slack-rs 0.1.70

//! OAuth configuration management commands

use crate::oauth::OAuthError;
use crate::profile::{
    create_token_store, default_config_path, delete_oauth_client_secret, get_oauth_client_secret,
    load_config, save_config, store_oauth_client_secret, Profile, ProfilesConfig, TokenStoreError,
    TokenType,
};
use std::io::IsTerminal;

/// OAuth configuration parameters for a profile
pub struct OAuthSetParams {
    /// Profile name
    pub profile_name: String,
    /// OAuth client ID
    pub client_id: String,
    /// OAuth redirect URI
    pub redirect_uri: String,
    /// OAuth scopes (comma-separated, or 'all' for comprehensive preset)
    pub scopes: String,
    /// Environment variable name containing client secret
    pub client_secret_env: Option<String>,
    /// File path containing client secret
    pub client_secret_file: Option<String>,
    /// Direct client secret value (requires explicit confirmation)
    pub client_secret: Option<String>,
    /// Explicit confirmation flag (required for client_secret)
    pub confirmed: bool,
}

/// Client secret input options
#[derive(Default)]
struct ClientSecretOptions {
    /// Environment variable name containing client secret
    env_var: Option<String>,
    /// File path containing client secret
    file_path: Option<String>,
    /// Direct client secret value (requires confirmation)
    direct_value: Option<String>,
    /// Explicit confirmation flag (required for direct_value)
    confirmed: bool,
}

/// Resolve client secret from various input sources with priority order
///
/// Priority order:
/// 1. Explicit --client-secret-env (environment variable specified by user)
/// 2. SLACKRS_CLIENT_SECRET (default environment variable)
/// 3. --client-secret-file (file path specified by user)
/// 4. --client-secret (direct value, requires confirmation)
/// 5. Interactive prompt (if stdin is a TTY)
///
/// # Arguments
/// * `options` - Client secret input options
fn resolve_client_secret(options: ClientSecretOptions) -> Result<String, OAuthError> {
    // 1. Check explicit --client-secret-env
    if let Some(env_var) = options.env_var {
        if let Ok(secret) = std::env::var(&env_var) {
            return Ok(secret);
        } else {
            return Err(OAuthError::ConfigError(format!(
                "Environment variable '{}' not found or empty",
                env_var
            )));
        }
    }

    // 2. Check SLACKRS_CLIENT_SECRET
    if let Ok(secret) = std::env::var("SLACKRS_CLIENT_SECRET") {
        return Ok(secret);
    }

    // 3. Check --client-secret-file
    if let Some(file_path) = options.file_path {
        let secret = std::fs::read_to_string(&file_path).map_err(|e| {
            OAuthError::ConfigError(format!("Failed to read file '{}': {}", file_path, e))
        })?;
        return Ok(secret.trim().to_string());
    }

    // 4. Check --client-secret (requires --yes)
    if let Some(secret) = options.direct_value {
        if !options.confirmed {
            return Err(OAuthError::ConfigError(
                "Using --client-secret is unsafe (visible in shell history/process list).\n\
                 Available safer alternatives:\n\
                 - Set environment variable: SLACKRS_CLIENT_SECRET=<secret>\n\
                 - Use flag: --client-secret-env <ENV_VAR>\n\
                 - Use flag: --client-secret-file <PATH>\n\
                 - Interactive input (run without flags in a terminal)\n\
                 - Use --yes to confirm direct input (not recommended)"
                    .to_string(),
            ));
        }
        return Ok(secret);
    }

    // 5. Interactive prompt (only if stdin is a TTY)
    if std::io::stdin().is_terminal() {
        let secret = rpassword::prompt_password("Enter OAuth client secret: ")
            .map_err(|e| OAuthError::ConfigError(format!("Failed to read password: {}", e)))?;
        return Ok(secret);
    }

    // No input source available in non-interactive mode
    Err(OAuthError::ConfigError(
        "No client secret provided and running in non-interactive mode.\n\
         Available options:\n\
         - Set environment variable: SLACKRS_CLIENT_SECRET=<secret>\n\
         - Use flag: --client-secret-env <ENV_VAR>\n\
         - Use flag: --client-secret-file <PATH>\n\
         - Use flag: --client-secret <SECRET> --yes (unsafe, not recommended)"
            .to_string(),
    ))
}

