package bearertoken

import (
	"errors"
	"net/http"
	"strings"

	"github.com/openshift/origin/pkg/auth/authenticator"
	"k8s.io/kubernetes/pkg/auth/user"
)

type Authenticator struct {
	// auth is the token authenticator to use to validate the token
	auth authenticator.Token
	// removeHeader indicates whether the Authorization header should be removeHeaderd on successful auth
	removeHeader bool
}

func New(auth authenticator.Token, removeHeader bool) *Authenticator {
	return &Authenticator{auth, removeHeader}
}

var invalidToken = errors.New("invalid bearer token")

func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
	auth := strings.TrimSpace(req.Header.Get("Authorization"))
	if auth == "" {
		return nil, false, nil
	}
	parts := strings.Split(auth, " ")
	if len(parts) < 2 || strings.ToLower(parts[0]) != "bearer" {
		return nil, false, nil
	}

	token := parts[1]

	// Empty bearer tokens aren't valid
	if len(token) == 0 {
		return nil, false, nil
	}

	user, ok, err := a.auth.AuthenticateToken(token)
	if ok && a.removeHeader {
		req.Header.Del("Authorization")
	}
	if !ok && err == nil {
		err = invalidToken
	}
	return user, ok, err
}