#!/usr/local/bin/php
<?php
#
# ***** BEGIN GPL LICENSE BLOCK *****
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
# The Original Code is Copyright (C) 2019, Blender Foundation
# All rights reserved.
#
# Contributor(s): Sergey Sharybin.
#
# ***** END GPL LICENSE BLOCK *****
#
# This scripts implements external AuthBasicProvider which can be used
# to authentificate users using Phabricator's database.
#
# Example configuration:
#
# .htaccess file:
#
#   AuthType Basic
#   AuthName "Please Enter Password"
#   AuthBasicProvider external
#   AuthExternal phabricator
#   Require valid-user
#
# It is also required to have the following provider registered in the
# configuration. There are two ways to do it:
#
#  1. Separate conf file in /etc/apache2/conf-enabled
#     Create a file (say, authz_external_phabricator.conf) with the following
#     content:
#
#       DefineExternalAuth phabricator pipe /path/to/auth_provider.php
#
#     This method allows to use provider in any VHOST.
#
#     Downside: from local tests .htaccess file picks the provider nicely,
#     but attempts to specifu the provider in virtual host configuration
#     resulted in issues (seems to be different initialization order between
#     global config in those files and virtual hosts).
#
#  2. Define provider in the virtual host definition:
#
#       <IfModule mod_authnz_external.c>
#         AddExternalAuth phabricator /path/to/auth_provider.php
#         SetExternalAuthMethod phabricator pipe
#       </IfModule>
#
#     This method allowed to use this auth provider for SVN DAV.

$IS_DEBUG = false;
$PHABRICATOR_ROOT = dirname(dirname(dirname(__FILE__)));
require_once $PHABRICATOR_ROOT.'/scripts/__init_script__.php';

function initLogging() {
  global $IS_DEBUG;
  global $argv;
  for ($i = 1; $i < count($argv); ++$i) {
    if ($argv[$i] == '--debug') {
      $IS_DEBUG = true;
    }
  }
}

function debugLog(string $text) {
  global $IS_DEBUG;
  if (!$IS_DEBUG) {
    return;
  }
  print("${text}\n");
}

function removeSingleTrailingNewline(string $string) {
  if ($string === '') {
    return $string;
  }
  $length = strlen($string);
  if ($string[$length - 1] == "\n") {
    return substr($string, 0, -1);
  }
  return $string;
}

class AuthRequest {
  public $user_name;
  public $password;

  static function fromStdin() {
    $auth_request = new AuthRequest();
    $stdin = fopen('php://stdin', 'r');
    $auth_request->user_name = removeSingleTrailingNewline(fgets($stdin));
    $auth_request->password = removeSingleTrailingNewline(fgets($stdin));
    return $auth_request;
  }
};

function getUserForAuthRequest(AuthRequest $auth_request) {
  if ($auth_request->user_name === '') {
    return null;
  }

  $username_or_email = $auth_request->user_name;

  $user = id(new PhabricatorUser())->loadOneWhere(
    'username = %s',
    $username_or_email);

  if (!$user) {
    $user = PhabricatorUser::loadOneWithEmailAddress(
    $username_or_email);
  }

  return $user;
}

function createContentSourceForAuth() {
  return PhabricatorContentSource::newForSource(
      PhabricatorUnitTestContentSource::SOURCECONST);
}

function isValidAuth(AuthRequest $auth_request) {
  debugLog("Begin authentification check for user '$auth_request->user_name'");
  $user = getUserForAuthRequest($auth_request);
  if (!$user) {
    debugLog("No PhabricatorUser() object found for requested user.");
    return false;
  }

  $content_source = createContentSourceForAuth();
  $envelope = new PhutilOpaqueEnvelope($auth_request->password);

  $engine = id(new PhabricatorAuthPasswordEngine())
      ->setViewer($user)
      ->setContentSource($content_source)
      ->setPasswordType(PhabricatorAuthPassword::PASSWORD_TYPE_ACCOUNT)
      ->setObject($user);

  if (!$engine->isValidPassword($envelope)) {
    debugLog('Engine reported invalid password.');
    return false;
  }

  debugLog('Authentirfication passed.');

  return true;
}

function main() {
  initLogging();
  $auth_request = AuthRequest::fromStdin();
  if (!isValidAuth($auth_request)) {
    exit(1);
  }
  exit(0);
}

main();
?>