package server

import (
	"context"
	"crypto/md5"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
	"time"

	"github.com/navidrome/navidrome/conf"
	"github.com/navidrome/navidrome/consts"
	"github.com/navidrome/navidrome/core/auth"
	"github.com/navidrome/navidrome/model"
	"github.com/navidrome/navidrome/model/id"
	"github.com/navidrome/navidrome/model/request"
	"github.com/navidrome/navidrome/tests"
	. "github.com/onsi/ginkgo/v2"
	. "github.com/onsi/gomega"
)

var _ = Describe("Auth", func() {
	Describe("User login", func() {
		var ds model.DataStore
		var req *http.Request
		var resp *httptest.ResponseRecorder

		BeforeEach(func() {
			ds = &tests.MockDataStore{}
			auth.Init(ds)
		})

		Describe("createAdmin", func() {
			var createdAt time.Time
			BeforeEach(func() {
				req = httptest.NewRequest("POST", "/createAdmin", strings.NewReader(`{"username":"johndoe", "password":"secret"}`))
				resp = httptest.NewRecorder()
				createdAt = time.Now()
				createAdmin(ds)(resp, req)
			})

			It("creates an admin user with the specified password", func() {
				usr := ds.User(context.Background())
				u, err := usr.FindByUsername("johndoe")
				Expect(err).To(BeNil())
				Expect(u.Password).ToNot(BeEmpty())
				Expect(u.IsAdmin).To(BeTrue())
				Expect(*u.LastLoginAt).To(BeTemporally(">=", createdAt, time.Second))
			})

			It("returns the expected payload", func() {
				Expect(resp.Code).To(Equal(http.StatusOK))
				var parsed map[string]interface{}
				Expect(json.Unmarshal(resp.Body.Bytes(), &parsed)).To(BeNil())
				Expect(parsed["isAdmin"]).To(Equal(true))
				Expect(parsed["username"]).To(Equal("johndoe"))
				Expect(parsed["name"]).To(Equal("Johndoe"))
				Expect(parsed["id"]).ToNot(BeEmpty())
				Expect(parsed["token"]).ToNot(BeEmpty())
			})
		})

		Describe("Login from HTTP headers", func() {
			const (
				trustedIpv4   = "192.168.0.42"
				untrustedIpv4 = "8.8.8.8"
				trustedIpv6   = "2001:4860:4860:1234:5678:0000:4242:8888"
				untrustedIpv6 = "5005:0:3003"
			)

			fs := os.DirFS("tests/fixtures")

			BeforeEach(func() {
				usr := ds.User(context.Background())
				_ = usr.Put(&model.User{ID: "111", UserName: "janedoe", NewPassword: "abc123", Name: "Jane", IsAdmin: false})
				req = httptest.NewRequest("GET", "/index.html", nil)
				req.Header.Add("Remote-User", "janedoe")
				resp = httptest.NewRecorder()
				conf.Server.UILoginBackgroundURL = ""
				conf.Server.ReverseProxyWhitelist = "192.168.0.0/16,2001:4860:4860::/48"
			})

			It("sets auth data if IPv4 matches whitelist", func() {
				req = req.WithContext(request.WithReverseProxyIp(req.Context(), trustedIpv4))
				serveIndex(ds, fs, nil)(resp, req)

				config := extractAppConfig(resp.Body.String())
				parsed := config["auth"].(map[string]interface{})

				Expect(parsed["id"]).To(Equal("111"))
			})

			It("sets no auth data if IPv4 does not match whitelist", func() {
				req = req.WithContext(request.WithReverseProxyIp(req.Context(), untrustedIpv4))
				serveIndex(ds, fs, nil)(resp, req)

				config := extractAppConfig(resp.Body.String())
				Expect(config["auth"]).To(BeNil())
			})

			It("sets auth data if IPv6 matches whitelist", func() {
				req = req.WithContext(request.WithReverseProxyIp(req.Context(), trustedIpv6))
				serveIndex(ds, fs, nil)(resp, req)

				config := extractAppConfig(resp.Body.String())
				parsed := config["auth"].(map[string]interface{})

