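# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# This Source Code Form is "Incompatible With Secondary Licenses", as
# defined by the Mozilla Public License, v. 2.0.

package Bugzilla::Config::Auth;

use 5.10.1;
use strict;
use warnings;

use Bugzilla::Config::Common;
use Types::Standard qw(Tuple Maybe);
use Types::Common::Numeric qw(PositiveInt);

# NOTE(review): presumably orders this parameter panel relative to the other
# Bugzilla::Config::* panels; the consumer is not visible in this file.
our $sortkey = 300;

# Returns the parameter definitions for the authentication panel as a list of
# hashrefs. Each entry carries a name, a type code, a default and, optionally,
# a list of choices and a checker callback. The type codes ('t', 's', 'o',
# 'b', 'l') are interpreted by the parameter editor, which is not part of
# this file. Checkers without a leading underscore are not defined here and
# are expected to come from Bugzilla::Config::Common.
sub get_param_list {
  my $class = shift;

  my @param_list = (
    {name => 'auth_env_id',       type => 't', default => '',},
    {name => 'auth_env_email',    type => 't', default => '',},
    {name => 'auth_env_realname', type => 't', default => '',},

    # XXX in the future:
    #
    # user_verify_class and user_info_class should have choices gathered from
    # whatever sits in their respective directories
    #
    # rather than comma-separated lists, these two should eventually become
    # arrays, but that requires alterations to editparams first

    {
      name    => 'user_info_class',
      type    => 's',
      choices => ['CGI', 'Env', 'Env,CGI'],
      default => 'CGI',
      checker => \&check_multi
    },

    {
      name    => 'user_verify_class',
      type    => 'o',
      choices => ['DB', 'RADIUS', 'LDAP'],
      default => 'DB',
      checker => \&check_user_verify_class
    },

    {
      name    => 'rememberlogin',
      type    => 's',
      choices => ['on', 'defaulton', 'defaultoff', 'off'],
      default => 'on',
      checker => \&check_multi
    },

    {name => 'requirelogin', type => 'b', default => '0'},

    {name => 'webservice_email_filter', type => 'b', default => 0},

    # NOTE(review): the default pattern is anchored with '$', which in Perl
    # also matches just before a trailing newline. Whether that matters
    # depends on how callers apply the pattern (not visible here); '\z' is
    # the strict end-of-string anchor if a site overrides this value.
    {
      name    => 'emailregexp',
      type    => 't',
      default => q:^[\\w\\.\\+\\-=]+@[\\w\\.\\-]+\\.[\\w\\-]+$:,
      checker => \&check_regexp
    },

    {
      name    => 'emailregexpdesc',
      type    => 'l',
      default => 'A legal address must contain exactly one \'@\', and at least '
        . 'one \'.\' after the @.'
    },

    {name => 'emailsuffix', type => 't', default => ''},

    # NOTE(review): the default '.*' matches every address. Presumably this
    # pattern gates self-service account creation, so restricted
    # installations should tighten it -- confirm against the caller.
    {
      name    => 'createemailregexp',
      type    => 't',
      default => q:.*:,
      checker => \&check_regexp
    },

    # The shipped default applies no complexity constraints.
    {
      name    => 'password_complexity',
      type    => 's',
      choices => ['no_constraints', 'bmo'],
      default => 'no_constraints',
      checker => \&check_multi
    },

    {name => 'password_check_on_login', type => 'b', default => '1'},

    # passwdqc_* values are validated by the checkers defined further down in
    # this file, or by check_numeric.
    {
      name    => 'passwdqc_min',
      type    => 't',
      default => 'undef, 24, 11, 8, 7',
      checker => \&_check_passwdqc_min,
    },

    {
      name    => 'passwdqc_max',
      type    => 't',
      default => '40',
      checker => \&_check_passwdqc_max,
    },

    {
      name    => 'passwdqc_passphrase_words',
      type    => 't',
      default => '3',
      checker => \&check_numeric,
    },

    {
      name    => 'passwdqc_match_length',
      type    => 't',
      default => '4',
      checker => \&check_numeric,
    },

    {
      name    => 'passwdqc_random_bits',
      type    => 't',
      default => '47',
      checker => \&_check_passwdqc_random_bits,
    },

    {
      name    => 'passwdqc_desc',
      type    => 'l',
      default => 'The password must be complex.',
    },

    {name => 'auth_delegation', type => 'b', default => 0,},

    # NOTE(review): the duo_* values look like Duo integration settings, and
    # duo_akey / duo_skey are presumably secrets. They are declared as
    # ordinary text parameters, so wherever parameters are persisted or
    # displayed should be access-restricted -- confirm how params are stored.
    {name => 'duo_host', type => 't', default => '',},
    {name => 'duo_akey', type => 't', default => '',},
    {name => 'duo_ikey', type => 't', default => '',},
    {name => 'duo_skey', type => 't', default => '',},

    {
      name    => 'mfa_group',
      type    => 's',
      choices => \&get_all_group_names,
      default => '',
      checker => \&check_group,
    },

    {
      name    => 'mfa_group_grace_period',
      type    => 't',
      default => '7',
      checker => \&check_numeric,
    }
  );

  return @param_list;
}

# Shape of a parsed passwdqc_min value: exactly five slots, each either undef
# or a positive integer.
my $passwdqc_min = Tuple [
  Maybe [PositiveInt],
  Maybe [PositiveInt],
  Maybe [PositiveInt],
  Maybe [PositiveInt],
  Maybe [PositiveInt],
];

# Validates the passwdqc_min parameter.
#
# $value is a comma-separated string of five entries, each either the literal
# word 'undef' or a positive integer. Returns an empty string when the value
# is acceptable, otherwise a message describing the problem.
sub _check_passwdqc_min {
  my ($value) = @_;
  my @values = map { $_ eq 'undef' ? undef : $_ } split(/\s*,\s*/, $value);

  unless ($passwdqc_min->check(\@values)) {
    return "must be list of five values, that are either integers > 0 or undef";
  }

  # Every defined entry must be no larger than the closest defined entry
  # before it. The reference value is advanced on each defined entry;
  # comparing only against the first defined entry would let a list such as
  # 'undef, 24, 11, 8, 12' through and weaken the ordering the policy relies
  # on.
  my ($prev, $prev_pos);
  my $pos = 0;
  foreach my $entry (@values) {
    if (defined $entry) {
      if (defined $prev && $entry > $prev) {
        return "Int$pos is larger than Int$prev_pos ($prev)";
      }
      $prev     = $entry;
      $prev_pos = $pos;
    }
    $pos++;
  }
  return "";
}

# Validates the passwdqc_max parameter: a positive integer strictly greater
# than 8. Returns an empty string on success, otherwise an error message.
# NOTE(review): the floor of 8 presumably mirrors special handling of max=8
# in passwdqc -- confirm against the library documentation.
sub _check_passwdqc_max {
  my ($value) = @_;
  return "must be a positive integer" unless PositiveInt->check($value);
  return "must be greater than 8"     unless $value > 8;
  return "";
}

# Validates the passwdqc_random_bits parameter: a positive integer in the
# range 24..85 inclusive. Returns an empty string on success, otherwise an
# error message.
sub _check_passwdqc_random_bits {
  my ($value) = @_;
  return "must be a positive integer" unless PositiveInt->check($value);
  return "must be between 24 and 85 inclusive"
    unless $value >= 24 && $value <= 85;
  return "";
}

1;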