/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

import NfRegistryService from 'services/nf-registry.service';
import NfStorage from 'services/nf-storage.service';
import { Router } from '@angular/router';
import { FdsDialogService } from '@nifi-fds/core';
import NfRegistryApi from 'services/nf-registry.api';

/**
 * NfRegistryUsersAdministrationAuthGuard constructor.
 *
 * @param nfRegistryService         The nfRegistryService module.
 * @param nfRegistryApi             The nfRegistryApi module.
 * @param nfStorage                 The NfStorage module.
 * @param router                    The angular router module.
 * @param fdsDialogService          The FDS dialog service.
 * @constructor
 */
function NfRegistryUsersAdministrationAuthGuard(nfRegistryService, nfRegistryApi, nfStorage, router, fdsDialogService) {
    this.nfRegistryService = nfRegistryService;
    this.nfRegistryApi = nfRegistryApi;
    this.nfStorage = nfStorage;
    this.router = router;
    this.dialogService = fdsDialogService;
}

NfRegistryUsersAdministrationAuthGuard.prototype = {
    constructor: NfRegistryUsersAdministrationAuthGuard,

    /**
     * Can activate guard.
     * @returns {*}
     */
    canActivate: function (route, state) {
        var url = state.url;

        return this.checkLogin(url);
    },

    checkLogin: function (url) {
        var self = this;
        return new Promise((resolve) => {
            if (this.nfRegistryService.currentUser.resourcePermissions.tenants.canRead) {
                resolve(true);
                return true;
            }

            // Store the attempted URL for redirecting
            this.nfRegistryService.redirectUrl = url;

            // attempt kerberos authentication
            this.nfRegistryApi.ticketExchange().subscribe(function (jwt) {
                self.nfRegistryApi.loadCurrentUser().subscribe(function (currentUser) {
                    // there is no anonymous access and we don't know this user - open the login page which handles login/registration/etc
                    if (currentUser.error) {
                        if (currentUser.error.status === 401) {
                            self.nfStorage.removeItem('jwt');
                            self.router.navigateByUrl('login');
                            resolve(false);
                        }
                    } else {
                        self.nfRegistryService.currentUser = currentUser;
                        if (currentUser.anonymous === false) {
                            // render the logout button if there is a token locally
                            if (self.nfStorage.getItem('jwt') !== null) {
                                self.nfRegistryService.currentUser.canLogout = true;
                            }

                            // redirect to explorer perspective if not admin
                            if (!currentUser.resourcePermissions.anyTopLevelResource.canRead) {
                                self.dialogService.openConfirm({
                                    title: 'Access denied',
                                    message: 'Please contact your system administrator.',
                                    acceptButton: 'Ok',
                                    acceptButtonColor: 'fds-warn'
                                });
                                self.router.navigateByUrl('explorer');
                                resolve(false);
                            } else if (currentUser.resourcePermissions.tenants.canRead) {
                                resolve(true);
                            } else {
                                self.dialogService.openConfirm({
                                    title: 'Access denied',
                                    message: 'Please contact your system administrator.',
                                    acceptButton: 'Ok',
                                    acceptButtonColor: 'fds-warn'
                                });
                                self.router.navigateByUrl('explorer');
                                resolve(false);
                            }
                        } else if (location.protocol === 'http:') {
                            // user is anonymous and we are NOT secure, redirect to workflow perspective
                            self.dialogService.openConfirm({
                                title: 'Not Applicable',
                                message: 'User administration is not configured for this registry.',
                                acceptButton: 'Ok',
                                acceptButtonColor: 'fds-warn'
                            });
                            self.router.navigateByUrl('administration/workflow');
                            resolve(false);
                        } else {
                            if (self.nfRegistryService.currentUser.resourcePermissions.tenants.canRead) {
                                resolve(true);
                                return true;
                            }

                            // user is anonymous and we are secure so don't allow the url, navigate to the main page
                            self.dialogService.openConfirm({
                                title: 'Access denied',
                                message: 'Please contact your system administrator.',
                                acceptButton: 'Ok',
                                acceptButtonColor: 'fds-warn'
                            });
                            self.router.navigateByUrl('explorer');
                            resolve(false);
                        }
                    }
                });
            });
        });
    }
};

NfRegistryUsersAdministrationAuthGuard.parameters = [
    NfRegistryService,
    NfRegistryApi,
    NfStorage,
    Router,
    FdsDialogService
];

