<?php
/*------------------------------------------------------------------------------

    Copyright (c) 2004 Media Development Loan Fund
 
    This file is part of the LiveSupport project.
    http://livesupport.campware.org/
    To report bugs, send an e-mail to bugs@campware.org
 
    LiveSupport is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.
  
    LiveSupport is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
 
    You should have received a copy of the GNU General Public License
    along with LiveSupport; if not, write to the Free Software
    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 
 
    Author   : $Author: tomas $
    Version  : $Revision: 1.11 $
    Location : $Source: /home/paul/cvs2svn-livesupport/newcvsrepo/livesupport/modules/alib/var/alib.php,v $

------------------------------------------------------------------------------*/

require_once 'subj.php';

define('USE_ALIB_CLASSES', TRUE);
define('ALIBERR_NOTLOGGED', 30);
define('ALIBERR_NOTEXISTS', 31);

/**
 *   Alib class
 *
 *   authentication/authorization class
 *
 *  @author  $Author: tomas $
 *  @version $Revision: 1.11 $
 *  @see Subjects
 *  @see GreenBox
 */
class Alib extends Subjects{
    var $permTable;
    var $sessTable;
    var $login=NULL;
    var $userid=NULL;
    var $sessid=NULL;
    /**
     *   Constructor
     *
     *   @param dbc object, DB
     *   @param config array
     *   @return this
     */
    function Alib(&$dbc, $config)
    {
        parent::Subjects($dbc, $config);
        $this->permTable = $config['tblNamePrefix'].'perms';
        $this->sessTable = $config['tblNamePrefix'].'sess';
    }

    /* ======================================================= public methods */

    /* ----------------------------------------------- session/authentication */

    /**
     *   Authenticate and create session
     *
     *   @param login string
     *   @param pass string
     *   @return boolean/sessionId/err
     */
    function login($login, $pass)
    {
        if(FALSE === $this->authenticate($login, $pass)) return FALSE;
        $sessid = $this->_createSessid();
        if(PEAR::isError($sessid)) return $sessid;
        $userid = $this->getSubjId($login);
        $r = $this->dbc->query("INSERT INTO {$this->sessTable}
                (sessid, userid, login, ts)
            VALUES
                ('$sessid', '$userid', '$login', now())");
        if(PEAR::isError($r)) return $r;
        $this->login = $login;
        $this->userid = $userid;
        $this->sessid = $sessid;
        return $sessid;
    }
    
    /**
     *   Logout and destroy session
     *
     *   @param sessid string
     *   @return true/err
     */
    function logout($sessid)
    {
        $ct = $this->checkAuthToken($sessid);
        if($ct === FALSE)
            return PEAR::raiseError('Alib::logout: not logged ($ct)',
                ALIBERR_NOTLOGGED, PEAR_ERROR_RETURN);
        elseif(PEAR::isError($ct))
            return $ct;
        else{
            $r = $this->dbc->query("DELETE FROM {$this->sessTable}
                WHERE sessid='$sessid'");
            if(PEAR::isError($r)) return $r;
            $this->login = NULL;
            $this->userid = NULL;
            $this->sessid = NULL;
            return TRUE;
        }
    }
    
    /**
     *   Return true if the token is valid
     *
     *   @param sessid string
     *   @return boolean/err
     */
    function checkAuthToken($sessid)
    {
        $c = $this->dbc->getOne("SELECT count(*) as cnt FROM {$this->sessTable}
            WHERE sessid='$sessid'");
        return ($c == 1 ? TRUE : (PEAR::isError($c) ? $c : FALSE ));
    }
    
    /**
     *   Set valid token in alib object
     *
     *   @param sessid string
     *   @return boolean/err
     */
    function setAuthToken($sessid)
    {
        $r = checkAuthToken($sessid);
        if(PEAR::isError($r)) return $r;
        if(!$r)
            return PEAR::raiseError("ALib::setAuthToken: invalid token ($sessid)");
        $this->sessid = $sessid;
        return TRUE;
    }
    
