require_dependency 'single_sign_on'
class DiscourseSingleSignOn < SingleSignOn
  def self.sso_url
    SiteSetting.sso_url
  end

  def self.sso_secret
    SiteSetting.sso_secret
  end

  def self.generate_url(return_path="/")
    sso = new
    sso.nonce = SecureRandom.hex
    sso.register_nonce(return_path)
    sso.to_url
  end

  def register_nonce(return_path)
    if nonce
      $redis.setex(nonce_key, NONCE_EXPIRY_TIME, return_path)
    end
  end

  def nonce_valid?
    nonce && $redis.get(nonce_key).present?
  end

  def return_path
    $redis.get(nonce_key) || "/"
  end

  def expire_nonce!
    if nonce
      $redis.del nonce_key
    end
  end

  def nonce_key
    "SSO_NONCE_#{nonce}"
  end

  def lookup_or_create_user
    sso_record = SingleSignOnRecord.where(external_id: external_id).first

    if sso_record && user = sso_record.user
      sso_record.last_payload = unsigned_payload
    else
      user = match_email_or_create_user
      sso_record = user.single_sign_on_record
    end

    # if the user isn't new or it's attached to the SSO record we might be overriding username or email
    unless user.new_record?
      change_external_attributes_and_override(sso_record, user)
    end

    if sso_record && (user = sso_record.user) && !user.active
      user.active = true
      user.save
      user.enqueue_welcome_message('welcome_user')
    end

    # optionally save the user and sso_record if they have changed
    user.save!
    sso_record.save!

    sso_record && sso_record.user
  end

  private

  def match_email_or_create_user
    user = User.where(email: Email.downcase(email)).first

    user_params = {
        email: email,
        name:  User.suggest_name(name || username || email),
        username: UserNameSuggester.suggest(username || name || email),
    }

    if user || user = User.create(user_params)
      if sso_record = user.single_sign_on_record
        sso_record.last_payload = unsigned_payload
        sso_record.external_id = external_id
      else
        sso_record = user.create_single_sign_on_record(last_payload: unsigned_payload,
                                          external_id: external_id,
                                          external_username: username,
                                          external_email: email,
                                          external_name: name)
      end
    end

    user
  end

  def change_external_attributes_and_override(sso_record, user)
    if SiteSetting.sso_overrides_email && email != sso_record.external_email
      # set the user's email to whatever came in the payload
      user.email = email
    end

    if SiteSetting.sso_overrides_username && username != sso_record.external_username && user.username != username
      # we have an external username change, and the user's current username doesn't match
      # run it through the UserNameSuggester to override it
      user.username = UserNameSuggester.suggest(username || name || email)
    end

    if SiteSetting.sso_overrides_name && name != sso_record.external_name && user.name != name
      # we have an external name change, and the user's current name doesn't match
      # run it through the name suggester to override it
      user.name = User.suggest_name(name || username || email)
    end

    # change external attributes for sso record
    sso_record.external_username = username
    sso_record.external_email = email
    sso_record.external_name = name
  end
end