<?php
/**
 * icard_managed_lib.php
 *
 * Copyright (c) 2007, Robert Richards <rrichards@cdatazone.org>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *   * Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 *
 *   * Redistributions in binary form must reproduce the above copyright
 *     notice, this list of conditions and the following disclaimer in
 *     the documentation and/or other materials provided with the
 *     distribution.
 *
 *   * Neither the name of Robert Richards nor the names of his
 *     contributors may be used to endorse or promote products derived
 *     from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * @author     Robert Richards <rrichards@cdatazone.org>
 * @copyright  2007 Robert Richards <rrichards@cdatazone.org>
 * @license    http://www.opensource.org/licenses/bsd-license.php  BSD License
 * @version    1.0.0
 */

class ICardEndpoint {
	private $address;
	private $secpolicy;
	private $identityCert = array('cert'=>NULL, 'isPem'=>True, 'isURL'=>False);

	const WSANS = 'http://www.w3.org/2005/08/addressing';
	const WSAPFX = 'wsa';
	
	const MEXNS = 'http://schemas.xmlsoap.org/ws/2004/09/mex';
	const MEXPFX = 'mex';
	
	const WSIDNS = 'http://schemas.xmlsoap.org/ws/2006/02/addressingidentity';
	const WSIDPFX = 'wsai';

	public function __construct($address, $secpolicyAddress) {
		if (empty($address)) {
			throw new Exception("Address must be supplied");
		}
		if (empty($secpolicyAddress)) {
			throw new Exception("Security Policy Address must be supplied");
		}
		$this->address = $address;
		$this->secpolicy = $secpolicyAddress;
	}

	public function setIdentityX509($cert, $isPEMFormat=TRUE, $isURL=False) {
		$this->identityCert['cert'] = $cert;
		$this->identityCert['isPem'] = $isPEMFormat;
		$this->identityCert['isURL'] = $isURL;
	}

	public function appendToDoc($parent) {
		if (! $parent instanceof DOMElement) {
			throw new Exception("Parent must be a DOMElement");
		}
		$doc = $parent->ownerDocument;
		$endpoint = $doc->createElementNS(self::WSANS, self::WSAPFX.':EndpointReference');
		$parent->appendChild($endpoint);

		$addrNode = $doc->createElementNS(self::WSANS, self::WSAPFX.':Address', $this->address);
		$endpoint->appendChild($addrNode);

		$WSAMetaNode = $doc->createElementNS(self::WSANS, self::WSAPFX.':Metadata');
		$endpoint->appendChild($WSAMetaNode);
		
		$MEXNode = $doc->createElementNS(self::MEXNS, self::MEXPFX.':Metadata');
		$WSAMetaNode->appendChild($MEXNode);
		
		$MEXSection = $doc->createElementNS(self::MEXNS, self::MEXPFX.':MetadataSection');
		$MEXNode->appendChild($MEXSection);
		$MEXSection->setAttribute('Dialect', 'http://schemas.xmlsoap.org/ws/2004/09/mex');
		
		$MEXRef = $doc->createElementNS(self::MEXNS, self::MEXPFX.':MetadataReference');
		$MEXSection->appendChild($MEXRef);

		$addrNode = $doc->createElementNS(self::WSANS, self::WSAPFX.':Address', $this->secpolicy);
		$MEXRef->appendChild($addrNode);
		
		if (! empty($this->identityCert['cert'])) {
			$idNode = $doc->createElementNS(self::WSIDNS, self::WSIDPFX.':Identity');
			$endpoint->appendChild($idNode);
			XMLSecurityDSig::staticAdd509Cert($idNode, $this->identityCert['cert'],
								   $this->identityCert['isPem'],
								   $this->identityCert['isURL']);
		}
	}
}

class ICardSAML {
	private $samlDoc;
	private $attributes = array();
	private $conditions = array();
	private $identityCert = array('cert'=>NULL, 'isPem'=>True, 'isURL'=>False);

	private $samlTmpl = '<saml:Assertion MajorVersion="1" MinorVersion="0" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"><saml:AttributeStatement/></saml:Assertion>';

