/*
   Unix SMB/CIFS implementation.

   Winbind daemon - krb5 credential cache funcions

   Copyright (C) Guenther Deschner 2005
   
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 2 of the License, or
   (at your option) any later version.
   
   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.
   
   You should have received a copy of the GNU General Public License
   along with this program; if not, write to the Free Software
   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/

#include "includes.h"
#include "winbindd.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND

#define MAX_CCACHES 100 

static struct WINBINDD_CCACHE_ENTRY *ccache_list;

static TALLOC_CTX *mem_ctx;

const char *get_ccache_name_by_username(const char *username) 
{
	struct WINBINDD_CCACHE_ENTRY *entry;

	for (entry = ccache_list; entry; entry = entry->next) {
		if (strequal(entry->username, username)) {
			return entry->ccname;
		}
	}
	return NULL;
}

struct WINBINDD_CCACHE_ENTRY *get_ccache_by_username(const char *username)
{
	struct WINBINDD_CCACHE_ENTRY *entry;

	for (entry = ccache_list; entry; entry = entry->next) {
		if (strequal(entry->username, username)) {
			return entry;
		}
	}
	return NULL;
}

static int ccache_entry_count(void)
{
	struct WINBINDD_CCACHE_ENTRY *entry;
	int i = 0;

	for (entry = ccache_list; entry; entry = entry->next) {
		i++;
	}
	return i;
}

NTSTATUS remove_ccache_by_ccname(const char *ccname)
{
	struct WINBINDD_CCACHE_ENTRY *entry;

	for (entry = ccache_list; entry; entry = entry->next) {
		if (strequal(entry->ccname, ccname)) {
			DLIST_REMOVE(ccache_list, entry);
			TALLOC_FREE(entry->event); /* unregisters events */
#ifdef HAVE_MUNLOCK
			if (entry->pass) {	
				size_t len = strlen(entry->pass)+1;
#ifdef DEBUG_PASSWORD
				DEBUG(10,("unlocking memory: %p\n", entry->pass));
#endif
				memset(&(entry->pass), 0, len);
				if ((munlock(&entry->pass, len)) == -1) {
					DEBUG(0,("failed to munlock memory: %s (%d)\n", 
						strerror(errno), errno));
					return map_nt_error_from_unix(errno);
				}
#ifdef DEBUG_PASSWORD
				DEBUG(10,("munlocked memory: %p\n", entry->pass));
#endif
			}
#endif /* HAVE_MUNLOCK */
			TALLOC_FREE(entry);
			DEBUG(10,("remove_ccache_by_ccname: removed ccache %s\n", ccname));
			return NT_STATUS_OK;
		}
	}
	return NT_STATUS_OBJECT_NAME_NOT_FOUND;
}

static void krb5_ticket_refresh_handler(struct timed_event *te,
					const struct timeval *now,
					void *private_data)
{
	struct WINBINDD_CCACHE_ENTRY *entry =
		talloc_get_type_abort(private_data, struct WINBINDD_CCACHE_ENTRY);
	int ret;
	time_t new_start;
	struct timeval t;


	DEBUG(10,("krb5_ticket_refresh_handler called\n"));
	DEBUGADD(10,("event called for: %s, %s\n", entry->ccname, entry->username));

	TALLOC_FREE(entry->event);

#ifdef HAVE_KRB5

	/* Kinit again if we have the user password and we can't renew the old
	 * tgt anymore */

	if ((entry->renew_until < time(NULL)) && (entry->pass != NULL)) {
	     
		set_effective_uid(entry->uid);

		ret = kerberos_kinit_password_ext(entry->principal_name,
						  entry->pass,
						  0, /* hm, can we do time correction here ? */
						  &entry->refresh_time,
						  &entry->renew_until,
						  entry->ccname,
						  False, /* no PAC required anymore */
						  True,
						  WINBINDD_PAM_AUTH_KRB5_RENEW_TIME);
		gain_root_privilege();

		if (ret) {
			DEBUG(3,("could not re-kinit: %s\n", error_message(ret)));
			TALLOC_FREE(entry->event);
			return;
		}

		DEBUG(10,("successful re-kinit for: %s in ccache: %s\n", 
			entry->principal_name, entry->ccname));

		new_start = entry->refresh_time;

		goto done;
	}

	set_effective_uid(entry->uid);

	ret = smb_krb5_renew_ticket(entry->ccname, 
				    entry->principal_name,
				    entry->service,
				    &new_start);
	gain_root_privilege();

	if (ret) {
		DEBUG(3,("could not renew tickets: %s\n", error_message(ret)));
		/* maybe we are beyond the renewing window */
		return;
	}

done:

	t = timeval_set(new_start, 0);

	entry->event = add_timed_event(mem_ctx, 
				       t,
				       "krb5_ticket_refresh_handler",
				       krb5_ticket_refresh_handler,
				       entry);

