package Bot::Cobalt::Plugin::Auth;
$Bot::Cobalt::Plugin::Auth::VERSION = '0.021003';
use strictures 2;

## "Standard" Auth module
##
## Commands:
## PRIVMSG:
##    login <username> <passwd>
##    chpass <oldpass> <newpass>
##    user add
##    user del
##    user list
##    user search
##    user chpass
##
##
## Fairly basic access level system:
##
## - Users can have any numeric level.
##   Generally unauthenticated users will be level 0
##   Higher levels trump lower levels.
##   SuperUsers (auth.conf) get access level 9999.
##
## - Plugins determine required levels for their respective commands
##
## Passwords are hashed via bcrypt and stored in YAML
## Location of the authdb is determined by auth.conf
##
## Loaded authdb exists in memory in $self->AccessList:
## ->AccessList = {
##   $context => {
##     $username => {
##       Masks => ARRAY,
##       Password => STRING (passwd hash),
##       Level => INT (9999 if superuser),
##       Flags => HASH,
##     },
##   },
## }
##
## Also see Bot::Cobalt::Core::ContextMeta::Auth


use Bot::Cobalt;
use Bot::Cobalt::Common;
use Bot::Cobalt::Error;
use Bot::Cobalt::Serializer;

use Scalar::Util 'reftype';
use Storable 'dclone';

use Try::Tiny;

use File::Spec;


### Constants, mostly for internal retvals:
sub ACCESS_LIST() { 0 }
sub DB_PATH()     { 1 }


sub new {
  bless [
    +{}, ## ACCESS_LIST
    '', ## DB_PATH
  ], shift
}

sub Cobalt_register {
  my ($self, $core) = splice @_, 0, 2;

  my $p_cfg = plugin_cfg( $self );

  my $relative_path = $p_cfg->{Opts}->{AuthDB} ||
    File::Spec->catfile( 'db', 'authdb.yml');

  my $authdb = File::Spec->catfile(
    $core->var,
    File::Spec->splitpath($relative_path)
  );

  logger->debug("Using authdb path $authdb");

  $self->_db_path($authdb);

  ## Read in main authdb:
  my $alist = $self->_read_access_list;

  unless ($alist) {
    die "initial _read_access_list failed, check log\n";
  }

  $self->AccessList( $alist );

  $self->_init_superusers;

  register($self, 'SERVER',
      'connected',
      'disconnected',

      'user_quit',
      'user_left',
      'self_left',

      'self_kicked',
      'user_kicked',

      'nick_changed',

      'private_msg',
  );

  ## clear any remaining auth states.
  ## (assuming the plugin unloaded cleanly, there should be none)
  $self->_clear_all;

  logger->info("Loaded");

  return PLUGIN_EAT_NONE
}

sub Cobalt_unregister {
  my ($self, $core) = splice @_, 0, 2;

  logger->info("Unregistering core IRC plugin");

  $self->_clear_all;

  return PLUGIN_EAT_NONE
}

sub _init_superusers {
  my ($self) = @_;
  my $p_cfg = plugin_cfg($self);

  ## Read in configured superusers to AccessList
  ## These will override existing usernames
  my $superusers = $p_cfg->{SuperUsers};
  unless (ref $superusers && reftype $superusers eq 'HASH') {
    logger->error("Configuration may be broken . . .");
    logger->error("SuperUsers directive is not a hash, skipping");
    return
  }

  my %su = %$superusers;

  SERVER: for my $context (keys %su) {
    unless (ref $su{$context} && reftype $su{$context} eq 'HASH') {
      logger->error("Skipping $context; configuration is not a hash");
      next SERVER
    }

    USER: for my $user (keys %{$su{$context}}) {
      unless (ref $su{$context}->{$user} 
              && reftype $su{$context}->{$user} eq 'HASH') {
        logger->error("Skipping $user; configuration is not a hash");
        next USER
      }

      ## Usernames on accesslist automatically get lowercased
      ## per rfc1459 rules, aka CASEMAPPING=rfc1459
      ## (we probably don't even know the server's CASEMAPPING= yet)
      my $lc_user = lc_irc($user);

      my $flags = ref $su{$context}->{$user}->{Flags}
                  && reftype $su{$context}->{$user}->{Flags} eq 'HASH' ?
        $su{$context}->{$user}->{Flags}
        : +{} ;

      $flags->{SUPERUSER} = 1;

      $self->AccessList->{$context}->{$lc_user} = {
        Password => $su{$context}->{$user}->{Password}
                     // $self->_mkpasswd(rand 10),
        Level => 9999,
        Flags => $flags,
      };

      ## Mask and Masks are both valid directives, Mask trumps Masks
      if (exists $su{$context}->{$user}->{Masks}
          && !exists $su{$context}->{$user}->{Mask} )
      {
        $su{$context}->{$user}->{Mask} =
          delete $su{$context}->{$user}->{Masks};
      }

      ## the Mask specification in cfg may be an array or a string:
      if (ref $su{$context}->{$user}->{Mask}) {
        unless (reftype $su{$context}->{$user}->{Mask} eq 'ARRAY') {
          logger->error(
            "Expected a string or list of masks in 'Mask:' for $user"
          );
          # FIXME currently leaves user with no Masks ...
          next USER
        }
        $self->AccessList->{$context}->{$lc_user}->{Masks} = [
          ## normalize masks into full, matchable masks:
          map {; normalize_mask($_) } @{ $su{$context}->{$user}->{Mask} }
        ];
      } else {
          $self->AccessList->{$context}->{$lc_user}->{Masks} = [
            normalize_mask( $su{$context}->{$user}->{Mask} )
          ];
      }

      logger->debug("added superuser: $user (context: $context)");
    } ## USER

  } ## SERVER

  1
}


### Bot_* events:
sub Bot_connected {
  my ($self, $core) = splice @_, 0, 2;
  ## Bot's freshly connected to a context
  ## Clear any auth entries for this pkg + context
  my $context = ${$_[0]};

