local usermanager = require "core.usermanager";

local url = require "socket.url";

local array = require "util.array";

local cache = require "util.cache";

local encodings = require "util.encodings";

local errors = require "util.error";

local hashes = require "util.hashes";

local http = require "util.http";

local id = require "util.id";

local it = require "util.iterators";

local jid = require "util.jid";

local json = require "util.json";

local schema = require "util.jsonschema";

local jwt = require "util.jwt";

local random = require "util.random";

local set = require "util.set";

local st = require "util.stanza";

local base64 = encodings.base64;

local function b64url(s)

	return (base64.encode(s):gsub("[+/=]", { ["+"] = "-", ["/"] = "_", ["="] = "" }))

end

local function tmap(t)

	return function(k)

		return t[k];

	end

end

local function strict_formdecode(query)

	if not query then

		return nil;

	end

	local params = http.formdecode(query);

	if type(params) ~= "table" then

		return nil, "no-pairs";

	end

	local dups = {};

	for _, pair in ipairs(params) do

		if dups[pair.name] then

			return nil, "duplicate";

		end

		dups[pair.name] = true;

	end

	return params;

end

local function read_file(base_path, fn, required)

	local f, err = io.open(base_path .. "/" .. fn);

	if not f then

		module:log(required and "error" or "debug", "Unable to load template file: %s", err);

		if required then

			return error("Failed to load templates");

		end

		return nil;

	end

	local data = assert(f:read("*a"));

	assert(f:close());

	return data;

end

local allowed_locales = module:get_option_array("allowed_oauth2_locales", {});

-- TODO Allow translations or per-locale templates somehow.

local template_path = module:get_option_path("oauth2_template_path", "html");

local templates = {

	login = read_file(template_path, "login.html", true);

	consent = read_file(template_path, "consent.html", true);

	oob = read_file(template_path, "oob.html", true);

	device = read_file(template_path, "device.html", true);

	error = read_file(template_path, "error.html", true);

	css = read_file(template_path, "style.css");

	js = read_file(template_path, "script.js");

};

local site_name = module:get_option_string("site_name", module.host);

local security_policy = module:get_option_string("oauth2_security_policy", "default-src 'self'");

local render_html = require"util.interpolation".new("%b{}", st.xml_escape);

local function render_page(template, data, sensitive)

	data = data or {};

	data.site_name = site_name;

	local resp = {

		status_code = data.error and data.error.code or 200;

		headers = {

			["Content-Type"] = "text/html; charset=utf-8";

			["Content-Security-Policy"] = security_policy;

			["Referrer-Policy"] = "no-referrer";

			["X-Frame-Options"] = "DENY";

			["Cache-Control"] = (sensitive and "no-store" or "no-cache")..", private";

			["Pragma"] = "no-cache";

		};

		body = render_html(template, data);

	};

	return resp;

end

local authorization_server_metadata = nil;

local tokens = module:depends("tokenauth");

local default_access_ttl = module:get_option_number("oauth2_access_token_ttl", 3600);

local default_refresh_ttl = module:get_option_number("oauth2_refresh_token_ttl", 604800);

-- Used to derive client_secret from client_id, set to enable stateless dynamic registration.

local registration_key = module:get_option_string("oauth2_registration_key");

local registration_algo = module:get_option_string("oauth2_registration_algorithm", "HS256");

local registration_ttl = module:get_option("oauth2_registration_ttl", nil);

local registration_options = module:get_option("oauth2_registration_options",

	{ default_ttl = registration_ttl; accept_expired = not registration_ttl });

local pkce_required = module:get_option_boolean("oauth2_require_code_challenge", true);

local respect_prompt = module:get_option_boolean("oauth2_respect_oidc_prompt", false);

local verification_key;

local sign_client, verify_client;

if registration_key then

	-- Tie it to the host if global

	verification_key = hashes.hmac_sha256(registration_key, module.host);

	sign_client, verify_client = jwt.init(registration_algo, registration_key, registration_key, registration_options);

end

local new_device_token, verify_device_token = jwt.init("HS256", random.bytes(32), nil, { default_ttl = 600 });

