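# frozen_string_literal: true

module SuperIdentity
  # Mixin which implements an AAF Identity Enhancement client.
  #
  # The including class must provide +ide_config+, a Hash read here with the
  # keys :host (API hostname), :cert and :key (paths passed to File.read for
  # the client certificate and its RSA private key).
  module Client
    # Lists the entitlement values recorded for a subject.
    #
    # @param shared_token [String] identifier of the subject to look up
    # @return [Array] the :value of every attribute whose :name is
    #   'eduPersonEntitlement'
    def entitlements(shared_token)
      attrs = identity_enhancements(shared_token)
      attrs.select { |a| a[:name] == 'eduPersonEntitlement' }
           .map { |a| a[:value] }
    end

    # Fetches all enhanced attributes for a subject.
    #
    # @param shared_token [String] identifier of the subject to look up
    # @return [Array<Hash>] the :attributes member of the API response
    #   (empty when the API answers 404 for the subject)
    def identity_enhancements(shared_token)
      ide_data(shared_token)[:attributes]
    end

    private

    # Performs the GET request and parses the JSON body with symbol keys.
    #
    # A 404 is treated as "no enhancements" and yields an empty attribute
    # list. Any other 4xx is re-raised, and error classes not rescued here
    # propagate to the caller, so an API failure is never reported as an
    # empty entitlement set.
    def ide_data(shared_token)
      uri = ide_uri(shared_token)
      req = Net::HTTP::Get.new(uri)

      with_ide_client(uri) do |http|
        response = http.request(req)
        response.value # Raise exception on HTTP error
        JSON.parse(response.body, symbolize_names: true)
      end
    rescue Net::HTTPServerException => e
      # Net::HTTPServerException is the historical name of the 4xx error class
      # (Net::HTTPClientException since Ruby 2.6); kept for compatibility.
      raise unless e.data.is_a?(Net::HTTPNotFound)

      { attributes: [] }
    end

    # Builds the attributes URI for a subject.
    #
    # The token is percent-encoded before it is placed in the path: this
    # request is authenticated with the service's client certificate, so a
    # token containing "/", "?" or "#" must not be able to redirect it to a
    # different API path or add a query string. Tokens made only of
    # alphanumerics, "-", "_", "." and "*" are unchanged by the encoding.
    #
    # NOTE(review): a token consisting solely of dots ("." / "..") still passes
    # through unchanged; reject such values upstream if tokens are not already
    # validated before reaching this client.
    def ide_uri(shared_token)
      host = ide_config[:host]
      subject = URI.encode_www_form_component(shared_token)
      URI.parse("https://#{host}/api/subjects/#{subject}/attributes")
    end

    # Opens a TLS connection that verifies the server certificate and presents
    # the configured client certificate and key, then yields the started
    # session. No explicit timeouts are set, so Net::HTTP defaults apply.
    def with_ide_client(uri)
      client = Net::HTTP.new(uri.host, uri.port)
      client.use_ssl = true
      client.verify_mode = OpenSSL::SSL::VERIFY_PEER
      client.cert = ide_cert
      client.key = ide_key
      client.start { |http| yield http }
    end

    # Loads the client certificate from the path in ide_config[:cert].
    def ide_cert
      OpenSSL::X509::Certificate.new(File.read(ide_config[:cert]))
    end

    # Loads the RSA private key from the path in ide_config[:key].
    def ide_key
      OpenSSL::PKey::RSA.new(File.read(ide_config[:key]))
    end
  end
end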