pub use microrm::prelude::*;
use serde::{Deserialize, Serialize};
use strum::EnumString;

use crate::key::KeyType;

// ----------------------------------------------------------------------
// Session types
// ----------------------------------------------------------------------

#[derive(Entity)]
pub struct Session {
    #[key]
    pub session_id: String,
    pub auth: microrm::RelationMap<SessionAuth>,
    pub expiry: time::OffsetDateTime,
}

#[derive(Entity)]
pub struct SessionAuth {
    pub realm: RealmID,

    pub user: Option<UserID>,

    pub pending_user: Option<UserID>,
    pub pending_challenges: microrm::Serialized<Vec<AuthChallengeType>>,
}

#[derive(Clone, PartialEq, PartialOrd, Serialize, Deserialize, Debug)]
pub enum AuthChallengeType {
    Username,
    Password,
    Totp,
    Grid,
    WebAuthn,
}

#[derive(Entity)]
pub struct AuthChallenge {
    #[key]
    pub user_id: UserID,
    #[key]
    pub challenge_type: microrm::Serialized<AuthChallengeType>,
    #[elide]
    pub public: Vec<u8>,
    #[elide]
    pub secret: Vec<u8>,
    pub enabled: bool,
}

#[derive(Entity)]
pub struct SingleUseAuth {
    #[key]
    pub code: String,
    pub user: UserID,
    pub expiry: time::OffsetDateTime,
}

// ----------------------------------------------------------------------
// OIDC types
// ----------------------------------------------------------------------

pub struct UserGroupRelation;
impl microrm::Relation for UserGroupRelation {
    type Domain = User;
    type Range = Group;
    const NAME: &'static str = "UserGroup";
}

pub struct GroupRoleRelation;
impl microrm::Relation for GroupRoleRelation {
    type Domain = Group;
    type Range = Role;
    const NAME: &'static str = "GroupRole";
}

#[derive(serde::Serialize, serde::Deserialize, Clone, Copy, PartialEq, Eq, Debug)]
pub enum KeyState {
    /// Key can be used without restrictions for signing and verification.
    Active,
    /// Key will be used for signing only if no other key of the same type is found, but is still
    /// good for verification of existing tokens.
    Retiring,
    /// Key is now fully retired and will not be used for signing or for verification.
    Retired,
}

#[derive(Entity)]
pub struct Key {
    #[key]
    pub key_id: String,
    pub key_type: microrm::Serialized<KeyType>,
    pub key_state: microrm::Serialized<KeyState>,
    pub public_data: Vec<u8>,
    #[elide]
    pub secret_data: Vec<u8>,
    pub expiry: time::OffsetDateTime,
}

#[derive(Entity)]
pub struct User {
    #[key]
    pub realm: RealmID,
    #[key]
    pub username: String,

    pub pending_external_auths: microrm::Serialized<Vec<ExternalAuthProvider>>,

    pub auth: microrm::RelationMap<AuthChallenge>,
    pub groups: microrm::RelationDomain<UserGroupRelation>,
}

#[derive(Entity)]
pub struct Group {
    #[key]
    pub realm: RealmID,
    #[key]
    pub shortname: String,
    pub users: microrm::RelationRange<UserGroupRelation>,
    pub roles: microrm::RelationDomain<GroupRoleRelation>,
}

#[derive(Entity)]
pub struct Role {
    #[key]
    pub realm: RealmID,
    /// key publicly-visible name for role
    #[key]
    pub shortname: String,
    pub groups: microrm::RelationRange<GroupRoleRelation>,
}

/// OAuth2 client representation
#[derive(Entity)]
pub struct Client {
    #[key]
    pub realm: RealmID,
    #[key]
    pub shortname: String,

    pub secret: String,

    pub access_key_type: microrm::Serialized<KeyType>,
    pub refresh_key_type: microrm::Serialized<KeyType>,

    pub direct_grant_enabled: bool,

    pub redirects: microrm::RelationMap<ClientRedirect>,
    pub scopes: microrm::RelationMap<Scope>,
}

#[derive(Entity)]
pub struct ClientRedirect {
    pub redirect_pattern: String,
}

#[derive(Entity)]
pub struct AuthCode {
    #[key]
    pub realm: RealmID,
    #[key]
    pub client: ClientID,
    #[key]
    pub code: String,

    pub expiry: time::OffsetDateTime,

    pub user: UserID,
    pub scopes: microrm::Serialized<Vec<String>>,
    pub redirect_uri: String,
}

/// Requested group of permissions
#[derive(Entity)]
pub struct Scope {
    #[key]
    pub realm: RealmID,
    #[key]
    pub shortname: String,
    pub roles: microrm::RelationMap<Role>,
}

// ----------------------------------------------------------------------
// External (social) authentication
// ----------------------------------------------------------------------

#[derive(PartialEq, Eq, PartialOrd, Ord, Clone, Debug, Serialize, Deserialize, EnumString)]
#[strum(serialize_all = "snake_case")]
#[serde(rename_all = "snake_case")]
pub enum ExternalAuthProvider {
    Github,
    GenericOIDC,
}

#[derive(Clone, Entity)]
pub struct ExternalAuthMap {
    #[key]
    pub external_user_id: String,
    #[key]
    pub provider: microrm::Serialized<ExternalAuthProvider>,

    pub internal_user_id: UserID,
}

// ----------------------------------------------------------------------
// Global container types
// ----------------------------------------------------------------------

#[derive(Clone, Default, Entity)]
pub struct Realm {
    #[key]
    pub shortname: String,

    pub clients: microrm::RelationMap<Client>,
    pub groups: microrm::RelationMap<Group>,
    pub keys: microrm::RelationMap<Key>,
    pub roles: microrm::RelationMap<Role>,
    pub scopes: microrm::RelationMap<Scope>,
    pub users: microrm::RelationMap<User>,
    pub auth_codes: microrm::RelationMap<AuthCode>,

    pub external_auth: microrm::RelationMap<ExternalAuthMap>,
    pub single_use_auth: microrm::RelationMap<SingleUseAuth>,
}