// =================================================================================
// File:    plugin-mssql.js
//
// Author:  Jarle Elshaug
//
// Purpose: SQL user-provisioning
//
// Prereq:
// CREATE TABLE [Users] (
//     [UserID] VARCHAR(50) NOT NULL,
//     [Enabled] VARCHAR(50) NULL,
//     [Password] VARCHAR(50) NULL,
//     [FirstName] VARCHAR(50) NULL,
//     [MiddleName] VARCHAR(50) NULL,
//     [LastName] VARCHAR(50) NULL,
//     [Email] VARCHAR(50) NULL,
//     [MobilePhone] VARCHAR(50) NULL,
//     CONSTRAINT [PK_User]
//         PRIMARY KEY ([UserID])
// );
//
// CREATE TABLE [Groups] (
//     [GroupID] VARCHAR(50) NOT NULL,
//     [Enabled] VARCHAR(50) NULL,
//     CONSTRAINT [PK_Group]
//         PRIMARY KEY ([GroupID])
// );
//
// CREATE TABLE [Users2Group] (
//     [GroupID] VARCHAR(50) NOT NULL,
//     [UserID] VARCHAR(50) NOT NULL,
//     CONSTRAINT [PK_Users2Group]
//         PRIMARY KEY ([GroupID],[UserID]),
//     CONSTRAINT [FK_U2G_Group]
//         FOREIGN KEY ([GroupID])
//         REFERENCES [Groups]([GroupID])
//         ON DELETE CASCADE,
//     CONSTRAINT [FK_U2G_Users]
//         FOREIGN KEY ([UserID])
//         REFERENCES [Users]([UserID])
//         ON DELETE CASCADE
// );
//
// Supported attributes:
//
// GlobalUser   Template                                Scim                        Endpoint
// --------------------------------------------------------------------------------------------
// User name    %AC%                                    userName                        UserID
// Suspended    (auto included)                         active                          Enabled
// Password     %P%                                     password                        Password
// First Name   %UF%                                    name.givenName                  FirstName
// Middle Name  %UMN%                                   name.middleName                 MiddleName
// Last Name    %UL%                                    name.familyName                 LastName
// Email        %UE% (Emails, type=Work)                emails.work                     emailAddress
// Phone        %UP% (Phone Numbers, type=Work)         phoneNumbers.work               phoneNumber
//
// =================================================================================

import { Connection, Request } from 'tedious'
// for supporting nodejs running scimgateway package directly, using dynamic import instead of: import { ScimGateway } from 'scimgateway'
// scimgateway also inclues HelperRest: import { ScimGateway, HelperRest } from 'scimgateway'

// start - mandatory plugin initialization
const ScimGateway: typeof import('scimgateway').ScimGateway = await (async () => {
  try {
    return (await import('scimgateway')).ScimGateway
  } catch (err: any) {
    const source = './scimgateway.ts'
    return (await import(source)).ScimGateway
  }
})()
const scimgateway = new ScimGateway()
const config = scimgateway.getConfig()
scimgateway.authPassThroughAllowed = false
// end - mandatory plugin initialization

if (config?.connection?.authentication?.options?.password) {
  config.connection.authentication.options.password = scimgateway.getSecret('endpoint.connection.authentication.options.password')
}

// =================================================
// getUsers
// =================================================
scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
  const action = 'getUsers'
  scimgateway.logDebug(baseEntity, `handling ${action} getObj=${getObj ? JSON.stringify(getObj) : ''} attributes=${attributes}`)

