const User = require('../../models/auth/User.model')
const Client = require('../../models/radius/Client.model')
const Application = require('../../models/Application.model')
const Policy = require('../../models/iam/Policy.model')

/**
 * @implements IAuthentication from radius-server
 */
class CoreIDAuthentication {
    async authenticate(username, password, packet) {
        // We only allow client-specific secrets to authenticate
        if ( !packet || !packet.secret ) {
            return false;
        }

        // Try to look up the client
        const client = await Client.findOne({
            active: true,
            secret: packet.secret,
        })
        if ( !client ) {
            return false;
        }

        // Try to look up the associated application
        const application = await Application.findOne({
            radius_client_ids: client.id,
        })
        if ( !application ) {
            return false;
        }

        // Try to look up the user
        /** @var {User} */
        const user = await User.findByLogin(username)
        if ( !user ) {
            return false;
        }

        // Validate the incoming credential
        if ( !(await user.check_credential_string(password)) ) {
            return false;
        }

        // Don't allow login if the user has a trap set
        if ( user.trap ) {
            return false;
        }

        // Check the IAM policy engine to make sure the user can access this resource
        return Policy.check_user_access(user, application.id)
    }
}

module.exports = exports = CoreIDAuthentication