// Copyright Epic Games, Inc. All Rights Reserved.

#include "zenhttp/security/passwordsecurity.h"
#include <zencore/compactbinaryutil.h>
#include <zencore/fmtutils.h>
#include <zencore/string.h>

#if ZEN_WITH_TESTS
#	include <zencore/compactbinarybuilder.h>
#	include <zencore/testing.h>
#endif	// ZEN_WITH_TESTS

namespace zen {
using namespace std::literals;

PasswordSecurity::PasswordSecurity(const PasswordSecurityConfiguration& Config) : m_Config(Config)
{
	m_UnprotectedUrlHashes.reserve(m_Config.UnprotectedUris.size());
	for (uint32_t Index = 0; Index < m_Config.UnprotectedUris.size(); Index++)
	{
		const std::string& UnprotectedUri = m_Config.UnprotectedUris[Index];
		if (auto Result = m_UnprotectedUrlHashes.insert({HashStringDjb2(UnprotectedUri), Index}); !Result.second)
		{
			throw std::runtime_error(fmt::format(
				"password security unprotected uris does not generate unique hashes. Uri #{} ('{}') collides with uri #{} ('{}')",
				Index + 1,
				UnprotectedUri,
				Result.first->second + 1,
				m_Config.UnprotectedUris[Result.first->second]));
		}
	}
}

bool
PasswordSecurity::IsUnprotectedUri(std::string_view Uri) const
{
	if (!m_Config.UnprotectedUris.empty())
	{
		uint32_t UriHash = HashStringDjb2(Uri);
		if (auto It = m_UnprotectedUrlHashes.find(UriHash); It != m_UnprotectedUrlHashes.end())
		{
			if (m_Config.UnprotectedUris[It->second] == Uri)
			{
				return true;
			}
		}
	}
	return false;
}

PasswordSecurityConfiguration
ReadPasswordSecurityConfiguration(CbObjectView ConfigObject)
{
	return PasswordSecurityConfiguration{
		.Password					 = std::string(ConfigObject["password"sv].AsString()),
		.ProtectMachineLocalRequests = ConfigObject["protect-machine-local-requests"sv].AsBool(),
		.UnprotectedUris			 = compactbinary_helpers::ReadArray<std::string>("unprotected-urls"sv, ConfigObject)};
}

bool
PasswordSecurity::IsAllowed(std::string_view InPassword, std::string_view Uri, bool IsMachineLocalRequest)
{
	if (IsUnprotectedUri(Uri))
	{
		return true;
	}
	if (!ProtectMachineLocalRequests() && IsMachineLocalRequest)
	{
		return true;
	}
	if (Password().empty())
	{
		return true;
	}
	if (Password() == InPassword)
	{
		return true;
	}
	return false;
}

#if ZEN_WITH_TESTS

TEST_CASE("passwordsecurity.readconfig")
{
	auto ReadConfigJson = [](std::string_view Json) {
		std::string JsonError;
		CbObject	Config = LoadCompactBinaryFromJson(Json, JsonError).AsObject();
		REQUIRE(JsonError.empty());
		return Config;
	};

	{
		PasswordSecurityConfiguration EmptyConfig = ReadPasswordSecurityConfiguration(CbObject());
		CHECK(EmptyConfig.Password.empty());
		CHECK(!EmptyConfig.ProtectMachineLocalRequests);
		CHECK(EmptyConfig.UnprotectedUris.empty());
	}

	{
		const std::string_view SimpleConfigJson =
			"{\n"
			"    \"password\": \"1234\"\n"
			"}";
		PasswordSecurityConfiguration SimpleConfig = ReadPasswordSecurityConfiguration(ReadConfigJson(SimpleConfigJson));
		CHECK(SimpleConfig.Password == "1234");
		CHECK(!SimpleConfig.ProtectMachineLocalRequests);
		CHECK(SimpleConfig.UnprotectedUris.empty());
	}

