// http://openid.net/specs/openid-connect-core-1_0.html#IDToken
func (s *Server) generateIDToken(userData interface{}, client Client, scopesString string, nonce string, accessToken string) (string, error) {
	token := jwt.New(jwt.SigningMethodRS256)
	token.Claims["iss"] = s.Config.Issuer
	token.Claims["sub"] = userData.(User).GetSub()
	token.Claims["aud"] = client.GetId()
	token.Claims["iat"] = time.Now().Unix()
	token.Claims["nonce"] = nonce
	token.Claims["exp"] = time.Now().Add(time.Duration(s.Config.IDTokenExpiration) * time.Second).Unix()
	if accessToken != "" {
		hasher := sha256.New()
		io.WriteString(hasher, accessToken)
		sum := hasher.Sum(nil)
		accessTokenHash := base64.URLEncoding.EncodeToString(sum[0 : len(sum)/2])
		token.Claims["at_hash"] = accessTokenHash
	}
	scopes := strings.Split(scopesString, " ")
	for _, scope := range scopes {
		claims := s.ClaimManager.GetClaims(scope, userData)
		for k, v := range claims {
			token.Claims[k] = v
		}
	}
	// kid
	token.Header["kid"] = s.Config.JWTKeyID
	key, _ := jwt.ParseRSAPrivateKeyFromPEM(s.Config.JWTKey)
	a, err := token.SignedString(key)
	return a, err
}

func InitTokens() (err error) {
	signBytes, err := ioutil.ReadFile("config/rsaKey")
	if err != nil {
		log.Error("Error reading private key from file: ", err)
		return
	}

	signKey, err = jwt.ParseRSAPrivateKeyFromPEM(signBytes)
	if err != nil {
		log.Error("Error parsing private key from file: ", err)
		return
	}

	verifyBytes, err := ioutil.ReadFile("config/pubKey")
	if err != nil {
		log.Error("Error reading public key from file: ", err)
		return
	}

	verifyKey, err = jwt.ParseRSAPublicKeyFromPEM(verifyBytes)
	if err != nil {
		log.Error("Error parsing public key from file: ", err)
		return
	}
	return
}

// ReadPrivateKey is a helper function for reading an rsa.PrivateKey from a PEM-encoded file
func ReadPrivateKey(file string) (*rsa.PrivateKey, error) {
	data, err := ioutil.ReadFile(file)
	if err != nil {
		return nil, err
	}
	return jwt.ParseRSAPrivateKeyFromPEM(data)
}

// loadMintKeyByName loads a key by filename and stores it in the struct
// The function is threadsafe and panics if the key file is invalid
func LoadMintKeyByName(filename string) {

	keyPath := util.GetPaths([]string{filename})[0]

	b, err := ioutil.ReadFile(keyPath)

	if err != nil {
		log.WithFields(log.Fields{
			"path": keyPath,
		}).Panic("Failed to load mint key: ", err)
	}

	k, err := jwt.ParseRSAPrivateKeyFromPEM(b)
	if err != nil {
		log.WithFields(log.Fields{
			"path": keyPath,
		}).Panic("Failed to parse mint key: ", err)
	}

	log.WithFields(log.Fields{
		"path": keyPath,
	}).Debugf("Successfully loaded mint key from %s", keyPath)
	// Store only after we are sure loading was good

	mint.Lock()
	defer mint.Unlock()
	mint.Key = k
	mint.From = keyPath
}

// ReadPrivateKeyFromPEM is a helper function for reading a private key from a PEM-encoded file
func ReadPrivateKeyFromPEM(data []byte) (interface{}, error) {
	if key, err := jwt.ParseRSAPrivateKeyFromPEM(data); err == nil {
		return key, nil
	}
	if key, err := jwt.ParseECPrivateKeyFromPEM(data); err == nil {
		return key, nil
	}
	return nil, fmt.Errorf("data does not contain a valid RSA or ECDSA private key")
}

func NewAuthServer(rsaPrivateKey string) (*authServer, error) {
	key, err := ioutil.ReadFile(rsaPrivateKey)
	if err != nil {
		return nil, fmt.Errorf("Error reading the jwt private key: %s", err)
	}
	parsedKey, err := jwt.ParseRSAPrivateKeyFromPEM(key)
	if err != nil {
		return nil, fmt.Errorf("Error parsing the jwt private key: %s", err)
	}
	return &authServer{parsedKey}, nil
}

func GetPrivateKeyFromPath(path string) *rsa.PrivateKey {
	bytes, err := ioutil.ReadFile(path)
	if err != nil {
		log.Fatal(err)
	}
	key, err := jwt.ParseRSAPrivateKeyFromPEM(bytes)
	if err != nil {
		log.Fatal(err)
	}
	return key
}