	const SAML10 = 'urn:oasis:names:tc:SAML:1.0:assertion';
	const SAML10PFX = 'saml';
	const NOTBEFORE = 'NotBefore';
	const NOTONORAFTER = 'NotOnOrAfter';
	const AUDIENCE = 'Audience';

	public function __construct($issuer) {
		$this->samlDoc = new DOMDocument();
		$this->samlDoc->loadXML($this->samlTmpl);
		$root = $this->samlDoc->documentElement;
		$root->setAttribute('Issuer', $issuer);
		$root->setAttribute('IssueInstant', gmdate("Y-m-d\TH:i:s", time()).'Z');
	}
	
	public function addAttribute($objAttr) {
		if (! $objAttr instanceof ICardClaimType) {
			throw new Exception('Attribute must be of ICardClaimType');
		}
		if (empty($objAttr->name)) {
			throw new Exception('Attribute does not have name/value set');
		}
		$this->attributes[] = $objAttr;
	}

	public function addCondition($condition, $value) {
		switch ($condition) {
			case (self::NOTBEFORE):
			case (self::NOTONORAFTER):
				/* check date */
				$xmlVal = gmdate("Y-m-d\TH:i:s", $value).'Z';
				break;
			case (self::AUDIENCE):
				$xmlVal = $value;
				break;
			default:
				throw new Exception('Supplied condition not supported');
		}
		$this->conditions['condition'] = $xmlVal;
	}

	private function createAttributes($parent) {
		foreach ($this->attributes AS $objAttr) {
			$attrNode = $this->samlDoc->createElementNS(self::SAML10, self::SAML10PFX.':Attribute');
			$parent->appendChild($attrNode);
			$attrNode->setAttribute('AttributeName', $objAttr->name);
			$attrNode->setAttribute('AttributeNamespace', $objAttr->URI);
			$attrValue = $this->samlDoc->createElementNS(self::SAML10, self::SAML10PFX.':AttributeValue', $objAttr->value);
			$attrNode->appendChild($attrValue);
		}
	}

	public function setX509Cert($cert, $isPEMFormat=TRUE, $isURL=False) {
		$this->identityCert['cert'] = $cert;
		$this->identityCert['isPem'] = $isPEMFormat;
		$this->identityCert['isURL'] = $isURL;
	}

	public function getXMLDisplay() {
		$doc = new DOMDocument();
		$doc->loadXML('<wsi:DisplayToken xmlns:wsi="http://schemas.xmlsoap.org/ws/2005/05/identity"/>');
		$token = $doc->documentElement;
		foreach ($this->attributes AS $objAttr) {
			$claimNode = $doc->createElementNS('http://schemas.xmlsoap.org/ws/2005/05/identity', 'wsi:DisplayClaim');
			$token->appendChild($claimNode);
			$claimNode->setAttribute('Uri', $objAttr->URI);

			$dispNode = $doc->createElementNS('http://schemas.xmlsoap.org/ws/2005/05/identity', 'wsi:DisplayTag', $objAttr->displayName);
			$claimNode->appendChild($dispNode);

			$dispNode = $doc->createElementNS('http://schemas.xmlsoap.org/ws/2005/05/identity', 'wsi:Description', $objAttr->description);
			$claimNode->appendChild($dispNode);

			$dispNode = $doc->createElementNS('http://schemas.xmlsoap.org/ws/2005/05/identity', 'wsi:DisplayValue', $objAttr->value);
			$claimNode->appendChild($dispNode);
		}
		return $doc->saveXML($token);
	}

	public function asXML($strKey) {
		if (count($this->attributes) == 0) {
			throw new Exception('No attributes have been defined');
		}
		$root = $this->samlDoc->documentElement;
		
		if (count($this->conditions) > 0) {
			$condNode = $this->samlDoc->createElementNS(self::SAML10, self::SAML10PFX.':Conditions');
			$this->samlDoc->documentElement->appendChild($condNode);
			foreach ($this->conditions AS $condition=>$value) {
				if ($condition != self::AUDIENCE) {
					$condNode->setAttribute($condition, $value);
				} else {
					$audRest = $this->samlDoc->createElementNS(self::SAML10, self::SAML10PFX.':AudienceRestrictionCondition');
					$condNode->appendChild($audRest);
					$audience = $this->samlDoc->createElementNS(self::SAML10, self::SAML10PFX.':Audience', $value);
					$audRest->appendChild($audience);
				}
			}
		}
		
