/* URLs modified for security */

<?php 
function fnUserAuthTGST($user, &$result) {

// For some reason, the hook didn't work without "fn" on the front of the function name.

/*	This function performs the user authentication for TGSTWiki and D3000Wiki.
		It requires the following field to be added to the default {prefix}_user table in the database:
		
		user_employee_id	tinytext

		Ref:	http://www.mediawiki.org/wiki/Manual:Hooks/UserLoadFromSession
					http://svn.wikimedia.org/doc/classUser.html
					
		090203 Sam S: Changed the call from loadFromDatabase() to load() after setting mFrom to see
		              if that cures the group membership assignment problem.
		
 */
 
$fname   = "UserAuthTGST::fnUserAuthTGST";
$SAFE    = "https://x.y.com/login/sso/SSOService?app=d3wiki&returnURL=";
$errpage = "http://y.z.com/d3wikiaccess.php";
$allowed = 300; # Five minutes diff is allowed.
	
	logTGST("Page: " . $_SERVER['REQUEST_URI']);
	if (isset($_COOKIE['TGSTWiki'])) {
		$tgstcookie = $_COOKIE['TGSTWiki'];
		logTGST("TGSTWiki cookie found");

		if (isset($_REQUEST['digest'])) {
			logTGST("digest exists as well - ignoring it.");
		}

		loadFromDatabaseTGST($user, $tgstcookie);
		$result = 1; // This causes the rest of the authentication process to be skipped.
		return(false);   // As should this, according to the internal error report:
		// Detected bug in an extension! Hook fnUserAuthTGST failed to return a value; should return true to continue hook processing or false to abort.

	} elseif (isset($_REQUEST['digest'])) {
		# Just back from SAFE - validate the result.
		
		$digest      = $_REQUEST['digest'];
		$empid       = $_REQUEST['uid'];
		$email       = $_REQUEST['email'];
		$firstname   = $_REQUEST['firstname'];
		$lastname    = $_REQUEST['lastname'];
		$intime      = $_REQUEST['time'];
		$returnurl   = $_REQUEST['returnURL'];
		$thispage    = curPageURL();
		$mytime      = date("Y:m:d:H:i:s", time());

		// Get the secret ...
		$file = fopen("/usr/local/apache2/htdocs/d3wiki/TGST/conf/.SAFEkey", "r") or exit("Unable to open file!");
		$secret = chop(fgets($file),"\n"); # Drop trailing LF
		fclose($file);

		$md5string = "$empid$intime$secret";
		$mydigest  = md5($md5string);
		$indiglen  = strlen($digest);
		$mydiglen  = strlen($mydigest);
		$md5strlen = strlen($md5string);
		logTGST("  lengths: digest $indiglen; mydigest $mydiglen; md5string $md5strlen");
		if ( "$digest" != "$mydigest" ) {
			// Problem! Log secure info to file:
			logTGST("Digests don't match for $email - unable to proceed.");
			logTGST("  digest=$digest");
			logTGST("  mydigest=$mydigest");
			logTGST("  md5string=>$md5string<");			
			// ... and tell the user something interesting:
			$errpage .= "?error=Digest%20mismatch";
			$errpage .= "&digest=$digest&empid=$empid&email=$email&first=$firstname&last=$lastname&intime=$intime";
			$errpage .= "&mytime=$mytime&returnurl=$returnurl";
			// $errpage .= "&timediff=&timediff";
			// redirect to report error ...
			http_redirect($errpage, array(), true, HTTP_REDIRECT);
		}

		$diff = valtime($intime);
		if ( $diff > $allowed ) {
			logTGST("Time difference ($diff) is too great for $email");
			logTGST("  intime=$intime");
			logTGST("  mytime=$mytime");
			// ... and tell the user something interesting:
			$errpage .= "?error=Time%20difference%20too%20great.";
			$errpage .= "&digest=$digest&empid=$empid&email=$email&first=$firstname&last=$lastname&intime=$intime";
			$errpage .= "&mytime=$mytime&returnurl=$returnurl";
			$errpage .= "&timediff=&diff";
			// redirect to report error ...
			http_redirect($errpage, array(), true, HTTP_REDIRECT);
			// $result not set so that authentication continues - and should fail.
			return(true); // This should have the same effect.
		}
		
		logTGST("SAFE validation successful for $email");
		
		# Validation successful - create cookie with all SAFE fields.
		$tgstcookie = "$empid|$email|$firstname|$lastname"; 
		$tgstcookie = str_replace(' ', '%20', $tgstcookie); 
		# We'll start with a week ...
		if ( setrawcookie("TGSTWiki", $tgstcookie, time()+7*24*60*60, '/', $_SERVER['SERVER_NAME']) ) {
			logTGST("  cookie set successfully.");
		} else {
			logTGST("  cookie setting failed.");
		}
		// Now see if the user is already in the database ...
		