  $self->_clear_context($context);

  return PLUGIN_EAT_NONE
}

sub Bot_disconnected {
  my ($self, $core) = splice @_, 0, 2;
  my $context = ${$_[0]};

  $self->_clear_context($context);

  return PLUGIN_EAT_NONE
}

sub Bot_user_left {
  my ($self, $core) = splice @_, 0, 2;
  ## User left a channel
  ## If we don't share other channels, this user can't be tracked
  ## (therefore clear any auth entries for user belonging to us)
  my $left    = ${$_[0]};
  my $context = $left->context;

  my $channel = $left->channel;
  my $nick    = $left->src_nick;

  ## Call _remove_if_lost to see if we can still track this user:
  $self->_remove_if_lost($context, $nick);

  return PLUGIN_EAT_NONE
}

sub Bot_self_left {
  my ($self, $core) = splice @_, 0, 2;
  my $context = ${$_[0]};
  my $channel = ${$_[1]};
  ## The bot left a channel. Check auth status of all users.
  ## This method may be unreliable on nets w/ busted CASEMAPPING=

  $self->_remove_if_lost($context);

  return PLUGIN_EAT_NONE
}

sub Bot_self_kicked {
  my ($self, $core) = splice @_, 0, 2;
  my $context = ${$_[0]};

  $self->_remove_if_lost($context);

  return PLUGIN_EAT_NONE
}

sub Bot_user_kicked {
  my ($self, $core) = splice @_, 0, 2;
  my $kick    = ${ $_[0] };
  my $context = $kick->context;
  my $nick    = $kick->src_nick;

  $self->_remove_if_lost($context, $nick);

  return PLUGIN_EAT_NONE
}

sub Bot_user_quit {
  my ($self, $core) = splice @_, 0, 2;
  my $quit    = ${$_[0]};
  my $context = $quit->context;
  my $nick    = $quit->src_nick;
  ## User quit, clear relevant auth entries
  ## We can call _do_logout directly here:

  $self->_do_logout($context, $nick);

  return PLUGIN_EAT_NONE
}

sub Bot_nick_changed {
  my ($self, $core) = splice @_, 0, 2;
  my $nchg = ${$_[0]};

  my $old = $nchg->old_nick;
  my $new = $nchg->new_nick;
  my $context = $nchg->context;

  ## a nickname changed, adjust Auth accordingly:
  core->auth->move($context, $old, $new);

  return PLUGIN_EAT_NONE
}


sub Bot_private_msg {
  my ($self, $core) = splice @_, 0, 2;
  my $msg = ${$_[0]};
  my $context = $msg->context;

  my $command = $msg->message_array->[0] // return PLUGIN_EAT_NONE;
  $command = lc $command;

  ## simple method check/dispatch:
  my $resp;
  my $method = "_cmd_".$command;
  if ( $self->can($method) ) {
    logger->debug("dispatching '$command' for ".$msg->src_nick);
    $resp = $self->$method($context, $msg);
  }

  if (defined $resp) {
    my $target = $msg->src_nick;
    broadcast( 'message', $context, $target, $resp );
  }

  return PLUGIN_EAT_NONE
}


### Frontends:

sub _cmd_login {
  ## interact with _do_login and set up response RPLs
  ## _do_login does the heavy lifting, we just talk to the user
  ## this is stupid, but I'm too lazy to fix
  my ($self, $context, $msg) = @_;

  my (undef, $l_user, $l_pass) = @{ $msg->message_array };

  my $origin = $msg->src;
  my $nick   = $msg->src_nick;

  unless (defined $l_user && defined $l_pass) {
    ## bad syntax resp, currently takes no args ...
    return core->rpl( q{AUTH_BADSYN_LOGIN} );
  }

  ## NOTE: usernames in accesslist are stored lowercase per rfc1459 rules:
  $l_user = lc_irc($l_user);

  ## IMPORTANT:
  ## nicknames (for auth hash) remain unmolested
  ## case changes are managed by tracking actual nickname changes
  ## (that way we don't have to worry about it when checking access levels)

  my $rplvars = {
    context => $context,
    src  => $origin,
    nick => $nick,
    user => $l_user,
  };

  my $resp;

  try {
    $self->_do_login($context, $nick, $l_user, $l_pass, $origin);

    $rplvars->{lev} = core->auth->level($context, $nick);

    $resp = core->rpl( q{AUTH_SUCCESS}, $rplvars );
  } catch {
    my %rplmap = (
      E_NOSUCH   => 'AUTH_FAIL_NO_SUCH',
      E_BADPASS  => 'AUTH_FAIL_BADPASS',
      E_BADHOST  => 'AUTH_FAIL_BADHOST',
      E_NOCHANS  => 'AUTH_FAIL_NO_CHANS',
    );

    my $rpl = $rplmap{$_};

    logger->error("BUG; unknown retval from _do_login")
      unless defined $rpl;