	{
		const std::string_view ComplexConfigJson =
			"{\n"
			"    \"password\": \"1234\",\n"
			"    \"protect-machine-local-requests\": true,\n"
			"    \"unprotected-urls\": [\n"
			"        \"/health\",\n"
			"        \"/health/info\",\n"
			"        \"/health/version\"\n"
			"    ]\n"
			"}";
		PasswordSecurityConfiguration ComplexConfig = ReadPasswordSecurityConfiguration(ReadConfigJson(ComplexConfigJson));
		CHECK(ComplexConfig.Password == "1234");
		CHECK(ComplexConfig.ProtectMachineLocalRequests);
		CHECK(ComplexConfig.UnprotectedUris == std::vector<std::string>({"/health", "/health/info", "/health/version"}));
	}
}

TEST_CASE("passwordsecurity.allowanything")
{
	PasswordSecurity Anything({});
	CHECK(Anything.IsAllowed(""sv, "/supersecret/uri", /*IsMachineLocalRequest*/ false));
	CHECK(Anything.IsAllowed(""sv, "/supersecret/uri", /*IsMachineLocalRequest*/ true));
	CHECK(Anything.IsAllowed("thewrongpassword"sv, "/supersecret/uri", /*IsMachineLocalRequest*/ false));
	CHECK(Anything.IsAllowed("thewrongpassword"sv, "/supersecret/uri", /*IsMachineLocalRequest*/ true));
}

TEST_CASE("passwordsecurity.allowalllocal")
{
	PasswordSecurity AllLocal({.Password = "123456"});
	CHECK(AllLocal.IsAllowed(""sv, "/supersecret/uri", /*IsMachineLocalRequest*/ true));
	CHECK(!AllLocal.IsAllowed(""sv, "/supersecret/uri", /*IsMachineLocalRequest*/ false));
	CHECK(AllLocal.IsAllowed("thewrongpassword"sv, "/supersecret/uri", /*IsMachineLocalRequest*/ true));
	CHECK(!AllLocal.IsAllowed("thewrongpassword"sv, "/supersecret/uri", /*IsMachineLocalRequest*/ false));
	CHECK(AllLocal.IsAllowed("123456"sv, "/supersecret/uri", /*IsMachineLocalRequest*/ true));
}

TEST_CASE("passwordsecurity.allowonlypassword")
{
	PasswordSecurity AllLocal({.Password = "123456", .ProtectMachineLocalRequests = true});
	CHECK(!AllLocal.IsAllowed(""sv, "/supersecret/uri", /*IsMachineLocalRequest*/ true));
	CHECK(AllLocal.IsAllowed("123456"sv, "/supersecret/uri", /*IsMachineLocalRequest*/ true));
	CHECK(!AllLocal.IsAllowed(""sv, "/supersecret/uri", /*IsMachineLocalRequest*/ false));
	CHECK(!AllLocal.IsAllowed("thewrongpassword"sv, "/supersecret/uri", /*IsMachineLocalRequest*/ true));
	CHECK(!AllLocal.IsAllowed("thewrongpassword"sv, "/supersecret/uri", /*IsMachineLocalRequest*/ false));
	CHECK(AllLocal.IsAllowed("123456"sv, "/supersecret/uri", /*IsMachineLocalRequest*/ false));
}