/// Set OAuth configuration for a profile
///
/// # Arguments
/// * `params` - OAuth configuration parameters
pub fn oauth_set(params: OAuthSetParams) -> Result<(), OAuthError> {
    let config_path = default_config_path()
        .map_err(|e| OAuthError::ConfigError(format!("Failed to get config path: {}", e)))?;

    let mut config = load_config(&config_path).unwrap_or_else(|_| ProfilesConfig::new());

    // Resolve client secret with priority order:
    // 1. Explicit --client-secret-env
    // 2. SLACKRS_CLIENT_SECRET environment variable
    // 3. --client-secret-file
    // 4. --client-secret (requires --yes)
    // 5. Interactive prompt (if stdin is a TTY)
    let client_secret = resolve_client_secret(ClientSecretOptions {
        env_var: params.client_secret_env,
        file_path: params.client_secret_file,
        direct_value: params.client_secret,
        confirmed: params.confirmed,
    })?;

    if client_secret.trim().is_empty() {
        return Err(OAuthError::ConfigError(
            "Client secret cannot be empty".to_string(),
        ));
    }

    // Parse scopes
    let scopes_vec: Vec<String> = params
        .scopes
        .split(',')
        .map(|s| s.trim().to_string())
        .filter(|s| !s.is_empty())
        .collect();

    if scopes_vec.is_empty() {
        return Err(OAuthError::ConfigError(
            "At least one scope is required".to_string(),
        ));
    }

    // Expand preset scopes (e.g., "all") and deduplicate
    let scopes_vec = crate::oauth::expand_scopes(&scopes_vec);

    // Get or create profile
    let profile = if let Some(existing) = config.get(&params.profile_name) {
        // Update existing profile with OAuth config
        Profile {
            team_id: existing.team_id.clone(),
            user_id: existing.user_id.clone(),
            team_name: existing.team_name.clone(),
            user_name: existing.user_name.clone(),
            client_id: Some(params.client_id.clone()),
            redirect_uri: Some(params.redirect_uri.clone()),
            scopes: Some(scopes_vec.clone()),
            bot_scopes: None,  // TODO: Will be populated in task 2
            user_scopes: None, // TODO: Will be populated in task 2
            default_token_type: existing.default_token_type,
        }
    } else {
        // Create placeholder profile (will be filled in during login)
        // We use placeholder values since OAuth config can be set before login
        Profile {
            team_id: "PLACEHOLDER".to_string(),
            user_id: "PLACEHOLDER".to_string(),
            team_name: None,
            user_name: None,
            client_id: Some(params.client_id.clone()),
            redirect_uri: Some(params.redirect_uri.clone()),
            scopes: Some(scopes_vec.clone()),
            bot_scopes: None,  // TODO: Will be populated in task 2
            user_scopes: None, // TODO: Will be populated in task 2
            default_token_type: None,
        }
    };

    config.set(params.profile_name.clone(), profile);

    save_config(&config_path, &config)
        .map_err(|e| OAuthError::ConfigError(format!("Failed to save config: {}", e)))?;

    // Save client secret to token store (Keyring or file backend)
    let token_store = create_token_store()
        .map_err(|e| OAuthError::ConfigError(format!("Failed to create token store: {}", e)))?;
    store_oauth_client_secret(&*token_store, &params.profile_name, &client_secret)
        .map_err(|e| OAuthError::ConfigError(format!("Failed to save client secret: {}", e)))?;

    println!(
        "✓ OAuth configuration saved for profile '{}'",
        params.profile_name
    );
    println!("  Client ID: {}", params.client_id);
    println!("  Redirect URI: {}", params.redirect_uri);
    println!("  Scopes: {}", scopes_vec.join(", "));
    println!("  Client secret: (saved securely in token store)");

    Ok(())
}

/// Show OAuth configuration for a profile
///
/// # Arguments
/// * `profile_name` - Profile name
pub fn oauth_show(profile_name: String) -> Result<(), OAuthError> {
    let config_path = default_config_path()
        .map_err(|e| OAuthError::ConfigError(format!("Failed to get config path: {}", e)))?;

    let config = load_config(&config_path)
        .map_err(|e| OAuthError::ConfigError(format!("Failed to load config: {}", e)))?;

    let profile = config
        .get(&profile_name)
        .ok_or_else(|| OAuthError::ConfigError(format!("Profile '{}' not found", profile_name)))?;

    println!("OAuth configuration for profile '{}':", profile_name);

    if let Some(client_id) = &profile.client_id {
        println!("  Client ID: {}", client_id);
    } else {
        println!("  Client ID: (not set)");
    }

    if let Some(redirect_uri) = &profile.redirect_uri {
        println!("  Redirect URI: {}", redirect_uri);
    } else {
        println!("  Redirect URI: (not set)");
    }

    if let Some(scopes) = &profile.scopes {
        println!("  Scopes: {}", scopes.join(", "));
    } else {
        println!("  Scopes: (not set)");
    }