    /* -------------------------------------------------------- authorization */
    /**
     *   Insert permission record
     *
     *   @param sid int
     *   @param action string
     *   @param oid int
     *   @param type char
     *   @return int/err
     */
    function addPerm($sid, $action, $oid, $type='A')
    {
        $permid = $this->dbc->nextId("{$this->permTable}_id_seq");
        $r = $this->dbc->query($q = "
            INSERT INTO {$this->permTable} (permid, subj, action, obj, type)
            VALUES ($permid, $sid, '$action', $oid, '$type')
        ");
        if(PEAR::isError($r)) return($r);
        return $permid;
    }

    /**
     *   Remove permission record
     *
     *   @param permid int OPT
     *   @param subj int OPT
     *   @param obj int OPT
     *   @return null/error
     */
    function removePerm($permid=NULL, $subj=NULL, $obj=NULL)
    {
        $ca = array();
        if($permid) $ca[] = "permid=$permid";
        if($subj) $ca[] = "subj=$subj";
        if($obj) $ca[] = "obj=$obj";
        $cond = join(" AND ", $ca);
        if(!$cond) return TRUE;
        return $this->dbc->query("DELETE FROM {$this->permTable} WHERE $cond");
    }

    /**
     *  Check if specified subject have permission to specified action
     *  on specified object
     *
     *  Look for sequence of correnponding permissions and order it by
     *  relevence, then test the most relevant for result.
     *  High relevence have direct permission (directly for specified subject
     *  and object. Relevance order is done by level distance in the object
     *  tree, level distance in subjects (user/group system).
     *  Similar way is used for permissions related to object classes.
     *  But class-related permissions have lower priority then
     *  object-tree-related.
     *  Support for object classes can be disabled by USE_ALIB_CLASSES const.
     *
     *  @param sid int, subject id (user or group id)
     *  @param action string, from set defined in config
     *  @param oid int, object id, optional (default: root node)
     *  @return boolean/err
     */
    function checkPerm($sid, $action, $oid=NULL)
    {
        if(!is_numeric($sid)) return FALSE;
        if(is_null($oid) or $oid=='') $oid = $this->getObjId($this->RootNode);
        if(PEAR::isError($oid)) return $oid;
        if(!is_numeric($oid)) return FALSE;
        // query construction
        //      shortcuts:
        //          p: permTable, 
        //          s: subjTable, m smembTable,
        //          t: treeTable ts: structTable,
        //          c: classTable, cm: cmembTable
        // main query elements:
        $q_flds = "m.level , p.subj, s.login, action, p.type, p.obj";
        $q_from = "{$this->permTable} p ";
        // joins for solving users/groups:
        $q_join = "LEFT JOIN {$this->subjTable} s ON s.id=p.subj ";
        $q_join .= "LEFT JOIN {$this->smembTable} m ON m.gid=p.subj ";
        $q_cond = "p.action in('_all', '$action') AND
            (s.id=$sid OR m.uid=$sid) ";
        // coalesce -1 for higher priority of nongroup rows:
        // action DESC order for lower priority of '_all':
        $q_ordb = "ORDER BY coalesce(m.level,-1), action DESC, p.type DESC";
        $q_flds0 = $q_flds;
        $q_from0 = $q_from;
        $q_join0 = $q_join;
        $q_cond0 = $q_cond;
        $q_ordb0 = $q_ordb;
        //  joins for solving object tree:
        $q_flds .= ", t.name, ts.level as tlevel";
        $q_join .= "LEFT JOIN {$this->treeTable} t ON t.id=p.obj ";
        $q_join .= "LEFT JOIN {$this->structTable} ts ON ts.parid=p.obj ";
        $q_cond .= " AND (t.id=$oid OR ts.objid=$oid)";
        // action DESC order is hack for lower priority of '_all':
        $q_ordb = "ORDER BY coalesce(ts.level,0), m.level, action DESC, p.type DESC";
        // query by tree:
        $query1 = "SELECT $q_flds FROM $q_from $q_join WHERE $q_cond $q_ordb";
        $r1 = $this->dbc->getAll($query1);
        if(PEAR::isError($r1)) return($r1);
        //  if there is row with type='A' on the top => permit
        $AllowedByTree =
            (is_array($r1) && count($r1)>0 && $r1[0]['type']=='A');
        $DeniedByTree =
            (is_array($r1) && count($r1)>0 && $r1[0]['type']=='D');
        
        if(!USE_ALIB_CLASSES) return $AllowedbyTree;
        
