<?php

class Profile {

    var $ZePrijavljen;
    var $ime;
    var $priimek;
    var $email;
    var $geslo;
    var $EncPass;

    var $LoggingIn;

	function __construct() {
		global $admin_type;
		global $lang;
		global $site_path;

		global $mysql_username;
		global $mysql_password;
		global $mysql_server;
		global $mysql_database_name;

		global $cookie_domain;

		// AAI prijava na vrh.
		if ($admin_type==-1 && isset ($_SERVER['Shib-Session-Index']) && isset ($_SERVER['eduPersonPrincipalName']) && isset ($_SERVER['mail']) && isset ($_SERVER['givenName']) && isset ($_SERVER['sn']) && $_SERVER['mail']!='') {
			// se prijavljam preko eduroam!
			$this->eduroamLogin();
		}

		if ($admin_type > -1) {

			$this->ZePrijavljen = true;
			$this->LoggingIn = false;

			$sql = sisplet_query ("SELECT name, surname, lang FROM users WHERE email='" .base64_decode ($_COOKIE['uid']) ."'");
			if ($r = mysqli_fetch_row ($sql)) {
				$this->ime =	$r[0];
				$this->priimek = $r[1];

				if (is_numeric ($r[2]) && $r[2] != "0" && $r[2]!=$lang['id']) {
					unset ($lang);
					include ($site_path .'lang/' .$r[2] .'.php');
				}

				$this->ime = CleanXSS ($this->ime);
				$this->priimek = CleanXSS ($this->priimek);
			}
		}

		else {
			if (isset ($_POST['mail']))	$this->email = strtolower ($_POST['mail']);
			if (isset ($_GET['mail']))	$this->email = strtolower ($_GET['mail']);
			if (isset ($_POST['pass']))	$this->pass = $_POST['pass'];

			$this->email = CleanXSS ($this->email);
			$this->pass = CleanXSS ($this->pass);

			$this->LoggingIn = true;
		}
	}

	
	function eduroamAnotherServerLogin() {
		global $pass_salt;
		global $cookie_domain;
		global $originating_domain;
		global $keep_domain;  
		
		// Popravimo string iz geta, ker ima nekje + namesto space
		$repaired_string = str_replace(' ', '+', $_GET['s']);
		
		// malo manj varno, ampak bo OK.
		$klobasa = base64_decode($repaired_string);
		
		
		// Dobimo array parametrov iz get-a
		$data = explode ("|", $klobasa);
		
		// Pridobimo maile - mozno da jih je vec, potem vzamemo prvega
		$mails = explode(";", $data[0]);
		sort($mails);
		$mail = $mails[0];
		
		$ime = $data[1];
		$priimek = $data[2];
		
		$njegova = $data[3];
		$moja = $data[4];		


		// Preverimo ce ima veljaven token (najprej pobrisemo stare)
		sisplet_query ("DELETE FROM aai_prenosi WHERE timestamp < (UNIX_TIMESTAMP() - 600);");
		$res = sisplet_query ("SELECT * FROM aai_prenosi WHERE moja='" .$moja ."' AND njegova='" .$njegova ."'");   
		
		if (mysqli_num_rows ($res) > 0) {
		
			$pass = base64_encode((hash('SHA256', "e5zhbWRTEGW&u375ejsznrtztjhdtz%WZ&" .$pass_salt)));

			// Preverimo ce obstaja user v bazi
			$result = sisplet_query ("SELECT pass, id FROM users WHERE email='" .$mail ."'");
			if (mysqli_num_rows ($result) == 0) {

				// dodaj ga v bazo
				$pass = base64_encode(hash('SHA256', "e5zhbWRTEGW&u375ejsznrtztjhdtz%WZ&" .$pass_salt));
                sisplet_query ("INSERT INTO users  (email, name, surname, type, pass, eduroam, when_reg) VALUES ('$mail', '$ime', '$priimek', '3', '" .$pass ."', '1', NOW())");
                
                // Pridobimo id dodanega userja
                $user_id = mysqli_insert_id($GLOBALS['connect_db']);
			}            
			else {
				// potegni geslo in mu daj kuki
				$r = mysqli_fetch_row ($result);
                
                $pass = $r[0];
                $user_id = $r[1];
			}

			$result = sisplet_query ("SELECT value FROM misc WHERE what='CookieLife'");
			$row = mysqli_fetch_row ($result);
			$LifeTime = $row[0];

			// Zlogiramo login
			sisplet_query ("UPDATE users SET last_login=NOW() WHERE id='".$user_id."'");
			
