/*
 * Copyright (C) 2008-2019, Juick
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */

package com.juick.server;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.juick.User;
import com.juick.model.AnonymousUser;
import com.juick.server.api.activity.model.Context;
import com.juick.server.api.activity.model.objects.Person;
import com.juick.server.api.webfinger.model.Account;
import com.juick.server.api.webfinger.model.Link;
import com.juick.service.UserService;
import com.juick.util.DateFormattersHolder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Component;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.UriComponentsBuilder;
import org.tomitribe.auth.signatures.Signature;
import org.tomitribe.auth.signatures.Signer;
import org.tomitribe.auth.signatures.Verifier;
import rocks.xmpp.addr.Jid;

import javax.inject.Inject;
import java.io.IOException;
import java.net.URI;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.SignatureException;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

import static com.juick.server.api.activity.model.Context.ACTIVITY_MEDIA_TYPE;

@Component
public class SignatureManager {
    private static final Logger logger = LoggerFactory.getLogger("ActivityPub");
    @Inject
    private KeystoreManager keystoreManager;
    @Inject
    private ObjectMapper jsonMapper;
    @Inject
    private UserService userService;
    @Inject
    private RestTemplate apClient;

    public void post(Person from, Person to, Context data) throws IOException {
        UriComponentsBuilder uriComponentsBuilder = UriComponentsBuilder.fromUriString(to.getInbox());
        URI inbox = uriComponentsBuilder.build().toUri();
        Instant now = Instant.now();
        String requestDate = DateFormattersHolder.getHttpDateFormatter().format(now);
        String host = inbox.getPort() > 0 ? String.format("%s:%d", inbox.getHost(), inbox.getPort()) : inbox.getHost();
        String signatureString = addSignature(from, host, "POST", inbox.getPath(), requestDate);

        HttpHeaders requestHeaders = new HttpHeaders();
        requestHeaders.add("Content-Type", Context.ACTIVITYSTREAMS_PROFILE_MEDIA_TYPE);
        requestHeaders.add("Date", requestDate);
        requestHeaders.add("Host", host);
        requestHeaders.add("Signature", signatureString);
        HttpEntity<Context> request = new HttpEntity<>(Context.build(data), requestHeaders);
        logger.info("Sending context to {}: {}", to.getId(), jsonMapper.writeValueAsString(data));
        ResponseEntity<Void> response = apClient.postForEntity(inbox, request, Void.class);
        logger.info("Remote response: {}", response.getStatusCodeValue());
    }

    public String addSignature(Person from, String host, String method, String path, String dateString) throws IOException {
        return addSignature(from, host, method, path, dateString, keystoreManager);
    }

    public String addSignature(Person from, String host, String method, String path, String dateString, KeystoreManager keystoreManager) throws IOException {
        Signature templateSignature = new Signature(from.getPublicKey().getId(), "rsa-sha256", null,
                "(request-target)", "host", "date");
        Map<String, String> headers = new HashMap<>();
        headers.put("host", host);
        headers.put("date", dateString);
        Signer signer = new Signer(keystoreManager.getPrivateKey(), templateSignature);
        Signature signature = signer.sign(method, path, headers);
        // remove "Signature: " from result
        return signature.toString().substring(10);
    }

    public User verifySignature(String method, String path, Map<String, String> headers) {
        String signatureString = headers.get("signature");
        logger.info("Signature: {}", signatureString);
        Signature signature = Signature.fromString(signatureString);
        Optional<Context> context = getContext(UriComponentsBuilder.fromUriString(signature.getKeyId())
                .fragment(null).build().toUri());
        if (context.isPresent() && context.get() instanceof Person) {
            Person person = (Person) context.get();
            Key key = KeystoreManager.publicKeyOf(person);

            Verifier verifier = new Verifier(key, signature);
            try {
                boolean result = verifier.verify(method, path, headers);
                logger.info("signature of {} is valid: {}", signature.getKeyId(), result);
                if (result) {
                    User user = new User();
                    user.setUri(URI.create(person.getId()));
                    if (key.equals(keystoreManager.getPublicKey())) {
                        return userService.getUserByName(person.getName());
                    }
                    return user;
                } else {
                    return AnonymousUser.INSTANCE;
                }
            } catch (NoSuchAlgorithmException | SignatureException | IOException e) {
                logger.warn("Invalid signature {}", signatureString);
            }
        } else {
            logger.warn("Unknown keyId");
        }
        return AnonymousUser.INSTANCE;
    }
    public Optional<Context> getContext(URI contextUri) {
        try {
            Context context = apClient.getForEntity(contextUri, Context.class).getBody();
            if (context == null) {
                logger.warn("Cannot identify {}", contextUri);
                return Optional.empty();
            }
            return Optional.of(context);
        } catch (Exception e) {
            logger.warn("REST Exception on {}: {}", contextUri, e.getMessage());
        }
        return Optional.empty();
    }
    public Optional<Context> discoverPerson(String acct) {
        Jid acctId = Jid.of(acct);
        URI resourceUri = UriComponentsBuilder.fromPath("/.well-known/webfinger")
                .host(acctId.getDomain())
                .scheme("https")
                .queryParam("resource", String.format("%s", acctId.toEscapedString())).build().toUri();
        HttpHeaders headers = new HttpHeaders();
        headers.add("Accept", "application/jrd+json");
        HttpEntity<Void> webfingerRequest = new HttpEntity<>(headers);
        ResponseEntity<Account> response = apClient.exchange(
                resourceUri, HttpMethod.GET, webfingerRequest, Account.class);
        if (response.getStatusCode().is2xxSuccessful()) {
            Account acctData = response.getBody();
            if (acctData != null) {
                for (Link l : acctData.getLinks()) {
                    if (l.getRel().equals("self") && l.getType().equals(ACTIVITY_MEDIA_TYPE)) {
                        return getContext(URI.create(l.getHref()));
                    }
                }
            }
        }
        return Optional.empty();
    }
}