    $resp = core->rpl( $rpl, $rplvars );
  };

  broadcast( 'notice', $context, $nick, $resp ) if defined $resp;

  return
}

sub _cmd_chpass {
  my ($self, $context, $msg) = @_;
  ## 'self' chpass for logged-in users
  ##    chpass OLD NEW

  my $nick = $msg->src_nick;

  my $auth_for_nick = core->auth->username($context, $nick);

  unless (defined $auth_for_nick) {
    return core->rpl( q{RPL_NO_ACCESS},
      nick => $nick,
    )
  }

  my $passwd_old = $msg->message_array->[1];
  my $passwd_new = $msg->message_array->[2];
  unless (defined $passwd_old && defined $passwd_new) {
    return core->rpl( q{AUTH_BADSYN_CHPASS} );
  }

  my $user_rec = $self->_get_user_rec($context, $auth_for_nick);

  if ($user_rec->{Flags}->{SUPERUSER}) {
    return "Superusers are hard-coded and cannot chpass"
  }

  my $stored_pass = $user_rec->{Password};
  unless ( passwdcmp($passwd_old, $stored_pass) ) {
    return core->rpl( q{AUTH_CHPASS_BADPASS},
      context => $context,
      nick => $nick,
      user => $auth_for_nick,
      src => $msg->src,
    )
  }

  $user_rec->{Password} = $self->_mkpasswd($passwd_new);

  unless ( $self->_write_access_list ) {
    logger->warn(
      "Couldn't _write_access_list in _cmd_chpass",
    );

    broadcast( 'message', $context, $nick,
      "Failed access list write! Admin should check logs."
    );
  }

  return core->rpl( q{AUTH_CHPASS_SUCCESS},
    context => $context,
    nick => $nick,
    user => $auth_for_nick,
    src  => $msg->src,
  )
}

sub _cmd_whoami {
  my ($self, $context, $msg) = @_;
  ## return current auth status
  my $nick = $msg->src_nick;

  my $auth_lev = core->auth->level($context, $nick);
  my $auth_usr = core->auth->username($context, $nick)
                 // 'Not Authorized';

  return core->rpl( q{AUTH_STATUS},
    user => $auth_usr,
    nick => $nick,
    lev  => $auth_lev,
  )
}

sub _cmd_user {
  my ($self, $context, $msg) = @_;

  ## user add
  ## user del
  ## user list
  ## user search
  my $cmd = lc( $msg->message_array->[1] // '');

  my $resp;

  unless ($cmd) {
    return 'No command specified'
  }

  ## All of these need *some* access level
  ## Bail early if we don't know this user
  my $auth_lev = core->auth->level($context, $msg->src_nick);
  unless ($auth_lev) {
    return core->rpl( q{RPL_NO_ACCESS},
      nick => $msg->src_nick,
    )
  }

  my $method = "_user_".$cmd;
  if ( $self->can($method) ) {
    logger->debug("dispatching $method for ".$msg->src_nick);

    return $self->$method($context, $msg)
  }

  return
}



### Auth routines:

sub _do_login {
  ## backend handler for _cmd_login
  ## $username should've already been normalized via lc_irc:
  my ($self, $context, $nick, $username, $passwd, $host) = @_;

  my $user_rec;
  unless ($user_rec = $self->_get_user_rec($context, $username) ) {
    logger->info(
      "[$context] authfail; no such user: $username ($host)"
    );

    ## auth_failed_login ($context, $nick, $username, $host, $error_str)
    broadcast( 'auth_failed_login',
      $context,
      $nick, $username, $host,
      'NO_SUCH_USER',
    );

    die Bot::Cobalt::Error->new("E_NOSUCH")
  }

  ## fail if we don't share channels with this user
  my $irc = core->get_irc_obj($context);
  unless ($irc->nick_channels($nick)) {
    logger->info(
      "[$context] authfail; no shared chans: $username ($host)"
    );

    broadcast( 'auth_failed_login',
      $context,
      $nick, $username, $host,
      'NO_SHARED_CHANS',
    );

    die Bot::Cobalt::Error->new("E_NOCHANS")
  }

  ## masks should be normalized already:
  my @matched_masks;
  for my $mask (@{ $user_rec->{Masks} }) {
    push(@matched_masks, $mask) if matches_mask($mask, $host);
  }

  unless (@matched_masks) {
    logger->info("[$context] authfail; no host match: $username ($host)");

    broadcast( 'auth_failed_login',
      $context,
      $nick, $username, $host,
      'BAD_HOST',
    );

    die Bot::Cobalt::Error->new("E_BADHOST")
  }

  unless ( passwdcmp($passwd, $user_rec->{Password}) ) {
    logger->info("[$context] authfail; bad passwd: $username ($host)");

    broadcast( 'auth_failed_login',
      $context,
      $nick, $username, $host,
      'BAD_PASS',
    );

    die Bot::Cobalt::Error->new("E_BADPASS")
  }

  my $level = $user_rec->{Level};
  my %flags = %{ $user_rec->{Flags} // {} };

  core->auth->add(
    Context  => $context,
    Username => $username,
    Nickname => $nick,
    Host     => $host,
    Level    => $level,
    Flags    => \%flags,
    Alias    => core->get_plugin_alias($self),
  );

  logger->info(
    "[$context] successful auth: $username (lev $level) ($host)"
  );

  ## send Bot_auth_user_login ($context, $nick, $host, $username, $lev):
  broadcast( 'auth_user_login',
    $context,
    $nick, $username, $host,
    $level,
  );

  1
}


sub _user_add {
  my ($self, $context, $msg) = @_;
  my $nick = $msg->src_nick;
  my $auth_lev = core->auth->level($context, $nick);
  my $auth_usr = core->auth->username($context, $nick);

  unless ($auth_usr) {
    ## not logged in, return rpl
    logger->info("Failed user add attempt by $nick on $context");
    return core->rpl( q{RPL_NO_ACCESS},
      nick => $nick,
    )
  }

  my $pcfg = plugin_cfg($self);

  my $required_base_lev = $pcfg->{RequiredPrivs}->{AddingUsers} // 2;

  unless ($auth_lev >= $required_base_lev) {
    ## doesn't match configured required base level
    ## otherwise this user can add users with lower access levs than theirs
    logger->info(
      "Failed user add; $nick ($auth_usr) has insufficient perms"
    );

    return core->rpl( q{AUTH_NOT_ENOUGH_ACCESS},
      nick => $nick,
      lev  => $auth_lev,
    )
  }

