import json


def test_security_over_nonexistent_endpoints(oauth_requests, secure_api_app):
    app_client = secure_api_app.app.test_client()
    headers = {"Authorization": "Bearer 300"}
    get_inexistent_endpoint = app_client.get(
        "/v1.0/does-not-exist-invalid-token", headers=headers
    )  # type: flask.Response
    assert get_inexistent_endpoint.status_code == 401
    assert get_inexistent_endpoint.content_type == "application/problem+json"

    headers = {"Authorization": "Bearer 100"}
    get_inexistent_endpoint = app_client.get(
        "/v1.0/does-not-exist-valid-token", headers=headers
    )  # type: flask.Response
    assert get_inexistent_endpoint.status_code == 404
    assert get_inexistent_endpoint.content_type == "application/problem+json"

    get_inexistent_endpoint = app_client.get(
        "/v1.0/does-not-exist-no-token"
    )  # type: flask.Response
    assert get_inexistent_endpoint.status_code == 401

    swagger_ui = app_client.get("/v1.0/ui/")  # type: flask.Response
    assert swagger_ui.status_code == 401

    headers = {"Authorization": "Bearer 100"}
    post_greeting = app_client.post(
        "/v1.0/greeting/rcaricio", data={}, headers=headers
    )  # type: flask.Response
    assert post_greeting.status_code == 200

    post_greeting = app_client.post(
        "/v1.0/greeting/rcaricio", data={}
    )  # type: flask.Response
    assert post_greeting.status_code == 401


def test_security(oauth_requests, secure_endpoint_app):
    app_client = secure_endpoint_app.app.test_client()

    get_bye_no_auth = app_client.get("/v1.0/byesecure/jsantos")  # type: flask.Response
    assert get_bye_no_auth.status_code == 401
    assert get_bye_no_auth.content_type == "application/problem+json"
    get_bye_no_auth_reponse = json.loads(
        get_bye_no_auth.data.decode("utf-8", "replace")
    )  # type: dict
    assert get_bye_no_auth_reponse["detail"] == "No authorization token provided"

    headers = {"Authorization": "Bearer 100"}
    get_bye_good_auth = app_client.get(
        "/v1.0/byesecure/jsantos", headers=headers
    )  # type: flask.Response
    assert get_bye_good_auth.status_code == 200
    assert get_bye_good_auth.data == b"Goodbye jsantos (Secure: test-user)"

    headers = {"Authorization": "Bearer 200"}
    get_bye_wrong_scope = app_client.get(
        "/v1.0/byesecure/jsantos", headers=headers
    )  # type: flask.Response
    assert get_bye_wrong_scope.status_code == 403
    assert get_bye_wrong_scope.content_type == "application/problem+json"
    get_bye_wrong_scope_reponse = json.loads(
        get_bye_wrong_scope.data.decode("utf-8", "replace")
    )  # type: dict
    assert (
        get_bye_wrong_scope_reponse["detail"]
        == "Provided token doesn't have the required scope"
    )

    headers = {"Authorization": "Bearer 300"}
    get_bye_bad_token = app_client.get(
        "/v1.0/byesecure/jsantos", headers=headers
    )  # type: flask.Response
    assert get_bye_bad_token.status_code == 401
    assert get_bye_bad_token.content_type == "application/problem+json"
    get_bye_bad_token_reponse = json.loads(
        get_bye_bad_token.data.decode("utf-8", "replace")
    )  # type: dict
    assert get_bye_bad_token_reponse["detail"] == "Provided token is not valid"

    response = app_client.get(
        "/v1.0/more-than-one-security-definition"
    )  # type: flask.Response
    assert response.status_code == 401

    # also tests case-insensitivity
    headers = {"X-AUTH": "mykey"}
    response = app_client.get(
        "/v1.0/more-than-one-security-definition", headers=headers
    )  # type: flask.Response
    assert response.status_code == 200

    headers = {"Authorization": "Bearer 100"}
    get_bye_good_auth = app_client.get(
        "/v1.0/byesecure-ignoring-context/hjacobs", headers=headers
    )  # type: flask.Response
    assert get_bye_good_auth.status_code == 200
    assert get_bye_good_auth.data == b"Goodbye hjacobs (Secure!)"

    headers = {"Authorization": "Bearer 100"}
    get_bye_from_flask = app_client.get(
        "/v1.0/byesecure-from-flask", headers=headers
    )  # type: flask.Response
    assert get_bye_from_flask.data == b"Goodbye test-user (Secure!)"

    headers = {"Authorization": "Bearer 100"}
    get_bye_from_connexion = app_client.get(
        "/v1.0/byesecure-from-connexion", headers=headers
    )  # type: flask.Response
    assert get_bye_from_connexion.data == b"Goodbye test-user (Secure!)"

    headers = {"Authorization": "Bearer 100"}
    get_bye_from_connexion = app_client.get(
        "/v1.0/byesecure-jwt/test-user", headers=headers
    )  # type: flask.Response
    assert get_bye_from_connexion.data == b"Goodbye test-user (Secure: 100)"

    # has optional auth
    response = app_client.get("/v1.0/optional-auth")  # type: flask.Response
    assert response.status_code == 200
    assert response.data == b'"Unauthenticated"\n'
    headers = {"X-AUTH": "mykey"}
    response = app_client.get(
        "/v1.0/optional-auth", headers=headers
    )  # type: flask.Response
    assert response.status_code == 200
    assert response.data == b'"Authenticated"\n'
    headers = {"X-AUTH": "wrong-key"}
    response = app_client.get(
        "/v1.0/optional-auth", headers=headers
    )  # type: flask.Response
    assert response.data == b'"Unauthenticated"\n'
    assert response.status_code == 200

    # security function throws exception
    response = app_client.get("/v1.0/auth-exception", headers={"X-Api-Key": "foo"})
    assert response.status_code == 401


def test_checking_that_client_token_has_all_necessary_scopes(
    oauth_requests, secure_endpoint_app
):
    app_client = secure_endpoint_app.app.test_client()

    # has only one of the required scopes
    headers = {"Authorization": "Bearer has_myscope"}
    response = app_client.get(
        "/v1.0/more-than-one-scope", headers=headers
    )  # type: flask.Response
    assert response.status_code == 403

    # has none of the necessary scopes
    headers = {"Authorization": "Bearer has_wrongscope"}
    response = app_client.get(
        "/v1.0/more-than-one-scope", headers=headers
    )  # type: flask.Response
    assert response.status_code == 403

    # is not auth
    headers = {"Authorization": "Bearer is_not_invalid"}
    response = app_client.get(
        "/v1.0/more-than-one-scope", headers=headers
    )  # type: flask.Response
    assert response.status_code == 401

    # has all necessary scopes
    headers = {"Authorization": "Bearer has_myscope_otherscope"}
    response = app_client.get(
        "/v1.0/more-than-one-scope", headers=headers
    )  # type: flask.Response
    assert response.status_code == 200

    # has all necessary scopes but under key 'scopes'
    headers = {"Authorization": "Bearer has_scopes_in_scopes_with_s"}
    response = app_client.get(
        "/v1.0/more-than-one-scope", headers=headers
    )  # type: flask.Response
    assert response.status_code == 200