-- verify and prepare client structure

local function check_client(client_id)

	if not verify_client then

		return nil, "client-registration-not-enabled";

	end

	local ok, client = verify_client(client_id);

	if not ok then

		return ok, client;

	end

	client.client_hash = b64url(hashes.sha256(client_id));

	return client;

end

local purpose_map = { ["oauth2-refresh"] = "refresh_token"; ["oauth"] = "access_token" };

-- scope : string | array | set

--

-- at each step, allow the same or a subset of scopes

-- (all ( client ( grant ( token ) ) ))

-- preserve order since it determines role if more than one granted

-- string -> array

local function parse_scopes(scope_string)

	return array(scope_string:gmatch("%S+"));

end

local openid_claims = set.new();

module:add_item("openid-claim", "openid");

module:handle_items("openid-claim", function(event)

	authorization_server_metadata = nil;

	openid_claims:add(event.item);

end, function()

	authorization_server_metadata = nil;

	openid_claims = set.new(module:get_host_items("openid-claim"));

end, true);

-- array -> array, array, array

local function split_scopes(scope_list)

	local claims, roles, unknown = array(), array(), array();

	local all_roles = usermanager.get_all_roles(module.host);

	for _, scope in ipairs(scope_list) do

		if openid_claims:contains(scope) then

			claims:push(scope);

		elseif scope == "xmpp" or all_roles[scope] then

			roles:push(scope);

		else

			unknown:push(scope);

		end

	end

	return claims, roles, unknown;

end

local function can_assume_role(username, requested_role)

	return requested_role == "xmpp" or usermanager.user_can_assume_role(username, module.host, requested_role);

end

-- function (string) : function(string) : boolean

local function role_assumable_by(username)

	return function(role)

		return can_assume_role(username, role);

	end

end

-- string, array --> array

local function user_assumable_roles(username, requested_roles)

	return array.filter(requested_roles, role_assumable_by(username));

end

-- string, string|nil --> string, string

local function filter_scopes(username, requested_scope_string)

	local requested_scopes, requested_roles = split_scopes(parse_scopes(requested_scope_string or ""));

	local granted_roles = user_assumable_roles(username, requested_roles);

	local granted_scopes = requested_scopes + granted_roles;

	local selected_role = granted_roles[1];

	return granted_scopes:concat(" "), selected_role;

end

local function code_expires_in(code) --> number, seconds until code expires

	return os.difftime(code.expires, os.time());

end

local function code_expired(code) --> boolean, true: has expired, false: still valid

	return code_expires_in(code) < 0;

end

-- LRU cache for short-term storage of authorization codes and device codes

local codes = cache.new(10000, function (_, code)

	-- If the cache is full and the oldest item hasn't expired yet then we

	-- might be under some kind of DoS attack, so might as well reject further

	-- entries for a bit.

	return code_expired(code)

end);

-- Clear out unredeemed codes so they don't linger in memory.

module:daily("Clear expired authorization codes", function()

	-- The tail should be the least recently touched item, and most likely to

	-- have expired already, so check and remove that one until encountering

	-- one that has not expired.

	local k, code = codes:tail();

	while code and code_expired(code) do

		codes:set(k, nil);

		k, code = codes:tail();

	end

end)

local function get_issuer()

	return (module:http_url(nil, "/"):gsub("/$", ""));

end

-- Non-standard special redirect URI that has the AS show the authorization

-- code to the user for them to copy-paste into the client, which can then

-- continue as if it received it via redirect.

local oob_uri = "urn:ietf:wg:oauth:2.0:oob";

local device_uri = "urn:ietf:params:oauth:grant-type:device_code";

local loopbacks = set.new({ "localhost", "127.0.0.1", "::1" });

local function oauth_error(err_name, err_desc)

	return errors.new({

		type = "modify";

		condition = "bad-request";

		code = err_name == "invalid_client" and 401 or 400;

		text = err_desc or err_name:gsub("^.", string.upper):gsub("_", " ");

		extra = { oauth2_response = { error = err_name, error_description = err_desc } };

