#!/usr/bin/env python
#
# Copyright 2005 Branko Cibej <brane@xbc.nu>
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

'''mod_python authorization handler for mod_authz_svn groups.

   This handler reads group definitions from a mod_authz_svn access
   configuration file and does an authz check against that information.

   Supported Require directives:

     - Require valid-user
       Checks if the authenticated user is mentioned in any of the groups.
       Note that this is authorization, not authentication; so, a user may
       have been authenticated correctly, yet still fail this test if
       she is not mentioned in the authz config file.

     - Require group name...
       Check if the authenticated user is a member of any of the named
       groups.

     - Require user name...
       Ignored. The authentication handlers are supposed to check this.

   Configuration:

     <Location ...>
       PythonAuthzHandler authz_svn_group
       PythonOption AuthzSVNGroupFile /path/to/file
       PythonOption AuthzSVNGroupAuthoritative Yes/On/1|No/Off/0
       ...
     </Location>

     AuthzSVNGroupFile: Path to the mod_authz_svn configuration file.
     AuthzSVNGroupAuthoritative: If turned off, authz_svn_group.py will
       return DECLINED rather than HTTP_FORBIDDEN if a Require
       directive is not satisfied.
'''

import os, sys
import ConfigParser
from mod_python import apache

class __authz_info:
  '''Encapsulation of group info from the mod_authz_svn access file.'''

  def __init__(self, authz_file):
    '''Parse the SVN access file.'''
    self.__groups = {}
    self.__users = {}
    cfg = ConfigParser.ConfigParser()
    cfg.read(authz_file)
    if cfg.has_section('groups'):
      self.__init_groups(cfg)

  def __init_groups(self, cfg):
    '''Compute user and group membership.'''
    group_list = cfg.options('groups')
    group_map = {}
    for group in group_list:
      names = map(lambda x: x.strip(),
                  cfg.get('groups', group).split(','))
      group_map[group] = names
      for name in names:
        if not name.startswith('@'):
          self.__users[name] = None
    for group in group_list:
      self.__groups[group] = self.__expand_group_users(group, group_map)

  def __expand_group_users(self, group, group_map):
    '''Return the complete (recursive) list of users that belong to
    a particular group, as a map.'''
    users = {}
    for name in group_map[group]:
      if not name.startswith('@'):
        users[name] = None
      else:
        users.update(self.__expand_group_users(name[1:], group_map))
    return users

  def is_valid_user(self, user):
    '''Return True if the user is valid.'''
    return self.__users.has_key(user)

  def is_user_in_group(self, user, group):
    '''Return True if the user is in a particular group.'''
    return (self.__groups.has_key(group)
            and self.__groups[group].has_key(user))


class __config:
  '''Handler configuration'''

  AUTHZ_FILE = 'AuthzSVNGroupFile'
  AUTHORITATIVE = 'AuthzSVNGroupAuthoritative'

  def __init__(self, req):
    self.__authz_file = None
    self.__authoritative = True
    cfg = req.get_options()

    if cfg.has_key(self.AUTHZ_FILE):
      self.__authz_file = cfg[self.AUTHZ_FILE]
      if not os.path.exists(self.__authz_file):
        req.log_error(('%s: "%s" not found'
                       % (self.AUTHZ_FILE, self.__authz_file)),
                      apache.APLOG_ERR)
        raise apache.SERVER_RETURN, apache.HTTP_INTERNAL_SERVER_ERROR

    if cfg.has_key(self.AUTHORITATIVE):
      authcfg = cfg[self.AUTHORITATIVE].lower()
      if authcfg in ['yes', 'on', '1']:
        self.__authoritative = True
      elif authcfg in ['no', 'off', '0']:
        self.__authoritative = False
      else:
        req.log_error(('%s: invalid value "%s"'
                       % (self.AUTHORITATIVE, cfg[self.AUTHORITATIVE])),
                      apache.APLOG_ERR)
        raise apache.SERVER_RETURN, apache.HTTP_INTERNAL_SERVER_ERROR
    pass

  def authz_file(self):
    return self.__authz_file

  def authoritative(self):
    return self.__authoritative


def __init_authz_info(req, cfg):
  '''Initialize the global authz info if it is not available yet.
  Return False if this module is disabled.'''
  if not globals().has_key('__authz_svn_group_info'):
    if cfg.authz_file() is None:
      return False
    global __authz_svn_group_info
    __authz_svn_group_info = __authz_info(cfg.authz_file())
  return True


def authzhandler(req):
  '''The authorization handler.'''
  cfg = __config(req)
  if not __init_authz_info(req, cfg):
    return apache.DECLINED

  if cfg.authoritative():
    forbidden = apache.HTTP_FORBIDDEN
  else:
    forbidden = apache.DECLINED

  req.get_basic_auth_pw()
  for requires in req.requires():
    if requires == 'valid-user':
      if not __authz_svn_group_info.is_valid_user(req.user):
        return forbidden
    elif requires.startswith('group '):
      for group in requires.split()[1:]:
        if __authz_svn_group_info.is_user_in_group(req.user, group):
          break
      else:
        return forbidden
    elif requires.startswith('user '):
      pass                             # Handled by the authen handler
    else:
      req.log_error('Unknown directive "Require %s"' % requires,
                    apache.APLOG_ERR)
      return apache.HTTP_INTERNAL_SERVER_ERROR

  return apache.OK