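package main

import (
	"context"
	"encoding/json"
	"strings"
	"time"

	"oc-auth/conf"
	"oc-auth/infrastructure"
	auth_connectors "oc-auth/infrastructure/auth_connector"
	_ "oc-auth/routers"

	oclib "cloud.o-forge.io/core/oc-lib"
	"cloud.o-forge.io/core/oc-lib/tools"
	beego "github.com/beego/beego/v2/server/web"
)

const appname = "oc-auth"

// @securityDefinitions.apikey Bearer
// @in header
// @name Authorization
// @description Type "Bearer" followed by a space and JWT token.
func main() {
	oclib.InitAPI(appname)
	loadConfig()

	// Both background tasks retry on their own; neither blocks the HTTP server from starting.
	go generateRole()
	go discovery()
	beego.Run()
}

// loadConfig fills the shared configuration from the oc-lib config loader.
// Every value has a fallback so the service starts out of the box in local
// development; the fallbacks for secrets are NOT suitable for a real deployment.
func loadConfig() {
	o := oclib.GetConfLoader(appname)
	cfg := conf.GetConfig()

	cfg.AdminRole = o.GetStringDefault("ADMIN_ROLE", "admin")
	cfg.PublicKeyPath = o.GetStringDefault("PUBLIC_KEY_PATH", "./pem/public.pem")
	cfg.PrivateKeyPath = o.GetStringDefault("PRIVATE_KEY_PATH", "./pem/private.pem")
	// Development-only fallback: CLIENT_SECRET must be provided explicitly outside local mode.
	cfg.ClientSecret = o.GetStringDefault("CLIENT_SECRET", "oc-auth-got-secret")
	cfg.OAuth2ClientSecretName = o.GetStringDefault("OAUTH2_CLIENT_SECRET_NAME", "oc-oauth2-client-secret")
	cfg.OAuth2ClientSecretNamespace = o.GetStringDefault("NAMESPACE", "default")

	// OAuth2 / OIDC provider (hydra by default).
	cfg.Auth = o.GetStringDefault("AUTH", "hydra")
	cfg.AuthConnectorHost = o.GetStringDefault("AUTH_CONNECTOR_HOST", "localhost")
	cfg.AuthConnectPublicHost = o.GetStringDefault("AUTH_CONNECTOR_PUBLIC_HOST", "localhost")
	cfg.AuthConnectorPort = o.GetIntDefault("AUTH_CONNECTOR_PORT", 4444)
	cfg.AuthConnectorAdminPort = o.GetStringDefault("AUTH_CONNECTOR_ADMIN_PORT", "4445/admin")

	// Permission backend (keto by default).
	cfg.PermissionConnectorWriteHost = o.GetStringDefault("PERMISSION_CONNECTOR_WRITE_HOST", "keto")
	cfg.PermissionConnectorReadHost = o.GetStringDefault("PERMISSION_CONNECTOR_READ_HOST", "keto")
	cfg.PermissionConnectorPort = o.GetStringDefault("PERMISSION_CONNECTOR_PORT", "4466")
	cfg.PermissionConnectorAdminPort = o.GetStringDefault("PERMISSION_CONNECTOR_ADMIN_PORT", "4467")

	// NOTE(review): Origin and AdminOrigin both read ADMIN_ORIGIN although their defaults
	// differ; Origin presumably should read ORIGIN — confirm against the deployment
	// manifests before changing the key, since existing environments may rely on it.
	cfg.Origin = o.GetStringDefault("ADMIN_ORIGIN", "http://localhost:8000")
	cfg.AdminOrigin = o.GetStringDefault("ADMIN_ORIGIN", "http://localhost:8001")
	cfg.OAuthRedirectURI = o.GetStringDefault("OAUTH_REDIRECT_URI", "http://google.com")
	cfg.OAdminAuthRedirectURI = o.GetStringDefault("ADMIN_OAUTH_REDIRECT_URI", "http://chatgpt.com")
	cfg.Local = o.GetBoolDefault("LOCAL", true)

	// LDAP source of users and roles.
	cfg.SourceMode = o.GetStringDefault("SOURCE_MODE", "ldap")
	cfg.LDAPEndpoints = o.GetStringDefault("LDAP_ENDPOINTS", "ldap:389")
	cfg.LDAPBindDN = o.GetStringDefault("LDAP_BINDDN", "cn=admin,dc=example,dc=com")
	// Development-only fallback: LDAP_BINDPW must be provided explicitly outside local mode.
	cfg.LDAPBindPW = o.GetStringDefault("LDAP_BINDPW", "password")
	cfg.LDAPBaseDN = o.GetStringDefault("LDAP_BASEDN", "dc=example,dc=com")
	cfg.LDAPUserBaseDN = o.GetStringDefault("LDAP_USER_BASEDN", "ou=users,dc=example,dc=com")
	cfg.LDAPRoleBaseDN = o.GetStringDefault("LDAP_ROLE_BASEDN", "ou=AppRoles,dc=example,dc=com")
}

// generateRole mirrors the LDAP role groups into the permission backend once at
// startup. It is a no-op unless SOURCE_MODE is "ldap", and it keeps retrying every
// 10s until LDAP answers. Errors from the permission backend are logged per role
// instead of being dropped, so a missing binding shows up in the logs.
func generateRole() {
	logger := oclib.GetLogger()
	defer func() {
		if r := recover(); r != nil {
			logger.Error().Msgf("generateRole recovered from panic: %v", r)
		}
	}()

	if conf.GetConfig().SourceMode != "ldap" {
		return
	}

	conn := infrastructure.GetPermissionConnector("")
	for {
		roles, err := auth_connectors.New().GetRoles(context.Background())
		if err != nil {
			logger.Error().Msg("Failed to get LDAP roles, retrying in 10s: " + err.Error())
			time.Sleep(10 * time.Second)
			continue
		}

		logger.Info().Msgf("Syncing %d LDAP role groups to Keto", len(roles))
		for _, role := range roles {
			for name, members := range role.Members {
				// An existing role is not a failure; mirrors the check done in discovery().
				if _, _, err := conn.CreateRole(name); err != nil && !strings.Contains(err.Error(), "already exist") {
					logger.Error().Msgf("Failed to create role %q: %v", name, err)
				}
				for _, member := range members {
					if _, _, err := conn.BindRole(name, member); err != nil {
						logger.Error().Msgf("Failed to bind %q to role %q: %v", member, name, err)
					}
				}
			}
		}
		return
	}
}

// discovery ensures the admin role exists in the permission backend, subscribes to
// the permission announcements of other services, and then asks them over NATS to
// (re)publish. The recover only covers this goroutine; whether ListenRouter runs the
// callback on another goroutine is not visible here.
func discovery() {
	logger := oclib.GetLogger()
	defer func() {
		if r := recover(); r != nil {
			logger.Error().Msgf("discovery recovered from panic: %v", r)
		}
	}()

	conn := infrastructure.GetPermissionConnector("")
	adminRole := conf.GetConfig().AdminRole

	logger.Info().Msg("Starting permission discovery")
	// Block until the backend accepts the admin role; "already exist" counts as success.
	for {
		_, _, err := conn.CreateRole(adminRole)
		if err == nil || strings.Contains(err.Error(), "already exist") {
			break
		}
		logger.Error().Msg("Failed to create admin role, retrying in 10s: " + err.Error())
		time.Sleep(10 * time.Second)
	}
	if _, _, err := conn.BindRole(adminRole, "admin"); err != nil {
		logger.Error().Msg("Failed to admin bind role: " + err.Error())
	}

	// addPermissions registers every permission announced by another service.
	// Decoding straight into []string replaces the former unchecked p.(string)
	// assertion: a malformed payload is now logged and skipped instead of panicking
	// (which would have ended this goroutine through the recover above).
	addPermissions := func(m tools.NATSResponse) {
		var announced map[string][]string
		if err := json.Unmarshal(m.Payload, &announced); err != nil {
			logger.Error().Msgf("Ignoring malformed permission payload from %q: %v", m.FromApp, err)
			return
		}
		for key, entries := range announced {
			for _, p := range entries {
				if _, _, err := conn.CreatePermission(key, p, true); err != nil {
					logger.Error().Msg("Failed to admin create permission: " + err.Error())
				}
			}
		}
	}
	api := tools.API{}
	api.ListenRouter(addPermissions)

	// Ask every service to announce its permissions; the payload is an empty JSON object.
	tools.NewNATSCaller().SetNATSPub(tools.DISCOVERY, tools.NATSResponse{
		FromApp:  appname,
		Datatype: -1,
		User:     "root",
		Method:   tools.GET.EnumIndex(),
		Payload:  []byte("{}"),
	})
}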