func TestAddAndRetrieveApp(t *testing.T) {
	app := new(roll.Application)
	app.ApplicationName = "an app"
	app.ClientID = "123"
	app.ClientSecret = "hush"
	app.DeveloperEmail = "[email protected]"
	app.DeveloperID = "foo"
	app.LoginProvider = "auth0"
	app.RedirectURI = "neither here nor there"

	appRepo := NewMBDAppRepo()
	err := appRepo.CreateApplication(app)
	if assert.Nil(t, err) {
		defer appRepo.delete(app)
	}

	retapp, err := appRepo.RetrieveAppByNameAndDevEmail("an app", "[email protected]")
	assert.Nil(t, err)
	if assert.NotNil(t, app) {
		assert.Equal(t, app.ApplicationName, retapp.ApplicationName)
		assert.Equal(t, app.ClientID, retapp.ClientID)
		assert.Equal(t, app.ClientSecret, retapp.ClientSecret)
		assert.Equal(t, app.DeveloperEmail, retapp.DeveloperEmail)
		assert.Equal(t, app.DeveloperID, retapp.DeveloperID)
		assert.Equal(t, app.LoginProvider, retapp.LoginProvider)
		assert.Equal(t, app.RedirectURI, retapp.RedirectURI)
	}

	retapp, err = appRepo.RetrieveApplication(app.ClientID, app.DeveloperID, false)
	assert.Nil(t, err)
	if assert.NotNil(t, app) {
		assert.Equal(t, app.ApplicationName, retapp.ApplicationName)
		assert.Equal(t, app.ClientID, retapp.ClientID)
		assert.Equal(t, app.ClientSecret, retapp.ClientSecret)
		assert.Equal(t, app.DeveloperEmail, retapp.DeveloperEmail)
		assert.Equal(t, app.DeveloperID, retapp.DeveloperID)
		assert.Equal(t, app.LoginProvider, retapp.LoginProvider)
		assert.Equal(t, app.RedirectURI, retapp.RedirectURI)
	}

	retapp, err = appRepo.RetrieveApplication(app.ClientID, "huh", true)
	assert.Nil(t, err)
	if assert.NotNil(t, app) {
		assert.Equal(t, app.ApplicationName, retapp.ApplicationName)
		assert.Equal(t, app.ClientID, retapp.ClientID)
		assert.Equal(t, app.ClientSecret, retapp.ClientSecret)
		assert.Equal(t, app.DeveloperEmail, retapp.DeveloperEmail)
		assert.Equal(t, app.DeveloperID, retapp.DeveloperID)
		assert.Equal(t, app.LoginProvider, retapp.LoginProvider)
		assert.Equal(t, app.RedirectURI, retapp.RedirectURI)
	}

	retapp, err = appRepo.SystemRetrieveApplication(app.ClientID)
	assert.Nil(t, err)
	assert.Equal(t, app.ClientID, retapp.ClientID)

	retapp, err = appRepo.RetrieveApplication(app.ClientID, "huh", false)
	assert.NotNil(t, err)
	assert.Nil(t, retapp)
}

func (ar *MariaDBAppRepo) CreateApplication(app *roll.Application) error {
	//Generate a client secret as needed
	if app.ClientSecret == "" {
		clientSecret, err := secrets.GenerateClientSecret()
		if err != nil {
			return err
		}
		app.ClientSecret = clientSecret
	}

	//Check JWT flow parts are ok
	if err := repos.CheckJWTCertParts(app); err != nil {
		return err
	}

	//Insert the app
	const appSql = `insert into rolldb.application(applicationName, clientId, clientSecret, developerEmail, developerId, loginProvider,
	redirectUri,jwtFlowAudience, jwtFlowIssuer, jwtFlowPublicKey) values(?,?,?,?,?,?,?,?,?,?)
	`
	stmt, err := ar.db.Prepare(appSql)
	if err != nil {
		return err
	}
	defer stmt.Close()

	_, err = stmt.Exec(
		app.ApplicationName,
		app.ClientID,
		app.ClientSecret,
		app.DeveloperEmail,
		app.DeveloperID,
		app.LoginProvider,
		app.RedirectURI,
		app.JWTFlowAudience,
		app.JWTFlowIssuer,
		app.JWTFlowPublicKey,
	)

	if err != nil {
		log.Info(err)
		sqlErr := err.(*mysql.MySQLError)
		switch sqlErr.Number {
		case 1062:
			log.Info("Duplicate app definition found")
			return repos.NewDuplicationAppdefError(app.ApplicationName, app.DeveloperEmail)
		default:
			return err
		}
	}

	return nil
}

func TestUpdateNoSuchApp(t *testing.T) {

	appRepo := NewMBDAppRepo()

