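package com.qmth.distributed.print.auth;

import com.qmth.boot.core.enums.Platform;
import com.qmth.boot.core.security.model.AccessEntity;
import com.qmth.boot.core.security.service.AuthorizationService;
import com.qmth.boot.tools.signature.SignatureType;
import com.qmth.teachcloud.common.bean.auth.AuthBean;
import com.qmth.teachcloud.common.contant.SystemConstant;
import com.qmth.teachcloud.common.entity.SysUser;
import com.qmth.teachcloud.common.entity.TBSession;
import com.qmth.teachcloud.common.enums.ExceptionResultEnum;
import com.qmth.teachcloud.common.enums.PrivilegePropertyEnum;
import com.qmth.teachcloud.common.enums.RoleTypeEnum;
import com.qmth.teachcloud.common.service.CacheService;
import com.qmth.teachcloud.common.service.TBSessionService;
import com.qmth.teachcloud.common.util.RedisUtil;
import com.qmth.teachcloud.common.util.ServletUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;

import javax.annotation.Resource;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.Collection;
import java.util.List;
import java.util.Objects;
import java.util.Set;

/**
 * Session-token authorization for the distributed-print module.
 *
 * <p>{@link #hasPermission(AccessEntity, String)} resolves the caller's session from Redis,
 * checks that it is unexpired and bound to the requesting platform and device, and then
 * decides whether the requested path is reachable: NO_AUTH paths, ADMIN role, SYS paths,
 * or an explicit url grant on the user's {@link AuthBean}.
 *
 * <p>Authorization failures are signalled by throwing the {@link ExceptionResultEnum}
 * exception for the failing check; {@code false} is returned only when no identity was
 * supplied at all.
 */
@Component
public class DistributedPrintAuthenticationService implements AuthorizationService {

    private final static Logger log = LoggerFactory.getLogger(DistributedPrintAuthenticationService.class);

    @Resource
    CacheService cacheService;

    @Resource
    RedisUtil redisUtil;

    /**
     * Wraps the caller's identity in a {@link DistributedPrintSession}.
     *
     * <p>{@code signatureType} and {@code path} are not consulted: every identity is
     * treated as a TOKEN-signed session.
     *
     * @param identity      identity extracted from the request by the security framework
     * @param signatureType signature scheme detected on the request (ignored)
     * @param path          request path (ignored)
     * @return a TOKEN session entity for {@code identity}
     */
    @Override
    public AccessEntity findByIdentity(String identity, SignatureType signatureType, String path) {
        return new DistributedPrintSession(identity, SignatureType.TOKEN);
    }

    /**
     * Validates the caller's session and decides whether {@code path} may be accessed.
     *
     * <p>Order of checks: session present, session unexpired, platform matches, device id
     * matches, then NO_AUTH paths short-circuit to allow, otherwise the user's privileges
     * are evaluated by {@link #authFootCommon}. Note that NO_AUTH paths still require a
     * valid session because the whitelist is consulted only after session validation.
     *
     * @param accessEntity entity from {@link #findByIdentity}; its identity is the session id
     * @param path         request path to authorize
     * @return {@code true} when access is granted; {@code false} when no identity was supplied
     * @throws RuntimeException the {@link ExceptionResultEnum} exception for the failing check
     *                          (NOT_LOGIN, AUTHORIZATION_ERROR, ROLE_ENABLE_AUTHORIZATION,
     *                          UN_AUTHORIZATION)
     */
    @Override
    public boolean hasPermission(AccessEntity accessEntity, String path) {
        if (Objects.isNull(accessEntity) || Objects.isNull(accessEntity.getIdentity())) {
            return false;
        }
        String sessionId = accessEntity.getIdentity();
        TBSession tbSession = (TBSession) redisUtil.getUserSession(sessionId);
        if (Objects.isNull(tbSession)) {
            // NOTE(review): the session id is a bearer credential and is written to the log here;
            // consider masking or truncating it.
            log.warn("Authorization faile: session id not exists: " + sessionId);
            throw ExceptionResultEnum.NOT_LOGIN.exception();
        }
        if (tbSession.getExpireTime() <= System.currentTimeMillis()) {
            log.warn("Authorization faile: session has expired, expire time=" + tbSession.getExpireTime());
            throw ExceptionResultEnum.NOT_LOGIN.exception();
        }

        // The session is bound to the platform and device it was created on; a token
        // replayed from another platform/device is rejected. A missing value on either
        // side is treated as a mismatch rather than allowed to NPE.
        Platform platform = ServletUtil.getRequestPlatform();
        String sessionPlatform = tbSession.getPlatform();
        if (Objects.isNull(platform) || Objects.isNull(sessionPlatform)
                || !sessionPlatform.equalsIgnoreCase(platform.name())) {
            log.warn("Authorization faile: platform invalid, session platform is " + sessionPlatform);
            throw ExceptionResultEnum.AUTHORIZATION_ERROR.exception();
        }
        String deviceId = ServletUtil.getRequestDeviceId();
        String sessionDeviceId = tbSession.getDeviceId();
        if (Objects.isNull(sessionDeviceId) || !sessionDeviceId.equalsIgnoreCase(deviceId)) {
            log.warn("Authorization faile: deviceId invalid, session deviceId is " + sessionDeviceId);
            throw ExceptionResultEnum.AUTHORIZATION_ERROR.exception();
        }

        // Paths that need no privilege check (still require the valid session above).
        List<String> noAuthUrls = cacheService.privilegeUrlCache(PrivilegePropertyEnum.NO_AUTH);
        if (containsIgnoreCase(noAuthUrls, path)) {
            return true;
        }

        // The session identity is the numeric user id; a non-numeric value is a corrupt session.
        Long userId = Long.parseLong(tbSession.getIdentity());
        SysUser sysUser = cacheService.userCache(userId);
        HttpServletRequest request = ServletUtil.getRequest();
        HttpServletResponse response = ServletUtil.getResponse();
        request.setAttribute(SystemConstant.SESSION, tbSession);
        request.setAttribute(SystemConstant.USER, sysUser);
        return authFootCommon(userId, SystemConstant.USER_OAUTH_CACHE, path, request, response);
    }

    /**
     * Common privilege evaluation for an already-authenticated user.
     *
     * <p>Grants access when the user holds the ADMIN role, when {@code path} is a SYS
     * (shared) url, or when {@code path} is among the user's granted urls. On success the
     * school and org of the user's {@link AuthBean} are stored as request attributes.
     *
     * @param userId   authenticated user id
     * @param type     cache type; only {@link SystemConstant#USER_OAUTH_CACHE} yields an AuthBean
     * @param path     request path to authorize
     * @param request  current request; receives SCHOOL and ORG attributes
     * @param response current response; status is set to SUCCESS on the explicit-grant path
     * @return {@code true} when access is granted (every denial is reported by throwing)
     * @throws RuntimeException ROLE_ENABLE_AUTHORIZATION when no AuthBean exists for the user,
     *                          UN_AUTHORIZATION when {@code path} is not granted
     */
    public boolean authFootCommon(Long userId, String type, String path, HttpServletRequest request, HttpServletResponse response) {
        // NOTE(review): contains() is a substring test rather than equality — confirm intended.
        AuthBean authBean = type.contains(SystemConstant.USER_OAUTH_CACHE) ? cacheService.userAuthCache(userId) : null;
        if (Objects.isNull(authBean)) {
            throw ExceptionResultEnum.ROLE_ENABLE_AUTHORIZATION.exception();
        }
        request.setAttribute(SystemConstant.SCHOOL, authBean.getSchool());
        request.setAttribute(SystemConstant.ORG, authBean.getOrg());

        // Super system administrators hold every privilege.
        boolean isAdmin = Objects.nonNull(authBean.getRoleList())
                && authBean.getRoleList().stream().anyMatch(role -> role.getType() == RoleTypeEnum.ADMIN);
        if (isAdmin) {
            return true;
        }

        // System-wide shared endpoints are not intercepted.
        List<String> sysUrls = cacheService.privilegeUrlCache(PrivilegePropertyEnum.SYS);
        if (containsIgnoreCase(sysUrls, path)) {
            return true;
        }

        // Otherwise the path must be explicitly granted to the user.
        Set<String> urls = authBean.getUrls();
        if (!containsIgnoreCase(urls, path)) {
            log.warn("Authorization faile: url cannot access");
            throw ExceptionResultEnum.UN_AUTHORIZATION.exception();
        }
        response.setStatus(ExceptionResultEnum.SUCCESS.getCode());
        return true;
    }

    /**
     * Case-insensitive membership test that treats a {@code null} collection as empty.
     *
     * @param urls candidate urls, may be {@code null}
     * @param path path to look for
     * @return {@code true} when some element equals {@code path} ignoring case
     */
    private static boolean containsIgnoreCase(Collection<String> urls, String path) {
        return Objects.nonNull(urls) && urls.stream().anyMatch(s -> s.equalsIgnoreCase(path));
    }
}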