  let sqlQuery

  // mandatory if-else logic - start
  if (getObj.operator) {
    if (getObj.operator === 'eq' && ['id', 'userName', 'externalId'].includes(getObj.attribute)) {
      // mandatory - unique filtering - single unique user to be returned - correspond to getUser() in versions < 4.x.x
      sqlQuery = `select * from [Users] where UserID = '${getObj.value}'`
    } else if (getObj.operator === 'eq' && getObj.attribute === 'group.value') {
      // optional - only used when groups are member of users, not default behavior - correspond to getGroupUsers() in versions < 4.x.x
      throw new Error(`${action} error: not supporting groups member of user filtering: ${getObj.rawFilter}`)
    } else {
      // optional - simpel filtering
      throw new Error(`${action} error: not supporting simpel filtering: ${getObj.rawFilter}`)
    }
  } else if (getObj.rawFilter) {
    // optional - advanced filtering having and/or/not - use getObj.rawFilter
    throw new Error(`${action} not error: supporting advanced filtering: ${getObj.rawFilter}`)
  } else {
    // mandatory - no filtering (!getObj.operator && !getObj.rawFilter) - all users to be returned - correspond to exploreUsers() in versions < 4.x.x
    sqlQuery = 'select * from [Users]'
  }
  // mandatory if-else logic - end

  if (!sqlQuery) throw new Error(`${action} error: mandatory if-else logic not fully implemented`)

  try {
    return await new Promise(async (resolve) => {
      const ret: any = { // itemsPerPage will be set by scimgateway
        Resources: [],
        totalResults: null,
      }

      const users: any[] = await query(sqlQuery, ctx).catch(err => scimgateway.logWarn(baseEntity, `${action} warning: ${err.message}`))
      for (const user of users) {
        const scimUser = {
          id: user.UserID.value ? user.UserID.value : undefined,
          userName: user.UserID.value ? user.UserID.value : undefined,
          active: user.Enabled.value === 'true' || false,
          name: {
            givenName: user.FirstName.value ? user.FirstName.value : undefined,
            middleName: user.MiddleName.value ? user.MiddleName.value : undefined,
            familyName: user.LastName.value ? user.LastName.value : undefined,
          },
          phoneNumbers: user.MobilePhone.value ? [{ type: 'work', value: user.MobilePhone.value }] : undefined,
          emails: user.Email.value ? [{ type: 'work', value: user.Email.value }] : undefined,
        }
        ret.Resources.push(scimUser)
      }

      resolve(ret) // all explored users
    }) // Promise
  } catch (err: any) {
    throw new Error(`${action} error: ${err.message}`)
  }
}

// =================================================
// createUser
// =================================================
scimgateway.createUser = async (baseEntity, userObj, ctx) => {
  const action = 'createUser'
  scimgateway.logDebug(baseEntity, `handling ${action} userObj=${JSON.stringify(userObj)}`)

  try {
    return await new Promise(async (resolve) => {
      if (!userObj.name) userObj.name = {}
      if (!userObj.emails) userObj.emails = { work: {} }
      if (!userObj.phoneNumbers) userObj.phoneNumbers = { work: {} }

      const insert = {
        UserID: `'${userObj.userName}'`,
        Enabled: (userObj.active) ? `'${userObj.active}'` : '\'false\'',
        Password: (userObj.password) ? `'${userObj.password}'` : null,
        FirstName: (userObj.name.givenName) ? `'${userObj.name.givenName}'` : null,
        MiddleName: (userObj.name.middleName) ? `'${userObj.name.middleName}'` : null,
        LastName: (userObj.name.familyName) ? `'${userObj.name.familyName}'` : null,
        MobilePhone: (userObj.phoneNumbers.work.value) ? `'${userObj.phoneNumbers.work.value}'` : null,
        Email: (userObj.emails.work.value) ? `'${userObj.emails.work.value}'` : null,
      }

      const sqlQuery = `insert into [Users] (UserID, Enabled, Password, FirstName, MiddleName, LastName, Email, MobilePhone)
                values (${insert.UserID}, ${insert.Enabled}, ${insert.Password}, ${insert.FirstName}, ${insert.MiddleName}, ${insert.LastName}, ${insert.Email}, ${insert.MobilePhone})`

      await query(sqlQuery, ctx).catch(err => scimgateway.logWarn(baseEntity, `${action} warning: ${err.message}`))

      resolve(null)
    }) // Promise
  } catch (err: any) {
    throw new Error(`${action} error: ${err.message}`)
  }
}

