// Copyright 2017 The LUCI Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Command git-credential-luci is a Git credential helper.
//
// The protocol used for communication between Git and the credential helper
// is documented in:
//
// https://www.kernel.org/pub/software/scm/git/docs/technical/api-credentials.html#_credential_helpers
// https://www.kernel.org/pub/software/scm/git/docs/git-credential.html
package main

import (
	"context"
	"flag"
	"fmt"
	"os"
	"time"

	"go.chromium.org/luci/auth"
	"go.chromium.org/luci/auth/client/authcli"
	"go.chromium.org/luci/common/logging/gologger"

	"go.chromium.org/luci/common/api/gitiles"
	"go.chromium.org/luci/hardcoded/chromeinfra"
)

var (
	flags    authcli.Flags
	lifetime time.Duration
)

func init() {
	defaults := chromeinfra.DefaultAuthOptions()
	defaults.Scopes = []string{gitiles.OAuthScope, auth.OAuthScopeEmail}
	flags.Register(flag.CommandLine, defaults)
	flag.DurationVar(
		&lifetime, "lifetime", time.Minute,
		"Minimum token lifetime. If existing token expired and refresh token or service account is not present, returns nothing.",
	)

	flag.Usage = func() {
		fmt.Fprintf(os.Stderr, "usage: git-credential-luci command\n")
		flag.PrintDefaults()
	}
}

func main() {
	flag.Parse()

	if len(flag.Args()) != 1 {
		fmt.Fprintln(os.Stderr, "invalid number of arguments")
		os.Exit(1)
	}

	opts, err := flags.Options()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if lifetime > 30*time.Minute {
		fmt.Fprintln(os.Stderr, "lifetime cannot exceed 30m")
		os.Exit(1)
	}

	ctx := gologger.StdConfig.Use(context.Background())
	auth := auth.NewAuthenticator(ctx, auth.SilentLogin, opts)

	switch flag.Args()[0] {
	case "get":
		t, err := auth.GetAccessToken(lifetime)
		if err != nil {
			printErr("cannot get access token", err)
			os.Exit(1)
		}
		fmt.Printf("username=git-luci\n")
		fmt.Printf("password=%s\n", t.AccessToken)
	case "erase":
		if err := auth.PurgeCredentialsCache(); err != nil {
			printErr("cannot erase cache", err)
			os.Exit(1)
		}
	default:
		// The specification for Git credential helper says: "If a helper
		// receives any other operation, it should silently ignore the
		// request."
	}
}

func printErr(prefix string, err error) {
	switch {
	case err == auth.ErrLoginRequired:
		fmt.Fprintln(os.Stderr, "not running with a service account and not logged in")
	case err != nil:
		fmt.Fprintf(os.Stderr, "%s: %v\n", prefix, err)
	}
}