# Copyright (C) 2020 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Utility functions for atest."""
from __future__ import print_function

import getpass
import logging
import os
import pathlib
from pathlib import Path
from socket import socket
import subprocess
import time
from typing import Any, Callable
import uuid

from atest import atest_utils
from atest import constants
from atest.atest_enum import DetectType
from atest.metrics import metrics
import httplib2
from oauth2client import client as oauth2_client
from oauth2client import contrib as oauth2_contrib
from oauth2client import tools as oauth2_tools


class RunFlowFlags:
  """Flags for oauth2client.tools.run_flow."""

  def __init__(self, browser_auth):
    self.auth_host_port = [8080, 8090]
    self.auth_host_name = 'localhost'
    self.logging_level = 'ERROR'
    self.noauth_local_webserver = not browser_auth


class GCPHelper:
  """GCP bucket helper class."""

  def __init__(
      self,
      client_id=None,
      client_secret=None,
      user_agent=None,
      scope=constants.SCOPE_BUILD_API_SCOPE,
  ):
    """Init stuff for GCPHelper class.

    Args:
        client_id: String, client id from the cloud project.
        client_secret: String, client secret for the client_id.
        user_agent: The user agent for the credential.
        scope: String, scopes separated by space.
    """
    self.client_id = client_id
    self.client_secret = client_secret
    self.user_agent = user_agent
    self.scope = scope

  def get_refreshed_credential_from_file(self, creds_file_path):
    """Get refreshed credential from file.

    Args:
        creds_file_path: Credential file path.

    Returns:
        An oauth2client.OAuth2Credentials instance.
    """
    credential = self.get_credential_from_file(creds_file_path)
    if credential:
      try:
        credential.refresh(httplib2.Http())
      except oauth2_client.AccessTokenRefreshError as e:
        logging.debug('Token refresh error: %s', e)
      if not credential.invalid:
        return credential
    logging.debug('Cannot get credential.')
    return None

  def get_credential_from_file(self, creds_file_path):
    """Get credential from file.

    Args:
        creds_file_path: Credential file path.

    Returns:
        An oauth2client.OAuth2Credentials instance.
    """
    storage = oauth2_contrib.multiprocess_file_storage.get_credential_storage(
        filename=os.path.abspath(creds_file_path),
        client_id=self.client_id,
        user_agent=self.user_agent,
        scope=self.scope,
    )
    return storage.get()

  def get_credential_with_auth_flow(self, creds_file_path):
    """Get Credential object from file.

    Get credential object from file. Run oauth flow if haven't authorized
    before.

    Args:
        creds_file_path: Credential file path.

    Returns:
        An oauth2client.OAuth2Credentials instance.
    """
    credentials = None
    # SSO auth
    try:
      token = self._get_sso_access_token()
      credentials = oauth2_client.AccessTokenCredentials(token, 'atest')
      if credentials:
        return credentials
    # pylint: disable=broad-except
    except Exception as e:
      logging.debug('Exception:%s', e)
    # GCP auth flow
    credentials = self.get_refreshed_credential_from_file(creds_file_path)
    if not credentials:
      storage = oauth2_contrib.multiprocess_file_storage.get_credential_storage(
          filename=os.path.abspath(creds_file_path),
          client_id=self.client_id,
          user_agent=self.user_agent,
          scope=self.scope,
      )
      return self._run_auth_flow(storage)
    return credentials

  def _run_auth_flow(self, storage):
    """Get user oauth2 credentials.

    Using the loopback IP address flow for desktop clients.

    Args:
        storage: GCP storage object.

    Returns:
        An oauth2client.OAuth2Credentials instance.
    """
    flags = RunFlowFlags(browser_auth=True)

    # Get a free port on demand.
    port = None
    while not port or port < 10000:
      with socket() as local_socket:
        local_socket.bind(('', 0))
        _, port = local_socket.getsockname()
    _localhost_port = port
    _direct_uri = f'http://localhost:{_localhost_port}'
    flow = oauth2_client.OAuth2WebServerFlow(
        client_id=self.client_id,
        client_secret=self.client_secret,
        scope=self.scope,
        user_agent=self.user_agent,
        redirect_uri=f'{_direct_uri}',
    )
    credentials = oauth2_tools.run_flow(flow=flow, storage=storage, flags=flags)
    return credentials

  @staticmethod
  def _get_sso_access_token():
    """Use stubby command line to exchange corp sso to a scoped oauth

    token.

