import logging
import re

from flask import request, jsonify, abort

from app import app, userevents, instance_keys
from data import model
from auth.auth import process_auth
from auth.auth_context import get_authenticated_user, get_validated_token, get_validated_oauth_token
from auth.permissions import (ModifyRepositoryPermission, ReadRepositoryPermission,
                              CreateRepositoryPermission)
from cachetools import lru_cache
from endpoints.v2 import v2_bp
from endpoints.decorators import anon_protect
from util.cache import no_cache
from util.names import parse_namespace_repository, REPOSITORY_NAME_REGEX
from util.security.registry_jwt import generate_bearer_token, build_context_and_subject


logger = logging.getLogger(__name__)


TOKEN_VALIDITY_LIFETIME_S = 60 * 60  # 1 hour
SCOPE_REGEX_TEMPLATE = (
    r'^repository:((?:{}\/)?((?:[\.a-zA-Z0-9_\-]+\/)?[\.a-zA-Z0-9_\-]+)):((?:push|pull|\*)(?:,(?:push|pull|\*))*)$'
)


@lru_cache(maxsize=1)
def get_scope_regex():
  hostname = re.escape(app.config['SERVER_HOSTNAME'])
  scope_regex_string = SCOPE_REGEX_TEMPLATE.format(hostname)
  return re.compile(scope_regex_string)


@v2_bp.route('/auth')
@process_auth
@no_cache
@anon_protect
def generate_registry_jwt():
  """ This endpoint will generate a JWT conforming to the Docker registry v2 auth spec:
      https://docs.docker.com/registry/spec/auth/token/
  """
  audience_param = request.args.get('service')
  logger.debug('Request audience: %s', audience_param)

  scope_param = request.args.get('scope') or ''
  logger.debug('Scope request: %s', scope_param)

  user = get_authenticated_user()
  logger.debug('Authenticated user: %s', user)

  token = get_validated_token()
  logger.debug('Authenticated token: %s', token)

  oauthtoken = get_validated_oauth_token()
  logger.debug('Authenticated OAuth token: %s', oauthtoken)

  auth_credentials_sent = bool(request.headers.get('authorization', ''))
  if auth_credentials_sent and not user and not token:
    # The auth credentials sent for the user are invalid.
    logger.debug('Invalid auth credentials')
    abort(401)

  access = []
  user_event_data = {
    'action': 'login',
  }

  if len(scope_param) > 0:
    match = get_scope_regex().match(scope_param)
    if match is None:
      logger.debug('Match: %s', match)
      logger.debug('len: %s', len(scope_param))
      logger.warning('Unable to decode repository and actions: %s', scope_param)
      abort(400)

    logger.debug('Match: %s', match.groups())

    registry_and_repo = match.group(1)
    namespace_and_repo = match.group(2)
    actions = match.group(3).split(',')

    lib_namespace = app.config['LIBRARY_NAMESPACE']
    namespace, reponame = parse_namespace_repository(namespace_and_repo, lib_namespace)

    # Ensure that we are never creating an invalid repository.
    if not REPOSITORY_NAME_REGEX.match(reponame):
      logger.debug('Found invalid repository name in auth flow: %s', reponame)
      abort(400)

    final_actions = []

    if 'push' in actions:
      # If there is no valid user or token, then the repository cannot be
      # accessed.
      if user is not None or token is not None:
        # Lookup the repository. If it exists, make sure the entity has modify
        # permission. Otherwise, make sure the entity has create permission.
        repo = model.repository.get_repository(namespace, reponame)
        if repo:
          if ModifyRepositoryPermission(namespace, reponame).can():
            final_actions.append('push')
          else:
            logger.debug('No permission to modify repository %s/%s', namespace, reponame)
        else:
          if CreateRepositoryPermission(namespace).can() and user is not None:
            logger.debug('Creating repository: %s/%s', namespace, reponame)
            model.repository.create_repository(namespace, reponame, user)
            final_actions.append('push')
          else:
            logger.debug('No permission to create repository %s/%s', namespace, reponame)

    if 'pull' in actions:
      # Grant pull if the user can read the repo or it is public.
      if (ReadRepositoryPermission(namespace, reponame).can() or
          model.repository.repository_is_public(namespace, reponame)):
        final_actions.append('pull')
      else:
        logger.debug('No permission to pull repository %s/%s', namespace, reponame)

    # Add the access for the JWT.
    access.append({
      'type': 'repository',
      'name': registry_and_repo,
      'actions': final_actions,
    })

    # Set the user event data for the auth.
    if 'push' in final_actions:
      user_action = 'push_start'
    elif 'pull' in final_actions:
      user_action = 'pull_start'
    else:
      user_action = 'login'

    user_event_data = {
      'action': user_action,
      'repository': reponame,
      'namespace': namespace,
    }

  elif user is None and token is None:
    # In this case, we are doing an auth flow, and it's not an anonymous pull
    logger.debug('No user and no token sent for empty scope list')
    abort(401)

  # Send the user event.
  if user is not None:
    event = userevents.get_event(user.username)
    event.publish_event_data('docker-cli', user_event_data)

  # Build the signed JWT.
  context, subject = build_context_and_subject(user, token, oauthtoken)
  token = generate_bearer_token(audience_param, subject, context, access,
                                TOKEN_VALIDITY_LIFETIME_S, instance_keys)
  return jsonify({'token': token})