hcuCommon_8i_source.html

<?php
/**
 *  File: hcuCommon.i
 *  Purpose:  These function can be used from Online Banking, Monitor, or Admin Backoffice
 *
 */

/**
  * Function: HCU_JsonDecode
  * Purpose:  Safely call the json_decode function.
  *           This may require certain calls to sanitize data or error check
  *    **** NOTE *****
  *           This function has different parameter order and defaults to return an assoc array .
  *                   The php json_decode defaults to returning an object rather than array
  * Parameters:
  *   @param string pJsonString       - This is the 'encoded' json string
  *   @param boolean pBolOnEmptyArray - If something went wrong, should the json be returned as an Array(true) or string(false)
  *   @param boolean pBolAssoc        - {Default: True}  Should the returned value be an associative array
  *
  * Returns:
  *   mixed  The return value will be determined on if the decode was successful and if there was an error.
  *          If no error occurred, then the function will return
  *          (object) if pBolAssoc was false
  *          array if pBolAssoc was true
  *          string   if there was an error and the pBolEmptyArray was true
  *
  *   mixed  MFA Quest Array structure
  */
function HCU_JsonDecode($pJsonString, $pBolOnEmptyArray=true, $pBolAssoc=true) {
  $dataReturn = ($pBolOnEmptyArray ? Array() : '');

  try {
    if (is_string($pJsonString)) {
      $pJsonString = trim($pJsonString);
      $dataReturn = json_decode($pJsonString, $pBolAssoc);
      switch (json_last_error()) {
        case JSON_ERROR_NONE:
          // ** ALL IS GOOD
          break;
        case JSON_ERROR_DEPTH:
        case JSON_ERROR_STATE_MISMATCH:
        case JSON_ERROR_CTRL_CHAR:
        case JSON_ERROR_SYNTAX:
        case JSON_ERROR_UTF8:
        default:
          throw new exception('Json decode error');
          break;
      }
    } else {
      throw new Exception('Invalid Data Type');
    }
  } catch (Throwable $t){
    // * Throwable Error Occurred - At this time do not report this
    $dataReturn = ($pBolOnEmptyArray ? ($pBolAssoc ? Array() : (object) Array()) : '');
  } catch (Exception $e) {
    // * An exception occurred - At this time do not report this
    $dataReturn = ($pBolOnEmptyArray ? ($pBolAssoc ? Array() : (object) Array()) : '');
  }

  return $dataReturn;
}

/**
  * Function: HCU_JsonEncode
  * Purpose:  Safely call the json_encode function.
  *
  * Parameters:
  *   @param array pJsonArray - This is the 'encoded' json string
  *
  * Returns:
  *   string  Returns a json encoded string
  */
function HCU_JsonEncode($pJsonArray) {
  // Default value is empty json string
  $dataReturn = '{}';

  try {

    $dataReturn = json_encode($pJsonArray);
    switch (json_last_error()) {
      case JSON_ERROR_NONE:
        // ** ALL IS GOOD
        break;
      case JSON_ERROR_DEPTH:
      case JSON_ERROR_STATE_MISMATCH:
      case JSON_ERROR_CTRL_CHAR:
      case JSON_ERROR_SYNTAX:
      case JSON_ERROR_UTF8:
      default:
        $dataReturn = '{}';
        break;
    }

  } catch (Throwable $t){
    // * Throwable Error Occurred - At this time do not report this
    $dataReturn = '{}';
  } catch (Exception $e) {
    // * An exception occurred - At this time do not report this
    $dataReturn = '{}';
  }
  return $dataReturn;
}


/**
  * Function: HCU_MFADecode
  * Purpose:  This will decode the mfaquest value from the {cucode}user table
  *           it will return the information related to the mfaquest
  * Parameters:
  *   @param  array  pJsonAry This should be the mfaquest array from {cucode}users table
  *
  * Return:
  *   @return array The following keys will be returned.
  *                 [mfacount] => "Number of answers in the mfaquest array" (ALWAYS RETURNED)
  *                 [answers] => "array of key(questid)->value(text) pairs "
  *                 [challenge] => "the active quest id for mfa challenge"
  *                 [authcode] => "the current secure access code"
  *                 [authexpires] => "timestamp when the current secure access code expires"
  *                 [mfadate] => "timestamp when challenge questions were saved"
  *
  */
function HCU_MFADecode($pJsonAry) {
  $retMfaArray = Array(
                      "mfacount" => 0,
                      "answers" => Array(),
                      "challenge" => 0,
                      "authcode" => '',
                      "authexpires" => '',
                      "mfadate" => 0
                   );

  $mfaQuestKey = 'answers';
  $mfaChallengeKey = 'challenge';

  // * pJsonAry should be an array with the key 'answers', this will contain the actual answers
  // * First check to ensure pJsonAry is an array
  try {
    if (HCU_array_key_exists($mfaQuestKey, $pJsonAry)) {
      // Be sure 'answers' is also an array
      if (is_array($pJsonAry[$mfaQuestKey])) {
        $retMfaArray['mfacount'] = count($pJsonAry[$mfaQuestKey]);
        $retMfaArray['answers'] = $pJsonAry[$mfaQuestKey];
      }
    }
    if (HCU_array_key_exists($mfaChallengeKey, $pJsonAry)) {
      // ** Challenge key found -- It is ALWAYS an integer
      $retMfaArray['challenge'] = intval($pJsonAry[$mfaChallengeKey]);
    }
    if (HCU_array_key_exists("authcode", $pJsonAry)) {
      // ** authcode key found -- It is ALWAYS string
      $retMfaArray['authcode'] = $pJsonAry["authcode"];
    }
    if (HCU_array_key_exists("authexpires", $pJsonAry)) {
      // ** authcode expiration key found -- It is ALWAYS an integer
      $retMfaArray['authexpires'] = intval($pJsonAry["authexpires"]);
    }
    if (HCU_array_key_exists("mfadate", $pJsonAry)) {
      // ** mfa change timestamp found -- It is ALWAYS an integer
      $retMfaArray['mfadate'] = intval($pJsonAry["mfadate"]);
    }
  } catch (Exception $e) {
    // Error occurred - set the return value to default
    $retMfaArray = Array(
                         "mfacount" => 0,
                         "answers" => Array(),
                         "challenge" => 0,
                         "authcode" => '',
                         "authexpires" => '',
                         "mfadate" => 0
                        );
  }


  return $retMfaArray;
}

/**
  * This will prepare the mfaquest array into a json string that contains ONLY
  *   the key fields that should be included.
  *
  * @param array $pMfaQuestAry Mfaquest array with ALL values that need to be saved
  *
  * @return string Returns the json string that can be saved
  *
  */
function PrepareMfaQuestString($pMfaQuestAry) {

  $allowedKeys = Array("answers", "challenge", "authcode", "authexpires", "mfadate");

  // ** Return an array that ONLY exists with the elements in AllowedKeys

  return json_encode(array_intersect_key($pMfaQuestAry, array_flip($allowedKeys)));

}
/**
 *
 * HCU_array_key_exists
 *
 * This function will check if a key exists in an array. BUT first it makes sure
 *   the Haystack is a valid array.  If it is not, then the function will fail
 *
 * Returns:  true - the needle exists in the haystack
 *           false - the haystack was NOT an array, or the key does not exist
 *
 * @param string $pNeedleKey
 * @param array $pAryHaystack
 *
 * @return boolean
 *
 */
function HCU_array_key_exists($pNeedleKey, $pAryHaystack) {
  $retVal = false;    // ** Assume, it is NOT found

  if (is_array($pAryHaystack)) {
    $retVal = array_key_exists($pNeedleKey, $pAryHaystack);
  }

  return $retVal;
}


/**
 *
 * This function will get the value for a specific array key
 *   But it will first ensure the Haystack IS an array
 *   AND it will check the existence of the key prior to returning the value
 *
 * @param string $pNeedleKey    - This is the Array Key that is being sought
 * @param array[] $pAryHaystack - This is the array that should contain the Needle
 *
 * @return mixed[] This will return the mixed value if the key does in fact exist in the array
 *                  If no value exists, then a false is returned
 *
 */
function HCU_array_key_value($pNeedleKey, $pAryHaystack) {

//print "<br/>HKV - One <br/>";
  if (HCU_array_key_exists($pNeedleKey, $pAryHaystack)) {
//print "<br/>HKV - 2 <br/>";
    return $pAryHaystack[$pNeedleKey];
  } else {
//print "<br/>HKV - 3 <br/>";
    return false;
  }
}