    Returns:
        A token string.
    """
    if not constants.TOKEN_EXCHANGE_COMMAND:
      return None

    request = constants.TOKEN_EXCHANGE_REQUEST.format(
        user=getpass.getuser(), scope=constants.SCOPE
    )
    # The output format is: oauth2_token: "<TOKEN>"
    return subprocess.run(
        constants.TOKEN_EXCHANGE_COMMAND,
        input=request,
        check=True,
        text=True,
        shell=True,
        stdout=subprocess.PIPE,
    ).stdout.split('"')[1]


# TODO: The usage of build_client should be removed from this method because
# it's not related to this module. For now, we temporarily declare the return
# type hint for build_client_creator to be Any to avoid circular importing.
def do_upload_flow(
    extra_args: dict[str, str],
    build_client_creator: Callable,
    invocation_properties: dict[str, str] = None,
) -> tuple:
  """Run upload flow.

  Asking user's decision and do the related steps.

  Args:
      extra_args: Dict of extra args to add to test run.
      build_client_creator: A function that takes a credential and returns a
        BuildClient object.
      invocation_properties: Additional invocation properties to write into the
        invocation.

  Return:
      A tuple of credential object and invocation information dict.
  """
  invocation_properties = invocation_properties or {}
  fetch_cred_start = time.time()
  creds = fetch_credential()
  metrics.LocalDetectEvent(
      detect_type=DetectType.FETCH_CRED_MS,
      result=int((time.time() - fetch_cred_start) * 1000),
  )
  if creds:
    prepare_upload_start = time.time()
    build_client = build_client_creator(creds)
    inv, workunit, local_build_id, build_target = _prepare_data(
        build_client, invocation_properties
    )
    metrics.LocalDetectEvent(
        detect_type=DetectType.UPLOAD_PREPARE_MS,
        result=int((time.time() - prepare_upload_start) * 1000),
    )
    extra_args[constants.INVOCATION_ID] = inv['invocationId']
    extra_args[constants.WORKUNIT_ID] = workunit['id']
    extra_args[constants.LOCAL_BUILD_ID] = local_build_id
    extra_args[constants.BUILD_TARGET] = build_target
    if not os.path.exists(os.path.dirname(constants.TOKEN_FILE_PATH)):
      os.makedirs(os.path.dirname(constants.TOKEN_FILE_PATH))
    with open(constants.TOKEN_FILE_PATH, 'w') as token_file:
      if creds.token_response:
        token_file.write(creds.token_response['access_token'])
      else:
        token_file.write(creds.access_token)
    return creds, inv
  return None, None


def fetch_credential():
  """Fetch the credential object."""
  creds_path = atest_utils.get_config_folder().joinpath(
      constants.CREDENTIAL_FILE_NAME
  )
  return GCPHelper(
      client_id=constants.CLIENT_ID,
      client_secret=constants.CLIENT_SECRET,
      user_agent='atest',
  ).get_credential_with_auth_flow(creds_path)


def _prepare_data(client, invocation_properties: dict[str, str]):
  """Prepare data for build api using.

  Args:
      build_client: The logstorage_utils.BuildClient object.
      invocation_properties: Additional invocation properties to write into the
        invocation.

  Return:
      invocation and workunit object.
      build id and build target of local build.
  """
  try:
    logging.disable(logging.INFO)
    external_id = str(uuid.uuid4())
    branch = _get_branch(client)
    target = _get_target(branch, client)
    build_record = client.insert_local_build(external_id, target, branch)
    client.insert_build_attempts(build_record)
    invocation = client.insert_invocation(build_record, invocation_properties)
    workunit = client.insert_work_unit(invocation)
    return invocation, workunit, build_record['buildId'], target
  finally:
    logging.disable(logging.NOTSET)


def _get_branch(build_client):
  """Get source code tree branch.

  Args:
      build_client: The build client object.

  Return:
      "git_main" in internal git, "aosp-main" otherwise.
  """
  default_branch = 'git_main' if constants.CREDENTIAL_FILE_NAME else 'aosp-main'
  local_branch = 'git_%s' % atest_utils.get_manifest_branch()
  branch = build_client.get_branch(local_branch)
  return local_branch if branch else default_branch


def _get_target(branch, build_client):
  """Get local build selected target.

  Args:
      branch: The branch want to check.
      build_client: The build client object.

  Return:
      The matched build target, "aosp_x86_64-trunk_staging-userdebug"
      otherwise.
  """
  default_target = 'aosp_x86_64-trunk_staging-userdebug'
  local_target = atest_utils.get_build_target()
  targets = [t['target'] for t in build_client.list_target(branch)['targets']]
  return local_target if local_target in targets else default_target