// NewToken creates new JWT token for the gien username. It embedds the given
// public key as kontrolKey and signs the token with the private one.
func NewToken(username, private, public string) *jwt.Token {
	tknID := uuid.NewV4()

	hostname, err := os.Hostname()
	if err != nil {
		panic(err)
	}

	if username == "" {
		username = "testuser"
	}

	if testuser := os.Getenv("TESTKEY_USERNAME"); testuser != "" {
		username = testuser
	}

	claims := &kitekey.KiteClaims{
		StandardClaims: jwt.StandardClaims{
			Issuer:   "testuser",
			Subject:  username,
			Audience: hostname,
			IssuedAt: time.Now().UTC().Unix(),
			Id:       tknID.String(),
		},
		KontrolKey: public,
		KontrolURL: "http://localhost:4000/kite",
	}

	token := jwt.NewWithClaims(jwt.GetSigningMethod("RS256"), claims)

	rsaPrivate, err := jwt.ParseRSAPrivateKeyFromPEM([]byte(private))
	if err != nil {
		panic(err)
	}

	token.Raw, err = token.SignedString(rsaPrivate)
	if err != nil {
		panic(err)
	}

	// verify the token
	_, err = jwt.ParseWithClaims(token.Raw, claims, func(*jwt.Token) (interface{}, error) {
		return jwt.ParseRSAPublicKeyFromPEM([]byte(public))
	})

	if err != nil {
		panic(err)
	}

	token.Valid = true
	return token

}

// generateToken returns a JWT token string. Please see the URL for details:
// http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-13#section-4.1
func (k *Kontrol) generateToken(aud, username, issuer string, kp *KeyPair) (string, error) {
	uniqKey := aud + username + issuer + kp.ID

	k.tokenCacheMu.Lock()
	defer k.tokenCacheMu.Unlock()

	signed, ok := k.tokenCache[uniqKey]
	if ok {
		return signed, nil
	}

	rsaPrivate, err := jwt.ParseRSAPrivateKeyFromPEM([]byte(kp.Private))
	if err != nil {
		return "", err
	}

	now := time.Now().UTC()

	claims := &kitekey.KiteClaims{
		StandardClaims: jwt.StandardClaims{
			Issuer:    issuer,
			Subject:   username,
			Audience:  aud,
			ExpiresAt: now.Add(k.tokenTTL()).Add(k.tokenLeeway()).UTC().Unix(),
			IssuedAt:  now.Add(-k.tokenLeeway()).UTC().Unix(),
			Id:        uuid.NewV4().String(),
		},
	}

	if !k.TokenNoNBF {
		claims.NotBefore = now.Add(-k.tokenLeeway()).Unix()
	}

	signed, err = jwt.NewWithClaims(jwt.GetSigningMethod("RS256"), claims).SignedString(rsaPrivate)
	if err != nil {
		return "", errors.New("Server error: Cannot generate a token")
	}

	// cache our token
	k.tokenCache[uniqKey] = signed

	// cache invalidation, because we cache the token in tokenCache we need to
	// invalidate it expiration time. This was handled usually within JWT, but
	// now we have to do it manually for our own cache.
	time.AfterFunc(TokenTTL-TokenLeeway, func() {
		k.tokenCacheMu.Lock()
		defer k.tokenCacheMu.Unlock()

		delete(k.tokenCache, uniqKey)
	})

	return signed, nil
}

// ReadPublicKey is a helper function for reading an rsa.PublicKey from a PEM-encoded file
// Reads public keys from both public and private key files
func ReadPublicKey(file string) (*rsa.PublicKey, error) {
	data, err := ioutil.ReadFile(file)
	if err != nil {
		return nil, err
	}

	if privateKey, err := jwt.ParseRSAPrivateKeyFromPEM(data); err == nil {
		return &privateKey.PublicKey, nil
	}

