5UserManager import SUPER_USER
from Products.PluggableAuthService.PluggableAuthService import DumbHTTPExtractor

from AccessControl.SecurityManagement import getSecurityManager,\
    setSecurityManager, newSecurityManager
from DateTime import DateTime
from Products.ZSQLCatalog.SQLCatalog import SimpleQuery

#Form for new plugin in ZMI
manage_addERP5BearerExtractionPluginForm = PageTemplateFile(
  'www/ERP5Security_addERP5BearerExtractionPlugin', globals(),
  __name__='manage_addERP5BearerExtractionPluginForm')

def addERP5BearerExtractionPlugin(dispatcher, id, token_portal_type,
  title=None, REQUEST=None):
  """ Add a ERP5BearerExtractionPlugin to a Pluggable Auth Service. """

  plugin = ERP5BearerExtractionPlugin(id, token_portal_type, title)
  dispatcher._setObject(plugin.getId(), plugin)

  if REQUEST is not None:
      REQUEST['RESPONSE'].redirect(
          '%s/manage_workspace'
          '?manage_tabs_message='
          'ERP5BearerExtractionPlugin+added.'
          % dispatcher.absolute_url())

class ERP5BearerExtractionPlugin(BasePlugin):
  """
  Plugin to authenicate as machines.
  """

  meta_type = "ERP5 Bearer Extraction Plugin"
  security = ClassSecurityInfo()

  def __init__(self, id, token_portal_type, title=None):
    #Register value
    self._setId(id)
    self.title = title
    self.token_portal_type = token_portal_type

  ####################################
  #ILoginPasswordHostExtractionPlugin#
  ####################################
  security.declarePrivate('extractCredentials')
  def extractCredentials(self, request):
    """ Extract credentials from the request header. """
    creds = {}
    authorisation = request._auth
    if authorisation is not None:
      if 'Bearer' in authorisation:
        l = authorisation.split()
        if len(l) == 2:
          token = l[1]
          sm = getSecurityManager()
          if sm.getUser().getId() != SUPER_USER:
            newSecurityManager(self, self.getUser(SUPER_USER))
          try:
            now = DateTime()
            token_document = self.portal_catalog.getResultValue(
              portal_type=self.token_portal_type,
              reference=token,
              query=SimpleQuery(comparison_operator='<=', expiration_date=now),
              validation_state='validated'
            )
            if token_document is not None:
              if token_document.getReference() == token and \
                token_document.getExpirationDate() <= now and \
                token_document.getValidationState() == 'validated' and \
                token_document.getDestinationReference() is not None:
                  creds['external_login'] = \
                    token_document.getDestinationReference()
          finally:
            setSecurityManager(sm)
          if 'external_login' in  creds:
            creds['external_login'] = token
            creds['remote_host'] = request.get('REMOTE_HOST', '')
            try:
              creds['remote_address'] = request.getClientAddr()
            except AttributeError:
              creds['remote_address'] = request.get('REMOTE_ADDR', '')
            return creds


    # fallback to default way
    return DumbHTTPExtractor().extractCredentials(request)

#List implementation of class
classImplements( ERP5BearerExtractionPlugin,
                plugins.ILoginPasswordHostExtractionPlugin
               )
InitializeClass(ERP5BearerExtractionPlugin)