/*
 *  Copyright 2021 Anyware Services
 *
 *  Licensed under the Apache License, Version 2.0 (the "License");
 *  you may not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */
package org.ametys.plugins.extrausermgt.authentication.aad;

import java.io.IOException;
import java.net.URI;
import java.util.Date;
import java.util.Map;
import java.util.Set;
import java.util.UUID;

import org.apache.avalon.framework.context.Context;
import org.apache.avalon.framework.context.ContextException;
import org.apache.avalon.framework.context.Contextualizable;
import org.apache.avalon.framework.service.ServiceException;
import org.apache.avalon.framework.service.ServiceManager;
import org.apache.avalon.framework.service.Serviceable;
import org.apache.cocoon.ProcessingException;
import org.apache.cocoon.components.ContextHelper;
import org.apache.cocoon.environment.ObjectModelHelper;
import org.apache.cocoon.environment.Redirector;
import org.apache.cocoon.environment.Request;
import org.apache.cocoon.environment.Session;

import org.ametys.core.authentication.AbstractCredentialProvider;
import org.ametys.core.authentication.BlockingCredentialProvider;
import org.ametys.core.user.UserIdentity;
import org.ametys.runtime.authentication.AccessDeniedException;

import com.microsoft.aad.msal4j.AuthorizationCodeParameters;
import com.microsoft.aad.msal4j.AuthorizationRequestUrlParameters;
import com.microsoft.aad.msal4j.AuthorizationRequestUrlParameters.Builder;
import com.microsoft.aad.msal4j.ClientCredentialFactory;
import com.microsoft.aad.msal4j.ConfidentialClientApplication;
import com.microsoft.aad.msal4j.IAccount;
import com.microsoft.aad.msal4j.IAuthenticationResult;
import com.microsoft.aad.msal4j.IClientSecret;
import com.microsoft.aad.msal4j.Prompt;
import com.microsoft.aad.msal4j.ResponseMode;
import com.microsoft.aad.msal4j.SilentParameters;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

/**
 * Sign in through Azure AD, using the OpenId Connect protocol.
 */
public class AADCredentialProvider extends AbstractCredentialProvider implements BlockingCredentialProvider, Contextualizable, Serviceable
{
    /** Session attribute for Azure AD token */
    public static final String TOKEN_SESSION_ATTRIBUTE = "aad_token";
    /** Session attribute for the redirect URI */
    public static final String REDIRECT_URI_SESSION_ATTRIBUTE = "aad_actualRedirectUri";
    
    private Context _context;
    
    private String _clientID;
    private String _clientSecret;
    private String _tenant;
    private boolean _prompt;
    
    private AzureADScopesExtensionPoint _azureADScopesExtensionPoint;
    
    public void service(ServiceManager manager) throws ServiceException
    {
        _azureADScopesExtensionPoint = (AzureADScopesExtensionPoint) manager.lookup(AzureADScopesExtensionPoint.ROLE);
    }
    
    @Override
    public void contextualize(Context context) throws ContextException
    {
        _context = context;
    }
    
    @Override
    public void init(String id, String cpModelId, Map<String, Object> paramValues, String label)
    {
        super.init(id, cpModelId, paramValues, label);
        
        _clientID = (String) paramValues.get("authentication.aad.appid");
        _clientSecret = (String) paramValues.get("authentication.aad.clientsecret");
        _tenant = (String) paramValues.get("authentication.aad.tenant");
        _prompt = (boolean) paramValues.get("authentication.aad.prompt");
    }
    
    private ConfidentialClientApplication _getClient() throws Exception
    {
        IClientSecret secret = ClientCredentialFactory.createFromSecret(_clientSecret);
        ConfidentialClientApplication client = ConfidentialClientApplication.builder(_clientID, secret)
                                                                            .authority("https://login.microsoftonline.com/" + _tenant)
                                                                            .build();
        
        return client;
    }

    @Override
    public boolean blockingIsStillConnected(UserIdentity userIdentity, Redirector redirector) throws Exception
    {
        Map objectModel = ContextHelper.getObjectModel(_context);
        Request request = ObjectModelHelper.getRequest(objectModel);
        Session session = request.getSession(true);
        
        // this check is also done by the following MSAL code, but it's way faster with juste a simple date check
        Date expDat = (Date) session.getAttribute("aad_expirationDate");
        if (new Date().before(expDat))
        {
            return true;
        }
        
        ConfidentialClientApplication client = _getClient();
        
        IAccount account = (IAccount) session.getAttribute("aad_account");
        String tokenCache = (String) session.getAttribute("aad_tokenCache");
        
        SilentParameters parameters = SilentParameters.builder(Set.of("openid"), account).build();
        client.tokenCache().deserialize(tokenCache);
        IAuthenticationResult result = client.acquireTokenSilently(parameters).get();
        
        JWTClaimsSet claimsSet = SignedJWT.parse(result.idToken()).getJWTClaimsSet();
        
        session.setAttribute("aad_expirationDate", claimsSet.getExpirationTime());
        session.setAttribute("aad_tokenCache", client.tokenCache().serialize());
        session.setAttribute("aad_account", result.account());
        
        return true;
    }
    
    @Override
    public boolean blockingGrantAnonymousRequest()
    {       
        return false;
    }
    