        // joins for solving object classes:
        $q_flds = $q_flds0.", c.cname ";
        $q_join = $q_join0."LEFT JOIN {$this->classTable} c ON c.id=p.obj ";
        $q_join .= "LEFT JOIN {$this->cmembTable} cm ON cm.cid=p.obj ";
        $q_cond = $q_cond0." AND (c.id=$oid OR cm.objid=$oid)";
        $q_ordb = $q_ordb0;
        // query by class:
        $query2 = "SELECT $q_flds FROM $q_from $q_join WHERE $q_cond $q_ordb";
        $r2 = $this->dbc->getAll($query2);
        if(PEAR::isError($r2)) return($r2);
        $AllowedByClass =
            (is_array($r2) && count($r2)>0 && $r2[0]['type']=='A');
        // not used now:
        // $DeniedByClass =
        //    (is_array($r2) && count($r2)>0 && $r2[0]['type']=='D');
        $res = ($AllowedByTree || (!$DeniedByTree && $AllowedByClass));
#        echo"<pre>\nsid=$sid, action=$action, oid=$oid\n"; var_dump($r1); echo"\n---\n$query1\n---\n\n"; var_dump($r2); echo"\n---\n$query2\n---\n\n"; exit;
        return $res;
    }

    /* ---------------------------------------------------------- object tree */

    /**
     *   Remove all permissions on object and then remove object itself
     *
     *   @param id int
     *   @return void/error
     */
    function removeObj($id)
    {
        $r = $this->removePerm(NULL, NULL, $id);
        if(PEAR::isError($r)) return $r;
        return parent::removeObj($id);
    }

    /* --------------------------------------------------------- users/groups */

    /**
     *   Remove all permissions of subject and then remove subject itself
     *
     *   @param login string
     *   @return void/error
     */
    function removeSubj($login)
    {
        $uid = $this->getSubjId($login);    if(PEAR::isError($uid)) return $uid;
        if(is_null($uid)){
            return $this->dbc->raiseError("Alib::removeSubj: Subj not found ($login)",
                ALIBERR_NOTEXISTS,  PEAR_ERROR_RETURN);
        }
        $r = $this->removePerm(NULL, $uid); if(PEAR::isError($r)) return $r;
        return parent::removeSubj($login, $uid);
    }
    
    /* ------------------------------------------------------------- sessions */
    /**
     *   Get login from session id (token)
     *
     *   @param sessid string
     *   @return string/error
     */
    function getSessLogin($sessid)
    {
        return $this->dbc->getOne("
            SELECT login FROM {$this->sessTable} WHERE sessid='$sessid'");
    }

    /**
     *   Get user id from session id
     *
     *   @param sessid string
     *   @return int/error
     */
    function getSessUserId($sessid)
    {
        return $this->dbc->getOne("
            SELECT userid FROM {$this->sessTable} WHERE sessid='$sessid'");
    }

    /* --------------------------------------------------------- info methods */
    /**
     *   Get all permissions on object
     *
     *   @param id int
     *   @return array/null/err
     */
    function getObjPerms($id)
    {
        return $this->dbc->getAll("
            SELECT s.login, p.* FROM {$this->permTable} p, {$this->subjTable} s
            WHERE s.id=p.subj AND p.obj=$id");
    }

