<?php

/**
 * @package        Joomla.Administrator
 * @subpackage     com_users
 *
 * @copyright  (C) 2022 Open Source Matters, Inc. <https://www.joomla.org>
 * @license        GNU General Public License version 2 or later; see LICENSE.txt
 */

namespace Joomla\Component\Users\Administrator\Helper;

use Exception;
use Joomla\CMS\Application\CMSApplication;
use Joomla\CMS\Component\ComponentHelper;
use Joomla\CMS\Document\HtmlDocument;
use Joomla\CMS\Event\MultiFactor\GetMethod;
use Joomla\CMS\Factory;
use Joomla\CMS\MVC\Factory\MVCFactoryInterface;
use Joomla\CMS\Plugin\PluginHelper;
use Joomla\CMS\Uri\Uri;
use Joomla\CMS\User\User;
use Joomla\CMS\User\UserFactoryInterface;
use Joomla\Component\Users\Administrator\DataShape\MethodDescriptor;
use Joomla\Component\Users\Administrator\Model\BackupcodesModel;
use Joomla\Component\Users\Administrator\Model\MethodsModel;
use Joomla\Component\Users\Administrator\Table\MfaTable;
use Joomla\Component\Users\Administrator\View\Methods\HtmlView;
use Joomla\Database\DatabaseDriver;
use Joomla\Database\ParameterType;

// phpcs:disable PSR1.Files.SideEffects
\defined('_JEXEC') or die;
// phpcs:enable PSR1.Files.SideEffects

/**
 * Helper functions for captive MFA handling
 *
 * @since 4.2.0
 */
abstract class Mfa
{
    /**
     * Cache of all currently active MFAs
     *
     * @var   array|null
     * @since 4.2.0
     */
    protected static $allMFAs = null;

    /**
     * Are we inside the administrator application
     *
     * @var   boolean
     * @since 4.2.0
     */
    protected static $isAdmin = null;

    /**
     * Get the HTML for the Multi-factor Authentication configuration interface for a user.
     *
     * This helper method uses a sort of primitive HMVC to display the com_users' Methods page which
     * renders the MFA configuration interface.
     *
     * @param   User  $user  The user we are going to show the configuration UI for.
     *
     * @return  string|null  The HTML of the UI; null if we cannot / must not show it.
     * @throws  Exception
     * @since   4.2.0
     */
    public static function getConfigurationInterface(User $user): ?string
    {
        // Check the conditions
        if (!self::canShowConfigurationInterface($user)) {
            return null;
        }

        /** @var CMSApplication $app */
        $app = Factory::getApplication();

        if (!$app->input->getCmd('option', '') === 'com_users') {
            $app->getLanguage()->load('com_users');
            $app->getDocument()
                ->getWebAssetManager()
                ->getRegistry()
                ->addExtensionRegistryFile('com_users');
        }

        // Get a model
        /** @var MVCFactoryInterface $factory */
        $factory = Factory::getApplication()->bootComponent('com_users')->getMVCFactory();

        /** @var MethodsModel $methodsModel */
        $methodsModel = $factory->createModel('Methods', 'Administrator');
        /** @var BackupcodesModel $methodsModel */
        $backupCodesModel = $factory->createModel('Backupcodes', 'Administrator');

        // Get a view object
        $appRoot = $app->isClient('site') ? \JPATH_SITE : \JPATH_ADMINISTRATOR;
        $prefix  = $app->isClient('site') ? 'Site' : 'Administrator';
        /** @var HtmlView $view */
        $view = $factory->createView(
            'Methods',
            $prefix,
            'Html',
            [
                'base_path' => $appRoot . '/components/com_users',
            ]
        );
        $view->setModel($methodsModel, true);
        /** @noinspection PhpParamsInspection */
        $view->setModel($backupCodesModel);
        $view->document  = $app->getDocument();
        $view->returnURL = base64_encode(Uri::getInstance()->toString());
        $view->user      = $user;
        $view->set('forHMVC', true);

        @ob_start();

        try {
            $view->display();
        } catch (\Throwable $e) {
            @ob_end_clean();

            /**
             * This is intentional! When you are developing a Multi-factor Authentication plugin you
             * will inevitably mess something up and end up with an error. This would cause the
             * entire MFA configuration page to disappear. No problem! Set Debug System to Yes in
             * Global Configuration and you can see the error exception which will help you solve
             * your problem.
             */
            if (defined('JDEBUG') && JDEBUG) {
                throw $e;
            }

            return null;
        }

        return @ob_get_clean();
    }

    /**
     * Get a list of all of the MFA Methods
     *
     * @return  MethodDescriptor[]
     * @since 4.2.0
     */
    public static function getMfaMethods(): array
    {
        PluginHelper::importPlugin('multifactorauth');

        if (is_null(self::$allMFAs)) {
            // Get all the plugin results
            $event = new GetMethod();
            $temp  = Factory::getApplication()
                ->getDispatcher()
                ->dispatch($event->getName(), $event)
                ->getArgument('result', []);

            // Normalize the results
            self::$allMFAs = [];

            foreach ($temp as $method) {
                if (!is_array($method) && !($method instanceof MethodDescriptor)) {
                    continue;
                }

