package PVE::API2::Domains;

use strict;
use warnings;
use PVE::Cluster qw (cfs_read_file cfs_write_file);
use PVE::AccessControl;
use PVE::JSONSchema qw(get_standard_option);

use PVE::SafeSyslog;
use PVE::RESTHandler;

my $domainconfigfile = "domains.cfg";

use base qw(PVE::RESTHandler);

__PACKAGE__->register_method ({
    name => 'index', 
    path => '', 
    method => 'GET',
    description => "Authentication domain index.",
    permissions => { user => 'world' },
    parameters => {
	additionalProperties => 0,
	properties => {},
    },
    returns => {
	type => 'array',
	items => {
	    type => "object",
	    properties => {
		realm => { type => 'string' },
		comment => { type => 'string', optional => 1 },
	    },
	},
	links => [ { rel => 'child', href => "{realm}" } ],
    },
    code => sub {
	my ($param) = @_;
    
	my $res = [];

	my $cfg = cfs_read_file($domainconfigfile);
 
	foreach my $realm (keys %$cfg) {
	    my $d = $cfg->{$realm};
	    my $entry = { realm => $realm, type => $d->{type} };
	    $entry->{comment} = $d->{comment} if $d->{comment};
	    $entry->{default} = 1 if $d->{default};
	    push @$res, $entry;
	}

	return $res;
    }});

__PACKAGE__->register_method ({
    name => 'create', 
    protected => 1,
    path => '', 
    method => 'POST',
    permissions => { 
	check => ['perm', '/access', ['Sys.Modify']],
    },
    description => "Add an authentication server.",
    parameters => {
   	additionalProperties => 0,
	properties => {
	    realm =>  get_standard_option('realm'),
	    type => {
		description => "Server type.",
		type => 'string', 
		enum => [ 'ad', 'ldap' ],
	    },
	    server1 => { 
		description => "Server IP address (or DNS name)",		
		type => 'string',
	    },
	    server2 => { 
		description => "Fallback Server IP address (or DNS name)",
		type => 'string',
		optional => 1,
	    },
	    secure => { 
		description => "Use secure LDAPS protocol.",
		type => 'boolean', 
		optional => 1,
	    },
	    default => { 
		description => "Use this as default realm",
		type => 'boolean', 
		optional => 1,
	    },
	    comment => { 
		type => 'string', 
		optional => 1,
	    },
	    port => {
		description => "Server port. Use '0' if you want to use default settings'",
		type => 'integer',
		minimum => 0,
		maximum => 65535,
		optional => 1,
	    },
	    domain => {
		description => "AD domain name",
		type => 'string',
		optional => 1,
	    },
	    base_dn => {
		description => "LDAP base domain name",
		type => 'string',
		optional => 1,
	    },
	    user_attr => {
		description => "LDAP user attribute name",
		type => 'string',
		optional => 1,
	    },
	},
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::AccessControl::lock_domain_config(
	    sub {
			
		my $cfg = cfs_read_file($domainconfigfile);

		my $realm = $param->{realm};
	
		die "domain '$realm' already exists\n" 
		    if $cfg->{$realm};

		die "unable to use reserved name '$realm'\n"
		    if ($realm eq 'pam' || $realm eq 'pve');

		if (defined($param->{secure})) {
		    $cfg->{$realm}->{secure} = $param->{secure} ? 1 : 0;
		}

		if ($param->{default}) {
		    foreach my $r (keys %$cfg) {
			delete $cfg->{$r}->{default};
		    }
		}

		foreach my $p (keys %$param) {
		    next if $p eq 'realm';
		    $cfg->{$realm}->{$p} = $param->{$p} if $param->{$p};
		}

		# port 0 ==> use default
		# server2 == '' ===> delete server2
		for my $p (qw(port server2)) { 
		    if (defined($param->{$p}) && !$param->{$p}) { 
			delete $cfg->{$realm}->{$p};
		    }
		}

		cfs_write_file($domainconfigfile, $cfg);
	    }, "add auth server failed");

	return undef;
    }});