/**
 *
 * This function will return the count of items in the array for that key field
 *   If no items exist, it will return 0
 *
 * @param string $pNeedleKey    - This is the Array Key that is being sought
 * @param array[] $pAryHaystack - This is the array that should contain the Needle
 *
 * @return mixed[] This will return the mixed value if the key does in fact exist in the array
 *                  If no value exists, then a false is returned
 *
 */
function HCU_array_item_count($pNeedleKey, $pAryHaystack) {

  if (HCU_array_key_value($pNeedleKey, $pAryHaystack)) {
    return count($pAryHaystack[$pNeedleKey]);
  } else {
    return 0;
  }
}


/**
 *
 * setcookie replacement that will default to values in the settings array
 * If you want to specify the values, consider using HCU_setcookie directly
 *
 * @param array $pEnvSet This is the ENVSET array for the current environment.  It should have the minimum structure
 *          [
 *            'ticket' => [
 *                'domain' => GetEnvSetting('TICKET_DOMAIN', 'homecu.net'),
 *                'expires' => GetEnvSetting('TICKET_EXPIRES', 900),
 *                'persists' => GetEnvSetting('TICKET_PERSISTS', 94 * 86400),
 *                'inactive' => GetEnvSetting('TICKET_INACTIVE', 600),
 *            ],
 *            'site_path' => GetEnvSetting('SITE_PATH', '/home'),
 *            'server_host' => GetEnvSetting('SERVER_HOST', 'localhost'),
 *            'require_encryption' => GetEnvSetting('REQUIRE_ENCRYPTION', 1),
 *            'logger' => $logger
 *          ];
 *
 * @param string $pCookieName The name associated with this cookie
 * @param string $pCookieValue (defaults '') The value for this cookie
 * @param int    $pExpire (defaults 0) How long will this cookie exist
 *
 *
 * @return mixed
 */
function HCU_setcookie_env( $pEnvSet, $pCookieName, $pCookieValue='', $pExpire=0) {

  // Verify the ticket structure exist in envset
  if (HCU_array_key_exists('ticket', $pEnvSet)) {
    $domain = HCU_array_key_value('domain', $pEnvSet['ticket']);
    $secure = HCU_array_key_value('require_encryption', $pEnvSet);
  }
  // ** This will always be / when using this function -- Cookie will be good for all directories
  $path = '/';

  $retBaked = HCU_setcookie(HCU_array_key_value('logger', $pEnvSet), $pCookieName, $pCookieValue, $pExpire, $path, $domain, $secure);

  return $retBaked;
}

/**
 * Adjust some cookie requirements from `$settings.i` so infrastructure
 * can control some security guidelines.
 *
 * @param object $logger This is the Logger Object
 * @param string $name   Cookie Name
 * @param string $value  (default '') Cookie Value
 * @param int    $expire (default 0) Cookie Expire Time
 * @param string $path   Cookie path
 * @param string $domain Cookie Domain
 * @param
 */
function HCU_setcookie($logger, $name, $value="", $expire=0, $path="", $domain="", $secure=1, $httponly=false) {

//  $logger->info("Setting cookie $name ");
  if (!$secure) {
//    $logger->info("Setting cookie $name secure mode to: {$secure}");
  }

  if ($secure && !HCU_http_encrypted()) {
    $logger->error("Setting cookie {$name}={$value} expire={$expire} path={$path} domain={$domain}");
    /* NOTE: Currently exception handling is a WIP.  At some point this could just throw. */
    // throw new Exception('Can not set secure cookie on non HTTPS connection');
  }

  $ret = setcookie($name, $value, $expire, $path, $domain, $secure, $httponly);
  if (!$ret) {
    $logger->error("Failed to set cookie: {$name}");
  }
  return $ret;
}

/**
 * Generate a cryptographically secured secret key for
 * openssl encryption algorithms.
 */
function getOpenSSLKey($key_suffix, $bit_size='256') {
    // output raw binary data for key
    $raw_output = true;

    if ($bit_size != '256')
        throw new exception("Invalid key size. Supported: [256] bits.", 3);

    $hashKeyBilbo = GetOpenSSLKeyBilbo() . $key_suffix;
    $hashKeyBugs = GetOpenSSLKeyBugs() . $key_suffix;

    // TODO: consider sha3-256?
    $defaultKey = hash_hmac('sha256', $hashKeyBilbo, $hashKeyBugs, $raw_output); // Get 256-bit key

    switch($bit_size) {
    case '256':
        return $defaultKey;
        break;

    default:
        return $defaultKey;
    }
}

/**
 * Generate authentication hash given the message and derivation key.
 */
function getEncryptionAuthHash($message, $key_suffix, $auth_hash_algo, $auth_hash_binary) {
    if ($auth_hash_algo != 'sha1' && $auth_hash_algo != 'sha256') {
        throw new exception("Invalid hash algorithm: ". $auth_hash_algo, 2);
    }
    $hashKeyBilbo = GetOpenSSLKeyBilbo() . $key_suffix;
    return hash_hmac($auth_hash_algo, $message, $hashKeyBilbo, $auth_hash_binary);
}

/**
 * function hcuOpenSSLEncrypt($message)
 * Encrypts a message by key using the openssl_encrypt format
 *
 *
 * Supported encryption methods;
 * - "aes-256-ctr"
 * - "aes-256-ofb"
 * - "aes-256-cfb"
 * - "aes-256-cfb1"
 * - "aes-256-cfb8"
 * - "aes-256-ofb"
 * - "aes-256-xts"
 * - "aes-256-ecb"
 *
 * Note: $options argument in openssl_encrypt and openssl_decrypt functions
 *
 *     OPENSSL_ZERO_PADDING:
 *     If OPENSSL_ZERO_PADDING is included (as in
 *     OPENSSL_RAW_DATA|OPENSSL_ZERO_PADDING) in the options, this
 *     tells openssl encryption method that the input data IS ALREADY
 *     zero padded to a right byte/bits size and openssl does not need
 *     to do apply any padding.  Otherwise, OPENSSL_ZERO_PADDING is
 *     NOT INCLUDED as a part of $options to let openssl do the PKCS#7
 *     padding automatically; this means that the input string NEED
 *     NOT be padded.
 *
 *     OPENSSL_RAW_DATA:
 *     This option only affects the format of the data returned to the
 *     caller; When NOT specified in options, returns Base64 encoded
 *     data, otherwise returns as-is.
 *
 * @param string $message -- the message to encrypt
 * @param string $key_suffix -- encryption key or argument to getOpenSSLKey
 * @param string $method -- encryption cipher method (default: aes-256-cbc)
 * @param string $auth_hash_algo -- sha1 or sha256 (hash algo to used for encryption
 *                       authentication) (default: sha1)
 * @param string $auth_hash_binary -- output of authentication hash (raw or hexit?)
 *                         (default: binary raw (true))
 * @param string $iv -- initialization vector for some encryption modes (should
 *           be generated, used and returned as per $context if not provided)
 * @param string $context -- context of encryption
 *                - default - default encryption with authentication
 *                - connect_chkfree - for CHKFREE encryption
 *                - connect_ezcard - for EasyCard encryption
 *                - connect_certegy - for Certegy encryption
 *                - connect_digital - for digital mailer encryption
 *                - connect_ipay - for IPAY encryption
 *                - connect_vsoft - for VSHO/VSOFT encryption
 *                - connect_mvi - for MVI images encryption
 * @return array
 *       -- iv.message and hash -- default context
 *       -- message and iv -- otherwise
 */
function hcuOpenSSLEncrypt($message,
                           $key_suffix,
                           $method='aes-256-cbc',
                           $auth_hash_algo='sha1',
                           $auth_hash_binary=true,
                           $iv="",
                           $context="default") {

    // auth algo validation
    if ($auth_hash_algo != 'sha1' && $auth_hash_algo != 'sha256') {
        throw new exception("Invalid hash algorithm: ". $auth_hash_algo, 2);
    }
    // if initialization vector is not provided, we generate one by default
    // Obviously, IV would need to be returned along with the encrypted
    // ciphercode for various encryption modes, eg. except ECB. use context
    // argument to handle how to return the IV value back to the caller
    // Default context appends the IV to the ciphertext.
    $ivsize = openssl_cipher_iv_length($method);
    if ($iv == "") {
        $iv = openssl_random_pseudo_bytes($ivsize);
    } else {
        $iv = mb_substr($iv, 0, $ivsize, '8bit');
    }

    // Set encryption options before executing w.r.t. $context
    // OPTIONS:
    // OPENSSL_ZERO_PADDING: expects data to be space padded before encryption
    // OPENSSL_RAW_DATA: generate raw binary ciphertext
    if($context == "connect_chkfree" ||
       $context == "connect_ezcard" ||
       $context == "connect_certegy" ||
       $context == "connect_digital" ||
       $context == "connect_ipay" ||
       $context == "connect_vsoft" ||
       $context == "connect_mvi" ||
       $context == "connect_smo") {
        // OPENSSL_ZERO_PADDING means that it is expected that
        // the data is already padded appropriately; otherwise,
        // encryption with these options will fail
        $openssl_options = OPENSSL_RAW_DATA|OPENSSL_ZERO_PADDING;
        $encryptionKey = $key_suffix;
    } else if ($context == "credentials") {
      // return output as is (i.e. not base64 encoded)
      $openssl_options = OPENSSL_RAW_DATA;
      $encryptionKey = $key_suffix;
    } else { // defaults
        // PKCS7 padding and RAW ciphertext
        $openssl_options = OPENSSL_RAW_DATA;
        $encryptionKey = getOpenSSLKey($key_suffix);
    }

