/*
 *  Copyright 2016 Anyware Services
 *
 *  Licensed under the Apache License, Version 2.0 (the "License");
 *  you may not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */
package org.ametys.site;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Enumeration;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

import org.apache.avalon.framework.configuration.Configuration;
import org.apache.avalon.framework.configuration.DefaultConfigurationBuilder;
import org.apache.avalon.framework.parameters.Parameters;
import org.apache.cocoon.environment.ObjectModelHelper;
import org.apache.cocoon.environment.Redirector;
import org.apache.cocoon.environment.Request;
import org.apache.cocoon.environment.Session;
import org.apache.cocoon.environment.http.HttpCookie;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.NameValuePair;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.message.BasicNameValuePair;

import org.ametys.core.authentication.AuthenticateAction;
import org.ametys.core.authentication.CredentialProvider;
import org.ametys.core.user.UserIdentity;
import org.ametys.plugins.core.user.UserDAO;
import org.ametys.plugins.site.Site;
import org.ametys.runtime.config.Config;
import org.ametys.runtime.workspace.WorkspaceMatcher;

/**
 * The authenticate action for front side 
 */
public class FrontAuthenticateAction extends AuthenticateAction
{
    /** url requires for authentication */
    protected Collection<Pattern> _acceptedSiteUrlPatterns = Arrays.asList(new Pattern[]{Pattern.compile("^plugins/site/authenticate/[0-9]+$")});
    
    @Override
    protected boolean _acceptedUrl(Request request)
    {
        // URL without server context and leading slash.
        String url = (String) request.getAttribute(WorkspaceMatcher.IN_WORKSPACE_URL);
        for (Pattern pattern : _acceptedSiteUrlPatterns)
        {
            if (pattern.matcher(url).matches())
            {
                // Anonymous request
                request.setAttribute(REQUEST_ATTRIBUTE_GRANTED, true);

                return true;
            }
        }
        
        return false;
    }

    @Override
    protected void _setUserIdentityInSession(Request request, UserIdentity userIdentity, CredentialProvider credentialProvider, boolean blockingMode)
    {
        setUserIdentityInSession(request, userIdentity, credentialProvider, blockingMode);
    }
    
    /**
     * Save user identity in request
     * @param request The request
     * @param userIdentity The useridentity to save
     * @param credentialProvider The credential provider used to connect
     * @param blockingMode The mode used for the credential provider
     */
    public static void setUserIdentityInSession(Request request, UserIdentity userIdentity, CredentialProvider credentialProvider, boolean blockingMode)
    {
        Site site = (Site) request.getAttribute("site");
        String siteName = site.getName();
        
        Session session = request.getSession(true);
        _resetConnectingStateToSession(request);
        session.setAttribute(SESSION_USERIDENTITY + "-" + siteName, userIdentity);
        session.setAttribute(SESSION_CREDENTIALPROVIDER + "-" + siteName, credentialProvider);
        session.setAttribute(SESSION_CREDENTIALPROVIDER_MODE + "-" + siteName, blockingMode);
    }
    
    @Override
    protected UserIdentity _getUserIdentityFromSession(Request request)
    {
        UserIdentity userIdentityFromSession = getUserIdentityFromSession(request);
        if (userIdentityFromSession != null)
        {
            return userIdentityFromSession;
        }

        Session session = request.getSession(false);
        if (session != null)
        {
            Set<String> availableUserPopulationsIds = _getAvailableUserPopulationsIds(request, _getContexts(request, null));

            // check if connected in the site application, not only on this site
            userIdentityFromSession = super._getUserIdentityFromSession(request);
            if (userIdentityFromSession != null && availableUserPopulationsIds.contains(userIdentityFromSession.getPopulationId()))
            {
                _setUserIdentityInSession(request, userIdentityFromSession, new UserDAO.ImpersonateCredentialProvider(), true);
                return userIdentityFromSession;
            }
             
            Enumeration<String> attributeNames = session.getAttributeNames();
            while (attributeNames.hasMoreElements())
            {
                String attributeName = attributeNames.nextElement();
                if (attributeName.startsWith(SESSION_USERIDENTITY + "-"))
                {
                    UserIdentity userIdentity = (UserIdentity) session.getAttribute(attributeName);
                    
                    if (availableUserPopulationsIds.contains(userIdentity.getPopulationId()))
                    {
                        _setUserIdentityInSession(request, userIdentity, new UserDAO.ImpersonateCredentialProvider(), true);
                        return userIdentity;
                    }
                }
            }
        }

        return null;
    }
    
    /**
     * Get the user identity of the connected user from the session 
     * @param request The request
     * @return The connected useridentity or null
     */
    public static UserIdentity getUserIdentityFromSession(Request request)
    {
        Site site = (Site) request.getAttribute("site");
        String siteName = site.getName();
        
        return getUserIdentityFromSession(request, siteName);
    }
    
    /**
     * Get the user identity of the connected user from the session 
     * @param request The request
     * @param siteName The current site name
     * @return The connected useridentity or null
     */
    public static UserIdentity getUserIdentityFromSession(Request request, String siteName)
    {
        Session session = request.getSession(false);
        if (session != null)
        {
            return (UserIdentity) session.getAttribute(SESSION_USERIDENTITY + "-" + siteName);
        }
        return null;
    }
    
    @Override
    protected CredentialProvider _getCredentialProviderFromSession(Request request)
    {
        return getCredentialProviderFromSession(request);
    }
    