/**
 * NfRegistryWorkflowsAdministrationAuthGuard constructor.
 *
 * @param nfRegistryService         The nfRegistryService module.
 * @param nfRegistryApi             The nfRegistryApi module.
 * @param nfStorage                 The NfStorage module.
 * @param router                    The angular router module.
 * @param fdsDialogService          The FDS dialog service.
 * @constructor
 */
function NfRegistryWorkflowsAdministrationAuthGuard(nfRegistryService, nfRegistryApi, nfStorage, router, fdsDialogService) {
    this.nfRegistryService = nfRegistryService;
    this.nfRegistryApi = nfRegistryApi;
    this.nfStorage = nfStorage;
    this.router = router;
    this.dialogService = fdsDialogService;
}

NfRegistryWorkflowsAdministrationAuthGuard.prototype = {
    constructor: NfRegistryWorkflowsAdministrationAuthGuard,

    /**
     * Can activate guard.
     * @returns {*}
     */
    canActivate: function (route, state) {
        var url = state.url;

        return this.checkLogin(url);
    },

    checkLogin: function (url) {
        var self = this;
        return new Promise((resolve) => {
            if (this.nfRegistryService.currentUser.resourcePermissions.buckets.canRead) {
                resolve(true);
                return;
            }

            // Store the attempted URL for redirecting
            this.nfRegistryService.redirectUrl = url;

            // attempt kerberos authentication
            this.nfRegistryApi.ticketExchange().subscribe(function (jwt) {
                self.nfRegistryApi.loadCurrentUser().subscribe(function (currentUser) {
                    // there is no anonymous access and we don't know this user - open the login page which handles login/registration/etc
                    if (currentUser.error) {
                        if (currentUser.error.status === 401) {
                            self.nfStorage.removeItem('jwt');
                            self.router.navigateByUrl('login');
                            resolve(false);
                        }
                    } else {
                        self.nfRegistryService.currentUser = currentUser;
                        if (currentUser.anonymous === false) {
                            // render the logout button if there is a token locally
                            if (self.nfStorage.getItem('jwt') !== null) {
                                self.nfRegistryService.currentUser.canLogout = true;
                            }

                            // redirect to explorer perspective if not admin
                            if (!currentUser.resourcePermissions.anyTopLevelResource.canRead) {
                                self.dialogService.openConfirm({
                                    title: 'Access denied',
                                    message: 'Please contact your system administrator.',
                                    acceptButton: 'Ok',
                                    acceptButtonColor: 'fds-warn'
                                });
                                self.router.navigateByUrl('explorer');
                                resolve(false);
                            } else if (currentUser.resourcePermissions.buckets.canRead) {
                                resolve(true);
                            } else {
                                self.dialogService.openConfirm({
                                    title: 'Access denied',
                                    message: 'Please contact your system administrator.',
                                    acceptButton: 'Ok',
                                    acceptButtonColor: 'fds-warn'
                                });
                                self.router.navigateByUrl('explorer');
                                resolve(false);
                            }
                        } else if (location.protocol === 'http:') {
                            // user is anonymous and we are NOT secure so allow the url
                            resolve(true);
                        } else {
                            if (self.nfRegistryService.currentUser.resourcePermissions.buckets.canRead) {
                                resolve(true);
                                return;
                            }

                            // user is anonymous and we are secure so don't allow the url, navigate to the main page
                            self.dialogService.openConfirm({
                                title: 'Access denied',
                                message: 'Please contact your system administrator.',
                                acceptButton: 'Ok',
                                acceptButtonColor: 'fds-warn'
                            });
                            self.router.navigateByUrl('explorer');
                            resolve(false);
                        }
                    }
                });
            });
        });
    }
};

NfRegistryWorkflowsAdministrationAuthGuard.parameters = [
    NfRegistryService,
    NfRegistryApi,
    NfStorage,
    Router,
    FdsDialogService
];

/**
 * NfRegistryLoginAuthGuard constructor.
 *
 * @param nfRegistryService         The nfRegistryService module.
 * @param nfRegistryApi             The nfRegistryApi module.
 * @param nfStorage                 The NfStorage module.
 * @param router                    The angular router module.
 * @constructor
 */
function NfRegistryLoginAuthGuard(nfRegistryService, nfRegistryApi, nfStorage, router) {
    this.nfRegistryService = nfRegistryService;
    this.nfRegistryApi = nfRegistryApi;
    this.nfStorage = nfStorage;
    this.router = router;
}

NfRegistryLoginAuthGuard.prototype = {
    constructor: NfRegistryLoginAuthGuard,

