package user

import (
	"crypto/rsa"
	"testing"
	"time"

	"geeks-accelerator/oss/saas-starter-kit/example-project/internal/platform/auth"
	"geeks-accelerator/oss/saas-starter-kit/example-project/internal/platform/tests"
	"github.com/dgrijalva/jwt-go"
	"github.com/google/go-cmp/cmp"
	"github.com/pborman/uuid"
	"github.com/pkg/errors"
)

// mockTokenGenerator is used for testing that Authenticate calls its provided
// token generator in a specific way.
type mockTokenGenerator struct{}

// Private key generated by GenerateToken that is need for ParseClaims
var mockTokenKey *rsa.PrivateKey

// GenerateToken implements the TokenGenerator interface. It returns a "token"
// that includes some information about the claims it was passed.
func (g mockTokenGenerator) GenerateToken(claims auth.Claims) (string, error) {
	privateKey, err := auth.Keygen()
	if err != nil {
		return "", err
	}

	mockTokenKey, err = jwt.ParseRSAPrivateKeyFromPEM(privateKey)
	if err != nil {
		return "", err
	}

	algorithm := "RS256"
	method := jwt.GetSigningMethod(algorithm)

	tkn := jwt.NewWithClaims(method, claims)
	tkn.Header["kid"] = "1"

	str, err := tkn.SignedString(mockTokenKey)
	if err != nil {
		return "", err
	}

	return str, nil
}

// ParseClaims recreates the Claims that were used to generate a token. It
// verifies that the token was signed using our key.
func (g mockTokenGenerator) ParseClaims(tknStr string) (auth.Claims, error) {
	algorithm := "RS256"
	parser := jwt.Parser{
		ValidMethods: []string{algorithm},
	}

	if mockTokenKey == nil {
		panic("key is nil")
	}

	f := func(t *jwt.Token) (interface{}, error) {
		return mockTokenKey.Public().(*rsa.PublicKey), nil
	}

	var claims auth.Claims
	tkn, err := parser.ParseWithClaims(tknStr, &claims, f)
	if err != nil {
		return auth.Claims{}, errors.Wrap(err, "parsing token")
	}

	if !tkn.Valid {
		return auth.Claims{}, errors.New("Invalid token")
	}

	return claims, nil
}

// TestAuthenticate validates the behavior around authenticating users.
func TestAuthenticate(t *testing.T) {
	defer tests.Recover(t)

	t.Log("Given the need to authenticate users")
	{
		t.Log("\tWhen handling a single User.")
		{
			ctx := tests.Context()

			tknGen := &mockTokenGenerator{}

			// Auth tokens are valid for an our and is verified against current time.
			// Issue the token one hour ago.
			now := time.Now().Add(time.Hour * -1)

			// Try to authenticate an invalid user.
			_, err := Authenticate(ctx, test.MasterDB, tknGen, now, "doesnotexist@gmail.com", "xy7")
			if errors.Cause(err) != ErrAuthenticationFailure {
				t.Logf("\t\tGot : %+v", err)
				t.Logf("\t\tWant: %+v", ErrAuthenticationFailure)
				t.Fatalf("\t%s\tAuthenticate non existant user failed.", tests.Failed)
			}
			t.Logf("\t%s\tAuthenticate non existant user ok.", tests.Success)

			// Create a new user for testing.
			initPass := uuid.NewRandom().String()
			user, err := Create(ctx, auth.Claims{}, test.MasterDB, CreateUserRequest{
				Name:            "Lee Brown",
				Email:           uuid.NewRandom().String() + "@geeksinthewoods.com",
				Password:        initPass,
				PasswordConfirm: initPass,
			}, now)
			if err != nil {
				t.Log("\t\tGot :", err)
				t.Fatalf("\t%s\tCreate user failed.", tests.Failed)
			}
			t.Logf("\t%s\tCreate user ok.", tests.Success)

			// Create a new random account and associate that with the user.
			// This defined role should be the claims.
			accountId := uuid.NewRandom().String()
			accountRole := UserAccountRole_Admin
			_, err = AddAccount(tests.Context(), auth.Claims{}, test.MasterDB, AddAccountRequest{
				UserID:    user.ID,
				AccountID: accountId,
				Roles:     []UserAccountRole{accountRole},
			}, now)
			if err != nil {
				t.Log("\t\tGot :", err)
				t.Fatalf("\t%s\tAddAccount failed.", tests.Failed)
			}

			// Add 30 minutes to now to simulate time passing.
			now = now.Add(time.Minute * 30)

			// Try to authenticate valid user with invalid password.
			_, err = Authenticate(ctx, test.MasterDB, tknGen, now, user.Email, "xy7")
			if errors.Cause(err) != ErrAuthenticationFailure {
				t.Logf("\t\tGot : %+v", err)
				t.Logf("\t\tWant: %+v", ErrAuthenticationFailure)
				t.Fatalf("\t%s\tAuthenticate user w/invalid password failed.", tests.Failed)
			}
			t.Logf("\t%s\tAuthenticate user w/invalid password ok.", tests.Success)

			// Verify that the user can be authenticated with the created user.
			tkn, err := Authenticate(ctx, test.MasterDB, tknGen, now, user.Email, initPass)
			if err != nil {
				t.Log("\t\tGot :", err)
				t.Fatalf("\t%s\tAuthenticate user failed.", tests.Failed)
			}
			t.Logf("\t%s\tAuthenticate user ok.", tests.Success)

			// Ensure the token string was correctly generated.
			claims, err := tknGen.ParseClaims(tkn.Token)
			if err != nil {
				t.Log("\t\tGot :", err)
				t.Fatalf("\t%s\tParse claims from token failed.", tests.Failed)
			} else if diff := cmp.Diff(claims, tkn.claims); diff != "" {
				t.Fatalf("\t%s\tExpected parsed claims to match from token. Diff:\n%s", tests.Failed, diff)
			} else if diff := cmp.Diff(claims.Roles, []string{accountRole.String()}); diff != "" {
				t.Fatalf("\t%s\tExpected parsed claims roles to match user account. Diff:\n%s", tests.Failed, diff)
			} else if diff := cmp.Diff(claims.AccountIds, []string{accountId}); diff != "" {
				t.Fatalf("\t%s\tExpected parsed claims account IDs to match the single user account. Diff:\n%s", tests.Failed, diff)
			}
			t.Logf("\t%s\tParse claims from token ok.", tests.Success)
		}
	}
}