package tfa

import (
	// "fmt"
	"os"
	"testing"
	"time"

	"github.com/sirupsen/logrus"
	"github.com/sirupsen/logrus/hooks/test"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

/**
 * Tests
 */

func TestConfigDefaults(t *testing.T) {
	assert := assert.New(t)
	c, err := NewConfig([]string{})
	assert.Nil(err)

	assert.Equal("warn", c.LogLevel)
	assert.Equal("text", c.LogFormat)

	assert.Equal("", c.AuthHost)
	assert.Len(c.CookieDomains, 0)
	assert.False(c.InsecureCookie)
	assert.Equal("_forward_auth", c.CookieName)
	assert.Equal("_forward_auth_csrf", c.CSRFCookieName)
	assert.Equal("auth", c.DefaultAction)
	assert.Equal("google", c.DefaultProvider)
	assert.Len(c.Domains, 0)
	assert.Equal(time.Second*time.Duration(43200), c.Lifetime)
	assert.Equal("/_oauth", c.Path)
	assert.Len(c.Whitelist, 0)
}

func TestConfigParseArgs(t *testing.T) {
	assert := assert.New(t)
	c, err := NewConfig([]string{
		"--cookie-name=cookiename",
		"--csrf-cookie-name", "\"csrfcookiename\"",
		"--default-provider", "\"oidc\"",
		"--rule.1.action=allow",
		"--rule.1.rule=PathPrefix(`/one`)",
		"--rule.two.action=auth",
		"--rule.two.rule=\"Host(`two.com`) && Path(`/two`)\"",
	})
	require.Nil(t, err)

	// Check normal flags
	assert.Equal("cookiename", c.CookieName)
	assert.Equal("csrfcookiename", c.CSRFCookieName)
	assert.Equal("oidc", c.DefaultProvider)

	// Check rules
	assert.Equal(map[string]*Rule{
		"1": {
			Action:   "allow",
			Rule:     "PathPrefix(`/one`)",
			Provider: "oidc",
		},
		"two": {
			Action:   "auth",
			Rule:     "Host(`two.com`) && Path(`/two`)",
			Provider: "oidc",
		},
	}, c.Rules)
}

func TestConfigParseUnknownFlags(t *testing.T) {
	_, err := NewConfig([]string{
		"--unknown=_oauthpath2",
	})
	if assert.Error(t, err) {
		assert.Equal(t, "unknown flag: unknown", err.Error())
	}
}

func TestConfigParseRuleError(t *testing.T) {
	assert := assert.New(t)

	// Rule without name
	_, err := NewConfig([]string{
		"--rule..action=auth",
	})
	if assert.Error(err) {
		assert.Equal("route name is required", err.Error())
	}

	// Rule without value
	c, err := NewConfig([]string{
		"--rule.one.action=",
	})
	if assert.Error(err) {
		assert.Equal("route param value is required", err.Error())
	}
	// Check rules
	assert.Equal(map[string]*Rule{}, c.Rules)
}

func TestConfigFlagBackwardsCompatability(t *testing.T) {
	assert := assert.New(t)
	c, err := NewConfig([]string{
		"--client-id=clientid",
		"--client-secret=verysecret",
		"--prompt=prompt",
		"--cookie-secret=veryverysecret",
		"--lifetime=200",
		"--cookie-secure=false",
		"--cookie-domains=test1.com,example.org",
		"--cookie-domain=another1.net",
		"--domain=test2.com,example.org",
		"--domain=another2.net",
		"--whitelist=test3.com,example.org",
		"--whitelist=another3.net",
	})
	require.Nil(t, err)

	// The following used to be passed as comma separated list
	expected1 := []CookieDomain{
		*NewCookieDomain("another1.net"),
		*NewCookieDomain("test1.com"),
		*NewCookieDomain("example.org"),
	}
	assert.Equal(expected1, c.CookieDomains, "should read legacy comma separated list cookie-domains")

	expected2 := CommaSeparatedList{"test2.com", "example.org", "another2.net"}
	assert.Equal(expected2, c.Domains, "should read legacy comma separated list domains")

	expected3 := CommaSeparatedList{"test3.com", "example.org", "another3.net"}
	assert.Equal(expected3, c.Whitelist, "should read legacy comma separated list whitelist")

	// Name changed
	assert.Equal([]byte("veryverysecret"), c.Secret)

	// Google provider params used to be top level
	assert.Equal("clientid", c.ClientIdLegacy)
	assert.Equal("clientid", c.Providers.Google.ClientID, "--client-id should set providers.google.client-id")
	assert.Equal("verysecret", c.ClientSecretLegacy)
	assert.Equal("verysecret", c.Providers.Google.ClientSecret, "--client-secret should set providers.google.client-secret")
	assert.Equal("prompt", c.PromptLegacy)
	assert.Equal("prompt", c.Providers.Google.Prompt, "--prompt should set providers.google.promot")