    /**
     * Can activate guard.
     * @returns {*}
     */
    canActivate: function (route, state) {
        var url = state.url;

        return this.checkLogin(url);
    },

    checkLogin: function (url) {
        var self = this;
        return new Promise((resolve) => {
            if (this.nfRegistryService.currentUser.anonymous) {
                resolve(true);
                return;
            }
            // attempt kerberos authentication
            this.nfRegistryApi.ticketExchange().subscribe(function (jwt) {
                self.nfRegistryApi.loadCurrentUser().subscribe(function (currentUser) {
                    self.nfRegistryService.currentUser = currentUser;
                    if (currentUser.anonymous === false) {
                        // render the logout button if there is a token locally
                        if (self.nfStorage.getItem('jwt') !== null) {
                            self.nfRegistryService.currentUser.canLogout = true;
                        }
                        self.nfRegistryService.currentUser.canActivateResourcesAuthGuard = true;
                        resolve(false);
                        self.router.navigateByUrl(self.nfRegistryService.redirectUrl);
                    } else if (self.nfRegistryService.currentUser.anonymous && !self.nfRegistryService.currentUser.loginSupported) {
                        resolve(false);
                        self.router.navigateByUrl('/nifi-registry');
                    } else {
                        self.nfRegistryService.currentUser.anonymous = true;
                        resolve(true);
                    }
                });
            });
        });
    }
};

NfRegistryLoginAuthGuard.parameters = [
    NfRegistryService,
    NfRegistryApi,
    NfStorage,
    Router
];

/**
 * NfRegistryResourcesAuthGuard constructor.
 *
 * @param nfRegistryService         The nfRegistryService module.
 * @param nfRegistryApi             The nfRegistryApi module.
 * @param nfStorage                 The NfStorage module.
 * @param router                    The angular router module.
 * @constructor
 */
function NfRegistryResourcesAuthGuard(nfRegistryService, nfRegistryApi, nfStorage, router) {
    this.nfRegistryService = nfRegistryService;
    this.nfRegistryApi = nfRegistryApi;
    this.nfStorage = nfStorage;
    this.router = router;
}

NfRegistryResourcesAuthGuard.prototype = {
    constructor: NfRegistryResourcesAuthGuard,

    /**
     * Can activate guard.
     * @returns {*}
     */
    canActivate: function (route, state) {
        var url = state.url;
        return this.checkLogin(url);
    },

    checkLogin: function (url) {
        var self = this;
        return new Promise((resolve) => {
            if (this.nfRegistryService.currentUser.canActivateResourcesAuthGuard === true) {
                resolve(true);
                return;
            }

            // Store the attempted URL for redirecting
            this.nfRegistryService.redirectUrl = url;

            // attempt kerberos authentication
            this.nfRegistryApi.ticketExchange().subscribe(function (jwt) {
                self.nfRegistryApi.loadCurrentUser().subscribe(function (currentUser) {
                    // there is no anonymous access and we don't know this user - open the login page which handles login/registration/etc
                    if (currentUser.error) {
                        if (currentUser.error.status === 401) {
                            self.nfStorage.removeItem('jwt');
                            self.router.navigateByUrl('login');
                            resolve(false);
                        }
                    } else {
                        self.nfRegistryService.currentUser = currentUser;
                        if (!currentUser || currentUser.anonymous === false) {
                            if (self.nfStorage.hasItem('jwt')) {
                                self.nfRegistryService.currentUser.canLogout = true;
                                self.nfRegistryService.currentUser.canActivateResourcesAuthGuard = true;
                                resolve(true);
                            } else {
                                self.router.navigateByUrl('login');
                                resolve(false);
                            }
                        } else if (currentUser.anonymous === true) {
                            // render the logout button if there is a token locally
                            if (self.nfStorage.getItem('jwt') !== null) {
                                self.nfRegistryService.currentUser.canLogout = true;
                            }
                            self.nfRegistryService.currentUser.canActivateResourcesAuthGuard = true;
                            resolve(true);
                        }
                    }
                });
            });
        });
    }
};

NfRegistryResourcesAuthGuard.parameters = [
    NfRegistryService,
    NfRegistryApi,
    NfStorage,
    Router
];

export {
    NfRegistryUsersAdministrationAuthGuard,
    NfRegistryWorkflowsAdministrationAuthGuard,
    NfRegistryLoginAuthGuard,
    NfRegistryResourcesAuthGuard
};