package models

import (
	"database/sql"
	"errors"
	"fmt"
	"log"
	"smt/utils/token"

	"golang.org/x/crypto/bcrypt"
)

type User struct {
	UserId   int    `db:"UserId" json:"userId"`
	GroupId  int    `db:"GroupId" json:"groupId"`
	UserName string `db:"UserName" json:"userName"`
	Password string `db:"Password" json:"-"`
	LdapUser bool   `db:"LdapUser" json:"ldapUser"`
	Admin    bool   `db:"Admin"`
	//LdapDn   string `db:"LdapDN" json:"ldapDn"`
}

type UserRole struct {
	User
	RoleName string `db:"RoleName"`
	ReadOnly bool   `db:"ReadOnly"`
	Admin    bool   `db:"Admin"`
}

type UserGroup struct {
	User
	GroupName string `db:"GroupName"`
	LdapGroup bool   `db:"LdapGroup"`
	LdapDn    string `db:"LdapDN"`
	Admin     bool   `db:"Admin"`
}

type UserSafe struct {
	User
	AdminUser  bool   `db:"AdminUser"`
	AdminGroup bool   `db:"AdminGroup"`
	SafeId     int    `db:"SafeId"`
	SafeName   string `db:"SafeName"`
	GroupId    int    `db:"GroupId"`
}

func (u *User) SaveUser() (*User, error) {

	var err error

	// Validate username not already in use
	_, err = UserGetByName(u.UserName)
	if err != nil && err.Error() == "user not found" {
		log.Printf("SaveUser confirmed no existing user, continuing with creation of user '%s'\n", u.UserName)
		//log.Printf("u: %v\n", u)
		result, err := db.NamedExec((`INSERT INTO users (GroupId, UserName, Password, LdapUser, Admin) VALUES (:GroupId, :UserName, :Password, :LdapUser, :Admin)`), u)

		if err != nil {
			log.Printf("SaveUser error executing sql record : '%s'\n", err)
			return &User{}, err
		} else {
			affected, _ := result.RowsAffected()
			id, _ := result.LastInsertId()
			log.Printf("SaveUser insert returned result id '%d' affecting %d row(s).\n", id, affected)
		}
	} else {
		log.Printf("SaveUser Username already exists : '%v'\n", err)
	}

	return u, nil
}

func (u *User) DeleteUser() error {

	// Validate username exists
	_, err := UserGetByName(u.UserName)
	if err != nil {
		log.Printf("DeleteUser error finding user account to remove : '%s'\n", err)
		return err
	} else {
		log.Printf("DeleteUser confirmed user exists, continuing with deletion of user '%s'\n", u.UserName)
		result, err := db.NamedExec((`DELETE FROM users WHERE UserName = :UserName`), u)

		if err != nil {
			log.Printf("DeleteUser error executing sql delete : '%s'\n", err)
			return err
		} else {
			affected, _ := result.RowsAffected()
			id, _ := result.LastInsertId()
			log.Printf("DeleteUser returned result id '%d' affecting %d row(s).\n", id, affected)
		}

	}

	return nil
}

func VerifyPassword(password, hashedPassword string) error {

	if len(password) == 0 {
		return errors.New("unable to verify empty password")
	}

	if len(hashedPassword) == 0 {
		return errors.New("unable to compare password with empty hash")
	}

	log.Printf("VerifyPassword comparing input against hashed value '%s'\n", hashedPassword)
	return bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(password))
}

func LoginCheck(username string, password string) (string, error) {
	var err error
	newLdapUser := false
	u := User{}

	// Query database for matching user object
	err = db.QueryRowx("SELECT * FROM Users WHERE Username=?", username).StructScan(&u)

	if err != nil {
		if err == sql.ErrNoRows {
			// check LDAP if enabled
			if LdapEnabled {
				ldapUser, err := LdapLoginCheck(username, password)
				if err != nil {
					errString := fmt.Sprintf("LoginCheck error checking LDAP for user : '%s'\n", err)
					log.Print(errString)
					return "", errors.New(errString)
				}

				if ldapUser == (User{}) {
					errString := fmt.Sprintf("LoginCheck user not found in LDAP : '%s'\n", err)
					log.Print(errString)
					return "", errors.New(errString)
				} else {
					log.Printf("LoginCheck verified LDAP user successfully\n")
					u = ldapUser

					// Since this user wasn't in the database, they must have been logging in for the first time
					// So we don't need to repeat the ldap bind and verification
					newLdapUser = true

