<?php

/**
* Abstract OAuth consumer
* @author Ben Tadiar <ben@handcraftedbyben.co.uk>
* @link https://github.com/benthedesigner/dropbox
* @package Dropbox\OAuth
* @subpackage Consumer
*/

abstract class Dropbox_ConsumerAbstract
{
    // Dropbox web endpoint. v2 API has just dropped the 1/ suffix to the below.
    const WEB_URL = 'https://www.dropbox.com/';
    
    // OAuth flow methods
    const AUTHORISE_METHOD = 'oauth2/authorize';
    // Beware - the documentation in one place says oauth2/token/revoke, but that appears to be wrong
    const DEAUTHORISE_METHOD = '2/auth/token/revoke';
    const ACCESS_TOKEN_METHOD = 'oauth2/token';
    // The next endpoint only exists with APIv1
    const OAUTH_UPGRADE = 'oauth2/token_from_oauth1';
    
    /**
     * Signature method, either PLAINTEXT or HMAC-SHA1
     * @var string
     */
    private $sigMethod = 'PLAINTEXT';
    
    /**
     * Output file handle
     * @var null|resource
     */
    protected $outFile = null;
    
    /**
     * Input file handle
     * @var null|resource
     */
    protected $inFile = null;
    
    /**
     * Authenticate using 3-legged OAuth flow, firstly
     * checking we don't already have tokens to use
     * @return void
     */
    protected function authenticate()
    {
        global $updraftplus;
        
        $access_token = $this->storage->get('access_token');
        //Check if the new token type is set if not they need to be upgraded to OAuth2
        if (!empty($access_token) && isset($access_token->oauth_token) && !isset($access_token->token_type)) {
            $updraftplus->log('OAuth v1 token found: upgrading to v2');
            $this->upgradeOAuth();
            $updraftplus->log('OAuth token upgrade successful');
        }
        
        if (empty($access_token) || !isset($access_token->oauth_token)) {
            try {
                $this->getAccessToken();
            } catch(Exception $e) {
                $excep_class = get_class($e);
                // 04-Sep-2015 - Dropbox started throwing a 400, which caused a Dropbox_BadRequestException which previously wasn't being caught
                if ('Dropbox_BadRequestException' == $excep_class || 'Dropbox_Exception' == $excep_class) {
                    global $updraftplus;
                    $updraftplus->log($e->getMessage().' - need to reauthenticate this site with Dropbox (if this fails, then you can also try wiping your settings from the Expert Settings section)');
                    //$this->getRequestToken();
                    $this->authorise();
                } else {
                    throw $e;
                }
            }
        }
    }
    
    /**
    * Upgrade the user's OAuth1 token to a OAuth2 token
    * @return void
    */
    private function upgradeOAuth()
    {
		// N.B. This call only exists under API v1 - i.e. there is no APIv2 equivalent. Hence the APIv1 endpoint (API_URL) is used, and not the v2 (API_URL_V2)
	    $url = 'https://api.dropbox.com/1/' . self::OAUTH_UPGRADE;
	    $response = $this->fetch('POST', $url, '');
        $token = new stdClass();
        /*
	        oauth token secret and oauth token were needed by oauth1 
	        these are replaced in oauth2 with an access token
	        currently they are still there just in case a method somewhere is expecting them to both be set
	        as far as I can tell only the oauth token is used
	        after more testing token secret can be removed.
        */
        
        $token->oauth_token_secret = $response['body']->access_token;
        $token->oauth_token = $response['body']->access_token;
        $token->token_type = $response['body']->token_type;
        $this->storage->set($token, 'access_token'); 
        $this->storage->set('true','upgraded');
        $this->storage->do_unset('request_token');
    }
    
