<?php
//--------------------------------------------------------------------------
// Copyright 2016, RIoT International Pty Ltd
//
// @author Aaron Ardiri
//--------------------------------------------------------------------------

date_default_timezone_set("Europe/Stockholm");

class constants
{
  const ERR_OK             = 200;
  const ERR_BAD_REQUEST    = 400;
  const ERR_UNAUTHORIZED   = 401;
  const ERR_SERVER_ERROR   = 500;
}
$code = constants::ERR_OK;

// no status
$status = 0;

//--------------------------------------------------------------------------
// global function extensions
//--------------------------------------------------------------------------

$func_index   = array();
$func_hash    = array();
$func_prime   = array();
$func_encrypt = array();
$func_decrypt = array();

include "security.none.inc";
include "security.rot13.inc";

//--------------------------------------------------------------------------
// session initialization
//--------------------------------------------------------------------------

if ($_SERVER['REQUEST_METHOD'] === 'POST')
{
  // grab the contents of the request
  $data = file_get_contents("php://input");

  // lets try and parse the raw JSON and make sense of it
  $json = json_decode($data);
  if (json_last_error() == JSON_ERROR_NONE)
  {
    // pre-requisites
    if ((!isset($json->guid)) ||
        (!isset($json->security->protocol)) ||
        (!isset($json->security->response)) ||
        (!isset($json->security->protocol_sub))) goto bad_request;

    // what is the global unique identifier of the resource
    $guid = $json->guid;

    // generate a session id based on the guid + server timestamp
    $ses = md5($guid).uniqid();

    //----------------------------------------------------------------------
    // perform client validation
    //----------------------------------------------------------------------

    // what security protocol has been defined for client validation
    $sec = $json->security->protocol;
    if (array_key_exists($sec, $func_index))
    {
      // the security protocol uses a token and hash
      $tok  = base64_decode($json->security->token);
      $hash = base64_decode($json->security->thash);

      // call the appropriate hash validation function
      if (!call_user_func_array($func_hash[$sec], 
                                array($ses, $tok, $hash)))
      {
        $code = constants::ERR_UNAUTHORIZED;
        goto request_done;
      }

      // we are done with the variables now
      unset($tok);
      unset($hash);
    }
    else 
      goto bad_request;

    //----------------------------------------------------------------------
    // client-server communication initialization
    //----------------------------------------------------------------------

    // what protocol has the client requested for future communications
    $sec = $json->security->protocol_sub;
    if (array_key_exists($sec, $func_index))
    {
      // we need to initialize the future communications protocol
      if (!call_user_func_array($func_prime[$sec], 
                                array($ses, &$par, &$tok)))
      {
        $code = constants::ERR_SERVER_ERROR;
        goto request_done;
      }
    }
    else
      goto bad_request;

    // how was the client expecting the server to return the information?
    $res = $json->security->response;
    if (array_key_exists($res, $func_index))
    {
      // encrypt the contents of the initial communication protocol
      if (!call_user_func_array($func_encrypt[$res], 
                                array($ses, NULL, $tok, &$buf)))
      {
        $code = constants::ERR_SERVER_ERROR;
        goto request_done;
      }
    }
    else
      goto bad_request;

    //----------------------------------------------------------------------
    // populate the JSON response
    //----------------------------------------------------------------------

    // we always pass the server time in EPOC
    $ts = time();

    // build the JSON stream
    $data  = '{';
      $data .= '"session": "'.$ses.'",';
      $data .= '"security": { ';
        $data .= '"response": "'.$res.'",';   
        $data .= '"protocol": "'.$sec.'"';   
      $data .= '},';
      $data .= '"data": { ';
        $data .= '"ts": "'.$ts.'"';   
        if (isset($par)) $data .= ',"params": "'.$par.'"';
        if (isset($buf)) $data .= ',"buffer": "'.base64_encode($buf).'"';
      $data .= '}';
    $data .= '}';

    $mesg = json_encode(json_decode($data), 
                        JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES);
    $status = 1;
  }
}
else

//--------------------------------------------------------------------------
// session update (exchange information between client/server)
//--------------------------------------------------------------------------

if ($_SERVER['REQUEST_METHOD'] === 'PUT')
{
  // grab the contents of the request
  $data = file_get_contents("php://input");

  // lets try and parse the raw JSON and make sense of it
  $json = json_decode($data);
  if (json_last_error() == JSON_ERROR_NONE)
  {
    // pre-requisites
    if ((!isset($json->session)) ||
        (!isset($json->security->protocol)) ||
        (!isset($json->security->response)) ||
        (!isset($json->data->buffer))) goto bad_request;

    // we must obtain a reference to our session 
    $ses = $json->session;

    //----------------------------------------------------------------------
    // decode the client message
    //----------------------------------------------------------------------

    // what security protocol has been defined for client messaging
    $sec = $json->security->protocol;
    if (array_key_exists($sec, $func_index))
    {
      // if we need to provide some params; we obtain them now
      $par = $json->data->params;
      $buf = base64_decode($json->data->buffer);

      // encrypt the contents of the initial communication protocol
      if (!call_user_func_array($func_decrypt[$sec], 
                                array($ses, $par, $buf, &$tok)))
      {
        $code = constants::ERR_SERVER_ERROR;
        goto request_done;
      }

      // we are done with the variables now
      unset($par);
      unset($buf);
    }
    else
      goto bad_request;

    //----------------------------------------------------------------------
    // process the data 
    //----------------------------------------------------------------------

    // TODO:
    // the message from the client is in $tok

    echo $tok.PHP_EOL;

    //----------------------------------------------------------------------
    // prepare a response
    //----------------------------------------------------------------------

    // we are done with these, we can unset them now
    unset($tok);

    // TODO:
    // the message we want to send the to client should be stored in $tok

    // how was the client expecting the server to return the information?
    $res = $json->security->response;
    if (array_key_exists($res, $func_index))
    {
      // encrypt the contents of the initial communication protocol
      if (!call_user_func_array($func_encrypt[$res], 
                                array($ses, &$par, $tok, &$buf)))
      {
        $code = constants::ERR_SERVER_ERROR;
        goto request_done;
      }
    }
    else
      goto bad_request;

    //----------------------------------------------------------------------
    // populate the JSON response
    //----------------------------------------------------------------------

    // we always pass the server time in EPOC
    $ts = time();

    // build the JSON stream
    $data  = '{';
      $data .= '"session": "'.$ses.'",';
      $data .= '"security": { ';
        $data .= '"response": "'.$res.'",';   
        $data .= '"protocol": "'.$sec.'"';   
      $data .= '},';
      $data .= '"data": { ';
        $data .= '"ts": "'.$ts.'"';   
        if (isset($par)) $data .= ',"params": "'.$par.'"';
        if (isset($buf)) $data .= ',"buffer": "'.base64_encode($buf).'"';
      $data .= '}';
    $data .= '}';

    $mesg = json_encode(json_decode($data), 
                        JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES);
    $status = 1;
  }
}

//--------------------------------------------------------------------------

// catch-all for bad_requests
if ($status == 0)
{
bad_request:
  $code = constants::ERR_BAD_REQUEST;
}

request_done:;

// set the HTTP response code and show a message if applicable
http_response_code($code);
header('Content-Type: application/json');
echo $mesg.PHP_EOL;

//--------------------------------------------------------------------------
?>