				}
			} else {
				// LDAP is not enabled, if user is not in the database then they can't login
				return "", errors.New("specified user not found in database")
			}
		} else {
			errString := fmt.Sprintf("LoginCheck error querying database : '%s'\n", err)
			log.Print(errString)
			return "", errors.New(errString)
		}
	} else {
		log.Printf("LoginCheck retrieved user '%v' from database\n", u)
	}

	log.Printf("u: %v\n", u)

	if !u.LdapUser {
		// Locally defined user, perform password verification
		err = VerifyPassword(password, u.Password)

		if err != nil && err == bcrypt.ErrMismatchedHashAndPassword {
			log.Printf("LoginCheck says password doesn't match stored hash.\n")
			return "", err
		} else {
			log.Printf("LoginCheck verified password against stored hash.\n")
		}
	} else {
		// LDAP user, verify credential if user wasn't logging in for the first time
		if !newLdapUser {
			err := VerifyLdapCreds(username, password)

			if err != nil {
				errString := fmt.Sprintf("LoginCheck LDAP user bind unsuccessful : '%s'\n", err)
				log.Print(errString)
				return "", errors.New(errString)
			} else {
				log.Printf("LoginCheck successfully verified LDAP user\n")
			}
		} else {
			log.Printf("LoginCheck no need to repeat LDAP bind for new user login\n")
		}
	}

	// If we reached this point then the login was successful
	// Generate a new token and return it to the user
	log.Printf("LoginCheck generating token for user id '%d'\n", uint(u.UserId))
	token, err := token.GenerateToken(uint(u.UserId))

	if err != nil {
		log.Printf("LoginCheck error generating token : '%s'\n", err)
		return "", err
	}

	return token, nil

}

func LdapLoginCheck(username string, password string) (User, error) {
	var u User
	u.UserName = username

	// try to get LDAP group membership
	ldapGroups, err := LdapGetGroupMembership(username, password)
	if err != nil {
		if err.Error() == "invalid user credentials" {
			return u, nil
		} else {
			return u, err
		}
	}

	// Compare all roles against the list of user's group membership
	//roleList, err := QueryRoles()
	groupList, err := GroupList()
	if err != nil {
		return u, err
	}

	matchFound := false
	/*
		for _, role := range roleList {
			for _, group := range groups {
				if role.LdapGroup == group {
					log.Printf("Found match with role '%s' and LDAP group '%s', user is allowed role ID '%d'\n", role.RoleName, role.LdapGroup, role.RoleId)
					u.RoleId = role.RoleId
					matchFound = true
					break
				} //else {
				//log.Printf("Role '%s' with LDAP group '%s' not match user group '%s'\n", role.RoleName, role.LdapGroup, group)
				//}
			}
		}
	*/
	for _, group := range groupList {
		for _, lg := range ldapGroups {
			if group.LdapDn == lg {
				log.Printf("Found match with groupname '%s' and LDAP group DN '%s', user is a member of group ID '%d'\n", group.GroupName, group.LdapDn, group.GroupId)
				u.GroupId = group.GroupId
				matchFound = true
				break
			} else {
				log.Printf("Groupname '%s' with LDAP group '%s' not match user group '%s'\n", group.GroupName, group.LdapDn, lg)
			}
		}
	}

	if matchFound {
		// If we found a match, then store user with appropriate role ID
		u.LdapUser = true
		u.SaveUser()
	}

	return u, nil
}

// StoreLdapUser creates a user record in the database and returns the corresponding userId
func StoreLdapUser(u *User) error {

	// TODO

	return nil
}

func UserGetByID(uid uint) (User, error) {

	var u User

	// Query database for matching user object
	err := db.QueryRowx("SELECT * FROM users WHERE UserId=?", uid).StructScan(&u)
	if err != nil {
		return u, errors.New("user not found")
	}
	/*
		if err := DB.First(&u, uid).Error; err != nil {
			return u, errors.New("User not found!")
		}
	*/
	//u.PrepareGive()

	return u, nil

}

func UserGetByName(username string) (User, error) {

	var u User

	// Query database for matching user object
	err := db.QueryRowx("SELECT * FROM users WHERE UserName=?", username).StructScan(&u)
	if err != nil {
		return u, errors.New("user not found")
	}

