/*
Copyright 2018 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package utils

import (
	"bufio"
	"fmt"
	"io"
	"sort"
	"strings"

	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/apimachinery/pkg/runtime/schema"
	"k8s.io/apimachinery/pkg/types"
	auditinternal "k8s.io/apiserver/pkg/apis/audit"
	"k8s.io/apiserver/pkg/audit"
)

// AuditEvent is a simplified representation of an audit event for testing purposes
type AuditEvent struct {
	ID                 types.UID
	Level              auditinternal.Level
	Stage              auditinternal.Stage
	RequestURI         string
	Verb               string
	Code               int32
	User               string
	ImpersonatedUser   string
	ImpersonatedGroups string
	Resource           string
	Namespace          string
	RequestObject      bool
	ResponseObject     bool
	AuthorizeDecision  string
}

// CheckAuditLines searches the audit log for the expected audit lines.
// if includeID is true the event ids will also be verified
func CheckAuditLines(stream io.Reader, expected []AuditEvent, version schema.GroupVersion) (missing []AuditEvent, err error) {
	expectations := buildEventExpectations(expected)

	scanner := bufio.NewScanner(stream)
	for scanner.Scan() {
		line := scanner.Text()
		e := &auditinternal.Event{}
		decoder := audit.Codecs.UniversalDecoder(version)
		if err := runtime.DecodeInto(decoder, []byte(line), e); err != nil {
			return expected, fmt.Errorf("failed decoding buf: %s, apiVersion: %s", line, version)
		}

		event, err := testEventFromInternal(e)
		if err != nil {
			return expected, err
		}

		// If the event was expected, mark it as found.
		if _, found := expectations[event]; found {
			expectations[event] = true
		}
	}
	if err := scanner.Err(); err != nil {
		return expected, err
	}

	missing = findMissing(expectations)
	return missing, nil
}

// CheckAuditList searches an audit event list for the expected audit events.
// if includeID is true the event ids will also be verified
func CheckAuditList(el auditinternal.EventList, expected []AuditEvent) (missing []AuditEvent, err error) {
	expectations := buildEventExpectations(expected)

	for _, e := range el.Items {
		event, err := testEventFromInternal(&e)
		if err != nil {
			return expected, err
		}

		// If the event was expected, mark it as found.
		if _, found := expectations[event]; found {
			expectations[event] = true
		}
	}

	missing = findMissing(expectations)
	return missing, nil
}

// CheckForDuplicates checks a list for duplicate events
func CheckForDuplicates(el auditinternal.EventList) (auditinternal.EventList, error) {
	// eventMap holds a map of audit events with just a nil value
	eventMap := map[AuditEvent]*bool{}
	duplicates := auditinternal.EventList{}
	var err error
	for _, e := range el.Items {
		event, err := testEventFromInternal(&e)
		if err != nil {
			return duplicates, err
		}
		event.ID = e.AuditID
		if _, ok := eventMap[event]; ok {
			duplicates.Items = append(duplicates.Items, e)
			err = fmt.Errorf("failed duplicate check")
			continue
		}
		eventMap[event] = nil
	}
	return duplicates, err
}

// buildEventExpectations creates a bool map out of a list of audit events
func buildEventExpectations(expected []AuditEvent) map[AuditEvent]bool {
	expectations := map[AuditEvent]bool{}
	for _, event := range expected {
		expectations[event] = false
	}
	return expectations
}

// testEventFromInternal takes an internal audit event and returns a test event
// if includeID is true the event id will be included
func testEventFromInternal(e *auditinternal.Event) (AuditEvent, error) {
	event := AuditEvent{
		Level:      e.Level,
		Stage:      e.Stage,
		RequestURI: e.RequestURI,
		Verb:       e.Verb,
		User:       e.User.Username,
	}
	if e.ObjectRef != nil {
		event.Namespace = e.ObjectRef.Namespace
		event.Resource = e.ObjectRef.Resource
	}
	if e.ResponseStatus != nil {
		event.Code = e.ResponseStatus.Code
	}
	if e.ResponseObject != nil {
		event.ResponseObject = true
	}
	if e.RequestObject != nil {
		event.RequestObject = true
	}
	if e.ImpersonatedUser != nil {
		event.ImpersonatedUser = e.ImpersonatedUser.Username
		sort.Strings(e.ImpersonatedUser.Groups)
		event.ImpersonatedGroups = strings.Join(e.ImpersonatedUser.Groups, ",")
	}
	event.AuthorizeDecision = e.Annotations["authorization.k8s.io/decision"]
	return event, nil
}

// findMissing checks for false values in the expectations map and returns them as a list
func findMissing(expectations map[AuditEvent]bool) []AuditEvent {
	var missing []AuditEvent
	for event, found := range expectations {
		if !found {
			missing = append(missing, event)
		}
	}
	return missing
}