    // Check if client secret exists in token store
    let token_store = create_token_store()
        .map_err(|e| OAuthError::ConfigError(format!("Failed to create token store: {}", e)))?;
    let has_secret = get_oauth_client_secret(&*token_store, &profile_name).is_ok();
    println!(
        "  Client secret: {}",
        if has_secret {
            "(saved in token store)"
        } else {
            "(not set)"
        }
    );

    Ok(())
}

/// Delete OAuth configuration for a profile
///
/// # Arguments
/// * `profile_name` - Profile name
pub fn oauth_delete(profile_name: String) -> Result<(), OAuthError> {
    let config_path = default_config_path()
        .map_err(|e| OAuthError::ConfigError(format!("Failed to get config path: {}", e)))?;

    let mut config = load_config(&config_path)
        .map_err(|e| OAuthError::ConfigError(format!("Failed to load config: {}", e)))?;

    let profile = config
        .get(&profile_name)
        .ok_or_else(|| OAuthError::ConfigError(format!("Profile '{}' not found", profile_name)))?;

    // Clear OAuth config from profile
    let updated_profile = Profile {
        team_id: profile.team_id.clone(),
        user_id: profile.user_id.clone(),
        team_name: profile.team_name.clone(),
        user_name: profile.user_name.clone(),
        client_id: None,
        redirect_uri: None,
        scopes: None,
        bot_scopes: None,
        user_scopes: None,
        default_token_type: profile.default_token_type,
    };

    config.set(profile_name.clone(), updated_profile);

    save_config(&config_path, &config)
        .map_err(|e| OAuthError::ConfigError(format!("Failed to save config: {}", e)))?;

    // Delete client secret from token store
    let token_store = create_token_store()
        .map_err(|e| OAuthError::ConfigError(format!("Failed to create token store: {}", e)))?;
    match delete_oauth_client_secret(&*token_store, &profile_name) {
        Ok(_) => {}                             // Secret deleted successfully
        Err(TokenStoreError::NotFound(_)) => {} // Secret was not set, which is fine
        Err(e) => {
            return Err(OAuthError::ConfigError(format!(
                "Failed to delete client secret: {}",
                e
            )))
        }
    }

    println!(
        "✓ OAuth configuration deleted for profile '{}'",
        profile_name
    );

    Ok(())
}

/// Set default token type for a profile
///
/// # Arguments
/// * `profile_name` - Profile name
/// * `token_type` - Default token type (bot or user)
pub fn set_default_token_type(
    profile_name: String,
    token_type: TokenType,
) -> Result<(), OAuthError> {
    let config_path = default_config_path()
        .map_err(|e| OAuthError::ConfigError(format!("Failed to get config path: {}", e)))?;

    let mut config = load_config(&config_path).unwrap_or_else(|_| ProfilesConfig::new());

    // Get existing profile or return error
    let profile = config
        .get(&profile_name)
        .ok_or_else(|| OAuthError::ConfigError(format!("Profile '{}' not found", profile_name)))?
        .clone();

    // Update profile with new default token type
    let updated_profile = Profile {
        team_id: profile.team_id,
        user_id: profile.user_id,
        team_name: profile.team_name,
        user_name: profile.user_name,
        client_id: profile.client_id,
        redirect_uri: profile.redirect_uri,
        scopes: profile.scopes,
        bot_scopes: profile.bot_scopes,
        user_scopes: profile.user_scopes,
        default_token_type: Some(token_type),
    };

    config.set(profile_name.clone(), updated_profile);

    save_config(&config_path, &config)
        .map_err(|e| OAuthError::ConfigError(format!("Failed to save config: {}", e)))?;

    println!(
        "✓ Default token type set to '{}' for profile '{}'",
        token_type, profile_name
    );

    Ok(())
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_oauth_show_profile_not_found() {
        let result = oauth_show("nonexistent".to_string());
        assert!(result.is_err());
        assert!(result.unwrap_err().to_string().contains("not found"));
    }

    #[test]
    fn test_oauth_delete_profile_not_found() {
        let result = oauth_delete("nonexistent".to_string());
        assert!(result.is_err());
        assert!(result.unwrap_err().to_string().contains("not found"));
    }