    /**
     * Obtain user authorisation
     * The user will be redirected to Dropbox' web endpoint
     * @link http://tools.ietf.org/html/rfc5849#section-2.2
     * @return void
     */
    private function authorise()
    {
        // Only redirect if not using CLI
        if (PHP_SAPI !== 'cli' && (!defined('DOING_CRON') || !DOING_CRON) && (!defined('DOING_AJAX') || !DOING_AJAX)) {
            $url = $this->getAuthoriseUrl();
            if (!headers_sent()) {
                header('Location: ' . $url);
                exit;
            } else {
                throw new Dropbox_Exception(sprintf(__('The %s authentication could not go ahead, because something else on your site is breaking it. Try disabling your other plugins and switching to a default theme. (Specifically, you are looking for the component that sends output (most likely PHP warnings/errors) before the page begins. Turning off any debugging settings may also help).', 'updraftplus'), 'Dropbox'));
            }
            ?><?php
            return false;
        }
        global $updraftplus;
        $updraftplus->log('Dropbox reauthorisation needed; but we are running from cron, AJAX or the CLI, so this is not possible');
        $this->storage->do_unset('access_token');
        throw new Dropbox_Exception(sprintf(__('You need to re-authenticate with %s, as your existing credentials are not working.', 'updraftplus'), 'Dropbox'));
        #$updraftplus->log(sprintf(__('You need to re-authenticate with %s, as your existing credentials are not working.', 'updraftplus'), 'Dropbox'), 'error');
        return false;
    }
    
    /**
    * Build the user authorisation URL
    * @return string
    */
    public function getAuthoriseUrl()
    {
	    /*
		    Generate a random key to be passed to Dropbox and stored in session to be checked to prevent CSRF
		    Uses OpenSSL or Mcrypt or defaults to pure PHP implementaion if neither are available.
		*/
	    
		global $updraftplus;
		if (!function_exists('crypt_random_string')) $updraftplus->ensure_phpseclib('Crypt_Random', 'Crypt/Random');

		$CSRF = base64_encode(crypt_random_string(16));
        $this->storage->set($CSRF,'CSRF');
        // Prepare request parameters
        /*
            For OAuth v2 Dropbox needs to use a authorisation url that matches one that is set inside the
            Dropbox developer console. In order to check this it needs the client ID for the OAuth v2 app
            This will use the default one unless the user is using their own Dropbox App
            
            For users that use their own Dropbox App there is also no need to provide the callbackhome as
            part of the CSRF as there is no need to go to auth.updraftplus.com also the redirect uri can
            then be set to the home as default
            
            Check if the key has dropbox: if so then remove it to stop the request from being invalid
        */
        $appkey = $this->storage->get('appkey');
        
        if (!empty($appkey) && 'dropbox:' == substr($appkey, 0, 8)) {
			$key = substr($appkey, 8);
        } else if (!empty($appkey)) {
            $key = $appkey;
        }

        if ('' != $this->instance_id) $this->instance_id = ':'.$this->instance_id;
        
        $params = array(
            'client_id' => empty($key) ? $this->oauth2_id : $key,
            'response_type' => 'code',
            'redirect_uri' => empty($key) ? $this->callback : $this->callbackhome,
            'state' => empty($key) ? "POST:".$CSRF.$this->instance_id.$this->callbackhome : $CSRF.$this->instance_id,
        );
    
        // Build the URL and redirect the user
        $query = '?' . http_build_query($params, '', '&');
        $url = self::WEB_URL . self::AUTHORISE_METHOD . $query;
        return $url;
    }
    
    protected function deauthenticate()
    {
	    $url = UpdraftPlus_Dropbox_API::API_URL_V2 . self::DEAUTHORISE_METHOD;
	    $response = $this->fetch('POST', $url, '', array('api_v2' => true));
        $this->storage->delete();
    }
    
    /**
     * Acquire an access token
     * Tokens acquired at this point should be stored to
     * prevent having to request new tokens for each API call
     * @link http://tools.ietf.org/html/rfc5849#section-2.3
     */
    public function getAccessToken()
    {
    
		// If this is non-empty, then we just received a code. It is stored in 'code' - our next job is to put it into the proper place.
	    $code = $this->storage->get('code');
        /*
            Checks to see if the user is using their own Dropbox App if so then they need to get
            a request token. If they are using our App then we just need to save these details
        */
        if (!empty($code)){	
            $appkey = $this->storage->get('appkey');
            if (!empty($appkey)){
                // Get the signed request URL
                $url = UpdraftPlus_Dropbox_API::API_URL_V2 . self::ACCESS_TOKEN_METHOD;
                $params = array(
                    'code' => $code,
                    'grant_type' => 'authorization_code',
                    'redirect_uri' => $this->callbackhome,
                    'client_id' => $this->consumerKey,
                    'client_secret' => $this->consumerSecret,
                );
                $response = $this->fetch('POST', $url, '' , $params);
                