			// določi še, od kje se je prijavil
			$hostname="";
			$headers = apache_request_headers();
			if (array_key_exists('X-Forwarded-For', $headers)){
				$hostname=$headers['X-Forwarded-For'];
			} else {
				$hostname=$_SERVER["REMOTE_ADDR"];
			}

			sisplet_query ("INSERT INTO user_login_tracker (uid, IP, kdaj) VALUES ('".$user_id."', '" .$hostname ."', NOW())");

			setcookie ("uid", base64_encode($mail), time()+$LifeTime, '/', $cookie_domain);
			setcookie ("secret", $pass, time()+$LifeTime, '/', $cookie_domain);
			// moram vedeti, da je AAI!
			setcookie ("aai", '1', '/', $cookie_domain);

			$this->ZePrijavljen = true;

            // Moramo po registraciji vrec na kak URL
            $rxx = str_replace ($originating_domain, $keep_domain, '/admin/survey/');
            header ('location: '.$rxx.'?&l=1');
		}
		else 
			header ('location: /index.php'); 
	}
	
	function eduroamLogin() {
		global $pass_salt;
		global $cookie_domain;
		global $originating_domain;
		global $keep_domain;
		
		$mail = $_SERVER['mail'];
		$ime = $_SERVER['givenName'];
		$priimek = $_SERVER['sn'];
		$pass = base64_encode((hash('SHA256', "e5zhbWRTEGW&u375ejsznrtztjhdtz%WZ&" .$pass_salt)));

		$result = sisplet_query ("SELECT pass, id FROM users WHERE email='" .$mail ."'");
		if (mysqli_num_rows ($result) == 0) {
			// dodaj ga v bazo
			$pass = base64_encode((hash('SHA256', "e5zhbWRTEGW&u375ejsznrtztjhdtz%WZ&" .$pass_salt)));
            sisplet_query ("INSERT INTO users (email, name, surname, type, pass, eduroam) VALUES ('$mail', '$ime', '$priimek', '3', '" .$pass ."', '1')");
            
            // Pridobimo id dodanega userja
            $user_id = mysqli_insert_id($GLOBALS['connect_db']);
		}            
		else {
			// potegni geslo in mu daj kuki
            $r = mysqli_fetch_row ($result);
            
			$pass = $r[0];
			$user_id = $r[1];
		}

		$result = sisplet_query ("SELECT value FROM misc WHERE what='CookieLife'");
		$row = mysqli_fetch_row ($result);
		$LifeTime = $row[0];
		
		sisplet_query ("UPDATE users SET last_login=NOW() WHERE id='" .$user_id ."'");
		// določi še, od kje se je prijavil
		
		$hostname="";
		$headers = apache_request_headers();
		if (array_key_exists('X-Forwarded-For', $headers)){
			$hostname=$headers['X-Forwarded-For'];
		} else {
			$hostname=$_SERVER["REMOTE_ADDR"];
		}
		
		sisplet_query ("INSERT INTO user_login_tracker (uid, IP, kdaj) VALUES ('" .$user_id ."', '" .$hostname ."', NOW())");

		setcookie ("uid", base64_encode($mail), time()+$LifeTime, '/', $cookie_domain);
		setcookie ("secret", $pass, time()+$LifeTime, '/', $cookie_domain);
        setcookie("unam", base64_encode($ime.' '.$priimek),time() + $LifeTime, '/', $cookie_domain);

        // moram vedeti, da je AAI!
        setcookie("aai", '1', time() + $LifeTime, '/', $cookie_domain);

        // Piškotek za cca. 10 let, da mu naslednjić ponudimo prijavno
        setcookie('external-login', '1', time()+280000000, '/', $cookie_domain);

		$this->ZePrijavljen = true;

        // Moramo po registraciji vrec na kak URL
        $rxx = str_replace ($originating_domain, $keep_domain, '/admin/survey/');
        header ('location: '.$rxx.'?&l=1');
	}
	
	function GoogleLogin () {
		
		require_once ('../function/JWT.php');

		global $site_url;
		global $lang;
		global $proxy;
		
		$oauth2_code = $_GET['code'];
		$discovery = json_decode(file_get_contents('https://accounts.google.com/.well-known/openid-configuration'));
		
		if ($proxy != "") {
			$ctx = stream_context_create(array(
				'http' => array(
					'header'  => "Content-type: application/x-www-form-urlencoded\r\n",
					'method'  => 'POST',
					'content' => http_build_query(array(
						'client_id' => AppSettings::getInstance()->getSetting('google-login_client_id'),
						'client_secret' => AppSettings::getInstance()->getSetting('google-login_client_secret'),
						'code' => $oauth2_code,
						'grant_type' => 'authorization_code',
						'redirect_uri' => $site_url .'utils/google-oauth2.php',
						'openid.realm' => $site_url,
					)),
					'proxy' => 'tcp://' .$proxy,
				),
			));
			