  ## user add <username> <lev> <mask> <passwd> ?
  my @message = @{ $msg->message_array };
  my @args = @message[2 .. $#message];
  my ($target_usr, $target_lev, $mask, $passwd) = @args;
  unless ($target_usr && $target_lev && $mask && $passwd) {
    return "Usage: user add <username> <level> <mask> <initial_passwd>"
  }

  $target_usr = lc_irc($target_usr);

  unless ($target_lev =~ /^\d+$/) {
    return "Usage: user add <username> <level> <mask> <initial_passwd>"
  }

  if ( exists $self->AccessList->{'-ALL'}->{$target_usr} ) {
    logger->warn(
      "Failed user add ($nick); $target_usr already exists in -ALL"
    );

    return core->rpl( q{AUTH_USER_EXISTS},
      nick => $nick,
      user => $target_usr,
    )
  }

  if ( exists $self->AccessList->{$context}->{$target_usr} ) {
    logger->warn(
      "Failed user add ($nick); $target_usr already exists on $context"
    );

    return core->rpl( q{AUTH_USER_EXISTS},
      nick => $nick,
      user => $target_usr,
    )
  }

  unless ($target_lev < $auth_lev) {
    ## user doesn't have enough access to add this level
    ## (superusers have to be hardcoded in auth.conf)
    logger->info(
      "Failed user add; lev ($target_lev) too high for $auth_usr ($nick)"
    );

    return core->rpl( q{AUTH_NOT_ENOUGH_ACCESS},
      nick => $nick,
      lev  => $auth_lev,
    )
  }

  $mask = normalize_mask($mask);

  ## add to AccessList
  $self->AccessList->{$context}->{$target_usr} = {
    Masks    => [ $mask ],
    Password => $self->_mkpasswd($passwd),
    Level    => $target_lev,
    Flags    => {},
  };

  logger->info("New user added by $nick ($auth_usr)");
  logger->info("New user $target_usr ($mask) level $target_lev");

  unless ( $self->_write_access_list ) {
    ## added to AccessList but couldn't be written out
    logger->warn("Couldn't _write_access_list in _user_add");

    broadcast( 'message', $context, $nick,
      "Failed access list write! Admin should check logs."
    );
  }

  return core->rpl( q{AUTH_USER_ADDED},
    nick => $nick,
    user => $target_usr,
    mask => $mask,
    lev  => $target_lev,
  )
}

sub _user_delete { _user_del(@_) }
sub _user_del {
  my ($self, $context, $msg) = @_;
  my $nick = $msg->src_nick;
  my $auth_lev = core->auth->level($context, $nick);
  my $auth_usr = core->auth->username($context, $nick);

  unless ($auth_usr) {
    logger->info("Failed user del attempt by $nick on $context");
    return core->rpl( q{RPL_NO_ACCESS},
      nick => $nick,
    )
  }

  my $pcfg = plugin_cfg($self);

  my $required_base_lev = $pcfg->{RequiredPrivs}->{DeletingUsers} // 2;

  unless ($auth_lev >= $required_base_lev) {
    logger->info(
      "Failed user del; $nick ($auth_usr) has insufficient perms"
    );

    return core->rpl( q{AUTH_NOT_ENOUGH_ACCESS},
      nick => $nick,
      lev  => $auth_lev,
    )
  }

  ## user del <username>
  my $target_usr = $msg->message_array->[2];
  unless ($target_usr) {
    return "Usage: user del <username>"
  }

  $target_usr = lc_irc($target_usr);

  ## check if exists
  my $this_alist = $self->AccessList->{$context};
  unless (exists $this_alist->{$target_usr}) {
    return core->rpl( q{AUTH_USER_NOSUCH},
      nick => $nick,
      user => $target_usr
    )
  }

  ## get target user's auth_level
  ## check if authed user has a higher identified level
  my $target_lev = $this_alist->{$target_usr}->{Level};
  unless ($target_lev < $auth_lev) {
    logger->info(
      "Failed user del; $nick ($auth_usr) has insufficient perms"
    );

    return core->rpl( q{AUTH_NOT_ENOUGH_ACCESS},
      nick => $nick,
      lev  => $auth_lev
    )
  }

  ## delete users from AccessList
  delete $this_alist->{$target_usr};

  logger->info("User deleted: $target_usr ($target_lev) on $context");
  logger->info("Deletion issued by $nick ($auth_usr)");

  ## see if user is logged in, log them out if so
  my $auth_context = core->auth->list($context);
  for my $authnick (keys %$auth_context) {
    my $this_username = $auth_context->{$authnick}->{Username};

    next unless $this_username eq $target_usr;

    $self->_do_logout($context, $authnick);
  }

  unless ( $self->_write_access_list ) {
    logger->warn("Couldn't _write_access_list in _user_add");

    broadcast( 'message', $context, $nick,
      "Failed access list write! Admin should check logs."
    );
  }

  return core->rpl( q{AUTH_USER_DELETED},
    nick => $nick,
    user => $target_usr
  )
}

sub _user_list {
  my ($self, $context, $msg) = @_;

  my $nick = $msg->src_nick;
  my $auth_lev = core->auth->level($context, $nick);
  my $auth_usr = core->auth->username($context, $nick);

  return core->rpl( q{RPL_NO_ACCESS}, nick => $nick )
    unless $auth_lev;