	//Specify an app
	app := new(roll.Application)
	app.ApplicationName = "an app"
	app.ClientID = "123"
	app.DeveloperEmail = "[email protected]"
	app.DeveloperID = "foo"
	app.LoginProvider = "auth0"
	app.RedirectURI = "neither here nor there"

	err := appRepo.UpdateApplication(app, app.DeveloperID)
	assert.NotNil(t, err)
}

func TestDuplicateAppCreateGeneratesError(t *testing.T) {
	app := new(roll.Application)
	app.ApplicationName = "an app"
	app.ClientID = "123"
	app.DeveloperEmail = "[email protected]"
	app.DeveloperID = "foo"
	app.LoginProvider = "auth0"
	app.RedirectURI = "neither here nor there"

	appRepo := NewMBDAppRepo()
	err := appRepo.CreateApplication(app)
	if assert.Nil(t, err) {
		defer appRepo.delete(app)
	}

	err = appRepo.CreateApplication(app)
	assert.NotNil(t, err)
}

func TestSecretGeneratedWhenNeede(t *testing.T) {
	app := new(roll.Application)
	app.ApplicationName = "an app"
	app.ClientID = "123"
	app.DeveloperEmail = "[email protected]"
	app.DeveloperID = "foo"
	app.LoginProvider = "auth0"
	app.RedirectURI = "neither here nor there"

	appRepo := NewMBDAppRepo()
	err := appRepo.CreateApplication(app)
	if assert.Nil(t, err) {
		defer appRepo.delete(app)
	}

	retapp, err := appRepo.RetrieveAppByNameAndDevEmail("an app", "[email protected]")
	assert.Nil(t, err)
	assert.NotEqual(t, "", retapp.ClientSecret)
}

//CreateApplication stores an application definition in DynamoDB
func (dar *DynamoAppRepo) CreateApplication(app *roll.Application) error {
	log.Info("create application")

	//Make sure we are not creating a new application definition for an existing
	//application name/developer email combination
	existing, err := dar.RetrieveAppByNameAndDevEmail(app.ApplicationName, app.DeveloperEmail)
	if err != nil {
		log.Info("Internal error attempting to check for duplicate app: ", err.Error())
		return err
	}

	if existing != nil {
		log.Info("Duplicate app definition found")
		return NewDuplicationAppdefError(app.ApplicationName, app.DeveloperEmail)
	}

	if app.ClientSecret == "" {
		clientSecret, err := secrets.GenerateClientSecret()
		if err != nil {
			return err
		}
		app.ClientSecret = clientSecret
	}

	appAttrs := map[string]*dynamodb.AttributeValue{
		ClientID:        {S: aws.String(app.ClientID)},
		ApplicationName: {S: aws.String(app.ApplicationName)},
		ClientSecret:    {S: aws.String(app.ClientSecret)},
		DeveloperEmail:  {S: aws.String(app.DeveloperEmail)},
		DeveloperID:     {S: aws.String(app.DeveloperID)},
		RedirectUri:     {S: aws.String(app.RedirectURI)},
		LoginProvider:   {S: aws.String(app.LoginProvider)},
	}

	if err := CheckJWTCertParts(app); err != nil {
		return err
	}

	if app.JWTFlowPublicKey != "" {

		appAttrs[JWTFlowPublicKey] = &dynamodb.AttributeValue{
			S: aws.String(app.JWTFlowPublicKey),
		}

		appAttrs[JWTFlowIssuer] = &dynamodb.AttributeValue{
			S: aws.String(app.JWTFlowIssuer),
		}

		appAttrs[JWTFlowAudience] = &dynamodb.AttributeValue{
			S: aws.String(app.JWTFlowAudience),
		}
	}

	params := &dynamodb.PutItemInput{
		TableName:           aws.String("Application"),
		ConditionExpression: aws.String("attribute_not_exists(ClientID)"),
		Item:                appAttrs,
	}
	_, err = dar.client.PutItem(params)

	return err
}

func init() {
	var dev roll.Developer
	var app roll.Application
	var retrievedApp roll.Application
	var clientId string
	var reRegisterStatus int
	var duplicationErrorMessage string

	Before("@apptests", func() {
		testutils.URLGuard("http://localhost:3000/v1/developers")
	})

	Given(`^a developer registered with the portal$`, func() {
		dev = testutils.CreateNewTestDev()
		resp := rollhttp.TestHTTPPutWithRollSubject(T, "http://localhost:3000/v1/developers/"+dev.Email, dev)
		println("resp is", resp)
		assert.Equal(T, http.StatusNoContent, resp.StatusCode)
	})

	And(`^they have a new application they wish to register$`, func() {
		app = roll.Application{
			ApplicationName: "int test app name",
			DeveloperEmail:  dev.Email,
			RedirectURI:     "http://localhost:3000/ab",
			LoginProvider:   "xtrac://localhost:9000",
		}
	})