		}
		else {
			$ctx = stream_context_create(array(
				'http' => array(
					'header'  => "Content-type: application/x-www-form-urlencoded\r\n",
					'method'  => 'POST',
					'content' => http_build_query(array(
						'client_id' => AppSettings::getInstance()->getSetting('google-login_client_id'),
						'client_secret' => AppSettings::getInstance()->getSetting('google-login_client_secret'),
						'code' => $oauth2_code,
						'grant_type' => 'authorization_code',
						'redirect_uri' => $site_url .'utils/google-oauth2.php',
						'openid.realm' => $site_url,
					)),
				),
			));
			
		}
		
		$resp = file_get_contents($discovery->token_endpoint, false, $ctx);
		if (!$resp) {
			// $http_response_header here got magically populated by file_get_contents(), surprise
			echo '<h1>' .$lang['oid_auth_rejected'] .'</h1>';
			echo '<p>' .$lang['google_auth_rejected'] .'</p>';

			echo '<ul><li>' .$lang['oid_maybe_you_rejected'] .'<a href="' .$site_url .'index.php?fl=8&lact=40">' .$lang['try_again'] .'</a></li><li>' .$lang['oid_maybe_local1'] .'<a href="' .$site_url .'index.php?fl=8&lact=20">' .$lang['oid_maybe_local2'] .'</a></li></ul>';
		}
		$resp = json_decode($resp);
		$access_token = $resp->access_token;
		$id_token = $resp->id_token;

		// Skip JWT verification: we got it directly from Google via https, nothing could go wrong.
		$id_payload = JWT::decode($resp->id_token, null, false);
		if (!$id_payload->sub) {
			echo '<h1>' .$lang['oid_auth_rejected'] .'</h1>';
			echo '<p>' .$lang['google_auth_rejected'] .'</p>';

			echo '<ul><li>' .$lang['oid_maybe_you_rejected'] .'<a href="' .$site_url .'index.php?fl=8&lact=40">' .$lang['try_again'] .'</a></li><li>' .$lang['oid_maybe_local1'] .'<a href="' .$site_url .'index.php?fl=8&lact=20">' .$lang['oid_maybe_local2'] .'</a></li></ul>';
		}

		$user_id = 'google+' . $id_payload->sub;
		$user_email = $id_payload->email;

		if ($user_email != '' && $user_id != '') {
			$this->email = $user_email;
			
			$res = sisplet_query ("SELECT pass FROM users WHERE email='" .$user_email ."'");
			
			// Je noter, ga samo prijavim...
			if (mysqli_num_rows ($res) > 0) {
				$r = mysqli_fetch_row ($res);

				$this->EncPass = $r[0];
					
				$this->Login();
			}
			// Ni se registriran, ga je potrebno dodati na prijavno formo
			else {
				// geslo med 00000 in zzzzz
				$this->pass = base_convert(mt_rand(0x19A100, 0x39AA3FF), 10, 36); 
				$this->EncPass = base64_encode((hash('SHA256', $this->pass .$pass_salt)));
				$this->email = $user_email;
							$fn = explode ("@", $user_email);
							
				sisplet_query ("INSERT INTO users 
								(name, surname, email, pass, lang, when_reg) 
								VALUES 
								('".$fn[0]."', '', '".$user_email."', '".$this->EncPass."', '".(isset ($_GET['regFromEnglish']) && $_GET['regFromEnglish']=="1"?'2':'1')."', NOW())");
				$uid = mysqli_insert_id($GLOBALS['connect_db']);

				sisplet_query ("INSERT INTO oid_users (uid) VALUES ('$uid')");

				// prijavi
				$this->Login();
			}
		}
	}
	
        
	function Login () {
		global $mysql_database_name;
		global $site_url;
		global $lang;
		global $pass_salt;

		global $cookie_domain;

		global $originating_domain;
		global $keep_domain;


		// if ($this->LoggingIn == true) {
		$mini = $this->email .$this->pass;

		for ($Stevec=0; $Stevec<strlen ($mini); $Stevec++)
		{
			$mini = str_replace ("'", "", $mini);
		}

		$result = sisplet_query ("SELECT value FROM misc WHERE what='CookieLife'");
		$row = mysqli_fetch_row ($result);
		$LifeTime = $row[0];

        if ((isset($_POST['remember']) && $_POST['remember'] == "1") || (isset($_COOKIE['remember-me']) && $_COOKIE['remember-me'] == 1)) {
            $LifeTime = 3600 * 24 * 365;
        } else {
            $LifeTime = $LifeTime;
        }

		$sql = sisplet_query("SELECT type, pass, status, id, name, surname, email FROM users WHERE email='" .$this->email ."'");
		if (mysqli_num_rows($sql) > 0)
		{
			$r = mysqli_fetch_row ($sql);

			// BAN
			if ($r[2] == 0)
			{
				header('Location: ' .$site_url .'index.php?fl=8&lact=12&ban=1&em=' .$this->email);
				die();
			}

			if (base64_encode((hash('SHA256', $this->pass .$pass_salt))) == $r[1] || $this->EncPass == $r[1])
			{

				sisplet_query ("UPDATE users SET last_login=NOW() WHERE id='" .$r[3] ."'");


