defmodule CookieAuthTest do
  use CouchTestCase

  @moduletag :authentication

  @users_db "_users"

  @moduletag config: [
               {
                 "chttpd_auth",
                 "authentication_db",
                 @users_db
               },
               {
                 "couch_httpd_auth",
                 "authentication_db",
                 @users_db
               },
               {
                 "chttpd_auth",
                 "iterations",
                 "1"
               },
               {
                 "admins",
                 "jan",
                 "apple"
               }
             ]

  @password "3.141592653589"

  setup do
    reset_db(@users_db)
    wait_for_design_auth(@users_db)
    on_exit(&tear_down/0)
  end

  defp tear_down do
    reset_db(@users_db)
  end

  defp login(user, password) do
    sess = Couch.login(user, password)
    assert sess.cookie, "Login correct is expected"
    sess
  end

  defp logout(session) do
    assert Couch.Session.logout(session).body["ok"]
  end

  defp login_as(user) do
    pws = %{
      "jan" => "apple",
      "Jason Davies" => @password,
      "jchris" => "funnybone"
    }

    user1 = Regex.replace(~r/[0-9]$/, user, "")
    login(user1, pws[user])
  end

  defp create_doc_expect_error(db_name, doc, status_code, msg) do
    resp = Couch.post("/#{db_name}", body: doc)
    assert resp.status_code == status_code
    assert resp.body["error"] == msg
    resp
  end

  defp open_as(db_name, doc_id, options) do
    use_session = Keyword.get(options, :use_session)
    user = Keyword.get(options, :user)
    expect_response = Keyword.get(options, :expect_response, 200)
    expect_message = Keyword.get(options, :error_message)

    session = use_session || login_as(user)

    resp =
      Couch.Session.get(
        session,
        "/#{db_name}/#{URI.encode(doc_id)}"
      )

    if use_session == nil do
      logout(session)
    end

    assert resp.status_code == expect_response

    if expect_message != nil do
      assert resp.body["error"] == expect_message
    end

    resp.body
  end

  defp save_as(db_name, doc, options) do
    use_session = Keyword.get(options, :use_session)
    user = Keyword.get(options, :user)
    expect_response = Keyword.get(options, :expect_response, [201, 202])
    expect_message = Keyword.get(options, :error_message)

    session = use_session || login_as(user)

    resp =
      Couch.Session.put(
        session,
        "/#{db_name}/#{URI.encode(doc["_id"])}",
        body: doc
      )

    if use_session == nil do
      logout(session)
    end

    if is_list(expect_response) do
      assert resp.status_code in expect_response
    else
      assert resp.status_code == expect_response
    end

    if expect_message != nil do
      assert resp.body["error"] == expect_message
    end

    resp
  end

  defp delete_as(db_name, doc, options) do
    use_session = Keyword.get(options, :use_session)
    user = Keyword.get(options, :user)
    expect_response = Keyword.get(options, :expect_response, [200, 202])
    expect_message = Keyword.get(options, :error_message)

    session = use_session || login_as(user)

    resp =
      Couch.Session.delete(
        session,
        "/#{db_name}/#{URI.encode(doc["_id"])}"
      )

    if use_session == nil do
      logout(session)
    end

    if is_list(expect_response) do
      assert resp.status_code in expect_response
    else
      assert resp.status_code == expect_response
    end

    if expect_message != nil do
      assert resp.body["error"] == expect_message
    end

    resp
  end

  defp test_change_admin_fun do
    sess = login("jchris", "funnybone")
    info = Couch.Session.info(sess)
    assert info["userCtx"]["name"] == "jchris"
    assert Enum.member?(info["userCtx"]["roles"], "_admin")
    assert Enum.member?(info["userCtx"]["roles"], "foo")

    jchris_user_doc =
      open_as(
        @users_db,
        "org.couchdb.user:jchris",
        use_session: sess
      )

    jchris_user_doc = Map.drop(jchris_user_doc, [:salt, :password_sha])
    save_as(@users_db, jchris_user_doc, use_session: sess)
    logout(sess)
    sess = login("jchris", "funnybone")
    info = Couch.Session.info(sess)
    assert info["userCtx"]["name"] == "jchris"
    assert Enum.member?(info["userCtx"]["roles"], "_admin")
    assert info["info"]["authenticated"] == "cookie"
    assert info["info"]["authentication_db"] == @users_db
    assert Enum.member?(info["userCtx"]["roles"], "foo")
    logout(sess)
  end

  test "cookie auth" do
    # test that the users db is born with the auth ddoc
    ddoc = open_as(@users_db, "_design/_auth", user: "jan")
    assert ddoc["validate_doc_update"] != nil

    jason_user_doc =
      prepare_user_doc([
        {:name, "Jason Davies"},
        {:password, @password}
      ])

    create_doc(@users_db, jason_user_doc)
    jason_check_doc = open_as(@users_db, jason_user_doc["_id"], user: "jan")
    assert jason_check_doc["name"] == "Jason Davies"

    jchris_user_doc =
      prepare_user_doc([
        {:name, "jchris"},
        {:password, "funnybone"}
      ])

    {:ok, resp} = create_doc(@users_db, jchris_user_doc)
    jchris_rev = resp.body["rev"]

    duplicate_jchris_user_doc =
      prepare_user_doc([
        {:name, "jchris"},
        {:password, "eh, Boo-Boo?"}
      ])

