from django import forms
from django.contrib.auth import authenticate
from django.utils.encoding import smart_unicode
from django.utils.translation import ugettext as _
from .. import scope
from ..constants import RESPONSE_TYPE_CHOICES, SCOPES
from ..forms import OAuthForm, OAuthValidationError
from ..scope import SCOPE_NAMES
from ..utils import now
from .models import Client, Grant, RefreshToken
 
 
class ClientForm(forms.ModelForm):
    """
    Form to create new consumers.
    """
    class Meta:
        model = Client
        fields = ('name', 'url', 'redirect_uri', 'client_type')
 
    def save(self, user=None, **kwargs):
        self.instance.user = user
        return super(ClientForm, self).save(**kwargs)
 
 
class ClientAuthForm(forms.Form):
    """
    Client authentication form. Required to make sure that we're dealing with a
    real client. Form is used in :attr:`provider.oauth2.backends` to validate
    the client.
    """
    client_id = forms.CharField()
    client_secret = forms.CharField()
 
    def clean(self):
        data = self.cleaned_data
        try:
            client = Client.objects.get(client_id=data.get('client_id'),
                client_secret=data.get('client_secret'))
        except Client.DoesNotExist:
            raise forms.ValidationError(_("Client could not be validated with "
                "key pair."))
 
        data['client'] = client
        return data
 
 
class ScopeChoiceField(forms.ChoiceField):
    """
    Custom form field that seperates values on space as defined in
    :rfc:`3.3`.
    """
    widget = forms.SelectMultiple
 
    def to_python(self, value):
        if not value:
            return []
 
        # New in Django 1.6: value may come in as a string.
        # Instead of raising an `OAuthValidationError`, try to parse and
        # ultimately return an empty list if nothing remains -- this will
        # eventually raise an `OAuthValidationError` in `validate` where
        # it should be anyways.
        if not isinstance(value, (list, tuple)):
            value = value.split(' ')
 
        # Split values into list
        return u' '.join([smart_unicode(val) for val in value]).split(u' ')
 
    def validate(self, value):
        """
        Validates that the input is a list or tuple.
        """
        if self.required and not value:
            raise OAuthValidationError({'error': 'invalid_request'})
 
        # Validate that each value in the value list is in self.choices.
        for val in value:
            if not self.valid_value(val):
                raise OAuthValidationError({
                    'error': 'invalid_request',
                    'error_description': _("'%s' is not a valid scope.") % \
                            val})
 
 
class ScopeMixin(object):
    """
    Form mixin to clean scope fields.
    """
    def clean_scope(self):
        """
        The scope is assembled by combining all the set flags into a single
        integer value which we can later check again for set bits.
 
        If *no* scope is set, we return the default scope which is the first
        defined scope in :attr:`provider.constants.SCOPES`.
 
        """
        default = SCOPES[0][0]
 
        flags = self.cleaned_data.get('scope', [])
 
        return scope.to_int(default=default, *flags)
 
 
class AuthorizationRequestForm(ScopeMixin, OAuthForm):
    """
    This form is used to validate the request data that the authorization
    endpoint receives from clients.
 
    Included data is specified in :rfc:`4.1.1`.
    """
    # Setting all required fields to false to explicitly check by hand
    # and use custom error messages that can be reused in the OAuth2
    # protocol
    response_type = forms.CharField(required=False)
    """
    ``"code"`` or ``"token"`` depending on the grant type.
    """
 
    redirect_uri = forms.URLField(required=False)
    """
    Where the client would like to redirect the user
    back to. This has to match whatever value was saved while creating
    the client.
    """
 
    state = forms.CharField(required=False)
    """
    Opaque - just pass back to the client for validation.
    """
 
    scope = ScopeChoiceField(choices=SCOPE_NAMES, required=False)
    """
    The scope that the authorization should include.
    """
 
    def clean_response_type(self):
        """
        :rfc:`3.1.1` Lists of values are space delimited.
        """
        response_type = self.cleaned_data.get('response_type')
 
        if not response_type:
            raise OAuthValidationError({'error': 'invalid_request',
                'error_description': "No 'response_type' supplied."})
 
        types = response_type.split(" ")
 
        for type in types:
            if type not in RESPONSE_TYPE_CHOICES:
                raise OAuthValidationError({
                    'error': 'unsupported_response_type',
                    'error_description': u"'%s' is not a supported response "
                        "type." % type})
 
        return response_type
 
    def clean_redirect_uri(self):
        """
        :rfc:`3.1.2` The redirect value has to match what was saved on the
            authorization server.
        """
        redirect_uri = self.cleaned_data.get('redirect_uri')
 
        if redirect_uri:
            if not redirect_uri == self.client.redirect_uri:
                raise OAuthValidationError({
                    'error': 'invalid_request',
                    'error_description': _("The requested redirect didn't "
                        "match the client settings.")})
 