__PACKAGE__->register_method ({
    name => 'update', 
    path => '{realm}', 
    method => 'PUT',
    permissions => { 
	check => ['perm', '/access', ['Sys.Modify']],
    },
    description => "Update authentication server settings.",
    protected => 1,
    parameters => {
   	additionalProperties => 0,
	properties => {
	    realm =>  get_standard_option('realm'),
	    server1 => { 
		description => "Server IP address (or DNS name)",		
		type => 'string',
		optional => 1,
	    },
	    server2 => { 
		description => "Fallback Server IP address (or DNS name)",
		type => 'string',
		optional => 1,
	    },
	    secure => { 
		description => "Use secure LDAPS protocol.",
		type => 'boolean', 
		optional => 1,
	    },
	    default => { 
		description => "Use this as default realm",
		type => 'boolean', 
		optional => 1,
	    },
	    comment => { 
		type => 'string', 
		optional => 1,
	    },
	    port => {
		description => "Server port. Use '0' if you want to use default settings'",
		type => 'integer',
		minimum => 0,
		maximum => 65535,
		optional => 1,
	    },
	    domain => {
		description => "AD domain name",
		type => 'string',
		optional => 1,
	    },
	    base_dn => {
		description => "LDAP base domain name",
		type => 'string',
		optional => 1,
	    },
	    user_attr => {
		description => "LDAP user attribute name",
		type => 'string',
		optional => 1,
	    },
	},
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::AccessControl::lock_domain_config(
	    sub {
			
		my $cfg = cfs_read_file($domainconfigfile);

		my $realm = $param->{realm};
		delete $param->{realm};

		die "unable to modify bultin domain '$realm'\n"
		    if ($realm eq 'pam' || $realm eq 'pve');

		die "domain '$realm' does not exist\n" 
		    if !$cfg->{$realm};

		if (defined($param->{secure})) {
		    $cfg->{$realm}->{secure} = $param->{secure} ? 1 : 0;
		}

		if ($param->{default}) {
		    foreach my $r (keys %$cfg) {
			delete $cfg->{$r}->{default};
		    }
		}

		foreach my $p (keys %$param) {
		    if ($param->{$p}) {
			$cfg->{$realm}->{$p} = $param->{$p};
		    } else {
			delete $cfg->{$realm}->{$p};
		    }
		}

		cfs_write_file($domainconfigfile, $cfg);
	    }, "update auth server failed");

	return undef;
    }});

# fixme: return format!
__PACKAGE__->register_method ({
    name => 'read', 
    path => '{realm}', 
    method => 'GET',
    description => "Get auth server configuration.",
    permissions => { 
	check => ['perm', '/access', ['Sys.Audit']],
    },
    parameters => {
   	additionalProperties => 0,
	properties => {
	    realm =>  get_standard_option('realm'),
	},
    },
    returns => {},
    code => sub {
	my ($param) = @_;

	my $cfg = cfs_read_file($domainconfigfile);

	my $realm = $param->{realm};
	
	my $data = $cfg->{$realm};
	die "domain '$realm' does not exist\n" if !$data;

	return $data;
    }});


__PACKAGE__->register_method ({
    name => 'delete', 
    path => '{realm}', 
    method => 'DELETE',
    permissions => { 
	check => ['perm', '/access', ['Sys.Modify']],
    },
    description => "Delete an authentication server.",
    protected => 1,
    parameters => {
   	additionalProperties => 0,
	properties => {
	    realm =>  get_standard_option('realm'),
	}
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	PVE::AccessControl::lock_user_config(
	    sub {

		my $cfg = cfs_read_file($domainconfigfile);

		my $realm = $param->{realm};
	
		die "domain '$realm' does not exist\n" if !$cfg->{$realm};

		delete $cfg->{$realm};

		cfs_write_file($domainconfigfile, $cfg);
	    }, "delete auth server failed");
	
	return undef;
    }});

1;