    // ENCRYPTION
    $ciphertext = openssl_encrypt($message,
                                  $method,
                                  $encryptionKey,
                                  $openssl_options,
                                  $iv);

    // iv and ciphertext are part of the default message
    // Default context appends the IV to the ciphertext in a raw format.
    $defaultCipher = $iv . $ciphertext;
    $defaultHash = getEncryptionAuthHash($defaultCipher,
                                         $key_suffix,
                                         $auth_hash_algo,
                                         $auth_hash_binary);
    $defaultResp = array("message" => $defaultCipher, "hash" => $defaultHash);

    // Prepare response after encryption based on the context of the encryption
    switch($context) {
    case "connect_chkfree":
    case "connect_ezcard":
    case "connect_certegy":
    case "connect_digital":
    case "connect_ipay":
    case "connect_vsoft":
    case "connect_mvi":
    case "connect_smo":
        $connectCipher = $ciphertext;
        $returnArray = array("message" => $connectCipher, "iv" => $iv);
        break;

    case "credentials":
        $credentialCipher = $ciphertext;
        $returnArray = array("message" => $credentialCipher, "iv" => $iv);
        break;

    // also for context="default" (case "default":)
    case "default":
    default:
        $returnArray= $defaultResp;
    }
    return $returnArray;
}

/**
 * function EncryptPayloadData($message, $key)
 * Encrypts a message by key using the openssl_encrypt format.
 *
 * @param string $message -- the message to encrypt
 * @param string $key -- the encryption key
 * @return string -- the nonce and encrypted message concatinated together and Base64 encoded
 */
function EncryptPayloadData( $message, $key )
{
    $method = 'aes-256-cbc';

    $nonceSize = openssl_cipher_iv_length( $method );
    $nonce = openssl_random_pseudo_bytes( $nonceSize );

    $ciphertext = openssl_encrypt( $message, $method, $key, OPENSSL_RAW_DATA, $nonce );

    $decrypttext = openssl_decrypt($ciphertext, $method, $key, OPENSSL_RAW_DATA, $nonce );

    $returnString = base64_encode( $nonce ) . "|" . base64_encode( $ciphertext );

    return $returnString;
} // end EncryptPayloadData

/**
 * function hcuOpenSSLDecrypt($message, $hash)
 * Decrypts a message by key using the openssl_encrypt format but only if the hashes match
 *
  * Supported encryption methods;
 * - "aes-256-ctr"
 * - "aes-256-ofb"
 * - "aes-256-cfb"
 * - "aes-256-cfb1"
 * - "aes-256-cfb8"
 * - "aes-256-ofb"
 * - "aes-256-xts"
 * - "aes-256-ecb"
 *
 * Note: $options argument in openssl_encrypt and openssl_decrypt functions
 *
 *     OPENSSL_ZERO_PADDING:
 *     If OPENSSL_ZERO_PADDING is included (as in
 *     OPENSSL_RAW_DATA|OPENSSL_ZERO_PADDING) in the options, this
 *     tells openssl encryption method that the input data IS ALREADY
 *     zero padded to a right byte/bits size and openssl does not need
 *     to do apply any padding.  Otherwise, OPENSSL_ZERO_PADDING is
 *     NOT INCLUDED as a part of $options to let openssl do the PKCS#7
 *     padding automatically; this means that the input string NEED
 *     NOT be padded.
 *
 *     OPENSSL_RAW_DATA:
 *     This option only affects the format of the data returned to the
 *     caller; When NOT specified in options, returns Base64 encoded
 *     data, otherwise returns as-is.
 *
 * @param string $message -- the message to decrypt
 * @param string $hash -- authenticated hash of the $message, if applicable to $context
 * @param string $key_suffix -- decryption key or argument to getOpenSSLKey
 * @param string $method -- decryption cipher method (default: aes-256-cbc)
 * @param string $auth_hash_algo -- sha1 or sha256 (hash algo to used for encryption
 *                       authentication) (default: sha1)
 * @param string $auth_hash_binary -- output of authentication hash (raw or hexit?)
 *                         (default: binary raw (true))
 * @param string $iv -- initialization vector for some encryption modes (should
 *           be generated, used and returned as per $context if not provided)
 * @param string $context -- context of decryption
 *                - default - default decryption with authentication
 *                - connect_chkfree - for CHKFREE decryption
 *                - connect_ezcard - for EasyCard decryption
 *                - connect_certegy - for Certegy decryption
 *                - connect_digital - for digital mailer decryption
 *                - connect_ipay - for IPAY decryption
 *                - connect_vsoft - for VSHO/VSOFT decryption
 *                - connect_mvi - for MVI images decryption
 *
 * @return string decrypted text
 */
function hcuOpenSSLDecrypt($message,
                           $hash,
                           $key_suffix,
                           $method='aes-256-cbc',
                           $auth_hash_algo="sha1",
                           $auth_hash_binary=true,
                           $iv="",
                           $context="default") {

    $hashKeyBilbo = GetOpenSSLKeyBilbo() . $key_suffix;
    $ivsize = openssl_cipher_iv_length($method);
    if ($iv != "") {
        $iv = mb_substr($iv, 0, $ivsize, '8bit');
    }

    // DEFAULTS
    // OPTIONS:
    // OPENSSL_ZERO_PADDING: expects data to be space padded before encryption
    // OPENSSL_RAW_DATA: generate raw binary ciphertext
    $openssl_options = OPENSSL_RAW_DATA;
    $encryptionKey = getOpenSSLKey($key_suffix);
    $ciphertext = $message;

    switch($context) {
    case "connect_chkfree":
    case "connect_ezcard":
    case "connect_certegy":
    case "connect_digital":
    case "connect_ipay":
    case "connect_vsoft":
    case "connect_mvi":
        $openssl_options = OPENSSL_RAW_DATA|OPENSSL_ZERO_PADDING;
        $encryptionKey = $key_suffix;
        break;

    case "credentials":
        $encryptionKey = $key_suffix;
        if ($iv == "") {
            throw new exception("IV cannot be empty for Credentials.", 3);
        }
        break;

    case "default":
    default:
        // $expectedHash = hash_hmac($auth_hash_algo, $message, $hashKeyBilbo, $auth_hash_binary);
        $expectedHash = getEncryptionAuthHash($message,
                                         $key_suffix,
                                         $auth_hash_algo,
                                         $auth_hash_binary);
        if (md5($expectedHash) !== md5($hash))
            throw new exception("Hash doesn't match!", 2);

        // iv and ciphertext are the part of the default $message
        $iv = mb_substr($message, 0, $ivsize, '8bit');
        $ciphertext = mb_substr($message, $ivsize, null, '8bit');
    }

    // DECRYPTION
    return openssl_decrypt($ciphertext,
                           $method,
                           $encryptionKey,
                           $openssl_options,
                           $iv);
}

/**
 * function DecryptPayloadData($message, $key)
 * Decrypts a message that was encrypted with EncryptPayloadData. The message is expected to
 * arrive with Base64 encoding and the $nonce as the first part.
 *
 * @param string $encryptedMessage -- the encrypted message
 * @param string $key -- the key used to encrypt the message
 * @return string -- the original decrypted message
 */
function DecryptPayloadData( $encodedMessage, $key )
{
    $method = 'aes-256-cbc';

    // NOTE: The base64 value "+" might have been decoded by a browser to " "; change back
    $encodedMessage = str_replace( " ", "+", $encodedMessage );

    $parts = explode( "|", $encodedMessage );

    $nonce = base64_decode( $parts[0] );
    $encryptedMessage = base64_decode( $parts[1] );

  try {
    $result = openssl_decrypt( $encryptedMessage, $method, $key, OPENSSL_RAW_DATA, $nonce );
  } catch (Exception $e) {
    $result = "Decryption failure";
  }

    return $result;
} // end DecryptPayloadData

/**
 * Indicate in a platform independent way if the application is encrypted
 * or more aptly behind and encryption proxy.
 */
function HCU_http_encrypted() {
    return !!((!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) &&
               $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') ||
              (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on'));
}