	return jwt.ParseRSAPublicKeyFromPEM(data)
}

func ParseTestPrivateKey() interface{} {
	keyBytes, err := ioutil.ReadFile("../test_utils/private.pem")
	if err != nil {
		log.Fatal("Failed to parse private key.", err)
	}

	privateKey, err := jwt.ParseRSAPrivateKeyFromPEM(keyBytes)
	if err != nil {
		log.Fatal("Failed to parse private key.", err)
	}

	return privateKey
}

func (t *JwtToken) parsePrivateKey(keyPath string) error {
	if pem, err := ioutil.ReadFile(keyPath); err != nil {
		return err
	} else {
		if privKey, err := libjwt.ParseRSAPrivateKeyFromPEM(pem); err != nil {
			return err
		} else {
			t.privKey = privKey
			return nil
		}

	}
}

func init() {
	signBytes, err := ioutil.ReadFile(privKeyPath)
	fatal(err)

	signKey, err = jwt.ParseRSAPrivateKeyFromPEM(signBytes)
	fatal(err)

	verifyBytes, err := ioutil.ReadFile(pubKeyPath)
	fatal(err)

	verifyKey, err = jwt.ParseRSAPublicKeyFromPEM(verifyBytes)
	fatal(err)
}

func showDevAuth() {
	currentKeyBytes, _ := ioutil.ReadFile(config.GetStr(setting.JWT_RSA_KEY_LOCATION))
	currentKey, err1 := jwt.ParseRSAPrivateKeyFromPEM(currentKeyBytes)
	if err1 != nil {
		log.Panic(err1)
	}

	token := jwt.New(jwt.SigningMethodRS512)

	// Set some claims
	token.Claims["userId"] = `eeee1df4-9fae-4e32-98c1-88f850a00001`
	token.Claims["exp"] = time.Now().Add(time.Minute * 60 * 24 * 30).Unix()

	// Sign and get the complete encoded token as a string
	tokenString, _ := token.SignedString(currentKey)
	fmt.Println("Please put the following string into http 'Authorization' header:")
	fmt.Println(tokenString)
}

func TestCreateTrackerQueryREST(t *testing.T) {
	resource.Require(t, resource.Database)

	privatekey, err := jwt.ParseRSAPrivateKeyFromPEM([]byte(almtoken.RSAPrivateKey))
	if err != nil {
		t.Fatal("Could not parse Key ", err)
	}

	service := goa.New("API")

	controller := NewTrackerController(service, gormapplication.NewGormDB(DB), RwiScheduler)
	payload := app.CreateTrackerAlternatePayload{
		URL:  "http://api.github.com",
		Type: "github",
	}
	_, tracker := test.CreateTrackerCreated(t, nil, nil, controller, &payload)

	jwtMiddleware := goajwt.New(&privatekey.PublicKey, nil, app.NewJWTSecurity())
	app.UseJWTMiddleware(service, jwtMiddleware)

	controller2 := NewTrackerqueryController(service, gormapplication.NewGormDB(DB), RwiScheduler)
	app.MountTrackerqueryController(service, controller2)

	server := httptest.NewServer(service.Mux)
	tqPayload := fmt.Sprintf(`{"query": "abcdefgh", "schedule": "1 1 * * * *", "trackerID": "%s"}`, tracker.ID)
	trackerQueryCreateURL := "/api/trackerqueries"
	req, _ := http.NewRequest("POST", server.URL+trackerQueryCreateURL, strings.NewReader(tqPayload))

	jwtToken := getValidAuthHeader(t, privatekey)
	req.Header.Set("Authorization", jwtToken)
	client := http.Client{}
	res, err := client.Do(req)
	if err != nil {
		t.Fatalf("Server error %s", err)
	}
	if res.StatusCode != http.StatusCreated {
		t.Fatalf("Expected a 201 Created response, got %d", res.StatusCode)
	}

	server.Close()
}

func init() {
	signBytes, err := ioutil.ReadFile(config.Settings.PrivKeyPath)
	if err != nil {
		logger.Log("Reading private Key File "+config.Settings.PrivKeyPath+" failed, Error: "+err.Error(), logger.ERROR)
	}

	signKey, err = jwt.ParseRSAPrivateKeyFromPEM(signBytes)
	if err != nil {
		logger.Log("Parsing private Key File failed, Error: "+err.Error(), logger.ERROR)
	}

