# Portions of this file are derived from Pleroma:
# Pleroma: A lightweight social networking server
# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only

defmodule Mobilizon.Service.Auth.LDAPAuthenticator do
  @moduledoc """
  Authenticate Mobilizon users through LDAP accounts
  """
  alias Mobilizon.Service.Auth.{Authenticator, MobilizonAuthenticator}
  alias Mobilizon.Users
  alias Mobilizon.Users.User

  require Logger

  import Authenticator,
    only: [fetch_user: 1]

  @behaviour Authenticator
  @base MobilizonAuthenticator

  @connection_timeout 10_000
  @search_timeout 10_000

  def login(email, password) do
    with {:ldap, true} <- {:ldap, Mobilizon.Config.get([:ldap, :enabled])},
         %User{} = user <- ldap_user(email, password) do
      {:ok, user}
    else
      {:error, {:ldap_connection_error, _}} ->
        # When LDAP is unavailable, try default authenticator
        @base.login(email, password)

      {:ldap, _} ->
        @base.login(email, password)

      error ->
        error
    end
  end

  def can_change_email?(%User{provider: provider}), do: provider != "ldap"

  def can_change_password?(%User{provider: provider}), do: provider != "ldap"

  defp ldap_user(email, password) do
    ldap = Mobilizon.Config.get(:ldap, [])
    host = Keyword.get(ldap, :host, "localhost")
    port = Keyword.get(ldap, :port, 389)
    ssl = Keyword.get(ldap, :ssl, false)
    sslopts = Keyword.get(ldap, :sslopts, [])

    options =
      [{:port, port}, {:ssl, ssl}, {:timeout, @connection_timeout}] ++
        if sslopts != [], do: [{:sslopts, sslopts}], else: []

    case :eldap.open([to_charlist(host)], options) do
      {:ok, connection} ->
        try do
          ensure_eventual_tls(connection, ldap)

          base = Keyword.get(ldap, :base)
          uid_field = Keyword.get(ldap, :uid, "cn")

          # We first need to find the LDAP UID/CN for this specif email
          with uid when is_binary(uid) <- search_user(connection, ldap, base, uid_field, email),
               # Then we can verify the user's password
               :ok <- bind_user(connection, base, uid_field, uid, password) do
            case fetch_user(email) do
              %User{disabled: false} = user ->
                user

              %User{disabled: true} = _user ->
                {:error, :disabled_user}

              _ ->
                register_user(email)
            end
          else
            {:error, err}
            when err in [:ldap_search_email_not_found, :ldap_search_missing_attributes] ->
              {:ldap, err}

            {:error, error} ->
              {:error, error}

            error ->
              {:error, error}
          end
        after
          :eldap.close(connection)
        end

      {:error, error} ->
        Logger.error("Could not open LDAP connection: #{inspect(error)}")
        {:error, {:ldap_connection_error, error}}
    end
  end

  @spec bind_user(any(), String.t(), String.t(), String.t(), String.t()) ::
          User.t() | any()
  defp bind_user(connection, base, uid, field, password) do
    bind = "#{uid}=#{field},#{base}"
    Logger.debug("Binding to LDAP with \"#{bind}\"")
    :eldap.simple_bind(connection, bind, password)
  end

  @spec search_user(any(), Keyword.t(), String.t(), String.t(), String.t()) ::
          String.t() | {:error, :ldap_registration_missing_attributes} | any()
  defp search_user(connection, ldap, base, uid, email) do
    # We may need to bind before performing the search
    res =
      if Keyword.get(ldap, :require_bind_for_search, true) do
        admin_field = Keyword.get(ldap, :bind_uid)
        admin_password = Keyword.get(ldap, :bind_password)
        bind_user(connection, base, uid, admin_field, admin_password)
      else
        :ok
      end

    if res == :ok do
      do_search_user(connection, base, uid, email)
    else
      res
    end
  end

  # Search an user by uid to find their CN
  @spec do_search_user(any(), String.t(), String.t(), String.t()) ::
          String.t() | {:error, :ldap_registration_missing_attributes} | any()
  defp do_search_user(connection, base, uid, email) do
    with {:ok, {:eldap_search_result, [{:eldap_entry, _, attributes}], _}} <-
           :eldap.search(connection, [
             {:base, to_charlist(base)},
             {:filter, :eldap.equalityMatch(to_charlist("mail"), to_charlist(email))},
             {:scope, :eldap.wholeSubtree()},
             {:attributes, [to_charlist(uid)]},
             {:timeout, @search_timeout}
           ]),
         {:uid, {_, [uid]}} <- {:uid, List.keyfind(attributes, to_charlist(uid), 0)} do
      :erlang.list_to_binary(uid)
    else
      {:ok, {:eldap_search_result, [], []}} ->
        Logger.info("Unable to find user with email #{email}")
        {:error, :ldap_search_email_not_found}

      {:cn, err} ->
        Logger.error("Could not find LDAP attribute CN: #{inspect(err)}")
        {:error, :ldap_search_missing_attributes}

      error ->
        error
    end
  end

  @spec register_user(String.t()) :: User.t() | any()
  defp register_user(email) do
    case Users.create_external(email, "ldap") do
      {:ok, %User{} = user} ->
        user

      error ->
        error
    end
  end

  @spec ensure_eventual_tls(any(), Keyword.t()) :: :ok
  defp ensure_eventual_tls(connection, ldap) do
    if Keyword.get(ldap, :tls, false) do
      :application.ensure_all_started(:ssl)

      case :eldap.start_tls(
             connection,
             Keyword.get(ldap, :tlsopts, []),
             @connection_timeout
           ) do
        :ok ->
          :ok

        error ->
          Logger.error("Could not start TLS: #{inspect(error)}")
      end
    end

    :ok
  end
end