<?

use myPHPnotes\Microsoft\Auth;
use myPHPnotes\Microsoft\Handlers\Session;
use myPHPnotes\Microsoft\Models\User;
use Firebase\JWT\JWT;

require "vendor/autoload.php";
require "config.php";

session_start();

function checksetarray($base, $keys) {
        foreach ($keys as $key) {
                if (!isset($base[$key])) return false;
        }

        return true;
}

function fatal($string) {
	echo("error: $string\n");
	exit(1);
}

require 'db.php';

$auth = new Auth($tenant, $client_id,
	$client_secret, $callback, [ "User.Read" ]);

// this page serves two roles
// 1. the user is redirected from (for example) https://srv-ovc-linux.ovc.nl/kldv/ for authentication
//    - in this case, the user is redirected to microsoft to login
// 2. the user is redirected from microsoft with a authentication token to prove who the user is
//    - now the users is redirected back to https://srv-ovc-linux.ovc.nl/kldv/ with another token
//      to prove who the user is
// 
// Note 1: when the user is not redirected here, but visits this site by entering the URL
//         the user can still login and then he/she is presented with the contents of the
//         authentication token from microsoft
//
// Note 2: microsoft only accepts one callback, so this stuff makes it easy to use the same
//         callback for all services on srv-ovc-linux, the list of allowed callbacks
//         is in config.php

if (!isset($_GET['code'])) {
	// when $_GET['code'] is not set, we serve role 1

	db_exec('INSERT INTO attempts ( login_hint, redir, phpsessid, ipaddress, state ) VALUES ( SUBSTR(?, 1, 255), SUBSTR(?, 1, 255), ?, ?, ? )',
		isset($_GET['username'])?$_GET['username']:'',
		isset($_GET['redir'])?$_GET['redir']:'',
		session_id(), $_SERVER['REMOTE_ADDR'],
		isset($_GET['state'])?$_GET['state']:'');

	Session::set('attempt_id', db_last_insert_id());

	// a valid list of services on srv-ovc-linux on which this type of authentication is
	// supported is in the array $allowed_redir
	if (isset($_GET['redir']) && ($idx = array_search($_GET['redir'], $allowed_redir)))
		Session::set('redir', $allowed_redir[$idx]);
	else Session::set('redir', null);

	if (isset($_GET['state'])) Session::set('parentstate', $_GET['state']);
	else Session::set('parentstate', null);

	// the login page gives the user the option of keying in his/her username
	// it is then stripped (if it included @something.nl) and the the 
	// correct emaildomain is added 
	$login_hint = '';
	if (isset($_GET['username']) && ($username = trim($_GET['username']))) {
		if (!filter_var($username, FILTER_VALIDATE_EMAIL)) {
			// user did not specify an email address,
			// lookup this user in de database
			$domain = db_single_field("SELECT mail_domain FROM users WHERE mail_username = ?", $username);
			if (!$domain) { // not found, guess domain
				if (preg_match('/^[0-9]+$/', $username))
					$username .= '@ovc.asgleerling.nl';
				else if (preg_match('/^[a-z]+\.[a-z\-]+$/', $username))
					$username .= '@asg.nl';
			} else { // append domain from db
				$username .= '@'.$domain;
			}
		}
		$login_hint = '&login_hint='.urlencode("$username");
	}

	// redirect to microsoft
	header("Location: " . $auth->getAuthUrl().$login_hint);
} else {
	// when $_GET['code'] is set we assume that the user was redirected from microsoft
	// back to us, we verify the token and then either forward the information
	// to the service on srv-ovc-linux that requested the authentication or
	// just display the contents of the authentication token
	$tokens = $auth->getToken($_REQUEST['code'], $_REQUEST['state']);
	$accessToken = $tokens->access_token;
	$auth->setAccessToken($accessToken);
	$user = new User;

	$user_id = NULL;
	$email = $user->data->getUserPrincipalName();
	if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
		$splitemail = explode('@', $email);
		if (db_single_field("SELECT user_id FROM users WHERE mail_username = ?", $splitemail[0])) {
			db_exec(<<<EOQ
UPDATE users
SET mail_domain = ?, user_displayname = ?, user_jobtitle = ?,
	user_givenname = ?, user_surname = ?, user_guid = ?
WHERE mail_username = ?
EOQ,
					$splitemail[1],
					$user->data->getDisplayName(),
					$user->data->getJobTitle(),
					$user->data->getGivenName(),
					$user->data->getSurname(),
					$user->data->getId(),
					$splitemail[0]);
		} else {
			db_exec(<<<EOQ
INSERT INTO users ( mail_username, mail_domain, user_displayname, user_jobtitle, user_givenname, user_surname, user_guid )
	VALUES ( ?, ?, ?, ?, ?, ?, ? )
ON DUPLICATE KEY UPDATE mail_domain = ?, user_displayname = ?, user_jobtitle = ?,
	user_givenname = ?, user_surname = ?, user_guid = ?
EOQ,
					$splitemail[0], $splitemail[1],
					$user->data->getDisplayName(),
					$user->data->getJobTitle(),
					$user->data->getGivenName(),
					$user->data->getSurname(),
					$user->data->getId(),
					$splitemail[1],
					$user->data->getDisplayName(),
					$user->data->getJobTitle(),
					$user->data->getGivenName(),
					$user->data->getSurname(),
					$user->data->getId());
		}

		$user_id = db_single_field('SELECT user_id FROM users WHERE mail_username = ?',
				$splitemail[0]);
		db_exec('UPDATE attempts SET user_id = ? WHERE attempt_id = ?',
				$user_id, Session::get('attempt_id'));
	}
	if (Session::get('redir')) {
		$payload = [
			'exp' => time() + 16,
			'userPrincipalName' => $user->data->getUserPrincipalName(),
			'jobTitle' => $user->data->getJobTitle(),
			'state' => Session::get('parentstate'),
		];
		$jwt = JWT::encode($payload, $privateKey, 'EdDSA');
		//echo('Redir: '.Session::get('redir').'jwt='.$jwt."\n");
		header('Location: '.Session::get('redir').'jwt='.$jwt);
	} else {
		echo('<pre>');
		print_r($user);
		echo('</pre>');
	}
	
}

?>