	verifyBytes, err := ioutil.ReadFile(config.Settings.PubKeyPath)
	if err != nil {
		logger.Log("Reading public Key File "+config.Settings.PubKeyPath+" failed, Error: "+err.Error(), logger.ERROR)
	}

	verifyKey, err = jwt.ParseRSAPublicKeyFromPEM(verifyBytes)
	if err != nil {
		logger.Log("Parsing public Key File failed, Error: "+err.Error(), logger.ERROR)
	}
}

func (k *Kontrol) registerUser(username, publicKey, privateKey string) (kiteKey string, err error) {
	claims := &kitekey.KiteClaims{
		StandardClaims: jwt.StandardClaims{
			Issuer:   k.Kite.Kite().Username,
			Subject:  username,
			IssuedAt: time.Now().Add(-k.tokenLeeway()).UTC().Unix(),
			Id:       uuid.NewV4().String(),
		},
		KontrolURL: k.Kite.Config.KontrolURL,
		KontrolKey: strings.TrimSpace(publicKey),
	}

	rsaPrivate, err := jwt.ParseRSAPrivateKeyFromPEM([]byte(privateKey))
	if err != nil {
		return "", err
	}

	k.Kite.Log.Info("Registered machine on user: %s", username)

	return jwt.NewWithClaims(jwt.GetSigningMethod("RS256"), claims).SignedString(rsaPrivate)
}

// ReadPublicKeysFromPEM is a helper function for reading an array of rsa.PublicKey or ecdsa.PublicKey from a PEM-encoded byte array.
// Reads public keys from both public and private key files.
func ReadPublicKeysFromPEM(data []byte) ([]interface{}, error) {
	var block *pem.Block
	keys := []interface{}{}
	for {
		// read the next block
		block, data = pem.Decode(data)
		if block == nil {
			break
		}

		// get PEM bytes for just this block
		blockData := pem.EncodeToMemory(block)
		if privateKey, err := jwt.ParseRSAPrivateKeyFromPEM(blockData); err == nil {
			keys = append(keys, &privateKey.PublicKey)
			continue
		}
		if publicKey, err := jwt.ParseRSAPublicKeyFromPEM(blockData); err == nil {
			keys = append(keys, publicKey)
			continue
		}

		if privateKey, err := jwt.ParseECPrivateKeyFromPEM(blockData); err == nil {
			keys = append(keys, &privateKey.PublicKey)
			continue
		}
		if publicKey, err := jwt.ParseECPublicKeyFromPEM(blockData); err == nil {
			keys = append(keys, publicKey)
			continue
		}

		// tolerate non-key PEM blocks for backwards compatibility
		// originally, only the first PEM block was parsed and expected to be a key block
	}

	if len(keys) == 0 {
		return nil, fmt.Errorf("data does not contain a valid RSA or ECDSA key")
	}
	return keys, nil
}

func (k *Kontrol) updateKeyWithKeyPair(t *jwt.Token, keyPair *KeyPair) string {
	claims := t.Claims.(*kitekey.KiteClaims)

	if claims.KontrolKey != "" {
		claims.KontrolKey = keyPair.Public
	}

	rsaPrivate, err := jwt.ParseRSAPrivateKeyFromPEM([]byte(keyPair.Private))
	if err != nil {
		k.log.Error("key update error for %q: %s", claims.Subject, err)

		return ""
	}

	kiteKey, err := t.SignedString(rsaPrivate)
	if err != nil {
		k.log.Error("key update error for %q: %s", claims.Subject, err)

		return ""
	}

	return kiteKey
}

func NewAuthResource(privateKeyPath, publicKeyPath string, tokenDuration time.Duration, validator AuthValidator) *AuthResource {
	verifyBytes, err := ioutil.ReadFile(publicKeyPath)
	fatal(err)

	verifyKey, err := jwt.ParseRSAPublicKeyFromPEM(verifyBytes)
	fatal(err)

	signBytes, err := ioutil.ReadFile(privateKeyPath)
	fatal(err)

	signKey, err := jwt.ParseRSAPrivateKeyFromPEM(signBytes)
	fatal(err)

	if tokenDuration < 1 {
		tokenDuration = DEFAULT_TOKEN_DURATION
	}

	if nil == validator {
		validator = DummyAuthValidator
	}

	return &AuthResource{verifyKey, signKey, tokenDuration, validator}
}