/**
 *  This function should return account found when not using a MIR packet
 *
 *  @param integer $pDbh  database handle to retrieve the values
 *  @param string $pMemberAcct  The Member Account Number we are seeking
 *
 *  @return array
 *        status
 *            code -  102 successful - account was found
 *                    001 Member Number NOT Found
 *                    999 Error - General Error
 *
 *            data - when [status][code] = 102
 *                           [accountnumber]
 *                    [accounts]          (always returned)
 *                      [deposit][array]  (structure is missing if there are NO results)
 *                            [accountnumber] - should match above
 *                            [accounttype]   - deposits accounttype
 *                            [certnumber]    - deposits only
 *                            [deposittype]   - {Y-Share Draft, N-Shares, O-Other, C-Certificate}
 *                            [description]   - Description from the core
 *                            [may_deposit]   - Does the account allow deposits? (DEPOSIT ONLY)
 *                            [may_withdraw]  - Does the account allow Withdrawals? (DEPOSIT ONLY)
 *                            [may_payment]   _ Does the Loan allow payume
 *                      [loan][array]  (structure is missing if there are NO results)
 *                            [accountnumber] - should match above
 *                            [loannumber]    - loannumber
 *                            [description]   - Description from the core
 *                            [may_payment]   - Does the Loan allow payume
 *                            [may_addon]     - Does the account allow deposits? (DEPOSIT ONLY)
 *
 */
function FindMemberAccountsWoMIR($pDbh, $pCu, $pMemberAcct) {

  $retAry = Array("code" => "000", "errors" => Array(), "data" => Array());

  $admLibrary= dirname(__FILE__) . "/../../admcom/library";

  $retData = Array();
  try {

    require_once ("$admLibrary/MbrExHcuMIR.i");

    // ** I want to look up data in the <cucode>useraccounts table
      $dms_ok = array('accountnumber' => 'digits',
          'firstname' => 'string',
          'middlename' => 'string',
          'lastname' => 'string',
          'email' => 'string',
          'homephone' => 'string',
          'workphone' => 'string',
          'cellphone' => 'string',
          'fax' => 'string',
          'ssn' => 'string',
          'address1' => 'string',
          'address2' => 'string',
          'city' => 'string',
          'state' => 'string',
          'zip' => 'string',
          'cc' => 'string',
          'dob' => 'string');

    /*
     *  SEARCH FOR MEMBER ACCOUNT IN <cucode>useraccounts table
     */
    $sql = "SELECT user_id, trim(accountnumber) as accountnumber
            FROM " . prep_save($pCu, 10) . "useraccounts
            WHERE accountnumber = '" . prep_save($pMemberAcct, 12) . "'
            LIMIT 1; ";
      // ** THERE SHOULD ONLY BE ONE, I AM PROGRAMMING AS ONLY ONE

    $sqlRs = db_query($sql, $pDbh);
    if (!($sqlRs)) {
      throw new ErrorException("SQL failed ($sql).");
    }

    if (db_num_rows($sqlRs) > 0) {

      // account record found, but return 102 so we know this was without MIR
      $retAry['code'] = "102";
      // * fetch the record
      $dRecord = db_fetch_assoc($sqlRs);

      $retData['accounts'] = Array();
      /*
       * FETCH DEPOSIT ACCOUNTS
       */
      $sql = "SELECT trim(accountnumber) as accountnumber, trim(accounttype) as accounttype,
                     certnumber, deposittype, trim(description) as description, may_deposit, may_withdraw
              FROM " . prep_save($pCu, 10) . "accountbalance
              WHERE accountnumber = '" . prep_save($pMemberAcct, 12) . "'
              ORDER BY accounttype; ";
      $sqlRs = db_query($sql, $pDbh);

      if (db_num_rows($sqlRs) > 0) {
        $acctList = Array();
        while ($dRecord = db_fetch_assoc($sqlRs)) {
          $acctList[] = $dRecord;
        }
        $retData['accounts']['deposit'] = $acctList;
      }
      /*
       * FETCH LOAN ACCOUNTS
       */
      $sql = "SELECT trim(accountnumber) as accountnumber, trim(loannumber) as loannumber,
                     trim(description) as description, may_payment, may_addon
              FROM " . prep_save($pCu, 10) . "loanbalance
              WHERE accountnumber = '" . prep_save($pMemberAcct, 12) . "'
              ORDER BY loannumber; ";
      $sqlRs = db_query($sql, $pDbh);

      if (db_num_rows($sqlRs) > 0) {
        $acctList = Array();
        while ($dRecord = db_fetch_assoc($sqlRs)) {
          $acctList[] = $dRecord;
        }
        $retData['accounts']['loan'] = $acctList;
      }
    } else {
      // ** NO ACCOUNT FOUND 001
      $retAry['code'] = "001";
    }

    $retAry['data'] = $retData;


  } catch (ErrorException $err) {
    $retAry['code'] = '999';
    $retAry['errors'] = 'An unexpected error occurred' . $err->getMessage();
  }

  return $retAry;
}

/**
 *
 *  Create a function that will Emulate the process of going to the core to get data to retrieve a member account and the list of accounts
 *    This function should return data similar to how we expect when we start using a live interface
 *
 *  @param integer $pDbh  database handle to retrieve the values
 *  @param string $pMemberAcct  The Member Account Number we are seeking
 *
 *  @return array
 *
 *        status
 *            code -  101 successful - member was found ** Standard throtlpkt resposne for successful result
 *                    001 Member Number NOT Found
 *                    999 Error - General Error
 *
 *            data - when [status][code] = 101
 *                    [mir]
 *                           [accountnumber]
 *                           [firstname]
 *                           [middlename]
 *                           [lastname]
 *                           [email]
 *                           [homephone]
 *                           [workphone]
 *                           [cellphone]
 *                           [fax]
 *                           [ssn]
 *                           [address1]
 *                           [address2]
 *                           [city]
 *                           [state]
 *                           [zip]
 *                           [cc]
 *                           [dob]
 *                    [accounts]          (always returned)
 *                      [deposit][array]  (structure is missing if there are NO results)
 *                            [accountnumber] - should match above
 *                            [accounttype]   - deposits accounttype
 *                            [certnumber]    - deposits only
 *                            [deposittype]   - {Y-Share Draft, N-Shares, O-Other, C-Certificate}
 *                            [description]   - Description from the core
 *                            [may_deposit]   - Does the account allow deposits? (DEPOSIT ONLY)
 *                            [may_withdraw]  - Does the account allow Withdrawals? (DEPOSIT ONLY)
 *                            [may_payment]   _ Does the Loan allow payume
 *                      [loan][array]  (structure is missing if there are NO results)
 *                            [accountnumber] - should match above
 *                            [loannumber]    - loannumber
 *                            [description]   - Description from the core
 *                            [may_payment]   - Does the Loan allow payume
 *                            [may_addon]     - Does the account allow deposits? (DEPOSIT ONLY)
 *
 */
function SpoofFindMemberAccounts($pDbh, $pCu, $pMemberAcct) {

  $retAry = Array("code" => "000", "errors" => Array(), "data" => Array());

  $admLibrary= dirname(__FILE__) . "/../../admcom/library";

  $retData = Array();
  try {

    require_once ("$admLibrary/MbrExHcuMIR.i");

    // ** I want to look up data in the <cucode>extkey table where providermode = 'HcuMIR'
      $dms_ok = array('accountnumber' => 'digits',
          'firstname' => 'string',
          'middlename' => 'string',
          'lastname' => 'string',
          'email' => 'string',
          'homephone' => 'string',
          'workphone' => 'string',
          'cellphone' => 'string',
          'fax' => 'string',
          'ssn' => 'string',
          'address1' => 'string',
          'address2' => 'string',
          'city' => 'string',
          'state' => 'string',
          'zip' => 'string',
          'cc' => 'string',
          'dob' => 'string');

    /*
     *  SEARCH FOR MEMBER ACCOUNT IN <cucode>extkey table
     */
    $sql = "SELECT user_id, trim(accountnumber) as accountnumber, parms
            FROM " . prep_save($pCu, 10) . "extkey
            WHERE providermode = 'HcuMIR'
              AND accountnumber = '" . prep_save($pMemberAcct, 12) . "'
            LIMIT 1; ";
      // ** THERE SHOULD ONLY BE ONE, I AM PROGRAMMING AS ONLY ONE

    $sqlRs = db_query($sql, $pDbh);
    if (!($sqlRs)) {
      throw new ErrorException("SQL failed ($sql).");
    }

    if (db_num_rows($sqlRs) > 0) {

      $retAry['code'] = "101";
      // * fetch the record
      $dRecord = db_fetch_assoc($sqlRs);

      // * Get the
      $payload = $HcuMIRi->parms_parse($dRecord['parms']);

      // fix up the dob to match what import will do
      $payload["dob"] = date( "m/d/Y", strtotime( $payload["dob"] ) );