    @Override
    public UserIdentity blockingGetUserIdentity(Redirector redirector) throws Exception
    {
        Map objectModel = ContextHelper.getObjectModel(_context);
        Request request = ObjectModelHelper.getRequest(objectModel);
        Session session = request.getSession(true);
        
        ConfidentialClientApplication client = _getClient();
        
        StringBuilder uriBuilder = new StringBuilder();
        if (request.isSecure())
        {
            uriBuilder.append("https://").append(request.getServerName());
            if (request.getServerPort() != 443)
            {
                uriBuilder.append(":");
                uriBuilder.append(request.getServerPort());
            }
        }
        else
        {
            uriBuilder.append("http://").append(request.getServerName());
            if (request.getServerPort() != 80)
            {
                uriBuilder.append(":");
                uriBuilder.append(request.getServerPort());
            }
        }
        
        uriBuilder.append(request.getContextPath());
        uriBuilder.append("/_extra-user-management/aad-callback");
        String requestURI = uriBuilder.toString();
        
        getLogger().debug("AADCredentialProvider callback URI: {}", requestURI);
        
        String code = request.getParameter("code");
        if (code == null)
        {
            // sign-in request: redirect the client through the actual authentication process
            
            String state = UUID.randomUUID().toString();
            session.setAttribute("aad_state", state);
            
            String actualRedirectUri = request.getRequestURI();
            if (request.getQueryString() != null) 
            {
                actualRedirectUri += "?" + request.getQueryString();
            }
            session.setAttribute(REDIRECT_URI_SESSION_ATTRIBUTE, actualRedirectUri);
            
            String nonce = UUID.randomUUID().toString();
            session.setAttribute("aad_nonce", nonce);
            
            Builder builder = AuthorizationRequestUrlParameters.builder(requestURI, _azureADScopesExtensionPoint.getScopes())
                                                               .responseMode(ResponseMode.QUERY)
                                                               .state(state)
                                                               .nonce(nonce);
            
            if (_prompt)
            {
                builder.prompt(Prompt.SELECT_ACCOUNT);
            }
            
            AuthorizationRequestUrlParameters parameters = builder.build();

            String authorizationRequestUrl = client.getAuthorizationRequestUrl(parameters).toString();
            redirector.redirect(false, authorizationRequestUrl);
            return null;
        }
        
        // we got an authorization code
        
        // but first, check the state to prevent CSRF attacks
        String storedState = (String) session.getAttribute("aad_state");
        String state = request.getParameter("state");
        
        if (!storedState.equals(state))
        {
            throw new AccessDeniedException("AAD state mismatch");
        }
        
        session.setAttribute("aad_state", null);
        
        // handle errors
        String error = request.getParameter("error");
        String errorDescription = request.getParameter("error_description");
        if (error != null || errorDescription != null) 
        {
            throw new AccessDeniedException(String.format("Received an error from AAD. Error: %s %nErrorDescription: %s", error, errorDescription));
        }
        
        // then get the token from the authorization code
        AuthorizationCodeParameters authParams = AuthorizationCodeParameters.builder(code, new URI(requestURI))
                                                                            .scopes(_azureADScopesExtensionPoint.getScopes())
                                                                            .build();
        
        IAuthenticationResult result = client.acquireToken(authParams).get();
        
        // parse the token
        JWTClaimsSet claimsSet = SignedJWT.parse(result.idToken()).getJWTClaimsSet();
        Map<String, Object> tokenClaims = claimsSet.getClaims();
        
        String storedNonce = (String) session.getAttribute("aad_nonce");
        String nonce = (String) tokenClaims.get("nonce");
        
        if (!storedNonce.equals(nonce))
        {
            throw new AccessDeniedException("AAD nonce mismatch");
        }
        
        session.setAttribute("aad_nonce", null);
        
        session.setAttribute("aad_expirationDate", claimsSet.getExpirationTime());
        session.setAttribute("aad_tokenCache", client.tokenCache().serialize());
        session.setAttribute("aad_account", result.account());
        
        session.setAttribute(TOKEN_SESSION_ATTRIBUTE, result.accessToken());
        
        // then the user is finally logged in
        String login = result.account().username();
        
        return new UserIdentity(login, null);
    }
    
    @Override
    public void blockingUserNotAllowed(Redirector redirector)
    {
        // Nothing to do.
    }
    
    @Override
    public void blockingUserAllowed(UserIdentity userIdentity, Redirector redirector) throws ProcessingException, IOException
    {
        Map objectModel = ContextHelper.getObjectModel(_context);
        Request request = ObjectModelHelper.getRequest(objectModel);
        Session session = request.getSession(true);
        
        String redirectUri = (String) session.getAttribute(AADCredentialProvider.REDIRECT_URI_SESSION_ATTRIBUTE);
        redirector.redirect(true, redirectUri);
    }
    
    public boolean requiresNewWindow()
    {
        return true;
    }
}