from http.cookies import SimpleCookie

import jwt
from authlib.oauth2.rfc6749 import errors
from authlib.oauth2.rfc6749.util import scope_to_list
from aws_lambda_powertools import Logger
from aws_lambda_powertools.event_handler.api_gateway import Router
from aws_lambda_powertools.event_handler.exceptions import (
    BadRequestError,
    ForbiddenError,
    ServiceError,
    UnauthorizedError,
)
from layercake.dynamodb import DynamoDBPersistenceLayer, KeyPair, SortKey

from boto3clients import dynamodb_client
from config import ISSUER, OAUTH2_TABLE, SESSION_SECRET
from oauth2 import server

router = Router()
logger = Logger(__name__)
dyn = DynamoDBPersistenceLayer(OAUTH2_TABLE, dynamodb_client)


@router.get('/authorize')
def authorize():
    current_event = router.current_event
    cookies = _parse_cookies(current_event.get('cookies', []))
    session_id = cookies.get('session_id')

    if not session_id:
        raise BadRequestError('Missing session_id')

    try:
        sub, session_scope = verify_session(session_id)
        grant = server.get_consent_grant(
            request=router.current_event,
            end_user=sub,
        )
        client_scopes = set(scope_to_list(grant.client.scope))
        user_scopes = set(scope_to_list(session_scope)) if session_scope else set()

        # Deny authorization if user lacks scopes requested by client
        if not client_scopes.issubset(user_scopes):
            raise ForbiddenError('Access denied')

        return server.create_authorization_response(
            request=router.current_event,
            grant_user=sub,
            grant=grant,
        )
    except jwt.exceptions.InvalidTokenError as err:
        logger.exception(err)
        raise BadRequestError(str(err))
    except errors.OAuth2Error as err:
        logger.exception(err)
        raise ServiceError(
            status_code=err.status_code,
            msg=dict(err.get_body()),  # type: ignore
        )


def verify_session(session_id: str) -> tuple[str, str | None]:
    payload = jwt.decode(
        session_id,
        SESSION_SECRET,
        algorithms=['HS256'],
        issuer=ISSUER,
        options={
            'require': ['exp', 'sub', 'iss', 'sid'],
        },
    )

    user = dyn.collection.get_items(
        KeyPair(
            pk='SESSION',
            sk=payload['sid'],
            rename_key='session',
        )
        + KeyPair(
            pk=payload['sub'],
            sk=SortKey(
                sk='SCOPE',
                path_spec='scope',
                rename_key='scope',
            ),
        ),
        flatten_top=False,
    )

    if 'session' not in user:
        raise SessionRevokedError('Session revoked')

    return payload['sub'], user.get('scope')


def _parse_cookies(cookies: list[str] | None) -> dict[str, str]:
    parsed_cookies = {}

    if not cookies:
        return parsed_cookies

    for s in cookies:
        c = SimpleCookie()
        c.load(s)
        parsed_cookies.update({k: morsel.value for k, morsel in c.items()})

    return parsed_cookies


class SessionRevokedError(UnauthorizedError): ...