<?php
/**
 *    Copyright (C) 2015 Deciso B.V.
 *
 *    All rights reserved.
 *
 *    Redistribution and use in source and binary forms, with or without
 *    modification, are permitted provided that the following conditions are met:
 *
 *    1. Redistributions of source code must retain the above copyright notice,
 *       this list of conditions and the following disclaimer.
 *
 *    2. Redistributions in binary form must reproduce the above copyright
 *       notice, this list of conditions and the following disclaimer in the
 *       documentation and/or other materials provided with the distribution.
 *
 *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
 *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
 *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
 *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 *    POSSIBILITY OF SUCH DAMAGE.
 *
 */

namespace OPNsense\Auth;

use OPNsense\Core\Config;

/**
 * Class API key/secret database connector (connect to legacy xml structure).
 * @package OPNsense\Auth
 */
class API implements IAuthConnector
{
    /**
     * @var array internal list of authentication properties
     */
    private $lastAuthProperties = array();

    /**
     * set connector properties
     * @param array $config connection properties
     */
    public function setProperties($config)
    {
        // local api authenticator doesn't use any additional settings.
    }

    /**
     * unused
     * @return array mixed named list of authentication properties
     */
    public function getLastAuthProperties()
    {
        return $this->lastAuthProperties;
    }


    /**
     * generate a new api key for an existing user
     * @param $username username
     * @return array|null apikey/secret pair
     */
    public function createKey($username)
    {
        $configObj = Config::getInstance()->object();
        foreach ($configObj->system->children() as $key => $value) {
            if ($key == 'user' && (string)$username == (string)$value->name) {
                if (!isset($value->apikeys)) {
                    $apikeys = $value->addChild('apikeys');
                } else {
                    $apikeys = $value->apikeys;
                }
                $item = $apikeys->addChild('item');

                $newKey = base64_encode(openssl_random_pseudo_bytes(60));
                $newSecret = base64_encode(openssl_random_pseudo_bytes(60));

                $item->addChild('key', $newKey);
                $item->addChild('secret', crypt($newSecret, '$6$'));
                Config::getInstance()->save();
                $response = array('key' => $newKey, 'secret' => $newSecret);
                return $response;
            }
        }
        return null;
    }

    /**
     * remove user api key
     * @param string $username username
     * @param string $apikey api key
     * @return bool key found
     */
    public function dropKey($username, $apikey)
    {
        $configObj = Config::getInstance()->object();
        foreach ($configObj->system->children() as $key => $value) {
            if ($key == 'user' && (string)$username == (string)$value->name) {
                if (isset($value->apikeys)) {
                    $indx=0;
                    foreach ($value->apikeys->children() as $apiNodeId => $apiNode) {
                        if ($apiNodeId == 'item' && (string)$apiNode->key == $apikey) {
                            unset($value->apikeys->item[$indx]);
                            Config::getInstance()->save();
                            return true;
                        }
                        $indx++;
                    }
                }
            }
        }
        return false;
    }

    /**
     * authenticate user against local database (in config.xml)
     * @param string $username username to authenticate
     * @param string $password user password
     * @return bool authentication status
     */
    public function authenticate($username, $password)
    {
        // reset auth properties
        $this->lastAuthProperties = array();

        // search local user in database
        $configObj = Config::getInstance()->object();
        $userObject = null;
        $apiKey = null;
        $apiSecret = null;
        foreach ($configObj->system->children() as $key => $value) {
            if ($key == 'user') {
                if (!empty($value->apikeys)) {
                    foreach ($value->apikeys->children() as $apikey) {
                        if (!empty($apikey->key) &&  (string)$apikey->key == $username) {
                            // api key found, stop search
                            $userObject = $value;
                            $apiSecret = (string)$apikey->secret;
                            break;
                        }
                    }
                }
            }
        }

        if ($userObject != null) {
            if (isset($userObject->disabled)) {
                // disabled user
                return false;
            }
            if (!empty($userObject->expires)
                && strtotime("-1 day") > strtotime(date("m/d/Y", strtotime((string)$userObject->expires)))) {
                // expired user
                return false;
            }
            $passwd = crypt($password, $apiSecret);
            if ($passwd == $apiSecret) {
                // password ok, return successfully authentication
                $this->lastAuthProperties['username'] = (string)$userObject->name;
                return true;
            }
        }

        return false;
    }
}