require 'uri'
require 'openid/extensions/sreg'
require 'openid/extensions/ax'
require 'openid/store/filesystem'

require File.dirname(__FILE__) + '/open_id_authentication/db_store'
require File.dirname(__FILE__) + '/open_id_authentication/mem_cache_store'
require File.dirname(__FILE__) + '/open_id_authentication/request'
require File.dirname(__FILE__) + '/open_id_authentication/timeout_fixes' if OpenID::VERSION == "2.0.4"

module OpenIdAuthentication
  OPEN_ID_AUTHENTICATION_DIR = RAILS_ROOT + "/tmp/openids"

  def self.store
    @@store
  end

  def self.store=(*store_option)
    store, *parameters = *([ store_option ].flatten)

    @@store = case store
    when :db
      OpenIdAuthentication::DbStore.new
    when :mem_cache
      OpenIdAuthentication::MemCacheStore.new(*parameters)
    when :file
      OpenID::Store::Filesystem.new(OPEN_ID_AUTHENTICATION_DIR)
    else
      raise "Unknown store: #{store}"
    end
  end

  self.store = :db

  class InvalidOpenId < StandardError
  end

  class Result
    ERROR_MESSAGES = {
      :missing      => "Sorry, the OpenID server couldn't be found",
      :invalid      => "Sorry, but this does not appear to be a valid OpenID",
      :canceled     => "OpenID verification was canceled",
      :failed       => "OpenID verification failed",
      :setup_needed => "OpenID verification needs setup"
    }

    def self.[](code)
      new(code)
    end

    def initialize(code)
      @code = code
    end

    def status
      @code
    end

    ERROR_MESSAGES.keys.each { |state| define_method("#{state}?") { @code == state } }

    def successful?
      @code == :successful
    end

    def unsuccessful?
      ERROR_MESSAGES.keys.include?(@code)
    end

    def message
      ERROR_MESSAGES[@code]
    end
  end

  # normalizes an OpenID according to http://openid.net/specs/openid-authentication-2_0.html#normalization
  def self.normalize_identifier(identifier)
    # clean up whitespace
    identifier = identifier.to_s.strip

    # if an XRI has a prefix, strip it.
    identifier.gsub!(/xri:\/\//i, '')

    # dodge XRIs -- TODO: validate, don't just skip.
    unless ['=', '@', '+', '$', '!', '('].include?(identifier.at(0))
      # does it begin with http?  if not, add it.
      identifier = "http://#{identifier}" unless identifier =~ /^http/i

      # strip any fragments
      identifier.gsub!(/\#(.*)$/, '')

      begin
        uri = URI.parse(identifier)
        uri.scheme = uri.scheme.downcase  # URI should do this
        identifier = uri.normalize.to_s
      rescue URI::InvalidURIError
        raise InvalidOpenId.new("#{identifier} is not an OpenID identifier")
      end
    end

    return identifier
  end

  # deprecated for OpenID 2.0, where not all OpenIDs are URLs
  def self.normalize_url(url)
    ActiveSupport::Deprecation.warn "normalize_url has been deprecated, use normalize_identifier instead"
    self.normalize_identifier(url)
  end

  protected
    def normalize_url(url)
      OpenIdAuthentication.normalize_url(url)
    end

    def normalize_identifier(url)
      OpenIdAuthentication.normalize_identifier(url)
    end

    # The parameter name of "openid_identifier" is used rather than the Rails convention "open_id_identifier"
    # because that's what the specification dictates in order to get browser auto-complete working across sites
    def using_open_id?(identity_url = nil) #:doc:
      identity_url ||= params[:openid_identifier] || params[:openid_url]
      !identity_url.blank? || params[:open_id_complete]
    end

    def authenticate_with_open_id(identity_url = nil, options = {}, &block) #:doc:
      identity_url ||= params[:openid_identifier] || params[:openid_url]

      if params[:open_id_complete].nil?
        begin_open_id_authentication(identity_url, options, &block)
      else
        complete_open_id_authentication(&block)
      end
    end