      $retData['mir'] = $payload;
      $retData['accounts'] = Array();
      /*
       * FETCH DEPOSIT ACCOUNTS
       */
      $sql = "SELECT trim(accountnumber) as accountnumber, trim(accounttype) as accounttype,
                     certnumber, deposittype, trim(description) as description, may_deposit, may_withdraw
              FROM " . prep_save($pCu, 10) . "accountbalance
              WHERE accountnumber = '" . prep_save($pMemberAcct, 12) . "'
              ORDER BY accounttype; ";
      $sqlRs = db_query($sql, $pDbh);

      if (db_num_rows($sqlRs) > 0) {
        $acctList = Array();
        while ($dRecord = db_fetch_assoc($sqlRs)) {
          $acctList[] = $dRecord;
        }
        $retData['accounts']['deposit'] = $acctList;
      }
      /*
       * FETCH LOAN ACCOUNTS
       */
      $sql = "SELECT trim(accountnumber) as accountnumber, trim(loannumber) as loannumber,
                     trim(description) as description, may_payment, may_addon
              FROM " . prep_save($pCu, 10) . "loanbalance
              WHERE accountnumber = '" . prep_save($pMemberAcct, 12) . "'
              ORDER BY loannumber; ";
      $sqlRs = db_query($sql, $pDbh);

      if (db_num_rows($sqlRs) > 0) {
        $acctList = Array();
        while ($dRecord = db_fetch_assoc($sqlRs)) {
          $acctList[] = $dRecord;
        }
        $retData['accounts']['loan'] = $acctList;
      }
    } else {
      // ** NO ACCOUNT FOUND 001
      $retAry['code'] = "001";
    }

    $retAry['data'] = $retData;


  } catch (ErrorException $err) {
    $retAry['code'] = '999';
    $retAry['errors'] = 'An unexpected error occurred' . $err->getMessage();
  }

  return $retAry;
}


/*
 * @uses Ecoding sensitive data for passing through the client side.
 *
 * this function will take an associative array of data, use the keys
 * found in the array to build a new array of the same key/value pairs
 * to encode.
 *
 * this seems redundant at the moment, but in the future we may want to
 * have a flag in an array to say don't include this key or value.
 *
 * this function will take a json string and decode it into an associative
 * array to be encoded as above.
 *
 * @param $pCu string : credit union code to be used in encrypting data.
 * @param $pMessage array : associative array of data to encrypt.
 * @param $pMessage string : json encoded string containing data to encrypt.
 * @param $pJson boolean : flag to tell the function if the message needs to be
 * decoded from a json string into an asociative array.
 *
 * @return $eReturn array
 */
function HCU_PayloadEncode($pCu, $pMessage, $pJson = false) {
  $eReturn = null;
  $eEncode = array();
  $eMessage = $pMessage;

  if ($pJson) {
    $eJson = html_entity_decode($eMessage, ENT_QUOTES);
    $eJson = trim($eMessage);

    if ($eJson == "") { throw new Exception("Payload not found."); }
    $eMessage = HCU_JsonDecode($eJson);
  }

  if (!is_array($eMessage)) { throw new Exception("Payload not found."); }
  if (!count($eMessage)) { throw new Exception("Payload not found."); }

  foreach ($eMessage as $key => $value) {
    $eEncode[$key] = $value;
  }

  $eEncode = HCU_JsonEncode($eEncode);
  $eEncrypt = hcuOpenSSLEncrypt($eEncode, $pCu);
  $eGlue = GetPayloadGlue();

  $eReturn = $eEncrypt['message'] . $eGlue . $eEncrypt['hash'];
  $eReturn = base64_encode($eReturn);

  return $eReturn;
}

/**
 * @uses this function is used to decrypt a payload of data encoded by the function
 * above.
 *
 * @param $pCu string : credit union code use to encrypt data
 * @param $pMessage string : encrypted data
 * @param $pJson boolean : flag to determine return type
 *
 * @return $dDecrypt array || json
 */
function HCU_PayloadDecode($pCu, $pMessage, $pJson = false) {
  $dMessage = base64_decode($pMessage);
  $dEncode = explode("|*|*|*|", $dMessage);

  $dMessage = $dEncode[0];
  $dHash = $dEncode[1];

  $dDecrypt = hcuOpenSSLDecrypt($dMessage, $dHash, $pCu);
  $dReturn = $pJson ? $dDecrypt : HCU_JsonDecode($dDecrypt);

  return $dReturn;
}

/**
 * Get the liveserver from the cuadmin table and return value
 *
 * @param array $pHbEnv -- The current HB_ENV .  Need the following
 *                          Cu - Credit Union Code
 *                          dbh - database handle
 *
 * @return mixed          The liveserver value from the database
 *                          if there is an error with the value, it will return a false
 *
 */
function GetHculiveUrl($pHbEnv) {

  $retVal = "";


  try {
    // ** Some things to check
    /* ** CREDIT UNION CODE ** */
    $cu = strtoupper(HCU_array_key_value("Cu", $pHbEnv));
    if ($cu == '') {
      // ** Credit union code is blank
      throw new ErrorException("CU Code Not Set");
    }

    /* ** DATABASE CONNECTION ** */
    $dbh = HCU_array_key_value("dbh", $pHbEnv);

    if (db_connection_status($dbh) !== PGSQL_CONNECTION_OK) {
      // * * database handle is bad -- throw error
      throw new ErrorException("Bad Database Connection");
    }


    $sql = "SELECT cu, liveserver
            FROM cuadmin
            WHERE cu = '" . prep_save($cu, 10) . "' ";
    $rs = db_query($sql, $dbh);
    if ($rs) {
      /* ** Recordset Value ** */
      $row = db_fetch_assoc($rs);

      // ** We now should have the value -- Get the value from the row associative array
      $retVal = HCU_array_key_value("liveserver", $row);
    }

  } catch (ErrorException $err) {
    $retVal = false;
  }

  return $retVal;
}
/**
 * Get a consistent confirmation code based on the data passed in. There are three cases:
 *    1. immediate processing of internal transfer,
 *    2. background processing of a scheduled transfer,
 *    3. admin processing of an ACH transaction
 *
 * For (1) the processed_by field will be NULL so we will use the posted_by id.
 * For (2) the processed_by field will have "scheduled" so we will use the posted_by id.
 * For (3) the processed_by field will have the admin username. For this one the name can be part of the confirmation code.
 *
 * Also need to include the type of confirmation code so know how to reverse it.
 *
 * Build the confirmation code using the epoch integer for time, converted to hex, the transaction id, the user id, and which type
 *  of confirmation code. Return in a concatinated string that is broken up in quads from right to left to account for increasing
 *  size of the ids.
 *
 * It is possible the code is being built right after the "which" operation completed as return data, or it is possible the code is
 *  being built after the fact and the caller just read the <cu>transhdr table. The fields passed in will be named as if the table
 *  was just read, but the caller could just supply the minimum necessary.
 *  NOTE: the date is the date stamp that would be in the table.
 *
 * @param string $pWhich          -- posted, approved, processed
 * @param array $pTransInfo     -- array with necessary information (depends on which code needed)
 *
 * @return  False if unsuccessful; string if successful
 */
function GetTransferConfirmCode( $pEnv, $pWhich, $pTranInfo ) {

  try {
    switch( $pWhich ) {
      case "post":
        // Posted pattern: Pan1bn2cn3, where a = # hex digits n1 (in hex),  b = # hex digits n2, c = # hex digits n3
        //  and n1 = trans id, n2 = date timestamp, n3 = user id
        $n1hex = dechex( $pTranInfo["id"] );
        $n1len = strlen( $n1hex );

        $n2hex = dechex( strtotime( $pTranInfo["posted_date"] ) );
        $n2len = strlen( $n2hex );

        $n3hex = dechex( $pTranInfo["posted_by"] );
        $n3len = strlen( $n3hex );

        $intermediateCode = "P" . $n1len . $n1hex . $n2len . $n2hex . $n3len . $n3hex;
        break;
      case "approve":
        // Approved pattern: Aan1bn2cn3, where a = # hex digits n1, b = # hex digits n2, c = # hex digits n3
        //  and n1 = trans id, n2 = date timestamp, n3 = user id
        $n1hex = dechex( $pTranInfo["id"] );
        $n1len = strlen( $n1hex );

        $n2hex = dechex( strtotime( $pTranInfo["approved_date"] ) );
        $n2len = strlen( $n2hex );

        $n3hex = dechex( $pTranInfo["approved_by"] );
        $n3len = strlen( $n3hex );

        $intermediateCode = "A" . $n1len . $n1hex . $n2len . $n2hex . $n3len . $n3hex;
        break;
      case "process":
        // Processed pattern: Ran1bn2user, where a = # hex digits n1, b = # hex digits n2, c = # hex digits n3
        //  and n1 = trans id, n2 = date timestamp, user = admin user name
        $n1hex = dechex( $pTranInfo["id"] );
        $n1len = strlen( $n1hex );