  ## FIXME extra opt for users w/ add perms to list -ALL ?
  my $alist = $self->AccessList->{$context} // {};

  my $respstr = "Users ($context): ";

  USER: for my $username (keys %$alist) {
    my $lev = $alist->{$username}->{Level};
    $respstr .= "$username ($lev)   ";

    if ( length($respstr) > 250 ) {
      broadcast( 'message', $context, $nick,
        $respstr
      );

      $respstr = '';
    }

  } ## USER

  return $respstr if $respstr
}

sub _user_whois {
  my ($self, $context, $msg) = @_;
  my $nick = $msg->src_nick;

  my $auth_lev = core->auth->level($context, $nick);
  my $auth_usr = core->auth->username($context, $nick);

  return core->rpl( q{RPL_NO_ACCESS}, nick => $nick )
    unless $auth_lev;

  my $target_nick = $msg->message_array->[2];

  if ( my $target_lev = core->auth->level($context, $target_nick) ) {
    my $target_usr = core->auth->username($context, $target_nick);

    return "$target_nick is user $target_usr with level $target_lev"
  } else {
    return "$target_nick is not currently logged in"
  }
}

sub _user_info {
  my ($self, $context, $msg) = @_;
  my $nick = $msg->src_nick;

  my $auth_lev = core->auth->level($context, $nick);
  my $auth_usr = core->auth->username($context, $nick);

  unless ($auth_lev) {
    return core->rpl( q{RPL_NO_ACCESS}, nick => $nick );
  }

  my $target_usr = $msg->message_array->[2];
  unless (defined $target_usr) {
    return 'Usage: user info <username>'
  }

  $target_usr = lc_irc($target_usr);

  my $user_rec;
  unless ( $user_rec = $self->_get_user_rec($context, $target_usr) ) {
    return core->rpl( q{AUTH_USER_NOSUCH},
      nick => $nick,
      user => $target_usr
    );
  }

  my $usr_lev     = $user_rec->{Level};
  my $usr_maskref = $user_rec->{Masks};

  my $maskcount = @$usr_maskref;

  broadcast( 'message', $context, $nick,
    "User $target_usr is level $usr_lev, $maskcount masks listed"
  );

  my @flags = keys %{ $user_rec->{Flags} };

  my $flag_repl = "Flags: ";

  while (my $this_flag = shift @flags) {
    $flag_repl .= "  ".$this_flag;

    if (length $flag_repl > 300 || !@flags) {
      broadcast('message', $context, $nick, $flag_repl);
      $flag_repl = '';
    }
  }

  my $mask_repl = "Masks: ";
  my @masks = @$usr_maskref;

  while (my $this_mask = shift @masks) {
    $mask_repl .= "  ".$this_mask;
    if (length $mask_repl > 300 || !@masks) {
      broadcast('message', $context, $nick, $mask_repl);
      $mask_repl = '';
    }
  }

  return
}

sub _user_search {
  my ($self, $context, $msg) = @_;
  my $nick = $msg->src_nick;

  ## Auth should've already been checked in user_* dispatcher

  ## FIXME

  ## search by: username, host, ... ?
  ## limit results ?

}

sub _user_chflags {
  my ($self, $context, $msg) = @_;
  my $nick = $msg->src_nick;

  my $auth_lev = core->auth->level($context, $nick);
  my $auth_usr = core->auth->username($context, $nick);

  my $pcfg = plugin_cfg($self);
  my $req_lev = $pcfg->{RequiredPrivs}->{DeletingUsers};

  my @message = @{ $msg->message_array };
  my $target_usr = $message[2];
  my @flags = @message[3 .. $#message];

  unless ($target_usr && @flags) {
    return "Syntax: user chflags <username> <+/-flag> ..."
  }

  my $alist_ref;
  unless ($alist_ref = $self->_get_user_rec($context, $target_usr) ) {
    return core->rpl( q{AUTH_USER_NOSUCH},
      nick => $nick,
      user => $target_usr,
    )
  }

  my $target_usr_lev = $alist_ref->{Level};

  my $auth_flags = core->auth->flags($context, $nick);

  unless ($auth_lev >= $req_lev
    && ($auth_lev > $target_usr_lev || $auth_usr eq $target_usr
        || $auth_flags->{SUPERUSER}) )  {

    my $src = $msg->src;
    logger->warn(
      "Access denied in chflags: $src tried to chflags $target_usr"
    );

    return core->rpl( q{AUTH_NOT_ENOUGH_ACCESS},
      nick => $nick,
      lev  => $auth_lev,
    )
  }

  my $resp;
  FLAG: for my $this_flag (@flags) {
    my $first = substr($this_flag, 0, 1, '');
    $this_flag = uc($this_flag||'');

    unless ($first && $this_flag) {
      return "Bad syntax; flags should be in the form of -/+FLAG"
    }

    if ($this_flag eq 'SUPERUSER') {
      return "Cannot set SUPERUSER flag manually"
    }

    if ($first eq '+') {
      logger->debug("$nick ($auth_usr) flag add $target_usr $this_flag");
      $alist_ref->{Flags}->{$this_flag} = 1;
      next FLAG
    } elsif ($first eq '-') {
      logger->debug("$nick ($auth_usr) flag drop $target_usr $this_flag");
      delete $alist_ref->{Flags}->{$this_flag};
      next FLAG
    }

    return "Bad syntax; flags should be prefixed by + or -"
  }  ## FLAG

  if ( $self->_write_access_list ) {
    broadcast( 'message', $context, $nick,
      "Adjusted flags for $target_usr"
    );
  } else {
    broadcast( 'message', $context, $nick,
      "List write failed in _user_chflags, admin should check logs"
    );
  }

  return
}

sub _user_chmask {
  my ($self, $context, $msg) = @_;
  my $nick = $msg->src_nick;
  my $auth_lev = core->auth->level($context, $nick);
  my $auth_usr = core->auth->username($context, $nick);

  my $pcfg = plugin_cfg($self);
  ## If you can't delete users, you probably shouldn't be permitted
  ## to delete their masks, either
  my $req_lev = $pcfg->{RequiredPrivs}->{DeletingUsers};