    /// Test that oauth_show does not output client_secret value
    /// This verifies the security requirement that client_secret is never printed
    #[test]
    fn test_oauth_show_does_not_leak_client_secret() {
        use crate::profile::{store_oauth_client_secret, InMemoryTokenStore};

        // Create an in-memory token store with a secret
        let token_store = InMemoryTokenStore::new();
        let profile_name = "test-profile";
        let client_secret = "super-secret-value-12345";

        // Store the secret
        store_oauth_client_secret(&token_store, profile_name, client_secret).unwrap();

        // Verify the secret is stored
        assert_eq!(
            crate::profile::get_oauth_client_secret(&token_store, profile_name).unwrap(),
            client_secret
        );

        // Note: We cannot directly test oauth_show's output without capturing stdout,
        // but we can verify the code path:
        // 1. oauth_show calls get_oauth_client_secret only to check .is_ok()
        // 2. It never prints the actual value - only "(saved in file store)" or "(not set)"

        // Verify the function signature ensures this - oauth_show has no way to output
        // the actual secret value since it only checks is_ok() on the result
        let has_secret =
            crate::profile::get_oauth_client_secret(&token_store, profile_name).is_ok();
        assert!(has_secret);

        // The output would be "(saved in file store)" which doesn't contain the secret
        let output = if has_secret {
            "(saved in file store)"
        } else {
            "(not set)"
        };

        // Verify output doesn't contain the actual secret
        assert!(!output.contains(client_secret));
        assert!(output == "(saved in file store)" || output == "(not set)");
    }

    /// Test client secret resolution priority order
    #[test]
    #[serial_test::serial]
    fn test_resolve_client_secret_priority() {
        use std::env;
        use std::fs;
        use tempfile::NamedTempFile;

        // Test 1: Explicit --client-secret-env takes priority
        env::set_var("CUSTOM_SECRET", "custom-env-secret");
        env::set_var("SLACKRS_CLIENT_SECRET", "default-env-secret");

        let result = resolve_client_secret(ClientSecretOptions {
            env_var: Some("CUSTOM_SECRET".to_string()),
            ..Default::default()
        });
        assert!(result.is_ok());
        assert_eq!(result.unwrap(), "custom-env-secret");

        // Test 2: SLACKRS_CLIENT_SECRET as fallback
        let result = resolve_client_secret(ClientSecretOptions::default());
        assert!(result.is_ok());
        assert_eq!(result.unwrap(), "default-env-secret");

        // Clean up env
        env::remove_var("CUSTOM_SECRET");
        env::remove_var("SLACKRS_CLIENT_SECRET");

        // Test 3: --client-secret-file
        let temp_file = NamedTempFile::new().unwrap();
        fs::write(temp_file.path(), "file-secret\n").unwrap();

        let result = resolve_client_secret(ClientSecretOptions {
            file_path: Some(temp_file.path().to_str().unwrap().to_string()),
            ..Default::default()
        });
        assert!(result.is_ok());
        assert_eq!(result.unwrap(), "file-secret");

        // Test 4: --client-secret requires confirmation
        let result = resolve_client_secret(ClientSecretOptions {
            direct_value: Some("direct-secret".to_string()),
            ..Default::default()
        });
        assert!(result.is_err());
        assert!(result
            .unwrap_err()
            .to_string()
            .contains("Use --yes to confirm"));

        // Test 5: --client-secret with --yes
        let result = resolve_client_secret(ClientSecretOptions {
            direct_value: Some("direct-secret".to_string()),
            confirmed: true,
            ..Default::default()
        });
        assert!(result.is_ok());
        assert_eq!(result.unwrap(), "direct-secret");

        // Test 6: No input source in non-interactive mode (stdin is not a TTY in tests)
        let result = resolve_client_secret(ClientSecretOptions::default());
        assert!(result.is_err());
        assert!(result
            .unwrap_err()
            .to_string()
            .contains("No client secret provided"));
    }

    /// Test that explicit env var takes precedence over default
    #[test]
    #[serial_test::serial]
    fn test_resolve_client_secret_explicit_env_precedence() {
        use std::env;

        env::set_var("CUSTOM_VAR", "custom-value");
        env::set_var("SLACKRS_CLIENT_SECRET", "default-value");

        let result = resolve_client_secret(ClientSecretOptions {
            env_var: Some("CUSTOM_VAR".to_string()),
            ..Default::default()
        });
        assert!(result.is_ok());
        assert_eq!(result.unwrap(), "custom-value");

        env::remove_var("CUSTOM_VAR");
        env::remove_var("SLACKRS_CLIENT_SECRET");
    }

