<?php
namespace CorpusParole\Libraries\Handle;

use Log;


use Illuminate\Pagination\LengthAwarePaginator;
use Illuminate\Pagination\Paginator;

use phpseclib\Crypt\RSA;

// current_date = datetime.now()
// current_date_format = unicode(current_date.strftime('%Y-%m-%dT%H:%M:%SZ'))
// handle_record = {u'values': [
//     {u'index': 1, u'ttl': 86400, u'type': u'URL', u'timestamp': current_date_format, u'data': {u'value': u'http://www.ribaenterprises.com', u'format': u'string'}},
//     {u'index': 2, u'ttl': 86400, u'type': u'EMAIL', u'timestamp': current_date_format, u'data': {u'value': u'info@ribaenterprises.com', u'format': u'string'}},
//     {u'index': 100, u'ttl': 86400, u'type': u'HS_ADMIN', u'timestamp': current_date_format, u'data': {u'value': {u'index': 200, u'handle': unicode(auth_id), u'permissions': u'011111110011'}, u'format': u'admin'}}
// ], u'handle': unicode(handle), u'responseCode': 1}



// class to handle communication with Handle server API.
// inspired by : https://github.com/theNBS/handleserver-samples
class HandleClient {

    public function __construct($privateKeyOrCert, $pkpass, $adminId, $handleHost, $handlePort, $httpClient) {
        $this->session = null;
        $this->cert = null;
        $this->adminId = $adminId;
        $this->privateKeyRes = null;
        $this->privateKeyOrCert = $privateKeyOrCert;
        $this->pkpass = $pkpass;
        $this->handleHost = $handleHost;
        $this->handlePort = $handlePort;
        $this->httpClient = $httpClient;
        $this->guzzleOptions = ['verify' => false,];
    }

    public function __destruct () {
        $this->close();
    }

    public function close() {
        $this->deleteSession();
        $this->freeResources();
    }

    private function getBaseUrl() {
        return "https://$this->handleHost:$this->handlePort/api/";
    }

    private function getSessionAuthHeader() {
        return "Handle sessionId=$this->session";
    }

    private function generateClientNonce() {
        return openssl_random_pseudo_bytes(16);
    }

    private function getPrivateKeyRes() {
        if(is_null($this->privateKeyRes)) {
            $this->privateKeyRes = openssl_pkey_get_private($this->privateKeyOrCert, $this->pkpass);
        }
        return $this->privateKeyRes;
    }

    private function freeResources() {
        if(!empty($this->privateKeyRes)) {
            $privateKeyRes = $this->privateKeyRes;
            $this->privateKeyRes = null;
            openssl_free_key($privateKeyRes);
        }
    }

    private function signBytesDsa($str) {

        openssl_sign($str, $signature, $this->getPrivateKeyRes(), OPENSSL_ALGO_DSS1);

        return $signature;

    }

    private function signBytesRsa($str) {

        $rsa = new RSA();
        $rsa->setHash('sha256');
        if(!empty($this->pkpass)) {
            $rsa->setPassword($this->pkpass);
        }
        $keyContent = $this->privateKeyOrCert;
        if(is_file($keyContent)) {
            $keyContent = file_get_contents($keyContent);
        }
        $rsa->loadKey($keyContent);
        $rsa->setSignatureMode(RSA::SIGNATURE_PKCS1);

        return $rsa->sign($str);

    }



    private function createAuthorisationHeaderFromJson($jsonresp) {
        # Unpick number once (nonce) and session id from server response (this is the challenge)
        $serverNonce = base64_decode($jsonresp['nonce']);
        $this->sessionId = $jsonresp['sessionId'];

        # Generate a client number once (cnonce)
        $clientNonce = $this->generateClientNonce();
        $clientNonceStr = base64_encode($clientNonce);

        # Our response has to be the signature of server nonce + client nonce
        $combinedNonce = $serverNonce . $clientNonce;
        if($this->getPrivateKeyRes() === false) {
            throw new \Exception("HandleClient: can not read private res");
        }
        $keyDetails = openssl_pkey_get_details($this->getPrivateKeyRes());
        if($keyDetails === false) {
            throw new \Exception("HandleClient: can not read private key");
        }
        if($keyDetails['type']===OPENSSL_KEYTYPE_RSA) {
            $signature = $this->signBytesRsa($combinedNonce);
            $signAlg = 'SHA256';
        } elseif ($keyDetails['type']===OPENSSL_KEYTYPE_DSA) {
            $signature = $this->signBytesDsa($combinedNonce);
            $signAlg = 'SHA1';
        } else {
            throw new \Exception("HandleClient: $keyDetails[type] Format unknown");
        }
        $signatureStr = base64_encode($signature);

        $this->freeResources();
        # Build the authorisation header to send with the request
        # Use SHA1 for DSA keys; SHA256 can be used for RSA keys
        return $this->buildComplexAuthorizationString($signatureStr, $signAlg, $clientNonceStr);

