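############################################################################
# Apache::AuthbyWebAuth
# by dana watanabe
# dwatanab@uci.edu
#
# mod_perl (1.x API) authentication handler for the UCInetID Web
# Authentication service.
#
# If the browser sent a cookie named 'ucinetid_auth', its value is looked
# up at the WebAuth check URL.  Access is granted only when every one of
# these holds:
#   * the check request succeeded and reported no auth_fail,
#   * the host WebAuth recorded equals the connecting client's IP,
#   * the registration is no older than PerlSetVar Timeout seconds
#     (default 3600), and
#   * the 'users' list contains 'valid-user' or the returned UCInetID.
# Anything else is a 401 whose custom response sends the browser to the
# WebAuth login page (authentication failures) or to the "not allowed"
# page (authorization failures).  Every missing or malformed field in the
# WebAuth response is treated as a failure, never as a pass.
#
# Configuration (PerlSetVar):
#   users          comma/whitespace separated UCInetIDs, or 'valid-user'
#   Timeout        maximum age of the WebAuth registration, in seconds
#   ReturnURLBase  scheme+host prefix used to build return_url when the
#                  request URI is not absolute, e.g. 'https://www.uci.edu'
#                  (defaults to 'http://' . $r->hostname)
#   Debug          0 to stop logging failure reasons to error_log (default 1)
#
# Security notes:
#   * The cookie value and the request URI are client-controlled; both are
#     percent-encoded before being placed in a query string so they cannot
#     inject extra parameters into the check or login URLs.
#   * The session token is never written to the error_log.
############################################################################
package Apache::AuthbyWebAuth;

use strict;
use warnings;

use Apache::Constants qw(:common :http);
use LWP;
use CGI::Cookie;

# WebAuth endpoints.
my $LOGIN_PAGE       = 'https://login.uci.edu/ucinetid/webauth';
my $NOT_ALLOWED_PAGE = 'https://login.uci.edu/notallowed';
my $CHECK_URL        = 'https://login.uci.edu/ucinetid/webauth_check';

# Default maximum age of a WebAuth registration, in seconds.
my $DEFAULT_TIMEOUT = 3600;

# Percent-encode a string for use inside a URL query component.
# RFC 3986 unreserved characters are left alone; everything else becomes
# %XX.  Hand-rolled so the module needs nothing beyond what it already
# loads.  An undefined input encodes as the empty string.
sub _url_encode {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/([^A-Za-z0-9_.~-])/sprintf('%%%02X', ord($1))/ge;
    return $s;
}

# Access handler.  Returns OK when the request is allowed, otherwise
# HTTP_UNAUTHORIZED after arranging the redirect to the appropriate
# WebAuth page.  Sub-requests are always allowed through.
sub handler {
    my $r = shift;
    return OK unless $r->is_initial_req;

    # Failure reasons go to error_log unless Debug is explicitly turned off.
    my $debug = $r->dir_config('Debug');
    $debug = 1 unless defined $debug;

    # Configured user list.  Drop the empty fields that splitting "a, b"
    # produces so an empty field can never match anything in login().
    my $users_cfg = $r->dir_config('users');
    $users_cfg = '' unless defined $users_cfg;
    my @users = grep { length $_ } split /[,\s]+/, $users_cfg;

    my $timeout = $r->dir_config('Timeout') || $DEFAULT_TIMEOUT;

    # The client's IP is what WebAuth recorded as auth_host at login time.
    my $host = $r->connection->remote_ip;

    # Build the return_url handed to the login page.  $r->uri is
    # client-controlled, so it is percent-encoded rather than pasted into
    # the query string verbatim.
    my $url = $r->uri;
    unless ($url =~ m{^https?://}i) {
        my $base = $r->dir_config('ReturnURLBase') || ('http://' . $r->hostname);
        $url = $base . $url;
    }
    my $auth_page = $LOGIN_PAGE . '?return_url=' . _url_encode($url);

    # Session token from the 'ucinetid_auth' cookie; '' when absent.
    my $key = '';
    my $cookie_header = $r->header_in('Cookie');
    if (defined $cookie_header && length $cookie_header) {
        my %cookies = CGI::Cookie->parse($cookie_header);
        my $cookie = $cookies{'ucinetid_auth'};
        $key = $cookie->value if $cookie;
        $key = '' unless defined $key;
    }

    # login() returns "" on success, otherwise a failure message.
    my $reason = login($r, $host, $key, $timeout, @users);
    if ($reason) {
        $r->log_reason($reason, $r->filename) if $debug;
        # Authorization failures (known user, not on the list) go to the
        # "not allowed" page; everything else goes back to the login page.
        $auth_page = $NOT_ALLOWED_PAGE if $reason =~ /Authorization/;
        $r->custom_response(HTTP_UNAUTHORIZED, $auth_page);
        return HTTP_UNAUTHORIZED;
    }

    return OK;
}

# Validate a WebAuth session token.
#   $r        Apache request (only used to record the UCInetID in notes)
#   $host     client IP that must match WebAuth's recorded auth_host
#   $key      value of the 'ucinetid_auth' cookie ('' or undef if none)
#   $timeout  maximum registration age in seconds
#   @users    allowed UCInetIDs, or 'valid-user' to allow any valid login
# Returns "" on success and sets note 'ucinetid'; otherwise returns a
# message starting with "Authentication Failure" or "Authorization Failure".
sub login {
    my ($r, $host, $key, $timeout, @users) = @_;

    my $valid_user = grep { $_ eq 'valid-user' } @users;

    # No token at all: don't bother the check service.
    return 'Authentication Failure - no ucinetid_auth cookie provided'
        unless defined $key && length $key;

    my $ua  = LWP::UserAgent->new;
    my $req = HTTP::Request->new(GET => "$CHECK_URL?ucinetid_auth=" . _url_encode($key));
    my $response = $ua->request($req);

    # Fail closed when the check service is unreachable or returns an error;
    # an empty body must never look like a valid registration.
    return 'Authentication Failure - WebAuth check request failed: ' . $response->status_line
        unless $response->is_success;

    # The body is "name=value" lines; keep everything after the first '='.
    my %authcheck;
    for my $line (split /\n/, $response->content) {
        my ($k, $v) = split /=/, $line, 2;
        next unless defined $k && length $k;
        $v = '' unless defined $v;
        $v =~ s/\r$//;
        $authcheck{$k} = $v;
    }

    # Any reported auth_fail (e.g. "not found", "no ucinetid_auth provided")
    # rejects the token.  The token itself is deliberately not logged.
    if (defined $authcheck{auth_fail} && length $authcheck{auth_fail}) {
        return "Authentication Failure - ucinetid_auth cookie rejected ($authcheck{auth_fail})";
    }

    unless (defined $authcheck{auth_host} && $authcheck{auth_host} eq $host) {
        return "Authentication Failure - Host $host not in database";
    }

    # Missing or non-numeric age is treated as expired rather than fresh.
    my $age = $authcheck{age_in_seconds};
    unless (defined $age && $age =~ /^\d+$/ && $age <= $timeout) {
        return "Authentication Failure - Host $host registration expired.";
    }

    # An empty UCInetID must not be able to match anything in @users.
    my $id = $authcheck{ucinetid};
    return 'Authentication Failure - no ucinetid in WebAuth response'
        unless defined $id && length $id;

    # Exact string comparison; the ID is never interpolated into a regex.
    unless ($valid_user || grep { $_ eq $id } @users) {
        return "Authorization Failure - $id not allowed access.";
    }

    $r->notes->add('ucinetid' => $id);
    return '';
}

1;

__END__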