<?php //$Id$
//Copyright (c) 2012-2016 Pierre Pronchery <khorben@defora.org>
//This file is part of DeforaOS Web DaPortal
//
//This program is free software: you can redistribute it and/or modify
//it under the terms of the GNU General Public License as published by
//the Free Software Foundation, version 3 of the License.
//
//This program is distributed in the hope that it will be useful,
//but WITHOUT ANY WARRANTY; without even the implied warranty of
//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
//GNU General Public License for more details.
//
//You should have received a copy of the GNU General Public License
//along with this program.  If not, see <http://www.gnu.org/licenses/>.


//SessionAuth
class SessionAuth extends Auth
{
	//protected
	//methods
	//SessionAuth::match
	protected function match(Engine $engine)
	{
		//return the result cached if called twice
		if($this->match_score !== FALSE)
			return $this->match_score;
		if(!function_exists('session_get_cookie_params')
				|| !isset($_SERVER['SCRIPT_NAME'])
				|| !isset($_SERVER['SERVER_PROTOCOL']))
		{
			$this->match_score = 0;
			return 0;
		}
		@ini_set('session.use_only_cookies', 1);
		@ini_set('session.use_trans_sid', 0);
		$params = session_get_cookie_params();
		//XXX probably not always as strict as it could be
		$params['path'] = dirname($_SERVER['SCRIPT_NAME']);
		if(isset($_SERVER['HTTP_HOST']))
		{
			$domain = $_SERVER['HTTP_HOST'];
			if(($pos = strpos($domain, ':', 1)) !== FALSE)
				$domain = substr($domain, 0, $pos);
			$params['domain'] = $domain;
		}
		if(isset($_SERVER['HTTPS']))
			$params['secure'] = 1;
	       	//XXX we may have to set it to 0 later
		$params['httponly'] = 1;
		session_set_cookie_params($params['lifetime'], $params['path'],
				$params['domain'], $params['secure'],
				$params['httponly']);
		$this->match_score = @session_start() ? 100 : 0;
		session_write_close();
		return $this->match_score;
	}


	//SessionAuth::attach
	protected function attach(Engine $engine)
	{
		//attaching depends on the code in match()
		$this->match($engine);
	}


	//public
	//accessors
	//SessionAuth::getCredentials
	public function getCredentials(Engine $engine)
	{
		$uid = $this->getVariable($engine, 'SessionAuth::uid');
		$username = $this->getVariable($engine,
				'SessionAuth::username');

		if($uid === FALSE || $uid == 0 || $username === FALSE)
			return parent::getCredentials($engine);
		$user = User::lookup($engine, $username, $uid);
		if($user === FALSE || $user->isLocked())
			return parent::getCredentials($engine);
		$cred = new AuthCredentials($user->getUserID(),
				$user->getUsername(), $user->getGroupID(),
				$user->getGroupname(), $user->isAdmin());
		parent::setCredentials($engine, $cred);
		return parent::getCredentials($engine);
	}


	//SessionAuth::getVariable
	public function getVariable(Engine $engine, $variable)
	{
		if(isset($_SESSION[$variable]))
			return $_SESSION[$variable];
		return FALSE;
	}


	//SessionAuth::setCredentials
	public function setCredentials(Engine $engine,
			AuthCredentials $credentials = NULL)
	{
		global $config;

		if(is_null($credentials))
			$credentials = new AuthCredentials();
		//avoid session-fixation attacks
		session_start();
		$message = 'Could not regenerate the session';
		if($config->get('auth::session', 'regenerate') == 1
				&& session_regenerate_id(TRUE) !== TRUE)
			$engine->log(LOG_WARNING, $message);
		$this->_setVariable($engine, 'SessionAuth::uid',
				$credentials->getUserID());
		$this->_setVariable($engine, 'SessionAuth::username',
				$credentials->getUsername());
		session_write_close();
		return parent::setCredentials($engine, $credentials);
	}


	//SessionAuth::setIdempotent
	public function setIdempotent(Engine $engine, Request &$request,
			$idempotent)
	{
		if($idempotent === TRUE)
		{
			$request->setIdempotent(TRUE);
			return;
		}
		//prevent CSRF attacks
		$idempotent = TRUE;
		if(($token = $request->get('_token')) === FALSE)
			return TRUE;
		//remove token from the request
		$parameters = $request->getParameters();
		unset($parameters['_token']);
		$request = new Request($request->getModule(),
			$request->getAction(), $request->getID(),
			$request->getTitle(), $parameters);
		//check for the availability of tokens
		if(!isset($_SESSION['tokens'])
				|| !is_array($_SESSION['tokens']))
			return TRUE;
		//delete old tokens
		foreach($_SESSION['tokens'] as $k => $v)
			if($v < time())
				unset($_SESSION['tokens'][$k]);
		if(isset($_SESSION['tokens'][$token]))
		{
			//the request is not idempotent
			unset($_SESSION['tokens'][$token]);
			$idempotent = FALSE;
		}
		$request->setIdempotent($idempotent);
	}


	//SessionAuth::setVariable
	public function setVariable(Engine $engine, $variable, $value)
	{
		//XXX errors when output has already started can be ignored
		@session_start();
		$ret = $this->_setVariable($engine, $variable, $value);
		session_write_close();
		return $ret;
	}
	private function _setVariable(Engine $engine, $variable, $value)
	{
		$_SESSION[$variable] = $value;
		return TRUE;
	}


	//private
	//properties
	private $match_score = FALSE;
}

?>