				Expect(parsed["id"]).To(Equal("111"))
			})

			It("sets no auth data if IPv6 does not match whitelist", func() {
				req = req.WithContext(request.WithReverseProxyIp(req.Context(), untrustedIpv6))
				serveIndex(ds, fs, nil)(resp, req)

				config := extractAppConfig(resp.Body.String())
				Expect(config["auth"]).To(BeNil())
			})

			It("creates user and sets auth data if user does not exist", func() {
				newUser := "NEW_USER_" + id.NewRandom()

				req = req.WithContext(request.WithReverseProxyIp(req.Context(), trustedIpv4))
				req.Header.Set("Remote-User", newUser)
				serveIndex(ds, fs, nil)(resp, req)

				config := extractAppConfig(resp.Body.String())
				parsed := config["auth"].(map[string]interface{})

				Expect(parsed["username"]).To(Equal(newUser))
			})

			It("sets auth data if user exists", func() {
				req = req.WithContext(request.WithReverseProxyIp(req.Context(), trustedIpv4))
				serveIndex(ds, fs, nil)(resp, req)

				config := extractAppConfig(resp.Body.String())
				parsed := config["auth"].(map[string]interface{})

				Expect(parsed["id"]).To(Equal("111"))
				Expect(parsed["isAdmin"]).To(BeFalse())
				Expect(parsed["name"]).To(Equal("Jane"))
				Expect(parsed["username"]).To(Equal("janedoe"))
				Expect(parsed["subsonicSalt"]).ToNot(BeEmpty())
				Expect(parsed["subsonicToken"]).ToNot(BeEmpty())
				salt := parsed["subsonicSalt"].(string)
				token := fmt.Sprintf("%x", md5.Sum([]byte("abc123"+salt)))
				Expect(parsed["subsonicToken"]).To(Equal(token))

				// Request Header authentication should not generate a JWT token
				Expect(parsed).ToNot(HaveKey("token"))
			})

			It("does not set auth data when listening on unix socket without whitelist", func() {
				conf.Server.Address = "unix:/tmp/navidrome-test"
				conf.Server.ReverseProxyWhitelist = ""

				// No ReverseProxyIp in request context
				serveIndex(ds, fs, nil)(resp, req)

				config := extractAppConfig(resp.Body.String())
				Expect(config["auth"]).To(BeNil())
			})

			It("does not set auth data when listening on unix socket with incorrect whitelist", func() {
				conf.Server.Address = "unix:/tmp/navidrome-test"

				req = req.WithContext(request.WithReverseProxyIp(req.Context(), "@"))
				serveIndex(ds, fs, nil)(resp, req)

				config := extractAppConfig(resp.Body.String())
				Expect(config["auth"]).To(BeNil())
			})

			It("sets auth data when listening on unix socket with correct whitelist", func() {
				conf.Server.Address = "unix:/tmp/navidrome-test"
				conf.Server.ReverseProxyWhitelist = conf.Server.ReverseProxyWhitelist + ",@"

				req = req.WithContext(request.WithReverseProxyIp(req.Context(), "@"))
				serveIndex(ds, fs, nil)(resp, req)

				config := extractAppConfig(resp.Body.String())
				parsed := config["auth"].(map[string]interface{})

				Expect(parsed["id"]).To(Equal("111"))
			})
		})

		Describe("login", func() {
			BeforeEach(func() {
				req = httptest.NewRequest("POST", "/login", strings.NewReader(`{"username":"janedoe", "password":"abc123"}`))
				resp = httptest.NewRecorder()
			})

			It("fails if user does not exist", func() {
				login(ds)(resp, req)
				Expect(resp.Code).To(Equal(http.StatusUnauthorized))
			})