  ## You also should have higher access than your target
  ## (unless you're a superuser)
  my $target_usr    = $msg->message_array->[2];
  my $mask_specified = $msg->message_array->[3];

  unless ($target_usr && $mask_specified) {
    return "Usage: user chmask <user> [+/-]<mask>"
  }

  my $alist_ref;
  unless ( $alist_ref = $self->_get_user_rec($context, $target_usr) ) {
    return core->rpl( q{AUTH_USER_NOSUCH},
      nick => $nick,
      user => $target_usr,
    )
  }

  my $target_usr_lev = $alist_ref->{Level};
  my $flags = core->auth->flags($context, $nick);

  ## Must be:
  ##  higher than target user's lev
  ##   or adjusting your own mask
  ##   or superuser
  unless ($auth_lev >= $req_lev
    && ($auth_lev > $target_usr_lev || $auth_usr eq $target_usr
        || $flags->{SUPERUSER}) )  {

    my $src = $msg->src;

    logger->warn(
      "Access denied in chmask: $src tried to chmask $target_usr"
    );

    return core->rpl( q{AUTH_NOT_ENOUGH_ACCESS},
      nick => $nick,
      lev  => $auth_lev
    );
  }

  my ($oper, $host) = $mask_specified =~ /^(\+|\-)(\S+)/;
  unless ($oper && $host) {
    return "Bad mask specification, should be operator (+ or -) followed by mask"
  }

  $host = normalize_mask($host);

  my $resp;
  if ($oper eq '+') {
    push(@{ $alist_ref->{Masks} }, $host)
      unless grep { $_ eq $host } @{ $alist_ref->{Masks} };
    $resp = core->rpl( q{AUTH_MASK_ADDED},
      nick => $nick,
      user => $target_usr,
      mask => $host,
    );
  } else {
    ## Remove a mask (the inefficient way, at the moment - lazy)

    my @masks = grep { $_ ne $host } @{ $alist_ref->{Masks} };
    if (@masks == @{$alist_ref->{Masks}}) {
      return "Mask not found."
    }

    $alist_ref->{Masks} = \@masks;
    $resp = core->rpl( q{AUTH_MASK_DELETED},
      nick => $nick,
      user => $target_usr,
      mask => $host
    );
  }

  ## call a list sync
  if ( $self->_write_access_list ) {
    broadcast( 'message', $context, $nick, $resp );
  } else {
    broadcast( 'message', $context, $nick,
      "List write failed in _user_chmask, admin should check logs"
    );
  }

  return
}

sub _user_chpass {
  my ($self, $context, $msg) = @_;
  my $nick = $msg->src_nick;
  my $auth_lev = core->auth->level($context, $nick);
  my $auth_usr = core->auth->username($context, $nick);

  unless (core->auth->has_flag($context, $nick, 'SUPERUSER')) {
    return "Must be flagged SUPERUSER to use user chpass"
  }

  my $target_usr = $msg->message_array->[2];
  my $new_passwd  = $msg->message_array->[3];

  unless ($target_usr && $new_passwd) {
    return "Usage: user chpass <username> <new_passwd>"
  }

  my $user_rec;
  unless ($user_rec = $self->_get_user_rec($context, $target_usr) ) {
    return core->rpl( q{AUTH_USER_NOSUCH},
      nick => $nick,
      user => $target_usr,
    )
  }

  my $hashed = $self->_mkpasswd($new_passwd);

  logger->info(
    "$nick ($auth_usr) CHPASS for $target_usr"
  );

  $user_rec->{Password} = $hashed;

  if ( $self->_write_access_list ) {
    return core->rpl( q{AUTH_CHPASS_SUCCESS},
      nick => $nick,
      user => $target_usr,
    );
  } else {
    logger->warn(
      "Couldn't _write_access_list in _cmd_chpass",
    );

    return "Failed access list write! Admin should check logs."
  }
}


### Utility methods:

sub _get_user_rec {
  my ($self, $context, $user) = @_;

  ## Return user AccessList record, preferring hardcoded -ALL:

  confess "_get_user_rec called without required arguments"
    unless defined $context and defined $user;

  return unless exists $self->AccessList->{'-ALL'}->{$user}
    or  exists $self->AccessList->{$context}
    and exists $self->AccessList->{$context}->{$user};

  exists $self->AccessList->{'-ALL'}->{$user} ?
    $self->AccessList->{'-ALL'}->{$user}
    : $self->AccessList->{$context}->{$user}
}

sub _remove_if_lost {
  my ($self, $context, $nick) = @_;
  ## $self->_remove_if_lost( $context );
  ## $self->_remove_if_lost( $context, $nickname );
  ##
  ## called by event handlers that track users (or the bot) leaving
  ##
  ## if a nickname is specified, ask _check_for_shared if we still see
  ## this user, otherwise remove relevant Auth
  ##
  ## if no nickname is specified, do the above for all Auth'd users
  ## in the specified context
  ##
  ## return list of removed users

