package org.gcube.common.iam;

import java.util.List;

import org.gcube.common.keycloak.KeycloakClientException;
import org.gcube.common.keycloak.model.TokenResponse;

/**
 * Result of authenticating an OIDC client with its id and secret against the
 * token endpoint exposed by a {@link D4ScienceIAMClient}.
 *
 * <p>The token response is obtained while the instance is being constructed and is
 * handed to {@link AbstractIAMResponse}. Use {@link #authorize(String, List)} to
 * derive an authorization for a given audience from this authentication.
 *
 * <p>The client secret is a confidential credential: callers should load it from a
 * protected store and keep it out of logs and exception messages.
 */
public class D4ScienceIAMClientAuthn extends AbstractIAMResponse implements IAMResponse {

    /**
     * Authenticates the client without requesting a specific audience; delegates to
     * the four-argument constructor with a {@code null} audience.
     *
     * @param iamClient the IAM client providing the Keycloak client and the token endpoint
     * @param clientId the client id
     * @param clientSecret the client secret (sensitive, never log it)
     * @throws D4ScienceIAMClientException if the token request fails
     */
    protected D4ScienceIAMClientAuthn(D4ScienceIAMClient iamClient, String clientId, String clientSecret)
            throws D4ScienceIAMClientException {

        this(iamClient, clientId, clientSecret, null);
    }

    /**
     * Authenticates the client and stores the resulting token response in the superclass.
     *
     * @param iamClient the IAM client providing the Keycloak client and the token endpoint
     * @param clientId the client id
     * @param clientSecret the client secret (sensitive, never log it)
     * @param audience the requested audience; forwarded unchanged, {@code null} included
     * @throws D4ScienceIAMClientException if the token request fails
     */
    protected D4ScienceIAMClientAuthn(D4ScienceIAMClient iamClient, String clientId, String clientSecret,
            String audience) throws D4ScienceIAMClientException {

        super(iamClient, performAuthn(iamClient, clientId, clientSecret, audience));
    }

    /**
     * Requests an OIDC token for the given client credentials from the token endpoint
     * URL reported by {@code iamClient}.
     *
     * @param iamClient the IAM client providing the Keycloak client and the token endpoint
     * @param clientId the client id
     * @param clientSecret the client secret (sensitive, never log it)
     * @param audience the requested audience, passed to the Keycloak client as given
     * @return the token response returned by the Keycloak client
     * @throws D4ScienceIAMClientException wrapping any {@link KeycloakClientException}
     *         raised by the request, with the original exception kept as the cause
     */
    protected static final TokenResponse performAuthn(D4ScienceIAMClient iamClient, String clientId,
            String clientSecret, String audience) throws D4ScienceIAMClientException {

        final TokenResponse tokenResponse;
        try {
            tokenResponse = iamClient.getKeycloakClient().queryOIDCTokenWithContext(
                    iamClient.getTokenEndpointURL(),
                    clientId,
                    clientSecret,
                    audience);
        } catch (KeycloakClientException keycloakFailure) {
            // NOTE(review): the cause is propagated to callers as is; confirm that
            // KeycloakClientException messages never echo the client secret.
            throw new D4ScienceIAMClientException(keycloakFailure);
        }
        return tokenResponse;
    }

    /**
     * Builds an authorization on top of this authentication for the given audience,
     * optionally restricted to a set of permissions.
     *
     * @param audience the requested audience (e.g. a specific context)
     * @param permissions the optional permissions
     *        (NOTE(review): raw {@code List} as declared here; confirm the element type
     *        against {@code D4ScienceIAMClientAuthz})
     * @return the authz object
     * @throws D4ScienceIAMClientException if an error occurs during the authz process
     */
    public D4ScienceIAMClientAuthz authorize(String audience, List permissions)
            throws D4ScienceIAMClientException {

        D4ScienceIAMClientAuthz authz = new D4ScienceIAMClientAuthz(this, audience, permissions);
        return authz;
    }
}