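# --
# Kernel/System/Auth/CAS.pm - provides the CAS authentication through Jasig
#
# Copyright (C) 2015-2017 - Rodrigo Gonçalves - rodrigo@goncalves.pro.br
# --
# $Id: CAS.pm,v 2.0 2015/01/05 15:16:05 mb Exp $
#
# Version 2015/01/15 - RG - Adjusts for OTRS4
# Version 2016-01-18 - RG - Fixes for OTRS 5.0.6
# Version 2017-12-07 - RG - Fixes for OTRS 6.0.1
#
#
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (AGPL). If you
# did not receive this file, see http://www.gnu.org/licenses/agpl.txt.
# --
# Note:
#
# If you use this module, you should use as fallback the following config settings:
#
# If the user isn't logged in through apache ($ENV{REMOTE_USER} or $ENV{HTTP_REMOTE_USER})
# $Self->{CustomerPanelLoginURL} = 'http://host.example.com/not-authorised-for-otrs.html';
#
# $Self->{CustomerPanelLogoutURL} = 'http://host.example.com/thanks-for-using-otrs.html';
#
# --
package Kernel::System::Auth::CAS;

use strict;
use warnings;

use CGI;
use AuthCAS;
use Data::Dumper;
# NOTE(review): fatalsToBrowser sends the text of any die() (which may
# include file paths or configuration values) to the client. It is useful
# while developing; on production hosts drop it so failures only reach the
# OTRS log.
use CGI::Carp qw( fatalsToBrowser );
use URI::Escape;

our @ObjectDependencies = (
    'Kernel::Config',
    'Kernel::System::Log',
    'Kernel::System::DB',
);

# Allow-list for ticket values that are forwarded to the CAS server. CAS
# tickets are short tokens of letters, digits and separators ("ST-..."), so
# anything else found in the client-supplied URL is treated as "no ticket"
# instead of being embedded in the validation request.
my $TICKET_RE = qr{ \A [A-Za-z0-9._-]+ \z }xms;

# Constructor. OTRS passes Count (the position of this backend in the auth
# chain) when it instantiates the module; Debug switches Debug() logging.
sub new {
    my ( $Type, %Param ) = @_;

    my $Self = bless {}, $Type;

    # Debug 0=off 1=on
    $Self->{Debug} = 1;
    $Self->{Count} = $Param{Count} || '';

    return $Self;
}

# Returns the value of a module option by name (only PreAuth is defined).
# Logs an error and returns an empty list when What is missing; returns
# undef for an unknown option.
sub GetOption {
    my ( $Self, %Param ) = @_;

    if ( !$Param{What} ) {
        $Kernel::OM->Get('Kernel::System::Log')->Log(
            Priority => 'error',
            Message  => "Need What!",
        );
        return;
    }

    # module options
    my %Option = (
        PreAuth => 1,
    );

    return $Option{ $Param{What} };
}

# Authenticates the current request against the CAS server.
#
# Parameters (supplied by the OTRS auth layer):
#   RequestedURL - the OTRS URL the browser asked for; the part before the
#                  ticket parameter is used as the service URL for validation.
#
# Returns the login validated by CAS, or '' when no user could be
# authenticated (including the case where a redirect to the CAS login page
# has just been printed). The ticket is taken from the Referer header, not
# from the current query string; that value is client-supplied and is only
# trusted once AuthCAS::validateST has accepted it.
sub Auth {
    my ( $Self, %Param ) = @_;

    my $QueryString  = $ENV{HTTP_REFERER} || '';
    my $ConfigObject = $Kernel::OM->Get('Kernel::Config');

    my $cas     = AuthCAS->new( casUrl => $ConfigObject->Get('AuthModule::CAS::CASUrl') );
    my $app_url = $ConfigObject->Get('AuthModule::CAS::ServiceUrl');

    # An unset config value would otherwise warn on the numeric comparison.
    my $Gateway = $ConfigObject->Get('AuthModule::CAS::Gateway') || 0;

    if ( $Gateway == 1 ) {
        return $Self->_AuthGateway( $cas, $app_url, $QueryString );
    }

    return $Self->_AuthLogin( $cas, $app_url, $QueryString, $Param{RequestedURL} );
}

# Gateway mode ("TEST MODE" in the original): a ticket in the referer is
# validated; a referer carrying checked_cas means CAS already answered and
# no session exists; otherwise the browser is sent to the CAS gateway URL.
sub _AuthGateway {
    my ( $Self, $cas, $app_url, $QueryString ) = @_;

    if ( $QueryString =~ /ticket/ ) {
        my $ST = $Self->_ExtractTicket($QueryString);
        return '' if !defined $ST;
        return $cas->validateST( $app_url, $ST );
    }

    return '' if $QueryString =~ /checked_cas/;

    my $login_url = $cas->getServerLoginGatewayURL( $app_url . '?checked_cas=1' );
    $Self->_Redirect($login_url);

    return '';
}

# Normal mode: redirect to the CAS login page when the referer carries no
# ticket, otherwise validate the ticket and record the CAS session.
sub _AuthLogin {
    my ( $Self, $cas, $app_url, $QueryString, $RequestedURL ) = @_;

    $Self->Debug( "Autenticando: " . $QueryString );

    my $requested = defined $RequestedURL ? $RequestedURL : '';

    # If no ticket passed, redirect to CAS to authenticate/get token
    if ( $QueryString !~ m{ ticket (?: = | %3[dD] ) }xms ) {
        my $redurl    = uri_escape( $app_url . '?' . $requested );
        my $login_url = $cas->getServerLoginURL($redurl);
        $Self->_Redirect($login_url);
        return '';
    }

    $Self->Debug( "Recebida URL com ticket: " . $QueryString );

    # CAS session created - record id
    my $ST = $Self->_ExtractTicket($QueryString);
    if ( !defined $ST ) {
        $Self->Debug("Ticket value in referer is not a well-formed CAS ticket; not validating");
        return '';
    }

    # Service URL CAS redirected to: RequestedURL up to the ticket parameter.
    # Without a ticket parameter the whole URL is used (substr with -1 would
    # silently drop the last character).
    my $cut       = index( $requested, '&ticket=ST' );
    my $substring = $cut >= 0 ? substr( $requested, 0, $cut ) : $requested;
    my $redurl    = uri_escape( $app_url . '?' . $substring );

    $Self->Debug("Validando URL $redurl com ticket $ST");
    my $User = $cas->validateST( $redurl, $ST );
    $Self->Debug( "Autenticou... " . ( defined $User ? $User : '' ) );

    if ($User) {
        my $DBObject = $Kernel::OM->Get('Kernel::System::DB');

        # Keep a single cas_session row per login: replace any earlier one.
        $DBObject->Do(
            SQL  => 'DELETE FROM cas_session WHERE UserLogin=?',
            Bind => [ \$User ],
        );
        $DBObject->Do(
            SQL  => 'INSERT INTO cas_session (UserLogin,Ticket) VALUES (?, ?)',
            Bind => [ \$User, \$ST ],
        );
    }

    return $User;
}

# Pulls the service ticket out of a URL or query string. Accepts both a raw
# "ticket=" and a percent-encoded "ticket%3D" separator (the original code
# handled each in a different branch). Returns undef when no ticket is
# present or when the value fails the $TICKET_RE allow-list.
sub _ExtractTicket {
    my ( $Self, $String ) = @_;

    return if !defined $String;

    my ($Ticket) = $String =~ m{ ticket (?: = | %3[dD] ) ( [^&]+ ) }xms;
    return if !defined $Ticket;
    return if $Ticket !~ $TICKET_RE;

    return $Ticket;
}

# Emits an HTTP redirect to $URL on STDOUT; callers then return '' so the
# OTRS auth layer treats the request as not (yet) authenticated.
sub _Redirect {
    my ( $Self, $URL ) = @_;

    my $q = CGI->new();
    print $q->redirect( -URL => $URL );

    return;
}

# Writes $msg to the OTRS log at debug priority, honouring the Debug flag
# set in new() (the original logged unconditionally).
sub Debug {
    my ( $Self, $msg ) = @_;

    return if !$Self->{Debug};

    $Kernel::OM->Get('Kernel::System::Log')->Log(
        Priority => 'debug',
        Message  => $msg,
    );

    return;
}

1;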