package com.atlassian.asap.core.server.jersey;
   
   import com.atlassian.asap.api.Jwt;
   import com.atlassian.asap.api.exception.AuthorizationFailedException;
   import org.apache.commons.lang3.StringUtils;
   
   import java.util.Arrays;
   import java.util.Collections;
   import java.util.Map;
  import java.util.Set;
  import java.util.function.Function;
  import java.util.stream.Collectors;
  import java.util.stream.Stream;
  
  import static com.atlassian.asap.core.server.jersey.Memoizer.memoize;
  import static java.lang.String.format;
  import static java.util.Objects.requireNonNull;
  
  /**
   * Validates a valid {@link Jwt} token against a whitelist of acceptable subjects and/or issuers.
   */
  @SuppressWarnings("WeakerAccess")
  public class AsapValidator {
  
      private final Function<Asap, Whitelist> whitelistProvider;
  
      public AsapValidator(Function<Asap, Whitelist> whitelistProvider) {
          this.whitelistProvider = requireNonNull(whitelistProvider);
      }
  
  
      public static AsapValidator newAnnotationValidator() {
          return new AsapValidator(memoize(new AsapWhitelistProvider()));
      }
  
      public static AsapValidator newEnvironmentVariablesValidator() {
          return new AsapValidator(memoize(new EnvironmentVariablesWhitelistProvider()));
      }
  
      /**
       * This validator gives preferential treatment to the subjects and issuers present in the Asap annotation.
       * If either of them is not present in the asap annotation then it falls back to the supplied one.
       *
       * @param authorizedSubjects - Set of authorized subjects
       * @param authorizedIssuers  - Set of authorized Issuers
       * @return AsapValidator with annotation support with fallback to configuration
       */
      public static AsapValidator newAnnotationWithConfigValidator(final Set<String> authorizedSubjects, final Set<String> authorizedIssuers) {
          return new AsapValidator(new AsapAnnotationWhitelistProviderWithConfigSupport(authorizedSubjects, authorizedIssuers));
      }
  
  
      private static String joinSet(final Set<String> validIssuers) {
          return String.join(",", validIssuers);
      }
  
      /**
       * Validates a jwt token.
       *
       * @param asap The annotation instance on a method, class, or package
       * @param jwt  The jwt token
       * @throws AuthorizationFailedException If the authorized subjects or issuers fails
       */
      public void validate(Asap asap, Jwt jwt) throws AuthorizationFailedException {
          Whitelist whitelist = whitelistProvider.apply(asap);
          validateSubject(whitelist, jwt);
          validateIssuer(whitelist, jwt);
      }
  
      private void validateIssuer(final Whitelist whitelist, final Jwt jwt)
              throws AuthorizationFailedException {
          String issuer = jwt.getClaims().getIssuer();
          Set<String> validIssuers = !whitelist.authorizedIssuers.isEmpty() ? whitelist.authorizedIssuers :
                  whitelist.authorizedSubjects;
          if (!validIssuers.isEmpty() && !validIssuers.contains(issuer)) {
              throw new AuthorizationFailedException(format("Unacceptable issuer ('%s' not in '%s')", issuer,
                      joinSet(validIssuers)));
          }
      }
  
      private void validateSubject(final Whitelist whitelist, final Jwt jwt) throws AuthorizationFailedException {
          String subject = jwt.getClaims().getSubject().orElse(jwt.getClaims().getIssuer());
          if (!whitelist.authorizedSubjects.isEmpty() &&
                  !whitelist.authorizedSubjects.contains(subject)) {
              throw new AuthorizationFailedException(format("Unacceptable subject ('%s' not in '%s')", subject,
                      joinSet(whitelist.authorizedSubjects)));
          }
      }
  
      /**
       * Provides whitelisted values.  If empty, treat as all allowed.
       */
      @SuppressWarnings("checkstyle:VisiblityModifier")
      public static class Whitelist {
          private final Set<String> authorizedSubjects;
          private final Set<String> authorizedIssuers;
  
          public Whitelist(final Set<String> authorizedSubjects, final Set<String> authorizedIssuers) {
              this.authorizedSubjects = Collections.unmodifiableSet(requireNonNull(authorizedSubjects));
             this.authorizedIssuers = Collections.unmodifiableSet(requireNonNull(authorizedIssuers));
         }
 
         Set<String> getAuthorizedSubjects() {
             return authorizedSubjects;
         }
 
         Set<String> getAuthorizedIssuers() {
             return authorizedIssuers;
         }
     }
 
     public static class AsapWhitelistProvider implements Function<Asap, Whitelist> {
         @Override
         public Whitelist apply(final Asap asap) {
             return new Whitelist(
                     Arrays.stream(asap.authorizedSubjects()).collect(Collectors.toSet()),
                     Arrays.stream(asap.authorizedIssuers()).collect(Collectors.toSet())
             );
         }
     }
 
 
     public static class AsapAnnotationWhitelistProviderWithConfigSupport implements Function<Asap, Whitelist> {
 
         private final Whitelist whiteList;
 
         public AsapAnnotationWhitelistProviderWithConfigSupport(final Set<String> authorizedSubjects, final Set<String> authorizedIssuers) {
             this.whiteList = new Whitelist(authorizedSubjects, authorizedIssuers);
 
         }
 
         @Override
         public Whitelist apply(final Asap asap) {
 
             if (asap.authorizedIssuers().length == 0 && asap.authorizedSubjects().length == 0) {
                 return whiteList;
             }
             return new Whitelist(
                     Arrays.stream(asap.authorizedSubjects()).collect(Collectors.toSet()),
                     Arrays.stream(asap.authorizedIssuers()).collect(Collectors.toSet())
             );
         }
     }
 
 
     /**
      * Provides the whitelist from environment variables.  The values should be comma-delimited, and an empty or missing
      * value will be treated as allow all.
      */
     public static class EnvironmentVariablesWhitelistProvider implements Function<Asap, Whitelist> {
         public static final String AUTHORIZED_SUBJECTS_KEY = "ASAP_AUTHORIZED_SUBJECTS";
         public static final String AUTHORIZED_ISSUERS_KEY = "ASAP_AUTHORIZED_ISSUERS";
 
         private final String authorizedSubjectsVariableName;
         private final String authorizedIssuersVariableName;
         private final Map<String, String> variables;
 
         public EnvironmentVariablesWhitelistProvider() {
             this(AUTHORIZED_SUBJECTS_KEY, AUTHORIZED_ISSUERS_KEY, System.getenv());
         }
 
         public EnvironmentVariablesWhitelistProvider(final String authorizedSubjectsVariableName,
                                                      final String authorizedIssuersVariableName, Map<String, String> variables) {
             this.authorizedSubjectsVariableName = requireNonNull(authorizedSubjectsVariableName);
             this.authorizedIssuersVariableName = requireNonNull(authorizedIssuersVariableName);
             this.variables = variables;
         }
 
         @Override
         public Whitelist apply(final Asap asap) {
             return new Whitelist(
                     getEnv(authorizedSubjectsVariableName),
                     getEnv(authorizedIssuersVariableName)
             );
         }
 
         private Set<String> getEnv(String name) {
             return Stream.of(variables.getOrDefault(name, "").split(","))
                     .map(String::trim)
                     .filter(StringUtils::isNotEmpty)
                     .collect(Collectors.toSet());
         }
     }
 }