  ## no auth for specified context? then we don't care:
  my $authref;
  return unless $authref = core->auth->list($context);

  my @removed;

  if ($nick) {
    ## ...does auth for this nickname in this context?
    return unless exists $authref->{$nick};

    unless ( $self->_check_for_shared($context, $nick) ) {
      ## we no longer share channels with this user
      ## if they're auth'd and their authorization is "ours", kill it
      ## call _do_logout to log them out and notify the pipeline
      ##
      ## _do_logout handles the messy details, incl. checking to make sure
      ## that we are the "owner" of this auth:
      push(@removed, $nick) if $self->_do_logout($context, $nick);
    }

  } else {
    ## no nickname specified
    ## check trackable status for all known
    for $nick (keys %$authref) {
      unless ( $self->_check_for_shared($context, $nick) ) {
        push(@removed, $nick) if $self->_do_logout($context, $nick);
      }
    }

  }

  return @removed
}

sub _check_for_shared {
  ## $self->_check_for_shared( $context, $nickname );
  ##
  ## Query the IRC component to see if we share channels with a user.
  ## Actually just a simple frontend to get_irc_obj & PoCo::IRC::State
  ##
  ## Returns boolean true or false.
  ## Typically called after either the bot or a user leave a channel
  ## ( normally by _remove_if_lost() )
  ##
  ## Tells Auth whether or not we can sanely track this user.
  ## If we don't share channels it's difficult to get nick change
  ## notifications and generally validate authenticated users.
  my ($self, $context, $nick) = @_;
  my $irc = core->get_irc_obj( $context );
  my @shared = $irc->nick_channels( $nick );
  return @shared ? 1 : 0 ;
}

sub _clear_context {
  my ($self, $context) = @_;

  ## $self->_clear_context( $context )
  for my $nick ( core->auth->list($context) ) {
    $self->_do_logout($context, $nick);
  }
}

sub _clear_all {
  my ($self) = @_;
  ## $self->_clear_all()
  ## clear any states belonging to us
  for my $context ( core->auth->list() ) {

    NICK: for my $nick ( core->auth->list($context) ) {

      next NICK unless core->auth->alias($context, $nick)
                    eq core->get_plugin_alias($self);

      logger->debug("clearing: $nick [$context]");
      $self->_do_logout($context, $nick)
    }

  }
}

sub _do_logout {
  my ($self, $context, $nick) = @_;
  ## $self->_do_logout( $context, $nick )
  ## handles logout routines for 'lost' users
  ## normally called by method _remove_if_lost
  ##
  ## sends auth_user_logout event in addition to clearing auth hash
  ##
  ## returns the deleted user auth hash (or nothing)
  my $auth_context = core->auth->list($context);

  if (exists $auth_context->{$nick}) {
    my $auth_pkg    = core->auth->alias($context, $nick);
    my $current_pkg = core->get_plugin_alias($self);

    if ($auth_pkg eq $current_pkg) {
      my $host     = core->auth->host($context, $nick);
      my $username = core->auth->username($context, $nick);
      my $level    = core->auth->level($context, $nick);

      ## Bot_auth_user_logout ($context, $nick, $host, $username, $lev, $pkg):
      broadcast( 'auth_user_logout',
        $context,
        $nick, $host, $username,
        $level,
        $auth_pkg,
      );

      logger->debug(
        "cleared auth state: $username ($nick on $context)"
      );

      return core->auth->del($context, $nick)
    } else {
      logger->debug(
        "skipped auth state, not ours: $nick [$context]"
      );
    }
  }
  return
}

sub _mkpasswd {
  my ($self, $passwd) = @_;
  return unless $passwd;
  ## $self->_mkpasswd( $passwd );
  ## simple frontend to Bot::Cobalt::Utils::mkpasswd()
  ## handles grabbing cfg opts for us:

  my $cfg = plugin_cfg( $self );

  my $crypt_method = $cfg->{Method} // 'bcrypt';
  my $bcrypt_cost  = $cfg->{Bcrypt_Cost} || '08';

  mkpasswd($passwd, $crypt_method, $bcrypt_cost)
}

sub _db_path {
  my ($self, $dbpath) = @_;

  return $self->[DB_PATH] = $dbpath if defined $dbpath;

  $self->[DB_PATH]
}

sub AccessList {
  my ($self, $alist) = @_;

  if (defined $alist) {
    confess "AccessList is not a hashref"
      unless ref $alist 
      and reftype $alist eq 'HASH';

    return $self->[ACCESS_LIST] = $alist
  }

  $self->[ACCESS_LIST]
}


### Access list rw methods (serialize to YAML)
### These can also be used to read/write arbitrary authdbs

sub _read_access_list {
  my ($self, $authdb) = @_;
  ## Default to $self->_db_path
  $authdb = $self->_db_path unless $authdb;
  ## read authdb, spit out hash

  unless (-f $authdb) {
    logger->debug("did not find authdb at $authdb");
    logger->info("No existing authdb, creating empty access list.");

    return { }
  }

  my $serializer = Bot::Cobalt::Serializer->new();

  my $accesslist;
  try {
    $accesslist = $serializer->readfile($authdb);
  } catch {
    logger->error("readfile() failure; $authdb $_");
  };

  return $accesslist
}

sub _write_access_list {
  my ($self, $authdb, $alist) = @_;
  $authdb = $self->_db_path unless $authdb;
  $alist  = $self->AccessList unless $alist;

  ## we don't want to write superusers back out
  ## copy from ref to a fresh hash:
  my $cloned = dclone($alist);
  delete $cloned->{'-ALL'};

  for my $context (keys %$cloned) {
    for my $user (keys %{ $cloned->{$context} }) {
      if ( $cloned->{$context}->{$user}->{Flags}->{SUPERUSER} ) {
        ## FIXME
        ##  sync superusers too so we can preserve flags?
        ##  need to check/delete them at load time if there's a change
        delete $cloned->{$context}->{$user};
      }
    }
    ## don't need to write empty contexts either:
    delete $cloned->{$context} unless keys %{ $cloned->{$context} };
  }

