#!/usr/bin/python
# -*- coding: utf8 -*-

import sys, os, cgi
appbase = os.path.dirname(os.path.abspath(__file__))
sys.path.append(appbase)

import threading
import cherrypy
from tmpl import expose, render, _
from lxml import etree
from lxml.html import formfill
from StringIO import StringIO
import ldap
import mx.DateTime, urllib
from accountservice import accountservice
import ticket

tgt_sites = ['wiki']

class ldapobj(object):
	def __init__(s, data):
		if len(data) != 1:
			raise ValueError, "invalid number of results"
		dn, fields = data[0]
		s._keys = fields.keys()
		for k, v in fields.iteritems():
			s.__dict__[k] = v
		s.dn = dn
	def __getitem__(s, key):
		l = s.__dict__[key]
		if len(l) != 1:
			raise IndexError, "invalid number of attributes"
		return l[0]
	def keys(s):
		return s._keys

class LoginError(Exception):
	pass

class SubdapSite(object):
	def __init__(s):
		cherrypy.config.update({'error_page.404': s.http_404})

	@expose('error.html')
	def http_404(s, status, message, **kwargs):
		return render(details = status + ' - ' + message)

	@expose('login.html')
	def index(s):
		return render(errors = {})

	@expose('8021x.html')
	def cfg8021x(s, username = "username"):
		return render(errors = {}, username = username)

	def login_perform(s, username, password):
		dn = "cn=%s,ou=people,dc=sublab,dc=org" % (username)
		try:
			l = ldap.initialize('ldap://oberon.local.sublab.org/')
			l.start_tls_s()
			l.simple_bind_s(dn, password)
		except ldap.INVALID_CREDENTIALS:
			raise LoginError(_('Login incorrect'))
		except ldap.LDAPError, e:
			raise LoginError(_('Login incorrect'))
			#	e.message['info']
		return (l, dn)

	@expose('login.html')
	def login(s, username = None, password = None):
		if cherrypy.request.method.upper() == 'GET':
			return render(errors = {})

		if username == None or password == None:
			return render(errors = {'password': _('Login incorrect')})
		if username == '' or password == '':
			return render(errors = {'password': _('Login incorrect')})

		try:	l, dn = s.login_perform(username, password)
		except LoginError, e:
			return render(errors = {'password': str(e)})

		return s.selectpage(l, dn)
	
	def selectpage(s, l, dn, message = {}):
		user = ldapobj(l.search_s(dn, ldap.SCOPE_BASE, '(objectclass=*)', []))

		tgts = {}
		for site in tgt_sites:
			tgts[site] = urllib.urlencode(ticket.tgt_create(site, user['cn']))

		return render('select.html', user = user, tgts = tgts, message = message)

##		x = ''
#		for r in data:
#			if r[0] != dn:
#				continue
##			x += '<tr><th>%s</th></tr>\n' % (r[0])
#			for k, v in r[1].iteritems():
#				for value in v:
#					details.append([k, value])
##				x += '<tr><td>%s</td><td><pre>%s</pre></td></tr>\n' % (k, "<hr>".join(v))

	def newpass_validate(s, username, password, password2, expectstate):
		errors = {}
		if username == None or username == '':
			errors['username'] = _('please specify an user name')
		elif accountservice.name_valid(username) != expectstate:
			errors['username'] = _('username invalid')
		if password == None or len(password) < 6:
			errors['password'] = _('please specify a password of at least 6 characters')
		if password2 != password:
			errors['password2'] = _('passwords did not match')
		if len(errors) > 0:
			return errors
		return None

	@expose('create.html')
	def create(s, username = None, password = None, password2 = None):
		if cherrypy.request.method.upper() == 'GET':
			return render(errors = {}, username = '')

		errors = s.newpass_validate(username, password, password2, 'valid')
		if errors is not None:
			return render(errors = errors, username = username)

		accountservice.name_create(username, password)
		if os.fork() == 0:
			accountservice.kprop()
			os._exit(0)
		return s.login(username, password)

	@expose('pwchange.html')
	def pwchange(s, username = None, oldpassword = None, password = None, password2 = None):
		if cherrypy.request.method.upper() == 'GET':
			return render(errors = {}, username = username)

		errors = s.newpass_validate(username, password, password2, 'exists')
		if errors is not None:
			return render(errors = errors, username = username)

		try:	l, dn = s.login_perform(username, oldpassword)
		except LoginError, e:
			return render(errors = {'oldpassword': str(e)}, username = username)

		import kerberos
		try:
			assert kerberos.changePassword(username + '@SUBLAB.ORG', oldpassword, password) == True
		except kerberos.PwdChangeError, e:
			return render(errors = {'password2': str(e[0])}, username = username)

		if os.fork() == 0:
			accountservice.kprop()
			os._exit(0)

		return s.selectpage(l, dn, {'pwchangeok': True})

	@cherrypy.expose
	def kill(s):
		import sys
		sys.exit(0)

config = {
	'global': {
		'server.socket_port': 8080,
		'server.socket_host': '0.0.0.0',
#		'server.socket_host': '::1',
		'tools.staticdir.root': appbase,
	},
	'/': {
		'tools.decode.on': True,
		'tools.encode.on': True,
		'tools.encode.encoding': 'utf-8',
		'tools.encode.add_charset': True,
		'tools.gzip.on': True,
		'tools.proxy.on': True,
	},
	'/static': {
		'tools.staticdir.on': True,
		'tools.staticdir.dir': 'static',
		'tools.caching.on': True,
		'tools.expires.secs': 3600,
#		'tools.expires.force': True,
	},
}

if len(sys.argv) >= 2 and sys.argv[1] == 'standalone':
	import tmpl
	tmpl.myurl = lambda x: x

	cherrypy.quickstart(SubdapSite(), "/", config)
else:
	cherrypy.config.update({'environment': 'embedded'})
	application = cherrypy.Application(SubdapSite(), script_name = None, config = config)