/*
 * The contents of this file are subject to the terms of the Common Development and
 * Distribution License (the License). You may not use this file except in compliance with the
 * License.
 *
 * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
 * specific language governing permission and limitations under the License.
 *
 * When distributing Covered Software, include this CDDL Header Notice in each file and include
 * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
 * Header, with the fields enclosed by brackets [] replaced by your own identifying
 * information: "Portions Copyright [year] [name of copyright owner]".
 *
 * Copyright 2016 ForgeRock AS.
 */
package org.forgerock.opendj.rest2ldap.authz;

import static org.forgerock.opendj.rest2ldap.Rest2ldapMessages.*;
import static org.forgerock.json.JsonValueFunctions.*;
import static org.forgerock.opendj.ldap.requests.Requests.newSingleEntrySearchRequest;
import static org.forgerock.opendj.rest2ldap.authz.Utils.close;
import static org.forgerock.opendj.rest2ldap.authz.Utils.newAccessTokenException;
import static org.forgerock.util.Reject.checkNotNull;

import java.io.IOException;
import java.util.concurrent.atomic.AtomicReference;

import org.forgerock.http.oauth2.AccessTokenException;
import org.forgerock.http.oauth2.AccessTokenInfo;
import org.forgerock.http.oauth2.AccessTokenResolver;
import org.forgerock.http.util.Json;
import org.forgerock.json.JsonValue;
import org.forgerock.opendj.ldap.Connection;
import org.forgerock.opendj.ldap.ConnectionFactory;
import org.forgerock.opendj.ldap.DN;
import org.forgerock.opendj.ldap.Filter;
import org.forgerock.opendj.ldap.LdapException;
import org.forgerock.opendj.ldap.SearchScope;
import org.forgerock.opendj.ldap.responses.SearchResultEntry;
import org.forgerock.services.context.Context;
import org.forgerock.util.AsyncFunction;
import org.forgerock.util.Function;
import org.forgerock.util.promise.Promise;

/**
 * This class resolves an access token in order to get the {@link AccessTokenInfo}
 * by performing a request to an OpenDJ server.
 */
final class CtsAccessTokenResolver implements AccessTokenResolver {

    private static final Filter FR_CORE_TOKEN_OC_FILTER = Filter.equality("objectclass", "frCoreToken");

    private final ConnectionFactory connectionFactory;
    private final DN ctsBaseDN;

    CtsAccessTokenResolver(final ConnectionFactory connectionFactory, final String ctsBaseDN) {
        this.connectionFactory = checkNotNull(connectionFactory, "connectionFactory cannot be null");
        this.ctsBaseDN = DN.valueOf(checkNotNull(ctsBaseDN, "ctsBaseDN cannot be null"));
    }

    @Override
    public Promise<AccessTokenInfo, AccessTokenException> resolve(final Context context, final String token) {
        final AtomicReference<Connection> connectionHolder = new AtomicReference<>();

        return connectionFactory
            .getConnectionAsync()
            .thenAsync(new AsyncFunction<Connection, SearchResultEntry, LdapException>() {
                @Override
                public Promise<SearchResultEntry, LdapException> apply(final Connection connection)
                        throws LdapException {
                    connectionHolder.set(connection);
                    return connection.searchSingleEntryAsync(newSingleEntrySearchRequest(
                            ctsBaseDN.child("coreTokenId", token),
                            SearchScope.BASE_OBJECT, FR_CORE_TOKEN_OC_FILTER, "coreTokenObject"));
                }
            }).then(new Function<SearchResultEntry, AccessTokenInfo, AccessTokenException>() {
                @Override
                public AccessTokenInfo apply(final SearchResultEntry entry) throws AccessTokenException {
                    final JsonValue accessToken = parseJson(
                            entry.getAttribute("coreTokenObject").firstValueAsString(), token);

                    final String tokenName = getRequiredFirstValue(accessToken.get("tokenName"));
                    if (!tokenName.equals("access_token")) {
                        throw newAccessTokenException(ERR_OAUTH2_CTS_INVALID_TOKEN_TYPE.get(token, tokenName));
                    }

                    return new AccessTokenInfo(accessToken, token,
                            accessToken.get("scope").required().as(setOf(String.class)),
                            Long.parseLong(getRequiredFirstValue(accessToken.get("expireTime"))));
                }
            }, new Function<LdapException, AccessTokenInfo, AccessTokenException>() {
                @Override
                public AccessTokenInfo apply(final LdapException e) throws AccessTokenException {
                    throw newAccessTokenException(ERR_OAUTH2_CTS_TOKEN_NOT_FOUND.get(token, e.getMessage()), e);
                }
            }).thenCatchRuntimeException(new Function<RuntimeException, AccessTokenInfo, AccessTokenException>() {
                @Override
                public AccessTokenInfo apply(final RuntimeException e) throws AccessTokenException {
                    throw newAccessTokenException(ERR_OAUTH2_CTS_TOKEN_RESOLUTION.get(token, e.getMessage()), e);
                }
            }).thenFinally(close(connectionHolder));
    }

    private String getRequiredFirstValue(final JsonValue list) {
        return list.required().asList(String.class).get(0);
    }

    private JsonValue parseJson(final String accessTokenJson, final String token) throws AccessTokenException {
        try {
            return new JsonValue(Json.readJson(accessTokenJson));
        } catch (final IOException e) {
            throw newAccessTokenException(ERR_OAUTH2_CTS_INVALID_JSON_TOKEN.get(token));
        }
    }
}