    /**
     *   Get all permissions of subject
     *
     *   @param sid int
     *   @return array
     */
    function getSubjPerms($sid)
    {
        $a1 = $this->dbc->getAll("
            SELECT t.name, t.type as otype , p.*
            FROM {$this->permTable} p, {$this->treeTable} t
            WHERE t.id=p.obj AND p.subj=$sid");
        if(PEAR::isError($a1)) return $a1;
        $a2 = $this->dbc->getAll("
            SELECT c.cname as name, 'C'as otype, p.*
            FROM {$this->permTable} p, {$this->classTable} c
            WHERE c.id=p.obj AND p.subj=$sid");
        if(PEAR::isError($a2)) return $a2;
        return array_merge($a1, $a2);
    }

    /* ------------------------ info methods related to application structure */
    /* (this part should be added/rewritten to allow defining/modifying/using
     * application structure)
     * (only very simple structure definition - in $config - supported now)
     */
    
    /**
     *   Get all actions
     *
     *   @return array
     */
    function getAllActions()
    {
        return $this->config['allActions'];
    }

    /**
     *   Get all allowed actions on specified object type
     *
     *   @param type string
     *   @return array
     */
    function getAllowedActions($type)
    {
        return $this->config['allowedActions'][$type];
    }

    /* ====================================================== private methods */
    
    /**
     *   Create new session id
     *
     *   @return string sessid
     */
    function _createSessid()
    {
        for($c=1; $c>0;){
            $sessid = md5(uniqid(rand()));
            $c = $this->dbc->getOne("SELECT count(*) FROM {$this->sessTable}
                WHERE sessid='$sessid'");
            if(PEAR::isError($c)) return $c;
        }
        return $sessid;
    }
    
    /* =============================================== test and debug methods */

    /**
     *   Dump all permissions for debug
     *
     *   @param indstr string    // indentation string
     *   @param ind string       // aktual indentation
     *   @return string
     */
    function dumpPerms($indstr='    ', $ind='')
    {
        $arr = $this->dbc->getAll("
            SELECT s.login, p.action, p.type
            FROM {$this->permTable} p, {$this->subjTable} s
            WHERE s.id=p.subj
            ORDER BY p.permid
        ");
        if(PEAR::isError($arr)) return $arr;
        $r = $ind.join(', ', array_map(create_function('$v',
                'return "{$v[\'login\']}/{$v[\'action\']}/{$v[\'type\']}";'
            ),
            $arr
        ))."\n";
        return $r;
    }
    
    /**
     *   deleteData
     *
     *   @return void
     */
    function deleteData()
    {
        $this->dbc->query("DELETE FROM {$this->permTable}");
        $this->dbc->query("DELETE FROM {$this->sessTable}");
        parent::deleteData();
    }
    /**
     *   Insert test permissions
     *
     *   @return array
     */
    function testData()
    {
        parent::testData();
        $t =& $this->tdata['tree'];
        $c =& $this->tdata['classes'];
        $s =& $this->tdata['subjects'];
        $this->dbc->setErrorHandling(PEAR_ERROR_PRINT);
        $perms = array(
            array($s['root'], '_all', $t['root'], 'A'),
            array($s['test1'], '_all', $t['pa'], 'A'),
            array($s['test1'], 'read', $t['s2b'], 'D'),
            array($s['test2'], 'addChilds', $t['pa'], 'D'),
            array($s['test2'], 'read', $t['i2'], 'A'),
            array($s['test2'], 'edit', $t['s1a'], 'A'),
            array($s['test1'], 'addChilds', $t['s2a'], 'D'),
            array($s['test1'], 'addChilds', $t['s2c'], 'D'),
            array($s['gr2'], 'addChilds', $t['i2'], 'A'),
            array($s['test3'], '_all', $t['t1'], 'D'),
        );
        if(USE_ALIB_CLASSES){
            $perms[] = array($s['test3'], 'read', $c['cl_sa'], 'D');
            $perms[] = array($s['test4'], 'editPerms', $c['cl2'], 'A');
        }
        foreach($perms as $p){
            $o[] = $r = $this->addPerm($p[0], $p[1], $p[2], $p[3]);
            if(PEAR::isError($r)) return $r;
        }
        $this->tdata['perms'] = $o;
    }
    
