//! Editor bearer token authentication
//!
//! Code for dealing with API bearer tokens (macaroons), which encode the editor identifier as well
//! as additional constraints (eg, to a particular endpoint or time span). Includes helpers for
//! role-based authentication (RBAC).

use data_encoding::BASE64;
use macaroon::{Format, Macaroon, Verifier};
use std::fmt;
use swagger::auth::{AuthData, Authorization, Scopes};

use crate::database_models::*;
use crate::database_schema::*;
use crate::editing_crud::{EditgroupCrud, EditorCrud};
use crate::errors::*;
use crate::identifiers::*;
use crate::server::*;
use chrono::prelude::*;
use diesel;
use diesel::prelude::*;
use fatcat_openapi::models::{Editgroup, Editor};
use std::collections::HashMap;
use std::env;
use std::str::FromStr;

// 32 bytes max (!)
static DUMMY_KEY: &[u8] = b"dummy-key-a-one-two-three-a-la";

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum FatcatRole {
    Public,
    Editor,
    Bot,
    Human,
    Admin,
    Superuser,
}

#[derive(Clone)]
pub struct AuthContext {
    pub editor_id: FatcatId,
    editor_row: EditorRow,
}

impl AuthContext {
    pub fn has_role(&self, role: FatcatRole) -> bool {
        if !self.editor_row.is_active {
            // if account is disabled, only allow public role
            return role == FatcatRole::Public;
        }
        if self.editor_row.is_superuser {
            return true;
        }
        match role {
            FatcatRole::Public => true,
            FatcatRole::Editor => true,
            FatcatRole::Bot => self.editor_row.is_bot,
            FatcatRole::Human => !self.editor_row.is_bot,
            FatcatRole::Admin => self.editor_row.is_admin,
            FatcatRole::Superuser => self.editor_row.is_superuser,
        }
    }

    pub fn require_role(&self, role: FatcatRole) -> Result<()> {
        match self.has_role(role) {
            true => Ok(()),
            false => Err(FatcatError::InsufficientPrivileges(format!(
                "doesn't have required role: {:?}",
                role
            )))?,
        }
    }

    pub fn require_editgroup(&self, conn: &DbConn, editgroup_id: FatcatId) -> Result<()> {
        if self.has_role(FatcatRole::Admin) {
            return Ok(());
        }
        let editgroup: EditgroupRow = Editgroup::db_get(conn, editgroup_id)?;
        match editgroup.editor_id == self.editor_id.to_uuid() {
            true => Ok(()),
            false => Err(FatcatError::InsufficientPrivileges(format!(
                "editor does not own this editgroup ({})",
                editgroup_id
            )))?,
        }
    }
}

#[derive(Debug)]
pub struct AuthError {
    msg: String,
}

impl fmt::Display for AuthError {
    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
        write!(f, "AuthError: {}", &self.msg)
    }
}

impl iron::Error for AuthError {
    fn description(&self) -> &str {
        &self.msg
    }
    fn cause(&self) -> Option<&dyn iron::Error> {
        None
    }
}

fn new_auth_ironerror(m: &str) -> iron::error::IronError {
    iron::error::IronError::new(
        AuthError { msg: m.to_string() },
        (iron::status::BadRequest, m.to_string()),
    )
}

#[derive(Debug, Default)]
pub struct OpenAuthMiddleware;

impl OpenAuthMiddleware {
    /// Create a middleware that authorizes with the configured subject.
    pub fn new() -> OpenAuthMiddleware {
        OpenAuthMiddleware
    }
}

impl iron::middleware::BeforeMiddleware for OpenAuthMiddleware {
    fn before(&self, req: &mut iron::Request) -> iron::IronResult<()> {
        req.extensions.insert::<Authorization>(Authorization {
            subject: "undefined".to_string(),
            scopes: Scopes::All,
            issuer: None,
        });
        Ok(())
    }
}