  private
    def begin_open_id_authentication(identity_url, options = {})
      identity_url = normalize_identifier(identity_url)
      return_to    = options.delete(:return_to)
      method       = options.delete(:method)
      
      options[:required] ||= []  # reduces validation later
      options[:optional] ||= []

      open_id_request = open_id_consumer.begin(identity_url)
      add_simple_registration_fields(open_id_request, options)
      add_ax_fields(open_id_request, options)
      redirect_to(open_id_redirect_url(open_id_request, return_to, method))
    rescue OpenIdAuthentication::InvalidOpenId => e
      yield Result[:invalid], identity_url, nil
    rescue OpenID::OpenIDError, Timeout::Error => e
      logger.error("[OPENID] #{e}")
      yield Result[:missing], identity_url, nil
    end

    def complete_open_id_authentication
      params_with_path = params.reject { |key, value| request.path_parameters[key] }
      params_with_path.delete(:format)
      open_id_response = timeout_protection_from_identity_server { open_id_consumer.complete(params_with_path, requested_url) }
      identity_url     = normalize_identifier(open_id_response.display_identifier) if open_id_response.display_identifier

      case open_id_response.status
      when OpenID::Consumer::SUCCESS
        profile_data = {}

        # merge the SReg data and the AX data into a single hash of profile data
        [ OpenID::SReg::Response, OpenID::AX::FetchResponse ].each do |data_response|
          if data_response.from_success_response( open_id_response )
            profile_data.merge! data_response.from_success_response( open_id_response ).data
          end
        end
        
        yield Result[:successful], identity_url, profile_data
      when OpenID::Consumer::CANCEL
        yield Result[:canceled], identity_url, nil
      when OpenID::Consumer::FAILURE
        yield Result[:failed], identity_url, nil
      when OpenID::Consumer::SETUP_NEEDED
        yield Result[:setup_needed], open_id_response.setup_url, nil
      end
    end

    def open_id_consumer
      OpenID::Consumer.new(session, OpenIdAuthentication.store)
    end

    def add_simple_registration_fields(open_id_request, fields)
      sreg_request = OpenID::SReg::Request.new
      
      # filter out AX identifiers (URIs)
      required_fields = fields[:required].collect { |f| f.to_s unless f =~ /^https?:\/\// }.compact
      optional_fields = fields[:optional].collect { |f| f.to_s unless f =~ /^https?:\/\// }.compact
      
      sreg_request.request_fields(required_fields, true) unless required_fields.blank?
      sreg_request.request_fields(optional_fields, false) unless optional_fields.blank?
      sreg_request.policy_url = fields[:policy_url] if fields[:policy_url]
      open_id_request.add_extension(sreg_request)
    end
    
    def add_ax_fields( open_id_request, fields )
      ax_request = OpenID::AX::FetchRequest.new
      
      # look through the :required and :optional fields for URIs (AX identifiers)
      fields[:required].each do |f|
        next unless f =~ /^https?:\/\//
        ax_request.add( OpenID::AX::AttrInfo.new( f, nil, true ) )
      end

      fields[:optional].each do |f|
        next unless f =~ /^https?:\/\//
        ax_request.add( OpenID::AX::AttrInfo.new( f, nil, false ) )
      end
      
      open_id_request.add_extension( ax_request )
    end
        
    def open_id_redirect_url(open_id_request, return_to = nil, method = nil)
      open_id_request.return_to_args['_method'] = (method || request.method).to_s
      open_id_request.return_to_args['open_id_complete'] = '1'
      open_id_request.redirect_url(root_url, return_to || requested_url)
    end

    def requested_url
      relative_url_root = self.class.respond_to?(:relative_url_root) ?
        self.class.relative_url_root.to_s :
        request.relative_url_root
      "#{request.protocol}#{request.host_with_port}#{relative_url_root}#{request.path}"
    end

    def timeout_protection_from_identity_server
      yield
    rescue Timeout::Error
      Class.new do
        def status
          OpenID::FAILURE
        end

        def msg
          "Identity server timed out"
        end
      end.new
    end
end