                $method = $method instanceof MethodDescriptor
                    ? $method : new MethodDescriptor($method);

                if (empty($method['name'])) {
                    continue;
                }

                self::$allMFAs[$method['name']] = $method;
            }
        }

        return self::$allMFAs;
    }

    /**
     * Is the current user allowed to add/edit MFA methods for $user?
     *
     * This is only allowed if I am adding / editing methods for myself.
     *
     * If the target user is a member of any group disallowed to use MFA this will return false.
     *
     * @param   User|null  $user  The user you want to know if we're allowed to edit
     *
     * @return  boolean
     * @throws  Exception
     * @since 4.2.0
     */
    public static function canAddEditMethod(?User $user = null): bool
    {
        // Cannot do MFA operations on no user or a guest user.
        if (is_null($user) || $user->guest) {
            return false;
        }

        // If the user is in a user group which disallows MFA we cannot allow adding / editing methods.
        $neverMFAGroups = ComponentHelper::getParams('com_users')->get('neverMFAUserGroups', []);
        $neverMFAGroups = is_array($neverMFAGroups) ? $neverMFAGroups : [];

        if (count(array_intersect($user->getAuthorisedGroups(), $neverMFAGroups))) {
            return false;
        }

        // Check if this is the same as the logged-in user.
        $myUser = Factory::getApplication()->getIdentity()
            ?: Factory::getContainer()->get(UserFactoryInterface::class)->loadUserById(0);

        return $myUser->id === $user->id;
    }

    /**
     * Is the current user allowed to delete MFA methods / disable MFA for $user?
     *
     * This is allowed if:
     * - The user being queried is the same as the logged-in user
     * - The logged-in user is a Super User AND the queried user is NOT a Super User.
     *
     * Note that Super Users can be edited by their own user only for security reasons. If a Super
     * User gets locked out they must use the Backup Codes to regain access. If that's not possible,
     * they will need to delete their records from the `#__user_mfa` table.
     *
     * @param   User|null  $user  The user being queried.
     *
     * @return  boolean
     * @throws  Exception
     * @since   4.2.0
     */
    public static function canDeleteMethod(?User $user = null): bool
    {
        // Cannot do MFA operations on no user or a guest user.
        if (is_null($user) || $user->guest) {
            return false;
        }

        $myUser = Factory::getApplication()->getIdentity()
            ?: Factory::getContainer()->get(UserFactoryInterface::class)->loadUserById(0);

        return $myUser->id === $user->id
            || ($myUser->authorise('core.admin') && !$user->authorise('core.admin'));
    }

    /**
     * Return all MFA records for a specific user
     *
     * @param   int|null  $userId  User ID. NULL for currently logged in user.
     *
     * @return  MfaTable[]
     * @throws  Exception
     *
     * @since 4.2.0
     */
    public static function getUserMfaRecords(?int $userId): array
    {
        if (empty($userId)) {
            $user   = Factory::getApplication()->getIdentity() ?: Factory::getUser();
            $userId = $user->id ?: 0;
        }

        /** @var DatabaseDriver $db */
        $db    = Factory::getContainer()->get('DatabaseDriver');
        $query = $db->getQuery(true)
            ->select($db->quoteName('id'))
            ->from($db->quoteName('#__user_mfa'))
            ->where($db->quoteName('user_id') . ' = :user_id')
            ->bind(':user_id', $userId, ParameterType::INTEGER);

        try {
            $ids = $db->setQuery($query)->loadColumn() ?: [];
        } catch (Exception $e) {
            $ids = [];
        }

        if (empty($ids)) {
            return [];
        }

        /** @var MVCFactoryInterface $factory */
        $factory = Factory::getApplication()->bootComponent('com_users')->getMVCFactory();

        // Map all results to MFA table objects
        $records = array_map(
            function ($id) use ($factory) {
                /** @var MfaTable $record */
                $record = $factory->createTable('Mfa', 'Administrator');
                $loaded = $record->load($id);

                return $loaded ? $record : null;
            },
            $ids
        );

        // Let's remove Methods we couldn't decrypt when reading from the database.
        $hasBackupCodes = false;

        $records = array_filter(
            $records,
            function ($record) use (&$hasBackupCodes) {
                $isValid = !is_null($record) && (!empty($record->options));

                if ($isValid && ($record->method === 'backupcodes')) {
                    $hasBackupCodes = true;
                }

                return $isValid;
            }
        );

        // If the only Method is backup codes it's as good as having no records
        if ((count($records) === 1) && $hasBackupCodes) {
            return [];
        }

        return $records;
    }

    /**
     * Are the conditions for showing the MFA configuration interface met?
     *
     * @param   User|null  $user  The user to be configured
     *
     * @return  boolean
     * @throws  Exception
     * @since 4.2.0
     */
    public static function canShowConfigurationInterface(?User $user = null): bool
    {
        // If I have no user to check against that's all the checking I can do.
        if (empty($user)) {
            return false;
        }

        // I need at least one MFA method plugin for the setup interface to make any sense.
        $plugins = PluginHelper::getPlugin('multifactorauth');

        if (count($plugins) < 1) {
            return false;
        }

        /** @var CMSApplication $app */
        $app = Factory::getApplication();

        // We can only show a configuration page in the front- or backend application.
        if (!$app->isClient('site') && !$app->isClient('administrator')) {
            return false;
        }

        // Only show the configuration page if we have an HTML document
        if (!($app->getDocument() instanceof HtmlDocument)) {
            return false;
        }

        // I must be able to add, edit or delete the user's MFA settings
        return self::canAddEditMethod($user) || self::canDeleteMethod($user);
    }
}