        $n2hex = dechex( strtotime( $pTranInfo["processed_date"] ) );
        $n2len = dechex( strlen( $n2hex ) );

        // this depends on the value
        if ( $pTranInfo["processed_by"] == "*immed*" ||
             $pTranInfo["processed_by"] == "*sched*" ) {
          // immediate or scheduled transfer, use the posted_by
          $whoProcessed = dechex( $pTranInfo["posted_by"] );
          $leadingCode = ( $pTranInfo["processed_by"] == "*immed*" ) ? "I" : "S";
        } else {
          // use the contents since likely an admin
          $whoProcessed = $pTranInfo["processed_by"] ;
          $leadingCode = "R";
        }

        $intermediateCode = $leadingCode . $n1len . $n1hex . $n2len . $n2hex . $whoProcessed;
        break;
      default:
        throw new Exception ( "Bad call to create confirmation code" );
        break;
    }

    // make all caps
    $upperCode = strtoupper( $intermediateCode );

    // break up string for output
    $aryConfirmId = str_split( $upperCode, 4 );
    $confirmId = implode( "-", $aryConfirmId );

  } catch(Exception $ex) {
    $logInfo = array( "message" => $ex->getMessage(), "code" => $ex->getCode() );
    $pEnv["SYSENV"]["logger"]->info( HCU_JsonEncode( $logInfo ) );

    $confirmId = false;
  }

  return $confirmId;

} // end GetTransferConfirmCode

// unresolved - This is just a stub so things work. At some point this function goes away and a real one replaces it in an included file.
/**
 *  This function will be the called function when making a transaction, than based on the CU configuration it will make the appropriate
 *    requests/calls/updates
 *  For a live CU, this will make the request to the core.
 *  For a batch CU, this will make a different request that will insert a record into the <client>transaction table
 *
 *  @param array  $pHBEnv     - The HB_ENV environment settings
 *                          - passed by address it could
 *  @param string $pOpCode    - (needed?) The type of transaction to be sent
 *  @param array  $pTxnValues - Contains the list of data items to be posted
 *                              {TRANSFER}
 *                                "txncode" => Transaction Code
                                  "source_sub_account" => Source Sub Account
                                  "dest_sub_account" => Destination Sub Account
                                  "email" => Email
                                  "misc1" => Misc. needed for some credit card transactions
                                  "dest_account" => $destAccount,         // this could be 10/20 for checking/savings
                                  "amount" => $AMT,
                                  "memo" => $TRMEMO
 *
 *
 *
 *  @return array
 *                [code] - {000 - a request was made to the core and a response was returned, 999 - an error occured and was unable to get a response from the core}
 *                [errors] - list
 *                [data]
 *                  [code] - The code returned from the core under normal circumstances
 *                  [desc] - The description from the core
 *
 *
 */
function  SendTransaction( $pHBEnv, $pOpCode, $pTxnValues ) {
    $retStatusAry = Array(
      "status" => Array( "code"=>'000', "errors" => Array() ),
      "data" => ""
    );

    $logger = $pHBEnv['SYSENV']['logger'];


    try {
      if ($pHBEnv['live']) {
        /**
         * ** LIVE CREDIT UNION
         * ** REAL TIME POST TO CORE INTERFACE
         */
        /**
         *  ** PRE PROCESS
         */
        switch ($pOpCode) {
          case "TRANSFER":
            $pTxnValues['pkt-type'] = PACKET_REQUEST_TRN;
            break;
          case "MEMBERACTIVATE":
            $pTxnValues['pkt-type'] = PACKET_REQUEST_MA;
            break;
          case "ESTMTACTIVATE":
            $pTxnValues['pkt-type'] = PACKET_REQUEST_ES;
            break;
          case "ESTMTSTOP":
            $pTxnValues['pkt-type'] = PACKET_REQUEST_ES;
            break;
          default:
            // ** ERROR - Operation NOT SPECIFIED
            throw new Exception ("No Operation Selection");
        }
        $reqResult = PostTransactionRequest($pHBEnv, $pTxnValues);
        if ($reqResult['code'] == '999') {
          throw new Exception ("Unexpected Error");
        }

        // ** Success -- SET the response of this function to match from the CORE
        $retStatusAry['status']['code'] = HCU_array_key_value("code", $reqResult['data']);

        // ** Assume the transfer failed UNLESS the code returned is 000
        if ($retStatusAry['status']['code'] != '000') {
          $retStatusAry['status']['errors'][] = HCU_array_key_value("desc", $reqResult['data']);
        }
        $retStatusAry['data'] = HCU_array_key_value("data", $reqResult);

        /**
         *  **
         *  ** POST PROCESSING **
         *  **
         */
        switch ($pOpCode) {
          case "TRANSFER":

            /* ** Update the packet stamp for the user.
             * **   This has the affect of forcing the bal/history to update on the next
             * **   Get_Balances call
             */
            if (HCU_array_key_value('code', $retStatusAry['data']) == '000') {

              // * ONLY UPDATE ON SUCCESS
              // * *Create an array with the member numbers
              $userData = Array("accountnumbers" => Array(HCU_array_key_value("member", $pTxnValues)));

              if (HCU_array_key_value("member", $pTxnValues) != HCU_array_key_value("ref5", $pTxnValues)) {
                // If the From/To member are different then add the To member
                  // userData was declared an array above
                $userData['accountnumbers'][] = HCU_array_key_value("ref5", $pTxnValues);
              }

              // ** If the transfer is between two overloaded accounts, then the main account is not
                //    the [from / to] member.  I need to also check the 'tauth' member to see if it's
                //    different.  If it is, then include the tauth member in the list of accounts to
                //    retrieve.
              if (HCU_array_key_value("tauth", $pTxnValues) != '' && HCU_array_key_value("member", $pTxnValues) != HCU_array_key_value("tauth", $pTxnValues)) {
                $userData['accountnumbers'][] = HCU_array_key_value("tauth", $pTxnValues);
              }

              $updResp = SetbackMemberStamps($pHBEnv, $pHBEnv['Uid'], $userData);
              // * Not much that can be done if this fails.. so let it go.
            }
            break;
          case "MEMBERACTIVATE":
            /* ** NOTHING ** */
            break;
        }
      } else {
        /**
         * ** BATCH CREDIT UNION
         * ** INSERT RECORD INTO <client>transaction table
         */
/*
          $sql = "insert into {$Cu}transaction (
                    accountnumber, memberto, transactioncode,
                    reference1, reference2, reference3,
                    amount, date)
                    values ('$acct', '$R5', '$tc', '$R1', '$R2', '" .
                   prep_save(urldecode($R3)) . "'," .
                   $AMT . ",  now());";
          $sql.="select currval('${Cu}transaction_id_seq')";

*/
      }
    } catch (Exception $e) {
      // ** Unexpected Error Occurred
      $retStatusAry['status']['code'] = '999';
      $retStatusAry['status']['errors'] = 'Unexpected Error';
      $retStatusAry['data'] = Array();
    }


    return $retStatusAry;
} // end SendTransaction

/**
 * Reverse the confirmation code to get the identifying data.
 *
 * @param string $pEnv                -- environment info with at least the db handle
 * @param string $pCUCode             -- the credit union code (to get to correct table)
 * @param string $pConfirmCode        -- the confirmation code
 *
 * @return  structure with user name, transaction date, <cu>transhdr id
 */
function ReverseTransferConfirmCode( $pEnv, $pCUCode, $pConfirmCode ) {

  try {
    $condensedCode = strtoupper( str_replace( "-", "", $pConfirmCode ) );

    // get all the common information first
    $which = substr( $condensedCode, 0, 1 );

    $currOffset = 1;
    $n1len = hexdec( substr( $condensedCode, $currOffset, 1 ) );

    if ( !$n1len ) {
      throw new Exception ( "Bad value when reversing confirmation code" );
    }

    $currOffset++;
    $transId = hexdec( substr( $condensedCode, $currOffset, $n1len ) );

    $currOffset += $n1len;

    $n2len = hexdec( substr( $condensedCode, $currOffset, 1 ) );

    if ( !$n2len ) {
      throw new Exception ( "Bad value when reversing confirmation code" );
    }

    $currOffset++;
    $txnStamp = hexdec( substr( $condensedCode, $currOffset, $n2len ) );
    $txnString = date( "m/d/Y h:ia", $txnStamp );

    $currOffset += $n2len;
    $n3len = hexdec( substr( $condensedCode, $currOffset, 1 ) );

    if ( !$n3len ) {
      throw new Exception ( "Bad value when reversing confirmation code" );
    }