TEST_CASE("passwordsecurity.allowsomeexternaluris")
{
	PasswordSecurity AllLocal(
		{.Password = "123456", .ProtectMachineLocalRequests = false, .UnprotectedUris = std::vector<std::string>({"/free/access", "/ok"})});
	CHECK(AllLocal.IsAllowed(""sv, "/supersecret/uri", /*IsMachineLocalRequest*/ true));
	CHECK(AllLocal.IsAllowed("123456"sv, "/supersecret/uri", /*IsMachineLocalRequest*/ true));
	CHECK(!AllLocal.IsAllowed(""sv, "/supersecret/uri", /*IsMachineLocalRequest*/ false));
	CHECK(AllLocal.IsAllowed("thewrongpassword"sv, "/supersecret/uri", /*IsMachineLocalRequest*/ true));
	CHECK(!AllLocal.IsAllowed("thewrongpassword"sv, "/supersecret/uri", /*IsMachineLocalRequest*/ false));
	CHECK(AllLocal.IsAllowed(""sv, "/free/access", /*IsMachineLocalRequest*/ true));
	CHECK(AllLocal.IsAllowed(""sv, "/ok", /*IsMachineLocalRequest*/ true));
	CHECK(AllLocal.IsAllowed("thewrongpassword"sv, "/free/access", /*IsMachineLocalRequest*/ true));
	CHECK(AllLocal.IsAllowed("thewrongpassword"sv, "/ok", /*IsMachineLocalRequest*/ true));
	CHECK(AllLocal.IsAllowed(""sv, "/free/access", /*IsMachineLocalRequest*/ false));
	CHECK(AllLocal.IsAllowed(""sv, "/ok", /*IsMachineLocalRequest*/ false));
	CHECK(AllLocal.IsAllowed("thewrongpassword"sv, "/free/access", /*IsMachineLocalRequest*/ false));
	CHECK(AllLocal.IsAllowed("thewrongpassword"sv, "/ok", /*IsMachineLocalRequest*/ false));
	CHECK(AllLocal.IsAllowed("123456"sv, "/supersecret/uri", /*IsMachineLocalRequest*/ false));
}

TEST_CASE("passwordsecurity.allowsomelocaluris")
{
	PasswordSecurity AllLocal(
		{.Password = "123456", .ProtectMachineLocalRequests = true, .UnprotectedUris = std::vector<std::string>({"/free/access", "/ok"})});
	CHECK(!AllLocal.IsAllowed(""sv, "/supersecret/uri", /*IsMachineLocalRequest*/ true));
	CHECK(AllLocal.IsAllowed("123456"sv, "/supersecret/uri", /*IsMachineLocalRequest*/ true));
	CHECK(!AllLocal.IsAllowed(""sv, "/supersecret/uri", /*IsMachineLocalRequest*/ false));
	CHECK(!AllLocal.IsAllowed("thewrongpassword"sv, "/supersecret/uri", /*IsMachineLocalRequest*/ true));
	CHECK(!AllLocal.IsAllowed("thewrongpassword"sv, "/supersecret/uri", /*IsMachineLocalRequest*/ false));
	CHECK(AllLocal.IsAllowed(""sv, "/free/access", /*IsMachineLocalRequest*/ true));
	CHECK(AllLocal.IsAllowed(""sv, "/ok", /*IsMachineLocalRequest*/ true));
	CHECK(AllLocal.IsAllowed("thewrongpassword"sv, "/free/access", /*IsMachineLocalRequest*/ true));
	CHECK(AllLocal.IsAllowed("thewrongpassword"sv, "/ok", /*IsMachineLocalRequest*/ true));
	CHECK(AllLocal.IsAllowed(""sv, "/free/access", /*IsMachineLocalRequest*/ false));
	CHECK(AllLocal.IsAllowed(""sv, "/ok", /*IsMachineLocalRequest*/ false));
	CHECK(AllLocal.IsAllowed("thewrongpassword"sv, "/free/access", /*IsMachineLocalRequest*/ false));
	CHECK(AllLocal.IsAllowed("thewrongpassword"sv, "/ok", /*IsMachineLocalRequest*/ false));
	CHECK(AllLocal.IsAllowed("123456"sv, "/supersecret/uri", /*IsMachineLocalRequest*/ false));
}

TEST_CASE("passwordsecurity.conflictingunprotecteduris")
{
	try
	{
		PasswordSecurity AllLocal({.Password					= "123456",
								   .ProtectMachineLocalRequests = true,
								   .UnprotectedUris				= std::vector<std::string>({"/free/access", "/free/access"})});
		CHECK(false);
	}
	catch (const std::runtime_error& Ex)
	{
		CHECK_EQ(Ex.what(),
				 std::string("password security unprotected uris does not generate unique hashes. Uri #2 ('/free/access') collides with "
							 "uri #1 ('/free/access')"));
	}
}
void
passwordsecurity_forcelink()
{
}
#endif	// ZEN_WITH_TESTS

}  // namespace zen