require 'warden'
require 'gds-sso/user'

def logger
  if Rails.logger # if we are actually running in a rails app
    Rails.logger
  else
    env['rack.logger']
  end
end

Warden::Manager.after_authentication do |user, auth, opts|
  # We've successfully signed in.
  # If they were remotely signed out, clear the flag as they're no longer suspended
  user.clear_remotely_signed_out!
end

Warden::Manager.serialize_into_session do |user|
  if user.respond_to?(:uid) and user.uid
    [user.uid, Time.now.utc]
  else
    nil
  end
end

Warden::Manager.serialize_from_session do |tuple|
  # This will reject old sessions that don't have an auth_set time
  uid, auth_set = tuple
  if auth_set and (auth_set + GDS::SSO::Config.auth_valid_for) > Time.now.utc
    GDS::SSO::Config.user_klass.where(:uid => uid).first
  else
    nil
  end
end

Warden::Strategies.add(:gds_sso) do
  def valid?
    ! ::GDS::SSO::ApiAccess.api_call?(env)
  end

  def authenticate!
    logger.debug("Authenticating with gds_sso strategy")

    if request.env['omniauth.auth'].nil?
      fail!("No credentials, bub")
    else
      user = prep_user(request.env['omniauth.auth'])
      success!(user)
    end
  end

  private

  def prep_user(auth_hash)
    user = GDS::SSO::Config.user_klass.find_for_gds_oauth(auth_hash)
    fail!("Couldn't process credentials") unless user
    user
  end
end

Warden::Strategies.add(:gds_bearer_token) do
  def valid?
    ::GDS::SSO::ApiAccess.api_call?(env) &&
      ::GDS::SSO::ApiAccess.oauth_api_call?(env)
  end

  def authenticate!
    logger.debug("Authenticating with gds_bearer_token strategy")

    begin
      access_token = OAuth2::AccessToken.new(oauth_client, token_from_authorization_header)
      response_body = access_token.get('/user.json').body
      user_details = omniauth_style_response(response_body)
      user = prep_user(user_details)
      success!(user)
    rescue OAuth2::Error
      custom!(unauthorized)
    end
  end

  def oauth_client
    @oauth_client ||= OAuth2::Client.new(
      GDS::SSO::Config.oauth_id,
      GDS::SSO::Config.oauth_secret,
      :site => GDS::SSO::Config.oauth_root_url
    )
  end

  def token_from_authorization_header
    env['HTTP_AUTHORIZATION'].gsub(/Bearer /, '')
  end

  # Our User code assumes we're getting our user data back
  # via omniauth and so receiving it in omniauth's preferred
  # structure. Here we're addressing signonotron directly so
  # we need to transform the response ourselves.
  #
  # There may be a way to simplify matters by having this
  # strategy work via omniauth too but I've not worked out how
  # to wire that up yet.
  def omniauth_style_response(response_body)
    input = MultiJson.decode(response_body)['user']

    {
      'uid' => input['uid'],
      'info' => {
        'email' => input['email'],
        'name' => input['name']
      },
      'extra' => {
        'user' => {
          'permissions' => input['permissions'],
          'organisation_slug' => input['organisation_slug'],
        }
      }
    }
  end

  def prep_user(auth_hash)
    user = GDS::SSO::Config.user_klass.find_for_gds_oauth(auth_hash)
    custom!(unauthorized) unless user
    user
  end

  def unauthorized
    [
      401,
      {
        'Content-Type' => 'text/plain',
        'Content-Length' => '0',
        'WWW-Authenticate' => %(Bearer error="invalid_token")
      },
      []
    ]
  end
end

Warden::Strategies.add(:mock_gds_sso) do
  def valid?
    ! ::GDS::SSO::ApiAccess.api_call?(env)
  end

  def authenticate!
    logger.warn("Authenticating with mock_gds_sso strategy")

    test_user = GDS::SSO.test_user
    test_user ||= ENV['GDS_SSO_MOCK_INVALID'].present? ? nil : GDS::SSO::Config.user_klass.first
    if test_user
      # Brute force ensure test user has correct perms to signin
      if ! test_user.has_permission?("signin")
        permissions = test_user.permissions || []
        test_user.update_attribute(:permissions, permissions << "signin")
      end
      success!(test_user)
    else
      if Rails.env.test? && ENV['GDS_SSO_MOCK_INVALID'].present?
        fail!(:invalid)
      else
        raise "GDS-SSO running in mock mode and no test user found. Normally we'd load the first user in the database. Create a user in the database."
      end
    end
  end
end

Warden::Strategies.add(:mock_gds_sso_api_access) do
  def valid?
    ::GDS::SSO::ApiAccess.api_call?(env)
  end

  def authenticate!
    logger.debug("Authenticating with mock_gds_sso_api_access strategy")
    dummy_api_user = GDS::SSO.test_user || GDS::SSO::Config.user_klass.find_by_email("dummyapiuser@domain.com")
    if dummy_api_user.nil?
      dummy_api_user = GDS::SSO::Config.user_klass.create!(
          uid: "#{rand(10000)}",
          name: "Dummy API user created by gds-sso",
          permissions: ["signin"],
          as: :oauth)
    end
    success!(dummy_api_user)
  end
end