			It("logs in successfully if user exists", func() {
				usr := ds.User(context.Background())
				_ = usr.Put(&model.User{ID: "111", UserName: "janedoe", NewPassword: "abc123", Name: "Jane", IsAdmin: false})

				login(ds)(resp, req)
				Expect(resp.Code).To(Equal(http.StatusOK))

				var parsed map[string]interface{}
				Expect(json.Unmarshal(resp.Body.Bytes(), &parsed)).To(BeNil())
				Expect(parsed["isAdmin"]).To(Equal(false))
				Expect(parsed["username"]).To(Equal("janedoe"))
				Expect(parsed["name"]).To(Equal("Jane"))
				Expect(parsed["id"]).ToNot(BeEmpty())
				Expect(parsed["token"]).ToNot(BeEmpty())
			})
		})
	})

	Describe("tokenFromHeader", func() {
		It("returns the token when the Authorization header is set correctly", func() {
			req := httptest.NewRequest("GET", "/", nil)
			req.Header.Set(consts.UIAuthorizationHeader, "Bearer testtoken")

			token := tokenFromHeader(req)
			Expect(token).To(Equal("testtoken"))
		})

		It("returns an empty string when the Authorization header is not set", func() {
			req := httptest.NewRequest("GET", "/", nil)

			token := tokenFromHeader(req)
			Expect(token).To(BeEmpty())
		})

		It("returns an empty string when the Authorization header is not a Bearer token", func() {
			req := httptest.NewRequest("GET", "/", nil)
			req.Header.Set(consts.UIAuthorizationHeader, "Basic testtoken")

			token := tokenFromHeader(req)
			Expect(token).To(BeEmpty())
		})

		It("returns an empty string when the Bearer token is too short", func() {
			req := httptest.NewRequest("GET", "/", nil)
			req.Header.Set(consts.UIAuthorizationHeader, "Bearer")

			token := tokenFromHeader(req)
			Expect(token).To(BeEmpty())
		})
	})

	Describe("validateIPAgainstList", func() {
		Context("when provided with empty inputs", func() {
			It("should return false", func() {
				Expect(validateIPAgainstList("", "")).To(BeFalse())
				Expect(validateIPAgainstList("192.168.1.1", "")).To(BeFalse())
				Expect(validateIPAgainstList("", "192.168.0.0/16")).To(BeFalse())
			})
		})

		Context("when provided with invalid IP inputs", func() {
			It("should return false", func() {
				Expect(validateIPAgainstList("invalidIP", "192.168.0.0/16")).To(BeFalse())
			})
		})

		Context("when provided with valid inputs", func() {
			It("should return true when IP is in the list", func() {
				Expect(validateIPAgainstList("192.168.1.1", "192.168.0.0/16,10.0.0.0/8")).To(BeTrue())
				Expect(validateIPAgainstList("10.0.0.1", "192.168.0.0/16,10.0.0.0/8")).To(BeTrue())
			})

			It("should return false when IP is not in the list", func() {
				Expect(validateIPAgainstList("172.16.0.1", "192.168.0.0/16,10.0.0.0/8")).To(BeFalse())
			})
		})

		Context("when provided with invalid CIDR notation in the list", func() {
			It("should ignore invalid CIDR and return the correct result", func() {
				Expect(validateIPAgainstList("192.168.1.1", "192.168.0.0/16,invalidCIDR")).To(BeTrue())
				Expect(validateIPAgainstList("10.0.0.1", "invalidCIDR,10.0.0.0/8")).To(BeTrue())
				Expect(validateIPAgainstList("172.16.0.1", "192.168.0.0/16,invalidCIDR")).To(BeFalse())
			})
		})

		Context("when provided with IP:port format", func() {
			It("should handle IP:port format correctly", func() {
				Expect(validateIPAgainstList("192.168.1.1:8080", "192.168.0.0/16,10.0.0.0/8")).To(BeTrue())
				Expect(validateIPAgainstList("10.0.0.1:1234", "192.168.0.0/16,10.0.0.0/8")).To(BeTrue())
				Expect(validateIPAgainstList("172.16.0.1:9999", "192.168.0.0/16,10.0.0.0/8")).To(BeFalse())
			})
		})
	})
})