	});

end

-- client_id / client_metadata are pretty large, filter out a subset of

-- properties that are deemed useful e.g. in case tokens issued to a certain

-- client needs to be revoked

local function client_subset(client)

	return {

		name = client.client_name;

		uri = client.client_uri;

		id = client.software_id;

		version = client.software_version;

		hash = client.client_hash;

	};

end

local function new_access_token(token_jid, role, scope_string, client, id_token, refresh_token_info)

	local token_data = { oauth2_scopes = scope_string, oauth2_client = nil };

	if client then

		token_data.oauth2_client = client_subset(client);

	end

	if next(token_data) == nil then

		token_data = nil;

	end

	local grant = refresh_token_info and refresh_token_info.grant;

	if not grant then

		-- No existing grant, create one

		grant = tokens.create_grant(token_jid, token_jid, nil, token_data);

	end

	if refresh_token_info then

		-- out with the old refresh tokens

		local ok, err = tokens.revoke_token(refresh_token_info.token);

		if not ok then

			module:log("error", "Could not revoke refresh token: %s", err);

			return 500;

		end

	end

	-- in with the new refresh token

	local refresh_token = refresh_token_info ~= false and tokens.create_token(token_jid, grant.id, nil, default_refresh_ttl, "oauth2-refresh");

	if role == "xmpp" then

		-- Special scope meaning the users default role.

		local user_default_role = usermanager.get_user_role(jid.node(token_jid), module.host);

		role = user_default_role and user_default_role.name;

	end

	local access_token, access_token_info = tokens.create_token(token_jid, grant.id, role, default_access_ttl, "oauth2");

	local expires_at = access_token_info.expires;

	return {

		token_type = "bearer";

		access_token = access_token;

		expires_in = expires_at and (expires_at - os.time()) or nil;

		scope = scope_string;

		id_token = id_token;

		refresh_token = refresh_token or nil;

	};

end

local function normalize_loopback(uri)

	local u = url.parse(uri);

	if u.scheme == "http" and loopbacks:contains(u.host) then

		u.authority = nil;

		u.host = "::1";

		u.port = nil;

		return url.build(u);

	end

	-- else, not a valid loopback uri

end

local function get_redirect_uri(client, query_redirect_uri) -- record client, string : string

	if not query_redirect_uri then

		if #client.redirect_uris ~= 1 then

			-- Client registered multiple URIs, it needs specify which one to use

			return;

		end

		-- When only a single URI is registered, that's the default

		return client.redirect_uris[1];

	end

	if query_redirect_uri == device_uri and client.grant_types then

		for _, grant_type in ipairs(client.grant_types) do

			if grant_type == device_uri then

				return query_redirect_uri;

			end

		end

		-- Tried to use device authorization flow without registering it.

		return;

	end

	-- Verify the client-provided URI matches one previously registered

	for _, redirect_uri in ipairs(client.redirect_uris) do

		if query_redirect_uri == redirect_uri then

			return redirect_uri

		end

	end

	-- The authorization server MUST allow any port to be specified at the time

	-- of the request for loopback IP redirect URIs, to accommodate clients that

	-- obtain an available ephemeral port from the operating system at the time

	-- of the request.

	-- https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-08.html#section-8.4.2

	local loopback_redirect_uri = normalize_loopback(query_redirect_uri);

	if loopback_redirect_uri then

		for _, redirect_uri in ipairs(client.redirect_uris) do

			if loopback_redirect_uri == normalize_loopback(redirect_uri) then

				return query_redirect_uri;

			end

		end

	end

end

local grant_type_handlers = {};

local response_type_handlers = {};

local verifier_transforms = {};

function grant_type_handlers.implicit()

	-- Placeholder to make discovery work correctly.

	-- Access tokens are delivered via redirect when using the implict flow, not

	-- via the token endpoint, so how did you get here?