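package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"

	"github.com/jcmturner/gokrb5/v8/client"
	"github.com/jcmturner/gokrb5/v8/config"
	"github.com/jcmturner/gokrb5/v8/iana/etypeID"
	"github.com/jcmturner/gokrb5/v8/krberror"
	"github.com/julienschmidt/httprouter"
)

// krb5Realm is the Kerberos realm that local (non-OIDC) logins are
// authenticated against.
const krb5Realm = "CRI.EPITA.FR"

// parseETypes maps the encryption type names in s to their numeric etype
// IDs. Names that etypeID.EtypeSupported does not know (it returns 0) are
// dropped; when allowWeak is false, names listed in config.WeakETypeList are
// dropped as well. The result is nil when nothing survives the filtering.
func parseETypes(s []string, allowWeak bool) []int32 {
	// Build the weak-type set once instead of re-splitting
	// config.WeakETypeList for every element of s. A nil map is fine to
	// read from, so the allowWeak case needs no special handling below.
	var weak map[string]struct{}
	if !allowWeak {
		names := strings.Fields(config.WeakETypeList)
		weak = make(map[string]struct{}, len(names))
		for _, name := range names {
			weak[name] = struct{}{}
		}
	}

	var ids []int32
	for _, name := range s {
		if _, isWeak := weak[name]; isWeak {
			continue
		}
		if id := etypeID.EtypeSupported(name); id != 0 {
			ids = append(ids, id)
		}
	}
	return ids
}

// isLocalAuthUser reports whether login appears in localAuthUsers.
func isLocalAuthUser(login string) bool {
	for _, u := range localAuthUsers {
		if u == login {
			return true
		}
	}
	return false
}

// checkAuthKrb5 authenticates the credentials carried in body (a JSON
// loginForm) against the Kerberos realm krb5Realm and, on success, delegates
// to dummyAuth to build the response. Only logins listed in localAuthUsers
// are accepted here; any other login is told to use OpenID Connect.
//
// Networking and KDC failures reported by gokrb5 are translated into
// JSON-shaped error strings ({"status": ...}); every other error is returned
// to the caller unchanged.
func checkAuthKrb5(w http.ResponseWriter, _ httprouter.Params, body []byte) (interface{}, error) {
	var lf loginForm
	if err := json.Unmarshal(body, &lf); err != nil {
		return nil, err
	}

	if !isLocalAuthUser(lf.Login) {
		// NOTE(review): this reply is distinguishable from the "Invalid
		// username or password" one below and is produced without contacting
		// the KDC, so it reveals whether a login is in localAuthUsers —
		// confirm that is acceptable for this endpoint.
		return nil, fmt.Errorf("You are not allowed to log in this way. Please use OpenID Connect.")
	}

	cnf := config.New()
	// No krb5.conf is loaded here; the KDC and realm are discovered via DNS.
	cnf.LibDefaults.DNSLookupKDC = true
	cnf.LibDefaults.DNSLookupRealm = true
	// Derive the numeric enctype ID lists from the name lists, dropping weak
	// types unless the config explicitly allows weak crypto.
	cnf.LibDefaults.DefaultTGSEnctypeIDs = parseETypes(cnf.LibDefaults.DefaultTGSEnctypes, cnf.LibDefaults.AllowWeakCrypto)
	cnf.LibDefaults.DefaultTktEnctypeIDs = parseETypes(cnf.LibDefaults.DefaultTktEnctypes, cnf.LibDefaults.AllowWeakCrypto)
	cnf.LibDefaults.PermittedEnctypeIDs = parseETypes(cnf.LibDefaults.PermittedEnctypes, cnf.LibDefaults.AllowWeakCrypto)

	c := client.NewWithPassword(lf.Login, krb5Realm, lf.Password, cnf)
	if err := c.Login(); err != nil {
		if kerr, ok := err.(krberror.Krberror); ok {
			switch kerr.RootCause {
			case krberror.NetworkingError:
				return nil, errors.New(`{"status": "Authentication system unavailable, please retry."}`)
			case krberror.KDCError:
				// Every KDC-side rejection is reported the same way so the
				// client learns nothing beyond "the credentials did not work".
				return nil, errors.New(`{"status": "Invalid username or password"}`)
			}
		}
		// Any other failure is passed through verbatim. Presumably the caller
		// decides what to show the user — TODO confirm it does not echo
		// err.Error() (which may carry KDC/library detail) to the client.
		return nil, err
	}

	return dummyAuth(w, nil, body)
}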