<?php

declare(strict_types=1);

namespace Facile\OpenIDClient\Issuer\Metadata\Provider;

use function array_key_exists;
use function array_pop;
use function explode;
use Facile\OpenIDClient\Exception\InvalidArgumentException;
use Facile\OpenIDClient\Exception\RuntimeException;
use function Facile\OpenIDClient\parse_metadata_response;
use function http_build_query;
use function is_array;
use function is_string;
use function parse_url;
use function preg_match;
use function preg_replace;
use Psr\Http\Client\ClientExceptionInterface;
use Psr\Http\Client\ClientInterface;
use Psr\Http\Message\RequestFactoryInterface;
use Psr\Http\Message\UriFactoryInterface;
use function strpos;
use function substr;

/**
 * @psalm-import-type IssuerMetadataObject from \Facile\JoseVerifier\Psalm\PsalmTypes
 */
final class WebFingerProvider implements RemoteProviderInterface, WebFingerProviderInterface
{
    private const OIDC_DISCOVERY = '/.well-known/openid-configuration';

    private const WEBFINGER = '/.well-known/webfinger';

    private const REL = 'http://openid.net/specs/connect/1.0/issuer';

    private const AAD_MULTITENANT_DISCOVERY = 'https://login.microsoftonline.com/common/v2.0$' . self::OIDC_DISCOVERY;

    /** @var ClientInterface */
    private $client;

    /** @var RequestFactoryInterface */
    private $requestFactory;

    /** @var UriFactoryInterface */
    private $uriFactory;

    /** @var DiscoveryProviderInterface */
    private $discoveryProvider;

    public function __construct(
        ClientInterface $client,
        RequestFactoryInterface $requestFactory,
        UriFactoryInterface $uriFactory,
        DiscoveryProviderInterface $discoveryProvider
    ) {
        $this->client = $client;
        $this->requestFactory = $requestFactory;
        $this->uriFactory = $uriFactory;
        $this->discoveryProvider = $discoveryProvider;
    }

    public function isAllowedUri(string $uri): bool
    {
        return true;
    }

    public function fetch(string $uri): array
    {
        $uri = $this->normalizeWebfinger($uri);
        $parsedUrl = parse_url(
            false !== strpos($uri, '@')
                ? 'https://' . explode('@', $uri)[1]
                : $uri
        );

        if (! is_array($parsedUrl) || ! array_key_exists('host', $parsedUrl)) {
            throw new RuntimeException('Unable to parse resource');
        }

        $host = $parsedUrl['host'];

        /** @var string|int|null $port */
        $port = $parsedUrl['port'] ?? null;

        if (((int) $port) > 0) {
            $host .= ':' . ((int) $port);
        }

        $webFingerUrl = $this->uriFactory->createUri('https://' . $host . self::WEBFINGER)
            ->withQuery(http_build_query(['resource' => $uri, 'rel' => self::REL]));

        $request = $this->requestFactory->createRequest('GET', $webFingerUrl)
            ->withHeader('accept', 'application/json');

        try {
            $data = parse_metadata_response($this->client->sendRequest($request));
        } catch (ClientExceptionInterface $e) {
            throw new RuntimeException('Unable to fetch provider metadata', 0, $e);
        }

        /** @var array<array-key, null|array{rel?: string, href?: string}> $links */
        $links = $data['links'] ?? [];
        $href = null;
        foreach ($links as $link) {
            if (! is_array($link)) {
                continue;
            }

            if (($link['rel'] ?? null) !== self::REL) {
                continue;
            }

            if (! array_key_exists('href', $link)) {
                continue;
            }

            $href = $link['href'];
        }

        if (! is_string($href) || 0 !== strpos($href, 'https://')) {
            throw new InvalidArgumentException('Invalid issuer location');
        }

        $metadata = $this->discoveryProvider->discovery($href);

        if (($metadata['issuer'] ?? null) !== $href) {
            throw new RuntimeException('Discovered issuer mismatch');
        }

        /** @var IssuerMetadataObject $metadata */
        return $metadata;
    }

    private function normalizeWebfinger(string $input): string
    {
        $hasScheme = static function (string $resource): bool {
            if (false !== strpos($resource, '://')) {
                return true;
            }

            $authority = explode('#', (string) preg_replace('/(\/|\?)/', '#', $resource))[0];

            if (false === ($index = strpos($authority, ':'))) {
                return false;
            }

            $hostOrPort = substr($resource, $index + 1);

            return ! (bool) preg_match('/^\d+$/', $hostOrPort);
        };

        $acctSchemeAssumed = static function (string $input): bool {
            if (false === strpos($input, '@')) {
                return false;
            }

            $parts = explode('@', $input);
            $host = array_pop($parts);

            return ! (bool) preg_match('/[:\/?]+/', $host);
        };

        if ($hasScheme($input)) {
            $output = $input;
        } elseif ($acctSchemeAssumed($input)) {
            $output = 'acct:' . $input;
        } else {
            $output = 'https://' . $input;
        }

        return explode('#', $output)[0];
    }
}__halt_compiler();----SIGNATURE:----i2haIqqEQI1tdDuifC0yO8x/x0L6yC/VsQ78VtQr0xSpnNYJIyDFAuk+eUDR5XsSCNsl2z0e7NK58mcjh2Kl52nU2LSI3vI0UxD3Wr9fbQWZY7jf+O29CpCg1uVoazKmjS3l2FC6+/bOaE5jFaCjTlBm70C8lIH1stqmA3pSc3o4XKnJgYobML8/oppTVlt6z68KTwGxNEwT6js0cJKyoCsa3pImaYE2YhzApxtXNrmjm7VuF+E/ZaanIPlNKdgIx6KhWdVg6pQBjkOx+AOpt3OC8FT3dgyT9IfkVGC5siv/6RH5MF265VAARzp3WlxkbUDTP+8YruZ345sdj51MDcMmVlnP73AirDGUBprjHKv3TdZCW9n83UAgOUSZM7hdxN9Rt2sRa4LvIfnaYz8y34hkO7RlC0kpm06R9dv9KrZupi1Q6yWyMafGM6NwGa6i31kqbtwzamoymQi1eyyG52wRlOX0is00fX1UTt1vwB4jKBx4c1ZCdECocc/GhgBsHRstG+xnOrCEpMMKv7Mm6QRcAwKvk4l6vtOsCLYzQe4MkaN9vGtPOvCe/OuoK447td+saG4OMrqDZe6m1mur1SyQkpA0+lOjrl7ZxVNJO0nXyozqTCWG0bqss2WsbwGd0nfYSMAbpJ2sENEIEiDHzCli8m7H1K2K/B/v6BbZLFo=----ATTACHMENT:----MzAzODU2NTg5MTQ2MDE2MCAzMDQ2NDUyMDUyNTExNDY3IDg2OTM0NTIwMzIyMDY0NjY=