#[derive(Debug, Default)]
pub struct MacaroonAuthMiddleware;

impl MacaroonAuthMiddleware {
    pub fn new() -> MacaroonAuthMiddleware {
        MacaroonAuthMiddleware
    }
}
impl iron::middleware::BeforeMiddleware for MacaroonAuthMiddleware {
    fn before(&self, req: &mut iron::Request) -> iron::IronResult<()> {
        // Structure here is sorta funky because we might some day actually want to parse token
        // here in some way
        let token: Option<String> = match req.extensions.get::<AuthData>() {
            Some(AuthData::ApiKey(header)) => {
                let header: Vec<String> =
                    header.split_whitespace().map(|s| s.to_string()).collect();
                if !(header.len() == 2 && header[0] == "Bearer") {
                    return Err(new_auth_ironerror("invalid bearer auth HTTP Header"));
                }
                Some(header[1].to_string())
            }
            None => None,
            _ => {
                return Err(new_auth_ironerror(
                    "auth HTTP Header should be empty or API token",
                ));
            }
        };
        if let Some(_token) = token {
            req.extensions.insert::<Authorization>(Authorization {
                // This is just a dummy; all actual authentication happens later
                subject: "undefined".to_string(),
                scopes: Scopes::All,
                issuer: None,
            });
        };
        Ok(())
    }
}

#[derive(Clone)]
pub struct AuthConfectionary {
    pub location: String,
    pub identifier: String,
    pub key: Vec<u8>,
    pub root_keys: HashMap<String, Vec<u8>>,
}

impl AuthConfectionary {
    pub fn new(
        location: String,
        identifier: String,
        key_base64: &str,
    ) -> Result<AuthConfectionary> {
        macaroon::initialize().unwrap();
        let key = BASE64.decode(key_base64.as_bytes())?;
        let mut root_keys = HashMap::new();
        root_keys.insert(identifier.clone(), key.clone());
        Ok(AuthConfectionary {
            location,
            identifier,
            key,
            root_keys,
        })
    }

    pub fn new_dummy() -> AuthConfectionary {
        AuthConfectionary::new(
            "test.fatcat.wiki".to_string(),
            "dummy".to_string(),
            &BASE64.encode(DUMMY_KEY),
        )
        .unwrap()
    }

    pub fn add_keypair(&mut self, identifier: String, key_base64: &str) -> Result<()> {
        let key = BASE64.decode(key_base64.as_bytes())?;
        self.root_keys.insert(identifier, key);
        Ok(())
    }

    pub fn create_token(
        &self,
        editor_id: FatcatId,
        duration: Option<chrono::Duration>,
    ) -> Result<String> {
        let mut mac = Macaroon::create(&self.location, &self.key, &self.identifier)
            .expect("Macaroon creation");
        mac.add_first_party_caveat(&format!("editor_id = {}", editor_id.to_string()));
        let now_utc = Utc::now();
        let now = now_utc.to_rfc3339_opts(SecondsFormat::Secs, true);
        mac.add_first_party_caveat(&format!("time > {}", now));
        if let Some(duration) = duration {
            let expires = now_utc + duration;
            mac.add_first_party_caveat(&format!(
                "time < {}",
                &expires.to_rfc3339_opts(SecondsFormat::Secs, true)
            ));
        };
        let raw = mac.serialize(Format::V2).expect("macaroon serialization");
        Ok(BASE64.encode(&raw))
    }

