module Propellor.Property.OpenId where

import Propellor.Base
import qualified Propellor.Property.File as File
import qualified Propellor.Property.Apt as Apt
import qualified Propellor.Property.Apache as Apache

import Data.List

-- | Openid provider, using the simpleid PHP CGI, with apache.
--
-- Runs on usual port by default. When a nonstandard port is specified,
-- apache is limited to listening only on that port. Warning: Specifying
-- a port won't compose well with other apache properties on the same
-- host.
--
-- It's probably a good idea to put this property inside a docker or
-- systemd-nspawn container.
providerFor :: [User] -> HostName -> Maybe Port -> Property (HasInfo + DebianLike)
providerFor users hn mp = propertyList desc $ props
        & Apt.serviceInstalledRunning "apache2"
        & apacheconfigured
        & simpleidInstalled
        & simpleidConfigured
        & identities
  where
        -- apache has to pick up the new CGI after the package lands
        simpleidInstalled = Apt.installed ["simpleid"]
                `onChange` Apache.restarted

        -- rewrite the base url line of the shipped config in place
        simpleidConfigured = File.fileProperty (desc ++ " configured")
                (map setbaseurl) "/etc/simpleid/config.inc"

        -- one identity file per user the provider vouches for
        identities = propertyList desc (toProps $ map identfile users)

        -- host, with a ":port" suffix only when a nonstandard port was given
        baseurl = hn ++ maybe "" (\p -> ':' : val p) mp

        -- NOTE(review): the base url is plain http, so simpleid itself is
        -- reached without TLS; if TLS is wanted it has to be terminated in
        -- front of apache (e.g. a reverse proxy on the host) -- confirm for
        -- the deployment in question.
        url = "http://" ++ baseurl ++ "/simpleid"
        desc = "openid provider " ++ url

        -- any line that mentions SIMPLEID_BASE_URL is replaced wholesale
        -- with our define; every other line passes through untouched
        setbaseurl l
                | "SIMPLEID_BASE_URL" `isInfixOf` l = baseurldefine
                | otherwise = l
        baseurldefine = "define('SIMPLEID_BASE_URL', '" ++ url ++ "');"

        -- default port: just the vhost; nonstandard port: additionally
        -- restrict apache to listening on that port only (see the Haddock
        -- warning about composing with other apache properties)
        apacheconfigured = maybe onDefaultPort onPort mp
        onDefaultPort = setupRevertableProperty $
                Apache.virtualHost hn (Port 80) "/var/www/html"
        onPort p = propertyList desc $ props
                & Apache.listenPorts [p]
                & Apache.virtualHost hn p "/var/www/html"

        -- the identity file content comes from privdata, keyed by the
        -- base url; it is written with an exposed (non-private) file mode
        -- because access is controlled by the identities directory itself
        identfile (User u) = File.hasPrivContentExposed
                (identityfile u)
                (Context baseurl)
        identityfile u = "/var/lib/simpleid/identities/" ++ u ++ ".identity"