	// "cookie-secure" used to be a standard go bool flag that could take
	// true, TRUE, 1, false, FALSE, 0 etc. values.
	// Here we're checking that format is still suppoted
	assert.Equal("false", c.CookieSecureLegacy)
	assert.True(c.InsecureCookie, "--cookie-secure=false should set insecure-cookie true")

	c, err = NewConfig([]string{"--cookie-secure=TRUE"})
	assert.Nil(err)
	assert.Equal("TRUE", c.CookieSecureLegacy)
	assert.False(c.InsecureCookie, "--cookie-secure=TRUE should set insecure-cookie false")
}

func TestConfigParseIni(t *testing.T) {
	assert := assert.New(t)
	c, err := NewConfig([]string{
		"--config=../test/config0",
		"--config=../test/config1",
		"--csrf-cookie-name=csrfcookiename",
	})
	require.Nil(t, err)

	assert.Equal("inicookiename", c.CookieName, "should be read from ini file")
	assert.Equal("csrfcookiename", c.CSRFCookieName, "should be read from ini file")
	assert.Equal("/two", c.Path, "variable in second ini file should override first ini file")
	assert.Equal(map[string]*Rule{
		"1": {
			Action:   "allow",
			Rule:     "PathPrefix(`/one`)",
			Provider: "google",
		},
		"two": {
			Action:   "auth",
			Rule:     "Host(`two.com`) && Path(`/two`)",
			Provider: "google",
		},
	}, c.Rules)
}

func TestConfigFileBackwardsCompatability(t *testing.T) {
	assert := assert.New(t)
	c, err := NewConfig([]string{
		"--config=../test/config-legacy",
	})
	require.Nil(t, err)

	assert.Equal("/two", c.Path, "variable in legacy config file should be read")
	assert.Equal("auth.legacy.com", c.AuthHost, "variable in legacy config file should be read")
}

func TestConfigParseEnvironment(t *testing.T) {
	assert := assert.New(t)
	os.Setenv("COOKIE_NAME", "env_cookie_name")
	os.Setenv("PROVIDERS_GOOGLE_CLIENT_ID", "env_client_id")
	os.Setenv("COOKIE_DOMAIN", "test1.com,example.org")
	os.Setenv("DOMAIN", "test2.com,example.org")
	os.Setenv("WHITELIST", "test3.com,example.org")

	c, err := NewConfig([]string{})
	assert.Nil(err)

	assert.Equal("env_cookie_name", c.CookieName, "variable should be read from environment")
	assert.Equal("env_client_id", c.Providers.Google.ClientID, "namespace variable should be read from environment")
	assert.Equal([]CookieDomain{
		*NewCookieDomain("test1.com"),
		*NewCookieDomain("example.org"),
	}, c.CookieDomains, "array variable should be read from environment COOKIE_DOMAIN")
	assert.Equal(CommaSeparatedList{"test2.com", "example.org"}, c.Domains, "array variable should be read from environment DOMAIN")
	assert.Equal(CommaSeparatedList{"test3.com", "example.org"}, c.Whitelist, "array variable should be read from environment WHITELIST")

	os.Unsetenv("COOKIE_NAME")
	os.Unsetenv("PROVIDERS_GOOGLE_CLIENT_ID")
	os.Unsetenv("COOKIE_DOMAIN")
	os.Unsetenv("DOMAIN")
	os.Unsetenv("WHITELIST")
}

func TestConfigParseEnvironmentBackwardsCompatability(t *testing.T) {
	assert := assert.New(t)
	vars := map[string]string{
		"CLIENT_ID":      "clientid",
		"CLIENT_SECRET":  "verysecret",
		"PROMPT":         "prompt",
		"COOKIE_SECRET":  "veryverysecret",
		"LIFETIME":       "200",
		"COOKIE_SECURE":  "false",
		"COOKIE_DOMAINS": "test1.com,example.org",
		"COOKIE_DOMAIN":  "another1.net",
		"DOMAIN":         "test2.com,example.org",
		"WHITELIST":      "test3.com,example.org",
	}
	for k, v := range vars {
		os.Setenv(k, v)
	}
	c, err := NewConfig([]string{})
	require.Nil(t, err)

	// The following used to be passed as comma separated list
	expected1 := []CookieDomain{
		*NewCookieDomain("another1.net"),
		*NewCookieDomain("test1.com"),
		*NewCookieDomain("example.org"),
	}
	assert.Equal(expected1, c.CookieDomains, "should read legacy comma separated list cookie-domains")

	expected2 := CommaSeparatedList{"test2.com", "example.org"}
	assert.Equal(expected2, c.Domains, "should read legacy comma separated list domains")

	expected3 := CommaSeparatedList{"test3.com", "example.org"}
	assert.Equal(expected3, c.Whitelist, "should read legacy comma separated list whitelist")

	// Name changed
	assert.Equal([]byte("veryverysecret"), c.Secret)