// =================================================
// deleteUser
// =================================================
scimgateway.deleteUser = async (baseEntity, id, ctx) => {
  const action = 'deleteUser'
  scimgateway.logDebug(baseEntity, `handling ${action} id=${id}`)

  try {
    return await new Promise(async (resolve) => {
      const sqlQuery = `delete from [Users] where UserID = '${id}'`
      await query(sqlQuery, ctx).catch(err => scimgateway.logWarn(baseEntity, `${action} warning: ${err.message}`))

      resolve(null)
    }) // Promise
  } catch (err: any) {
    throw new Error(`${action} error: ${err.message}`)
  }
}

// =================================================
// modifyUser
// =================================================
scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
  const action = 'modifyUser'
  scimgateway.logDebug(baseEntity, `handling ${action} id=${id} attrObj=${JSON.stringify(attrObj)}`)

  try {
    return await new Promise(async (resolve) => {
      if (!attrObj.name) attrObj.name = {}
      if (!attrObj.emails) attrObj.emails = { work: {} }
      if (!attrObj.phoneNumbers) attrObj.phoneNumbers = { work: {} }

      let sql = ''

      if (attrObj.active !== undefined) sql += `Enabled='${attrObj.active}',`
      if (attrObj.password !== undefined) {
        if (attrObj.password === '') sql += 'Password=null,'
        else sql += `Password='${attrObj.password}',`
      }
      if (attrObj.name.givenName !== undefined) {
        if (attrObj.name.givenName === '') sql += 'FirstName=null,'
        else sql += `FirstName='${attrObj.name.givenName}',`
      }
      if (attrObj.name.middleName !== undefined) {
        if (attrObj.name.middleName === '') sql += 'MiddleName=null,'
        else sql += `MiddleName='${attrObj.name.middleName}',`
      }
      if (attrObj.name.familyName !== undefined) {
        if (attrObj.name.familyName === '') sql += 'LastName=null,'
        else sql += `LastName='${attrObj.name.familyName}',`
      }
      if (attrObj.phoneNumbers.work.value !== undefined) {
        if (attrObj.phoneNumbers.work.value === '') sql += 'MobilePhone=null,'
        else sql += `MobilePhone='${attrObj.phoneNumbers.work.value}',`
      }
      if (attrObj.emails.work.value !== undefined) {
        if (attrObj.emails.work.value === '') sql += 'Email=null,'
        else sql += `Email='${attrObj.emails.work.value}',`
      }

      sql = sql.substr(0, sql.length - 1) // remove trailing ","

      const sqlQuery = `update [Users] set ${sql} where UserID like '${id}'`
      await query(sqlQuery, ctx).catch(err => scimgateway.logWarn(baseEntity, `${action} warning: ${err.message}`))

      resolve(null)
    }) // Promise
  } catch (err: any) {
    throw new Error(`${action} error: ${err.message}`)
  }
}

// =================================================
// getGroups
// =================================================
scimgateway.getGroups = async (baseEntity, getObj, attributes, ctx) => {
  const action = 'getGroups'
  scimgateway.logDebug(baseEntity, `handling ${action} getObj=${getObj ? JSON.stringify(getObj) : ''} attributes=${attributes}`)

