package Lemonldap::NG::Portal::Auth::GPG;

use strict;
use File::Temp 'tempdir';
use IPC::Run;
use Mouse;
use Lemonldap::NG::Portal::Main::Constants qw(
  PE_BADCREDENTIALS
  PE_ERROR
  PE_FORMEMPTY
  PE_NOTOKEN
  PE_OK
);

our $VERSION = '2.0.12';

extends 'Lemonldap::NG::Portal::Auth::_WebForm';

has db => ( is => 'rw' );
has tmp => (
    is      => 'rw',
    default => sub {
        tempdir( CLEANUP => 1 );
    },
);

sub init {
    my $self = shift;

    $self->db( $self->conf->{gpgDb} );
    unless ( $self->db ) {
        $self->error("gpgDb not set");
        return 0;
    }
    unless ( -r $self->db ) {
        $self->error( "Unable to read " . $self->db );
        return 0;
    }

    return $self->SUPER::init();
}

sub extractFormInfo {
    my ( $self, $req ) = @_;

    unless ( $self->ottRule->( $req, {} ) ) {
        $self->error("OTT isn't set, unable to use GPG");
    }

    # Keep token data for later use
    my ( $token, $gpgToken );
    if ( $token = $req->param('token') ) {
        $gpgToken = $self->ott->getToken($token);
        $req->data->{tokenVerified} = 1 if ($gpgToken);
    }
    my $res = $self->SUPER::extractFormInfo($req);
    return $res if ($res);
    my $signed = $req->data->{password};
    unless ( $signed =~ /SIGNATURE/s ) {
        $self->userLogger->error("Bad signature content");
        $self->userLogger->debug($signed);
        $self->setSecurity($req);
        return PE_BADCREDENTIALS;
    }
    unless ( $signed =~ /\b\Q$token\E\b/ ) {
        $self->userLogger->error("User replayed a bad token in GPG !");
        $self->setSecurity($req);
        return PE_BADCREDENTIALS;
    }
    my ( $out, $err );
    $self->logger->debug(
"Launching:\ngpgv --homedir /dev/null --keyring $self->{db} <<EOF\n$signed\nEOF"
    );
    my ( $lang, $language ) = ( $ENV{LANG}, $ENV{LANGUAGE} );
    $ENV{LANG} = $ENV{LANGUAGE} = 'C';
    IPC::Run::run( [ 'gpgv', '--homedir', '/dev/null', '--keyring', $self->db ],
        \$signed, \$out, \$err, IPC::Run::timeout(10) );
    if ( $? >> 8 != 0 ) {
        $self->userLogger->error("GPG verification fails:\n$out\n# # #\n$err");
        $self->setSecurity($req);
        return PE_BADCREDENTIALS;
    }
    $self->setSecurity($req);
    $self->userLogger->notice("Good GPG signature");
    $self->userLogger->debug("GPG out:\n$out\n$err");
    my $key;
    if ( $err =~ /using .*? key (.*)$/m ) {
        $key = $1;
        chomp $key;
    }
    else {
        $self->logger->error("Unable to parse gpgv result:\n$err");
        return PE_ERROR;
    }
    $self->logger->debug("GPG full sign key: $key");
    my $in;
    IPC::Run::run( [
            'gpg',     '--homedir',  $self->tmp, '--keyring',
            $self->db, '--list-key', $key
        ],
        \$in,
        \$out,
        \$err,
        IPC::Run::timeout(10)
    );
    ( $ENV{LANG}, $ENV{LANGUAGE} ) = ( $lang, $language );
    if ( $? >> 8 != 0 ) {
        $self->logger->error("gpg --list-key return an error:\n$err");
        return PE_ERROR;
    }

    if ( $out =~ /pub [^\n]*\r?\n +([^\n]+)\n/ ) {
        $key = $1;
        chomp $key;
    }
    else {
        $self->logger->error(
            "Unable to parse gpg --list-key result:\n$out\n$err\n");
        return PE_ERROR;
    }
    $self->logger->debug("GPG full master key: $key");

    # Keep only gpgKeyLength characters
    my $length = $self->conf->{gpgKeyLength} || 8;
    $length = 8 if ( $length < 8 );
    $key =~ s/.*?(.{8,$length})$/$1/;
    $self->logger->info("User key: $key");

    my @identities = ( $out =~ /uid\s+(.*)$/gm );
    my $mail       = $req->param('user');
    foreach (@identities) {
        if (/^(.*)\s+<\Q$mail\E>/) {
            $req->data->{gpgFullName} = $1;
            $req->data->{gpgMail}     = $mail;
            $req->user($mail);
            $self->userLogger->notice("GPG user $mail authenticated");
            return PE_OK;
        }
    }
    $self->userLogger->warn("Given mail does not match with gpg key");
    $self->setSecurity($req);
    return PE_BADCREDENTIALS;
}

sub authenticate {
    return PE_OK;
}

sub setAuthSessionInfo {
    my ( $self, $req ) = @_;
    $req->sessionInfo->{gpgMail}             = $req->data->{gpgMail};
    $req->sessionInfo->{authenticationLevel} = $self->conf->{gpgAuthnLevel};
    return PE_OK;
}

sub authLogout {
    return PE_OK;
}

sub getDisplayType {
    return "gpgform";
}

1;