    pub fn parse_macaroon_token(
        &self,
        conn: &DbConn,
        s: &str,
        endpoint: Option<&str>,
    ) -> Result<EditorRow> {
        let raw = BASE64.decode(s.as_bytes())?;
        let mac = match Macaroon::deserialize(&raw) {
            Ok(m) => m,
            Err(e) => {
                // TODO: should be "chaining" here
                return Err(FatcatError::InvalidCredentials(format!(
                    "macaroon deserialize error: {:?}",
                    e
                ))
                .into());
            }
        };
        let mac = match mac.validate() {
            Ok(m) => m,
            Err(e) => {
                // TODO: should be "chaining" here
                return Err(FatcatError::InvalidCredentials(format!(
                    "macaroon validate error: {:?}",
                    e
                ))
                .into());
            }
        };
        let mut verifier = Verifier::new();
        let mut editor_id: Option<FatcatId> = None;
        for caveat in mac.first_party_caveats() {
            if caveat.predicate().starts_with("editor_id = ") {
                editor_id = Some(FatcatId::from_str(caveat.predicate().get(12..).unwrap())?);
                break;
            }
        }
        let editor_id = match editor_id {
            Some(id) => id,
            None => {
                return Err(FatcatError::InvalidCredentials(
                    "expected an editor_id caveat".to_string(),
                )
                .into());
            }
        };
        verifier.satisfy_exact(&format!("editor_id = {}", editor_id.to_string()));
        if let Some(endpoint) = endpoint {
            // API endpoint
            verifier.satisfy_exact(&format!("endpoint = {}", endpoint));
        }
        let mut created: Option<DateTime<Utc>> = None;
        for caveat in mac.first_party_caveats() {
            if caveat.predicate().starts_with("time > ") {
                let ts: chrono::ParseResult<DateTime<Utc>> =
                    DateTime::parse_from_rfc3339(caveat.predicate().get(7..).unwrap())
                        .map(|x| x.with_timezone(&Utc));
                if let Ok(ts) = ts {
                    created = Some(ts);
                    break;
                } else {
                    info!(
                        "couldn't parse macaroon time constraint: {}",
                        caveat.predicate()
                    );
                }
            }
        }
        let created = match created {
            Some(c) => c,
            None => {
                return Err(FatcatError::InvalidCredentials(
                    "expected a 'created' (time >) caveat".to_string(),
                )
                .into());
            }
        };
        verifier.satisfy_exact(&format!(
            "time > {}",
            created.to_rfc3339_opts(SecondsFormat::Secs, true)
        ));
        // not finding the editor_id is an auth issue, not a 404
        let editor: EditorRow =
            match Editor::db_get(conn, editor_id).map_err(|e| FatcatError::from(e)) {
                Ok(ed) => ed,
                Err(FatcatError::NotFound(_, _)) => {
                    return Err(FatcatError::InvalidCredentials(format!(
                        "editor_id not found: {}",
                        editor_id
                    ))
                    .into());
                }
                other_db_err => other_db_err?,
            };
        let auth_epoch = DateTime::<Utc>::from_utc(editor.auth_epoch, Utc);
        // allow a second of wiggle room for precision and, eg, tests
        if created < (auth_epoch - chrono::Duration::seconds(1)) {
            return Err(FatcatError::InvalidCredentials(
                "token created before current auth_epoch (was probably revoked by editor)"
                    .to_string(),
            )
            .into());
        }
        verifier.satisfy_general(|p: &str| -> bool {
            // not expired (based on time)
            if p.starts_with("time < ") {
                let expires: chrono::ParseResult<DateTime<Utc>> =
                    DateTime::parse_from_rfc3339(p.get(7..).unwrap())
                        .map(|x| x.with_timezone(&Utc));
                if let Ok(when) = expires {
                    //info!("checking time constraint: {} < {}", Utc::now(), when);
                    Utc::now() < when
                } else {
                    info!("couldn't parse macaroon time constraint: {}", p);
                    false
                }
            } else {
                false
            }
        });
        let verify_key = match self.root_keys.get(mac.identifier()) {
            Some(key) => key,
            None => {
                return Err(FatcatError::InvalidCredentials(format!(
                    "no valid auth signing key for identifier: {}",
                    mac.identifier()
                ))
                .into());
            }
        };
        match mac.verify(verify_key, &mut verifier) {
            Ok(true) => (),
            Ok(false) => {
                return Err(FatcatError::InvalidCredentials(
                    "auth token (macaroon) not valid (signature and/or caveats failed)".to_string(),
                )
                .into());
            }
            Err(e) => {
                // TODO: chain
                return Err(FatcatError::InvalidCredentials(format!(
                    "token parsing failed: {:?}",
                    e
                ))
                .into());
            }
        }
        Ok(editor)
    }

    pub fn parse_swagger(
        &self,
        conn: &DbConn,
        auth_data: &Option<AuthData>,
        endpoint: Option<&str>,
    ) -> Result<Option<AuthContext>> {
        let token: Option<String> = match auth_data {
            Some(AuthData::ApiKey(header)) => {
                let header: Vec<String> =
                    header.split_whitespace().map(|s| s.to_string()).collect();
                if !(header.len() == 2 && header[0] == "Bearer") {
                    return Err(FatcatError::InvalidCredentials(
                        "invalid Bearer Auth HTTP header".to_string(),
                    )
                    .into());
                }
                Some(header[1].clone())
            }
            None => None,
            _ => {
                return Err(FatcatError::InvalidCredentials(
                    "Authentication HTTP Header should either be empty or a Beaerer API key"
                        .to_string(),
                )
                .into());
            }
        };
        let token = match token {
            Some(t) => t,
            None => return Ok(None),
        };
        let editor_row = self.parse_macaroon_token(conn, &token, endpoint)?;
        Ok(Some(AuthContext {
            editor_id: FatcatId::from_uuid(&editor_row.id),
            editor_row,
        }))
    }

