from os import environ

from django.db import transaction

from authentik.common.oauth.constants import SubModes
from authentik.core.models import Application, Group, User
from authentik.crypto.models import CertificateKeyPair
from authentik.flows.models import Flow
from authentik.policies.models import PolicyBinding
from authentik.providers.oauth2.models import (
    ClientTypes,
    IssuerMode,
    OAuth2LogoutMethod,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ScopeMapping,
)

GROUP_SPECS = [
    ("nodedc:superadmin", False),
    ("nodedc:launcher:admin", False),
    ("nodedc:launcher:user", False),
    ("nodedc:taskmanager:admin", False),
    ("nodedc:taskmanager:user", False),
]

APP_SPECS = [
    {
        "slug": "launcher",
        "name": "NODE.DC Launcher",
        "provider_name": "NODE.DC Launcher OIDC",
        "client_id_env": "LAUNCHER_OIDC_CLIENT_ID",
        "client_secret_env": "LAUNCHER_OIDC_CLIENT_SECRET",
        "redirect_uri_env": "LAUNCHER_OIDC_REDIRECT_URI",
        "launch_url": "http://launcher.local.nodedc",
        "logout_uri": "http://launcher.local.nodedc/logout",
        "groups": ["nodedc:superadmin", "nodedc:launcher:admin", "nodedc:launcher:user"],
        "description": "NODE.DC control plane launcher.",
    },
    {
        "slug": "task-manager",
        "name": "NODE.DC Task Manager",
        "provider_name": "NODE.DC Task Manager OIDC",
        "client_id_env": "PLANE_OIDC_CLIENT_ID",
        "client_secret_env": "PLANE_OIDC_CLIENT_SECRET",
        "redirect_uri_env": "PLANE_OIDC_REDIRECT_URI",
        "launch_url": "http://task.local.nodedc",
        "logout_uri": "http://task.local.nodedc/logout",
        "groups": ["nodedc:superadmin", "nodedc:taskmanager:admin", "nodedc:taskmanager:user"],
        "description": "NODE.DC Plane-based task manager.",
    },
]


def required_env(name):
    value = environ.get(name, "").strip()
    if not value:
        raise RuntimeError(f"{name} is required")
    return value


def ensure_group(name, is_superuser=False):
    group, _ = Group.objects.get_or_create(name=name)
    group.is_superuser = is_superuser
    group.save()
    return group


def ensure_groups():
    groups = {}
    for name, is_superuser in GROUP_SPECS:
        groups[name] = ensure_group(name, is_superuser)
    return groups


def ensure_user_groups(groups):
    admin_email = environ.get("NODEDC_BOOTSTRAP_ADMIN_EMAIL", "").strip()
    if not admin_email:
        return None

    user = User.objects.filter(email__iexact=admin_email).first() or User.objects.filter(
        username=admin_email
    ).first()
    if user is None:
        user = User(username=admin_email, email=admin_email, name=admin_email, type="internal")

    user.username = admin_email
    user.email = admin_email
    user.is_active = True
    user.type = "internal"
    if environ.get("NODEDC_BOOTSTRAP_ADMIN_PASSWORD"):
        user.set_password(environ["NODEDC_BOOTSTRAP_ADMIN_PASSWORD"])
    user.save()

    authentik_admins = Group.objects.filter(name="authentik Admins").first()
    if authentik_admins:
        user.groups.add(authentik_admins)

    for name in groups:
        user.groups.add(groups[name])
    return user


def ensure_groups_scope_mapping():
    mapping, _ = ScopeMapping.objects.get_or_create(
        name="NODE.DC OAuth Mapping: groups",
        defaults={
            "scope_name": "groups",
            "description": "Adds Authentik group names to NODE.DC OIDC tokens.",
            "expression": 'return {"groups": [group.name for group in request.user.groups.all()]}',
        },
    )
    mapping.scope_name = "groups"
    mapping.description = "Adds Authentik group names to NODE.DC OIDC tokens."
    mapping.expression = 'return {"groups": [group.name for group in request.user.groups.all()]}'
    mapping.save()
    return mapping


def default_scope_mappings():
    scope_names = ["openid", "email", "profile", "offline_access"]
    mappings = list(ScopeMapping.objects.filter(scope_name__in=scope_names))
    mappings.append(ensure_groups_scope_mapping())
    return mappings


def ensure_provider(spec, mappings):
    authorization_flow = Flow.objects.get(slug="default-provider-authorization-implicit-consent")
    invalidation_flow = Flow.objects.get(slug="default-provider-invalidation-flow")
    signing_key = (
        CertificateKeyPair.objects.filter(name="authentik Self-signed Certificate").first()
        or CertificateKeyPair.objects.first()
    )

    if signing_key is None:
        raise RuntimeError("No Authentik CertificateKeyPair exists for OIDC signing")

    provider = OAuth2Provider.objects.filter(name=spec["provider_name"]).first()
    if provider is None:
        provider = OAuth2Provider(name=spec["provider_name"])

    provider.name = spec["provider_name"]
    provider.client_type = ClientTypes.CONFIDENTIAL
    provider.client_id = required_env(spec["client_id_env"])
    provider.client_secret = required_env(spec["client_secret_env"])
    provider.redirect_uris = [
        RedirectURI(RedirectURIMatchingMode.STRICT, required_env(spec["redirect_uri_env"]))
    ]
    provider.logout_uri = spec["logout_uri"]
    provider.logout_method = OAuth2LogoutMethod.FRONTCHANNEL
    provider.include_claims_in_id_token = True
    provider.sub_mode = SubModes.USER_UUID
    provider.issuer_mode = IssuerMode.PER_PROVIDER
    provider.authorization_flow = authorization_flow
    provider.invalidation_flow = invalidation_flow
    provider.signing_key = signing_key
    provider.save()
    provider.property_mappings.set(mappings)
    return provider


def ensure_application(spec, provider, groups):
    application = Application.objects.filter(slug=spec["slug"]).first()
    if application is None:
        application = Application(slug=spec["slug"], name=spec["name"])

    application.name = spec["name"]
    application.slug = spec["slug"]
    application.group = "NODE.DC"
    application.provider = provider
    application.meta_launch_url = spec["launch_url"]
    application.meta_description = spec["description"]
    application.meta_publisher = "NODE.DC"
    application.open_in_new_tab = False
    application.policy_engine_mode = "any"
    application.save()

    PolicyBinding.objects.filter(target=application).exclude(
        group__name__in=spec["groups"]
    ).delete()
    for order, group_name in enumerate(spec["groups"]):
        binding = PolicyBinding.objects.filter(target=application, group=groups[group_name]).first()
        if binding is None:
            binding = PolicyBinding(target=application, group=groups[group_name])
        binding.enabled = True
        binding.negate = False
        binding.timeout = 30
        binding.failure_result = False
        binding.order = order
        binding.save()

    return application


@transaction.atomic
def main():
    groups = ensure_groups()
    user = ensure_user_groups(groups)
    mappings = default_scope_mappings()
    applications = []
    providers = []

    for spec in APP_SPECS:
        provider = ensure_provider(spec, mappings)
        application = ensure_application(spec, provider, groups)
        providers.append(provider)
        applications.append(application)

    summary = {
        "groups": list(groups),
        "admin_user": user.email if user else None,
        "applications": [application.slug for application in applications],
        "providers": [provider.name for provider in providers],
    }
    print(summary)


main()