                $code  = json_decode(json_encode($response['body']),true);
            
            } else {
                $code = base64_decode($code);
                $code = json_decode($code, true);    
            }
            
	        /*
		        Again oauth token secret and oauth token were needed by oauth1 
		        these are replaced in oauth2 with an access token
		        currently they are still there just in case a method somewhere is expecting them to both be set
		        as far as I can tell only the oauth token is used
		        after more testing token secret can be removed.
			*/
            
            $token = new stdClass();
            $token->oauth_token_secret = $code['access_token'];
            $token->oauth_token = $code['access_token'];
            $token->account_id = $code['account_id'];
            $token->token_type = $code['token_type'];
            $token->uid = $code['uid'];
            $this->storage->set($token, 'access_token');
            $this->storage->do_unset('upgraded');
            
            //reset code
            $this->storage->do_unset('code');
	    } else {
		    throw new Dropbox_BadRequestException("No Dropbox Code found, will try to get one now", 400);
	    }
    }
    
    /**
     * Get the request/access token
     * This will return the access/request token depending on
     * which stage we are at in the OAuth flow, or a dummy object
     * if we have not yet started the authentication process
     * @return object stdClass
     */
    private function getToken()
    {
        if (!$token = $this->storage->get('access_token')) {
            if (!$token = $this->storage->get('request_token')) {
                $token = new stdClass();
                $token->oauth_token = null;
                $token->oauth_token_secret = null;
            }
        }
        return $token;
    }
    
    /**
     * Generate signed request URL
     * See inline comments for description
     * @link http://tools.ietf.org/html/rfc5849#section-3.4
     * @param string $method HTTP request method
     * @param string $url API endpoint to send the request to
     * @param string $call API call to send
     * @param array $additional Additional parameters as an associative array
     * @return array
     */
    protected function getSignedRequest($method, $url, $call, array $additional = array())
    {
        // Get the request/access token
        $token = $this->getToken();

        // Prepare the standard request parameters differently for OAuth1 and OAuth2; we still need OAuth1 to make the request to the upgrade token endpoint
        if (isset($token->token_type)) {
	        $params = array(
	        	'access_token' => $token->oauth_token,
	        );

            /*
                To keep this API backwards compatible with the API v1 endpoints all v2 endpoints will also send to this method a api_v2 parameter this will then return just the access token as the signed request is not needed for any calls.
             */

            if (isset($additional['api_v2']) && $additional['api_v2'] == true) {
                unset($additional['api_v2']);
                if (isset($additional['content_download']) && $additional['content_download'] == true) {
                    unset($additional['content_download']);
                    $extra_headers = array();
                    if (isset($additional['headers'])) {
                        foreach ($additional['headers'] as $key => $header) {
                            $extra_headers[] = $header;
                        }
                        unset($additional['headers']);
                    }
                    $headers = array(
                        'Authorization: Bearer '.$params['access_token'],
                        'Content-Type:',
                        'Dropbox-API-Arg: '.json_encode($additional),
                    );

                    $headers = array_merge($headers, $extra_headers);
                    $additional = '';
                } else if (isset($additional['content_upload']) && $additional['content_upload'] == true) {
                    unset($additional['content_upload']);
                    $headers = array(
                        'Authorization: Bearer '.$params['access_token'],
                        'Content-Type: application/octet-stream',
                        'Dropbox-API-Arg: '.json_encode($additional),
                    );
                    $additional = '';
                } else {
                    $headers = array(
                        'Authorization: Bearer '.$params['access_token'],
                        'Content-Type: application/json',
                    );
                }
                return array(
                    'url' => $url . $call,
                    'postfields' => $additional,
                    'headers' => $headers,
                );
            }
        } else {
	        // Generate a random string for the request
	        $nonce = md5(microtime(true) . uniqid('', true));
	        $params = array(
	            'oauth_consumer_key' => $this->consumerKey,
	            'oauth_token' => $token->oauth_token,
	            'oauth_signature_method' => $this->sigMethod,
	            'oauth_version' => '1.0',
	            // Generate nonce and timestamp if signature method is HMAC-SHA1 
	            'oauth_timestamp' => ($this->sigMethod == 'HMAC-SHA1') ? time() : null,
	            'oauth_nonce' => ($this->sigMethod == 'HMAC-SHA1') ? $nonce : null,
	        );
	    }
    