                // določi še, od kje se je prijavil

                $hostname="";
                $headers = apache_request_headers();
                if (array_key_exists('X-Forwarded-For', $headers)){
                    $hostname=$headers['X-Forwarded-For'];
                } else {
                    $hostname=$_SERVER["REMOTE_ADDR"];
                }

                sisplet_query ("INSERT INTO user_login_tracker (uid, IP, kdaj) VALUES ('" .$r[3] ."', '" .$hostname ."', NOW())");

                                
				setcookie ("uid", base64_encode($this->email), time()+$LifeTime, '/', $cookie_domain);
                setcookie("unam", base64_encode($r[4].' '.$r[5]),time() + $LifeTime, '/', $cookie_domain);
				setcookie ("secret", $r[1], time()+$LifeTime, '/', $cookie_domain);

				if ($r[2] == "2" || $r[2] == "6"){
					setcookie ("P", time(), time()+$LifeTime, '/', $cookie_domain);
				}

				$this->ZePrijavljen = true;

                if (isset ($_POST['l']) && $_POST['l']!=''){
					header ('location: ' .$site_url .str_replace (base64_decode($_POST['l']), $site_url, ""));
				}

				// Moramo po registraciji vrec na kak URL
				$rxx = str_replace ($originating_domain, $keep_domain, '/admin/survey/');
				header ('location: '.$rxx.'?&l=1');
			}
			else{
				// Password prompt
				header ('location: ' .$site_url .'index.php?fl=8&lact=20&em=' .$this->email .(isset ($_GET['l'])?'&l=' .$_GET['l']:''));
				die();
			}
		}
		else{
			// Ni kul mail
			header ('location: ' .$site_url .'index.php?fl=8&lact=10&em=' .$this->email .(isset ($_GET['l'])?'&l=' .$_GET['l']:''));
			die();
		}
	}

	function Logout ($gohome='1') {
		global $site_url;
		global $cookie_domain;
		global $global_user_id;

		setcookie ('uid', '', time()-3600, '/', $cookie_domain);
		setcookie ('secret', '', time()-3600, '/', $cookie_domain);
		setcookie ('ME', '', time()-3600, '/', $cookie_domain);
		setcookie ('P', '', time()-3600, '/', $cookie_domain);
		setcookie ("AN", '', time()-3600, '/', $cookie_domain);
		setcookie ("AS", '', time()-3600, '/', $cookie_domain);
		setcookie ("AT", '', time()-3600, '/', $cookie_domain);
		
		setcookie("DP", $p, time()-3600*24*365, "/", $cookie_domain);
		setcookie("DC", $p, time()-3600*24*365, "/", $cookie_domain);
		setcookie("DI", $p, time()-3600*24*365, "/", $cookie_domain);
		setcookie("SO", $p, time()-3600*24*365, "/", $cookie_domain);
		setcookie("SPO", $p, time()-3600*24*365, "/", $cookie_domain);
		setcookie("SL", $p, time()-3600*24*365, "/", $cookie_domain);
		

		// pobrisi se naddomeno! (www.1ka.si naj pobrise se 1ka.si)
		if (substr_count ($cookie_domain, ".") > 1) {
			$nd = substr ($cookie_domain, strpos ($cookie_domain, ".")+1);

			setcookie ('uid', '', time()-3600, '/', $nd);
			setcookie ('secret', '', time()-3600, '/', $nd);
			setcookie ('ME', '', time()-3600, '/', $nd);
			setcookie ('P', '', time()-3600, '/', $nd);
			setcookie ("AN", '', time()-3600, '/', $nd);
			setcookie ("AS", '', time()-3600, '/', $nd);
			setcookie ("AT", '', time()-3600, '/', $nd);
		
			setcookie("DP", $p, time()-3600*24*365, "/", $nd);
			setcookie("DC", $p, time()-3600*24*365, "/", $nd);
			setcookie("DI", $p, time()-3600*24*365, "/", $nd);
			setcookie("SO", $p, time()-3600*24*365, "/", $nd);
			setcookie("SPO", $p, time()-3600*24*365, "/", $nd);
			setcookie("SL", $p, time()-3600*24*365, "/", $nd);
		}

        if (isset($_COOKIE['aai']) && !empty ($_COOKIE['aai']) && $_COOKIE['aai']=="1") {
            setcookie ("aai", '', time()-3600, '/', $cookie_domain);
            header ('location: https://aai.1ka.si/Shibboleth.sso/Logout?return=https://www.1ka.si');
            die();
        }                
		
		// Preusmerimo na domaco stran
		if ($gohome=='1') 	
			header('Location:' .$site_url);
    }

}