<?php
/**
 * Helper class for domain mapping functionality.
 *
 * @package WP_Ultimo
 * @subpackage Domain_Mapping
 * @since 2.0.0
 */

namespace WP_Ultimo\Domain_Mapping;

use Psr\Log\LogLevel;

// Exit if accessed directly
defined('ABSPATH') || exit;

/**
 * Helper class for domain mapping functionality.
 *
 * @since 2.0.0
 */
class Helper {

	/**
	 * List of API endpoints we can use to check the remote IP address.
	 *
	 * @var array
	 */
	static $providers = [
		'https://ipv4.canihazip.com/s',
		'https://ipv4.icanhazip.com/',
		'https://api.ipify.org/',
	];

	/**
	 * Static-only class.
	 */
	private function __construct() {}

	/**
	 * Checks if we are in development mode.
	 *
	 * @todo this needs to be migrate somewhere else, where it can be accessed by everyone.
	 * @since 2.0.0
	 * @return boolean
	 */
	public static function is_development_mode() {

		$site_url = site_url();

		$is_development_mode = preg_match('#(localhost|staging.*\.|\.local|\.test)#', $site_url);

		/**
		 * Allow plugin developers to add additional tests
		 * for development mode.
		 *
		 * @since 2.0.0
		 *
		 * @param bool   $is_development_mode The current development status.
		 * @param string $site_url The site URL.
		 * @return bool
		 */
		return apply_filters('wu_is_development_mode', $is_development_mode, $site_url);
	}

	/**
	 * Gets the local IP address of the network.
	 *
	 * Sometimes, this will be the same address as the public one, but we need different methods.
	 *
	 * @since 2.0.0
	 * @return string|bool
	 */
	public static function get_local_network_ip() {

		return $_SERVER['SERVER_ADDR'] ?? false;
	}

	/**
	 * Gets the public IP address of the network using an external HTTP call.
	 *
	 * The reason why this IP can't be determined locally is because proxies like
	 * Cloudflare and others will mask the real domain address.
	 * By default, we cache the values in a transient for 10 days.
	 *
	 * @since 2.0.0
	 * @return string
	 */
	public static function get_network_public_ip() {

		if ( self::is_development_mode() ) {
			$local_ip = self::get_local_network_ip();

			/**
			 * See more about this filter below, on this same method.
			 */
			return apply_filters('wu_get_network_public_ip', $local_ip, true);
		}

		$_ip_address = get_site_transient('wu_public_network_ip');

		if ( ! $_ip_address ) {
			$ip_address = false;

			foreach ( self::$providers as $provider_url ) {
				$response = wp_remote_get(
					$provider_url,
					[
						'timeout' => 5,
					]
				);

				if ( ! is_wp_error($response) ) {
					$ip_address = trim(wp_remote_retrieve_body($response));

					continue;
				}
			}

			set_site_transient('wu_public_network_ip', $ip_address, 10 * DAY_IN_SECONDS);

			$_ip_address = $ip_address;
		}

		/**
		 * Allow developers to change the public IP address of the network.
		 *
		 * This is displayed to the customer/users when new domains are mapped
		 * and need DNS records configured.
		 *
		 * This is useful in cases where a load balancer might be present and IP might vary.
		 *
		 * @see https://wpultimo.feedbear.com/boards/bug-reports/posts/network-ip-filter-required
		 *
		 * @param string $_ip_address The public IP address.
		 * @param bool $local True if this is a local network (localhost, .dev, etc.), false otherwise.
		 * @return string The new IP address.
		 */
		return apply_filters('wu_get_network_public_ip', $_ip_address, false);
	}

	/**
	 * Checks if a given domain name has a valid associated SSL certificate.
	 *
	 * @since 2.0.0
	 *
	 * @param string $domain Domain name, e.g. google.com.
	 * @return boolean
	 */
	public static function has_valid_ssl_certificate($domain = '') {
		$is_valid = false;

		// Ensure the domain is not empty.
		if (empty($domain)) {
			return $is_valid;
		}

		// Add 'https://' if not already present to use SSL context properly.
		$domain = str_starts_with($domain, 'https://') ? $domain : 'https://' . $domain;

		try {
			// Create SSL context to fetch the certificate.
			$context = stream_context_create(
				[
					'ssl' => [
						'capture_peer_cert' => true,
					],
				]
			);

			// Open a stream to the domain over SSL.
			$stream = @stream_socket_client(
				'ssl://' . parse_url($domain, PHP_URL_HOST) . ':443',
				$errno,
				$errstr,
				10,
				STREAM_CLIENT_CONNECT,
				$context
			);

			// If stream could not be established, SSL is invalid.
			if ( ! $stream) {
				throw new \Exception($errstr);
			}

			// Retrieve the certificate and parse its details.
			$options = stream_context_get_options($context);

			if (isset($options['ssl']['peer_certificate'])) {
				$cert = openssl_x509_parse($options['ssl']['peer_certificate']);

				if ($cert) {
					// Verify the certificate's validity period.
					$current_time = time();
					$valid_from   = $cert['validFrom_time_t'] ?? 0;
					$valid_to     = $cert['validTo_time_t'] ?? 0;

					// Check if the certificate is currently valid.
					if ($current_time >= $valid_from && $current_time <= $valid_to) {
						$host = parse_url($domain, PHP_URL_HOST);

						// Check that the domain matches the certificate.
						$common_name = $cert['subject']['CN'] ?? ''; // Common Name (CN)
						$alt_names   = $cert['extensions']['subjectAltName'] ?? ''; // Subject Alternative Names (SAN)

						// Parse SAN into an array if present.
						$alt_names_array   = array_filter(array_map('trim', explode(',', str_replace('DNS:', '', $alt_names))));
						$alt_names_array[] = $common_name;
						// Check if the host matches either the CN, any SAN entry, or supports a wildcard match.
						if (
							$host === $common_name ||
							in_array($host, $alt_names_array, true)
						) {
							$is_valid = true;
						} else {
							foreach ($alt_names_array as $alt_name) {
								if ( str_starts_with($alt_name, '*.') && str_ends_with($host, substr($alt_name, 1))) {
									$is_valid = true;
									break;
								}
							}
						}
					}
				}
			}

			// Close the stream after processing.
			fclose($stream);
		} catch (\Exception $e) {
			// Log the error message.
			wu_log_add(
				'domain-ssl-checks',
				sprintf(__('Certificate Invalid: %s', 'wp-multisite-waas'), $e->getMessage()),
				LogLevel::ERROR
			);
		}

		return $is_valid;
	}
}