    /**
     * Get the credential provider used for the current connection
     * @param request The request 
     * @return The credential provider used or null
     */
    public static CredentialProvider getCredentialProviderFromSession(Request request)
    {
        Site site = (Site) request.getAttribute("site");
        
        if (site == null)
        {
            return null;
        }
        
        String siteName = site.getName();
        
        return getCredentialProviderFromSession(request, siteName);
    }
    
    /**
     * Get the credential provider used for the current connection
     * @param request The request 
     * @param siteName The current site name
     * @return The credential provider used or null
     */
    public static CredentialProvider getCredentialProviderFromSession(Request request, String siteName)
    {
        Session session = request.getSession(false);
        if (session != null)
        {
            return (CredentialProvider) session.getAttribute(SESSION_CREDENTIALPROVIDER + "-" + siteName);
        }
        return null;
    }
    
    @Override
    protected Boolean _getCredentialProviderModeFromSession(Request request)
    {
        return getCredentialProviderModeFromSession(request);
    }
    
    /**
     * Get the credential provider mode used for the current connection
     * @param request The request 
     * @return The credential provider mode used or null
     */
    public static Boolean getCredentialProviderModeFromSession(Request request)
    {
        Site site = (Site) request.getAttribute("site");
        String siteName = site.getName();
        
        return getCredentialProviderModeFromSession(request, siteName);
    }
    
    /**
     * Get the credential provider mode used for the current connection
     * @param request The request 
     * @param siteName The current site name
     * @return The credential provider mode used or null
     */
    public static Boolean getCredentialProviderModeFromSession(Request request, String siteName)
    {
        Session session = request.getSession(false);
        if (session != null)
        {
            return (Boolean) session.getAttribute(SESSION_CREDENTIALPROVIDER_MODE + "-" + siteName);
        }
        return null;
    }
    
    @Override
    protected List<String> _getContexts(Request request, Parameters parameters)
    {
        Site site = (Site) request.getAttribute("site");
        String siteName = site.getName();
        return Arrays.asList("/sites/" + siteName, "/sites-fo/" + siteName);
    }

    @Override
    protected String getLoginURL(Request request)
    {
        Site site = (Site) request.getAttribute("site");
        String siteName = site.getName();
        
        return getLoginURLParameters(request, "cocoon://_generate/plugins/web/frontoffice-formbasedauthentication/login/login/" + siteName);
    }
    
    @Override
    protected String getLogoutURL(Request request)
    {
        Site site = (Site) request.getAttribute("site");
        String siteName = site.getName();
        return "cocoon://_generate/plugins/web/frontoffice-formbasedauthentication/login/logout/" + siteName;
    }
    
    @Override
    protected boolean _handleLogout(Redirector redirector, Map objectModel, String source, Parameters parameters) throws Exception
    {
        boolean logout = super._handleLogout(redirector, objectModel, source, parameters);
        if (logout)
        {
            // Additionally we need to destroy potential server side session
            Request request = ObjectModelHelper.getRequest(objectModel);
            HttpCookie sessionId = (HttpCookie) request.getCookieMap().get(GeneratePageAction.__BACKOFFICE_JSESSION_ID);
            if (sessionId != null)
            {
                try (CloseableHttpClient httpClient = BackOfficeRequestHelper.getHttpClient())
                {
                    String cmsURL = Config.getInstance().getValue("org.ametys.site.bo");
                    HttpGet httpGet = new HttpGet(cmsURL + "/logout.html");
                    httpGet.addHeader("Cookie", "JSESSIONID=" + sessionId.getValue());
                    httpClient.execute(httpGet);
                }
            }
        }
        return logout;
    }
    
    @Override
    protected UserIdentity _validateToken(String token, String context)
    {
        // Get site names and URLs from the CMS
        String cmsURL = Config.getInstance().getValue("org.ametys.site.bo");
        
        try (CloseableHttpClient httpClient = BackOfficeRequestHelper.getHttpClient())
        {
            HttpPost httpPost = new HttpPost(cmsURL + "/_validate_token.xml");
            httpPost.addHeader("X-Ametys-FO", "true");
            
            List<NameValuePair> nvps = new ArrayList<>();
            nvps.add(new BasicNameValuePair("token", token));
            nvps.add(new BasicNameValuePair("tokenContext", context));
            httpPost.setEntity(new UrlEncodedFormEntity(nvps, StandardCharsets.UTF_8));
            
            try (CloseableHttpResponse response = httpClient.execute(httpPost); ByteArrayOutputStream os = new ByteArrayOutputStream())
            {
                switch (response.getStatusLine().getStatusCode())
                {
                    case 200: 
                        break;
                    
                    case 403: 
                        throw new IllegalStateException("The CMS back-office refused the connection");
                        
                    case 500: 
                    default:
                        throw new IllegalStateException("The CMS back-office returned an error");
                }
                
                response.getEntity().writeTo(os);
                try (ByteArrayInputStream is = new ByteArrayInputStream(os.toByteArray()))
                {
                    Configuration conf = new DefaultConfigurationBuilder().build(is);
                    
                    String login = conf.getChild("login").getValue(null);
                    String populationId = conf.getChild("populationId").getValue(null);
                    
                    if (StringUtils.isNoneBlank(login, populationId))
                    {
                        return new UserIdentity(login, populationId);
                    }
                    else
                    {
                        return null;
                    }
                }
            }
        }
        catch (Exception e)
        {
            throw new RuntimeException("Unable to synchronize site data", e);
        }
    }
}