// Copyright (C) The Arvados Authors. All rights reserved.
//
// SPDX-License-Identifier: AGPL-3.0

package localdb

import (
	"context"
	"encoding/json"
	"net"
	"net/http"

	"git.arvados.org/arvados.git/lib/config"
	"git.arvados.org/arvados.git/lib/controller/railsproxy"
	"git.arvados.org/arvados.git/lib/ctrlctx"
	"git.arvados.org/arvados.git/sdk/go/arvados"
	"git.arvados.org/arvados.git/sdk/go/arvadostest"
	"git.arvados.org/arvados.git/sdk/go/auth"
	"git.arvados.org/arvados.git/sdk/go/ctxlog"
	"github.com/bradleypeabody/godap"
	"github.com/jmoiron/sqlx"
	check "gopkg.in/check.v1"
)

var _ = check.Suite(&LDAPSuite{})

type LDAPSuite struct {
	cluster *arvados.Cluster
	ctrl    *ldapLoginController
	ldap    *godap.LDAPServer // fake ldap server that accepts auth goodusername/goodpassword
	db      *sqlx.DB

	// transaction context
	ctx      context.Context
	rollback func() error
}

func (s *LDAPSuite) TearDownSuite(c *check.C) {
	// Undo any changes/additions to the user database so they
	// don't affect subsequent tests.
	arvadostest.ResetEnv()
	c.Check(arvados.NewClientFromEnv().RequestAndDecode(nil, "POST", "database/reset", nil, nil), check.IsNil)
}

func (s *LDAPSuite) SetUpSuite(c *check.C) {
	cfg, err := config.NewLoader(nil, ctxlog.TestLogger(c)).Load()
	c.Assert(err, check.IsNil)
	s.cluster, err = cfg.GetCluster("")
	c.Assert(err, check.IsNil)

	ln, err := net.Listen("tcp", "127.0.0.1:0")
	c.Assert(err, check.IsNil)
	s.ldap = &godap.LDAPServer{
		Listener: ln,
		Handlers: []godap.LDAPRequestHandler{
			&godap.LDAPBindFuncHandler{
				LDAPBindFunc: func(binddn string, bindpw []byte) bool {
					return binddn == "cn=goodusername,dc=example,dc=com" && string(bindpw) == "goodpassword"
				},
			},
			&godap.LDAPSimpleSearchFuncHandler{
				LDAPSimpleSearchFunc: func(req *godap.LDAPSimpleSearchRequest) []*godap.LDAPSimpleSearchResultEntry {
					if req.FilterAttr != "uid" || req.BaseDN != "dc=example,dc=com" {
						return []*godap.LDAPSimpleSearchResultEntry{}
					}
					return []*godap.LDAPSimpleSearchResultEntry{
						{
							DN: "cn=" + req.FilterValue + "," + req.BaseDN,
							Attrs: map[string]interface{}{
								"SN":   req.FilterValue,
								"CN":   req.FilterValue,
								"uid":  req.FilterValue,
								"mail": req.FilterValue + "@example.com",
							},
						},
					}
				},
			},
		},
	}
	go func() {
		ctxlog.TestLogger(c).Print(s.ldap.Serve())
	}()

	s.cluster.Login.LDAP.Enable = true
	err = json.Unmarshal([]byte(`"ldap://`+ln.Addr().String()+`"`), &s.cluster.Login.LDAP.URL)
	s.cluster.Login.LDAP.StartTLS = false
	s.cluster.Login.LDAP.SearchBindUser = "cn=goodusername,dc=example,dc=com"
	s.cluster.Login.LDAP.SearchBindPassword = "goodpassword"
	s.cluster.Login.LDAP.SearchBase = "dc=example,dc=com"
	c.Assert(err, check.IsNil)
	s.ctrl = &ldapLoginController{
		Cluster: s.cluster,
		Parent:  &Conn{railsProxy: railsproxy.NewConn(s.cluster)},
	}
	s.db = arvadostest.DB(c, s.cluster)
}

func (s *LDAPSuite) SetUpTest(c *check.C) {
	tx, err := s.db.Beginx()
	c.Assert(err, check.IsNil)
	s.ctx = ctrlctx.NewWithTransaction(context.Background(), tx)
	s.rollback = tx.Rollback
}

func (s *LDAPSuite) TearDownTest(c *check.C) {
	if s.rollback != nil {
		s.rollback()
	}
}

func (s *LDAPSuite) TestLoginSuccess(c *check.C) {
	conn := NewConn(s.cluster)
	conn.loginController = s.ctrl
	resp, err := conn.UserAuthenticate(s.ctx, arvados.UserAuthenticateOptions{
		Username: "goodusername",
		Password: "goodpassword",
	})
	c.Check(err, check.IsNil)
	c.Check(resp.APIToken, check.Not(check.Equals), "")
	c.Check(resp.UUID, check.Matches, `zzzzz-gj3su-.*`)
	c.Check(resp.Scopes, check.DeepEquals, []string{"all"})

	ctx := auth.NewContext(s.ctx, &auth.Credentials{Tokens: []string{"v2/" + resp.UUID + "/" + resp.APIToken}})
	user, err := railsproxy.NewConn(s.cluster).UserGetCurrent(ctx, arvados.GetOptions{})
	c.Check(err, check.IsNil)
	c.Check(user.Email, check.Equals, "goodusername@example.com")
	c.Check(user.Username, check.Equals, "goodusername")
}

func (s *LDAPSuite) TestLoginFailure(c *check.C) {
	// search returns no results
	s.cluster.Login.LDAP.SearchBase = "dc=example,dc=invalid"
	resp, err := s.ctrl.UserAuthenticate(s.ctx, arvados.UserAuthenticateOptions{
		Username: "goodusername",
		Password: "goodpassword",
	})
	c.Check(err, check.ErrorMatches, `LDAP: Authentication failure \(with username "goodusername" and password\)`)
	hs, ok := err.(interface{ HTTPStatus() int })
	if c.Check(ok, check.Equals, true) {
		c.Check(hs.HTTPStatus(), check.Equals, http.StatusUnauthorized)
	}
	c.Check(resp.APIToken, check.Equals, "")

	// search returns result, but auth fails
	s.cluster.Login.LDAP.SearchBase = "dc=example,dc=com"
	resp, err = s.ctrl.UserAuthenticate(s.ctx, arvados.UserAuthenticateOptions{
		Username: "badusername",
		Password: "badpassword",
	})
	c.Check(err, check.ErrorMatches, `LDAP: Authentication failure \(with username "badusername" and password\)`)
	hs, ok = err.(interface{ HTTPStatus() int })
	if c.Check(ok, check.Equals, true) {
		c.Check(hs.HTTPStatus(), check.Equals, http.StatusUnauthorized)
	}
	c.Check(resp.APIToken, check.Equals, "")
}