	Then(`^the application should be successfully registered$`, func() {
		resp := rollhttp.TestHTTPPostWithRollSubject(T, "http://localhost:3000/v1/applications", app)
		assert.Equal(T, http.StatusOK, resp.StatusCode)

		var appCreatedResponse rollhttp.ApplicationCreatedResponse

		dec := json.NewDecoder(resp.Body)
		err := dec.Decode(&appCreatedResponse)
		assert.Nil(T, err)
		assert.True(T, len(appCreatedResponse.ClientID) > 0)
		clientId = appCreatedResponse.ClientID
	})

	Given(`^a registered application$`, func() {
		retrieveAppDefinition(clientId, &retrievedApp)
	})

	Then(`^the details associated with the application can be retrieved$`, func() {
		assert.Equal(T, app.ApplicationName, retrievedApp.ApplicationName)
		assert.Equal(T, app.DeveloperEmail, retrievedApp.DeveloperEmail)
		assert.Equal(T, app.RedirectURI, retrievedApp.RedirectURI)
		assert.Equal(T, app.LoginProvider, retrievedApp.LoginProvider)
		assert.Equal(T, clientId, retrievedApp.ClientID)
		assert.True(T, len(retrievedApp.ClientSecret) > 0)
		assert.Equal(T, retrievedApp.JWTFlowPublicKey, "")
	})

	Given(`^an application has already been registered$`, func() {
		assert.True(T, len(clientId) > 0)
	})

	And(`^a developer attempts to register an application with the same name$`, func() {
		resp := rollhttp.TestHTTPPostWithRollSubject(T, "http://localhost:3000/v1/applications", app)
		reRegisterStatus = resp.StatusCode

		defer resp.Body.Close()
		bodyBytes, err := ioutil.ReadAll(resp.Body)
		assert.Nil(T, err)
		duplicationErrorMessage = string(bodyBytes)
	})

	Then(`^an error is returned with status code StatusConflict$`, func() {
		assert.Equal(T, http.StatusConflict, reRegisterStatus)
	})

	And(`^the error message indicates a duplicate registration was attempted$`, func() {
		assert.True(T, strings.Contains(duplicationErrorMessage, "definition exists for application"))
	})

	Given(`^a registered application to update$`, func() {
		assert.True(T, len(clientId) > 0)
	})

	And(`^there are updates to make to the application defnition$`, func() {
		app.RedirectURI = "http://localhost:3000/son_of_callback"
	})

	Then(`^the application can be updated$`, func() {
		resp := rollhttp.TestHTTPPutWithRollSubject(T, "http://localhost:3000/v1/applications/"+clientId, app)
		assert.Equal(T, http.StatusNoContent, resp.StatusCode)
	})

	And(`^the updates are reflected when retrieving the application definition anew$`, func() {
		retrieveAppDefinition(clientId, &retrievedApp)
		assert.Equal(T, "http://localhost:3000/son_of_callback", retrievedApp.RedirectURI)
	})

}

func TestUpdateApp(t *testing.T) {

	appRepo := NewMBDAppRepo()

	//Count the apps prior to creating one
	apps, err := appRepo.ListApplications("foo", true)
	assert.Nil(t, err)
	adminCount := len(apps)

	//No apps see with a user id of not foo and not an admin
	apps, err = appRepo.ListApplications("not foo", false)
	assert.Nil(t, err)
	assert.Equal(t, 0, len(apps))

	//Create an app
	app := new(roll.Application)
	app.ApplicationName = "an app"
	app.ClientID = "123"
	app.DeveloperEmail = "[email protected]"
	app.DeveloperID = "foo"
	app.LoginProvider = "auth0"
	app.RedirectURI = "neither here nor there"

	err = appRepo.CreateApplication(app)
	if assert.Nil(t, err) {
		defer appRepo.delete(app)
	}

	err = appRepo.UpdateApplication(app, "no way jose")
	assert.NotNil(t, err)

	err = appRepo.UpdateApplication(app, app.DeveloperID)
	assert.Nil(t, err)

	app.JWTFlowAudience = "aud"
	app.JWTFlowIssuer = "iss"
	app.JWTFlowPublicKey = "key to the city"
	appRepo.UpdateApplication(app, app.DeveloperID)

	retapp, err := appRepo.SystemRetrieveApplicationByJWTFlowAudience("aud")
	assert.Nil(t, err)
	if assert.NotNil(t, app) {
		assert.Equal(t, app.ApplicationName, retapp.ApplicationName)
		assert.Equal(t, app.ClientID, retapp.ClientID)
		assert.Equal(t, app.ClientSecret, retapp.ClientSecret)
		assert.Equal(t, app.DeveloperEmail, retapp.DeveloperEmail)
		assert.Equal(t, app.DeveloperID, retapp.DeveloperID)
		assert.Equal(t, app.LoginProvider, retapp.LoginProvider)
		assert.Equal(t, app.RedirectURI, retapp.RedirectURI)
		assert.Equal(t, app.JWTFlowAudience, retapp.JWTFlowAudience)
		assert.Equal(t, app.JWTFlowIssuer, retapp.JWTFlowIssuer)
		assert.Equal(t, app.JWTFlowPublicKey, retapp.JWTFlowPublicKey)
	}