  let sqlQuery

  // mandatory if-else logic - start
  if (getObj.operator) {
    if (getObj.operator === 'eq' && ['id', 'displayName', 'externalId'].includes(getObj.attribute)) {
      // mandatory - unique filtering - single unique user to be returned - correspond to getGroup() in versions < 4.x.x
      sqlQuery = `select * from [Groups] where GroupID = '${getObj.value}'`
    } else if (getObj.operator === 'eq' && getObj.attribute === 'members.value') {
      // mandatory - return all groups the user 'id' (getObj.value) is member of - correspond to getGroupMembers() in versions < 4.x.x
      sqlQuery = `select * from [Groups] join [Users2Group] on Groups.GroupID = Users2Group.GroupID where Users2Group.UserID = '${getObj.value}'`
    } else {
      // optional - simpel filtering
      throw new Error(`${action} error: not supporting simple filtering: ${getObj.rawFilter}`)
    }
  } else if (getObj.rawFilter) {
    // optional - advanced filtering having and/or/not - use getObj.rawFilter
    throw new Error(`${action} not error: supporting advanced filtering: ${getObj.rawFilter}`)
  } else {
    // mandatory - no filtering (!getObj.operator && !getObj.rawFilter) - all groups to be returned - correspond to exploreGroups() in versions < 4.x.x
    sqlQuery = 'select * from [Groups]'
  }
  // mandatory if-else logic - end
  if (!sqlQuery) throw new Error(`${action} error: mandatory if-else logic not fully implemented`)

  try {
    return await new Promise(async (resolve) => {
      const ret: any = { // itemsPerPage will be set by scimgateway
        Resources: [],
        totalResults: null,
      }

      const groups: any[] = await query(sqlQuery, ctx).catch(err => scimgateway.logWarn(baseEntity, `${action} warning: ${err.message}`))

      for (const group of groups) {
        const scimGroup: Record<string, any> = {
          id: group.GroupID.value ? group.GroupID.value : undefined,
          displayName: group.GroupID.value ? group.GroupID.value : undefined,
          active: group.Enabled.value === 'true' || false,
          members: [],
        }

        const sqlQuery = `select UserID from [Users2Group] where GroupID = '${scimGroup.id}'`
        const members = await query(sqlQuery, ctx).catch(err => scimgateway.logWarn(baseEntity, `${action} warning: ${err.message}`))
        for (const member of members) {
          const scimMember = {
            value: member.UserID.value,
            display: member.UserID.value,
          }
          scimGroup.members.push(scimMember)
        }

        ret.Resources.push(scimGroup)
      }

      resolve(ret)
    }) // Promise
  } catch (err: any) {
    throw new Error(`${action} error: ${err.message}`)
  }
}

// =================================================
// createGroup
// =================================================
scimgateway.createGroup = async (baseEntity, groupObj, ctx) => {
  const action = 'createGroup'
  scimgateway.logDebug(baseEntity, `handling ${action} groupObj=${JSON.stringify(groupObj)}`)

  try {
    return await new Promise(async (resolve) => {
      const insert = {
        GroupID: `'${groupObj.displayName}'`,
        Enabled: (groupObj.active) ? `'${groupObj.active}'` : '\'false\'',
      }

      const sqlQuery = `insert into [Groups] (GroupID, Enabled) values (${insert.GroupID}, ${insert.Enabled})`
      await query(sqlQuery, ctx).catch(err => scimgateway.logWarn(baseEntity, `${action} warning: ${err.message}`))

      if (Array.isArray(groupObj.members) && groupObj.members) {
        for (const member of groupObj.members) {
          const sqlQuery = `insert into [Users2Group] (UserID, GroupID) values ('${member.value}', ${insert.GroupID})`
          await query(sqlQuery, ctx).catch(err => scimgateway.logWarn(baseEntity, `${action} warning: ${err.message}`))
        }
      }

      resolve(null)
    }) // Promise
  } catch (err: any) {
    throw new Error(`${action} error: ${err.message}`)
  }
}

// =================================================
// deleteGroup
// =================================================
scimgateway.deleteGroup = async (baseEntity, id, ctx) => {
  const action = 'deleteGroup'
  scimgateway.logDebug(baseEntity, `handling ${action} id=${id}`)

  try {
    return await new Promise(async (resolve) => {
      const sqlQuery = `delete from [Groups] where GroupID = '${id}'`
      await query(sqlQuery, ctx).catch(err => scimgateway.logWarn(baseEntity, `${action} warning: ${err.message}`))

      resolve(null)
    }) // Promise
  } catch (err: any) {
    throw new Error(`${action} error: ${err.message}`)
  }
}

