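module Maestrano
  module SSO
    # Cached view of a Maestrano single sign-on session.
    #
    # The cache lives in the application's HTTP session under the :maestrano
    # key as Base64-encoded JSON (uid, session token, next recheck time and
    # group uid). It is encoded, not encrypted: the values read back from it
    # are trusted only as far as the host application's session store is
    # tamper-resistant, because `recheck` alone decides whether the remote
    # validity check is skipped (see #remote_check_required?).
    class Session
      include Preset

      attr_accessor :session, :uid, :session_token, :recheck, :group_uid

      # Build a Session from the hash generated by
      # Maestrano::SSO::BaseUser#to_hash.
      #
      # session - the application's HTTP session object
      # auth    - auth hash; may use symbol or string keys at every level
      #
      # Returns a new Session; uid/session_token/group_uid/recheck are nil
      # when auth carries no extra.session entry.
      def self.from_user_auth_hash(session, auth)
        # Auth hashes may be symbol- or string-keyed depending on where they
        # were deserialized; symbol keys take precedence, as before.
        read = ->(hash, name) { hash[name.to_sym] || hash[name.to_s] }

        instance = new({})
        instance.session = session

        extra = read.call(auth, :extra)
        sso_session = extra && read.call(extra, :session)
        if sso_session
          instance.uid = read.call(sso_session, :uid)
          instance.session_token = read.call(sso_session, :token)
          instance.group_uid = read.call(sso_session, :group_uid)
          recheck = read.call(sso_session, :recheck)
          instance.recheck = recheck if recheck
        end
        instance
      end

      # Restore the cached SSO attributes from the HTTP session, if any.
      #
      # session - the application's HTTP session object (may be nil)
      #
      # Decoding is best-effort: an absent, truncated or otherwise
      # undecodable payload leaves the attributes nil, which makes
      # #remote_check_required? answer true on the next #valid? call.
      def initialize(session)
        self.session = session
        return unless session

        payload = cached_payload
        return unless payload

        begin
          decoded = JSON.parse(Base64.decode64(payload))
          self.uid = decoded['uid']
          self.session_token = decoded['session']
          self.recheck = Time.iso8601(decoded['session_recheck'])
          self.group_uid = decoded['group_uid']
        rescue StandardError
          # Deliberately swallowed: a bad cache is equivalent to no cache.
          # StandardError (not Exception) so signals and exits still propagate.
        end
      end

      # Whether the cached session must be re-validated against Maestrano.
      #
      # Returns true when any of uid, session_token or recheck is missing,
      # or when the recheck time has already passed.
      def remote_check_required?
        return true unless uid && session_token && recheck

        recheck <= Time.now
      end

      # Check the remote Maestrano session and update the recheck attribute
      # if the session is still valid.
      #
      # Returns true if the session is still valid and false otherwise.
      # Any transport or parse failure is treated as "not valid" rather than
      # raised; a malformed 'recheck' value in a valid response still raises
      # ArgumentError from Time.iso8601, as before.
      def perform_remote_check
        url = Maestrano::SSO[self.class.preset].session_check_url(uid, session_token)

        begin
          response = JSON.parse(RestClient.get(url))
        rescue StandardError
          # Network, HTTP and JSON errors all mean we cannot confirm validity.
          # Was `rescue Exception`, which also caught Interrupt/SystemExit.
          response = {}
        end
        # A non-object JSON body (array, string, number) must not raise on
        # the key lookups below; treat it like an empty response.
        response = {} unless response.is_a?(Hash)

        return false unless response['valid'] && response['recheck']

        self.recheck = Time.iso8601(response['recheck'])
        true
      end

      # Check whether this mno session is valid or not.
      #
      # Returns true if SLO is disabled (via the sso.slo_enabled config
      # param).
      # Returns false if no session is defined.
      #
      # opts:
      #   if_session: if true then the session will be considered valid if
      #     the http session is nil or does not have a maestrano key. Useful
      #     when the validity of a session should be restricted to maestrano
      #     users only within an application.
      #
      # A successful remote check persists the refreshed recheck time back
      # into the HTTP session via #save.
      def valid?(opts = {})
        return true unless Maestrano[self.class.preset].param('sso.slo_enabled')
        return true if opts[:if_session] && !cached_payload
        return false unless session
        return true unless remote_check_required?
        return false unless perform_remote_check

        save
        true
      end

      # Write the current attributes back into the HTTP session under the
      # :maestrano key as Base64-encoded JSON.
      #
      # Requires recheck to be set (a Time); it is, after a successful
      # #perform_remote_check or a populated auth hash.
      def save
        session[:maestrano] = Base64.encode64({
          uid: uid,
          session: session_token,
          session_recheck: recheck.utc.iso8601,
          group_uid: group_uid
        }.to_json)
      end

      private

      # The raw cached payload from the HTTP session, under either a symbol
      # or a string key; nil when there is no session or no cache entry.
      def cached_payload
        session && (session[:maestrano] || session['maestrano'])
      end
    end
  end
end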