package org.openslx.bwlp.sat.thrift;

import java.sql.SQLException;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.openslx.bwlp.sat.database.mappers.DbUser;
import org.openslx.bwlp.sat.permissions.User;
import org.openslx.bwlp.sat.util.Formatter;
import org.openslx.bwlp.thrift.iface.AuthorizationError;
import org.openslx.bwlp.thrift.iface.Role;
import org.openslx.bwlp.thrift.iface.TAuthorizationException;
import org.openslx.bwlp.thrift.iface.TInvalidTokenException;
import org.openslx.bwlp.thrift.iface.TInvocationException;
import org.openslx.bwlp.thrift.iface.UserInfo;
import org.openslx.thrifthelper.ThriftManager;
import org.openslx.util.QuickTimer;
import org.openslx.util.QuickTimer.Task;

/**
 * Manages user sessions. Mainly used to map tokens to users.
 * 
 */
public class SessionManager {

	private static final Logger LOGGER = LogManager.getLogger(SessionManager.class);

	private static class Entry {
		private static final long SESSION_TIMEOUT = TimeUnit.DAYS.toMillis(1);
		private final UserInfo user;
		private long validUntil;

		private Entry(UserInfo user) {
			this.user = user;
			this.validUntil = System.currentTimeMillis() + SESSION_TIMEOUT;
		}

		public void touch(long now) {
			this.validUntil = now + SESSION_TIMEOUT;
		}

		public boolean isTooOld(long now) {
			return validUntil < now;
		}
	}

	// saves the current tokens and the mapped userdata, returning from the server
	private static final Map<String, Entry> tokenManager = new ConcurrentHashMap<>();

	static {
		// Clean cached session periodically
		QuickTimer.scheduleAtFixedDelay(new Task() {
			@Override
			public void fire() {
				final long now = System.currentTimeMillis();
				for (Iterator<Entry> it = tokenManager.values().iterator(); it.hasNext();) {
					Entry e = it.next();
					if (e == null || e.isTooOld(now))
						it.remove();
				}
			}
		}, 60000, 1200600);
	}

	/**
	 * Get the user corresponding to the given token.
	 * 
	 * @param token user's token
	 * @return UserInfo for the matching user
	 * @throws TAuthorizationException if the token is not known or the session
	 *             expired
	 * @throws TInvocationException
	 */
	public static UserInfo getOrFail(String token) throws TAuthorizationException, TInvocationException {
		UserInfo ui = getInternal(token);
		if (ui != null)
			return ui;
		throw new TAuthorizationException(AuthorizationError.NOT_AUTHENTICATED,
				"Your session token is not known to the server");
	}

	/**
	 * Do nothing if a user belongs to the given token and is authorized to use
	 * this satellite, throw an exception otherwise.
	 * 
	 * @param token Token in question
	 * @throws TAuthorizationException
	 * @throws TInvocationException
	 */
	public static void ensureAuthenticated(String token) throws TAuthorizationException, TInvocationException {
		getInternal(token);
	}

	/**
	 * Get the user corresponding to the given token. Returns <code>null</code>
	 * if the token is not known, or the session already timed out.
	 * 
	 * @param token user's token
	 * @return UserInfo for the matching user
	 */
	public static UserInfo get(String token) {
		try {
			return getInternal(token);
		} catch (TAuthorizationException | TInvocationException e) {
			return null;
		}
	}

	private static UserInfo getInternal(String token) throws TAuthorizationException, TInvocationException {
		Entry e = tokenManager.get(token);
		if (e == null) {
			LOGGER.info("Cache miss for token " + token + ", asking master");
			return getRemote(token);
		}
		// User session already cached
		final long now = System.currentTimeMillis();
		if (e.isTooOld(now)) {
			tokenManager.remove(token);
			return getRemote(token);
		}
		e.touch(now);
		return e.user;
	}

	/**
	 * Remove session matching the given token
	 * 
	 * @param token
	 */
	public static void remove(String token) {
		tokenManager.remove(token);
	}

	/**
	 * Get {@link UserInfo} from master server.
	 * 
	 * @param token token of user to get
	 * @return
	 * @throws TAuthorizationException if user is not allowed to use this
	 *             satellite, this exception contains the reason
	 * @throws TInvocationException if something unexpected fails
	 */
	private static UserInfo getRemote(String token) throws TAuthorizationException, TInvocationException {
		UserInfo ui = null;
		try {
			ui = ThriftManager.getMasterClient().getUserFromToken(token);
		} catch (TInvalidTokenException ite) {
			LOGGER.warn("Master says: Invalid token: " + token);
			throw new TAuthorizationException(AuthorizationError.INVALID_TOKEN,
					"Your token is not known to the master server");
		} catch (Exception e) {
			LOGGER.warn("Could not reach master server to query for user token (" + token + ") of a client!",
					e);
			throw new TInvocationException();
		}
		LOGGER.info("Got '" + Formatter.userFullName(ui) + "' (" + ui.userId + ") for token " + token);
		if (ui.role == null) {
			// Fail-safe: No role supplied, assume student
			ui.role = Role.STUDENT;
		}
		// Valid reply, check if user is allowed to communicate with this satellite server
		AuthorizationError authError = User.canLogin(ui);
		handleAuthorizationError(ui, authError);
		// Is valid, insert/update db record, but ignore students
		if (ui.role != Role.STUDENT) {
			try {
				DbUser.writeUserOnLogin(ui);
			} catch (SQLException e) {
				LOGGER.info("User " + ui.userId + " cannot be written to DB - rejecting.");
				throw new TInvocationException();
			}
			// Check again, as it might be a fresh entry to the DB, and we don't allow logins by default
			authError = User.canLogin(ui);
			handleAuthorizationError(ui, authError);
		}
		tokenManager.put(token, new Entry(ui));
		return ui;
	}
	
	private static void handleAuthorizationError(UserInfo ui, AuthorizationError authError) throws TAuthorizationException {
		if (authError == null)
			return;
		
		LOGGER.info("User " + ui.userId + " cannot login: " + authError.toString());
		switch (authError) {
		case ACCOUNT_SUSPENDED:
			throw new TAuthorizationException(authError,
					"Your account is not allowed to log in to this satellite");
		case BANNED_NETWORK:
			throw new TAuthorizationException(authError, "Your IP address is banned from this satellite");
		case INVALID_CREDENTIALS:
		case INVALID_KEY:
		case CHALLENGE_FAILED:
			throw new TAuthorizationException(authError, "Authentication error");
		case INVALID_ORGANIZATION:
			throw new TAuthorizationException(authError,
					"Your organization is not known to this satellite");
		case ORGANIZATION_SUSPENDED:
			throw new TAuthorizationException(authError,
					"Your organization is not allowed to log in to this satellite");
		case NOT_AUTHENTICATED:
		case NO_PERMISSION:
			throw new TAuthorizationException(authError, "No permission");
		case GENERIC_ERROR:
		case INVALID_TOKEN:
		default:
			throw new TAuthorizationException(authError, "Internal server error");
		}
	}

}