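package org.gcube.smartgears.security.defaults;

import java.net.URL;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.gcube.common.keycloak.KeycloakClient;
import org.gcube.common.keycloak.KeycloakClientFactory;
import org.gcube.common.keycloak.model.AccessToken.Access;
import org.gcube.common.keycloak.model.ModelUtils;
import org.gcube.common.keycloak.model.TokenResponse;
import org.gcube.common.scope.impl.ScopeBean;
import org.gcube.smartgears.security.AuthorizationProvider;
import org.gcube.smartgears.security.SimpleCredentials;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * {@link AuthorizationProvider} backed by Keycloak.
 * <p>
 * The contexts this node is allowed to operate in are derived from the
 * {@code resource_access} claim of an OIDC token obtained with the configured
 * client credentials: every key of that claim (a Keycloak client id in which
 * {@code %2F} stands for {@code /}) that parses as a {@link ScopeBean} is an
 * allowed context.
 * <p>
 * The failure mode is closed: if the token cannot be obtained or decoded,
 * {@link #getAllowedContexts()} returns an empty set instead of throwing, so an
 * unreachable or misconfigured Keycloak grants nothing rather than something.
 */
public class DefaultAuthorizationProvider implements AuthorizationProvider {

    private static final Logger LOG = LoggerFactory.getLogger(DefaultAuthorizationProvider.class);

    /** Keycloak client ids carry the context's path separators URL-encoded. */
    private static final String ENCODED_SLASH = "%2F";

    private final KeycloakClient client = KeycloakClientFactory.newInstance();

    private final SimpleCredentials credentials;

    /**
     * @param credentials token endpoint, client id and client secret used for the
     *        client-credentials token request. The secret is only passed to the
     *        Keycloak client and is never logged by this class.
     */
    public DefaultAuthorizationProvider(SimpleCredentials credentials) {
        this.credentials = credentials;
    }

    /**
     * Requests a token from Keycloak and returns the contexts it grants to this client.
     *
     * @return the allowed contexts as {@link ScopeBean#toString()} strings. An
     *         immutable empty set is returned when the token request or decoding
     *         fails, or when the token carries no {@code resource_access} claim;
     *         keys that do not parse as a scope are logged and skipped.
     */
    @Override
    public Set<String> getAllowedContexts() {
        Set<String> contexts = new HashSet<>();
        try {
            TokenResponse response = client.queryOIDCToken(
                    new URL(credentials.getEndpoint()),
                    credentials.getClientID(),
                    credentials.getSecret());

            // NOTE(review): whether the token's signature is verified here is not
            // visible in this class; the token is fetched straight from the token
            // endpoint, so trust rests on that (ideally TLS-only) connection.
            // Confirm in ModelUtils / KeycloakClient if the endpoint may be plain HTTP.
            Map<String, Access> resourceAccess = ModelUtils.getAccessTokenFrom(response).getResourceAccess();

            if (resourceAccess == null) {
                // A token with no resource_access claim is well-formed but grants
                // no context: report it explicitly rather than as an NPE.
                LOG.warn("token from keycloak carries no resource_access claim");
                return Collections.emptySet();
            }

            for (String clientId : resourceAccess.keySet()) {
                try {
                    // plain replace: the needle is a literal, not a regex
                    ScopeBean scope = new ScopeBean(clientId.replace(ENCODED_SLASH, "/"));
                    contexts.add(scope.toString());
                } catch (IllegalArgumentException e) {
                    // unparseable client ids are simply not contexts; never grant them
                    LOG.warn("invalid context found in token: {}", clientId);
                }
            }
        } catch (Exception e) {
            // Fail closed: any error on the way to the claim means no contexts at all,
            // not a partial set. The exception may carry the endpoint URL but not the secret.
            LOG.error("error getting OIDToken from keycloak", e);
            return Collections.emptySet();
        }
        return contexts;
    }
}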