    $currOffset++;

    switch( $which ) {
      case "P":
        // posted
      case "A":
        // accepted
      case "I":
        // posted immediately (uses user id)
      case "S":
        // posted by the scheduler (uses user id)
          $userId = hexdec( substr( $condensedCode, $currOffset, $n3len ) );

          if ( !$userId ) {
            throw new Exception ( "Bad user id when reversing confirmation code" );
          }

          // look up user name
          $sql = "SELECT user_name
                  FROM {$pEnv["Cu"]}user
                  WHERE user_id = $userId";
          $rs = db_query( $sql, $pEnv["dbh"] );
          list( $username ) = db_fetch_array( $rs );
          db_free_result( $rs );

          // return the correct operation
          if ( $which == "P" ) {
            $operation = "Posted";
          } else if ( $which == "A" ) {
            $operation = "Accepted";
          } else if ( $which == "I" ) {
            $operation = "Immediate Posted";
          } else if ( $which == "S" ) {
            $operation = "Scheduled Posted";
          }
        break;
      case "R":
        // processed by admin (has admin username)
          $currOffset++;
          $adminUsername = substr( $condensedCode, $currOffset, $n3len );

          $operation = "Processed";
          $userId = 0;
          $username = $adminUsername;
        break;
      default:
        throw new Exception ( "Bad call to reverse confirmation code" );
        break;
    }

    $returnParts = array( "operation" => $operation,
                                       "date" => $txnString,
                                       "id" => $transId,
                                       "name" => $username );

  } catch(Exception $ex) {
    $returnParts = false;
  }

  return $returnParts;

} // end ReverseTransferConfirmCode

// Get the timezone for the credit union (from the database).
function GetCreditUnionTimezone( $pDbh, $pCu ) {
  // get the timezone for the CU
  $sql = "select rtrim(tz) from cuadmin where cu= '$pCu'";
  $sth = db_query( $sql, $pDbh );
  if ( $sth ) { list($tz) =  db_fetch_array( $sth, 0 ); }
  $tz = ("$tz" == "" ? "Mountain" : $tz);
  if (strpos("$tz","/") === false) { $tz = "US/$tz"; }

  return $tz;
} // end GetCreditUnionTimezone

/**
 * Apply a timezone to an epoch using the supplied format
 *
 * @param integer $pEpoch  - The date represented in second from 1/1/1970
 * @param string  $pFormat - The desired format for the date representation
 * @param string  $pTz     - The Timezone the date should use with the format
 *
 * @return string
 */
function GetDateFormatTimezone($pEpoch, $pFormat, $pTz) {
  try {

    if ($pEpoch == 0) {
      throw new Exception ("No Date to Format");
    }

    // ** To create this format from an epoch use the createFromFormat and specify U for "seconds since epoch"
    $srcFormat = "U";
    $myDateTime = DateTime::createFromFormat($srcFormat, $pEpoch);

    $myDateTime->setTimezone(new DateTimeZone($pTz));

    $formatted = $myDateTime->format($pFormat);
  } catch (exception $e) {
    // ** On Error Set the formatted to empty string
    $formatted = '';
  }

  return $formatted;
}

/**
 *  Function to explode the Acct ID value into the appropriate pieces
 *
 *  @param $pAcctId   - the AcctId -- this will be formatted similar to:
 *                                      D|ACCTNBR|ACCTSFX|CERTNO
 *                                      L|ACCTNBR|LOANNBR
 *  @return array
 *              [valid]         - Did the value appear to be valid
 *              [original]      - Original value that was being parsed
 *              [type]          - {D, L}
 *              [acctnumber]    - Member number for account
 *              [segment3]      - Deposit - Account Suffix; Loan - Loan Number
 *              [segment4]      - Deposit - Cert Number; Loan - Empty
 */
function HCU_AcctIdExplode($pAcctId) {
  $retAcctAry = Array("valid" => false, "original" => $pAcctId, "type" => "", "acctnumber" => "", "segment3" => "", "segment4" => "");

  $acctIdType = substr($pAcctId, 0, 1);

  switch (strtoupper($acctIdType)) {
    case "D":
      // ** Deposit
      if (substr_count($pAcctId, "|") === 3) {
        list($retAcctAry['type'], $retAcctAry['acctnumber'], $retAcctAry['segment3'], $retAcctAry['segment4']) = explode("|", $pAcctId);
        $retAcctAry['valid'] = true;
      } // ** ELSE FAIL

      break;
    case "L":
    case "O":
    case "P":
    case "C":
      // ** Loan
      if (substr_count($pAcctId, "|") === 2) {
        list($retAcctAry['type'], $retAcctAry['acctnumber'], $retAcctAry['segment3']) = explode("|", $pAcctId);
        $retAcctAry['valid'] = true;
      } // ** ELSE FAIL
      break;
    case "M":
      // ** Member to Member transfer destination
      // M|999999|{10,20}
      if (substr_count($pAcctId, "|") === 2) {
        list($retAcctAry['type'], $retAcctAry['acctnumber'], $retAcctAry['segment3']) = explode("|", $pAcctId);
        $retAcctAry['valid'] = true;
      } // ** ELSE FAIL

  }

  return $retAcctAry;
}


/**
 *  Function: GetAwsCertFile
 *
 *  This function will call the python script aws_get_certificate.py that will
 *    in turn fetch the "key" from AWS secrets manager to unlock the file
 *    and save in the local container
 *
 *  @param string $pCertSecretId   - the secret id used to identify the cert information
 *                                   in aws secrets manager.
 *  @param string $pEncFileBaseDir - the base directory for the secret id eg (/home/homecu/ssl/).
 *  @param string $pOutBaseDir     - the base directory where the certs will be saved.
 *
 *  @return string                 This will return the path to the cert where it was saved in the container.
 */
function GetAwsCertFile($pCertSecretId, $pEncFileBaseDir, $pOutBaseDir) {

  $retCertFileLocation = '';

  // ** Location of the python script to be executed.
  $getCertPy = "/opt/odyssey/tools/bin/aws_get_certificate.py";

  try {
    // ** VALIDATION **
    // * Validate the Encrypted file exists
    $encFileLocation = $pEncFileBaseDir . $pCertSecretId;
    if (!is_readable($encFileLocation)) {
      throw new Exception("Encrypted file not found.");
    }

    $expectedFileLocation = $pOutBaseDir . $pCertSecretId;
    /* **
     *  Is the file found and readable?
     *  YES, then return
     *
     *  The file being readable assumes that any problems during decryption will result
     *    in the file NOT existing.  If we find that this one check is not enough then
     *    we may need to make system calls to validate the file was correctly decrypted.
     */
    if (is_readable($expectedFileLocation)) {
      return $expectedFileLocation;
    }

    /* ** Build shell command ** */
    // ** Parameters **
    $certPyArgs = " '" . escapeshellarg($encFileLocation) . "' '" . escapeshellarg($pCertSecretId). "'";

    // ** Put it together
    $shellPyCmd = "python3 " . escapeshellcmd($getCertPy) . " " . $certPyArgs;

    $execResults = exec($shellPyCmd);

    // ** We are back -- Verify the expected file was found
    if (is_readable($expectedFileLocation)) {
      /* ** SUCCESS ** */
      $retCertFileLocation = $expectedFileLocation;
    }

  } catch (Exception $ex ) {
    /** ** ERROR ** */
    // * Ensure the returned location is blank.
    $retCertFileLocation = '';
  }

  return $retCertFileLocation;
}
/**
 * Load HB_ENV array (passed by reference) with values from the cuusers / cuadmin records
 * for the Cu / Member given.
 *
 * Intended for use by scripts outside the "normal" HB channel - OFXRequest, MoneyDesk,
 * and friends - to load the environment array in a standard fashion
 *
 * 4/3/18 Moved out of OFXRequest / into this include so it can be shared
 * 4/3/18 Replaces in-line query and processing in RemoteAuth
 * TBD Replace in-line query and processing in MoneyDesk
 * @param resource $dbh database handle
 * @param string $CU HCU cu code / ORG id
 * @param string $MEMBER HCU Cu / USERID value
 * @param string $USERPASS password
 * @param string $CAUTH authenticated member; same as USERID in this context
 * @param numeric $live true/1 for live clients false/0 for batch
 * @param array $HB_ENV existing array to be populated. Passed by reference
 * @param numeric $CFGFLAG # not fully implemented, left for backward compatibility
 */
function Load_HB_ENVc($dbh, $CU, $MEMBER, &$HB_ENV, $CFGFLAG = 0) {
    // ** First thing is First Check the username
    $username = trim($MEMBER);
    $live = $HB_ENV['live'];

