// @(#)root/auth:$Id$
// Author: Fons Rademakers   26/11/2000

 * Copyright (C) 1995-2000, Rene Brun and Fons Rademakers.               *
 * All rights reserved.                                                  *
 *                                                                       *
 * For the licensing terms see $ROOTSYS/LICENSE.                         *
 * For the list of contributors see $ROOTSYS/README/CREDITS.             *

#ifndef ROOT_TAuthenticate
#define ROOT_TAuthenticate

//                                                                      //
// TAuthenticate                                                        //
//                                                                      //
// An authentication module for ROOT based network services, like rootd //
// and proofd.                                                          //
//                                                                      //

#ifndef ROOT_TObject
#include "TObject.h"
#ifndef ROOT_TString
#include "TString.h"
#ifndef ROOT_TList
#include "TList.h"
#ifndef ROOT_TDatime
#include "TDatime.h"
#ifndef ROOT_rsafun
#include "rsafun.h"
#ifndef ROOT_AuthConst
#include "AuthConst.h"
#ifdef R__SSL
// SSL specific headers for blowfish encryption
#include <openssl/blowfish.h>

class TAuthenticate;
class THostAuth;
class TPluginHandler;
class TSocket;
class TRootSecContext;
class TVirtualMutex;

typedef Int_t (*CheckSecCtx_t)(const char *subj, TRootSecContext *ctx);
typedef Int_t (*GlobusAuth_t)(TAuthenticate *auth, TString &user, TString &det);
typedef Int_t (*Krb5Auth_t)(TAuthenticate *auth, TString &user, TString &det, Int_t version);
typedef Int_t (*SecureAuth_t)(TAuthenticate *auth, const char *user, const char *passwd,
                              const char *remote, TString &det, Int_t version);

R__EXTERN TVirtualMutex *gAuthenticateMutex;

class TAuthenticate : public TObject {

friend class TRootAuth;
friend class TRootSecContext;
friend class TSocket;

   enum ESecurity { kClear, kSRP, kKrb5, kGlobus, kSSH, kRfio }; // type of authentication

   TString      fDetails;     // logon details (method dependent ...)
   THostAuth   *fHostAuth;    // pointer to relevant authentication info
   TString      fPasswd;      // user's password
   TString      fProtocol;    // remote service (rootd, proofd)
   Bool_t       fPwHash;      // kTRUE if fPasswd is a passwd hash
   TString      fRemote;      // remote host to which we want to connect
   Int_t        fRSAKey;      // Type of RSA key used
   TRootSecContext *fSecContext;  // pointer to relevant sec context
   ESecurity    fSecurity;    // actual logon security level
   TSocket     *fSocket;      // connection to remote daemon
   Bool_t       fSRPPwd;      // kTRUE if fPasswd is a SRP passwd
   Int_t        fVersion;     // 0,1,2, ... accordingly to remote daemon version
   TString      fUser;        // user to be authenticated
   Int_t        fTimeOut;     // timeout flag

   Int_t        GenRSAKeys();
   Bool_t       GetPwHash() const { return fPwHash; }
   Int_t        GetRSAKey() const { return fRSAKey; }
   ESecurity    GetSecurity() const { return fSecurity; }
   Bool_t       GetSRPPwd() const { return fSRPPwd; }
   const char  *GetSshUser(TString user) const;
   Int_t        GetVersion() const { return fVersion; }
   Int_t        ClearAuth(TString &user, TString &passwd, Bool_t &pwhash);
   Bool_t       GetUserPasswd(TString &user, TString &passwd,
                              Bool_t &pwhash, Bool_t srppwd);
   char        *GetRandString(Int_t Opt,Int_t Len);
   Int_t        ProofAuthSetup();
   Int_t        RfioAuth(TString &user);
   void         SetEnvironment();
   Int_t        SshAuth(TString &user);
   Int_t        SshError(const char *errfile);

   static TList          *fgAuthInfo;
   static TString         fgAuthMeth[kMAXSEC];
   static Bool_t          fgAuthReUse;      // kTRUE is ReUse required
   static TString         fgDefaultUser;    // Default user information
   static TDatime         fgExpDate;        // Expiring date for new security contexts
   static GlobusAuth_t    fgGlobusAuthHook;
   static Krb5Auth_t      fgKrb5AuthHook;
   static TString         fgKrb5Principal;  // Principal for Krb5 ticket
   static TDatime         fgLastAuthrc;     // Time of last reading of fgRootAuthrc
   static TString         fgPasswd;
   static TPluginHandler *fgPasswdDialog;   // Passwd dialog GUI plugin
   static Bool_t          fgPromptUser;     // kTRUE if user prompt required
   static TList          *fgProofAuthInfo;  // Specific lists of THostAuth fro proof
   static Bool_t          fgPwHash;         // kTRUE if fgPasswd is a passwd hash
   static Bool_t          fgReadHomeAuthrc; // kTRUE to look for $HOME/.rootauthrc
   static TString         fgRootAuthrc;     // Path to last rootauthrc-like file read
   static Int_t           fgRSAKey;         // Default type of RSA key to be tried
   static Int_t           fgRSAInit;
   static rsa_KEY         fgRSAPriKey;
   static rsa_KEY         fgRSAPubKey;
   static rsa_KEY_export  fgRSAPubExport[2];
#ifdef R__SSL
   static BF_KEY          fgBFKey;          // Blowfish symmetric key
   static SecureAuth_t    fgSecAuthHook;
   static Bool_t          fgSRPPwd;         // kTRUE if fgPasswd is a SRP passwd
   static TString         fgUser;
   static Bool_t          fgUsrPwdCrypt;    // kTRUE if encryption for UsrPwd is required
   static Int_t           fgLastError;      // Last error code processed by AuthError()
   static Int_t           fgAuthTO;         // if > 0, timeout in sec
   static Int_t           fgProcessID;      // ID of the main thread as unique identifier

