// Copyright (c) All respective contributors to the Peridot Project. All rights reserved.
// Copyright (c) 2021-2022 Rocky Enterprise Software Foundation, Inc. All rights reserved.
// Copyright (c) 2021-2022 Ctrl IQ, Inc. All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are met:
//
// 1. Redistributions of source code must retain the above copyright notice,
// this list of conditions and the following disclaimer.
//
// 2. Redistributions in binary form must reproduce the above copyright notice,
// this list of conditions and the following disclaimer in the documentation
// and/or other materials provided with the distribution.
//
// 3. Neither the name of the copyright holder nor the names of its contributors
// may be used to endorse or promote products derived from this software without
// specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
// ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
// LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
// SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
// CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.

package obsidianimplv1

import (
	"context"
	"github.com/ory/hydra-client-go/client/admin"
	hydramodels "github.com/ory/hydra-client-go/models"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/status"
	"google.golang.org/protobuf/proto"
	obsidianpb "peridot.resf.org/obsidian/pb"
)

const (
	invalidCheckType        = "invalid_check_type"
	challengeRequired       = "challenge_required"
	logoutChallengeRequired = "logout_challenge_required"
)

func (s *Server) SessionStatus(_ context.Context, req *obsidianpb.SessionStatusRequest) (*obsidianpb.SessionStatusResponse, error) {
	allowedTypes := map[string]bool{"login": true, "consent": true}
	if !allowedTypes[req.CheckType] {
		return nil, status.Error(codes.InvalidArgument, invalidCheckType)
	}

	if req.Challenge == "" {
		return nil, status.Error(codes.InvalidArgument, challengeRequired)
	}

	var res *obsidianpb.SessionStatusResponse
	var err error
	switch req.CheckType {
	case "login":
		res, err = s.ProcessLoginRequest(req.Challenge)
		break
	case "consent":
		res, err = s.ProcessConsentRequest(req.Challenge)
		break
	default:
		return nil, status.Error(codes.InvalidArgument, "")
	}

	if err != nil {
		return nil, err
	}

	return res, nil
}

func (s *Server) ConsentDecision(ctx context.Context, req *obsidianpb.ConsentDecisionRequest) (*obsidianpb.ConsentDecisionResponse, error) {
	if req.Challenge == "" {
		return nil, status.Error(codes.InvalidArgument, challengeRequired)
	}

	consentReq, err := s.hydra.Admin.GetConsentRequest(&admin.GetConsentRequestParams{
		Context:          ctx,
		ConsentChallenge: req.Challenge,
	})
	if err != nil {
		s.log.Error(err)
		return nil, status.Error(codes.Internal, authError)
	}

	var redirectURL string

	if req.Allow {
		res, err := s.AcceptConsentRequest(ctx, req.Challenge, consentReq)
		if err != nil {
			return nil, err
		}
		if !res.Valid {
			return nil, status.Error(codes.InvalidArgument, "invalid consent request")
		}
		redirectURL = res.RedirectUrl
	} else {
		res, err := s.hydra.Admin.RejectConsentRequest(&admin.RejectConsentRequestParams{
			Body: &hydramodels.RejectRequest{
				StatusCode:       int64(codes.Aborted),
				ErrorDescription: "User does not consent to data sharing",
				Error:            "no_consent",
			},
			ConsentChallenge: req.Challenge,
			Context:          ctx,
		})
		if err != nil {
			s.log.Errorf("error rejecting consent request: %s", err.Error())
			return nil, status.Error(codes.Internal, authError)
		}
		redirectURL = *res.Payload.RedirectTo
	}

	return &obsidianpb.ConsentDecisionResponse{
		RedirectUrl: redirectURL,
	}, nil
}

func (s *Server) LogoutDecision(ctx context.Context, req *obsidianpb.LogoutDecisionRequest) (*obsidianpb.LogoutDecisionResponse, error) {
	if req.Challenge == "" {
		return nil, status.Error(codes.InvalidArgument, logoutChallengeRequired)
	}

	logout, err := s.hydra.Admin.GetLogoutRequest(&admin.GetLogoutRequestParams{
		LogoutChallenge: req.Challenge,
		Context:         ctx,
	})
	if err != nil {
		s.log.Error(err)
		return nil, status.Error(codes.Internal, authError)
	}

	var redirectURL string
	if req.Accept {
		_, err = s.hydra.Admin.RevokeConsentSessions(&admin.RevokeConsentSessionsParams{
			All:     proto.Bool(true),
			Subject: logout.Payload.Subject,
			Context: ctx,
		})
		if err != nil {
			s.log.Errorf("error revoking consent sessions: %s", err.Error())
			return nil, status.Error(codes.Internal, "error revoking consent sessions")
		}

		acceptReq, err := s.hydra.Admin.AcceptLogoutRequest(&admin.AcceptLogoutRequestParams{
			LogoutChallenge: req.Challenge,
			Context:         ctx,
		})
		if err != nil {
			s.log.Errorf("error accepting logout request: %s", err.Error())
			return nil, status.Error(codes.Internal, "error accepting logout request")
		}
		redirectURL = *acceptReq.Payload.RedirectTo
	} else {
		_, err := s.hydra.Admin.RejectLogoutRequest(&admin.RejectLogoutRequestParams{
			Body: &hydramodels.RejectRequest{
				StatusCode:       int64(codes.Aborted),
				ErrorDescription: "User denied logout request",
				Error:            "user_denied",
			},
			LogoutChallenge: req.Challenge,
			Context:         nil,
			HTTPClient:      nil,
		})
		if err != nil {
			s.log.Errorf("error rejecting logout request: %s", err.Error())
			return nil, status.Error(codes.Internal, "error rejecting logout request")
		}
		redirectURL = logout.Payload.RequestURL
	}

	return &obsidianpb.LogoutDecisionResponse{
		RedirectUrl: redirectURL,
	}, nil
}