// The client strips C++-style comments from this file, subject to the following restrictions:
// - Only C++-style single-line comments are allowed.
// - A comment must be the only thing on its line, apart from leading whitespace (space and tab).
// These restrictions make it possible to strip the comments without any knowledge of JSON before
// the text is passed to the JSON parser.
{
    // Timeout for all authentications, in seconds
    "timeout" : 30,

    // All groups known to the system, and what permissions we assign each group.
    "groups" : {
	// Each entry consists of the group's name, followed by properties for that group.
	"TEST" : {
	    // Maximum message size for this group.
	    "message_size" : 10240,

	    // Allow communicating to these groups. The empty string is the broadcast "group".
	    "groups" : [ "TEST" ]
	},

	// SSH key database.
	"KDB" : {
	    "message_size" : 102400,
	    "groups" : [ "KMGR", "AUTH" ]
	},

	// SSH key manager.
	"KMGR" : {
	    "message_size" : 102400,
	    "groups" : [ "KDB" ]
	},

	// Admin clients.
	"ADMC" : {
	    "message_size" : 1024000,
	    "groups" : [ "", "ADMC", "DB", "MS" ]
	},

	// Examiner clients.
	"EC" : {
	    "message_size" : 1024000,
	    "groups" : [ "", "MS", "EC" ]
	},

	// Student clients.
	"SC" : {
	    "message_size" : 102400,
	    "groups" : [ "MS" ]
	},

	// Message server.
	"MS" : {
	    "message_size" : 1024000,
	    "groups" : [ "", "EC", "SC" ]
	},

	// The "large" DB server.
	// Note: If Kerberos authentication is used, the DB needs to be able to reply to AUTH messages.
	"DB" : {
	    "message_size" : 1024000,
	    "groups" : [ "", "ADMC", "MS", "AUTH" ]
	},

	// The sandbox server.
	// Note: The auth server needs to be able to talk to the sandbox server when authenticating (anonymous) students.
	"SAND" : {
	    "message_size" : 102400,
	    "groups" : [ "AUTH", "ADMC", "DB" ]
	},

	// Command-line tool for sandbox management.
	"SAcl" : {
	    "message_size" : 102400,
	    "groups" : [ "SAND" ]
	}
    },

    // How should the system tie acquired identity strings to system IDs? The information here is
    // used by all authentication systems that figure out some kind of identity and need to tie that
    // to some kind of database ID.
    "identity" : {
	// Address of the server that holds all identities.
	"server" : {
	    "group" : "DB",
	    "id" : 1
	},

	// Mapping from group names to one or more categories that users in that group may belong
	// to. This lets the system know which tables to examine in a query, and roughly what
	// permissions are required for the different groups.
	"groups" : {
	    "SC" : [ "student" ],
	    "EC" : [ "staff", "admin" ],
	    "ADMC" : [ "admin" ],
	    // Note: This might not be a good idea in the long run. We should at least
	    // put "admin" here instead of "staff".
	    "KMGR" : [ "staff" ],
	    "SAcl" : [ "staff" ]
	}
    },

    // All authentication methods the auth server is going to support. Each method may appear multiple
    // times with different configuration if different groups are to be guarded with different levels
    // of security.
    "methods" : [
	{
	    // A list of groups that are allowed to authenticate using this method. This key is
	    // mandatory for every element of this list.
	    "allow" : [ "TEST", "EC", "SC", "MS", "ADMC", "DB", "SAND" ],

	    // The debug auth is the simplest: it accepts whatever identity the connected client
	    // claims. It is unsafe for production use, and is always disabled unless the
	    // "--debug" flag is given on the command line.
	    "type" : "debug"
	},
	{
	    "allow" : [ "DB", "MS", "KDB", "SAND" ],

	    // File system authentication. This works for clients on the same system as the
	    // authentication server (e.g. DB, ARLA), and relies on UNIX file permissions, so no
	    // certificates or similar credentials are needed.
	    "type" : "fs",

	    // Where to store the key files in the filesystem. Note: /tmp is shared and world-writable,
	    // so key files placed there are exposed to every local user; a dedicated directory owned
	    // by the auth server is safer.
	    "path" : "/tmp",

	    // Permissions of the file, as an octal mode string. 0770 restricts the key file to its
	    // owner and the group given below.
	    "permissions" : "0770",

	    // Group owner of the file. If absent or null, the group is left unchanged.
	    "group" : "aes_local_auth"
	},
	{
	    // Slightly different requirements for ADMC and the Key manager. Note: 0777 with no group
	    // makes these key files readable and writable by every local user, so the UNIX-permission
	    // check this method relies on offers no protection here; tighten the mode and set a group
	    // before using this outside testing.
	    "allow" : [ "ADMC", "KMGR", "SAcl" ],
	    "type" : "fs",
	    "path" : "/tmp",
	    "permissions" : "0777",
	    "group" : null
	},
	{
	    // Allow FS auth for the TEST group as well. The key files are world-accessible (0777, no
	    // group), which is only acceptable for testing.
	    "allow" : [ "TEST" ],
	    "type" : "fs",
	    "path" : "/tmp",
	    "permissions" : "0777",
	    "group" : null
	},
	{
	    // Allow authenticating EC, SC, ADMC, KMGR and SAcl with Kerberos.
	    "allow" : [ "EC", "SC", "ADMC", "KMGR", "SAcl" ],
	    "type" : "kerberos"
	},
	{
	    // Allow TEST, EC, SC, KMGR and SAcl with SSH.
	    "allow" : [ "TEST", "EC", "SC", "KMGR", "SAcl" ],
	    "type" : "ssh",

	    "identity_db" : {
		"group" : "KDB",
		"id" : 1
	    }
	}
    ]
}