		$child = $root->firstChild;
		while ($child) {
			if ($child->localName == 'AttributeStatement') {
				$this->createAttributes($child);
			}
			$child = $child->nextSibling;
		}

		$objDSig = new XMLSecurityDSig();
		$objDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
		$arOptions = array('id_name'=>'AssertionID');
		$objDSig->addReference($this->samlDoc->documentElement, XMLSecurityDSig::SHA1, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature'), $arOptions);
		$objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type'=>'private'));
		$objKey->loadKey($strKey, False);
		$objDSig->sign($objKey);
		$objDSig->add509Cert($this->identityCert['cert'], $this->identityCert['isPem'], $this->identityCert['isURL']);
		
		$objDSig->appendSignature($root);
		
		return $this->samlDoc->saveXML($root);
	}
}

class ICardUserCredential {
	private $type;
	private $displayHint = NULL;
	private $userName = NULL;
	
	const UsernamePasswordCredential = 1;
	const KerberosV5Credential = 2;
	const X509V3Credential = 3;
	const SelfIssuedCredential = 4;

	public function __construct($type, $dispHint=NULL) {
		if ($type != self::UsernamePasswordCredential) {
			throw new Exception('Only UsernamePassword credential currently implemented');
		}
		$this->displayHint = $dispHint;
		$this->type = $type;
	}
	
	public function setUserName($Username) {
		$this->userName = $Username;
	}
	
	public function appendToDoc($parent) {
		if (! $parent instanceof DOMElement) {
			throw new Exception("Parent must be a DOMElement");
		}
		$doc = $parent->ownerDocument;
		$usercred = $doc->createElementNS(ICard::ICARDNS, ICard::ICARDNS_PFX.':UserCredential');
		$parent->appendChild($usercred);
		
		if (! empty($this->displayHint)) {
			$disphint = $doc->createElementNS(ICard::ICARDNS, ICard::ICARDNS_PFX.':DisplayCredentialHint', $this->displayHint);
			$usercred->appendChild($disphint);
		}
		switch ($this->type) {
			case (self::UsernamePasswordCredential):
				$cred = $doc->createElementNS(ICard::ICARDNS, ICard::ICARDNS_PFX.':UsernamePasswordCredential');
				$usercred->appendChild($cred);
				if (! empty($this->userName)) {
					$uname = $doc->createElementNS(ICard::ICARDNS, ICard::ICARDNS_PFX.':Username', $this->userName);
					$cred->appendChild($uname);
				}
				break;
			default:
				break;
		}
	}
}

class ICardTokenService {
	public $endPointRef = NULL;
	private $userCredential = NULL;
	
	public function __construct($endPoint, $userCred) {
		if (! $endPoint instanceof ICardEndpoint) {
			throw new Exception("EndPoint must be an ICardEndpoint");
		}
		if (! $userCred instanceof ICardUserCredential) {
			throw new Exception("UserCredential must be an ICardUserCredential");
		}
		$this->endPointRef = $endPoint;
		$this->userCredential = $userCred;
	}

	public function appendToDoc($parent) {
		if (! $parent instanceof DOMElement) {
			throw new Exception("Parent must be a DOMElement");
		}
		$doc = $parent->ownerDocument;

		$tokensvc = $doc->createElementNS(ICard::ICARDNS, ICard::ICARDNS_PFX.':TokenService');
		$parent->appendChild($tokensvc);
		$this->endPointRef->appendToDoc($tokensvc);
		$this->userCredential->appendToDoc($tokensvc);
	}
}

class ICardClaimType {
	public $URI = NULL;
	public $displayName = NULL;
	public $description = NULL;
	public $name = NULL;
	public $value = NULL;

	public function __construct($URI, $displayName = NULL, $description = NULL) {
		$this->URI = $URI;
		$this->displayName = $displayName;
		$this->description = $description;
	}

	public function setValue($name, $value = NULL) {
		$this->name = $name;
		$this->value = $value;
	}	
	