	return u, nil
}

/*
func GetUserRoleByID(uid uint) (UserRole, error) {

	var ur UserRole

	// Query database for matching user object
	log.Printf("GetUserRoleByID querying for userid '%d'\n", uid)
	err := db.QueryRowx("SELECT users.UserId, users.RoleId, users.UserName, users.Password, users.LdapUser, users.LdapDN, roles.RoleName, roles.ReadOnly, roles.Admin FROM users INNER JOIN roles ON users.RoleId = roles.RoleId WHERE users.UserId=?", uid).StructScan(&ur)
	if err != nil {
		log.Printf("GetUserRoleByID received error when querying database : '%s'\n", err)
		return ur, errors.New("GetUserRoleByID user not found")
	}

	return ur, nil
}
*/

func UserGetGroupByID(uid uint) (UserGroup, error) {

	var ug UserGroup

	// Query database for matching user object
	log.Printf("UserGetGroupByID querying for userid '%d'\n", uid)

	err := db.QueryRowx("SELECT users.UserId, users.GroupId, users.UserName, users.Password, users.LdapUser, groups.GroupName, groups.LdapGroup, groups.LdapDN, groups.Admin FROM users INNER JOIN groups ON users.GroupId = groups.GroupId WHERE users.UserId=?", uid).StructScan(&ug)
	if err != nil {
		log.Printf("UserGetGroupByID received error when querying database : '%s'\n", err)
		return ug, errors.New("UserGetGroupByID user id not found")
	}

	return ug, nil
}

/*
func UserGetRoleFromToken(c *gin.Context) (UserRole, error) {

	var ur UserRole

	user_id, err := token.ExtractTokenID(c)

	if err != nil {
		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
		return ur, err
	}

	// Query database for matching user object
	log.Printf("UserGetRoleFromToken querying for userid '%d'\n", user_id)
	err = db.QueryRowx("SELECT users.UserId, users.RoleId, users.UserName, users.Password, users.LdapUser, users.LdapDN, roles.RoleName, roles.ReadOnly, roles.Admin FROM users INNER JOIN roles ON users.RoleId = roles.RoleId WHERE users.UserId=?", user_id).StructScan(&ur)
	if err != nil {
		log.Printf("UserGetRoleFromToken received error when querying database : '%s'\n", err)
		return ur, errors.New("UserGetRoleFromToken user not found")
	}

	return ur, nil
}
*/

func UserGetSafesAllowed(userId int) ([]UserSafe, error) {

	var results []UserSafe

	// join users, groups and permissions
	rows, err := db.Queryx(`
	SELECT users.UserId, users.GroupId, users.Admin as AdminUser, groups.Admin as AdminGroup,
	permissions.SafeId, safes.SafeName FROM users
	INNER JOIN groups ON users.GroupId = groups.GroupId
	INNER JOIN permissions ON groups.GroupId = permissions.GroupId
	INNER JOIN safes on permissions.SafeId = safes.SafeId
	WHERE users.UserId=?`, userId)
	if err != nil {
		log.Printf("UserGetSafesAllowed error executing sql record : '%s'\n", err)
		return results, err
	} else {
		// parse all the results into a slice
		for rows.Next() {
			var us UserSafe
			err = rows.StructScan(&us)
			if err != nil {
				log.Printf("UserGetSafesAllowed error parsing sql record : '%s'\n", err)
				return results, err
			}
			results = append(results, us)

		}
		log.Printf("UserGetSafesAllowed retrieved '%d' results\n", len(results))
	}

	return results, nil
}

func UserList() ([]User, error) {
	var results []User

	// Query database for role definitions
	rows, err := db.Queryx("SELECT * FROM users")

	if err != nil {
		log.Printf("QueryUsers error executing sql record : '%s'\n", err)
		return results, err
	} else {
		// parse all the results into a slice
		for rows.Next() {
			var u User
			err = rows.StructScan(&u)
			if err != nil {
				log.Printf("QueryUsers error parsing sql record : '%s'\n", err)
				return results, err
			}
			results = append(results, u)

		}
		log.Printf("QueryUsers retrieved '%d' results\n", len(results))
	}

	return results, nil
}

func UserCheckIfAdmin(userId int) bool {
	// TODO

	u, err := UserGetByID(uint(userId))
	if err != nil {
		log.Printf("UserCheckIfAdmin received error : '%s'\n", err)
		return false
	}

	return u.Admin
}

func UserGetSafe() {

}

// need a way of checking what safe a user has access to
// if they only have access to one then that is easy
// if they are an admin then they have access to everything