<?php
declare(strict_types=1);

session_start();

// Load config
$config = require __DIR__ . '/../../config/config.php';

// Simple login check (same as index.php)
$sessionKey = $config['security']['session_key_user'] ?? 'admin_user';
if (!isset($_SESSION[$sessionKey])) {
    header('Location: ../index.php?route=login');
    exit;
}

// Only accept POST
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Location: ../index.php?route=createuser');
    exit;
}

// Basic input validation
$sam = trim((string)($_POST['samaccountname'] ?? ''));
$display = trim((string)($_POST['displayname'] ?? ''));
$mail = trim((string)($_POST['mail'] ?? ''));
$pass = (string)($_POST['password'] ?? '');
$ou = trim((string)($_POST['ou'] ?? ''));
$groups = trim((string)($_POST['groups'] ?? ''));

if ($sam === '' || $pass === '') {
    $_SESSION['flash_error'] = 'Anmeldename und Passwort sind erforderlich.';
    header('Location: ../index.php?route=createuser');
    exit;
}

// Server-side password validation (same rules as CSV script)
$passwordHint = "Das Passwort muss mindestens 7 Zeichen lang sein, darf keine größeren Teile des Benutzernamens enthalten und muss Zeichen aus mindestens 3 von 4 Kategorien enthalten: Großbuchstaben, Kleinbuchstaben, Ziffern, Sonderzeichen.";
function validate_password_php(string $password, string $sam): array {
    $errors = [];
    if ($password === '' || mb_strlen($password) < 7) {
        $errors[] = 'Passwort muss mindestens 7 Zeichen lang sein.';
    }
    $categories = 0;
    if (preg_match('/[A-Z]/u', $password)) $categories++;
    if (preg_match('/[a-z]/u', $password)) $categories++;
    if (preg_match('/\d/', $password)) $categories++;
    if (preg_match('/[^A-Za-z0-9]/u', $password)) $categories++;
    if ($categories < 3) {
        $errors[] = 'Passwort muss Zeichen aus mindestens 3 von 4 Kategorien enthalten.';
    }
    $samLower = mb_strtolower($sam);
    $pwLower = mb_strtolower($password);
    if ($samLower !== '' && mb_strpos($pwLower, $samLower) !== false) {
        $errors[] = 'Passwort darf den Benutzernamen nicht enthalten.';
    } else {
        $minLen = 4;
        if (mb_strlen($samLower) >= $minLen) {
            $samLen = mb_strlen($samLower);
            for ($len = $minLen; $len <= $samLen; $len++) {
                for ($start = 0; $start <= $samLen - $len; $start++) {
                    $sub = mb_substr($samLower, $start, $len);
                    if (mb_strpos($pwLower, $sub) !== false) {
                        $errors[] = 'Passwort darf keine größeren Teile des Benutzernamens enthalten.';
                        break 2;
                    }
                }
            }
        }
    }
    return $errors;
}

$pwErrors = validate_password_php($pass, $sam);
if (count($pwErrors) > 0) {
    $_SESSION['flash_error'] = 'Ungültiges Passwort: ' . implode(' | ', $pwErrors) . "\n\nHinweis: $passwordHint";
    header('Location: ../index.php?route=createuser');
    exit;
}

if ($ou === '') {
    $defaultOu = (string)($config['powershell']['default_ou'] ?? '');
    if ($defaultOu !== '') {
        $ou = $defaultOu;
    }
}


// Build payload
$payload = [
    'samaccountname' => $sam,
    'displayname' => $display,
    'mail' => $mail,
    'password' => $pass,
    'ou' => $ou,
    'groups' => $groups,
    'dry_run' => (bool)($config['powershell']['dry_run'] ?? false),
];

// Write payload to temp file
$tmpFile = tempnam(sys_get_temp_dir(), 'create_user_') . '.json';
file_put_contents($tmpFile, json_encode($payload, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES));

// Build PS script path
$scriptDir = $config['powershell']['script_dir'] ?? __DIR__ . '/../../scripts/powershell';
$script = $scriptDir . DIRECTORY_SEPARATOR . 'create_user.ps1';

$exe = $config['powershell']['exe'] ?? 'powershell';
$executionPolicy = $config['powershell']['execution_policy'] ?? 'Bypass';

$cmd = sprintf(
    '%s -NoProfile -NonInteractive -ExecutionPolicy %s -File "%s" -InputFile "%s"',
    $exe,
    $executionPolicy,
    $script,
    $tmpFile
);

// Execute and capture output and exit code
$output = [];
$returnVar = null;
if (!file_exists($script)) { 
    $_SESSION['flash_error'] = 'PowerShell-Skript nicht gefunden: ' . $script;
    @unlink($tmpFile);
    header('Location: ../index.php?route=createuser');
    exit;
}

// Try to locate the PowerShell executable
$exePathCheck = shell_exec(sprintf('where %s 2>NUL', escapeshellarg($exe)));
if ($exePathCheck === null) {
    // 'where' returns null when command fails; continue anyways, exec will fail if not found
}

exec($cmd . ' 2>&1', $output, $returnVar);
$json = implode("\n", $output);

// Optional: write raw output into logs for debugging
@file_put_contents(__DIR__ . '/../logs/create_user_output.log', date('Y-m-d H:i:s') . ' CMD: ' . $cmd . "\n" . $json . "\n\n", FILE_APPEND | LOCK_EX);

@unlink($tmpFile);

// Try to parse JSON output
$result = null;
if ($json !== '') {
    $decoded = json_decode($json, true);
    if (is_array($decoded)) {
        $result = $decoded;
    }
}

if ($result === null) {
    $_SESSION['flash_error'] = 'Unbekannter Fehler beim Ausführen des PowerShell-Skripts: ' . ($json ?: 'Keine Ausgabe');
    header('Location: ../index.php?route=createuser');
    exit;
}

if (!empty($result['success'])) {
    $_SESSION['flash_success'] = $result['message'] ?? 'Benutzer erfolgreich erstellt.';
} else {
    $_SESSION['flash_error'] = $result['message'] ?? 'Fehler beim Erstellen des Benutzers.';
}

header('Location: ../index.php?route=createuser');
exit;