}

class ICard {
	public $lang = 'en-us';

	public $CardId;
	public $CardVersion;
	
	public $CardName = NULL;
	private $CardImage = NULL;
	private $CardImageMime = NULL;
	
	public $Issuer;
	
	public $TimeExpires;
	
	public $RequireAppliesTo = NULL;
	
	private $PrivacyURI = NULL;
	private $PrivacyVersion = NULL;
// change this later	private $cardDoc = NULL;
	public $cardDoc = NULL;
	
	private $tokenServices = array();
	private $tokenTypes = NULL;
	private $claimTypes = NULL;
	
	const ICARDNS = 'http://schemas.xmlsoap.org/ws/2005/05/identity';
	const ICARDNS_PFX = 'wsi';

	const WSTRUSTNS = 'http://schemas.xmlsoap.org/ws/2005/02/trust';
	const WSTRUSTNS_PFX = 'wst';

	public function __construct($CardId, $CardVersion, $Issuer, $cardLang=NULL) {
		if (! empty($cardLang)) {
			$this->lang = $cardLang;
		}
		$cardDoc = new DOMDocument();
		$root = $cardDoc->createElementNS(self::ICARDNS, self::ICARDNS_PFX.':InformationCard');
		$cardDoc->appendChild($root);
		$root->setAttribute('xml:lang', $this->lang);
		$iref = $cardDoc->createElementNS(self::ICARDNS, self::ICARDNS_PFX.':InformationCardReference');
		$root->appendChild($iref);
		$id = $cardDoc->createElementNS(self::ICARDNS, self::ICARDNS_PFX.':CardId', $CardId);
		$iref->appendChild($id);
		$id = $cardDoc->createElementNS(self::ICARDNS, self::ICARDNS_PFX.':CardVersion', $CardVersion);
		$iref->appendChild($id);
		
		$this->Issuer = $Issuer;
		
		$this->cardDoc = $cardDoc;
	}
	
	public function setExpireTime($expireDate) {
		if (($timestamp = strtotime($expireDate)) === false) {
			throw new Exception("Invalid ExpireTime");
		}
		if ($timestamp < time()) {
			throw new Exception("ExpireTime cannot be in the past");
		}
		$this->TimeExpires = $timestamp;
	}
	
	private function buildRelyingParty() {
		if (! is_null($this->RequireAppliesTo)) {
			$root = $this->cardDoc->documentElement;
			$uri = $this->cardDoc->createElementNS(self::ICARDNS, self::ICARDNS_PFX.':RequireAppliesTo');
			$root->appendChild($uri);
			if ($this->RequireAppliesTo) {
				$uri->setAttribute('Optional', 'false');
			} else {
				$uri->setAttribute('Optional', 'true');
			}
		}
	}
	
	public function requireRelyingParty($RequireAppliesTo=NULL) {
		if (! is_null($RequireAppliesTo)) {
			$this->RequireAppliesTo = (bool)$RequireAppliesTo;
		} else {
			$this->RequireAppliesTo = NULL;
		}
	} 
	
	public function addClaimType($objClaim) {
		if (! $objClaim instanceof ICardClaimType) {
			throw new Exception('Claim must be of ICardClaimType');
		}
		if (! is_array($this->claimTypes)) {
			$this->claimTypes = array();
		}
		$this->claimTypes[] = $objClaim;
	}
	
	public function setTokenTypes($arTokenTypes = NULL) {
		if (is_null($arTokenTypes)) {
			$this->tokenTypes = NULL;
			return True;
		}
		if (! is_array($arTokenTypes)) {
			throw new Exception('NULL or array of Token Types required for input parameter');
		}
		$this->tokenTypes = $arTokenTypes;
	}
	
	public function setCardImage($imgFile, $imgMime = NULL) {
		$this->CardImage = $imgFile;
		$this->CardImageMime = $imgMime;
	}
	
