package handlers

import (
	"context"
	"net/http"

	"github.com/go-openapi/runtime/client"
	"github.com/lestrrat-go/jwx/jwk"
	"github.com/lestrrat-go/jwx/jwt"
	"github.com/sirupsen/logrus"
	"golang.org/x/oauth2"

	"git.cacert.org/oidc_login/app/services"
)

const (
	sessionKeyAccessToken = iota
	sessionKeyRefreshToken
	sessionKeyIdToken
	sessionKeyUserId
	sessionKeyRoles
	sessionKeyEmail
	sessionKeyUsername
	sessionRedirectTarget
)

type oidcCallbackHandler struct {
	keySet       *jwk.Set
	oauth2Config *oauth2.Config
}

func (c *oidcCallbackHandler) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
	if request.Method != http.MethodGet {
		http.Error(writer, http.StatusText(http.StatusMethodNotAllowed), http.StatusMethodNotAllowed)
		return
	}
	if request.URL.Path != "/callback" {
		http.NotFound(writer, request)
		return
	}

	code := request.URL.Query().Get("code")

	ctx := context.Background()
	httpClient, err := client.TLSClient(client.TLSClientOptions{InsecureSkipVerify: true})
	ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)

	tok, err := c.oauth2Config.Exchange(ctx, code)
	if err != nil {
		logrus.Error(err)
		http.Error(writer, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}

	session, err := services.GetSessionStore().Get(request, "resource_session")
	if err != nil {
		http.Error(writer, err.Error(), http.StatusInternalServerError)
		return
	}

	session.Values[sessionKeyAccessToken] = tok.AccessToken
	session.Values[sessionKeyRefreshToken] = tok.RefreshToken
	session.Values[sessionKeyIdToken] = tok.Extra("id_token").(string)

	idToken := tok.Extra("id_token")
	if parsedIdToken, err := jwt.ParseString(idToken.(string), jwt.WithKeySet(c.keySet), jwt.WithOpenIDClaims()); err != nil {
		logrus.Error(err)
		http.Error(writer, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	} else {
		logrus.Infof(`
ID Token
========

Subject:          %s
Audience:         %s
Issued at:        %s
Issued by:        %s
Not valid before: %s
Not valid after:  %s

`,
			parsedIdToken.Subject(),
			parsedIdToken.Audience(),
			parsedIdToken.IssuedAt(),
			parsedIdToken.Issuer(),
			parsedIdToken.NotBefore(),
			parsedIdToken.Expiration(),
		)

		session.Values[sessionKeyUserId] = parsedIdToken.Subject()

		if roles, ok := parsedIdToken.Get("Groups"); ok {
			session.Values[sessionKeyRoles] = roles
		}
		if username, ok := parsedIdToken.Get("Username"); ok {
			session.Values[sessionKeyUsername] = username
		}
		if email, ok := parsedIdToken.Get("Email"); ok {
			session.Values[sessionKeyEmail] = email
		}
	}
	if err = session.Save(request, writer); err != nil {
		http.Error(writer, err.Error(), http.StatusInternalServerError)
	}
	if redirectTarget, ok := session.Values[sessionRedirectTarget]; ok {
		writer.Header().Set("Location", redirectTarget.(string))
	} else {
		writer.Header().Set("Location", "/")
	}

	writer.WriteHeader(http.StatusFound)
}

func NewCallbackHandler(keySet *jwk.Set, oauth2Config *oauth2.Config) *oidcCallbackHandler {
	return &oidcCallbackHandler{keySet: keySet, oauth2Config: oauth2Config}
}