    /// Test that file takes precedence over direct secret
    #[test]
    #[serial_test::serial]
    fn test_resolve_client_secret_file_precedence() {
        use std::env;
        use std::fs;
        use tempfile::NamedTempFile;

        // Clear SLACKRS_CLIENT_SECRET to ensure it doesn't interfere with this test
        env::remove_var("SLACKRS_CLIENT_SECRET");

        let temp_file = NamedTempFile::new().unwrap();
        fs::write(temp_file.path(), "file-secret").unwrap();

        let result = resolve_client_secret(ClientSecretOptions {
            file_path: Some(temp_file.path().to_str().unwrap().to_string()),
            direct_value: Some("direct-secret".to_string()),
            confirmed: true,
            ..Default::default()
        });
        assert!(result.is_ok());
        assert_eq!(result.unwrap(), "file-secret");
    }

    /// Test error message for missing environment variable
    #[test]
    #[serial_test::serial]
    fn test_resolve_client_secret_missing_env() {
        use std::env;

        env::remove_var("NONEXISTENT_VAR");

        let result = resolve_client_secret(ClientSecretOptions {
            env_var: Some("NONEXISTENT_VAR".to_string()),
            ..Default::default()
        });
        assert!(result.is_err());
        assert!(result
            .unwrap_err()
            .to_string()
            .contains("Environment variable 'NONEXISTENT_VAR' not found"));
    }

    /// Test error message for missing file
    #[test]
    #[serial_test::serial]
    fn test_resolve_client_secret_missing_file() {
        use std::env;

        // Clear SLACKRS_CLIENT_SECRET to ensure it doesn't interfere with this test
        env::remove_var("SLACKRS_CLIENT_SECRET");

        let result = resolve_client_secret(ClientSecretOptions {
            file_path: Some("/nonexistent/path/to/secret".to_string()),
            ..Default::default()
        });
        assert!(result.is_err());
        assert!(result
            .unwrap_err()
            .to_string()
            .contains("Failed to read file"));
    }

    /// Test that oauth_set saves client secret to file backend
    #[test]
    #[serial_test::serial]
    fn test_oauth_set_saves_to_file_backend() {
        use crate::profile::{get_oauth_client_secret, FileTokenStore};
        use std::env;
        use std::fs;
        use tempfile::TempDir;

        // Create temporary directory for config and tokens
        let temp_dir = TempDir::new().unwrap();
        let config_path = temp_dir.path().join("profiles.json");
        let tokens_path = temp_dir.path().join("tokens.json");

        // Set up environment
        env::set_var("SLACKRS_CLIENT_SECRET", "test-secret-12345");

        // Create a file token store
        let token_store = FileTokenStore::with_path(tokens_path.clone()).unwrap();

        // Call oauth_set with environment variable
        let profile_name = "test-profile".to_string();
        let _client_id = "123.456".to_string();
        let _redirect_uri = "http://127.0.0.1:8765/callback".to_string();
        let _scopes = "chat:write,users:read".to_string();

        // Note: We can't directly test oauth_set because it uses default_config_path
        // Instead, we'll test that the client secret can be stored and retrieved
        // using the same mechanism that oauth_set uses

        let client_secret = resolve_client_secret(ClientSecretOptions::default()).unwrap();
        assert_eq!(client_secret, "test-secret-12345");

        // Store the secret using the same function oauth_set uses
        crate::profile::store_oauth_client_secret(&token_store, &profile_name, &client_secret)
            .unwrap();

        // Verify the secret was saved
        let retrieved_secret = get_oauth_client_secret(&token_store, &profile_name).unwrap();
        assert_eq!(retrieved_secret, "test-secret-12345");

        // Verify the tokens.json file exists and contains the key
        assert!(tokens_path.exists());
        let tokens_content = fs::read_to_string(&tokens_path).unwrap();
        assert!(tokens_content.contains("oauth-client-secret:test-profile"));

        // Verify the secret is NOT stored in the config file (profiles.json)
        // Since we didn't actually call oauth_set, we just verify that the design
        // keeps secrets separate from profiles
        assert!(
            !config_path.exists()
                || !fs::read_to_string(&config_path)
                    .unwrap_or_default()
                    .contains("test-secret-12345")
        );

        // Clean up
        env::remove_var("SLACKRS_CLIENT_SECRET");
    }
}