<?php

/**
 * ProcessWire Module Template
 *
 * Demonstrates the Module interface and how to add hooks.
 *
 * ProcessWire 2.x
 * Copyright (C) 2010 by Ryan Cramer
 * Licensed under GNU/GPL v2, see LICENSE.TXT
 *
 * http://www.processwire.com
 * http://www.ryancramer.com
 *
 */

class ShibbolethLogin extends WireData implements Module {

	/**
	 * getModuleInfo is a module required by all modules to tell ProcessWire about them
	 *
	 * @return array
	 *
	 */
	public static function getModuleInfo() {

		return array(
			'title' => 'ShibbolethLogin',
			'version' => 100,
			'summary' => '',
			'href' => '',
			'singular' => true,
			'autoload' => true
			);
	}


	public function init() {

		// add a hook after each page is rendered and modify the output
		//$this->addHookAfter('Page::render', $this, 'example2');
		$this->session->addHookAfter('ProcessLogin::execute', $this, 'login');
	}


	public function login($event) {

		if(!$this->user->isLoggedin()) {

			// Check remote user for existence of shibboleth session.
			$bind = $_SERVER["HTTP_REMOTE_USER"];

			if ($bind) {
				$this->is_authorized_user();
			}
			else {
				// No shibboleth session, send them off to authenticate.
				//$this->session->redirect('/Shibboleth.sso/Login?target='.$this->page->httpUrl.'');
			}

			if ($this->is_authorized_user() == true) {
				$name = "shibbloted_user2"; // Get username
				$active_roles = $this->get_user_roles(); // Get roles
				$user = wire('users')->get("name=$name"); // do they have a PW user account?

				if ($user->name) {
					$this->update_user($name, $user, $active_roles);
				} else {
					$this->create_user($name, $active_roles);
				}
			}

		}

	}


	public function is_authorized_user() {
		$nmb = "130";
		$allowed = "130"; // 130 prefix is for CFA employees

		if ($nmb == $allowed) {
			return true;
		}
		else {
			// not a CFA employee or intern, display error page.
			header("Location: http://dev.arts.ufl.edu/404");
			die();
		}
	}

	public function get_user_roles() {
		// read $_SERVER['HTTP_EDUPERSON_AFFILIATIONS']; to find primary roles (faculty, staff, student)
		// read $_SERVER['HTTP_UFADGROUPSDN']; to find additional roles based on AD Groups

		$user_roles ="faculty-staff";
		$user_roles = explode(',', $user_roles);
		return $user_roles;
	}

	public function update_user($name, $user, $active_roles) {

		$user->of(false);
		$pass = uniqid(); // generate random pass
		$user->pass = $pass; // Update PW with random pass

		// Remove all roles except guest
		foreach($user->roles as $role) {
			if ($role != "guest") {
				$user->removeRole($role);
			}
		}
		// Update roles each time user authenticates
		foreach($active_roles as $role) {
			$user->addRole($role);
		}

		$user->save();
		wire('session')->login($name, $pass); // login user
		$this->session->redirect($this->pages->get($this->config->adminRootPageID)->url);
	}

	public function create_user($name, $active_roles) {
		$user = new User();
		$user->name = $name;
		$pass = uniqid(); // generate random pass
		$user->pass = $pass; // Update PW with random pass
		$user->addRole('guest'); // Guest role is required
		$user->save();

		// Update roles each time user authenticates
		foreach($active_roles as $role) {
			$user->addRole($role);
		}
		$user->save();
		wire('session')->login($name, $pass); // login user
		$this->session->redirect($this->pages->get($this->config->adminRootPageID)->url);
	}

}