        // Merge with the additional request parameters
        $params = array_merge($params, $additional);
        ksort($params);
    
        // URL encode each parameter to RFC3986 for use in the base string
        $encoded = array();
        foreach($params as $param => $value) {
            if ($value !== null) {
                // If the value is a file upload (prefixed with @), replace it with
                // the destination filename, the file path will be sent in POSTFIELDS
                if (isset($value[0]) && $value[0] === '@') $value = $params['filename'];
                # Prevent spurious PHP warning by only doing non-arrays
                if (!is_array($value)) $encoded[] = $this->encode($param) . '=' . $this->encode($value);
            } else {
                unset($params[$param]);
            }
        }
        
        // Build the first part of the string
        $base = $method . '&' . $this->encode($url . $call) . '&';
        
        // Re-encode the encoded parameter string and append to $base
        $base .= $this->encode(implode('&', $encoded));

        // Concatenate the secrets with an ampersand
        $key = $this->consumerSecret . '&' . $token->oauth_token_secret;
        
        // Get the signature string based on signature method
        $signature = $this->getSignature($base, $key);
        $params['oauth_signature'] = $signature;
        
        // Build the signed request URL
        $query = '?' . http_build_query($params, '', '&');
        
        return array(
            'url' => $url . $call . $query,
            'postfields' => $params,
        );
    }
    
    /**
     * Generate the oauth_signature for a request
     * @param string $base Signature base string, used by HMAC-SHA1
     * @param string $key Concatenated consumer and token secrets
     */
    private function getSignature($base, $key)
    {
        switch ($this->sigMethod) {
            case 'PLAINTEXT':
                $signature = $key;
                break;
            case 'HMAC-SHA1':
                $signature = base64_encode(hash_hmac('sha1', $base, $key, true));
                break;
        }
        
        return $signature;
    }
    
    /**
     * Set the OAuth signature method
     * @param string $method Either PLAINTEXT or HMAC-SHA1
     * @return void
     */
    public function setSignatureMethod($method)
    {
        $method = strtoupper($method);
        
        switch ($method) {
            case 'PLAINTEXT':
            case 'HMAC-SHA1':
                $this->sigMethod = $method;
                break;
            default:
                throw new Dropbox_Exception('Unsupported signature method ' . $method);
        }
    }
    
    /**
     * Set the output file
     * @param resource Resource to stream response data to
     * @return void
     */
    public function setOutFile($handle)
    {
        if (!is_resource($handle) || get_resource_type($handle) != 'stream') {
            throw new Dropbox_Exception('Outfile must be a stream resource');
        }
        $this->outFile = $handle;
    }
    
    /**
     * Set the input file
     * @param resource Resource to read data from
     * @return void
     */
    public function setInFile($handle) {
        $this->inFile = $handle;
    }
    
    /**
    * Parse response parameters for a token into an object
    * Dropbox returns tokens in the response parameters, and
    * not a JSON encoded object as per other API requests
    * @link http://oauth.net/core/1.0/#response_parameters
    * @param string $response
    * @return object stdClass
    */
    private function parseTokenString($response)
    {
        $parts = explode('&', $response);
        $token = new stdClass();
        foreach ($parts as $part) {
            list($k, $v) = explode('=', $part, 2);
            $k = strtolower($k);
            $token->$k = $v;
        }
        return $token;
    }
    
    /**
     * Encode a value to RFC3986
     * This is a convenience method to decode ~ symbols encoded
     * by rawurldecode. This will encode all characters except
     * the unreserved set, ALPHA, DIGIT, '-', '.', '_', '~'
     * @link http://tools.ietf.org/html/rfc5849#section-3.6
     * @param mixed $value
     */
    private function encode($value)
    {
        return str_replace('%7E', '~', rawurlencode($value));
    }
}