   static Bool_t          CheckHost(const char *Host, const char *host);

   static void            FileExpand(const char *fin, FILE *ftmp);
   static Int_t           ProofAuthSetup(TSocket *sock, Bool_t client);
   static void            RemoveSecContext(TRootSecContext *ctx);

   TAuthenticate(TSocket *sock, const char *remote, const char *proto,
                 const char *user = "");
   virtual ~TAuthenticate() { }

   Bool_t             Authenticate();
   Int_t              AuthExists(TString User, Int_t method, const char *Options,
                          Int_t *Message, Int_t *Rflag, CheckSecCtx_t funcheck);
   void               CatchTimeOut();
   Bool_t             CheckNetrc(TString &user, TString &passwd);
   Bool_t             CheckNetrc(TString &user, TString &passwd,
                                 Bool_t &pwhash, Bool_t srppwd);
   THostAuth         *GetHostAuth() const { return fHostAuth; }
   const char        *GetProtocol() const { return fProtocol; }
   const char        *GetRemoteHost() const { return fRemote; }
   Int_t              GetRSAKeyType() const { return fRSAKey; }
   TRootSecContext       *GetSecContext() const { return fSecContext; }
   TSocket           *GetSocket() const { return fSocket; }
   const char        *GetUser() const { return fUser; }
   Int_t              HasTimedOut() const { return fTimeOut; }
   void               SetRSAKeyType(Int_t key) { fRSAKey = key; }
   void               SetSecContext(TRootSecContext *ctx) { fSecContext = ctx; }

   static void        AuthError(const char *where, Int_t error);
   static Bool_t      CheckProofAuth(Int_t cSec, TString &det);

   static Int_t       DecodeRSAPublic(const char *rsapubexport, rsa_NUMBER &n,
                                      rsa_NUMBER &d, char **rsassl = 0);

   static TList      *GetAuthInfo();
   static const char *GetAuthMethod(Int_t idx);
   static Int_t       GetAuthMethodIdx(const char *meth);
   static Bool_t      GetAuthReUse();
   static Int_t       GetClientProtocol();
   static char       *GetDefaultDetails(Int_t method, Int_t opt, const char *user);
   static const char *GetDefaultUser();
   static TDatime     GetGlobalExpDate();
   static Bool_t      GetGlobalPwHash();
   static Bool_t      GetGlobalSRPPwd();
   static const char *GetGlobalUser();
   static GlobusAuth_t GetGlobusAuthHook();
   static THostAuth  *GetHostAuth(const char *host, const char *user="",
                                  Option_t *opt = "R", Int_t *Exact = 0);
   static const char *GetKrb5Principal();
   static Bool_t      GetPromptUser();
   static TList      *GetProofAuthInfo();
   static Int_t       GetRSAInit();
   static const char *GetRSAPubExport(Int_t key = 0);
   static THostAuth  *HasHostAuth(const char *host, const char *user,
                                  Option_t *opt = "R");
   static void        InitRandom();
   static void        MergeHostAuthList(TList *Std, TList *New, Option_t *Opt = "");
   static char       *PromptPasswd(const char *prompt = "Password: ");
   static char       *PromptUser(const char *remote);
   static Int_t       ReadRootAuthrc();
   static void        RemoveHostAuth(THostAuth *ha, Option_t *opt = "");
   static Int_t       SecureRecv(TSocket *Socket, Int_t dec,
                                 Int_t KeyType, char **Out);
   static Int_t       SecureSend(TSocket *Socket, Int_t enc,
                                 Int_t KeyType, const char *In);
   static Int_t       SendRSAPublicKey(TSocket *Socket, Int_t key = 0);
   static void        SetAuthReUse(Bool_t authreuse);
   static void        SetDefaultUser(const char *defaultuser);
   static void        SetGlobalExpDate(TDatime expdate);
   static void        SetGlobalPasswd(const char *passwd);
   static void        SetGlobalPwHash(Bool_t pwhash);
   static void        SetGlobalSRPPwd(Bool_t srppwd);
   static void        SetGlobalUser(const char *user);
   static void        SetGlobusAuthHook(GlobusAuth_t func);
   static void        SetKrb5AuthHook(Krb5Auth_t func);
   static void        SetPromptUser(Bool_t promptuser);
   static void        SetDefaultRSAKeyType(Int_t key);
   static void        SetReadHomeAuthrc(Bool_t readhomeauthrc); // for PROOF
   static void        SetRSAInit(Int_t init = 1);
   static Int_t       SetRSAPublic(const char *rsapubexport, Int_t klen);
   static void        SetSecureAuthHook(SecureAuth_t func);
   static void        SetTimeOut(Int_t to);
   static void        Show(Option_t *opt="S");

   ClassDef(TAuthenticate,0)  // Class providing remote authentication service