	// Google provider params used to be top level
	assert.Equal("clientid", c.ClientIdLegacy)
	assert.Equal("clientid", c.Providers.Google.ClientID, "--client-id should set providers.google.client-id")
	assert.Equal("verysecret", c.ClientSecretLegacy)
	assert.Equal("verysecret", c.Providers.Google.ClientSecret, "--client-secret should set providers.google.client-secret")
	assert.Equal("prompt", c.PromptLegacy)
	assert.Equal("prompt", c.Providers.Google.Prompt, "--prompt should set providers.google.promot")

	// "cookie-secure" used to be a standard go bool flag that could take
	// true, TRUE, 1, false, FALSE, 0 etc. values.
	// Here we're checking that format is still supported
	assert.Equal("false", c.CookieSecureLegacy)
	assert.True(c.InsecureCookie, "--cookie-secure=false should set insecure-cookie true")

	c, err = NewConfig([]string{"--cookie-secure=TRUE"})
	assert.Nil(err)
	assert.Equal("TRUE", c.CookieSecureLegacy)
	assert.False(c.InsecureCookie, "--cookie-secure=TRUE should set insecure-cookie false")

	for k := range vars {
		os.Unsetenv(k)
	}
}

func TestConfigTransformation(t *testing.T) {
	assert := assert.New(t)
	c, err := NewConfig([]string{
		"--url-path=_oauthpath",
		"--secret=verysecret",
		"--lifetime=200",
	})
	require.Nil(t, err)

	assert.Equal("/_oauthpath", c.Path, "path should add slash to front")

	assert.Equal("verysecret", c.SecretString)
	assert.Equal([]byte("verysecret"), c.Secret, "secret should be converted to byte array")

	assert.Equal(200, c.LifetimeString)
	assert.Equal(time.Second*time.Duration(200), c.Lifetime, "lifetime should be read and converted to duration")
}

func TestConfigValidate(t *testing.T) {
	assert := assert.New(t)

	// Install new logger + hook
	var hook *test.Hook
	log, hook = test.NewNullLogger()
	log.ExitFunc = func(code int) {}

	// Validate defualt config + rule error
	c, _ := NewConfig([]string{
		"--rule.1.action=bad",
	})
	c.Validate()

	logs := hook.AllEntries()
	assert.Len(logs, 3)

	// Should have fatal error requiring secret
	assert.Equal("\"secret\" option must be set", logs[0].Message)
	assert.Equal(logrus.FatalLevel, logs[0].Level)

	// Should also have default provider (google) error
	assert.Equal("providers.google.client-id, providers.google.client-secret must be set", logs[1].Message)
	assert.Equal(logrus.FatalLevel, logs[1].Level)

	// Should validate rule
	assert.Equal("invalid rule action, must be \"auth\" or \"allow\"", logs[2].Message)
	assert.Equal(logrus.FatalLevel, logs[2].Level)

	hook.Reset()

	// Validate with invalid providers
	c, _ = NewConfig([]string{
		"--secret=veryverysecret",
		"--providers.google.client-id=id",
		"--providers.google.client-secret=secret",
		"--rule.1.action=auth",
		"--rule.1.provider=bad2",
	})
	c.Validate()

	logs = hook.AllEntries()
	assert.Len(logs, 1)

	// Should have error for rule provider
	assert.Equal("Unknown provider: bad2", logs[0].Message)
	assert.Equal(logrus.FatalLevel, logs[0].Level)
}

func TestConfigGetProvider(t *testing.T) {
	assert := assert.New(t)
	c, _ := NewConfig([]string{})

	// Should be able to get "google" provider
	p, err := c.GetProvider("google")
	assert.Nil(err)
	assert.Equal(&c.Providers.Google, p)

	// Should be able to get "oidc" provider
	p, err = c.GetProvider("oidc")
	assert.Nil(err)
	assert.Equal(&c.Providers.OIDC, p)

	// Should catch unknown provider
	p, err = c.GetProvider("bad")
	if assert.Error(err) {
		assert.Equal("Unknown provider: bad", err.Error())
	}
}

func TestConfigGetConfiguredProvider(t *testing.T) {
	assert := assert.New(t)
	c, _ := NewConfig([]string{})

	// Should be able to get "google" default provider
	p, err := c.GetConfiguredProvider("google")
	assert.Nil(err)
	assert.Equal(&c.Providers.Google, p)

	// Should fail to get valid "oidc" provider as it's not configured
	p, err = c.GetConfiguredProvider("oidc")
	if assert.Error(err) {
		assert.Equal("Unconfigured provider: oidc", err.Error())
	}
}

func TestConfigCommaSeparatedList(t *testing.T) {
	assert := assert.New(t)
	list := CommaSeparatedList{}

	err := list.UnmarshalFlag("one,two")
	assert.Nil(err)
	assert.Equal(CommaSeparatedList{"one", "two"}, list, "should parse comma sepearated list")

	marshal, err := list.MarshalFlag()
	assert.Nil(err)
	assert.Equal("one,two", marshal, "should marshal back to comma sepearated list")
}