/**
 * $RCSfile$
 * $Revision$
 * $Date$
 *
 * Copyright (C) 2004 Jive Software. All rights reserved.
 *
 * This software is published under the terms of the GNU Public License (GPL),
 * a copy of which is included in this distribution.
 */

package org.jivesoftware.messenger.ldap;

import org.jivesoftware.messenger.auth.AuthProvider;
import org.jivesoftware.messenger.auth.UnauthorizedException;

/**
 * Implementation of auth provider interface for LDAP
 * authentication service plug-in.
 *
 * @author Jim Berrettini
 */
public class LdapAuthProvider implements AuthProvider {
    private LdapManager manager;

    public LdapAuthProvider() {
        manager = LdapManager.getInstance();
    }

    /**
     * <p>Determines if the authentication system supports the use of
     * plain-text passwords.</p>
     *
     * @return true - plain text passwords are supported.
     */
    public boolean isPlainSupported() {
        return true;
    }

    /**
     * <p>Determines if the authentication system supports the use
     * of digest authentication.</p>
     *
     * @return false - digest authentication is not currently supported.
     */
    public boolean isDigestSupported() {
        return false;
    }

    /**
     * <p>Validates username and password against data in LDAP store. Returns if the username and password are valid otherwise the method throws an
     * UnauthorizedException.<p>
     *
     * @param username
     * @param password
     * @throws UnauthorizedException
     */
    public void authenticate(String username, String password) throws UnauthorizedException {
        if (username == null || password == null) {
            throw new UnauthorizedException();
        }
        String userDN = null;
        try {
            // The username by itself won't help us much with LDAP since we
            // need a fully qualified dn. We could make the assumption that
            // the baseDN would always be the location of user profiles. For
            // example if the baseDN was set to "ou=People, o=jivesoftare, o=com"
            // then we would be able to directly load users from that node
            // of the LDAP tree. However, it's a poor assumption that only a
            // flat structure will be used. Therefore, we search all subtrees
            // of the baseDN for the username. So, if the baseDN is set to
            // "o=jivesoftware, o=com" then a search will include the "People"
            // node as well all the others under the base.
            userDN = manager.findUserDN(username);

            // See if the user authenticates.
            if (!manager.checkAuthentication(userDN, password)) {
                throw new UnauthorizedException("Username and password don't match");
            }
        }
        catch (Exception e) {
            throw new UnauthorizedException(e);
        }
    }

    /**
     * <p>Validates username, unique session token, and digest generated from the
     * password and token according to the Jabber digest auth protocol against data in LDAP store.
     * Since Digest authentication is not currently supported, throws UnsupportedOperationsException.</p>
     *
     * @param username
     * @param token
     * @param digest
     * @throws UnsupportedOperationException
     */
    public void authenticate(String username, String token, String digest) throws UnsupportedOperationException {
        throw new UnsupportedOperationException("Digest authentication not currently supported.");
    }

    /**
     * <p>Updates username and password. Throws UnsupportedOperationException, as LDAP store is accessed in read-only
     * mode.</p>
     *
     * @param username
     * @param password
     * @throws UnsupportedOperationException
     */
    public void updatePassword(String username, String password) throws UnsupportedOperationException {
        throw new UnsupportedOperationException("Cannot update password in LDAP");
    }
}