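package auth

import (
	"errors"
	"sync"
	"time"

	"git.inspur.com/sbg-jszt/cfn/cfn-schedule/internal/model/user"
	// NOTE(review): github.com/dgrijalva/jwt-go is archived upstream; the
	// maintained fork is github.com/golang-jwt/jwt. Consider migrating.
	"github.com/dgrijalva/jwt-go"
)

const (
	// TokenExpired is the message text for an expired token (not referenced
	// in this file).
	TokenExpired = "token expired"

	// clockSkew is the offset installed into the JWT library clock by
	// applyClockSkew.
	clockSkew = 60 * time.Second
)

var (
	// UnexpectedSingingMethod is returned by validateSecret when a token is
	// not HMAC-signed. (Name kept for compatibility; the typo is historical.)
	UnexpectedSingingMethod = errors.New("unexpected signing method")
	// UnknownEntity is returned when the parsed claims are not an *entity.
	UnknownEntity = errors.New("unknown entity")

	// skewOnce guards the one-time assignment of jwt.TimeFunc.
	skewOnce sync.Once
)

// entity is the claim set carried by the tokens this package issues and
// validates. It embeds jwt.StandardClaims, so exp/nbf/iat are verified by the
// library on parse.
//
// NOTE(review): a JWT payload is signed but not encrypted, so every field
// here — including Encrypted (filled from user.EncryptedPassword in Authorize)
// and Token (the API token) — is readable by anyone holding the token.
// Confirm that exposure is acceptable.
type entity struct {
	Encrypted string `json:"encrypted"`
	// Added after the token change to stay compatible with the permission
	// system's token payload -by King 2022-10-07
	Username string `json:"login_loginname"`
	Token    string `json:"token"`
	Role     int32  `json:"role"`
	// -------------
	LoginAppId       string `json:"login_app_id"`
	LoginUid         string `json:"login_uid"`
	LoginAccountId   string `json:"login_account_id"`
	ClientIp         string `json:"client_ip"`
	LoginAccountName string `json:"login_account_name"`
	UsersAppId       string `json:"users_app_id"`
	LoginUname       string `json:"login_uname"`
	jwt.StandardClaims
}

// applyClockSkew installs clockSkew into jwt.TimeFunc exactly once.
//
// jwt.TimeFunc is a package-level variable of the JWT library, so the
// assignment affects every parse in the process (Validate included); writing
// it on every Authorize call, as the code previously did, was a data race
// under concurrent use. The first Authorize call still triggers it, so the
// observable behaviour is unchanged.
//
// NOTE(review): the library compares claim timestamps against TimeFunc(), so
// a clock moved 60s forward makes `exp` fail 60s early while accepting
// `nbf`/`iat` up to 60s in the future — confirm this is the intended
// direction of the skew.
func applyClockSkew() {
	skewOnce.Do(func() {
		jwt.TimeFunc = func() time.Time { return time.Now().Add(clockSkew) }
	})
}

// Authorize re-issues authToken with the given user's API token, role and
// encrypted password merged into its claims, signed with HS512 and the
// package secret.
//
// The incoming token must verify under validateSecret; its standard claims
// (including ExpiresAt) are carried over unchanged. If authToken is empty or
// user is nil, Authorize returns ("", nil) — callers must treat an empty
// result as "no token issued", not as success.
//
// Returns the parse error when authToken is invalid, UnknownEntity when the
// claims are not an *entity, and the signing error if signing fails.
func Authorize(authToken string, user *user.UserObj) (string, error) {
	if authToken == "" || user == nil {
		return "", nil
	}

	applyClockSkew()

	parsed, err := jwt.ParseWithClaims(authToken, &entity{}, validateSecret)
	if err != nil {
		return "", err
	}
	claims, ok := parsed.Claims.(*entity)
	if !ok {
		return "", UnknownEntity
	}

	claims.Token = user.APIToken
	claims.Role = user.Role
	claims.Encrypted = user.EncryptedPassword

	// The input's algorithm is not preserved: the output is always HS512.
	signed, err := jwt.NewWithClaims(jwt.SigningMethodHS512, claims).SignedString(secret)
	if err != nil {
		return "", err
	}
	return signed, nil
}

// Validate parses and verifies rawToken and returns the login information
// carried in its claims. The signature and the standard time claims are
// checked by the JWT library (via validateSecret and entity's embedded
// StandardClaims).
//
// Returns the parse/validation error, or UnknownEntity if the claims are not
// an *entity. Use IsTokenExpiredErr to distinguish expiry from other failures.
func Validate(rawToken string) (*LoginInfo, error) {
	parsed, err := jwt.ParseWithClaims(rawToken, &entity{}, validateSecret)
	if err != nil {
		return nil, err
	}
	claims, ok := parsed.Claims.(*entity)
	if !ok {
		return nil, UnknownEntity
	}

	return &LoginInfo{
		Username:    claims.Username,
		DisplayName: claims.LoginAccountName,
		Token:       claims.Token,
		UserID:      claims.LoginAccountId,
		Role:        claims.Role,
	}, nil
}

// IsTokenExpiredErr reports whether err is a JWT validation error carrying
// the ValidationErrorExpired flag. errors.As is used so that a wrapped
// *jwt.ValidationError is recognised as well as a bare one; the Errors flag
// is the authoritative signal, so no Inner error is required.
func IsTokenExpiredErr(err error) bool {
	var vErr *jwt.ValidationError
	if !errors.As(err, &vErr) {
		return false
	}
	return vErr.Errors&jwt.ValidationErrorExpired != 0
}

// validateSecret is the jwt.Keyfunc used by Authorize and Validate. It
// accepts only HMAC-signed tokens and returns the package secret (declared
// elsewhere in this package) for them.
//
// The method check is what prevents algorithm confusion: without it a token
// declaring alg "none" or a public-key algorithm could be verified against
// the shared secret.
func validateSecret(token *jwt.Token) (interface{}, error) {
	if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
		return nil, UnexpectedSingingMethod
	}
	return secret, nil
}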