#endif
}

NTSTATUS add_ccache_to_list(const char *princ_name,
			    const char *ccname,
			    const char *service,
			    const char *username, 
			    const char *sid_string,
			    const char *pass,
			    uid_t uid,
			    time_t create_time, 
			    time_t ticket_end, 
			    time_t renew_until, 
			    BOOL schedule_refresh_event)
{
	struct WINBINDD_CCACHE_ENTRY *new_entry = NULL;
	struct WINBINDD_CCACHE_ENTRY *old_entry = NULL;
	NTSTATUS status;

	if ((username == NULL && sid_string == NULL && princ_name == NULL) || 
	    ccname == NULL) {
		return NT_STATUS_INVALID_PARAMETER;
	}

	status = init_ccache_list();
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	if (mem_ctx == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	if (ccache_entry_count() + 1 > MAX_CCACHES) {
		DEBUG(10,("add_ccache_to_list: max number of ccaches reached\n"));
		return NT_STATUS_NO_MORE_ENTRIES;
	}

	/* get rid of old entries */
	old_entry = get_ccache_by_username(username);
	if (old_entry) {
		status = remove_ccache_by_ccname(old_entry->ccname);
		if (!NT_STATUS_IS_OK(status)) {
			DEBUG(10,("add_ccache_to_list: failed to delete old ccache entry\n"));
			return status;
		}
	}
	
	new_entry = TALLOC_P(mem_ctx, struct WINBINDD_CCACHE_ENTRY);
	if (new_entry == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	ZERO_STRUCTP(new_entry);

	if (username) {
		new_entry->username = talloc_strdup(mem_ctx, username);
		NT_STATUS_HAVE_NO_MEMORY(new_entry->username);
	}
	if (sid_string) {
		new_entry->sid_string = talloc_strdup(mem_ctx, sid_string);
		NT_STATUS_HAVE_NO_MEMORY(new_entry->sid_string);
	}
	if (princ_name) {
		new_entry->principal_name = talloc_strdup(mem_ctx, princ_name);
		NT_STATUS_HAVE_NO_MEMORY(new_entry->principal_name);
	}
	if (service) {
		new_entry->service = talloc_strdup(mem_ctx, service);
		NT_STATUS_HAVE_NO_MEMORY(new_entry->service);
	}

	if (schedule_refresh_event && pass) {
#ifdef HAVE_MLOCK
		size_t len = strlen(pass)+1;
		
		new_entry->pass = TALLOC_ZERO(mem_ctx, len);
		NT_STATUS_HAVE_NO_MEMORY(new_entry->pass);
		
#ifdef DEBUG_PASSWORD
		DEBUG(10,("mlocking memory: %p\n", new_entry->pass));
#endif		
		if ((mlock(new_entry->pass, len)) == -1) {
			DEBUG(0,("failed to mlock memory: %s (%d)\n", 
				strerror(errno), errno));
			return map_nt_error_from_unix(errno);
		} 
		
#ifdef DEBUG_PASSWORD
		DEBUG(10,("mlocked memory: %p\n", new_entry->pass));
#endif		
		memcpy(new_entry->pass, pass, len);
#else
		new_entry->pass = talloc_strdup(mem_ctx, pass);
		NT_STATUS_HAVE_NO_MEMORY(new_entry->pass);
#endif /* HAVE_MLOCK */
	}

	new_entry->create_time = create_time;
	new_entry->renew_until = renew_until;
	new_entry->ccname = talloc_strdup(mem_ctx, ccname);
	if (new_entry->ccname == NULL) {
		return NT_STATUS_NO_MEMORY;
	}
	new_entry->uid = uid;


	if (schedule_refresh_event && renew_until > 0) {

		struct timeval t = timeval_set((ticket_end -1 ), 0);

		new_entry->event = add_timed_event(mem_ctx, 
						   t,
						   "krb5_ticket_refresh_handler",
						   krb5_ticket_refresh_handler,
						   new_entry);
	}

	DLIST_ADD(ccache_list, new_entry);

	DEBUG(10,("add_ccache_to_list: added ccache [%s] for user [%s] to the list\n", ccname, username));

	return NT_STATUS_OK;
}

NTSTATUS destroy_ccache_list(void)
{
#ifdef HAVE_MUNLOCKALL
	if ((munlockall()) == -1) {
		DEBUG(0,("failed to unlock memory: %s (%d)\n", 
			strerror(errno), errno));
		return map_nt_error_from_unix(errno);
	}
#endif /* HAVE_MUNLOCKALL */
	return talloc_destroy(mem_ctx) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
}

NTSTATUS init_ccache_list(void)
{
	if (ccache_list) {
		return NT_STATUS_OK;
	}

	mem_ctx = talloc_init("winbindd_ccache_krb5_handling");
	if (mem_ctx == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	ZERO_STRUCTP(ccache_list);

	return NT_STATUS_OK;
}