package oidc

import (
	"time"

	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
	"forge.cadoles.com/cadoles/bouncer/internal/store"
	"github.com/pkg/errors"
)

const defaultCookieName = "_bouncer_authn_oidc"

type LayerOptions struct {
	authn.LayerOptions
	OIDC   OIDCOptions   `mapstructure:"oidc"`
	Cookie CookieOptions `mapstructure:"cookie"`
}

type OIDCOptions struct {
	ClientID               string            `mapstructure:"clientId"`
	ClientSecret           string            `mapstructure:"clientSecret"`
	PublicBaseURL          string            `mapstructure:"publicBaseURL"`
	LoginCallbackPath      string            `mapstructure:"loginCallbackPath"`
	MatchLoginCallbackPath string            `mapstructure:"matchLoginCallbackPath"`
	LogoutPath             string            `mapstructure:"logoutPath"`
	MatchLogoutPath        string            `mapstructure:"matchLogoutPath"`
	IssuerURL              string            `mapstructure:"issuerURL"`
	SkipIssuerVerification bool              `mapstructure:"skipIssuerVerification"`
	PostLogoutRedirectURLs []string          `mapstructure:"postLogoutRedirectURLs"`
	TLSInsecureSkipVerify  bool              `mapstructure:"tlsInsecureSkipVerify"`
	Scopes                 []string          `mapstructure:"scopes"`
	AuthParams             map[string]string `mapstructure:"authParams"`
}

type CookieOptions struct {
	Name     string        `mapstructure:"name"`
	Domain   string        `mapstructure:"domain"`
	Path     string        `mapstructure:"path"`
	SameSite string        `mapstructure:"sameSite"`
	Secure   bool          `mapstructure:"secure"`
	HTTPOnly bool          `mapstructure:"httpOnly"`
	MaxAge   time.Duration `mapstructure:"maxAge"`
}

func fromStoreOptions(storeOptions store.LayerOptions) (*LayerOptions, error) {
	loginCallbackPath := ".bouncer/authn/oidc/{{ .ProxyName }}/{{ .LayerName }}/callback"
	logoutPath := ".bouncer/authn/oidc/{{ .ProxyName }}/{{ .LayerName }}/logout"

	layerOptions := LayerOptions{
		LayerOptions: authn.DefaultLayerOptions(),
		OIDC: OIDCOptions{
			PublicBaseURL:          "",
			LoginCallbackPath:      loginCallbackPath,
			MatchLoginCallbackPath: "*" + loginCallbackPath,
			LogoutPath:             logoutPath,
			MatchLogoutPath:        "*" + logoutPath,
			Scopes:                 []string{"openid"},
		},
		Cookie: CookieOptions{
			Name:     defaultCookieName,
			Path:     "/",
			HTTPOnly: true,
			MaxAge:   time.Hour,
		},
	}

	if err := authn.FromStoreOptions(storeOptions, &layerOptions); err != nil {
		return nil, errors.WithStack(err)
	}

	return &layerOptions, nil
}