		$user = loadFromDatabaseTGST($user, $tgstcookie);
		$result = 1; // This causes the rest of the authentication process to be skipped.
		return(false); // Ditto (see above)
		
	} else {	// No cookie, so we go to SAFE.
//		logTGST("$fname: No tgstcookie found - redirecting to SAFE.");
		logTGST("TGSTWiki cookie not found - redirecting to SAFE.");

		$SAFE .= curPageURL(); // Append this page's name
		http_redirect($SAFE, array(), true, HTTP_REDIRECT);
	}	// No cookie
}

function loadFromDatabaseTGST($user, $tgstcookie) {
	$fname   = "UserAuthTGST::loadFromDatabaseTGST";
	
	// Check whether user is in the database - if so, complete User.
	logTGST("Entering $fname ...");
	// Explode the cookie:
	list ($empid, $email, $first, $last) = explode("|", $tgstcookie, 4);
	logTGST("Cookie exploded: $empid, $email, $first, $last");
	
	// Now see if the user is known ...
	
	$dbr =& wfGetDB( DB_SLAVE );
	$s = $dbr->selectRow( 'user', array('user_id', 'user_name'), array('user_employee_id' => $empid), $fname);
	if ($s === false) {
		logTGST("No entry found in db for employee id $empid - creating one ...");
		$user = new User();
		// MediaWiki requires names to start with a capital, so we have a stab at a reasonably formed name:
		$temp = explode(".", substr($email,0,strpos($email,'@')));
		$i   = 0;
		$lim = sizeof($temp);
		while ( $i < $lim) {
			$temp[$i] = ucwords($temp[$i]);
			$i++;
		}
		$userName = implode(".", $temp);
		$user->loadDefaults($userName);         // Added as it's done this way in CentralAuth.
		
		$user->mEmail              = $email;
		$user->mName               = $userName; // Redundant given use of loadDefaults...?
		$user->mEmployeeId         = $empid;
		$user->mRealName           = "$first $last";
		$user->mEmailAuthenticated = wfTimestamp();
		$user->mTouched            = wfTimestamp();
		
		logTGST("  mName               = $user->mName");
		logTGST("  mEmployeeId         = $user->mEmployeeId");
		logTGST("  mRealName           = $user->mRealName");
		logTGST("  mEmailAuthenticated = $user->mEmailAuthenticated");
		logTGST("  mTouched            = $user->mTouched");
		
		$user->addToDatabase();
		logTGST("User added to database with ID $user->mId and name $user->mName.");
		
	} else {
		$user->mId = $s->user_id;
		$user->mName = $s->user_name;
		logTGST("DB entry found for employee id $empid with user id $user->mId and name $user->mName");
	} 
	
	// Load the existing or newly-created user from the database ...

	$user->mFrom = 'id';	
	if ( !$user->loadFromId() ) {
		logTGST("loadfromId failed for user ID $user->mId and name $user->mName");
	} else { // Additional debugging ...
		logTGST("loadFromId succeeded for user ID $user->mId and name $user->mName");
	}
	return $user;
}

function curPageURL() {
 $pageURL = 'http';
 if (isset($_SERVER['HTTPS'])) {$pageURL .= "s";}
 $pageURL .= "://";
 if ($_SERVER['SERVER_PORT'] != "80") {
  $pageURL .= $_SERVER['SERVER_NAME'].':'.$_SERVER['SERVER_PORT'].$_SERVER['REQUEST_URI'];
 } else {
  $pageURL .= $_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
 }
 return $pageURL;
}

function curPageName() {
 return substr($_SERVER['SCRIPT_NAME'],strrpos($_SERVER['SCRIPT_NAME'],'/')+1);
}

function valtime($intime) {

	// Check whether supplied time is within five minutes of now.

	$time1   = implode(explode(":", $intime)); // Colonic irrigation!

	// Play at being a Time Lord here for testing.

	$inepoch = strtotime($time1); // Convert to epoch
	$myepoch = time();

	$diff = $myepoch - $inepoch;
	return($diff);
}

function logTGST($message) {

	// Log significant events during authentication if the log file exists.

	$day = gmdate("Ymd");
	$authlog = "/radt/local/log/TGSTWiki.authlog.$day";
	$now = gmdate("Y-m-d H:i:s ");
	
	if (file_exists($authlog)) {
		if ($file = fopen($authlog, "a")) {
			fputs($file, $now . $message . "\n");
			fclose($file);
			return(true);
		} else {
			return(false);
		}
	} else {
		return(true);
	}
}
?>