    # on first (method MFA) login, MEMBER will have username
    # after that, (method SSO) MEMBER will have USERID
//   if ($HB_ENV['AuthMode'] == 'MFQ') {
    # AuthMode=MFQ Multi-factor w/questions
    $qby = "cuuser.user_name ilike '" . prep_save($MEMBER) . "' ";
//    } else {
//        # AuthMode=SSO w/Userkey
//        $qby = "cuuser.user_id = $MEMBER ";
//    }
    // ** QUERY THE USER INFORMATION
    $sqluser = "SELECT cuuser.user_id as user_id, trim(cuuser.user_name) as user_name,
                trim(cuuser.passwd) as password, forcechange, forceremain, failedremain,
                pwchange, trim(email) as email, egenl_flag, trim(confidence) as confidence,
                cuuser.user_id as cuuser_id,
                cuuser.group_id as cuuser_group_id, lastlogin, failedlogin, msg_tx,
                userflags & {$GLOBALS['MEM_FORCE_RESET']}::int4 as mem_force_reset, userflags,
                histdays, gracelimit, trmemomaxlen, mfaquest, primary_account

                  FROM {$CU}user as cuuser
                  JOIN cuadmin on cuadmin.cu = '" . prep_save($CU) . "'
                  WHERE $qby ";

    $mbr_sth = db_query($sqluser, $dbh);
    $HB_ENV['rowfound'] = db_num_rows($mbr_sth);
    if ($HB_ENV['rowfound']) {
        $drow = db_fetch_array($mbr_sth, 0);
        $HB_ENV['Cu'] = $CU;
        $HB_ENV['cu'] = $CU;
        $HB_ENV['chome'] = strtolower($CU);
        $HB_ENV['Cauth'] = trim($drow['user_id']);
        $HB_ENV['Uid'] = $drow['user_id'];
        $HB_ENV['Cn'] = $drow['user_name'];
        $HB_ENV['username'] = $drow['user_name'];
        $HB_ENV['user_name'] = $drow['user_name'];
        $HB_ENV['confidence'] = $drow['confidence'];
//    $HB_ENV['Ml'] = urlencode($drow['email']);
        $HB_ENV['Ml'] = $drow['email'];
        $HB_ENV['savemail'] = $drow['email'];
        $HB_ENV['egenl_flag'] = urlencode($drow['egenl_flag']);
        $HB_ENV['password'] = $drow['password'];
        $HB_ENV['userflags'] = $drow['userflags'];
        $HB_ENV['failedremain'] = $drow['failedremain'];
        $HB_ENV['Ffchg'] = $drow['forcechange'];
        $HB_ENV['Ffremain'] = $drow['forceremain'];
        $HB_ENV['dbforceremain'] = $drow['forceremain'];
        $HB_ENV['Ffreset'] = (is_null($drow['mem_force_reset']) ? 0 : $drow['mem_force_reset']);
//    $HB_ENV['Fmsg_tx'] = ($drow['msg_tx'] | $CFGFLAG); # this would add any CFGFLAG passed to msg_tx only
        $HB_ENV['Fmsg_tx'] = (is_null($drow['msg_tx']) ? 0 : $drow['msg_tx']);
        $HB_ENV['cfgflag'] = $CFGFLAG; # set cfgflag if CFGFLAG if passed
        $HB_ENV['Fverifyml'] = ($drow['msg_tx'] & 512);
        # mammoth data calls use Clw; odyssey switched to livewait so define both
        $HB_ENV['Clw'] = ((is_null($HB_ENV['livewait']) || $HB_ENV['livewait'] == 0) ? 300 : $HB_ENV['livewait']);
        $HB_ENV['lastupdate'] = (empty($drow['lastupdate']) ? "Unknown" : urlencode(trim($drow['lastupdate'])));
        $HB_ENV['pwchange'] = (is_null($drow['pwchange']) ? date('Ymd') : $drow['pwchange']);
//    $HB_ENV['employee'] = $drow['employee'];
        $HB_ENV['HCUPOST'] = array(); # set empty parameter array
        if ($HB_ENV['flagset2'] & $GLOBALS['CU2_ALIAS_REQ']) {
            $alias = 'REQUIRE';
        } else {
            $alias = 'ALLOW';
        }
//    } elseif ($HB_ENV['flagset2'] & $GLOBALS['CU2_ALIAS_OK']) {
//        $alias = 'ALLOW';
//    } else {
//        $alias = 'NONE';
//    }
        $HB_ENV['alias'] = $alias; # this shouldn't be needed - oh but it is
        # alias is always allowed
        # required means must start with non-digit
        $HB_ENV['Fset'] = $HB_ENV['flagset'];
        $HB_ENV['Fset2'] = $HB_ENV['flagset2'];
        $HB_ENV['Fset3'] = $HB_ENV['flagset3'];

        // * Create the MFA Quest Array (or set empty if Legacy, which shouldn't happen in Odyssey...)
        $HB_ENV['MFA'] = ($HB_ENV['cver'] == 'L' ? array() : HCU_MFADecode(HCU_JsonDecode($drow['mfaquest'])));
        $HB_ENV['mfaquest'] = $drow['mfaquest'];
        $HB_ENV['savecqid'] = $HB_ENV['MFA']['challenge'];
        $HB_ENV['chcount'] = $HB_ENV['MFA']['mfacount'];

        $FORCEUPDATE = 0;
        if ($HB_ENV['Ffchg'] == 'Y') {
            $FORCEUPDATE += 1; #password
        }
        if ($HB_ENV['Fverifyml'] == 512 || $HB_ENV['Ml'] == '') {
            $FORCEUPDATE += 2; # email
        }

        if (intval($HB_ENV['flagset3'] & $GLOBALS['CU3_MFA_AUTHCODE']) == 0 &&
            ( $HB_ENV['Ffreset'] == 2 || $HB_ENV['chcount'] < $HB_ENV['cu_chgqst_count'] )) {
            $FORCEUPDATE += 4; #challenge questions
        }

        if (($HB_ENV['flagset2'] & $GLOBALS['CU2_ALIAS_REQ']) && !Check_Member_UseAlias($HB_ENV['user_name'])) {
            $FORCEUPDATE += 8;
        }

        if (intval($HB_ENV['flagset3'] & $GLOBALS['CU3_MFA_AUTHCODE']) > 0 && $HB_ENV['Ffreset'] == 2) {
            $FORCEUPDATE += 16; #phone numbers
        }

        $HB_ENV['forceupdate'] = $FORCEUPDATE;
        $HB_ENV['allowupdate'] = 11; # password, email, and user_name update always allowed
        $HB_ENV['allowupdate'] += (intval($HB_ENV['flagset3'] & $GLOBALS['CU3_MFA_AUTHCODE']) == 0 ? 4 : 0); # can't update Challenge Questions if SAC in use
        $HB_ENV['allowupdate'] += (intval($HB_ENV['flagset3'] & $GLOBALS['CU3_MFA_AUTHCODE']) == 0 ? 0 : 16); # can only update contact phone if SAC in use
#
        $HB_ENV['requpdate'] = 0; # assume at first this is not a 'getsettings' request

        if ($HB_ENV['failedremain'] <= 0 ||
            ( ($HB_ENV['forceupdate'] & 29) > 0 && $HB_ENV['Ffremain'] <= 0 )
        ) {

            $HB_ENV['lockedacct'] = 1;
        } else {
            $HB_ENV['lockedacct'] = 0;
        }

# eventually this will come from a new column in cuadmin
# but for now....
        $HB_ENV['AppTimeout'] = intval($HB_ENV['SYSENV']['ticket']['expires'] * .8);
        $lastlogin = (trim(HCU_array_key_value('lastlogin', $drow)) == '' ? 'None' : $drow['lastlogin']);

        $HB_ENV['Fplog'] = ($lastlogin == 'None' ? '' : (strftime("%D %R", mktime(
                        substr($lastlogin, 11, 2), substr($lastlogin, 14, 2), substr($lastlogin, 17, 2), substr($lastlogin, 5, 2), substr($lastlogin, 8, 2), substr($lastlogin, 0, 4)))));
        $failedlogin = (trim(HCU_array_key_value('failedlogin', $drow)) == '' ? 'None' : $drow['failedlogin']);
        $HB_ENV['Fflog'] = ($failedlogin == 'None' ? '' : (strftime("%D %R", mktime(
                        substr($failedlogin, 11, 2), substr($failedlogin, 14, 2), substr($failedlogin, 17, 2), substr($failedlogin, 5, 2), substr($failedlogin, 8, 2), substr($failedlogin, 0, 4)))));
    }
}

/**
 * Is the current platform on an iPhone or Android app?
 *
 * This is determined with the 'platform' key of the HB_ENV
 *   structure.
 *
 * @param $pHbEnv Common Array Structure
 *
 * @return boolean
 *
 */
function hcuIsAppPhone($pHbEnv) {

  $platForm = HCU_array_key_value("platform", $pHbEnv);

  $appList = array("APP", "ADA");

  if (in_array($platForm, $appList)) {
    return true;
  }

  return false;
}