// Package authenticate is a pomerium service that handles user authentication
// and refersh (AuthN).
package authenticate

import (
	"errors"
	"fmt"
	"html/template"

	"github.com/pomerium/pomerium/config"
	"github.com/pomerium/pomerium/internal/frontend"
	"github.com/pomerium/pomerium/internal/identity"
	"github.com/pomerium/pomerium/internal/identity/oauth"
	"github.com/pomerium/pomerium/internal/log"
	"github.com/pomerium/pomerium/internal/urlutil"
	"github.com/pomerium/pomerium/pkg/cryptutil"
	"github.com/pomerium/pomerium/pkg/grpc"
	"github.com/pomerium/pomerium/pkg/grpc/databroker"
)

// ValidateOptions checks that configuration are complete and valid.
// Returns on first error found.
func ValidateOptions(o *config.Options) error {
	if _, err := cryptutil.NewAEADCipherFromBase64(o.SharedKey); err != nil {
		return fmt.Errorf("authenticate: 'SHARED_SECRET' invalid: %w", err)
	}
	if _, err := cryptutil.NewAEADCipherFromBase64(o.CookieSecret); err != nil {
		return fmt.Errorf("authenticate: 'COOKIE_SECRET' invalid %w", err)
	}
	if err := urlutil.ValidateURL(o.AuthenticateURL); err != nil {
		return fmt.Errorf("authenticate: invalid 'AUTHENTICATE_SERVICE_URL': %w", err)
	}
	if o.Provider == "" {
		return errors.New("authenticate: 'IDP_PROVIDER' is required")
	}
	if o.ClientID == "" {
		return errors.New("authenticate: 'IDP_CLIENT_ID' is required")
	}
	if o.ClientSecret == "" {
		return errors.New("authenticate: 'IDP_CLIENT_SECRET' is required")
	}
	if o.AuthenticateCallbackPath == "" {
		return errors.New("authenticate: 'AUTHENTICATE_CALLBACK_PATH' is required")
	}
	if err := urlutil.ValidateURL(o.DataBrokerURL); err != nil {
		return fmt.Errorf("authenticate: invalid 'DATABROKER_SERVICE_URL': %w", err)
	}
	return nil
}

// Authenticate contains data required to run the authenticate service.
type Authenticate struct {
	// dataBrokerClient is used to retrieve sessions
	dataBrokerClient databroker.DataBrokerServiceClient

	templates *template.Template

	options  *config.AtomicOptions
	provider *identity.AtomicAuthenticator
	state    *atomicAuthenticateState
}

// New validates and creates a new authenticate service from a set of Options.
func New(cfg *config.Config) (*Authenticate, error) {
	if err := ValidateOptions(cfg.Options); err != nil {
		return nil, err
	}

	dataBrokerConn, err := grpc.NewGRPCClientConn(
		&grpc.Options{
			Addr:                    cfg.Options.DataBrokerURL,
			OverrideCertificateName: cfg.Options.OverrideCertificateName,
			CA:                      cfg.Options.CA,
			CAFile:                  cfg.Options.CAFile,
			RequestTimeout:          cfg.Options.GRPCClientTimeout,
			ClientDNSRoundRobin:     cfg.Options.GRPCClientDNSRoundRobin,
			WithInsecure:            cfg.Options.GRPCInsecure,
			ServiceName:             cfg.Options.Services,
		})
	if err != nil {
		return nil, err
	}

	dataBrokerClient := databroker.NewDataBrokerServiceClient(dataBrokerConn)

	a := &Authenticate{
		// grpc client for cache
		dataBrokerClient: dataBrokerClient,
		templates:        template.Must(frontend.NewTemplates()),
		options:          config.NewAtomicOptions(),
		provider:         identity.NewAtomicAuthenticator(),
		state:            newAtomicAuthenticateState(newAuthenticateState()),
	}

	err = a.updateProvider(cfg)
	if err != nil {
		return nil, err
	}

	state, err := newAuthenticateStateFromConfig(cfg)
	if err != nil {
		return nil, err
	}
	a.state.Store(state)

	return a, nil
}

// OnConfigChange updates internal structures based on config.Options
func (a *Authenticate) OnConfigChange(cfg *config.Config) {
	if a == nil {
		return
	}

	log.Info().Str("checksum", fmt.Sprintf("%x", cfg.Options.Checksum())).Msg("authenticate: updating options")
	a.options.Store(cfg.Options)
	if err := a.updateProvider(cfg); err != nil {
		log.Error().Err(err).Msg("authenticate: failed to update identity provider")
	}
	if state, err := newAuthenticateStateFromConfig(cfg); err != nil {
		log.Error().Err(err).Msg("authenticate: failed to update state")
	} else {
		a.state.Store(state)
	}
}

func (a *Authenticate) updateProvider(cfg *config.Config) error {
	redirectURL, _ := urlutil.DeepCopy(cfg.Options.AuthenticateURL)
	redirectURL.Path = cfg.Options.AuthenticateCallbackPath

	// configure our identity provider
	provider, err := identity.NewAuthenticator(
		oauth.Options{
			RedirectURL:     redirectURL,
			ProviderName:    cfg.Options.Provider,
			ProviderURL:     cfg.Options.ProviderURL,
			ClientID:        cfg.Options.ClientID,
			ClientSecret:    cfg.Options.ClientSecret,
			Scopes:          cfg.Options.Scopes,
			ServiceAccount:  cfg.Options.ServiceAccount,
			AuthCodeOptions: cfg.Options.RequestParams,
		})
	if err != nil {
		return err
	}
	a.provider.Store(provider)

	return nil
}