    # make sure we can't create duplicate users
    create_doc_expect_error(@users_db, duplicate_jchris_user_doc, 409, "conflict")

    # we can't create _names
    underscore_user_doc =
      prepare_user_doc([
        {:name, "_why"},
        {:password, "copperfield"}
      ])

    create_doc_expect_error(@users_db, underscore_user_doc, 403, "forbidden")

    # we can't create malformed ids
    bad_id_user_doc =
      prepare_user_doc([
        {:id, "org.apache.couchdb:w00x"},
        {:name, "w00x"},
        {:password, "bar"}
      ])

    create_doc_expect_error(@users_db, bad_id_user_doc, 403, "forbidden")

    # login works
    session = login_as("Jason Davies")
    info = Couch.Session.info(session)
    assert info["userCtx"]["name"] == "Jason Davies"
    assert not Enum.member?(info["userCtx"]["roles"], "_admin")

    # update one's own credentials document
    jason_user_doc =
      jason_user_doc
      |> Map.put("_rev", jason_check_doc["_rev"])
      |> Map.put("foo", 2)

    resp = save_as(@users_db, jason_user_doc, use_session: session)
    jason_user_doc_rev = resp.body["rev"]

    # can't delete another users doc unless you are admin

    jchris_user_doc = Map.put(jchris_user_doc, "_rev", jchris_rev)

    delete_as(
      @users_db,
      jchris_user_doc,
      use_session: session,
      expect_response: 404,
      error_message: "not_found"
    )

    logout(session)

    # test redirect on success
    resp =
      Couch.post(
        "/_session",
        query: [next: "/_up"],
        body: %{
          :username => "Jason Davies",
          :password => @password
        }
      )

    assert resp.status_code == 302
    assert resp.body["ok"]
    assert String.ends_with?(resp.headers["location"], "/_up")

    # test redirect on fail
    resp =
      Couch.post(
        "/_session",
        query: [fail: "/_up"],
        body: %{
          :username => "Jason Davies",
          :password => "foobar"
        }
      )

    assert resp.status_code == 302
    assert resp.body["error"] == "unauthorized"
    assert String.ends_with?(resp.headers["location"], "/_up")

    session = login("jchris", "funnybone")
    info = Couch.Session.info(session)
    assert info["userCtx"]["name"] == "jchris"
    assert Enum.empty?(info["userCtx"]["roles"])

    jason_user_doc =
      jason_user_doc
      |> Map.put("_rev", jason_user_doc_rev)
      |> Map.put("foo", 3)

    save_as(
      @users_db,
      jason_user_doc,
      use_session: session,
      expect_response: 404,
      error_message: "not_found"
    )

    jchris_user_doc = Map.put(jchris_user_doc, "roles", ["foo"])

    save_as(
      @users_db,
      jchris_user_doc,
      use_session: session,
      expect_response: 403,
      error_message: "forbidden"
    )

    logout(session)

    jchris_user_doc = Map.put(jchris_user_doc, "foo", ["foo"])

    resp =
      save_as(
        @users_db,
        jchris_user_doc,
        user: "jan"
      )

    # test that you can't save system (underscore) roles even if you are admin
    jchris_user_doc =
      jchris_user_doc
      |> Map.put("roles", ["_bar"])
      |> Map.put("_rev", resp.body["rev"])

    save_as(
      @users_db,
      jchris_user_doc,
      user: "jan",
      expect_response: 403,
      error_message: "forbidden"
    )

    session = login("jchris", "funnybone")
    info = Couch.Session.info(session)

    assert not Enum.member?(info["userCtx"]["roles"], "_admin")
    assert(Enum.member?(info["userCtx"]["roles"], "foo"))

    logout(session)

    login("jan", "apple")

    run_on_modified_server(
      [
        %{
          :section => "admins",
          :key => "jchris",
          :value => "funnybone"
        }
      ],
      &test_change_admin_fun/0
    )

    # log in one last time so run_on_modified_server can clean up the admin account
    login("jan", "apple")
  end

  test "basic+cookie auth interaction" do
    # performing a successful basic authentication will create a session cookie
    resp = Couch.get(
      "/_all_dbs",
      no_auth: true,
      headers: [authorization: "Basic #{:base64.encode("jan:apple")}"])
    assert resp.status_code == 200

    # extract cookie value
    cookie = resp.headers[:"set-cookie"]
    [token | _] = String.split(cookie, ";")

    # Cookie is usable on its own
    resp = Couch.get(
      "/_session",
      no_auth: true,
      headers: [cookie: token])
    assert resp.status_code == 200
    assert resp.body["userCtx"]["name"]  == "jan"
    assert resp.body["info"]["authenticated"] == "cookie"

    # Cookie is usable with basic auth if usernames match
    resp = Couch.get(
      "/_session",
      no_auth: true,
      headers: [
        authorization: "Basic #{:base64.encode("jan:apple")}",
        cookie: token])
    assert resp.status_code == 200
    assert resp.body["userCtx"]["name"] == "jan"
    assert resp.body["info"]["authenticated"] == "cookie"

    # Cookie is not usable with basic auth if usernames don't match
    resp = Couch.get(
      "/_session",
      no_auth: true,
      headers: [
        authorization: "Basic #{:base64.encode("notjan:banana")}",
        cookie: token])
    assert resp.status_code == 401
  end
end