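#!/usr/bin/python
# -*- coding: utf-8 -*-
from django.contrib.auth.backends import ModelBackend as DefaultModelBackend
from django.contrib.auth.models import User
from gdata.apps.service import AppsService
from gdata.service import BadAuthentication, CaptchaRequired
from django.conf import settings

"""
add to settings.py

# Google Apps specific for module auth
# The user needs Administrative rights to your domain to be able to do the sync
# Load the admin secret from the environment or a secret store rather than
# committing it; this account can read and provision every user in the domain.
GOOGLE_APPS_ADMIN_EMAIL = 'login@yourdomain.com'
GOOGLE_APPS_DOMAIN = 'yourdomain.com'
GOOGLE_APPS_ADMIN_SECRET = 'yourpassworld'

# Replace the path to where you put the file
AUTHENTICATION_BACKENDS = ('path.to.backends.GoogleAppsModelBackend',)
"""


class GoogleAppsModelBackend(DefaultModelBackend):
    """
    Using Google Apps Provisioning API to authenticate and create users.

    The submitted credentials are first checked against Google with
    ClientLogin. Accounts accepted by Google are mirrored into the local
    ``User`` table and re-synced on every login; accounts for which Google
    answers with a CAPTCHA challenge fall back to the local password check.
    """

    def authenticate(self, username=None, password=None):
        """Return the matching ``User`` or ``None`` when the login is rejected.

        username -- login name; the code treats it as the full e-mail address
                    (it is stored as the e-mail of newly created users and
                    the ``@GOOGLE_APPS_DOMAIN`` suffix is stripped for lookup).
        password -- clear-text password, forwarded to Google and, on the
                    local fallback path, to ``User.check_password``.
        """
        # Django may call this backend without credentials; there is nothing
        # to verify then, and username.replace() below would fail on None.
        if username is None or password is None:
            return None

        # Using correct username or password here does not matter since
        # we're using ClientLogin further down
        # NOTE(review): Google has deprecated ClientLogin password
        # authentication -- confirm this flow is still accepted before
        # relying on it.
        service = AppsService(email=settings.GOOGLE_APPS_ADMIN_EMAIL,
                              domain=settings.GOOGLE_APPS_DOMAIN,
                              password=settings.GOOGLE_APPS_ADMIN_SECRET)

        # Fix: the flag used to be initialised as `check_local_password`
        # while every later read used `check_local`, so a successful Google
        # login raised NameError instead of returning the user.
        check_local = False
        try:
            service.ClientLogin(username, password)
        except BadAuthentication:
            # If username is within domain but fails because of username or
            # password
            return None
        except CaptchaRequired:
            # Google asks for captcha if the email is outside your domain.
            # This can be used to create 'local' administrator accounts,
            # wallmounted statistics accounts etc.
            # NOTE(review): a CAPTCHA challenge may also be issued for
            # in-domain accounts (for instance after repeated failures) --
            # confirm. The fallback is then only as strong as the local
            # password: rows created below get no password argument, which
            # Django stores as an unusable password, so they cannot pass it.
            check_local = True

        # NOTE(review): nothing here checks that `username` ends with
        # '@' + GOOGLE_APPS_DOMAIN; the Google path relies on the
        # ClientLogin behaviour described above to keep other domains out.
        try:
            user = User.objects.get(username=username)
            if check_local and not user.check_password(password):
                # Not in google and not local. Go away!
                return None
        except User.DoesNotExist:
            if check_local:
                return None
            # create_user() already saves the new row.
            # NOTE(review): the row is created before RetrieveUser() below
            # confirms domain membership; if that call raises, the local
            # account is left behind -- consider creating it after the sync.
            user = User.objects.create_user(username=username, email=username)

        if not check_local:
            # Here we need to use a super user
            service = AppsService(email=settings.GOOGLE_APPS_ADMIN_EMAIL,
                                  domain=settings.GOOGLE_APPS_DOMAIN,
                                  password=settings.GOOGLE_APPS_ADMIN_SECRET)
            service.ProgrammaticLogin()
            # When a user logs in it is a good idea to sync if the user is
            # actually still allowed in the domain
            guser = service.RetrieveUser(
                username.replace('@%s' % settings.GOOGLE_APPS_DOMAIN, ''))
            if not self.google_apps_sync(guser, user):
                return None
        return user

    def google_apps_sync(self, guser, user):
        """Copy name, admin and suspension state from Google onto ``user``.

        Saves the user and returns ``user.is_active``, i.e. ``False`` when
        the Google account is suspended.
        """
        # Sync with google apps
        # We assume that username and email does not change
        user.first_name = guser.name.given_name
        user.last_name = guser.name.family_name
        # Privilege mapping: a Google Apps domain administrator becomes a
        # Django superuser, and loses that flag again once it is withdrawn.
        user.is_superuser = guser.login.admin == 'true'
        user.is_active = guser.login.suspended == 'false'
        user.save()
        return user.is_active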