	public function setPrivacyNotice($URI, $version=NULL) {
		$this->PrivacyURI = $URI;
		$this->PrivacyVersion = $version;
	}

	public function addService($objSvc) {
		if (! $objSvc instanceof ICardTokenService) {
			throw new Exception('Service must be an ICardTokenService');
		}
		$this->tokenServices[] = $objSvc;
	}

	public function getCard() {
		$doc = $this->cardDoc;
		$root = $doc->documentElement;

		if (! empty($this->CardName)) {
			$iref = $doc->createElementNS(self::ICARDNS, self::ICARDNS_PFX.':CardName', $this->CardName);
			$root->appendChild($iref);
		}
		
		if (! empty($this->CardImage)) {
			$image = file_get_contents($this->CardImage);
			$encodedImage = base64_encode($image);
			$iref = $doc->createElementNS(self::ICARDNS, self::ICARDNS_PFX.':CardImage', $encodedImage);
			$root->appendChild($iref);
			if (! empty($this->CardImageMime)) {
				$iref->setAttribute('MimeType', $this->CardImageMime);
			}
		}

		$current = $doc->createElementNS(self::ICARDNS, self::ICARDNS_PFX.':Issuer', $this->Issuer);
		$root->appendChild($current);
		
		$currentTime = time();
		$current = $doc->createElementNS(self::ICARDNS, self::ICARDNS_PFX.':TimeIssued', gmdate("Y-m-d\TH:i:s", $currentTime).'Z');
		$root->appendChild($current);

		if (! empty($this->TimeExpires)) {
			$expires = $doc->createElementNS(self::ICARDNS, self::ICARDNS_PFX.':TimeExpires', gmdate("Y-m-d\TH:i:s", $this->TimeExpires).'Z');
			$root->appendChild($expires);
		}
		
		$tokensvclist = $doc->createElementNS(self::ICARDNS, self::ICARDNS_PFX.':TokenServiceList');
		$root->appendChild($tokensvclist);
		
		foreach ($this->tokenServices AS $tokensvc) {
			$tokensvc->appendToDoc($tokensvclist);
		}
		
		if (! empty($this->tokenTypes)) {
			$tokenlist = $doc->createElementNS(self::ICARDNS, self::ICARDNS_PFX.':SupportedTokenTypeList');
			$root->appendChild($tokenlist);
			foreach ($this->tokenTypes AS $tokenType) {
				$token = $doc->createElementNS(self::WSTRUSTNS, self::WSTRUSTNS_PFX.':TokenType', $tokenType);
				$tokenlist->appendChild($token);
			}
		}

		if (is_array($this->claimTypes)) {
			$claimlist = $doc->createElementNS(self::ICARDNS, self::ICARDNS_PFX.':SupportedClaimTypeList');
			$root->appendChild($claimlist);
			foreach ($this->claimTypes AS $objClaim) {
				$claimtype = $doc->createElementNS(self::ICARDNS, self::ICARDNS_PFX.':SupportedClaimType');
				$claimlist->appendChild($claimtype);
				$claimtype->setAttribute('Uri', $objClaim->URI);
				if (! empty($objClaim->displayName)) {
					$claimdisp = $doc->createElementNS(self::ICARDNS, self::ICARDNS_PFX.':DisplayTag', $objClaim->displayName);
					$claimtype->appendChild($claimdisp);
				}
				if (! empty($objClaim->description)) {
					$claimdesc = $doc->createElementNS(self::ICARDNS, self::ICARDNS_PFX.':Description', $objClaim->description);
					$claimtype->appendChild($claimdesc);
				}
			}
		}

		$this->buildRelyingParty();
		if (! empty($this->PrivacyURI)) {
			$uri = $doc->createElementNS(self::ICARDNS, self::ICARDNS_PFX.':PrivacyNotice', $this->PrivacyURI);
			$root->appendChild($uri);
			if (! is_null($this->PrivacyVersion)) {
				$uri->setAttribute('Version', $this->PrivacyVersion);
			}
		}
		
		$doc->formatOutput = True;
		return $doc->saveXML();
	}
}
?>