    }

    private function buildComplexAuthorizationString($signatureString, $signAlg, $clientNonceString) {
        return "Handle " .
              "version=\"0\", " .
              "sessionId=\"$this->sessionId\", " .
              "cnonce=\"$clientNonceString\", " .
              "id=\"$this->adminId\", " .
              "type=\"HS_PUBKEY\", " .
              "alg=\"$signAlg\", " .
              "signature=\"$signatureString\"";
    }

    public function initSession() {

        if(!empty($this->session) || !empty($this->cert)) {
            return;
        }

        $headers = key_exists('headers', $this->guzzleOptions)?$this->guzzleOptions['headers']:[];
        $headers = array_merge($headers, [
            'Content-Type' => 'application/json;charset=UTF-8',
        ]);

        $certContent = $this->privateKeyOrCert;
        if(is_file($certContent)) {
            $certContent = file_get_contents($certContent);
        }
        if(openssl_x509_parse($certContent) !== false) {
            if(!empty($this->pkpass)) {
                $this->cert = [$this->privateKeyOrCert, $this->pkpass];
            } else {
                $this->cert = $this->privateKeyOrCert;
            }
            $headers['Authorization'] =  "Handle clientCert=\"true\"";
        } else {
            $url = $this->getBaseUrl()."sessions/";
            $challengeRes = $this->httpClient->post($url, ['verify' => false]);

            $jsonResp = json_decode($challengeRes->getBody(), true);
            $pkheaders = [
                'Content-Type' => 'application/json;charset=UTF-8',
                'Authorization' => $this->createAuthorisationHeaderFromJson($jsonResp)
            ];
            # Send the request again with a valid correctly signed Authorization header
            $sessionResp = $this->httpClient->put($url.'this', ['headers' => $pkheaders, 'verify' => false]);
            Log::debug('Create session with auth: '.$sessionResp->getStatusCode().' : '.$sessionResp->getReasonPhrase());

            $jsonResp = json_decode($sessionResp->getBody(), true);

            $this->session = $jsonResp['authenticated']?$jsonResp['sessionId']:"";
            $headers['Authorization'] = "Handle version=\"0\", sessionId=\"$this->session\"";

        }

        $this->guzzleOptions = array_merge($this->guzzleOptions, ['headers' => $headers, 'cert' => $this->cert]);

    }

    // will call a async method. Apart logging we do not really care in the result
    public function deleteSession() {
        if(empty($this->session)) {
            return;
        }
        $headers = [
            'Content-Type' => 'application/json;charset=UTF-8',
            'Authorization' => $this->getSessionAuthHeader()
        ];
        $url = $this->getBaseUrl()."sessions/this";
        // Do not really care of the response...
        $this->httpClient->deleteAsync($url, ['headers' => $headers, 'verify' => false]);
        $this->session = null;

    }

    /**
     * Paginate all handle as a paginator.
     *
     * @param  int  $perPage
     * @param  string  $pageName
     * @return \Illuminate\Contracts\Pagination\LengthAwarePaginator
     */
    public function paginateAll($prefix, $perPage = 15, $pageName = 'page', $page = null) {

        $this->initSession();

        $url = $this->getBaseUrl()."handles";

        $params = [
            'prefix' => $prefix,
            'page' => is_null($page)?0:$page-1,
            'pageSize' => $perPage
        ];

        $paginateRes = $this->httpClient->get($url, array_merge($this->guzzleOptions, ['query' => $params]));


        $paginateJson = json_decode($paginateRes->getBody(), true);

        $total = (int)$paginateJson['totalCount'];

        $results = $paginateJson['handles'];

        return new LengthAwarePaginator($results, $total, $perPage, $page, [
            'path' => Paginator::resolveCurrentPath(),
            'pageName' => $pageName,
        ]);

    }

    public function deleteHandle($handle) {
        $this->initSession();

        if($handle === $this->adminId) {
            throw new \Exception("HandleClient: can not delete admin handle");
        }
        $delUrl = $this->getBaseUrl()."handles/$handle";
        $delRes = $this->httpClient->delete($delUrl, $this->guzzleOptions);

        Log::debug('Delete Handle: '.$delRes->getStatusCode().': '.$delRes->getReasonPhrase());
    }

    public function createHandleUrlRecord($handle, $url) {
        $this->initSession();
        $currentDate = gmstrftime('%Y-%m-%dT%H:%M:%SZ');
        $handleRecord = [
          'values' => [
            ['index' => 1, 'ttl' => 86400, 'type' => 'URL', 'timestamp' => $currentDate, 'data' => ['value'=> $url, 'format'=> 'string']],
            ['index' => 100, 'ttl' => 86400, 'type' => 'HS_ADMIN', 'timestamp' => $currentDate, 'data' => [
                'value' => ['index' => 200, 'handle' => $this->adminId],
                'permissions' => '011111110011',
                'format' => 'admin'
              ]
            ]
          ],
          'handle' => $handle,
        ];

        $submitUrl = $this->getBaseUrl()."handles/$handle";

        $submitRes = $this->httpClient->put($submitUrl, array_merge($this->guzzleOptions, ['json' => $handleRecord, ]));

        Log::debug('Create Handle Url: '.$submitRes->getStatusCode().' : '.$submitRes->getReasonPhrase());
    }

}