        return redirect_uri
 
 
class AuthorizationForm(ScopeMixin, OAuthForm):
    """
    A form used to ask the resource owner for authorization of a given client.
    """
    authorize = forms.BooleanField(required=False)
    scope = ScopeChoiceField(choices=SCOPE_NAMES, required=False)
 
    def save(self, **kwargs):
        authorize = self.cleaned_data.get('authorize')
 
        if not authorize:
            return None
 
        grant = Grant()
        grant.scope = self.cleaned_data.get('scope')
        return grant
 
 
class RefreshTokenGrantForm(ScopeMixin, OAuthForm):
    """
    Checks and returns a refresh token.
    """
    refresh_token = forms.CharField(required=False)
    scope = ScopeChoiceField(choices=SCOPE_NAMES, required=False)
 
    def clean_refresh_token(self):
        token = self.cleaned_data.get('refresh_token')
 
        if not token:
            raise OAuthValidationError({'error': 'invalid_request'})
 
        try:
            token = RefreshToken.objects.get(token=token,
                expired=False, client=self.client)
        except RefreshToken.DoesNotExist:
            raise OAuthValidationError({'error': 'invalid_grant'})
 
        return token
 
    def clean(self):
        """
        Make sure that the scope is less or equal to the previous scope!
        """
        data = self.cleaned_data
        want_scope = data.get('scope') or 0
        refresh_token = data.get('refresh_token')
        access_token = getattr(refresh_token, 'access_token', None) if \
            refresh_token else \
            None
        has_scope = access_token.scope if access_token else 0
 
        # Only check if we've actually got a scope in the data
        # (read: All fields have been cleaned)
        if want_scope is not 0 and not scope.check(want_scope, has_scope):
            raise OAuthValidationError({'error': 'invalid_scope'})
 
        return data
 
 
class AuthorizationCodeGrantForm(ScopeMixin, OAuthForm):
    """
    Check and return an authorization grant.
    """
    code = forms.CharField(required=False)
    scope = ScopeChoiceField(choices=SCOPE_NAMES, required=False)
 
    def clean_code(self):
        code = self.cleaned_data.get('code')
 
        if not code:
            raise OAuthValidationError({'error': 'invalid_request'})
 
        try:
            self.cleaned_data['grant'] = Grant.objects.get(
                code=code, client=self.client, expires__gt=now())
        except Grant.DoesNotExist:
            raise OAuthValidationError({'error': 'invalid_grant'})
 
        return code
 
    def clean(self):
        """
        Make sure that the scope is less or equal to the scope allowed on the
        grant!
        """
        data = self.cleaned_data
        want_scope = data.get('scope') or 0
        grant = data.get('grant')
        has_scope = grant.scope if grant else 0
 
        # Only check if we've actually got a scope in the data
        # (read: All fields have been cleaned)
        if want_scope is not 0 and not scope.check(want_scope, has_scope):
            raise OAuthValidationError({'error': 'invalid_scope'})
 
        return data
 
 
class PasswordGrantForm(ScopeMixin, OAuthForm):
    """
    Validate the password of a user on a password grant request.
    """
    username = forms.CharField(required=False)
    password = forms.CharField(required=False)
    scope = ScopeChoiceField(choices=SCOPE_NAMES, required=False)
 
    def clean_username(self):
        username = self.cleaned_data.get('username')
 
        if not username:
            raise OAuthValidationError({'error': 'invalid_request'})
 
        return username
 
    def clean_password(self):
        password = self.cleaned_data.get('password')
 
        if not password:
            raise OAuthValidationError({'error': 'invalid_request'})
 
        return password
 
    def clean(self):
        data = self.cleaned_data
 
        user = authenticate(username=data.get('username'),
            password=data.get('password'))
 
        if user is None:
            raise OAuthValidationError({'error': 'invalid_grant'})
 
        data['user'] = user
        return data
 
 
class PublicPasswordGrantForm(PasswordGrantForm):
    client_id = forms.CharField(required=True)
    grant_type = forms.CharField(required=True)
 
    def clean_grant_type(self):
        grant_type = self.cleaned_data.get('grant_type')
 
        if grant_type != 'password':
            raise OAuthValidationError({'error': 'invalid_grant'})
 
        return grant_type
 
    def clean(self):
        data = super(PublicPasswordGrantForm, self).clean()
 
        try:
            client = Client.objects.get(client_id=data.get('client_id'))
        except Client.DoesNotExist:
            raise OAuthValidationError({'error': 'invalid_client'})
 
        if client.client_type != 1: # public
            raise OAuthValidationError({'error': 'invalid_client'})
 
        data['client'] = client
        return data