// =================================================
// modifyGroup
// =================================================
scimgateway.modifyGroup = async (baseEntity, id, attrObj, ctx) => {
  const action = 'modifyGroup'
  scimgateway.logDebug(baseEntity, `handling ${action} id=${id} attrObj=${JSON.stringify(attrObj)}`)

  let sql = ''

  if (attrObj.active !== undefined) sql += `Enabled='${attrObj.active}',`
  sql = sql.substr(0, sql.length - 1) // remove trailing ","

  const queries = []
  if (sql) {
    queries.push(`update [Groups] set ${sql} where GroupID like '${id}'`)
  }

  // This BLINDLY inserts all user/groups and gracefully breaks on PK violation
  // for each existing membership
  if (Array.isArray(attrObj.members) && attrObj.members) {
    for (const member of attrObj.members) {
      if (member.operation == 'delete') {
        queries.push(`delete from [Users2Group] where GroupID='${id}' and UserID='${member.value}'`)
      } else {
        queries.push(`insert into [Users2Group] (UserID, GroupID) values ('${member.value}','${id}')`)
      }
    }
  }

  const sqlQuery = queries.join(';')

  try {
    return await new Promise(async (resolve) => {
      if (sqlQuery) {
        scimgateway.logDebug(baseEntity, `sqlQuery: ${sqlQuery}`)
        await query(sqlQuery, ctx).catch(err => scimgateway.logWarn(baseEntity, `${action} warning: ${err.message}`))
      }

      resolve(null)
    }) // Promise
  } catch (err: any) {
    throw new Error(`${action} error: ${err.message}`)
  }
}

// =================================================
// helpers
// =================================================

//
// getCtxAuth returns username/secret from ctx header when using Auth PassThrough
//
const getCtxAuth = (ctx: undefined | Record<string, any>) => {
  if (!ctx?.request?.header?.authorization) return []
  const [authType, authToken] = (ctx.request.header.authorization || '').split(' ') // [0] = 'Basic' or 'Bearer'
  let username, password
  if (authType === 'Basic') [username, password] = (Buffer.from(authToken, 'base64').toString() || '').split(':')
  if (username) return [username, password] // basic auth
  else return [undefined, authToken] // bearer auth
}

const connectionCfg = (ctx: undefined | Record<string, any>) => {
  const connectionCfg = scimgateway.copyObj(config.connection)
  if (ctx?.request?.header?.authorization) { // Auth PassThrough (don't use configuration password)
    if (!connectionCfg.authentication) connectionCfg.authentication = {}
    if (!connectionCfg.authentication.type) connectionCfg.authentication.type = 'default'
    if (!connectionCfg.authentication.options) connectionCfg.authentication.options = {}
    const [username, password] = getCtxAuth(ctx)
    connectionCfg.authentication.options.password = password
    if (username) connectionCfg.authentication.options.userName = username
  }
  return connectionCfg
}

const query: (sql: string, ctx: any) => Promise<any> = (sql, ctx) => new Promise((resolve, reject) => {
  const connection = new Connection(connectionCfg(ctx))

  connection.connect((err) => {
    if (err) {
      const e = new Error(`MSSQL client connect error: ${err.message}`)
      reject(e)
    } else {
      const request = new Request(sql, (err, rowCount, rows) => {
        if (err) {
          connection.close()
          const e = new Error(`MSSQL client request: ${sql} Error: ${err.message}`)
          reject(e)
        } else {
          connection.close()
          resolve(rows)
        }
      })
      connection.execSql(request)
    }
  })
})

//
// Cleanup on exit
//
process.on('SIGTERM', () => { // kill
})
process.on('SIGINT', () => { // Ctrl+C
})