<?php

class ShibAuth
{

	/**
	 * Log user into master-server using the data provided by the current shibboleth session
	 * @param ?string $accessCode optional one-time access code to retreive session data via thrift
	 * @return array{status: string, firstName: string, lastName: string, mail: string, token: string, sessionId: string, userId: string, organizationId: string, url: string, error: string}
	 */
	private static function loginInternal(?string $accessCode = null): array
	{
		if ($accessCode !== null) {
			$entrop = strlen(count_chars($accessCode, 3));
			if (strlen($accessCode) < 32 || strlen($accessCode) > 64 || $entrop < 10) {
				return ['status' => 'error', 'error' => 'Malformed accessCode'];
			}
		}
		// Handle
		if (empty($_SERVER['persistent-id'])) {
			// No persistent id given, should not happen!
			file_put_contents('/tmp/shib-nopid-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true));
			return ['status' => 'error', 'error' => 'Shibboleth metadata missing!'];
		}
		// Query database for user
		// First, use persistent-id as-is
		$shibId = [ md5($_SERVER['persistent-id']) ];
		// ... but we might have multiple persistent IDs, split
		if (strpos($_SERVER['persistent-id'], ';') !== false) {
			foreach (explode(';', $_SERVER['persistent-id']) as $s) {
				if (empty($s))
					continue;
				$shibId[] = md5($s);
			}
		}
		// Figure out role
		if (strpos(";{$_SERVER['entitlement']};", CONFIG_ENTITLEMENT) !== false) {
			$role = 'TUTOR';
		} else if (strpos(";{$_SERVER[CONFIG_SCOPED_AFFILIATION]};", ';employee@') !== false
			|| strpos(";{$_SERVER[CONFIG_SCOPED_AFFILIATION]};", ';staff@') !== false
			|| strpos(";{$_SERVER[CONFIG_SCOPED_AFFILIATION]};", ';faculty@') !== false) {
			$role = 'TUTOR';
		} else {
			file_put_contents('/tmp/shib-student-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true));
			$role = 'STUDENT';
			// NEW: Ignore students for now
			return [
				'status' => 'error',
				'error' => "Sie wurden als Student eingestuft und können sich daher nicht an der " . CONFIG_SUITE . "-Suite anmelden."
					. "\nFalls Ihr Nutzerkonto kein Studentenkonto ist stellen Sie sicher, dass Ihr IdP für berechtigte"
					. "\nAccounts entweder das " . CONFIG_SUITE . "-Entitlement ausliefert, oder das Attribut " . CONFIG_SCOPED_AFFILIATION
					. "\nausgeliefert wird, und es entweder 'employee@..', 'staff@..' oder 'faculty@..' enthält."
					. "\n\nMehr Informationen finden Sie unter " . CONFIG_HELPURL
			];
			// end IGNORE STUDENTS
		}
		// Now we have an array of all persistent-ids, plus the raw string; see if any of those match
		$user = Database::queryFirst("SELECT user.userid, user.organizationid, user.firstname, user.lastname, user.email "
			. " FROM user "
			. " INNER JOIN organization USING (organizationid) "
			. " WHERE user.shibid IN (:shibid) LIMIT 1", array('shibid' => $shibId));
		if ($user === false) {
			// Not found, so we don't know which satellite to use
			if ($role === 'STUDENT') {
				$response['status'] = 'ok';
				$response['firstName'] = $_SERVER['givenName'] ?? 'Anonymous';
				$response['lastName'] = $_SERVER[CONFIG_SURNAME] ?? 'Student';
				$response['mail'] = $_SERVER['mail'] ?? 'void@none.invalid';
				$response['userId'] = $shibId;
				// Try to figure out orgId
				if (!isset($response['organizationId']) && isset($_SERVER[CONFIG_EPPN])) {
					if (preg_match('/@(.+)$/', $_SERVER[CONFIG_EPPN], $out)) {
						$out = Database::queryFirst("SELECT organizationid FROM organization_suffix WHERE suffix = :suffix", [
							'suffix' => $out[1]
						]);
						if ($out !== false) {
							$response['organizationId'] = $out['organizationid'];
						}
					}
				}
				if (!isset($response['organizationId']) && isset($_SERVER[CONFIG_SCOPED_AFFILIATION])) {
					if (preg_match('/(^|;)[^@]+@([^;]+)/', $_SERVER[CONFIG_SCOPED_AFFILIATION], $out)) {
						$out = Database::queryFirst("SELECT organizationid FROM organization_suffix WHERE suffix = :suffix", [
							'suffix' => $out[2]
						]);
						if ($out !== false) {
							$response['organizationId'] = $out['organizationid'];
						}
					}
				}
				// This one we send to the running master server handler
				$rpc = $response;
				$rpc['role'] = $role;
				if (isset($response['organizationId']) && $accessCode === null) {
					$response['satellites2'] = self::getSatelliteList($response['organizationId']);
				}
			} else {
				$response['status'] = 'unregistered';
				$response['error'] = 'Sie müssen sich erst für die Nutzung von ' . CONFIG_SUITE . ' registrieren';
			}
			$response['id'] = $shibId;
			$response['url'] = CONFIG_MASTERWEBIF;
			file_put_contents('/tmp/shib-unreg-' . time() . '-' . $_SERVER['REMOTE_ADDR'] . '.txt', print_r($_SERVER, true));
		} else {
			/*
			if (in_array($shibId, unserialize(CONFIG_ADMINS), true) || $shibId === '2fa5c3e020a5aca0cbf9a562268d5173-') {
				$role = 'STUDENT';
			}
			*/
			// Found, see if we got personal information, either temporarily through metadata, or from database
			$firstName = $user['firstname'];
			$lastName = $user['lastname'];
			$mail = $user['email'];
			if (empty($firstName) && isset($_SERVER['givenName']))
				$firstName = trim($_SERVER['givenName']);
			if (empty($lastName) && isset($_SERVER[CONFIG_SURNAME]))
				$lastName = trim($_SERVER[CONFIG_SURNAME]);
			if (empty($mail) && isset($_SERVER['mail']))
				$mail = trim($_SERVER['mail']);
			//
			$login = (empty($user['userid']) ? $shibId : $user['userid'] );
			if (empty($firstName) || empty($lastName) || empty($login)) {
				// This means the user did not provide personal information on signup, nor does the IdP send them
				$response['status'] = 'anonymous';
				$response['error'] = "Ihr IdP liefert nicht die erforderlichen Attribute\n"
					. CONFIG_SURNAME . ', ' . 'givenName' . ', ' . 'email';
			} else {
				// Seems ok!
				//
				$response['status'] = 'ok';
				$response['firstName'] = $firstName;
				$response['lastName'] = $lastName;
				$response['mail'] = $mail;
				$response['userId'] = $user['userid'];
				$response['organizationId'] = $user['organizationid'];
				// This one we send to the running master server handler
				$rpc = $response;
				$rpc['userId'] = $login;
				$rpc['role'] = $role;
				// This one we only send to the user
				$response['satellites2'] = self::getSatelliteList($user['organizationid']);
			}
		}