	//Admin user should see an additional app in the list
	apps, err = appRepo.ListApplications("foo", true)
	assert.Nil(t, err)
	assert.Equal(t, adminCount+1, len(apps))

	//User adding the app should see a list with 1 entry
	apps, err = appRepo.ListApplications("foo", false)
	assert.Nil(t, err)
	assert.Equal(t, 1, len(apps))
}

func handleApplicationPost(core *roll.Core, w http.ResponseWriter, r *http.Request) {
	var app roll.Application
	if err := parseRequest(r, &app); err != nil {
		respondError(w, http.StatusBadRequest, err)
		return
	}

	//Assign a client ID
	id, err := core.GenerateID()
	if err != nil {
		respondError(w, http.StatusInternalServerError, err)
		return
	}

	app.ClientID = id

	//Validate the content
	if err := app.Validate(); err != nil {
		respondError(w, http.StatusBadRequest, err)
		return
	}

	//Extract the subject from the request header based on security mode
	subject, _, err := subjectAndAdminScopeFromRequestCtx(r)
	if err != nil {
		log.Print("Error extracting subject:", err.Error())
		respondError(w, http.StatusInternalServerError, nil)
		return
	}

	app.DeveloperID = subject

	//Store the application definition
	log.Info("storing app def: ", app)
	err = core.CreateApplication(&app)
	if err != nil {
		log.Info("Error storing app def: ", err.Error())
		switch err.(type) {
		case *repos.DuplicateAppdefError:
			respondError(w, http.StatusConflict, err)
		default:
			respondError(w, http.StatusInternalServerError, err)
		}

		return
	}

	//Generate a private/public key pair
	log.Info("Generate key pair")
	private, public, err := secrets.GenerateKeyPair()
	if err != nil {
		respondError(w, http.StatusBadRequest, err)
		return
	}

	//Store keys in secrets vault
	log.Info("store key pair in vault")
	err = core.StoreKeysForApp(id, private, public)
	if err != nil {
		respondError(w, http.StatusInternalServerError, err)
		return
	}

	//Return the client id
	log.Info("return client id: ", id)
	clientID := ApplicationCreatedResponse{ClientID: id}

	respondOk(w, clientID)

}

func handleApplicationPut(core *roll.Core, w http.ResponseWriter, r *http.Request) {
	var app roll.Application
	if err := parseRequest(r, &app); err != nil {
		respondError(w, http.StatusBadRequest, err)
		return
	}

	//Make sure we use the clientID in the resource not any clientID sent in the JSON.
	clientID := strings.TrimPrefix(r.RequestURI, ApplicationsURI)
	if clientID == "" {
		respondError(w, http.StatusBadRequest, nil)
		return
	}

	app.ClientID = clientID

	//Validate the content
	if err := app.Validate(); err != nil {
		respondError(w, http.StatusBadRequest, err)
		return
	}

	//Extract the subject from the request header based on security mode
	subject, adminScope, err := subjectAndAdminScopeFromRequestCtx(r)
	if err != nil {
		log.Print("Error extracting subject:", err.Error())
		respondError(w, http.StatusInternalServerError, nil)
		return
	}

	//Retrieve the app definition to update
	storedApp, err := core.RetrieveApplication(clientID, subject, adminScope)
	if err != nil {
		respondError(w, http.StatusInternalServerError, err)
		return
	}

	if storedApp == nil {
		respondError(w, http.StatusNotFound, nil)
		return
	}

	//Copy over the potential updates
	storedApp.ApplicationName = app.ApplicationName
	storedApp.DeveloperEmail = app.DeveloperEmail
	storedApp.LoginProvider = app.LoginProvider
	storedApp.RedirectURI = app.RedirectURI
	storedApp.DeveloperID = app.DeveloperID

	//Store the application definition
	log.Info("updating app def: ", app)
	err = core.UpdateApplication(&app, subject)

	if err != nil {
		log.Info("Error updating definition: ", err.Error())
		switch err.(type) {
		case roll.NonOwnerUpdateError:
			respondError(w, http.StatusUnauthorized, err)
		case roll.NoSuchApplicationError:
			respondError(w, http.StatusNotFound, err)
		default:
			respondError(w, http.StatusInternalServerError, err)
		}
	}

	respondOk(w, nil)
}