    pub fn require_auth(
        &self,
        conn: &DbConn,
        auth_data: &Option<AuthData>,
        endpoint: Option<&str>,
    ) -> Result<AuthContext> {
        match self.parse_swagger(conn, auth_data, endpoint)? {
            Some(auth) => Ok(auth),
            None => Err(FatcatError::InvalidCredentials("no token supplied".to_string()).into()),
        }
    }

    // TODO: refactor out of this file?
    /// Only used from CLI tool
    pub fn inspect_token(&self, conn: &DbConn, token: &str) -> Result<()> {
        let raw = BASE64.decode(token.as_bytes())?;
        let mac = match Macaroon::deserialize(&raw) {
            Ok(m) => m,
            Err(e) => bail!("macaroon deserialize error: {:?}", e),
        };
        let now = Utc::now().to_rfc3339_opts(SecondsFormat::Secs, true);
        println!("current time: {}", now);
        println!("domain (location): {:?}", mac.location());
        println!("signing key name (identifier): {}", mac.identifier());
        for caveat in mac.first_party_caveats() {
            println!("caveat: {}", caveat.predicate());
        }
        println!("verify: {:?}", self.parse_macaroon_token(conn, token, None));
        Ok(())
    }
}

pub fn create_key() -> String {
    let mut key: Vec<u8> = vec![0; 32];
    for v in key.iter_mut() {
        *v = rand::random()
    }
    BASE64.encode(&key)
}

pub fn revoke_tokens(conn: &DbConn, editor_id: FatcatId) -> Result<()> {
    diesel::update(editor::table.filter(editor::id.eq(&editor_id.to_uuid())))
        .set(editor::auth_epoch.eq(Utc::now()))
        .execute(conn)?;
    Ok(())
}

pub fn revoke_tokens_everyone(conn: &DbConn) -> Result<()> {
    diesel::update(editor::table)
        .set(editor::auth_epoch.eq(Utc::now()))
        .execute(conn)?;
    Ok(())
}

// TODO: refactor out of this file?
/// Only used from CLI tool
pub fn print_editors(conn: &DbConn) -> Result<()> {
    // iterate over all editors. format id, print flags, auth_epoch
    let all_editors: Vec<EditorRow> = editor::table.load(conn)?;
    println!("editor_id\t\t\tsuper/admin/bot\tauth_epoch\t\t\tusername\twrangler_id");
    for e in all_editors {
        println!(
            "{}\t{}/{}/{}\t{}\t{}\t{:?}",
            FatcatId::from_uuid(&e.id).to_string(),
            e.is_superuser,
            e.is_admin,
            e.is_bot,
            e.auth_epoch,
            e.username,
            e.wrangler_id,
        );
    }
    Ok(())
}

pub fn env_confectionary() -> Result<AuthConfectionary> {
    let auth_location = env::var("AUTH_LOCATION").expect("AUTH_LOCATION must be set");
    let auth_key = env::var("AUTH_SECRET_KEY").expect("AUTH_SECRET_KEY must be set");
    let auth_key_ident = env::var("AUTH_KEY_IDENT").expect("AUTH_KEY_IDENT must be set");
    info!("Loaded primary auth key: {}", auth_key_ident);
    let mut confectionary = AuthConfectionary::new(auth_location, auth_key_ident, &auth_key)?;
    if let Ok(var) = env::var("AUTH_ALT_KEYS") {
        for pair in var.split(',') {
            let pair: Vec<&str> = pair.split(':').collect();
            if pair.len() != 2 {
                println!("{:#?}", pair);
                bail!("couldn't parse keypair from AUTH_ALT_KEYS (expected 'ident:key' pairs separated by commas)");
            }
            info!("Loading alt auth key: {}", pair[0]);
            confectionary.add_keypair(pair[0].to_string(), pair[1])?;
        }
    };
    Ok(confectionary)
}