  ## don't need to write empty access lists to disk ...
  return $authdb unless keys %$cloned;

  my $serializer = Bot::Cobalt::Serializer->new();

  return $authdb if try {
    $serializer->writefile($authdb, $cloned);

    my $p_cfg = plugin_cfg( $self );
    my $perms = oct( $p_cfg->{Opts}->{AuthDB_Perms} // '0600' );
    chmod($perms, $authdb);
    1
  };

  logger->error("writefile() failure; $authdb $_");
  return
}

1;
__END__


=pod

=head1 NAME

Bot::Cobalt::Plugin::Auth -- User management and auth plugin

=head1 DESCRIPTION

This plugin provides the standard authorization and access control
functionality for L<Bot::Cobalt>.

=head1 CONFIGURATION

=head2 plugins.conf

A basic plugins.conf entry for this plugin:

  Auth:
    Module: Bot::Cobalt::Plugin::Auth
    Config: auth.conf

=head2 auth.conf

C<auth.conf> is the central configuration file for this plugin, 
including statically-configured superuser auth entries.

=head3 SuperUsers

The B<SuperUsers> directive specifies statically configured superusers, 
who receive access level 9999 by default and typically have access to 
the totality of the bot's functionality.

Users are specified per-context. Multiple masks can be specified as a 
list:

  SuperUsers:
    Main:
      'avenj':
        Mask:
          - '*avenj@*.oppresses.us'
          - '*avenj@*.cobaltirc.org'
        Password: '$2a$08$W19087w4d(. . . .)'

B<Password> should be a hashed password. You can create them from the 
command line via C<bmkpasswd> from L<App::bmkpasswd>, which this 
distribution depends on.

=head3 Opts

B<Opts> defines a small set of password and database related options:

  Opts:
    Method: 'bcrypt'
    Bcrypt_Cost: '08'
    AuthDB: 'db/authdb.yml'

=head4 Method

B<Method> is a string describing the preferred password hashing method 
for new passwords. Hashes are created via L<App::bmkpasswd> -- C<bcrypt> 
is the recommended method and guaranteed to be available.

C<sha256> and C<sha512> methods may be available, although you might 
need L<Crypt::Passwd::XS> on certain platforms. Consult the 
L<App::bmkpasswd> documentation for details.

=head4 Bcrypt_Cost

If using bcrypt (see L</Method>), the 'work cost factor' is 
configurable. Must be a two digit power of 2. Lower is faster (less 
secure), higher is slower (more secure). 

The default work cost factor is '08' -- you can probably leave this 
alone.

=head4 AuthDB

Path (relative to the bot's C<var/> directory) used to store user 
information (except for superusers).

Defaults to 'db/authdb.yml'

=head3 RequiredPrivs

Required base access levels for specific operations.

  RequiredPrivs:
    AddingUsers: 2
    DeletingUsers: 2

=head1 IRC USAGE

=head2 Logging in

  /msg cobalt login <username> <password>

You must share at least one channel with the bot in order to log in.

=head2 Changing your password

You can change your own password at any time:

  /msg cobalt chpass <oldpasswd> <newpasswd>

=head2 User administration

=head3 user add

  /msg cobalt user add <username> <level> <mask> <passwd>

New users can be added by anyone with at least C<AddingUsers> level (see 
L</RequiredPrivs>). Users can only be added at levels below your own.

=head3 user del

  /msg cobalt user del <username>

Users can only be removed below your own access level (and you must have 
at least C<DeletingUsers> permissions -- see L</RequiredPrivs>)

=head3 user chflags

  /msg cobalt user chflags <username> +FLAG -FLAG [...]

Alter a user's marked flags; flags must be prefixed with + or - to 
indicate an addition or removal.

(As of this writing, flags are under-utilized in the Cobalt core 
distribution)

=head3 user chpass

  /msg cobalt user chpass <username> <passwd>

Alter a user's password manually. Only usable by superusers.

=head3 user chmask

  /msg cobalt user chmask <username> +*!*some@*.mask.example.org
  /msg cobalt user chmask <username> -*!*some@*.mask.example.org

Add or remove authorized masks for a particular user.

You can add or remove masks for yourself at any time, so long as you 
have at least B<DeletingUsers> level (see L</RequiredPrivs>). Altering 
masks for other users requires a higher access level than theirs.

Only one mask can be added or deleted at a time.

=head3 user whois

  /msg cobalt user whois <nickname>

Find out if a nickname is currently logged in to the bot (and under what 
username / access level)

=head3 user info

  /msg cobalt user info <username>

Display user record information for a username.

=head3 user list

  /msg cobalt user list

Display the current user list.

=head3 user search

FIXME

=head1 EMITTED EVENTS

=head2 Bot_auth_user_login

Broadcast when a login is successful.

Arguments are:

  $context, $nickname, $username, $hostname, $authorized_level

=head2 Bot_auth_failed_login

Broadcast when a login fails.

Arguments are:

  $context, $nickname, $username, $hostname, "ERR_STR"

Where 'ERR_STR' is one of the following strings:

  "NO_SUCH_USER"
  "NO_SHARED_CHANS"
  "BAD_HOST"
  "BAD_PASS"

=head2 Bot_auth_user_logout

Broadcast when a user is logged out, either manually or because the user 
was "lost" (no longer visible by the bot).

Arguments are:

  $context, $nickname, $hostname, $username, $authorized_level

=head1 AUTHOR

Jon Portnoy <avenj@cobaltirc.org>

=cut