# Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
# SPDX-License-Identifier: GPL-3.0-or-later

import base64

from django.contrib.auth.models import User
from django.test import TestCase
from member.models import Membership, Club
from note.models import NoteUser
from oauth2_provider.models import Application

from ..models import Role, Permission


class OAuth2TestCase(TestCase):
    fixtures = ('initial', )

    def setUp(self):
        self.user = User.objects.create(
            username="toto",
            password="toto1234",
        )

        NoteUser.objects.create(user=self.user)
        membership = Membership.objects.create(user=self.user, club_id=1)
        membership.roles.add(Role.objects.get(name="Adhérent⋅e BDE"))
        membership.save()

        bde = Club.objects.get(name="BDE")
        view_user_perm = Permission.objects.get(pk=1)  # View own user detail

        self.base_scope = f'{view_user_perm.pk}_{bde.pk}'

    def test_oauth2_authorization_code_flow(self):
        """
        Ensure OAuth2 Authorization Code Flow work
        """
        pass

    def test_oauth2_implicit_flow(self):
        """
        Ensure OAuth2 Implicit Flow work
        """
        pass

    def test_oauth2_resource_owner_password_credentials_flow(self):
        """
        Ensure OAuth2 Resource Owner Password Credentials Flow work
        """
        pass

    def test_oauth2_client_credentials(self):
        """
        Ensure OAuth2 Client Credentials work
        """
        app = Application.objects.create(
            name="Test credentials",
            client_type=Application.CLIENT_CONFIDENTIAL,
            authorization_grant_type=Application.GRANT_CLIENT_CREDENTIALS,
            user=self.user,
            hash_client_secret=False,
            algorithm=Application.NO_ALGORITHM,
        )

        # No token without credential
        resp = self.client.post('/o/token/',
                                data={"grant_type": "client_credentials"},
                                **{"Content-Type": 'application/x-www-form-urlencoded'}
                                )

        self.assertEqual(resp.status_code, 401)

        # Access with credential
        credential = base64.b64encode(f'{app.client_id}:{app.client_secret}'.encode('utf-8')).decode()

        resp = self.client.post('/o/token/',
                                data={"grant_type": "client_credentials"},
                                **{'HTTP_Authorization': f'Basic {credential}',
                                   "Content-Type": 'application/x-www-form-urlencoded'}
                                )

        self.assertEqual(resp.status_code, 200)

        token = resp.json()['access_token']

        # Token is valid but has no right
        resp = self.client.get('/api/user/{self.user.pk}',
                               **{'Authorization': f'Bearer {token}'}
                               )

        self.assertEqual(resp.status_code, 403)

        # RFC6749 4.4.2 allows use of scope in client credential flow
        resp = self.client.post('/o/token/',
                                data={"grant_type": "client_credentials",
                                      "scope": self.base_scope},
                                **{'http_Authorization': f'Basic {credential}',
                                   "Content-Type": 'application/x-www-form-urlencoded'}
                                )

        self.assertEqual(resp.status_code, 200)

        token = resp.json()['access_token']

        # Now app can see his creator
        resp = self.client.post(f'/api/user/{self.user.pk}/',
                                **{'Authorization': f'Bearer {token}'})

        self.assertEqual(resp.status_code, 200)

    def test_oidc_flow(self):
        """
        Ensure OIDC Flow work
        """
        pass