(in-package :mfa-tool)

(defun account-selected (account)
  (setf (ubiquitous:value :default-account)
        (cdr account)))

(defun region-selected (region)
  (setf (ubiquitous:value :default-region)
        region))

(defparameter *developer-p* (equal "elangley" (uiop/os:getenv "USER")))

(defgeneric assumed-credentials (store))
(defgeneric (setf assumed-credentials) (value store))

(defun current-account (interface)
  (cdr (capi:choice-selected-item (account-selector interface))))
(defun current-role (interface)
  (capi:choice-selected-item (role-selector interface)))

(defun credentials-for-account (interface account)
  (gethash account
           (assumed-credentials interface)))
(defun (setf credentials-for-account) (new-credentials interface account)
  (setf (gethash account
                 (assumed-credentials interface))
        new-credentials))

(defun current-credentials (interface)
  (credentials-for-account interface
                           (current-account interface)))


(defmethod mfa-tool.store:execute ((store (eql :mfa-tool.debugger))
                                   (action mfa-tool.read-credentials:credential-update))
  (with-accessors ((access-key mfa-tool.read-credentials:access-key)
                   (secret-access-key mfa-tool.read-credentials:secret-access-key)) action
    (mfa-tool.credential-provider:save-ubiquitous-credentials
     (aws-sdk:make-credentials :access-key-id access-key
                               :secret-access-key secret-access-key
                               :session-token nil))))

(defun authenticate (user-name role token)
  (handler-bind ((aws-sdk:no-credentials
                   (lambda (c)
                     (alexandria:when-let
                         ((result (mfa-tool.read-credentials:prompt-for-aws-credentials :mfa-tool.debugger)))
                       (set-aws-credentials (mfa-tool.read-credentials:access-key result)
                                            (mfa-tool.read-credentials:secret-access-key result)
                                            c)))))
    (run-process user-name
                 role
                 token)))

(defun go-on (_ interface)
  (declare (ignore _))
  (let ((token (capi:text-input-pane-text (mfa-input interface)))
        (user-name (capi:text-input-pane-text (user-input interface)))
        (account (current-account interface)))
    (clear-cookies)
    (multiple-value-bind (signin-token creds)
        (handler-bind (((or dexador:http-request-forbidden
                            dexador:http-request-bad-request)
                         (lambda (c)
                           (let ((message (nth-value 2 (sts-error-value (dex:response-body c)))))
                             (multiple-value-bind (new-code completed)
                                 (capi:prompt-for-string (format nil "~a~%Enter new MFA token:"
                                                                 message)
                                                         :ok-check (lambda (v)
                                                                     (and (every 'digit-char-p v)
                                                                          (= (length v) 6))))
                               (if completed
                                   (progn (setf (capi:text-input-pane-text (mfa-input interface))
                                                new-code)
                                          (change-mfa-token new-code))
                                   (capi:abort-callback)))))))
          (authenticate user-name
                        (ecase (current-role interface)
                          (:|Developer Role| (cj-developer-role account))
                          (:|Provisioner Role| (cj-provisioner-role account)))
                        token))
      (with-open-file (stream (make-pathname :name ""
                                             :type "cj-aws"
                                             :defaults (user-homedir-pathname))
                              :direction :output
                              :if-exists :rename
                              :if-does-not-exist :create)
        (let ((cred-stream (make-broadcast-stream stream
                                                  (capi:collector-pane-stream (output interface)))))
          (format cred-stream
                  "export AWS_ACCESS_KEY_ID='~a'~%export AWS_SECRET_ACCESS_KEY='~a'~%export AWS_SESSION_TOKEN='~a'~%"
                  (session-id creds)
                  (session-key creds)
                  (session-token creds))))
      (capi:set-button-panel-enabled-items (slot-value interface 'action-buttons)
                                           :set t)
      (setf (capi:button-enabled (slot-value interface 'open-console-button))
            t)
      (setf (credentials-for-account interface account) (session-credentials creds)
            (signin-url interface) (url-from-signin-token signin-token)))))

(defun close-active-screen ()
  (let ((active-interface
          (capi:screen-active-interface
           (capi:convert-to-screen))))
    (unless (typep active-interface 'mfa-tool)
      (capi:destroy active-interface))))


(defun close-active-screen-enabled ()
  (let ((active-interface
          (capi:screen-active-interface
           (capi:convert-to-screen))))
    (typep active-interface '(not mfa-tool))))

(defun load-accounts (&optional account-source)
  (yason:parse
   (alexandria:read-file-into-string
    (if account-source
        account-source
        (json-resource "accounts")))))

(defun reprocess-accounts (accounts)
  (let ((accounts (gethash "Accounts" accounts))
        (result ()))
    (mapc (lambda (account)
            (push (cons (format nil "~a: ~a (~a)"
                                (gethash "Name" account)
                                (gethash "Id" account)
                                (gethash "Type" account))
                        (gethash "Id" account))
                  result))
          accounts)
    (coerce (sort result 'string-lessp
                  :key 'car)
            'list)))