/app/helpers/auth_helper.rb

# frozen_string_literal: true

module AuthHelper
  PROVIDERS_WITH_ICONS = %w(
    atlassian_oauth2
    auth0
    authentiq
    azure_activedirectory_v2
    azure_oauth2
    bitbucket
    facebook
    dingtalk
    github
    gitlab
    google_oauth2
    jwt
    openid_connect
    salesforce
    shibboleth
    twitter
  ).freeze
  LDAP_PROVIDER = /\Aldap/.freeze
  POPULAR_PROVIDERS = %w(google_oauth2 github).freeze

  def ldap_enabled?
    Gitlab::Auth::Ldap::Config.enabled?
  end

  def ldap_sign_in_enabled?
    Gitlab::Auth::Ldap::Config.sign_in_enabled?
  end

  def omniauth_enabled?
    Gitlab::Auth.omniauth_enabled?
  end

  def provider_has_custom_icon?(name)
    icon_for_provider(name.to_s)
  end

  def provider_has_builtin_icon?(name)
    PROVIDERS_WITH_ICONS.include?(name.to_s)
  end

  def provider_has_icon?(name)
    provider_has_builtin_icon?(name) || provider_has_custom_icon?(name)
  end

  def qa_class_for_provider(provider)
    {
      saml: 'qa-saml-login-button'
    }[provider.to_sym]
  end

  def auth_providers
    Gitlab::Auth::OAuth::Provider.providers
  end

  def label_for_provider(name)
    Gitlab::Auth::OAuth::Provider.label_for(name)
  end

  def icon_for_provider(name)
    Gitlab::Auth::OAuth::Provider.icon_for(name)
  end

  def form_based_provider_priority
    ['crowd', /^ldap/, 'kerberos']
  end

  def form_based_provider_with_highest_priority
    @form_based_provider_with_highest_priority ||= begin
      form_based_provider_priority.each do |provider_regexp|
        highest_priority = form_based_providers.find { |provider| provider.match?(provider_regexp) }
        break highest_priority unless highest_priority.nil?
      end
    end
  end

  def form_based_auth_provider_has_active_class?(provider)
    form_based_provider_with_highest_priority == provider
  end

  def form_based_provider?(name)
    [LDAP_PROVIDER, 'crowd'].any? { |pattern| pattern === name.to_s }
  end

  def form_based_providers
    auth_providers.select { |provider| form_based_provider?(provider) }
  end

  def saml_providers
    auth_providers.select { |provider| auth_strategy_class(provider) == 'OmniAuth::Strategies::SAML' }
  end

  def auth_strategy_class(provider)
    config = Gitlab::Auth::OAuth::Provider.config_for(provider)
    return if config.nil? || config['args'].blank?

    config.args['strategy_class']
  end

  def any_form_based_providers_enabled?
    form_based_providers.any? { |provider| form_enabled_for_sign_in?(provider) }
  end

  def form_enabled_for_sign_in?(provider)
    return true unless provider.to_s.match?(LDAP_PROVIDER)

    ldap_sign_in_enabled?
  end

  def crowd_enabled?
    auth_providers.include? :crowd
  end

  def button_based_providers
    auth_providers.reject { |provider| form_based_provider?(provider) }
  end

  def display_providers_on_profile?
    button_based_providers.any?
  end

  def providers_for_base_controller
    auth_providers.reject { |provider| LDAP_PROVIDER === provider }
  end

  def enabled_button_based_providers
    disabled_providers = Gitlab::CurrentSettings.disabled_oauth_sign_in_sources || []

    providers = button_based_providers.map(&:to_s) - disabled_providers
    providers.sort_by do |provider|
      POPULAR_PROVIDERS.index(provider) || POPULAR_PROVIDERS.length
    end
  end

  def popular_enabled_button_based_providers
    enabled_button_based_providers & POPULAR_PROVIDERS
  end

  def button_based_providers_enabled?
    enabled_button_based_providers.any?
  end

  def provider_image_tag(provider, size = 64)
    label = label_for_provider(provider)

    if provider_has_custom_icon?(provider)
      image_tag(icon_for_provider(provider), alt: label, title: "Sign in with #{label}", class: "gl-button-icon")
    elsif provider_has_builtin_icon?(provider)
      file_name = "#{provider.to_s.split('_').first}_#{size}.png"

      image_tag("auth_buttons/#{file_name}", alt: label, title: "Sign in with #{label}", class: "gl-button-icon")
    else
      label
    end
  end

  # rubocop: disable CodeReuse/ActiveRecord
  def auth_active?(provider)
    return current_user.atlassian_identity.present? if provider == :atlassian_oauth2

    current_user.identities.exists?(provider: provider.to_s)
  end
  # rubocop: enable CodeReuse/ActiveRecord

  def unlink_provider_allowed?(provider)
    IdentityProviderPolicy.new(current_user, provider).can?(:unlink)
  end

  def link_provider_allowed?(provider)
    IdentityProviderPolicy.new(current_user, provider).can?(:link)
  end

  def allow_admin_mode_password_authentication_for_web?
    current_user.allow_password_authentication_for_web? && !current_user.password_automatically_set?
  end

  def google_tag_manager_enabled?
    return false unless Gitlab.com?

    if Feature.enabled?(:gtm_nonce, type: :ops)
      extra_config.has_key?('google_tag_manager_nonce_id') &&
         extra_config.google_tag_manager_nonce_id.present?
    else
      extra_config.has_key?('google_tag_manager_id') &&
         extra_config.google_tag_manager_id.present?
    end
  end

  def google_tag_manager_id
    return unless google_tag_manager_enabled?

    return extra_config.google_tag_manager_nonce_id if Feature.enabled?(:gtm_nonce, type: :ops)

    extra_config.google_tag_manager_id
  end

  def auth_app_owner_text(owner)
    return unless owner

    if owner.is_a?(Group)
      group_link = link_to(owner.name, group_path(owner))
      _("This application was created for group %{group_link}.").html_safe % { group_link: group_link }
    else
      user_link = link_to(owner.name, user_path(owner))
      _("This application was created by %{user_link}.").html_safe % { user_link: user_link }
    end
  end

  extend self
end

AuthHelper.prepend_mod_with('AuthHelper')

# The methods added in EE should be available as both class and instance
# methods, just like the methods provided by `AuthHelper` itself.
AuthHelper.extend_mod_with('AuthHelper')