		if (isset($rpc)) {
			if ($accessCode !== null) {
				$rpc['accessCode'] = $accessCode;
			}
			$reply = RPC::submit($rpc);
			if (preg_match('/^TOKEN:(\w+) SESSIONID:(\w+)$/', $reply, $out)) {
				// For talking to the sat server, also referred to as userToken in Java
				$response['token'] = $out[1];
				// For talking to the master server - not known by satellite server, referred to as masterToken in Java
				$response['sessionId'] = $out[2];
			} else {
				if (empty($rpc['mail'])) {
					$reply .= ' (No email given)';
				}
				if (empty($rpc['firstName'])) {
					$reply .= ' (No first name given)';
				}
				if (empty($rpc['lastName'])) {
					$reply .= ' (No last name given)';
				}
				if (empty($rpc['organizationId'])) {
					$reply .= ' (No organization id found)';
				}
				$response['error'] = $reply;
				$response['status'] = 'error';
			}
		}
		return $response;
	}

	public static function login(?string $accessCode = null): array
	{
		$res = self::loginInternal($accessCode);
		if ($res['status'] !== 'ok' && isset($res['error']) && $accessCode !== null) {
			RPC::submit(['status' => 'error', 'error' => $res['error'], 'accessCode' => $accessCode]);
		}
		return $res;
	}

	private static function getSatelliteList($orgId)
	{
		// Determine satellite(s)
		$res = Database::simpleQuery("SELECT satellitename, addresses, certsha256 FROM satellite"
			. " WHERE organizationid = :organizationid AND userid IS NULL", array('organizationid' => $orgId));
		$sat2 = array();
		while ($row = $res->fetch(PDO::FETCH_ASSOC)) {
			$addrs = json_decode($row['addresses'], true);
			if (!is_array($addrs) || empty($addrs))
				continue;
			$sat2[$row['satellitename']] = array(
				'addresses' => $addrs,
				'certHash' => $row['certsha256']
			);
		}
		return $sat2;
	}

}