package tech.powerjob.server.openapi.security;

import com.google.common.collect.Maps;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.collections4.MapUtils;
import org.apache.commons.lang3.StringUtils;
import org.springframework.stereotype.Service;
import tech.powerjob.client.module.AppAuthRequest;
import tech.powerjob.client.module.AppAuthResult;
import tech.powerjob.common.OpenAPIConstant;
import tech.powerjob.common.enums.ErrorCodes;
import tech.powerjob.common.exception.PowerJobException;
import tech.powerjob.server.auth.common.utils.HttpServletUtils;
import tech.powerjob.server.auth.jwt.JwtService;
import tech.powerjob.server.auth.jwt.ParseResult;
import tech.powerjob.server.core.service.AppInfoService;
import tech.powerjob.server.persistence.remote.model.AppInfoDO;

import javax.annotation.Resource;
import javax.servlet.http.HttpServletRequest;
import java.util.Map;
import java.util.Optional;

/**
 * OpenApiSecurityService
 *
 * @author tjq
 * @since 2024/2/19
 */
@Slf4j
@Service
public class OpenApiSecurityServiceImpl implements OpenApiSecurityService {

    @Resource
    private JwtService jwtService;
    @Resource
    private AppInfoService appInfoService;

    private static final String JWT_KEY_APP_ID = "appId";
    private static final String JWT_KEY_APP_PASSWORD = "password";
    private static final String JWT_KEY_ENCRYPT_TYPE = "encryptType";

    @Override
    public void authAppByToken(HttpServletRequest httpServletRequest) {

        String token = HttpServletUtils.fetchFromHeader(OpenAPIConstant.REQUEST_HEADER_ACCESS_TOKEN, httpServletRequest);
        String appIdFromHeader = HttpServletUtils.fetchFromHeader(OpenAPIConstant.REQUEST_HEADER_APP_ID, httpServletRequest);

        if (StringUtils.isEmpty(appIdFromHeader)) {
            throw new PowerJobException(ErrorCodes.INVALID_REQUEST, "lack_of_appId_in_header");
        }

        if (StringUtils.isEmpty(token)) {
            throw new PowerJobException(ErrorCodes.OPEN_API_AUTH_FAILED, "token_is_empty");
        }

        ParseResult parseResult = jwtService.parse(token, null);
        switch (parseResult.getStatus()) {
            case EXPIRED:
                throw new PowerJobException(ErrorCodes.TOKEN_EXPIRED, parseResult.getMsg());
            case FAILED:
                throw new PowerJobException(ErrorCodes.INVALID_TOKEN, parseResult.getMsg());
        }

        Map<String, Object> jwtResult = parseResult.getResult();

        Long appIdFromJwt = MapUtils.getLong(jwtResult, JWT_KEY_APP_ID);
        String passwordFromJwt = MapUtils.getString(jwtResult, JWT_KEY_APP_PASSWORD);
        String encryptType = MapUtils.getString(jwtResult, JWT_KEY_ENCRYPT_TYPE);

        // 校验 appId 一致性
        if (!StringUtils.equals(appIdFromHeader, String.valueOf(appIdFromJwt))) {
            throw new PowerJobException(ErrorCodes.INVALID_REQUEST, "Inconsistent_appId_from_token_and_header");
        }

        // 此处不考虑改密码后的缓存时间，毕竟只要改了密码，一定会报错。换言之 OpenAPI 模式下，密码不可更改
        Optional<AppInfoDO> appInfoOpt = appInfoService.findById(appIdFromJwt, true);
        if (!appInfoOpt.isPresent()) {
            throw new PowerJobException(ErrorCodes.INVALID_APP, "can_not_find_app");
        }

        appInfoService.assertApp(appInfoOpt.get(), passwordFromJwt, encryptType);
    }


    @Override
    public AppAuthResult authAppByParam(AppAuthRequest appAuthRequest) {

        String appName = appAuthRequest.getAppName();
        String encryptedPassword = appAuthRequest.getEncryptedPassword();

        Long appId = appInfoService.assertApp(appName, encryptedPassword, appAuthRequest.getEncryptType());

        Map<String, Object> jwtBody = Maps.newHashMap();
        jwtBody.put(JWT_KEY_APP_ID, appId);
        jwtBody.put(JWT_KEY_APP_PASSWORD, encryptedPassword);
        jwtBody.put(JWT_KEY_ENCRYPT_TYPE, appAuthRequest.getEncryptType());

        AppAuthResult appAuthResult = new AppAuthResult();

        appAuthResult.setAppId(appId);
        appAuthResult.setToken(jwtService.build(jwtBody, null));

        return appAuthResult;
    }
}