    /**
     *   Make basic test
     *
     *   @return boolean/error
     */
    function test()
    {
        if(PEAR::isError($p = parent::test())) return $p;
        $this->deleteData();
        $r = $this->testData();
        if(PEAR::isError($r)) return $r;
        $this->test_correct = "root/_all/A, test1/_all/A, test1/read/D,".
            " test2/addChilds/D, test2/read/A, test2/edit/A,".
            " test1/addChilds/D, test1/addChilds/D, gr2/addChilds/A,".
            " test3/_all/D";
        if(USE_ALIB_CLASSES){
            $this->test_correct .= ", test3/read/D, test4/editPerms/A";
        }
        $this->test_correct .= "\nno, yes\n";
        $r = $this->dumpPerms();
        if(PEAR::isError($r)) return $r;
        $this->test_dump = $r.
            ($this->checkPerm(
                $this->tdata['subjects']['test1'], 'read',
                $this->tdata['tree']['t1']
            )? 'yes':'no').", ".
            ($this->checkPerm(
                $this->tdata['subjects']['test1'], 'addChilds',
                $this->tdata['tree']['i2']
            )? 'yes':'no')."\n"
        ;
        $this->removePerm($this->tdata['perms'][1]);
        $this->removePerm($this->tdata['perms'][3]);
        $this->test_correct .= "root/_all/A, test1/read/D,".
            " test2/read/A, test2/edit/A,".
            " test1/addChilds/D, test1/addChilds/D, gr2/addChilds/A,".
            " test3/_all/D";
        if(USE_ALIB_CLASSES){
            $this->test_correct .= ", test3/read/D, test4/editPerms/A";
        }
        $this->test_correct .= "\n";
        $this->test_dump .= $this->dumpPerms();
        $this->deleteData();
        if($this->test_dump==$this->test_correct)
        { $this->test_log.="alib: OK\n"; return TRUE;
        }else return PEAR::raiseError('Alib::test', 1, PEAR_ERROR_DIE, '%s'.
            "<pre>\ncorrect:\n{$this->test_correct}\n".
            "dump:\n{$this->test_dump}\n</pre>\n");
    }

    /**
     *   Create tables + initialize
     *
     *   @return void
     */
    function install()
    {
        parent::install();
        $this->dbc->query("CREATE TABLE {$this->permTable} (
            permid int not null PRIMARY KEY,
            subj int REFERENCES {$this->subjTable} ON DELETE CASCADE,
            action varchar(20),
            obj int,
            type char(1)
        )");
        $this->dbc->query("CREATE UNIQUE INDEX {$this->permTable}_permid_idx
            ON {$this->permTable} (permid)");
        $this->dbc->query("CREATE INDEX {$this->permTable}_subj_obj_idx
            ON {$this->permTable} (subj, obj)");
        $this->dbc->query("CREATE UNIQUE INDEX {$this->permTable}_all_idx
            ON {$this->permTable} (subj, action, obj)");
        $this->dbc->createSequence("{$this->permTable}_id_seq");

        $this->dbc->query("CREATE TABLE {$this->sessTable} (
            sessid char(32) not null PRIMARY KEY,
            userid int REFERENCES {$this->subjTable} ON DELETE CASCADE,
            login varchar(255),
            ts timestamp
        )");
        $this->dbc->query("CREATE UNIQUE INDEX {$this->sessTable}_sessid_idx
            ON {$this->sessTable} (sessid)");
        $this->dbc->query("CREATE INDEX {$this->sessTable}_userid_idx
            ON {$this->sessTable} (userid)");
        $this->dbc->query("CREATE INDEX {$this->sessTable}_login_idx
            ON {$this->sessTable} (login)");
    }

    /**
     *   Drop tables etc.
     *
     *   @return void
     */
    function uninstall()
    {
        $this->dbc->query("DROP TABLE {$this->permTable}");
        $this->dbc->dropSequence("{$this->permTable}_id_seq");
        $this->dbc->query("DROP TABLE {$this->sessTable}");
        parent::uninstall();
    }
}
?>