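/* Copyright (c) 2020 Stefan Kürzeder This code is licensed under MIT license (see LICENSE for details) */
package httphandler

import (
	"fmt"
	"net/http"
	"net/url"

	"github.com/google/uuid"
	"github.com/sirupsen/logrus"
)

// rootHandler serves every request that reaches the root of the forward-auth
// endpoint.
//
// Flow:
//  1. Ask forwardAuth whether the request carries a valid session. If not,
//     clear the auth cookie, issue a fresh CSRF cookie bound to a random
//     state, and redirect the client to the OAuth2 authorization URL.
//  2. If the `group` query parameter is present, require the authenticated
//     user's claims to contain that group; otherwise answer 403 and stop.
//  3. Otherwise expose the user's e-mail in X-Forwarded-User and answer 200
//     so the reverse proxy lets the original request through.
//
// forwardedURI is the URI the proxy forwarded on behalf of the client (only
// its Path is used here, for logging); queryURI carries the handler's own
// query parameters (only `group` is read).
func (root *HttpHandler) rootHandler(w http.ResponseWriter, r *http.Request, forwardedURI *url.URL, queryURI *url.URL) {
	logger := logrus.WithFields(logrus.Fields{
		// X-Forwarded-For is whatever the upstream proxy put there; it is
		// used for logging only, never for an authorization decision.
		"SourceIP":      r.Header.Get("X-Forwarded-For"),
		"RequestTarget": root.forwardAuth.GetReturnUri(r),
		"Path":          forwardedURI.Path,
	})

	claims, err := root.forwardAuth.IsAuthenticated(r.Context(), logger, w, r, root.options)
	if err != nil {
		logger = logger.WithField("FunctionSource", "RootHandler")
		logger.Warn("IsAuthenticated failed, initating login flow.")

		// Drop any stale session before starting a new login round-trip.
		http.SetCookie(w, root.forwardAuth.ClearAuthCookie(root.options))
		//http.SetCookie(w, root.forwardAuth.ClearRefreshAuthCookie(root.options))

		// The random state is stored in the CSRF cookie and echoed back by the
		// provider, so the callback can tie the response to this request.
		state := uuid.New().String()
		http.SetCookie(w, root.forwardAuth.MakeCSRFCookie(w, r, root.options, state))
		http.Redirect(w, r, root.forwardAuth.OAuth2Config.AuthCodeURL(state), http.StatusTemporaryRedirect)
		return
	}

	// Optional group gate: a non-empty `group` parameter must appear in the
	// user's group claims. On failure we must return here — without the
	// return the 200 / X-Forwarded-User path below would still be reached.
	if group := queryURI.Query().Get("group"); group != "" && !contains(claims.Groups, group) {
		logger.Warnf("User %s not member of group %s", claims.PreferedUsername, group)
		http.Error(w, fmt.Sprintf("You need to be a member of the group '%s' to access this site", group), http.StatusForbidden)
		return
	}

	// Authenticated (and authorized, if a group was required): let the proxy
	// know who the user is and allow the request.
	w.Header().Set("X-Forwarded-User", claims.Email)
	w.WriteHeader(http.StatusOK)
}

// contains reports whether e is an element of s. A nil or empty s never
// contains anything.
func contains(s []string, e string) bool {
	for _, a := range s {
		if a == e {
			return true
		}
	}
	return false
}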